Unsigned Device Drivers in OS X v10.11 El Capitan
With the release of OS X v10.10 Yosemite, Apple implemented some security restrictions to prohibit unsigned kernel extensions, mostly in the form of device drivers, from being loaded at startup. This is intended to prevent the loading of rogue or unknown extensions that may create security vulnerabilities within the OS X environment. However, Apple also provided a means of bypassing or disabling this restriction through a “developer mode” allowing unsigned drivers to be loaded.
Many Amateur Radio operators on OS X are using hardware that is currently running with unsigned drivers. While devices such as the SignaLink USB do not require drivers beyond those included in OS X, others such as offerings from West Mountain Radio, Timewave Technology Inc, and more do require the installation of drivers. Currently, some or all of these drivers remain “unsigned” despite these security restrictions being announced 13 months ago and being in place for the past nine months. In some cases, this is likely due to not having any OS X developers on staff or the lack of desire to spend money on an OS X Developer account. In other cases, it is probably due to the perceived low number of OS X users resulting in an acceptable “noise level” when those users complain. No matter what the reason, the continued use of unsigned drivers by the hardware developer puts the Amateur Radio operator in the position of making a choice: higher security but not using the hardware in question, or using the hardware and thereby creating possible security vulnerabilities on their OS X machines.
Based upon comments in postings within the OS X v10.11 El Capitan Developers’ forums, the current method of bypassing the OS X kernel security restrictions will be removed from the El Capitan final release. To quote: “This nvram boot-args command will be going away. It will not be available in the El Capitan release version and may disappear before the end of the Developer Betas.”
So, what does this mean to you, the user of OS X? Well, for starters, if your devices are currently running with unsigned drivers and you are planning on upgrading to OS X v10.11 El Capitan, you may want to consider holding off for a bit when v10.11 is released. Furthermore, you should use the time between now and El Capitan’s release to contact your device manufacturers and let them know about this impending change, let them know how it will “break” your ability to use their devices in OS X, and ask them to release signed drivers as soon as possible. Most of the manufacturers already release signed drivers for Windows users. Their continued use of unsigned drivers for OS X reveals a lack of respect for the security and stability of their users’ systems and shows a bias or perception of Amateur Radio operators using OS X as second-class users.
In the end, this may be about nothing; methods to bypass the restrictions or enter developer mode may remain in El Capitan. Nevertheless, we should encourage all developers and manufacturers to use signed device drivers as a basic matter of system security. As you reach out to hardware manufacturers, feel free to share their responses in the comments section of this post. Let’s build a database of devices and manufacturers that will, or will not, commit to fix this issue. For those that will commit to fix this issue, let’s give them our support, our recommendations, and our business. For those that choose to abandon OS X users, let’s spread the word and warn others about those as well.