macos code-signing kernel-extension

KEXT code signing with Windows code signing certificate


I have a KEXT that I now need to sign due to the release of Yosemite. I have a GlobalSign certificate for code signing a corresponding Windows driver, so I imported it via Keychain Access, no problems.

Signing the KEXT as follows:

sudo codesign -s "<keychain certificate name>" --timestamp=http://timestamp.globalsign.com/scripts/timstamp.dll MyKext.kext

says A OK and:

spctl --assess --type execute MyKext.kext

says:

MyKext.kext: accepted  
override=security disabled

BUT after copying that KEXT to a Yosemite target system, spctl says:

MyKext.kext: rejected

Any idea why there is this discrepancy?

EDIT: I noted that the binary within the KEXT is not altered, only the _CodeSignature folder is added under Contents (!)

EDIT2: Checking with kextutil -tn MyKext.kext yields:

Diagnostics for MyKext.kext:
Code Signing Failure: code signature is invalid
MyKext.kext appears to be loadable (including linking for on-disk libraries).

and I've double checked the certificate in the keychain, which is marked as valid (with Code Signing as "Extended Key Usage")


Solution

  • GlobalSign responds:

    Upon further checking of the issue, the certificate will allow you to sign but won't get past Gatekeeper. There is a possibility that you might be able to link our certificate to an Apple Developer account, but since they provide it for free, we recommend getting one from Apple directly to avoid issues signing apps.

    So I'm getting a new certificate directly from Apple instead.
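
A way to see both halves of the discrepancy from captured tool output, as an added example (not code from the original post): it checks whether the Authority= chain printed by codesign -dvv ends at Apple Root CA, and treats an spctl verdict that carries "override=security disabled" as not meaningful, since that line indicates assessments are switched off on the signing Mac. The function names, sample outputs and certificate names are constructed for illustration.

```shell
# Added example: inputs are text captured on a Mac from
#   codesign -dvv MyKext.kext 2>&1
#   spctl --assess --type execute MyKext.kext 2>&1

# Print the last Authority= entry, i.e. the root of the signing chain.
chain_root() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p' | tail -n 1
}

# Necessary (not sufficient) condition for Gatekeeper: chain ends at Apple's root.
is_apple_anchored() {
    [ "$(chain_root "$1")" = "Apple Root CA" ]
}

# "override=security disabled" means assessments are switched off on that Mac,
# so an "accepted" verdict there does not predict the result on another machine.
spctl_verdict_is_meaningful() {
    case "$1" in
        *"override=security disabled"*) return 1 ;;
        *) return 0 ;;
    esac
}

report() {  # $1 = codesign -dvv text, $2 = spctl text
    spctl_verdict_is_meaningful "$2" ||
        echo "spctl: assessments disabled on this Mac, verdict not meaningful"
    if is_apple_anchored "$1"; then
        echo "chain: anchored at Apple Root CA"
    else
        echo "chain: root is '$(chain_root "$1")', not Apple Root CA"
    fi
}

# Constructed sample: chain of a third-party CA certificate (placeholder names).
SAMPLE_THIRD_PARTY='Identifier=com.example.MyKext
Authority=Example Corp
Authority=Example Third-Party CodeSigning CA
Authority=Example Third-Party Root CA'

# Constructed sample: chain of an Apple-issued Developer ID certificate.
SAMPLE_APPLE='Identifier=com.example.MyKext
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# spctl output as quoted in the question above.
SAMPLE_SPCTL='MyKext.kext: accepted
override=security disabled'
report "$SAMPLE_THIRD_PARTY" "$SAMPLE_SPCTL"
```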