unsigned kexts on Yosemite

Brandon Allbery allbery.b at gmail.com
Mon Oct 27 17:33:06 PDT 2014


On Mon, Oct 27, 2014 at 8:26 PM, Landon J Fuller <landonf at macports.org>
wrote:
>
> On Oct 27, 2014, at 5:36 PM, Dan Ports <dports at macports.org> wrote:
> > Also, I think Apple mandates using a separate certificate for each
> > kext -- so we're stuck getting more certificates no matter what.
>
> AFAIK it's still just a general "kexts allowed" extension set on the
> Apple-signed developer ID certificate.
>

Mechanism and policy are two different things. I would not be surprised if
the agreement specified use of a separate cert for each kext or group of
closely related kexts, so they can revoke one without affecting others. A
mechanism can't enforce this, and while you can ignore it because the
mechanism doesn't enforce it, you risk Apple deciding that because they
don't like one kext you signed they can disable all kexts you signed.

-- 
brandon s allbery kf8nh                               sine nomine associates
allbery.b at gmail.com                                  ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net