Tags: xcode, driver, code-signing, keychain, kernel-extension

How to understand remote kernel extension code signing?


Kernel extension signing is more complicated than signing a user-space executable. Apple issued me a kext signing certificate. It works when I build from the Xcode GUI or with xcodebuild.

Reading The Fine Manual could get me where I want to be, but whenever I try to sign my driver, my head spins.

I'm configuring a remote build box for my client. I've gotten everything other than code signing to work. If I log in to the GUI then run my "build_all" script, codesign presents a GUI that prompts for my password. If I ssh in, codesign will fail.

I think what I need to do is:

$ security unlock-keychain ...
$ codesign ...
$ security lock-keychain ...

I can figure out how to lock and unlock my keychain; it's the codesign command line that confuses me.

Here's what xcodebuild does:

/usr/bin/codesign --force --sign 84208E9C30B70E303186BAF330554E82E1891492 --requirements =designated\ =>\ anchor\ apple\ generic\ \ and\ identifier\ \"$self.identifier\"\ and\ ((cert\ leaf[field.1.2.840.113635.100.6.1.9]\ exists)\ or\ (\ certificate\ 1[field.1.2.840.113635.100.6.2.6]\ exists\ and\ certificate\ leaf[field.1.2.840.113635.100.6.1.13]\ exists\ \ and\ certificate\ leaf[subject.OU]\ =\ \"444JK52Q93\"\ )) --timestamp=none /Users/build/BuildBox/FL2000/trunk/IOProxyVideoFamily/Release/IOProxyFramebuffer.kext

I attempted to copy the above command line then paste it into the Terminal but so many parentheses lead the command to fail:

Command-C
Command-V
-bash: syntax error near unexpected token `('

Perhaps all I need is to add some quotes or backslashes to codesign's command line.


Solution

  • You are missing " around the requirements string.

    Change it to:

    /usr/bin/codesign --force --sign 84208E9C30B70E303186BAF330554E82E1891492 --requirements "=designated => anchor apple generic  and identifier \"\$self.identifier\" and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or ( certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists  and certificate leaf[subject.OU] = \"444JK52Q93\" ))" --timestamp=none /Users/build/BuildBox/FL2000/trunk/IOProxyVideoFamily/Release/IOProxyFramebuffer.kext
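A script for the ssh-driven build box described in the question, as an added example that is not code from the question or the answer: it unlocks a dedicated keychain, signs with the requirements string quoted so the shell passes it to codesign untouched (the `$self.identifier` token included), verifies the signature, and re-locks the keychain even if codesign fails. The separate keychain, the password file, the partition-list step and the verify step are assumptions; the identity hash, team OU and kext path are the ones from the question.

```shell
#!/bin/sh
# Added example (hypothetical script): sign a kext from an ssh session.
# Assumptions: the signing identity lives in its own keychain, and the
# keychain password sits in a mode-0600 file so it never appears in a
# shell history or build log.
set -e

# Build the designated requirement exactly as xcodebuild hands it to codesign.
# The outer single quotes keep "$self.identifier" literal; inside double
# quotes the shell would expand $self to nothing and corrupt the requirement.
build_requirement() {
    team_ou="$1"
    printf '%s' '=designated => anchor apple generic and identifier "$self.identifier" and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or ( certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = "'"$team_ou"'" ))'
}

# Unlock, sign, verify, and always re-lock: the EXIT trap fires whether
# codesign succeeds or fails, so the key is never left usable after the build.
sign_kext() {
    keychain="$1"; pw_file="$2"; identity="$3"; team_ou="$4"; kext="$5"
    pw="$(cat "$pw_file")"
    trap 'security lock-keychain "$keychain"' EXIT
    # -p briefly exposes the password in the process list; acceptable on a
    # single-purpose build box, not on a shared host.
    security unlock-keychain -p "$pw" "$keychain"
    # Lets codesign use the private key without a GUI prompt (macOS 10.12+),
    # which is what makes the ssh session behave like the logged-in GUI case.
    security set-key-partition-list -S apple-tool:,apple: -s -k "$pw" "$keychain"
    /usr/bin/codesign --force --sign "$identity" \
        --requirements "$(build_requirement "$team_ou")" \
        --timestamp=none "$kext"
    # Fail the build if the signature or its designated requirement is bad.
    /usr/bin/codesign --verify --verbose=2 "$kext"
}

# Usage: sign_kext.sh <keychain> <password-file> <identity-sha1> <team-ou> <kext>
# e.g. sign_kext.sh ~/Library/Keychains/kext-signing.keychain-db ~/.kext-pw \
#      84208E9C30B70E303186BAF330554E82E1891492 444JK52Q93 \
#      /Users/build/BuildBox/FL2000/trunk/IOProxyVideoFamily/Release/IOProxyFramebuffer.kext
if [ "$#" -eq 5 ]; then
    sign_kext "$@"
fi
```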