No, I never said that, nor did i "confirm" it. My question above points out the problem. I'm getting the distinct feeling you never read the Code Requirements article, because there are at least two points they make: first, that "anchor trusted" doesn't mean what you think it does, and second, that without an explicit "trusted" argument, the code requirement doesn't check the trust of a certificate. I don't know or control the trusted status of "apple generic" certificate chains ("anchor trusted" doesn't mean "anchor root trusted"), and have no intention of increasing the scrutiny on them. The only goal of this exercise is to allow kext-type certificates which pass "anchor trusted" to be allowed. Why touch the rest?