Karabiner-elements: System policy prevents loading the kernel extension. (Cannot Resolve)

It's an macOS issue.
There are two work-arounds:

• Use the latest beta version if you are using macOS Catalina.
  The latest beta version does not use kernel extension, so this issue does not happen.
  https://karabiner-elements.pqrs.org/docs/manual/operation/check-for-updates/
• Use spctl in recovery mode.
  https://github.com/pqrs-org/Karabiner-Elements/issues/1701

I recommend the first work-around.

I'm using Mojave 10.14.6. Do you still recommend using the latest beta version as a solution?

I had same issue on macOS Catalina 10.15.7 and Karabiner version 12.95.5, but any work-arounds can't solve.
Do you have any solutions or using same versions ?

@brandonspeaks
The latest beta supports macOS Catalina or later.
(The current stable release is the last version which supports Mojave)

So, the spctl is the most reliable way on.Mojave.

There are some alternative.
These are somewhat easier, but it's not clear if they will solve solution.

• Restart macOS, and then open System Preferences.
• Start macOS in Safe Mode to purge system caches: https://support.apple.com/kb/ht1455
• Reset NVRAM and PRAM: https://support.apple.com/ja-jp/HT204063

@Takashi-kun
Karabiner-Elements 12.95.5, the solution is completely different.

Open Karabiner-Elements preferences, then an alert will be shown about DriverKit driver.
If the allow button is still hidden on System Preferences, follow the "Advance" section in the alert.
(Press deactivate button, and then press activate button.)

I have the same situation with identical versions as @Takashi-kun .
The "Allow"-button in System Preferences shows up but has no effect. When I restart Karabiner or restart the Mac, I get The alert again.
I tried deactivating and reactivating the driver as well, unfortunately with the same result.

@mattti
If the allow button exists, this article helps you.
https://karabiner-elements.pqrs.org/docs/help/troubleshooting/kext-allow-button-does-not-work/

Running into similar problems. Just to be sure: I'm running a beta OS (11.0 Beta 9(20A5384c)) and can't offer a patch, so I'm neither demanding nor asking tekezo to spend any time on this, especially not if it works for them and/or others. This installation has also gone through every MacOS release including betas of the last four years or so, and the real surprise is that anything works at all.

But I have a little more information that may be useful to debugging, at least when combined with more knowledge of MacOS internals than I have.

Manually calling the activation returns this error:

$ sudo /Applications/.Karabiner-VirtualHIDDevice-Manager.app/Contents/MacOS/Karabiner-VirtualHIDDevice-Manager activate
-> activation of org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is requested
-> request of org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is failed with error: The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 8.)

Which, if I'm not mistaken, translates to

static var codeSignatureInvalid: OSSystemExtensionError.Code:
  An error code that indicates the extension’s signature is invalid.

(https://developer.apple.com/documentation/systemextensions/ossystemextensionerror/3295866-codesignatureinvalid)

Here is (roughly) what Console shows at that moment in time. The last six lines are where it goes off the rails, I believe.

