I built a codeless DEXT to replace a working codeless KEXT (see "Migrating a codeless KEXT to a codeless DEXT"). I referenced a few sites and GitHub repositories to put it together and had help from other SO users.
I am running with SIP turned off, and developer mode is on (systemextensionsctl developer on). I am following the advice outlined here https://github.com/knightsc/USBApp/issues/1 for signing the app and dext.
When I run the app it is embedded in and request activation for the extension, that function seems to succeed. However, I then get a call to -
request:didFailWithError:
on my OSSystemExtensionRequestDelegate-derived request object when a work-queue thread starts up. The error is OSSystemExtensionErrorCodeSignatureInvalid. I assume that thread is related to the dispatch_queue_t I used to construct the OSSystemExtensionRequest.
From searching around and from Apple source, I understand OSSystemExtensionErrorCodeSignatureInvalid is related to entitlements and signing. When I run systemextensionsctl list I get -
1 extension(s)
--- com.apple.system_extension.driver_extension
enabled active teamID bundleID (version) name [state]
* * <REDACTED> Home.MyUsbDrver (1.0/1) Home.MyUsbDrver [activated enabled]
When I run codesign -d -vvv --entitlements :- , I get -
Executable=/Users/.../TestDequeueApp.app/Contents/MacOS/TestDequeueApp
Identifier=Home.TestDequeueApp
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1055 flags=0x10000(runtime) hashes=24+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=HASH
CandidateCDHashFull sha256=LONG HASH
Hash choices=sha256
CMSDigest=DIGEST
CMSDigestType=2
CDHash=HASH
Signature size=4745
Authority=Apple Development: MY Apple ID STUFF
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 6, 2020 at 10:51:41 AM
Info.plist entries=23
TeamIdentifier=TEAM ID
Runtime Version=10.15.6
Sealed Resources version=2 rules=13 files=7
Internal requirements count=1 size=188
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.system-extension.uninstall</key>
<true/>
</dict>
</plist>
Not sure I see anything wrong there, and the code signing script seems to run correctly. Here is my DEXT entitlement file with com.apple.developer.driverkit.transport.usb set for a legacy device (the same device listed in the IOKitPersonalities section of my DEXT Info.plist) -
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.driverkit</key>
<true/>
<key>com.apple.developer.driverkit.transport.usb</key>
<array>
<dict>
<key>idVendor</key>
<integer>5843</integer>
<key>idProduct</key>
<integer>33</integer>
</dict>
</array>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>
So it seems that the extension is active and enabled, but something fails during validation.
Any help or input on this problem would be appreciated.
Update:
Just for grins, I ran my production app that does not install the system extension to see if it would cause my hardware to match. Since the driver was installed, it did. However, when I tried to access the device I got a crash. That still seems like progress.