This repository has been archived by the owner on Mar 7, 2018. It is now read-only.

kext is not signed, requiring kernel development mode #2

Closed
lloeki opened this issue Feb 7, 2015 · 6 comments

Owner

lloeki commented Feb 7, 2015

Apple developer registration is pending.

Owner Author

lloeki commented Feb 9, 2015

Registered as Mac Developer, certificate obtained, now waiting for grant of kext signing ability (7-10 business days).

Owner Author

lloeki commented Apr 4, 2015

2 months in, no reply from Apple.

Owner Author

lloeki commented Apr 17, 2015

Second request is 13 days old, still no reply (neither positive nor negative).

Owner Author

lloeki commented Nov 1, 2015

Well, here's the mail from Apple (received twice, once for each request), and my reply inline:

> KEXT signing is intended for signing commercially shipping kexts or projects broadly distributed in a large organization. The use you describe does not need a signed kext.

As you may have guessed, I beg to differ (with the last sentence).

To conform to the first part, should I set up a paid version for it to qualify as a commercial product?

> You can turn off kext signature checking for sample code and development use as described in the OS X 10.10 Kernel Debug Kit located at https://developer.apple.com/downloads/

I am perfectly aware of this fact. The installer script sadly even uses that as a workaround (with due warning about the consequences) for end users to be able to use the kext.

[snipped instructions about how to use kext-dev-mode]

> Apple recommends that you make use of KEXT Developer Mode rather than use your Developer ID certificate to sign drivers while they are under development.

This is not a matter of development, this is a matter of release.

> Ideally you should sign a driver using a Developer ID certificate only when it reaches its final stages of testing and is being evaluated for release to customers.

Final stages of testing have long passed and I requested the developer certificate only when I deemed that the code was indeed production-ready.

Going back to the terms of request, the use I describe does need a signed kext or a whitelist addition (for which there is, to date, no mechanism to request, and although awkward, qualifies as a mild form of signing mechanism by way of the whitelist kext containing MD5 sums of the whitelisted kexts as well as being signed itself) to maintain a decent level of security for end-users. While the above language doesn't cover free software kexts that warrant a signature, there are numerous exceptions that have been made. Example: VirtualBox Open Source Edition is neither a commercial product nor distributed in a large organization, yet has its kext signed. Alternatively, software in the same category such as USB Overdrive has had its kext signed (or exempted to do so by way of the AppleKextExcludeList.kext whitelist).

That the above text from the request form does not cover the Free and Open-Source Software use case or that there is no mechanism to request a whitelist entry looks like an omission. I wish FOSS kext developers could make use of the signing process instead of relying on the whitelist feature (which requires an addition with each version release) but I could make do with a whitelist entry, as well as a statement that Apple is committed to support and allow FOSS software development on OS X, whether it is in userland or in kernel.

Thanks for your attention.

Best regards,

Loic

Owner Author

lloeki commented Nov 1, 2015

So, two refusals, and no change in AppleKextExcludeList.kext. I now have little hope of seeing this signed.

Owner Author

lloeki commented Dec 1, 2017

A long, long time ago, my developer certificate expired.

@lloeki lloeki closed this as completed Dec 1, 2017