
startergo

macrumors 603
Sep 20, 2018
5,021
2,282
That's a lie. They can and have revoked code signing before. The entire reason they force KEXTs to be signed is so they can revoke them. It's part of their malware control strategy. If there was a virus using kexts to bypass security they can nuke it remotely.

The figment of truth there is that Apple wouldn't revoke code signing just for being old. Like I said earlier in the thread, code signing doesn't expire. Otherwise old apps would break all the time for signing reasons.

I don't have evidence that's what happened here. But they have done it before. And computers are blocking the KEXTs after they phone home. Soooo...
I think you are missing the point that Nvidia also does not want stolen identity being used by impersonators. I don't know how the process works, but if I were them and something like this happened and I couldn't revoke the certificate I would ask Apple to do it.
 

goMac

macrumors 604
Apr 15, 2004
7,663
1,694
I think you are missing the point that Nvidia also does not want stolen identity being used by impersonators. I don't know how the process works, but if I were them and something like this happened and I couldn't revoke the certificate I would ask Apple to do it.
Their KEXT signing certificate has nothing to do with their stolen certificate. The KEXT signing certificate is an Apple certificate, not an Nvidia one.

Maybe Nvidia asked Apple to remotely nuke their KEXT. But if they did it over their cert leak then they don't know what they are doing. They're two different certs.
 

startergo

macrumors 603
Sep 20, 2018
5,021
2,282
But if they did it over their cert leak then they don't know what they are doing. They're two different certs.
Could be. But, again, what is the first thing you will do if your wallet is stolen? Block all your credit cards?
 

eierfrucht

macrumors newbie
Jun 5, 2022
25
22
The below steps will resolve your issue at the cost of waiving the operating system’s ability to block signatures revoked for legit security reasons. If you have previously tampered with an affected system, please revert to the most recent Time Machine backup (no manual signature-stripping or hauling around of system files).

Step 1. Physically disconnect the affected device from the web. Powering down the router for a few minutes will do just fine.

Step 2. Boot into Safe Mode. Everything will be extremely laggy, be patient.

Step 3. Launch Terminal and enter the command ‘sudo nano /etc/hosts’, once prompted provide the password.

Step 4. Append the following lines to the file’s contents:

127.0.0.1 ocsp.apple.com
127.0.0.1 ocsp2.apple.com
127.0.0.1 ocsp.digicert.com

Save changes and exit.

Step 5. Run the following batch of Terminal commands:

crlrefresh rp
sudo rm -f /var/db/crls/*cache?.db
sudo date -u 020200002020
sudo reboot

Your computer will immediately reboot after the last command. Upon seeing the desktop again, you should notice that everything is back to normal. You can now reconnect to the internet. System time and date will automatically adjust themselves upon reconnecting. If some apps throw errors related to bad time and date, another reboot will fix that. Don’t worry if you run into any scary messages upon the first reboot.

The ‘sudo date’ shift trick is 90% likely unnecessary but better safe than sorry. It’s there just to lure the system (now reverted to a clean state) into repeating any sneaky moves it’s compelled to make since the 1st of June, just to check it no longer breaks itself.
 
Last edited:
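
An added example, not part of any post in this thread: because the hosts-file entries above silently turn off online revocation checking, an administrator may want to detect them on a machine. The script reports active hosts entries that redirect the three OCSP responders named in the post; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a hosts file for entries that
# redirect certificate-revocation (OCSP) responders away from the real servers.

# Responder hostnames named in the post above.
OCSP_HOSTS="ocsp.apple.com ocsp2.apple.com ocsp.digicert.com"

# find_ocsp_overrides FILE (hypothetical helper name)
# Prints "address hostname" for each active entry that maps a watched
# responder to any address; commented-out entries are ignored.
find_ocsp_overrides() {
    awk -v watch="$OCSP_HOSTS" '
        BEGIN { n = split(tolower(watch), w, " ")
                for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            sub(/#.*/, "")                # strip whole-line and trailing comments
            for (i = 2; i <= NF; i++) {   # field 1 is the address, the rest are names
                h = tolower($i)
                sub(/\.$/, "", h)         # tolerate a trailing root dot
                if (h in want) print $1, h
            }
        }' "$1"
}

# count_ocsp_overrides FILE: number of overridden responder names
count_ocsp_overrides() { find_ocsp_overrides "$1" | wc -l | tr -d ' '; }

# audit_hosts FILE: report findings; returns 1 when any override is active
audit_hosts() {
    hits=$(find_ocsp_overrides "$1")
    if [ -z "$hits" ]; then
        echo "OK: no OCSP responder overrides in $1"; return 0
    fi
    echo "WARNING: revocation lookups are redirected in $1:"
    echo "$hits" | sed 's/^/  /'
    return 1
}

# Constructed sample hosts file used for demonstration and testing.
make_sample_hosts() {
    cat <<'EOF'
127.0.0.1   localhost
# 127.0.0.1 ocsp.apple.com   (commented out, so not active)
127.0.0.1 ocsp.apple.com
0.0.0.0   OCSP2.apple.com ocsp.digicert.com  # trailing comment
127.0.0.1 notocsp.apple.com.example
EOF
}

# Audit the file given on the command line, e.g. /etc/hosts.
if [ "$#" -gt 0 ]; then audit_hosts "$1"; fi
```

Run it with a hosts file path as the only argument; a non-zero exit status means at least one responder is overridden.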

George_B

macrumors newbie
Jun 5, 2022
2
0
The below steps will resolve your issue at the cost of waiving the operating system’s ability to block signatures revoked for legit security reasons. If you have previously tampered with an affected system, please revert to the most recent Time Machine backup (no manual signature-stripping or hauling around of system files).

Step 1. Physically disconnect the affected device from the web. Powering down the router for a few minutes will do just fine.

Step 2. Boot into Safe Mode. Everything will be extremely laggy, be patient.

Step 3. Launch Terminal and enter the command ‘sudo nano /etc/hosts’, once prompted provide the password.

Step 4. Append the following lines to the file’s contents:

127.0.0.1 ocsp.apple.com
127.0.0.1 ocsp2.apple.com
127.0.0.1 ocsp.digicert.com

Save changes and exit.

Step 5. Run the following batch of Terminal commands:

crlrefresh rp
sudo rm -f /var/db/crls/*cache?.db
sudo date -u 020200002020
sudo reboot

Your computer will immediately reboot after the last command. Upon seeing the desktop again, you should notice that everything is back to normal. You can now reconnect to the internet. System time and date will automatically adjust themselves upon reconnecting. If some apps throw errors related to bad time and date, another reboot will fix that. Don’t worry if you run into any scary messages upon the first reboot.
Hello!

I don't know, how to thank you. Worked like a charm. Thank you again! 🤣
 

eierfrucht

macrumors newbie
Jun 5, 2022
25
22
You must now stay alert for malware and potentially unwanted software using revoked certificates as fig leaves; the built-in protection will no longer shield you from that sort of threat. Or in other words, don’t download & run sketchy 3rd party installers, use only trusted software sources.
 

George_B

macrumors newbie
Jun 5, 2022
2
0
The applications have been in a static state for two years, I'm using it only for small works (hobby) on microcontrollers. Anyway, thanks for the warning too.
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
Hi everybody. Is someone able to download High Sierra 13.6 (17g65), and where? I’m blocked with 17g66. The patch for unsupported Macs gets that one. Do you have a link for it?

And maybe someone can make a tutorial fully for newbies which explains all the process to get it to work. My Mac is a 3.1 early 2008. Everything was OK since Friday and then I get crazy. I’ve tested all the 3 graphics cards I have, and no way. Depacking and repacking make the web driver installation but then the problem is back. My web driver should be 387.10.10.10.40.105 for 17g65 HS.
I'm sure I’m missing something 🧐

I need to start from the install of HS (17G65) and then do the process. I tried 2 times but I never succeed. I know I'm not able to process clearly. I need a clear and basic tutorial to avoid mistakes.
Salutations from France ;)
Please help 🙏🙏

Dayo

macrumors 68020
Dec 21, 2018
2,257
1,279
I need a clear and basic tutorial to avoid mistakes
The steps needed to overcome this issue have been posted for a few days now: See This Post on Page 4. It has also been repackaged and represented by others in a few posts since.

While there was good reason to look into it, the attempts to remove certificates ended up being a confusing distraction as they do not work at this time.

Until someone finds a way to bypass that roadblock or Apple and/or Nvidia issue a replacement cert, stick with blocking the process as outlined in that post and do not install dodgy stuff.

I have updated the post to reflect the current state of play on things.
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
The steps needed to overcome this issue have been posted for a few days now: See Post 82 on Page 4. It has also been repackaged and represented by others in a few posts since.

While there was good reason to look into it, the attempts to remove certificates ended up being a confusing distraction as they do not work at this time.

Until someone finds a way to bypass that roadblock or Apple and/or Nvidia issue a replacement cert, stick with blocking the process as outlined in that post and do not install dodgy stuff.

I have updated the post to reflect the current state of play on things.
Thank you. I’ll try this now. I’ve seen differences in steps depending on the supported Mac or not for HS. I’m on a patched OS X. Hope this time I’ll use the good steps for my Mac.
CANNOT FIND ANY HS 10.13.6 (17g65)? Only 17g66 :(
 

Dayo

macrumors 68020
Dec 21, 2018
2,257
1,279
I’ve seen differences in steps depending on the supported Mac or not
I can only tell you about what I wrote in that post and it makes no difference whether running supported or unsupported
 

eierfrucht

macrumors newbie
Jun 5, 2022
25
22
The applications have been in a static state for two years, I'm using it only for small works (hobby) on microcontrollers. Anyway, thanks for the warning too.
Purchasing an Apple-notarized certificate to intentionally sign malware would be a most foolish move anyways, so nearly 100% instances of Apple revoking certificates for non-commercial reasons deal with good-faith software with previously discovered grave vulnerabilities that a problematic developer won’t fix despite warnings and pulling the bad stuff off Appstore — to protect the users who already have the leaky app installed but the vulnerability is super urgent.

There barely exists any actual outright malign malware that parades under rogue certificates that once were issued and authorized by Apple.

Nevertheless this attack vector is immensely dangerous in theory so I felt like warning y’all that the fix comes with a catch.
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
I’ve done all the process but I could not purge the current certificate revocation list: it says couldn’t open database file, and when I try to install the web driver it says that I have to put it in the trash as before … no luck for me, date set as said etc … don’t know if the reason is that my OS X is 17g66 or else?
 

ndruha

macrumors newbie
Jun 2, 2022
5
3
You must now stay alert for malware and potentially unwanted software using revoked certificates as fig leaves; the built-in protection will no longer shield you from that sort of threat. Or in other words, don’t download & run sketchy 3rd party installers, use only trusted software sources.
You can also probably check any 3rd party installers / dmg on virustotal.com
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
Really annoying bug. Normally I get all good. But since Friday I'm stuck on that f....g trouble with webdriver and CUDA to put back my GTX 970 on my Mac Pro 3.1
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
In fact I do need 17G65 instead of 17G66 because of the webdriver, as it was before my system made me go crazy ;) I just found it. It's the 13.0.64 install of HS 17G65 10.13.6. Anyway, I will consider making a Windows machine with that Mac Pro if all the tricks you gave here won't work for me. I'm lost for now because I was on a project on that Mac.
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
Even with the date change in Terminal, the date came back to today after a few minutes, no internet connection, no cable on. Very strange, all that.
 

ori69

macrumors member
Mar 10, 2022
47
25
In fact I do need 17G65 instead of 17G66 because of the webdriver, as it was before my system made me go crazy ;) I just found it. It's the 13.0.64 install of HS 17G65 10.13.6. Anyway, I will consider making a Windows machine with that Mac Pro if all the tricks you gave here won't work for me. I'm lost for now because I was on a project on that Mac.
Try High Sierra Security Update 2020-01
 

LongWelsh

macrumors newbie
Mar 28, 2012
5
1
Might be useful for an admin to sticky a solution to the top of this thread.

Fix worked really well blocking OCSP in hosts file. Nvidia driver panel still messed up in restarting loop on System Preferences, I’m guessing it would have to be a repeat of the fix removing the certs and resetting time? Good to know in case the web driver switches off randomly as it occasionally does after an NVRAM reset or something like that.
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
Might be useful for an admin to sticky a solution to the top of this thread.

Fix worked really well blocking OCSP in hosts file. Nvidia driver panel still messed up in restarting loop on System Preferences, I’m guessing it would have to be a repeat of the fix removing the certs and resetting time? Good to know in case the web driver switches off randomly as it occasionally does after an NVRAM reset or something like that.
OK, so the pref pane of the Nvidia webdriver is still messing up after a good install? Good to know if it is ;)
 

eierfrucht

macrumors newbie
Jun 5, 2022
25
22
I’ve done all the process but I could not purge the current certificate revocation list: it says couldn’t open database file, and when I try to install the web driver it says that I have to put it in the trash as before … no luck for me, date set as said etc … don’t know if the reason is that my OS X is 17g66 or else?
You must figure out why it fails. You should be using Safe Mode, not Recovery Mode or Single User Mode. The ‘crlrefresh rp’ command must be run as a regular user, not as root and not via sudo.

Nvidia driver panel still messed up in restarting loop on System Preferences,

Use UninstallPKG to completely purge the web drivers, do the whole hosts blocking spiel again, reinstall drivers. I see no reason why the prefpane would break like that unless previously tampered with.

I normally keep Gatekeeper off. If yours was on, it might have smart-assedly Quarantined the actual installed .prefpane file wherever it’s stored on the disk. Quarantined apps spawn a corresponding pop-up on launch. Quarantined prefpanes that have already been installed into the system? Who knows! Maybe they just crash.

Even with the date change in Terminal, the date came back to today after a few minutes, no internet connection, no cable on.

That’s weird. Resetting the date normally makes the auto apfs check freak out in the boot log, maybe some service eventually adjusts the time/date to a value greater than the last access time/date attested by the APFS volume metadata.

Anyway the ‘sudo date’ step is not essential, like I mentioned before. It’s just to make sure that passing the 1st of June results in ocsp being unable to fetch the blacklist.

don’t know if the reason is that my OS X is 17g66 or else ?

My suggested solution works for Nvidia Web Driver 387.10.10.10.40.140 running on High Sierra build 17G1404. If yours is different and you are unwilling to update, you are completely on your own. Screw around and find out.
 