MacOS – How to validate kexts signatures from the command line

Tags: command line, kernel-extensions, macos

I'd like my shell script to verify if the /System/Library/Extensions folder (and subfolders) contains any kexts that don't pass signature validation. How do I do that?

There are a couple utilities that seem to include that kind of functionality, e.g.

kextcache -system-prelinked-kernel

but they either apply modifications to the system or do other unwanted lengthy checks. Only the signature validation is necessary here.

Many thanks in advance for your help!

Best Answer

Here's the script which will output unsigned kexts inside this directory:

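#!/bin/bash

# List kexts directly under /System/Library/Extensions that carry no code signature.
cd /System/Library/Extensions || exit 1

# -prune keeps find from descending into each bundle.
find *.kext -prune -type d | while IFS= read -r d; do
    # codesign -d displays signing information and exits non-zero when there is none.
    codesign -d "$d" 2>/dev/null
    rc=$?
    if [[ $rc != 0 ]] ; then
        echo "$d is not signed."
    fi
done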
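
An added example, not part of the original answer: `codesign -d` only shows whether a signature is present, so this sketch also runs `codesign --verify --strict` on every kext found recursively and reports a signature that no longer matches the bundle separately from a missing one. The function name `verify_kexts` and the `UNSIGNED`/`INVALID` labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify every kext under a directory as unsigned or invalid.
# verify_kexts and the UNSIGNED/INVALID labels are names invented for this sketch.

verify_kexts() {
    root=$1
    # Recurse so kexts nested in Contents/PlugIns are checked as well.
    find "$root" -type d -name '*.kext' -print | {
        bad=0
        while IFS= read -r kext; do
            # Step 1: presence. codesign -d fails when there is no signature.
            if ! codesign -d "$kext" >/dev/null 2>&1; then
                printf 'UNSIGNED %s\n' "$kext"
                bad=1
                continue
            fi
            # Step 2: validity. --verify checks the signature against the
            # bundle's current contents; --strict applies stricter checks.
            if ! codesign --verify --strict "$kext" >/dev/null 2>&1; then
                printf 'INVALID %s\n' "$kext"
                bad=1
            fi
        done
        # Exit status of the group becomes the function's status.
        [ "$bad" -eq 0 ]
    }
}

# Scan only when a directory is given, e.g.: sh check.sh /System/Library/Extensions
if [ "$#" -gt 0 ]; then
    verify_kexts "$1"
fi
```

The function returns non-zero when any kext is reported, so a calling script can branch on its exit status.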