Tags: objective-c, macos, kernel-extension, code-signing, entitlements, driverkit

Getting OSSystemExtensionErrorCodeSignatureInvalid After Codeless DEXT is Activated
I built a codeless DEXT to replace a working codeless KEXT - Migrating a codeless KEXT to a codeless DEXT. I referenced a few sites and GitHub repositories to put it together and had help from other SO users.

I am running with SIP turned off, developer mode is on (systemextensionsctl developer on). I am following the advice outlined here https://github.com/knightsc/USBApp/issues/1 for signing the app and dext.

When I run the app it is embedded in and request activation for the extension, that function seems to succeed. However, I then get a call to -

request:didFailWithError:

on my OSSystemExtensionRequestDelegate-derived request object when a work-queue thread starts up. The error is OSSystemExtensionErrorCodeSignatureInvalid. I assume that thread is related to the dispatch_queue_t I used to construct the OSSystemExtensionRequest.

From searching around and Apple source, I understand OSSystemExtensionErrorCodeSignatureInvalid is related to entitlements and signing. When I run systemextensionsctl list I get -

1 extension(s)
--- com.apple.system_extension.driver_extension
enabled active  teamID  bundleID (version)  name    [state]
*   *   <REDACTED>  Home.MyUsbDrver (1.0/1) Home.MyUsbDrver [activated enabled]

When I run codesign -d -vvv --entitlements :- , I get -

Executable=/Users/.../TestDequeueApp.app/Contents/MacOS/TestDequeueApp
Identifier=Home.TestDequeueApp
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1055 flags=0x10000(runtime) hashes=24+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=HASH
CandidateCDHashFull sha256=LONG HASH
Hash choices=sha256
CMSDigest=DIGEST
CMSDigestType=2
CDHash=HASH
Signature size=4745
Authority=Apple Development: MY Apple ID STUFF
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 6, 2020 at 10:51:41 AM
Info.plist entries=23
TeamIdentifier=TEAM ID
Runtime Version=10.15.6
Sealed Resources version=2 rules=13 files=7
Internal requirements count=1 size=188
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.system-extension.uninstall</key>
    <true/>
</dict>
</plist>

Not sure I see anything wrong there, and the code signing script seems to run correctly. Here is my DEXT entitlement file with com.apple.developer.driverkit.transport.usb set for a legacy device (the same device listed in the IOKitPersonalities section of my DEXT Info.plist) -

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit</key>
    <true/>
    <key>com.apple.developer.driverkit.transport.usb</key>
    <array>
        <dict>
            <key>idVendor</key>
            <integer>5843</integer>
            <key>idProduct</key>
            <integer>33</integer>
        </dict>
    </array>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>

So it seems that the extension is active and enabled, but something fails during validation.

Any help or input on this problem would be appreciated.

Update:

Just for grins, I ran my production app that does not install the system extension to see if it would cause my hardware to match. Since the driver was installed, it did. However, when I tried to access the device I got a crash. That still seems like progress.
Solution

  • After a week of vacation not thinking about work at all, I figured this problem out! I re-read information in How to set `com.apple.developer.driverkit.transport.usb` entitlement? and realized my entitlements file was not correctly formatted.

    Here is my old file, created in the editor in Xcode:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.driverkit</key>
        <true/>
        <key>com.apple.developer.driverkit.transport.usb</key>
        <array>
            <dict>
                <key>idVendor</key>
                <integer>VID0</integer>
                <key>idProductArray</key>
                <array/>
                <key>item 0</key>
                <integer>PID0</integer>
                <key>item 1</key>
                <integer>PID1</integer>
                <key>item 2</key>
                <integer>PID2</integer>
                <key>item 3</key>
                <integer>PID3</integer>
                <key>item 4</key>
                <integer>PID4</integer>
            </dict>
        </array>
        <key>com.apple.security.app-sandbox</key>
        <true/>
    </dict>
    </plist>
    

    For some reason, the array element insisted on having a key/value format. Looking at an example from the post as well as other information about plist files, I hand-edited to this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.driverkit</key>
        <true/>
        <key>com.apple.developer.driverkit.transport.usb</key>
        <array>
            <dict>
                <key>idVendor</key>
                <integer>VID0</integer>
                <key>idProductArray</key>
                <array>
                    <integer>PID0</integer>
                    <integer>PID1</integer>
                    <integer>PID2</integer>
                    <integer>PID3</integer>
                    <integer>PID4</integer>
                </array>
            </dict>
        </array>
        <key>com.apple.security.app-sandbox</key>
        <true/>
    </dict>
    </plist>
    

    Now the array element looks correct, and the driver loads and functions so that I can read data from my device.

    Any ideas on how to make the Xcode editor behave, or is it just me not using it correctly?
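The answer above traces the OSSystemExtensionErrorCodeSignatureInvalid failure to an entitlements plist whose `com.apple.developer.driverkit.transport.usb` value had the wrong shape (the Xcode editor emitted an empty `idProductArray` plus stray `item N` keys in the dict). A syntax check such as `plutil -lint` passes such a file, because it is well-formed XML; what is needed is a check of the value's structure. The following is an added example, not code from the question, the answer, or Apple: a small Python validator using the standard-library `plistlib` that parses an entitlements file and reports structural problems with that entitlement before the file is handed to `codesign`. It assumes (my assumption, not something the page states) that each entry in the array is a dict with an integer `idVendor` and either an integer `idProduct` or a non-empty `idProductArray` of integers; the two embedded sample plists are constructed for this example, and the vendor/product numbers in them are placeholders.

```python
"""Validate the structure of a DriverKit USB-transport entitlement.

Added example, not from the original post. Assumed schema (my assumption):
com.apple.developer.driverkit.transport.usb is an <array> of <dict>, each
with an <integer> idVendor and either an <integer> idProduct or a non-empty
idProductArray <array> of <integer>.
"""
import sys
import plistlib

USB_KEY = "com.apple.developer.driverkit.transport.usb"
DRIVERKIT_KEY = "com.apple.developer.driverkit"
ALLOWED_ENTRY_KEYS = {"idVendor", "idProduct", "idProductArray"}

# Constructed sample: the shape the Xcode editor produced in the answer above.
# The array is empty and the product IDs spilled into the dict as "item N" keys.
BAD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit</key>
    <true/>
    <key>com.apple.developer.driverkit.transport.usb</key>
    <array>
        <dict>
            <key>idVendor</key>
            <integer>5843</integer>
            <key>idProductArray</key>
            <array/>
            <key>item 0</key>
            <integer>33</integer>
            <key>item 1</key>
            <integer>34</integer>
        </dict>
    </array>
</dict>
</plist>
"""

# Constructed sample: the hand-corrected shape from the answer (placeholder IDs).
GOOD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit</key>
    <true/>
    <key>com.apple.developer.driverkit.transport.usb</key>
    <array>
        <dict>
            <key>idVendor</key>
            <integer>5843</integer>
            <key>idProductArray</key>
            <array>
                <integer>33</integer>
                <integer>34</integer>
            </array>
        </dict>
    </array>
</dict>
</plist>
"""


def _is_int(value) -> bool:
    """True for a plist <integer>; rejects <true/>/<false/>, which are bool in Python."""
    return isinstance(value, int) and not isinstance(value, bool)


def check_usb_entitlement(plist_bytes: bytes) -> list:
    """Parse an entitlements plist and return a list of problems (empty == OK)."""
    problems = []
    data = plistlib.loads(plist_bytes)

    if data.get(DRIVERKIT_KEY) is not True:
        problems.append(f"{DRIVERKIT_KEY} must be <true/>")

    usb = data.get(USB_KEY)
    if not isinstance(usb, list) or not usb:
        problems.append(f"{USB_KEY} must be a non-empty <array> of <dict>")
        return problems

    for i, entry in enumerate(usb):
        where = f"{USB_KEY}[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: expected <dict>, got {type(entry).__name__}")
            continue
        if not _is_int(entry.get("idVendor")):
            problems.append(f"{where}: idVendor must be an <integer>")
        has_pid = _is_int(entry.get("idProduct"))
        pids = entry.get("idProductArray")
        has_pids = bool(isinstance(pids, list) and pids and all(_is_int(p) for p in pids))
        if "idProductArray" in entry and not has_pids:
            problems.append(f"{where}: idProductArray must be a non-empty <array> of <integer>")
        if not (has_pid or has_pids):
            problems.append(f"{where}: need an <integer> idProduct or a populated idProductArray")
        stray = sorted(k for k in entry if k not in ALLOWED_ENTRY_KEYS)
        if stray:
            # "item N" keys are the signature of array items written into the dict.
            problems.append(f"{where}: unexpected keys {stray} (array items placed in the dict?)")
    return problems


if __name__ == "__main__":
    # Usage: python check_usb_entitlement.py MyDext.entitlements
    with open(sys.argv[1], "rb") as fh:
        found = check_usb_entitlement(fh.read())
    for line in found:
        print("PROBLEM:", line)
    sys.exit(1 if found else 0)
```

Run against the two embedded samples, the corrected file yields no problems, while the editor-generated one reports the empty `idProductArray`, the missing product ID, and the stray `item 0`/`item 1` keys. Wiring this into the build before the signing step turns a late, opaque system-extension validation failure into an early, explicit one.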