Goal: to sign my own packages, and my own kernel extensions. "My own" in this context means "that I wrote, or that I picked elsewhere, recompiled myself from their sources, and want to install on my machine."
Problem: Mavericks does not accept my signature, reporting "Code Signing Failure: code signature is invalid" (but loads the kext); Yosemite won't even load it.
I have my own CA, and code-signing certs. I've been able to successfully sign code and set up policies that would allow code signed by the given certs to be installed and executed - both codesign and spctl like it, as you see in the output below. However, that does not seem to apply to kext (kernel extensions) - kextutil insists that the signature is invalid. Here's the output I'm getting:
$ codesign --verify -vvvv /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: valid on disk
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: satisfies its Designated Requirement
$ spctl -a -vvv -t exec /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: accepted
source=XXXXXCode
origin=XXXXXCoder
$ spctl -a -vvv -t install /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext: accepted
source=XXXXXInstall
origin=XXXXXCoder
$ kextutil -tn /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext
Diagnostics for /opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext:
Code Signing Failure: code signature is invalid
/opt/local/Library/Filesystems/osxfusefs.fs/Support/osxfusefs.kext appears to be loadable (including linkage for on-disk libraries).
On Mavericks this kext loads with a warning message, on Yosemite it will not.
I noticed here and in the Apple CA CPS Developer ID that the cert must have the following extension: ( 1.2.840.113635.100.6.1.18 )
to designate it as a kext-signing certificate. Mine does not have it. I suspect it to be the cause of my problem, but don't know how to resolve it. There does not seem to be a type option in spctl to create a policy designating a given cert as a kext-signing one.
How do I add this extension (preferably within Keychain Certificate Assistant, though an OpenSSL-based solution would be fine too), short of paying Apple's annual "usage fee" of $100?
3 solutions
#1
4
To request a Kext signing certificate from Apple, you need to use this form.
#2
2
Only Apple can generate certificates with this OID and have it considered as valid for the kernel.
See What's New in Kext Development at tonymacx86.com for a more-detailed explanation. Here are the relevant parts.
The OID 1.2.840.113635 is Apple's company prefix, and the rest of the OID describes what specific property must exist in certificate "leaf" (the signing certificate) to allow the kernel extension to load. This means that a valid, signed kernel extension can only be created with a certificate provided by Apple as part of their $99/yr Developer program, and additionally that interested parties must fill out a special form explaining why they require the certificate; kext certificates are only provided upon request and approval.
While it is possible to generate a certificate with a specific OID and sign it with your own CA, OS X will only recognize Apple's CA for kernel extensions. Gatebreak's documentation briefly mentions this.
change the code requirements embedded in kextutil, kextd, and kextcache so they allow root certificates other than Apple's
#3
1
Anyone can generate certificates with whatever OIDs they want. In fact, OIDs are being added all the time. You can head over to IANA, request an OID and hack the gnutls/openssl source code to start generating certificates for your newfangled field. The relevant OIDs for code signing that need to be in the certificate are documented. That should handle the generation of personal CA and intermediary certificates that can sign kexts. Have a look at the patches against OpenSSL that enable it to generate RPKI certificates.
The next task is figuring out how Apple will recognise your CA as an anchor certificate. My guess here is that you'll need to import the generated CA cert using Keychain Access. If Apple somehow hardcodes the CAs (unlikely, and it would be stupid), we would be doomed. Otherwise, they must be loading the certificate anchors from some filesystem resource. Use dtruss to find out. My initial investigation points at /System/Library/Keychains/.
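The answers above turn on whether the leaf certificate carries the extension OID 1.2.840.113635.100.6.1.18. As an added example (not code from the question or from any of the answers), the Python below DER-encodes that OID and scans an X.509 Extensions block for it, using constructed sample extensions rather than a real certificate so it runs offline without OpenSSL. The `extension` helper, the sample values and the NULL payload for the marker are assumptions of this example, not Apple's specification.

```python
# Added example (not the question's or answers' code): DER-encode the
# kext-signing OID and check an Extensions SEQUENCE for it.
KEXT_SIGNING_OID = "1.2.840.113635.100.6.1.18"   # OID named in the question

def tlv(tag, content):
    """Build a DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """DER OID: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def iter_tlv(data):
    """Yield (tag, content) for each top-level TLV in DER bytes."""
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n

def extension_oids(extensions_der):
    """Return the encoded extnID of every Extension in an Extensions SEQUENCE."""
    (_, seq), = iter_tlv(extensions_der)
    return [tlv(*next(iter_tlv(ext))) for _, ext in iter_tlv(seq)]

def has_kext_signing_extension(extensions_der):
    return encode_oid(KEXT_SIGNING_OID) in extension_oids(extensions_der)

def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }"""
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + flag + tlv(0x04, value))

# Constructed samples (assumption): the Apple marker carries a NULL (05 00),
# which is what an OpenSSL config line "1.2.840.113635.100.6.1.18=DER:05:00" emits.
KEY_USAGE = extension("2.5.29.15", tlv(0x03, b"\x07\x80"), critical=True)
SAMPLE_WITH_MARKER = tlv(0x30, extension(KEXT_SIGNING_OID, b"\x05\x00") + KEY_USAGE)
SAMPLE_WITHOUT_MARKER = tlv(0x30, KEY_USAGE)
```

Finding the marker only tells you the certificate is shaped like a kext-signing certificate; as answer #2 states, the kext loaders also require the chain to anchor at Apple's CA.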