Tags: macos, macos-high-sierra, kernel-extension

macOS Kext with valid signature rejected after 2nd installation (high sierra)


On a machine where my product was installed before, a second installation fails due to kext signature rejection.

I have seen the same error reported in some places, for example here: https://support.eset.com/kb6570. However, even after clearing the kext_policy table in recovery mode and approving the kext manually in Settings --> Security on the next boot, the kext still appears to be unapproved.

For example, running kextutil provides the following:

Kalyan:~ KalyanPentakota$ sudo kextutil /Library/Extensions/mycompanyAT.kext/
Password:
Kext rejected due to insecure location: <OSKext 0x7f8e9ff02e20 [0x7fffa11c8af0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/mycompanyAT.kext/", ID = "com.mycompany.at" }
Kext rejected due to insecure location: <OSKext 0x7f8e9ff02e20 [0x7fffa11c8af0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/mycompanyAT.kext/", ID = "com.mycompany.at" }
Diagnostics for /Library/Extensions/mycompanyAT.kext:

Kext approval status in the database:

sqlite> select * from kext_policy;
XE2XNRRXZ5|jp.co.canon.bj.print.BJUSBLoad|1|Canon Inc.|8
KBVSJ83SS9|com.citrix.kext.gusb|1|Citrix Systems, Inc.|8
MK9BR98H51|com.mycompany.at|1|My Company Ltd|1

Kext certificate validation:

Kalyan:~ KalyanPentakota$ codesign -dvv /Library/Extensions/mycompanyAT.kext/
Executable=/Library/Extensions/mycompanyAT.kext/Contents/MacOS/mycompanyAT
Identifier=com.mycompany.at
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=8179 flags=0x0(none) hashes=250+3 location=embedded
Signature size=4651
Authority=Developer ID Application: My Company Ltd (MK9BR98H51)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Jun 5, 2018 at 6:05:21 AM
Info.plist entries=22
TeamIdentifier=MK9BR98H51
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=212

I have also tried removing /Library/StagedExtensions/Library/, but that didn't change anything either.


Solution

  • This workaround has so far resolved all the cases we encountered in production:

    Boot into Recovery mode, disable SIP, restart, invalidate the kext cache, restart into Recovery again, and then re-enable SIP.

    Detailed steps:

    1. From the Apple menu select Restart.
    2. As your Mac restarts, press and hold down the Command (⌘) + R keys immediately upon hearing the startup chime. Hold the keys until the Apple logo appears to get the computer into Recovery mode.
    3. The computer is now in Recovery mode. From the Apple menu, select Utilities -> Terminal.
    4. Run the command: csrutil disable
    5. From the Apple menu, select Restart.
    6. After macOS has loaded, open Terminal and type: sudo kextcache -invalidate /
    7. If your kext is located in a non-standard location, add the custom kext path, for example:
      sudo kextcache -invalidate /Library/MyApp/MyApp.kext
    8. From the Apple menu, select Restart.
    9. As your Mac restarts, press and hold down the Command (⌘) + R keys immediately upon hearing the startup chime. Hold the keys until the Apple logo appears to get the computer into Recovery mode.
    10. The computer is now in Recovery mode. From the Apple menu, select Utilities -> Terminal.
    11. Run the command: csrutil enable
    12. From the Apple menu, select Restart.
    13. Now your kext should run.
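Before walking a machine through the two Recovery reboots above, it is worth confirming that the rejection really is stale staging/cache state and not a signing or approval mismatch, because the kextcache workaround will not fix those. The following script is an added example, not part of the question or the answer, and it does not run any macOS command itself: it reconciles the three artifacts the question already collects (the kextutil error text, the pipe-separated kext_policy rows from sqlite3, and the codesign -dvv output) and reports which layer disagrees with the others. The column order of kext_policy (team_id, bundle_id, allowed, developer_name, flags) is assumed from what the question prints, the sample inputs are constructed copies of the question's output, and the meaning of the flags column is deliberately not interpreted.

```python
"""Reconcile kextutil, kext_policy and codesign output for one kext.

Added example (not from the original page). Assumptions: kext_policy
columns are team_id|bundle_id|allowed|developer_name|flags, in that order;
a loadable third-party kext on High Sierra is signed with a
"Developer ID Application" certificate. The flags column is not interpreted.
"""
import re
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Optional

STAGED_PREFIX = "/Library/StagedExtensions/"

# Constructed sample inputs, shaped like the outputs shown in the question.
SAMPLE_KEXTUTIL = (
    'Kext rejected due to insecure location: <OSKext 0x7f8e9ff02e20 [0x7fffa11c8af0]> '
    '{ URL = "file:///Library/StagedExtensions/Library/Extensions/mycompanyAT.kext/", '
    'ID = "com.mycompany.at" }\n'
)
SAMPLE_POLICY = """sqlite> select * from kext_policy;
XE2XNRRXZ5|jp.co.canon.bj.print.BJUSBLoad|1|Canon Inc.|8
KBVSJ83SS9|com.citrix.kext.gusb|1|Citrix Systems, Inc.|8
MK9BR98H51|com.mycompany.at|1|My Company Ltd|1
"""
SAMPLE_CODESIGN = """Executable=/Library/Extensions/mycompanyAT.kext/Contents/MacOS/mycompanyAT
Identifier=com.mycompany.at
Format=bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: My Company Ltd (MK9BR98H51)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=MK9BR98H51
"""


@dataclass
class PolicyRow:
    team_id: str
    bundle_id: str
    allowed: int
    developer_name: str
    flags: int


def load_policy(pipe_rows: str) -> sqlite3.Connection:
    """Load pasted sqlite3 rows into an in-memory table with the assumed columns."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, allowed BOOLEAN, "
        "developer_name TEXT, flags INTEGER, PRIMARY KEY (team_id, bundle_id))"
    )
    for line in pipe_rows.strip().splitlines():
        if line.startswith("sqlite>") or "|" not in line:
            continue  # skip the echoed prompt and any non-row noise
        team, bid, allowed, dev, flags = line.split("|")
        db.execute("INSERT INTO kext_policy VALUES (?,?,?,?,?)",
                   (team, bid, int(allowed), dev, int(flags)))
    return db


def policy_for(db: sqlite3.Connection, bundle_id: str) -> Optional[PolicyRow]:
    row = db.execute(
        "SELECT team_id, bundle_id, allowed, developer_name, flags "
        "FROM kext_policy WHERE bundle_id = ?", (bundle_id,)).fetchone()
    return PolicyRow(*row) if row else None


def parse_codesign(text: str) -> Dict[str, object]:
    """Extract key=value fields and the Authority chain from codesign -dvv output."""
    info: Dict[str, object] = {"authorities": []}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key == "Authority":
            info["authorities"].append(val)  # type: ignore[union-attr]
        else:
            info[key] = val
    return info


def diagnose(bundle_id: str, kextutil_out: str, policy_rows: str, codesign_out: str) -> List[str]:
    """Return one finding per layer that disagrees; an empty list means all three agree."""
    findings: List[str] = []
    sig = parse_codesign(codesign_out)
    row = policy_for(load_policy(policy_rows), bundle_id)

    # 1. Did kextutil reject the staged copy rather than the installed bundle?
    m = re.search(r'URL = "file://([^"]+)", ID = "([^"]+)"', kextutil_out)
    if "insecure location" in kextutil_out and m and m.group(1).startswith(STAGED_PREFIX):
        findings.append("staged copy rejected: " + m.group(1))

    # 2. Does the signed bundle identify itself as the kext we are asking about?
    if sig.get("Identifier") != bundle_id:
        findings.append(f"codesign Identifier {sig.get('Identifier')!r} != {bundle_id!r}")

    # 3. Is there a Developer ID Application certificate in the chain at all?
    if not any(a.startswith("Developer ID Application:") for a in sig["authorities"]):  # type: ignore[union-attr]
        findings.append("no Developer ID Application certificate in the signing chain")

    # 4. Is the kext approved, and for the same Team ID that actually signed it?
    if row is None:
        findings.append("no kext_policy row for " + bundle_id + " (never approved by the user)")
    else:
        if row.team_id != sig.get("TeamIdentifier"):
            findings.append(f"kext_policy team_id {row.team_id} != signing TeamIdentifier {sig.get('TeamIdentifier')}")
        if not row.allowed:
            findings.append("kext_policy row exists but allowed=0")
    return findings


if __name__ == "__main__":
    for f in diagnose("com.mycompany.at", SAMPLE_KEXTUTIL, SAMPLE_POLICY, SAMPLE_CODESIGN):
        print(f)
```

On the question's own data the only finding is the rejected staged copy: the signature, the Team ID and the approval row all agree, which is exactly the situation the answer's cache invalidation targets. If instead the script reports a Team ID mismatch or a missing row, the fix is a re-sign or a fresh user approval, and the Recovery-mode procedure would be wasted effort.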