unsigned kexts on Yosemite

Landon J Fuller landonf at macports.org
Mon Oct 27 17:38:03 PDT 2014


On Oct 27, 2014, at 6:33 PM, Brandon Allbery <allbery.b at gmail.com> wrote:

> On Mon, Oct 27, 2014 at 8:26 PM, Landon J Fuller <landonf at macports.org> wrote:
> On Oct 27, 2014, at 5:36 PM, Dan Ports <dports at macports.org> wrote:
> > Also, I think Apple mandates using a separate certificate for each
> > kext -- so we're stuck getting more certificates no matter what.
> 
> AFAIK it's still just a general "kexts allowed" extension set on the Apple-signed developer ID certificate.
> 
> Mechanism and policy are two different things. I would not be surprised if the agreement specified use of a separate cert for each kext or group of closely related kexts, so they can revoke one without affecting others. A mechanism can't enforce this, and while you can ignore it because the mechanism doesn't enforce it, you risk Apple deciding that because they don't like one kext you signed they can disable all kexts you signed.


Apple can blacklist signed code with more granularity than by certificate. Regardless, we don't need to pre-emptively manufacture requirements on Apple's behalf; the contractual agreements specify Apple's requirements plainly enough.

-landonf
