
#28 Notarizing the kexts

Milestone: git_master
Status: open
Owner: nobody
Labels: None
Priority: 1
Updated: 2019-11-19
Created: 2019-04-12
Private: No

Are there any plans to provide notarized versions of the tun and tap kexts? As of macOS 10.14.5, kexts that are not notarized and have not been previously used on a system cannot be loaded. [1]

As an alternative, does anyone have tips for converting the source code into an Xcode project so the kexts can be notarized?

I'm particularly interested in the tap kext, because recent macOS versions include a "utun" driver which seems to work as a replacement for the tun kext.

[1] https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution?language=objc says:

"Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run."

My experiments with 10.14.5 Beta 2 show that by "new or updated" they mean not having been loaded by the system at some earlier time.

Discussion

  • Mattias Nissler

    Mattias Nissler - 2019-05-03

    Apple sent me a nudge a while back and a I got 2-3 other requests. That's not a lot so I figured we can put the project to rest after more than a decade. That said, if more demand shows up, I might try to carve out some time and take a look after all.

    The other factor is that I'm no longer actively using a Mac these days, so it'd be a bit of work to get a dev environment up and running again.

  • Jonathan K. Bullard

    Understandable.

    Tunnelblick [1] still needs the tap kext to make tap connections, so I will work on getting both kexts notarized for Tunnelblick. They would then be available to anyone. The next beta version of Tunnelblick will probably include notarized kexts; subscribe to the Tunnelblick Announce Mailing List [2] to be notified when that happens.

    Mattias, thanks for all your work creating these kexts and making them publicly available.

    [1] https://tunnelblick.net
    [2] https://groups.google.com/forum/#!forum/tunnelblick-announce

  • Jonathan K. Bullard

    My earlier comment said

    My experiments with 10.14.5 Beta 2 show that by "new or updated" they mean not having been loaded by the system at some earlier time.

    10.14.5 Beta 3 changes that: it will load a kext that was signed before early April if it was signed with the --timestamp option, so that it has a secure timestamp.

    Apple could change the criteria again, of course, and may very well require notarization in the next version of macOS (10.15), but in the meantime, if the tuntaposx kexts were signed with the --timestamp option, they should still be loadable. Someone should try that out and report back here.


    Last edit: Jonathan K. Bullard 2019-05-03
  • Jonathan K. Bullard

    Tunnelblick includes notarized tun and tap kexts which anyone may extract and use separately from the Tunnelblick application.

    (Tunnelblick is a GUI for OpenVPN on macOS that has been around since 2005 and is actively maintained.)

    The notarized kexts were built for Tunnelblick build 5300 [1]. They are based on tuntaposx 20141104 [2], which has been modified as follows:

    • The CFBundleShortVersionString is appended with " (Tunnelblick build 5300)".
    • The CFBundleVersion is replaced with "5300".
    • The tap CFBundleIdentifier is changed from "net.sf.tuntaposx.tap" to "net.tunnelblick.tap".
    • The tun CFBundleIdentifier is changed from "net.sf.tuntaposx.tun" to "net.tunnelblick.tun".

    To find them inside the Tunnelblick.app:

    1. Download a Tunnelblick disk image from https://tunnelblick.net/downloads.html
    2. Mount the disk image by double-clicking it (if your browser didn't already mount it).
    3. The kexts are located in /Volumes/Tunnelblick/Tunnelblick.app/Contents/Resources and are named "tap-notarized.kext" and "tun-notarized.kext".

    [1] The Tunnelblick build process expands tuntap_20141104_src.tar.gz and patches it using .diff files, making it easy to see no other changes were made to the kexts. See the Tunnelblick source code for details.

    [2] The 20150118 version of tuntaposx did not change the kexts from 20141104, only the documentation, so the 20141104 version is used by Tunnelblick.


    Last edit: Jonathan K. Bullard 2019-06-29
    • Tim Osborn

      Tim Osborn - 2019-07-31

      Thanks Jonathan for doing this. Seems to be what I needed.

  • Phil Smith

    Phil Smith - 2019-11-18

    Thanks! How should these be installed? The tuntap distro is a pkg.

  • Jonathan K. Bullard

    I looked at the pkg. To have the kexts loaded at system startup I think you need to:

    1. Rename the kexts to "tun.kext" and "tap.kext";
    2. Copy the kext(s) you want into /Library/Extensions;
    3. Copy a modified version of two .plist files into /Library/LaunchDaemons; and
    4. Restart the computer.

    The two files are net.sf.tuntaposx.tap.plist and/or net.sf.tuntaposx.tun.plist, and can be found inside the .pkg (using Pacifist or something similar).

    The modifications to make are:

    1. Rename the files to something like "net.tunnelblick.tap.plist" and "net.tunnelblick.tun.plist"; and
    2. Edit the files to replace "net.sf.tuntaposx.tun" and "net.sf.tuntaposx.tap" with "net.tunnelblick.tun" and "net.tunnelblick.tap", respectively.

    I'm not sure this will work on Catalina; it may be that /Library/LaunchDaemons and/or /Library/Extensions are on the read-only volume.

    Also, note that you don't need the tun kext. macOS since 10.6.8 has had a built-in tun driver ("utun"). See Errors Loading Kexts [1] for details about using utun with OpenVPN.

    [1] https://tunnelblick.net/cKextLoadError.html

    [Edited to fix numbering.]


    Last edit: Jonathan K. Bullard 2019-11-18
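    A small shell helper for the two plist edits described above, added here as an example and not taken from tuntaposx or Tunnelblick: it rewrites the LaunchDaemon plist's identifiers and then checks that the daemon's Label agrees with the kext's CFBundleIdentifier, so a half-edited file is caught before a restart. The sample LaunchDaemon plist and kext Info.plist are constructed stand-ins; the /Library paths are the ones from the comment.

```shell
#!/bin/sh
# Added example, not part of tuntaposx or Tunnelblick: rewrite a tuntaposx
# LaunchDaemon plist for a Tunnelblick-built kext and verify the identifiers agree.
# The plist contents below are constructed, not copied from the tuntaposx .pkg.
set -eu

# rewrite_plist SRC DST OLD_ID NEW_ID: copy SRC to DST, replacing OLD_ID with NEW_ID.
rewrite_plist() { sed "s|$3|$4|g" "$1" > "$2"; }

# plist_string FILE KEY: value of the <string> that follows <key>KEY</key>
# (assumes a pretty-printed plist with key and value on separate lines).
plist_string() {
  awk -v key="<key>$2</key>" '
    found && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
    index($0, key)      { found = 1 }' "$1"
}

# daemon_matches_kext DAEMON_PLIST KEXT_DIR: succeeds when the daemon's Label equals
# the kext's CFBundleIdentifier, i.e. both files were edited consistently.
daemon_matches_kext() {
  [ "$(plist_string "$1" Label)" = "$(plist_string "$2/Contents/Info.plist" CFBundleIdentifier)" ]
}

# Constructed stand-ins for net.sf.tuntaposx.tap.plist and the notarized tap kext.
work=$(mktemp -d)
mkdir -p "$work/tap.kext/Contents"
cat > "$work/net.sf.tuntaposx.tap.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key>
  <string>net.sf.tuntaposx.tap</string>
  <key>ProgramArguments</key>
  <array><string>/sbin/kextload</string><string>/Library/Extensions/tap.kext</string></array>
</dict></plist>
EOF
cat > "$work/tap.kext/Contents/Info.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key>
  <string>net.tunnelblick.tap</string>
</dict></plist>
EOF

old="$work/net.sf.tuntaposx.tap.plist"; new="$work/net.tunnelblick.tap.plist"
rewrite_plist "$old" "$new" net.sf.tuntaposx.tap net.tunnelblick.tap
if daemon_matches_kext "$new" "$work/tap.kext"; then
  echo "ok: $(plist_string "$new" Label) matches the kext; copy $new to /Library/LaunchDaemons"
else
  echo "identifier mismatch, do not install" >&2
fi
```

    Run it on a real system with the plist extracted from the .pkg and the renamed kext in place of the constructed files; the kext rename and the copies into /Library/Extensions and /Library/LaunchDaemons still need root.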
  • Phil Smith

    Phil Smith - 2019-11-19

    I created a pkg with the notarized kext files. If anyone has Mojave or later and wants to try this, feel free to contact me.

  • Jonathan K. Bullard

    Hi, Phil. I'm the primary Tunnelblick developer.

    If you're willing, I would be happy to host your pkg on Tunnelblick's Downloads page. Since it consists of Tunnelblick's signed kexts, I think I would be able to sign the pkg, too, which should make the installation smoother for users.

    Just send the pkg to developers@tunnelblick.net, along with a couple of sentences about what it is and how to use it and how you would like your name (or pseudonym) to appear.

    Or I can write the paragraph if you'd like – just let me know how you would like your name to appear.
