无法在Mavericks/Yosemite中签名kext? [英] Can't sign kext in Mavericks/Yosemite?
问题描述
目标:对我自己的软件包和我自己的内核扩展进行签名.在上下文中,我自己的"表示我写过的东西,或者我在其他地方选择的东西,从他们的来源重新编译,并希望在我的机器上安装.
Goal: to sign my own packages, and my own kernel extensions. "My own" in the context means "that I wrote, or that I picked elsewhere, recompiled myself from their sources, and want to install on my machine.
问题:小牛不接受我用Code Signing Failure: code signature is invalid签名(但是加载了kext),优胜美地甚至不加载它.
Problem: Mavericks does not accept my signature with Code Signing Failure: code signature is invalid (but loads the kext), Yosemite won't even load it.
我有自己的CA和代码签名证书.我已经能够成功签名代码并设置策略,以允许安装并执行由给定证书签名的代码-两者 kextutil 坚持认为签名无效.这是我得到的输出:
I have my own CA, and code-signing certs. I've been able to successfully sign code and set up policies that would allow code signed by the given certs to be installed and executed - both codesign and spctl like it, as you see in the output below. However, that does not seem to apply to kext (kernel extensions) - kextutil insists that the signature is invalid. Here's the output I'm getting:
$ codesign --verify -vvvv /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: valid on disk
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: satisfies its Designated Requirement
$ spctl -a -vvv -t exec /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: accepted
source=XXXXXCode
origin=XXXXXCoder
$ spctl -a -vvv -t install /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: accepted
source=XXXXXInstall
origin=XXXXXCoder
$ kextutil -tn /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
Diagnostics for /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext:
Code Signing Failure: code signature is invalid
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext appears to be loadable (including linkage for on-disk libraries).
在Mavericks上,此kext会加载警告消息,在Yosemite上则不会.
On Mavericks this kext loads with a warning message, on Yosemite it will not.
我注意到此处并且在 Apple CA CPS开发人员ID 中,证书必须具有以下内容扩展名:( 1.2.840.113635.100.6.1.18 ),以将其指定为kext签名证书.我的没有.我怀疑这是造成我问题的原因,但不知道如何解决.在 spctl 中似乎没有类型选项可以创建将给定证书指定为kext签名证书的策略.
I noticed here and in Apple CA CPS Developer ID that the cert must have the following extension: ( 1.2.840.113635.100.6.1.18 ) to designate it as kext-signing certificate. Mine does not have it. I suspect it to be the cause of my problem, but don't know how to resolve it. There does not seem to be an type option in spctl to create a policy designating a given cert as a kext-signing one.
我如何添加此扩展名(最好在Keychain Certificate Assist中使用,尽管基于OpenSSL的解决方案也可以),而不必支付Apple每年100美元的使用费"?
How do I add this extension (preferably within Keychain Certificate Assist, though an OpenSSL-based solution would be fine too), short of paying Apple annual "usage fee" of $100?
推荐答案
要向Apple请求Kext签名证书,您需要使用此表单.
To request a Kext signing certificate from Apple, you need to use this form.
这篇关于无法在Mavericks/Yosemite中签名kext?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