68976   default <Missing Description>   00:01:02.938374+0200        255 secinitd    Karabiner-VirtualHIDDevice-Manager[3270]: root path for bundle "<private>" of main executable "<private>"
62817   default SecError    00:01:02.942167+0200    com.apple.securityd 154 trustd  OCSPResponse: single response has extension(s).
62820   default xpc 00:01:02.944550+0200    com.apple.containermanager  255 secinitd    Requesting container lookup; class = <private>, identifier = <private>, temp = <private>, create = <private>, euid = <private>, uid = <private>, personaid = <private>, type = <private>, name = <private>
62820   default xpc 00:01:02.944576+0200    com.apple.containermanager  255 secinitd    Encoded client object as: <private>
62821   default unspecified 00:01:02.946027+0200    com.apple.containermanager  255 secinitd    container_create_or_lookup_app_group_paths_for_platform: success
68976   default unspecified 00:01:02.946472+0200    com.apple.containermanager  255 secinitd    container_copy_info: success
68976   default unspecified 00:01:02.946562+0200    com.apple.containermanager  255 secinitd    container_copy_path: success
68976   default <Missing Description>   00:01:02.947061+0200        255 secinitd    Karabiner-VirtualHIDDevice-Manager[3270]: AppSandbox request successful
68978   default xpc 00:01:02.947537+0200    com.apple.containermanager  3270    Karabiner-VirtualHIDDevice-Manager  Requesting container lookup; class = <private>, identifier = <private>, temp = <private>, create = <private>, euid = <private>, uid = <private>, personaid = <private>, type = <private>, name = <private>
68978   default xpc 00:01:02.948077+0200    com.apple.containermanager  251 containermanagerd   [<private>] command=<private>, client=<private>, error=(none)
68977   default unspecified 00:01:02.948177+0200    com.apple.containermanager  3270    Karabiner-VirtualHIDDevice-Manager  container_create_or_lookup_for_platform: success
62844   default SecError    00:01:02.954003+0200    com.apple.securityd 154 trustd  OCSPResponse: single response has extension(s).
0   default <Missing Description>   00:01:02.956161+0200        519 sysextd attempting to realize extension with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
62846   default SecError    00:01:02.959970+0200    com.apple.securityd 154 trustd  OCSPResponse: single response has extension(s).
0   default <Missing Description>   00:01:02.961808+0200        519 sysextd Realizing target path: <private>
0   default <Missing Description>   00:01:02.962027+0200        519 sysextd Bundle class: UncachedBundle
68992   default SecError    00:01:02.965791+0200    com.apple.securityd 154 trustd  OCSPResponse: single response has extension(s).
68756   default background  00:01:02.967917+0200    com.apple.nsurlsessiond 387 nsurlsessiond   NDSession <774AF2B6-0983-4474-937C-ADC110A2014D> Task <A55FB9BC-E204-4129-9A3F-63F480078819>.<802> did receive data (3865210 of 4387141 total bytes)
68994   default SecError    00:01:02.971342+0200    com.apple.securityd 154 trustd  OCSPResponse: single response has extension(s).
68996   default SecError    00:01:02.977121+0200    com.apple.securityd 154 trustd  OCSPResponse: single response has extension(s).
68998   default SecError    00:01:02.982276+0200    com.apple.securityd 154 trustd  OCSPResponse: single response has extension(s).
0   default <Missing Description>   00:01:02.984242+0200        519 sysextd staging extension with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
0   default staging 00:01:02.985493+0200    sysextd 519 sysextd staging bundle from /Applications/.Karabiner-VirtualHIDDevice-Manager.app/Contents/Library/SystemExtensions/org.pqrs.Karabiner-DriverKit-VirtualHIDDevice.dext to: /Library/SystemExtensions/.staging/0180C596-C480-40F4-BEDB-30AB3B10C148/org.pqrs.Karabiner-DriverKit-VirtualHIDDevice.dext
69000   default SecError    00:01:02.994328+0200    com.apple.securityd 154 trustd  OCSPResponse: single response has extension(s).
0   default <Missing Description>   00:01:02.995824+0200        519 sysextd Making activation decision for extension with teamID teamID("G43BCU2T37"), identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
0   default <Missing Description>   00:01:02.995847+0200        519 sysextd No extension policy -- activation decision is UserOption
0   default <Missing Description>   00:01:02.995865+0200        519 sysextd validating extension with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
69002   default SecError    00:01:03.000072+0200    com.apple.securityd 154 trustd  OCSPResponse: single response has extension(s).
**0 error   logging 00:01:03.004502+0200    com.apple.libsqlite3    126 syspolicyd  file is not a database in "SELECT tickets.flags  FROM hashes INNER JOIN tickets ON hashes.ticket_id = tickets.id  WHERE hashes.hash = ?1 AND hashes.hash_type = ?2"**
0   error   default 00:01:03.004540+0200    com.apple.syspolicy 126 syspolicyd  SQL error '<private>' (26)
0   error   default 00:01:03.004573+0200    com.apple.syspolicy 126 syspolicyd  Prepare error (26) on query: SELECT tickets.flags  FROM hashes INNER JOIN tickets ON hashes.ticket_id = tickets.id  WHERE hashes.hash = ?1 AND hashes.hash_type = ?2
0   default security_exception  00:01:03.004637+0200    com.apple.securityd 519 sysextd MacOS error: 3
0   default SecError    00:01:03.007000+0200    com.apple.securityd 519 sysextd Error checking with notarization daemon: 3
0   error   <Missing Description>   00:01:03.007169+0200        519 sysextd bundle code signature is not valid - does not satisfy requirement: -67050 code failed to satisfy specified code requirement(s)
0   default <Missing Description>   00:01:03.007281+0200        519 sysextd extension failed to validate! uninstalling...
0   default <Missing Description>   00:01:03.007299+0200        519 sysextd uninstalling invalid extension org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
0   default <Missing Description>   00:01:03.010294+0200        519 sysextd finished uninstalling extension org.pqrs.Karabiner-DriverKit-VirtualHIDDevice
0   default <Missing Description>   00:01:03.010328+0200        519 sysextd waiting for external validation of extension with identifier org.pqrs.Karabiner-DriverKit-VirtualHIDDevice

So it seems to be a failure in code signing, and specifically some sqlite database that is corrupted? I haven't figured out how to disable the anonymizing of log messages to show the specific file in question.

