Reputation: 1
I am trying to build https://github.com/jwise/HoRNDIS for Apple silicon, and I am able to get a certificate that is able to sign kext files.
However, I am getting the error while loading the kext:
sudo kextload HoRNDIS.kext
Executing: /usr/bin/kmutil load -p /Library/Extensions/HoRNDIS.kext
Error Domain=KMErrorDomain Code=29 "Authenticating extension failed: Kext com.joshuawise.kexts.HoRNDIS v9.2 in executable kext bundle com.joshuawise.kexts.HoRNDIS at /private/var/db/KernelExtensionManagement/Staging/com.joshuawise.kexts.HoRNDIS.YWG1Lt/HoRNDIS.kext:
Authenticating extension failed: Bad code signature" UserInfo={NSLocalizedDescription=Authenticating extension failed: Kext com.joshuawise.kexts.HoRNDIS v9.2 in executable kext bundle com.joshuawise.kexts.HoRNDIS at /private/var/db/KernelExtensionManagement/Staging/com.joshuawise.kexts.HoRNDIS.YWG1Lt/HoRNDIS.kext:
Authenticating extension failed: Bad code signature}
I cloned the repository and built the kext with:
xcodebuild -sdk macosx -configuration Release
After that I signed the code with codesign:
codesign -s "Developer ID Application: Developer Team (id)" -vvvv /Users/myuser/src/HoRNDIS/build/Release/HoRNDIS.kext
The output for the above command was:
/Users/oksuz/src/HoRNDIS/build/Release/HoRNDIS.kext: signed bundle with Mach-O universal (x86_64 arm64e) [com.joshuawise.kexts.HoRNDIS]
It seems I did something wrong. How can I load the kernel the proper way (without disabling SIP)?
codesign -dvvvv HoRNDIS.kext output:
Executable=/Library/Extensions/HoRNDIS.kext/Contents/MacOS/HoRNDIS
Identifier=com.joshuawise.kexts.HoRNDIS
Format=bundle with Mach-O universal (x86_64 arm64e)
CodeDirectory v=20200 size=1308 flags=0x0(none) hashes=35+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=da805347a49a50cff27fddc8e9da83cc80763002
CandidateCDHashFull sha1=da805347a49a50cff27fddc8e9da83cc80763002
CandidateCDHash sha256=e72f5bbb583b89840270080d39f3fe8673a55b89
CandidateCDHashFull sha256=e72f5bbb583b89840270080d39f3fe8673a55b8947c9242bf55048e18d0a70cd
Hash choices=sha1,sha256
CMSDigest=a8ca9fac31012390c5eecce48bbf3b13ed658552b602e2f01f0a5b292cc21da7
CMSDigestType=2
Page size=4096
CDHash=e72f5bbb583b89840270080d39f3fe8673a55b89
Signature size=9098
Authority=Developer ID Application: Developer Team (Developer Team ID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=19 Mar 2023 14:55:52
Info.plist entries=22
TeamIdentifier=TEAMIDENTIFIER
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=188
Upvotes: -1
Views: 908
Reputation: 23428
Your certificate is not a kext signing certificate. For signing kexts, you need to use a "Developer ID Application" certificate with the 1.2.840.113635.100.6.1.18 extension. You then also need to go through the notarisation process.
As of 2023, it is rare that Apple grants certificates with 1.2.840.113635.100.6.1.18 anymore.
I'll also point out that the kext appears to be a USB network adapter kext. These are entirely unsupported from macOS 11 on even if the kext is correctly signed and notarised.
If you are targeting macOS 11 or later, your only options are, I think: Drop SIP's kext signing requirement (and hope the "unsupported" state is still good enough for it to work) or rewrite the driver for DriverKit or in user space.
Upvotes: 0
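One way to check the point made in the answer above, as an added example that is not part of the original posts: extract the leaf certificate from the kext's signature and look for the 1.2.840.113635.100.6.1.18 extension. The function names are hypothetical; it assumes macOS `codesign` and `openssl` are on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): does the certificate that signed a
# kext carry the kext-signing extension named in the answer?
KEXT_OID="1.2.840.113635.100.6.1.18"

# Reads `openssl x509 -text` output on stdin. openssl prints extensions it
# has no name for as "<dotted-oid>:" (optionally followed by "critical").
# Succeeds only if a line starts with exactly the kext OID.
has_kext_oid() {
    awk -v oid="$KEXT_OID" '
        { sub(/^[ \t]+/, "") }
        index($0, oid ":") == 1 { found = 1 }
        END { exit !found }'
}

# Prints the leaf certificate of a signed bundle in text form.
# codesign writes the chain as <prefix>0, <prefix>1, ...; 0 is the leaf.
leaf_cert_text() {
    tmp=$(mktemp -d) || return 1
    codesign -d --extract-certificates="$tmp/cert" "$1" 2>/dev/null &&
        openssl x509 -inform DER -in "$tmp/cert0" -noout -text
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Reports whether the kext at $1 was signed with a kext-capable certificate.
check_kext() {
    if leaf_cert_text "$1" | has_kext_oid; then
        echo "OK: leaf certificate carries $KEXT_OID"
    else
        echo "FAIL: leaf certificate lacks $KEXT_OID (or bundle is unsigned)"
        return 1
    fi
}

# Usage: sh check_kext_cert.sh /path/to/Some.kext
if [ "$#" -gt 0 ]; then
    check_kext "$1"
fi
```

A certificate that fails this check can still produce a signature that `codesign` accepts, which is why the signing step in the question succeeded while `kmutil load` rejected the kext.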