Kext signing for Mac Yosemite

After my speakers broke, the TT 6Fire sound card sat unused. These past couple of days I meant to dust it off, only to find it no longer worked. Wow ...

The reason: without my noticing, the system had long since been upgraded to Mac 10.10 Yosemite (the custom driver I had built for 10.9 stopped working there).

As the old verse goes: the months in the mountains slip by easily, while a thousand years of worldly change pass outside ..


The long road to a fix

Opened Xcode611 and rebuilt the driver;
fortunately everything went smoothly:

Install the extension:

$ sudo cp -R ./TT_DMX_6fire_CUSTOM_EXT.kext /System/Library/Extensions/

$ sudo chown -R root:wheel /System/Library/Extensions/TT_DMX_6fire_CUSTOM_EXT.kext

$ sudo kextload -verbose /System/Library/Extensions/TT_DMX_6fire_CUSTOM_EXT.kext

An error appeared:

./TT_DMX_6fire_CUSTOM_EXT.kext failed to load - (libkern/kext) not loadable (reason unspecified); check the system/kernel logs for errors or try kextutil(8).

The Console log shows:

com.apple.kextd[23]: ERROR: invalid signature for net.terratec.TT_DMX_6fire.CustomExtension, will not load  

invalid signature for ... an invalid signature.
But code signing was confirmed to be set up in Xcode.

$ codesign -dvvv ./TT_DMX_6fire_CUSTOM_EXT.kext
Executable=...  
Format=...  
hashes=...  
CDHash=...  
Signature size=...  
Authority=Mac Developer: ...  
Authority=Apple Worldwide Developer Relations Certification Authority  
Authority=Apple Root CA  
Signed Time=...  
Info.plist entries=...  
TeamIdentifier=...  

So, what's the problem?
After some reading, it turns out that starting with Mavericks, users could load unsigned kexts but would get a warning. From Yosemite on, an unsigned kext no longer produces a warning; it is simply refused to load.

The details can be found in the Apple document Kernel_Debug_Kit_ReadMe.pdf,
appended at the end of this post.

Certification for kext development
has to be requested separately in the Mac Developer Program (by emailing Apple).

[ Two days later ]

Apple response:

Your request for a developer ID for kext signing has been processed.

The kext signing attribute has been added to your Developer ID. If you have previously obtained a Developer ID for application signing, you need to re-download your Developer ID to have the updated certificate.

The Team Agents for your teams can download the cert from the following page:
https://developer.apple.com/account/mac/certificate/certificateCreate.action
Select the Developer ID radio button, click Continue, and select the
Developer ID Application and Kernel Extension radio button on the following page, then click Continue and follow the instructions on the subsequent pages.

Following the instructions, after adding/downloading/importing the certificate, a new entry appears in Xcode: Developer ID Application: .... Here it is!


Rebuilt; now check the signature info:

$ codesign -dvvv ./TT_DMX_6fire_CUSTOM_EXT.kext
Executable=...  
Format=...  
hashes=...  
CDHash=...  
Signature size=...  
Authority=Developer ID Application: ...  
Authority=Developer ID Certification Authority  
Authority=Apple Root CA  
Signed Time=...  
Info.plist entries=...  
TeamIdentifier=...  
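The difference between the two listings above is entirely in the Authority= chain: a Mac Developer certificate under the WWDR CA versus a Developer ID Application certificate under the Developer ID CA. To catch that mismatch before copying a kext into /System/Library/Extensions, here is a small POSIX shell check, written for this post rather than taken from it, that classifies the certificate chain in codesign -dvvv output. The sample outputs it reads are constructed to mirror the two listings (team name and identifier are placeholders).

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the certificate chain
# in `codesign -dvvv` output before a kext is installed.
# codesign prints its details on stderr, so on a real Mac pipe it in with 2>&1:
#   codesign -dvvv ./TT_DMX_6fire_CUSTOM_EXT.kext 2>&1 | kext_chain_verdict

# Reads codesign -dvvv output on stdin and prints a one-word verdict:
#   developer-id  : Developer ID Application -> Developer ID CA -> Apple Root CA
#   mac-developer : a development (Mac Developer) certificate; Yosemite refuses it
#   unsigned      : no Authority= lines at all
#   unknown       : some other chain, inspect by hand
kext_chain_verdict() {
    auth=$(grep '^Authority=' | sed 's/^Authority=//')
    [ -n "$auth" ] || { echo unsigned; return; }
    case "$auth" in
        *"Developer ID Application:"*)
            if printf '%s\n' "$auth" | grep -q '^Developer ID Certification Authority$' \
               && printf '%s\n' "$auth" | grep -q '^Apple Root CA$'; then
                echo developer-id
            else
                echo unknown
            fi ;;
        *"Mac Developer:"*) echo mac-developer ;;
        *) echo unknown ;;
    esac
}

# Constructed samples mirroring the two listings in the post; the name and
# team identifier are placeholders, other fields are elided as in the post.
SAMPLE_MAC_DEV='Executable=...
Authority=Mac Developer: Example Person (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
SAMPLE_DEV_ID='Executable=...
Authority=Developer ID Application: Example Person (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
SAMPLE_UNSIGNED='./TT_DMX_6fire_CUSTOM_EXT.kext: code object is not signed at all'

for s in "$SAMPLE_MAC_DEV" "$SAMPLE_DEV_ID" "$SAMPLE_UNSIGNED"; do
    printf '%s\n' "$s" | kext_chain_verdict
done
```

A Developer ID Application certificate issued before the kext-signing attribute was added to the account shows the same chain, so a developer-id verdict still needs the kextload test on the target machine.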

Install the kext again:

$ sudo rm -rf /System/Library/Extensions/TT_DMX_6fire_CUSTOM_EXT.kext/
$ sudo cp -R ...[omitted]
$ sudo chown -R root:wheel ...[omitted]
$ sudo kextload -verbose /System/Library/Extensions/TT_DMX_6fire_CUSTOM_EXT.kext

Logs:

/System/Library/Extensions/TT_DMX_6fire_CUSTOM_EXT.kext loaded successfully (or already loaded).



Done!


Many thanks, guys:

http://stackoverflow.com/questions/26671885/codesigned-kext-but-why-not-load-in-yosemite10-10



KernelDebugKit_ReadMe.pdf

If you develop or test kexts or the kernel for OS X, this message is important to you...

As you probably know, Apple introduced kext signing in OS X Mavericks. Kext signatures were checked, but users were only warned when an unknown unsigned kext loaded. The Developer ID program was also extended so that 3rd-party developers could request a certificate enabled for kext signing.

For OS X Yosemite, strict kext signature checking is enabled. All Apple kexts that are distributed as part of a product are signed by Apple. Any kexts built on systems without a Developer ID certificate registered may build non-codesigned kexts, which will fail to load by default.

This means that unsigned (hand-built) kexts will fail to load on OS X Yosemite.

In order to load unsigned kexts, the system must have "KEXT Developer Mode" enabled by adding the "kext-dev-mode=1" boot-arg. The following command (followed by a reboot) would be suitable to prepare a system for testing non-production kexts:

sudo nvram boot-args="debug=0x146 kext-dev-mode=1"

Once this is done, the machine will be able to load any valid kext; signatures will still be checked, but a failed verification will just result in a log message. Note: This applies to kexts that contain a binary, as well as codeless (plist-only) kexts.

The system will remain in developer mode until you manually remove the boot-arg or clear nvram and reboot. You can exit developer mode by redefining the boot-arg to your previous settings, or clear your boot-args as follows:

sudo nvram -d boot-args

Apple recommends that you make use of KEXT Developer Mode rather than use your Developer ID certificate to sign drivers while they are under development. Ideally you should sign a driver using a Developer ID certificate only when it reaches its final stages of testing and is being evaluated for release to customers.