I'm developing a product that includes kernel extension and have found a weird problem in one of our testing machines that I can't find a solution for.

我正在开发一个包含内核扩展的产品，并且在我们的一台测试机器中发现了一个我找不到解决方案的奇怪问题。

In my development machine, (OSX 10.8.3 and latest Xcode) I codesign our kext like this:

在我的开发机器上，（OSX 10.8.3 和最新的 Xcode）我像这样对我们的 kext 进行了编码：

$ codesign -s "Developer ID Application: Mycompany" my.kext
my.kext: signed bundle with Mach-O thin (x86_64) [com.mycompany.kext]

it all goes fine, my.kext/Contents/MacOS/mykext binary is modified (signature added) and a folder my.kext/Contents/_CodeSignature is created with a file CodeResources in it.

一切顺利，my.kext/Contents/MacOS/mykext 二进制文件被修改（添加了签名）并创建了一个文件夹 my.kext/Contents/_CodeSignature，其中包含一个文件 CodeResources。

When loading this kext on one of our testing machines (OSX 10.7.5 with Xcode 3.2.6, Darwin Kernel 11.4.2 x86_64), it refuses to do so:

在我们的一台测试机器（OSX 10.7.5 和 Xcode 3.2.6，Darwin Kernel 11.4.2 x86_64）上加载这个 kext 时，它拒绝这样做：

kxld[com.mycompany.kext]: The Mach-O file is malformed: Invalid segment type in MH_KEXT_BUNDLE kext: 29.
Can't load kext com.mycompany.kext - link failed.
Failed to load executable for kext com.mycompany.kext.
Kext com.mycompany.kext failed to load (0xdc008016).

If I load the module unsigned, there is no problem. Also tried signing the kext from Xcode and not from command-line, with the same results.

如果我加载未签名的模块，则没有问题。还尝试从 Xcode 而不是从命令行签署 kext，结果相同。

I moved the signing certificate to that troublesome computer, and signed the kext there. The signing process goes different:

我将签名证书移到那台麻烦的计算机上，并在那里签署了 kext。签署过程有所不同：

$ codesign -v -s "Developer ID Application: Mycompany" my.kext
my.kext: signed bundle with generic [com.mycompany.kext]

Once signed, the kext executable at my.kext/Contents/MacOS/mykext is unmodified, and the folder Contents/_CodeSignature includes more files: CodeDirectory, CodeRequirements, CodeResources and CodeSignature. This signed kext seems to work on all devices so far.

签名后，位于 my.kext/Contents/MacOS/mykext 的 kext 可执行文件未修改，文件夹 Contents/_CodeSignature 包含更多文件：CodeDirectory、CodeRequirements、CodeResources 和 CodeSignature。到目前为止，这个签名的 kext 似乎适用于所有设备。

So the question is:

所以问题是：

What's going on in here? What am I doing wrong in my signing process? How can I create a signature in a updated device that will work on this "outdated" machine? I understand that the target machine is refusing load of the kext because it does not undertand the signed binary. Signing from this device creates some kind of detached signature where the binary is untouched. I can't get my codesign to do that, the -D option seems useless and won't create a _CodeSignature folder inside the bundle.

这里发生了什么？我在签名过程中做错了什么？如何在更新后的设备中创建可以在这台“过时”机器上使用的签名？我知道目标机器拒绝加载 kext，因为它不理解已签名的二进制文件。从此设备签名会创建某种分离的签名，其中二进制文件未受影响。我无法让我的 codesign 这样做，-D 选项似乎没用，并且不会在包中创建 _CodeSignature 文件夹。

Update

更新

As of XCode 4.6, the problem still persists. Only i386 kexts are signed in a backwards-compatible way. x64 and mixed arch kexts can't be loaded by some 10.6 and 10.7 kernels due to them not understanding the signature embedded into the binaries.

从 XCode 4.6 开始，问题仍然存在。只有 i386 kexts 以向后兼容的方式签名。一些 10.6 和 10.7 内核无法加载 x64 和混合架构 kext，因为它们不理解嵌入到二进制文件中的签名。

The codesigncommand-line tool has an undocumented --no-machoflag for this purpose, but seems to be unimplemented.

该协同设计的命令行工具有一个无证--no-男子气用于此目的的标志，但似乎没有实现。

Update 2

更新 2

The problem still persists as of Xcode 4.6.24.6.3

从 Xcode 4.6.24.6.3 开始，问题仍然存在