If the approved KEXT is located in an application's bundle, all other KEXTs signed by the same Team ID in the same application's bundle are also approved. When the user approves a KEXT, they are at the same time approving these other KEXTs signed by the same Team ID: Because of this, developers are encouraged to provide an appropriate company name when requesting KEXT signing identities. This name comes from the Subject Common Name field of the Developer ID Application certificate used to sign the KEXT. The alert shows the name of the developer who signed the KEXT so the user has some information to decide whether to approve the KEXT. Until the user approves the KEXT, future load attempts will cause the approval UI to reappear but will not trigger another user alert. This approval UI is only present in the Security & Privacy preferences pane for 30 minutes after the alert. This prompts the user to approve the KEXT in System Preferences > Security & Privacy as shown in Figure 2.
When a request is made to load a KEXT that the user has not yet approved, the load request is denied and macOS presents the alert shown in Figure 1.
This feature enforces that only kernel extensions approved by the user will be loaded on a system.
0 kommentar(er)
