Last I checked, you have to disable signature checking on kernel extensions. For some, having to trade off that level of security is a pretty big flaw.

I mean, that was standard until what 2 years ago? Not checking extensions was okay for about 42 years, I’m not sure anything really changed in the last 2. I doubt that most security experts will tell you otherwise when getting a signing certificate takes all of 5 minutes. The benefit you get is revocation but it really depends on your threat model right?

I assume you're being downvoted because of the unnecessary political commentary.

However, I am curious as to the process for getting a kext signing cert, as that plays a part in the value of having the certs in the first place or not.

I didn't mention anything about serial numbers and the fun and games that goes on there when trying to get a Hackintosh working with iMessage/Facetime/iCloud services, which is a bit of a mixed bag. There could be security implications related to that, that haven't been worked out of the woodwork yet, but the kernel extensions feels like the biggest risk there.