The above was from 12.95.5. The same happens on 12.95.6. Security & Privacy -> Privacy -> Input monitoring shows three related entries, karabiner_grabber, karabiner_observer, and Karabiner-EventViewer.app, which are all checked.

But the driver debugging screen shows when launching Karabiner Preferences. The System Preferences open from there but do not show the "...has been blocked" message nor button.

Deactivating asks for password and probably fails silently after that. Clicking "activate" does nothing, probably with the error from the first quote, above.

@MatthiasWinkelmann Where did you get the Karabiner-Elements package?
(The following page or beta updates or your own build?)
https://github.com/pqrs-org/Karabiner-Elements/releases/tag/beta

And systemextensionsctl list command is useful to confirm the driver loading status.

@mattti
If the allow button exists, this article helps you.
https://karabiner-elements.pqrs.org/docs/help/troubleshooting/kext-allow-button-does-not-work/

I could actually click the button and it disappeared, however karabiner still showed the warning.
Anyways, I upgraded now to Big Sur Beta 9, now everything works as expected.
Thanks for the help and for all the work!

I upgraded to Karabiner-Elements version 13.0.0 (following Karabiner's prompt to do so) and am having the same issue as above -- I do not see an Allow button. I am running macOS 10.15.2. Thank you

It's now working for me. Unfortunately, a few things were changed so I can't pinpoint the exact resolution. Deactivating CSR is the most likely. I should have tried that far earlier, but had believed it to already be off.

I also reinstalled XCode and the Command Line Utilities. I don't see how they figure into it (I was using downloaded build). But there were issues with code signing unrelated software, such as XCode restarting the verification after every reboot. The reinstall may just have reset something to working condition.

Also quit all applications that have permissions to control input devices / Accessibility (Magnet, iTerms2, Hammerspoon, etc.), as someone wrote that these may interfere (they could grant themselves more permissions without the user noticing, so Apple deactivates it completely under some circumstances. Not too sure of that idea, but it's easy to do and riskless.)

@tekezo I was/am running "official builds" only. Thank you for your work!

As noted in #2445, re-installing version 12.10.0 works! Phew :-) I'll stay on that version for now.

@tekezo Thank you for your work, and I tried suggestion to press deactivate and activate .
But unfortunately, I got same result(no Allow button appeared in System Preferences)
Also I tried Karabiner-VirtualHIDDevice-Manager via console, it returns below results.

$ /Applications/.Karabiner-VirtualHIDDevice-Manager.app/Contents/MacOS/Karabiner-VirtualHIDDevice-Manager deactivate
deactivation of org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is requestedrequest of org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is failed with error: The operation couldn't be completed. (OSSystemExtensionErrorDomain error 4.)

$ /Applications/.Karabiner-VirtualHIDDevice-Manager.app/Contents/MacOS/Karabiner-VirtualHIDDevice-Manager activate
activation of org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is requestedrequest of org.pqrs.Karabiner-DriverKit-VirtualHIDDevice is failed with error: The operation couldn't be completed. (OSSystemExtensionErrorDomain error 10.)

@Takashi-kun I have the same issue, the only way for me to get this to work is by disabling SIP. (boot into recovery mode and run csrutil disable in terminal) But this is not a good idea in general.
I have no idea how to work around this...

Thank you for feedbacks!

@gregsadetsky
It might be old Catalina issue.
I think you keeps macOS version intentionally, so please use v12.10.0 until updating macOS.

@MatthiasWinkelmann
It's good!
I guess the cache of CSR or code signing may have been corrupted.
Karabiner-Elements works with SIP, so I recommend enable SIP back on.

@Takashi-kun
The error 10 is OSSystemExtensionErrorForbiddenBySystemPolicy.
So, the allow button should be visible but hidden due to macOS issue.

There is no further solution on the karabiner-elements side, but
there are ways that may remove the cause of some macOS problems.

• Resetting your Mac's PRAM and NVRAM
  https://support.apple.com/kb/ht1379
• Starting up in Safe Mode (Safe Mode purges cache files)
  https://support.apple.com/kb/ht1455

I confirmed macOS Catalina sometimes fails the activate the driver property.
In this case, restart macOS just after deactivating driver may solve the issue.

https://karabiner-elements.pqrs.org/docs/help/troubleshooting/driver-alert-keeps-showing-up/
(macOS Catalina Note #1)

I had the same issue as @brandonspeaks (on Mojave 10.14.6), and I could resolve it by:

1. Restart in recovery mode (keep pressing Cmd+R).
2. Open terminal, type spctl kext-consent add G43BCU2T37.
3. Restart normally.
4. I needed to start Karabiner manually (not sure why), and it works now.

Thanks to @tekezo & others.