
motionSOUL

btw:

I rolled back my High Sierra Copy to a state before all this fiddling,

installed the MyWebDriver.pkg

deleted the com.apple.trustd contents and locked it

Webdriver runs.

No /etc/hosts edited, correct date and Internet was up all the time.

see https://forums.macrumors.com/thread...idia-webdrivers-anymore.2346445/post-31169311

all credits to the contributors in the thread, I just got together what was written here :)
How did you install the "MyWebDriver.pkg"? My system simply refuses to open it due to certificate loss.
 

startergo

Therefore it will fail to list all files in some subdirectories even as root user.
Why would you need a sudo as a root user? Isn't this redundant? I was just testing the command. Anyway root and/or sudo issued and still some folders are protected. Hopefully the command is consistent for HS at least.
 

Macschrauber

I wrote a little script for deleting the com.apple.trustd content in /private/var/folders that displays a dialog with the command before execution.

So one has the ability to stop it if something runs mad.

I will give it some testing and post a link later.
 

DTRX

Why would you need a sudo as a root user? Isn't this redundant? I was just testing the command. Anyway root and/or sudo issued and still some folders are protected. Hopefully the command is consistent for HS at least.
I just added it to make sure root permissions are required to list and remove files in this special directory.
 

DTRX

I wrote a little script for deleting the com.apple.trustd content in /private/var/folders that displays a dialog with the command before execution.

So one has the ability to stop it if something runs mad.

I will give it some testing and post a link later.
I bet that would be helpful, thank you in advance.
 

Macschrauber

Here's a little script that walks through /private/var/folders/, deletes the content of the com.apple.trustd folders and locks them against further modification.

Those are the findings of @DTRX, I just put together what was written.

It first displays a dialog with the command that is about to be executed, so you can stop it beforehand.

(screenshot: Dialog.png)


I am not responsible for any damage you do with it. As always, back up before using a tool that deletes stuff.

For running the modded Webdrivers, System Integrity Protection must be turned off. The script displays the SIP status as well.

There are 2 scripts, one for just displaying the commands for a quick test run and the script that executes them.


here's the AppleScript Code:

Code:
use AppleScript version "2.4" -- Yosemite (10.10) or later
use framework "Foundation"
use scripting additions


on run
    display dialog "This script by Macschrauber deletes all content of com.apple.trustd folders in /private/var/folders." & return & return & ¬
        "It displays the command first before executing so you can stop it by the Cancel button." & return & return & ¬
        "Do not use it if you are not exactly sure what you are doing !"

    set the_password to ""

    -- show the current System Integrity Protection state (the modded Webdriver needs SIP off)
    display dialog (do shell script "csrutil status")


    -- "ls -R" prints one "<directory>:" header per folder; keep only the com.apple.trustd ones
    set the_list to do shell script "ls -R /private/var/folders/ | grep com.apple.trustd:" password the_password with administrator privileges

    repeat with the_line in every paragraph of the_list

        -- drop the trailing colon of the ls header to get the folder path
        set com_apple_trustd_folder to items 1 thru -2 of the_line as text

        -- empty the folder, then set the user-immutable flag so it cannot be repopulated
        set remove_command to "rm -R " & com_apple_trustd_folder & "/*"
        set uchg_command to "chflags uchg " & com_apple_trustd_folder

        -- Cancel in either dialog raises an error outside the try blocks and aborts the script
        display dialog "execute " & remove_command
        try
            do shell script remove_command password the_password with administrator privileges
        end try
        display dialog "execute " & uchg_command
        try
            do shell script uchg_command password the_password with administrator privileges
        end try
    end repeat

end run


and a zip archive: https://www.dropbox.com/s/cc91kydozj4l72x/com_apple_trustd.zip?dl=0


Edit: Added an AppleScript "Mod WebDriver in Downloads" for patching the Webdriver. It downloads the Webdriver if not present in Downloads.

Those commands came from @chris1111

Code:
-- download the driver package only if it is not already in Downloads
try
    do shell script "ls $HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg"
on error
    do shell script "curl -L https://images.nvidia.com/mac/pkg/387/WebDriver-387.10.10.10.40.140.pkg -o $HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg"
end try

-- expanding and re-flattening the package rebuilds it without the original signature
do shell script "pkgutil --expand $HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg $HOME/Downloads/Files_MyWebDriver"
do shell script "pkgutil --flatten $HOME/Downloads/Files_MyWebDriver $HOME/Downloads/MyWebDriver-387.10.10.10.40.140.pkg"
-- remove the expanded working copy
do shell script "rm -R $HOME/Downloads/Files_MyWebDriver"


Edit 2:

Added a script to patch the CUDADriver.pkg as well; it has to be in Downloads.
 

Dayo

Nice. You need to include one that removes the locks in the package ... for later
I'll also suggest adding a version check on load and aborting if greater than Mojave (I think some hack Web drivers to work on Mojave)
 

Dayo

It's just what chris1111 wrote:
A user should be able to just run this without needing to strip certs and when a fix is published, they just remove the locks. Although I suppose the script needs to clear some other caches to be comprehensive. I.E., not only focus on the locks.

Hmm, are you able to get HDMI audio output from nVidia in Mojave? Thx...
I don't run Nvidia (at least not actively)
 

Dayo

Aug 2022 Update: Use this option only if the information in Post 1 does not work for you

Enhanced the initial script to allow deactivating the locks if/when an official fix is issued, cover the spectrum of items needed and accommodate switching from the previous method in Post 82.

First thing to do is to take a backup that can be restored if required.

There are 2 stages. The first involves removing the revoked certs and reinstalling. If this works for you then you are good and will keep your Mac's security level at what it currently is. You do not need the second stage.

If the first stage does not work for you, or you are unwilling/unable to copy and paste the commands into Terminal, then move to the second stage where you just have to run a script that will degrade the security level to allow things to work.

STAGE 1: STRIP CERTS AND REINSTALL
  1. Run the following command in Terminal to fetch and run a script (from GitHub) for getting Nvidia Webdrivers directly from Nvidia: cd ~/Downloads && rm -fr ~/Downloads/Web-Driver-Toolkit && git clone https://github.com/corpnewt/Web-Driver-Toolkit && cd Web-Driver-Toolkit && chmod +x Run.command && ./Run.command
    1. The script will allow you to download Nvidia web drivers which will be saved in ~/Downloads/Web-Driver-Toolkit/Web Drivers.
      • Select the Download By Build Number option
      • While it may seem counterintuitive, to be absolutely sure the certificates are stripped out, DO NOT select the version of the driver matching your actual build number, but the build number before yours and then use the script option to patch this to what you need. The certificates will be stripped out as part of this patching.
        • To check your actual build number, run sw_vers -buildVersion in Terminal
    2. After the script is downloaded, use the Patch Install Package option in the script to patch the web driver. This will fully clear the revoked certificates from the package including from kexts used by the web driver.
  2. Download the relevant CUDA package and run the following in Terminal to strip the certificates: cd ~/Downloads && rm -fr ~/Downloads/cxda_tyzp && pkgutil --expand /FULL/PATH/TO/CUDA/PKG ~/Downloads/cxda_tyzp && rm -fr /FULL/PATH/TO/CUDA/PKG && pkgutil --flatten ~/Downloads/cxda_tyzp /FULL/PATH/TO/CUDA/PKG && rm -fr ~/Downloads/cxda_tyzp
    • Paste the command into TextEdit, amend /FULL/PATH/TO/CUDA/PKG to suit and run this in Terminal
    • You can get the full path to the CUDA pkg by dragging and dropping the file into Terminal
  3. Fully isolate your Mac from the web and boot into Safe Mode.
    1. Safe Mode will enable a basic GPU driver that will, while not accelerated, allow you to operate your Mac without web drivers. Importantly, booting into Safe Mode while disconnected from the web will purge several caches.
    2. To boot into Safe Mode, turn on or restart your Mac, then immediately press and hold the Shift key until you see the login window. Log in to your Mac (You might be asked to log in a second time).
    3. You can verify you are in Safe Mode as follows:
      • Go to About This Mac >> System Report >> Software
      • In the System Software Overview, look at the value listed next to the item labeled Boot Mode.
        • Safe: The Mac is using safe mode.
        • Normal: The Mac is not using safe mode.
    4. It might be a good idea to run crlrefresh rp in Terminal after logging in to ensure the caches are purged
  4. Install both the patched web and CUDA drivers
  5. Reconnect to the web, reboot into Normal Mode and activate the webdriver.
If this sorts out your issues, then you can stop here and live happily ever after. It doesn't matter whether Nvidia/Apple fix the certs or not, you are good for good without needing to compromise on security. Whatever the outcome however, pester Nvidia for a fix. If it did not sort out your issues, you need to try STAGE 2.

STAGE 2: PURGE AND LOCK TRUSTD CACHES
  1. Fully isolate your Mac from the web and boot into Safe Mode.
    1. See STAGE 1 above for details on booting into Safe Mode.
  2. Download the attached file, unzip it and double click to open it in Script Editor built into MacOS
  3. Once in Script Editor, click on the obvious button to run the script.
  4. Select the script option to activate the workaround when presented.
    1. If the script asks for confirmation on the paths it will work on, check the listed paths and make sure they include either of:
      • /C/com.apple.trustd
      • /T/com.apple.trustd
    2. Click 'No' if any path does not include one of these paths and report the issue.
  5. Reconnect to the web after running the script, reboot and you should be up and running.
If not up and running after this, restore the backup you took at the very start and switch to AMD or wait for a fix from Nvidia and/or Apple. Whatever the outcome, pester Nvidia for a fix.


To revert the changes made by the attached script (if/when a proper fix is available), run the script in normal boot mode and select the option to deactivate the workaround. You might also want to do this if you do decide to switch to AMD.

CREDITS:
@DTRX for the trustd cache blocking
@Macschrauber for the initial cache block script
GitHub User CorpNewt for the Web-Driver-Toolkit
Misc Others for tips and feedback

SCRIPT EDITS:
01. Lock/Unlock folders instead of contents
02. Misc Fine Tune
03. Structural Tweaks
04. Remove OCSP blocks in hosts file, Handle /Library/Keychains/crls
05. Misc Tidy Up
06. Reintroduce OCSP blocks in hosts file, Download and patch WebDriver-387.10.10.10.40.140
07. Prefers disconnection from the web, Prefers running under Safe Mode
08. Fixes missing 'WebDriver' variable
09. Misc Tidy Up
10. Remove web driver download/patching added in v06
11. Improve resilience ... allows support for LoSierra/Earlier
12. Improve support for LoSierra/Earlier
13. Adjust Some Sqlite DB Handling
14. Flush DNS to improve deactivation process
 

Attachments

  • NvidiaWebdriverRevocationWorkaround_v14.zip (24.9 KB)
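The folder selection that the scripts in this thread rely on (the "ls -R /private/var/folders/ | grep com.apple.trustd:" line in Macschrauber's script, and the Stage 2 step 4 path check in the post above) can be dry-run before anything is deleted or locked. The Python below is an added example, not code from the thread: the ls -R output it parses is a constructed sample, and the allow-list pattern for a legitimate per-user cache path is my assumption.

```python
import re

# Constructed sample of `ls -R /private/var/folders/` output (not captured from
# a real Mac). The forum scripts grep the "<directory>:" header lines for
# "com.apple.trustd:" and strip the trailing colon to get the folder path.
SAMPLE_LS_R = """\
/private/var/folders/:
zz

/private/var/folders/zz:
zyxvpxvq6csfxvn_n00000s0000068

/private/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/C/com.apple.trustd:
ocsp_cache.db
revocation_cache.db

/private/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/T/com.apple.trustd:

/private/var/folders/ab/Backups/com.apple.trustd:
stray_copy.db
"""

# Assumed shape of a legitimate path (Stage 2 step 4: it must contain
# /C/com.apple.trustd or /T/com.apple.trustd under /private/var/folders/xx/<id>/).
EXPECTED_DIR = re.compile(
    r"^/private/var/folders/[^/]{2}/[^/]+/[CT]/com\.apple\.trustd$"
)


def trustd_dirs_from_ls(ls_output: str) -> list:
    """Mirror `ls -R ... | grep com.apple.trustd:` and drop the last character."""
    dirs = []
    for line in ls_output.splitlines():
        # grep treats the dots as "any character", so search the same way
        if re.search(r"com.apple.trustd:", line):
            dirs.append(line[:-1])  # AppleScript: items 1 thru -2 of the_line
    return dirs


def plan_actions(ls_output: str, lock: bool = True) -> dict:
    """Build the commands the scripts would run, setting unexpected paths aside.

    Returns {"accepted": [(path, [cmd, ...]), ...], "rejected": [path, ...]}.
    Nothing is executed; a caller would display this plan and stop on any
    rejected path, which is the "click No and report it" case in the post.
    """
    plan = {"accepted": [], "rejected": []}
    for path in trustd_dirs_from_ls(ls_output):
        if not EXPECTED_DIR.match(path):
            plan["rejected"].append(path)
            continue
        if lock:
            # Same two steps as the scripts: empty the folder, then set the
            # user-immutable flag so trustd cannot repopulate it.
            cmds = [f"rm -R {path}/*", f"chflags uchg {path}"]
        else:
            # Reverse step from the Lock/Unlock version: clear the flag only.
            cmds = [f"chflags nouchg {path}"]
        plan["accepted"].append((path, cmds))
    return plan


if __name__ == "__main__":
    plan = plan_actions(SAMPLE_LS_R)
    for path, cmds in plan["accepted"]:
        print(path, cmds)
    print("rejected:", plan["rejected"])
```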

Macschrauber

I am just installing a completely fresh High Sierra System to test those things from scratch up.

It's a little off topic but worth mentioning: If you are on 17G66 (latest MAS download) you cannot run 2020-006 Security Update as the next step, it refuses the installation.

You need 2020-005 first.

...

it worked from scratch.


1.) installed High Sierra 17g66
2.) did security update 2020-005
3.) did security update 2020-006
4.) turned off System Integrity Protection by booting into recovery and csrutil disable in Terminal.
5.) run @Dayo's enhancement of my script (https://forums.macrumors.com/thread...idia-webdrivers-anymore.2346445/post-31170583)
6.) run modded webdriver installer package (https://forums.macrumors.com/thread...idia-webdrivers-anymore.2346445/post-31170213)
7.) rebooted - Webdriver is back


Installing a new system is not needed, I just wanted to disable all previous steps taken.



...

Edit:

also tested with just the com.apple.trustd removals and locks (from https://forums.macrumors.com/thread...idia-webdrivers-anymore.2346445/post-31170213) with a fresh untouched High Sierra System and the Webdriver also is working.

Time will tell if that's enough.
 

Fullerfun

For anyone who was unsuccessful with previous solutions early in this thread.
One reason it may not have worked would be if you hadn’t installed the security updates on the system.

go to Apple menu, about this Mac, click system report, click on software, make sure you are running (17G14042)....if not, you haven’t applied all updates.

I just updated a system that didn’t have all the High Sierra security updates...and the older solutions didn’t quite work.

updating to latest security update, force install web drivers, block apple's access, boot safe mode, apply terminal commands, restart. Boom worked.
 

DTRX

I am just installing a completely fresh High Sierra to test those things from scratch up.

It's a little off topic but worth mentioning: If you are on 17G66 (latest MAS download) you cannot run 2020-006 Security Update as the next step, it refuses the installation.

You need 2020-005 first.

...

it worked from scratch.


1.) installed High Sierra 17g66
2.) did security update 2020-005
3.) did security update 2020-006
4.) turned off System Integrity Protection by booting into recovery and csrutil disable in Terminal.
5.) run @Dayo's enhancement of my script (https://forums.macrumors.com/thread...idia-webdrivers-anymore.2346445/post-31170583)
6.) run modded webdriver installer package (https://forums.macrumors.com/thread...idia-webdrivers-anymore.2346445/post-31170213)
7.) rebooted - Webdriver is back


Installing a new system is not needed, I just wanted to disable all previous steps taken.

Okay, I think it is finally solved. Thanks everyone!
 

startergo

Added my take on the script to allow unlocking the items down the line; it also clears some other items.
Also attached the file.

AppleScript:
on run
    set ScriptName to "Nvidia Webdriver Revocation Workaround"
    -- harmless privileged command so the admin password prompt appears up front
    do shell script ("echo ''") with administrator privileges

    -- Vet MacOS Version: refuse anything newer than Mojave (10.14.x)
    set VerStr to system version of (system info)
    considering numeric strings
        if VerStr is greater than "10.14.99" then
            set GeneralMsg to "Only Valid for MacOS 10.14 (Mojave) or Earlier"
            display alert ScriptName message GeneralMsg buttons {"Exit"}
            return
        end if
    end considering

    set GeneralMsg to "This script deletes and/or locks some system items to workaround using revoked Nvidia web drivers." & return & return & ¬
        "It requests confirmation before each step and can be stopped then." & return & return & ¬
        "The steps disable some security features and need to be reverted if/when Nvidia and/or Apple provide a fix." & return & return & ¬
        "Hence it optionally allows reverting the steps taken." & return & return & ¬
        "Ensure you take a backup before running this script." & return
    set UserResponse to button returned of (display alert ScriptName message GeneralMsg buttons {"Exit", "Continue"} default button "Exit")
    if UserResponse contains "Exit" then
        return
    end if

    -- one "<directory>:" header per com.apple.trustd folder under /private/var/folders
    set the_list to do shell script "ls -R /private/var/folders/ | grep com.apple.trustd:" with administrator privileges
    set LockItems to true

    set GeneralMsg to "Would you like to Delete/Lock or Unlock the items?"
    set UserResponse to button returned of (display alert ScriptName message GeneralMsg buttons {"Exit", "Delete/Lock Items", "Unlock Items"} default button "Exit")
    if UserResponse contains "Exit" then
        return
    else if UserResponse contains "Unlock Items" then
        set LockItems to false
    end if

    set SuccessFlag to false
    repeat with the_line in every paragraph of the_list
        -- strip the trailing colon from the ls header to get the folder path
        set com_apple_trustd_folder to items 1 thru -2 of the_line as text

        -- empty the folder, then set (uchg) or clear (nouchg) the user-immutable flag
        set remove_command to "rm -R" & space & com_apple_trustd_folder & "/*"
        set uchg_command to "chflags uchg" & space & com_apple_trustd_folder
        set nouchg_command to "chflags nouchg" & space & com_apple_trustd_folder

        if LockItems is true then
            set GeneralMsg to "Recursively delete and/or lock items?" & return & return & com_apple_trustd_folder
            set UserResponse to button returned of (display alert ScriptName message GeneralMsg buttons {"Exit", "Yes"} default button "Exit")
            if UserResponse contains "Exit" then
                return
            end if
            try
                do shell script remove_command with administrator privileges
                do shell script uchg_command with administrator privileges
                set SuccessFlag to true
            end try
        else
            set GeneralMsg to "Remove lock on folder?" & return & return & com_apple_trustd_folder
            set UserResponse to button returned of (display alert ScriptName message GeneralMsg buttons {"Exit", "Yes"} default button "Exit")
            if UserResponse contains "Exit" then
                return
            end if
            try
                do shell script nouchg_command with administrator privileges
            end try
        end if
    end repeat

    -- after locking: flush the CRL cache, remove stored CRLs and empty the OCSP cache table
    if SuccessFlag is true then
        do shell script ("crlrefresh rp")
        do shell script ("rm -f /var/db/crls/*") with administrator privileges
        try
            do shell script ("sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM ocsp;'") with administrator privileges
        end try
    end if
end run

EDIT:
1. Lock/Unlock folders instead of contents
2. Misc Finetune
@Dayo how about doing backup first so it can be restored when Nvidia renews certificates?
Nevermind you are issuing a warning to create a backup.
 

Dayo

Seems like it will over complicate things with minimal gain as whatever was previously present should be recreated as needed once the locks are removed. The point of the lock is to stop this from happening as that is the normal state.

The user needs to back everything up beforehand obviously but that is a different type of backup (to restore in case things break)
 

MacKing3000

@Macschrauber @Dayo Thank you both for the combined scripts. Going to run this on my machine today, but just wanted to check: I only have SIERRA installed on my mid 2010 - the webdriver packages listed won't work on my machine, correct? I need to use ones for 10.12.6 - could you let me know if just downloaded ones from the Nvidia site will work, or will I run into a snag installing after step 1 of the script is run? Apologies in advance if this sounds like a daft question. Just want to make sure that whatever drivers I re-install work.
 

Demigod Mac

Correct me if I'm wrong, but wouldn't blocking these on your router do the job without having to modify your Mac's HOSTS file?
ocsp.apple.com
ocsp2.apple.com
ocsp.digicert.com
 

Dayo

This is independent of one specific webdriver or another AFAIK and just deals with certificate revocation in general.
I do see @Macschrauber has some webdriver related stuff going on but I can't see why that is needed. He might be able to elaborate
 

Fullerfun

Correct me if I'm wrong, but wouldn't blocking these on your router do the job without having to modify your Mac's HOSTS file?
ocsp.apple.com
ocsp2.apple.com
ocsp.digicert.com
Yes if your router can do that. The latest solution here is a different approach, which basically disables trustd. Trustd does other things besides just verifying certificates....so if you only want to block that function of Trustd, stick with the solutions from a few days ago. If you want to completely block everything that Trustd does, try the things being discussed today.
 

Macschrauber

@Macschrauber @Dayo Thank you both for the combined scripts. Going to run this on my machine today, but just wanted to check: I only have SIERRA installed on my mid 2010 - the webdriver packages listed won't work on my machine, correct? I need to use ones for 10.12.6 - could you let me know if just downloaded ones from the Nvidia site will work, or will I run into a snag installing after step 1 of the script is run? Apologies in advance if this sounds like a daft question. Just want to make sure that whatever drivers I re-install work.

try the scripts from my package, I tested it with a fresh install.

Either edit the script for modding the webdriver or rename your webdriver to WebDriver-387.10.10.10.40.140.pkg and copy it to your Downloads folder to let the mod script run thru.

Post if that worked for you.
 

Dayo

I tested it with a fresh install.
I get it now. If you already have a webdriver installed, whichever version, and it just stopped working because of the revocation, you shouldn't need to reinstall if you just run the script but I suppose it is a different story when doing a general re-installation.
 

Dayo

if you only want to block that function of Trustd, stick with the solutions from a few days ago.
The potential problem with blocking 2 or 3 out of the dozen or so domains in play is explained here:

Additionally, I looked at one of my system files and the domain for checks on my unit is valid.apple.com. Seems to be why those approaches fail for some. You basically need to add all the relevant domains listed on that support page to be sure.
 

Macschrauber

I get it now. If you already have a webdriver installed, whichever version, and it just stopped working because of the revocation, you shouldn't need to reinstall if you just run the script but I suppose it is a different story when doing a general re-installation.

kind of, my High Sierra test ssd had a Webdriver installed that stopped supporting my Kepler GPUs. I followed a lot of suggestions and it worked. But I never had the chance to nail it down to step a b c.

So I better started from zero to be sure what steps really work.

As I use Kepler GPUs that are supported I do not need the Webdriver for myself, but I want to be able to support my customers if in need.
 