目标:签署我自己的软件包和我自己的内核扩展。上下文中的“我自己的”意味着“我编写的,或者我在其他地方选择的,从它们的源代码中重新编译的,并且想要安装在我的机器上。
问题:小牛队不接受我的签名Code Signing Failure: code signature is invalid(但会加载 kext),Yosemite 甚至不会加载它。
我有自己的 CA 和代码签名证书。我已经能够成功地签署代码并设置允许安装和执行由给定证书签名的代码的策略 - 两者codesign https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/codesign.1.html and spctl https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/spctl.8.html喜欢它,正如您在下面的输出中看到的那样。然而,这似乎不适用于 kext(内核扩展)-kextutil https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/kextutil.8.html坚持认为签名无效。这是我得到的输出:
$ codesign --verify -vvvv /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: valid on disk
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: satisfies its Designated Requirement
$ spctl -a -vvv -t exec /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: accepted
source=XXXXXCode
origin=XXXXXCoder
$ spctl -a -vvv -t install /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: accepted
source=XXXXXInstall
origin=XXXXXCoder
$ kextutil -tn /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
Diagnostics for /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext:
Code Signing Failure: code signature is invalid
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext appears to be loadable (including linkage for on-disk libraries).
在 Mavericks 上,这个 kext 会加载一条警告消息,在 Yosemite 上则不会。
我注意到here https://stackoverflow.com/questions/26283158/codesigning-kext-with-kext-enabled-certificate-fails-during-kextload-code-sign and in Apple CA CPS 开发者 ID http://images.apple.com/certificateauthority/pdf/Apple_Developer_ID_CPS_v1.1.pdf该证书必须具有以下扩展名:( 1.2.840.113635.100.6.1.18 )将其指定为 kext 签名证书。我的没有。我怀疑这是我的问题的原因,但不知道如何解决。似乎没有类型选项spctl创建一项策略,将给定的证书指定为 kext 签名证书。
如何添加此扩展(最好在 Keychain Certificate Assist 中,尽管基于 OpenSSL 的解决方案也可以),而不需要支付 Apple 每年 100 美元的“使用费”?
要向 Apple 请求 Kext 签名证书,您需要使用这个表格 https://developer.apple.com/contact/kext/.
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)
