by snuxoll 3417 days ago
Kexts must be signed now; Apple can freely revoke developer certs and block them if they so desire.
4 comments

Signing was designed for security purposes, which is the only reason certificate revocation has been used to date. There seems to be a lot of FUD here but without any actual hard examples.
But it prevents doing what you just said above:

> Developers can ask users for their admin password, sudo to root and largely do whatever they want including adding kernel extensions and drivers.

Having a technical means to make distribution of a driver awkward is quite a few steps short of forbidding it.
But they only use this power to shut out malware. Not to nix software they don't like.
Windows drivers need to be signed as well, what's the problem?
But not by Microsoft, you can opt to obtain WHQL certification for your driver and have MS sign them - but it's also acceptable to get a code signing cert from any trusted CA.

Apple controls all the keys for macOS; AFAIK there's not even an option to add additional CAs for code-signing trust. To get around this you have to completely disable SIP, and it's rather stupid to tell users they must disable a well-meaning (if somewhat poorly implemented) security feature to install a kext because Apple doesn't like you (no knowledge if this has happened, but it can, and I don't care for that).