macOS 10.14.5: Kernel extensions signed after April 7, 2019 must be notarized in order to load on macOS

mthakur
Contributor

There is a new security requirement as of macOS 10.14.5, released today (May 13, 2019):

Security New Features
• Kernel extensions signed after April 7, 2019 must be notarized in order to load on macOS 10.14.5. (50016570)

Known Issues
• The system fails to register tickets stapled to installer packages not scanned by Gatekeeper, which causes newly installed kernel extensions to fail to load if Internet access isn't available. This can occur if a user launches installation from a local folder or an enterprise uses automated tools to deploy an installer. This issue doesn't affect stapled disk images, apps, or kext bundles. (50205533)

Workaround: In a new folder, create a shell script named preinstall to register the stapled ticket during install:
#!/bin/sh
# On 10.14.5 only, force a Gatekeeper scan of the package being installed so the
# stapled notarization ticket gets registered (needed for offline/local installs).
# $PACKAGE_PATH is set by the Installer for preinstall/postinstall scripts.
if [[ "$(/usr/bin/sw_vers -productVersion)" == 10.14.5 ]]; then
    /usr/sbin/spctl -a -vvv -t install "$PACKAGE_PATH"
fi
Then, when creating the flat package installer using either the pkgbuild or productbuild tool, pass the --scripts <path to folder containing preinstall> option to embed the preinstall script into the finalized installer.
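The full workaround as a build-side script, added here as an example (not from the post or from Apple): it writes the preinstall script into a scripts folder, embeds it with pkgbuild --scripts, and after notarization staples and verifies the ticket. The signing identity, bundle identifier and paths are placeholders, and the pkgbuild/stapler/spctl steps assume a macOS build host.

```shell
# Write the Gatekeeper-scan preinstall script into "$1/preinstall".
# The sw_vers call is wrapped in $(...) and quoted so /bin/sh evaluates it.
write_preinstall() {
    mkdir -p "$1"
    cat > "$1/preinstall" <<'EOF'
#!/bin/sh
# Register the stapled ticket on 10.14.5, where Gatekeeper skips local installs.
if [ "$(/usr/bin/sw_vers -productVersion)" = "10.14.5" ]; then
    /usr/sbin/spctl -a -vvv -t install "$PACKAGE_PATH"
fi
exit 0
EOF
    chmod 755 "$1/preinstall"
}

# Build the flat package with the scripts folder embedded.
# $1=payload root  $2=scripts dir  $3=identifier  $4=version  $5=output .pkg
# "Developer ID Installer: EXAMPLE (TEAMID)" is a placeholder identity.
build_pkg() {
    pkgbuild --root "$1" --scripts "$2" --identifier "$3" --version "$4" \
             --sign "Developer ID Installer: EXAMPLE (TEAMID)" "$5"
}

# Once notarization has succeeded, staple the ticket into the pkg so an
# offline endpoint can still register it, then check what Gatekeeper sees.
staple_and_verify() {
    xcrun stapler staple "$1"
    xcrun stapler validate "$1"
    /usr/sbin/spctl -a -vvv -t install "$1"   # expect "accepted"
}

# Example invocation (paths and identifiers are placeholders):
# write_preinstall ./scripts
# build_pkg ./payload ./scripts com.example.kextinstaller 1.0 ExampleKext.pkg
# staple_and_verify ExampleKext.pkg
```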

TL;DR:
• If you have any vendor-supplied kernel extensions, you will probably have to ensure the vendor notarized them on or after April 7, 2019.
• Even if you have a properly notarized kernel extension, you'll probably have to ensure it's scanned by Gatekeeper on each endpoint, using the workaround described above.

For more information, please click here.


dstranathan
Valued Contributor II

It appears that this also includes in-house (flat) pkgs.

We have a ton of custom packages that are not notarized. Apple states that an existing .pkg can be updated for 10.14.5 by 'stapling a ticket' to the package. Has anyone done this?

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

(Edited for clarification)