takovej – Can you briefly explain how to modify hosts file like you've done?
Just copy this to terminal and enter admin pwd when asked:

sudo sh -c 'echo "0.0.0.0 ocsp.apple.com" >> /etc/hosts' && sudo sh -c 'echo "0.0.0.0 ocsp2.apple.com" >> /etc/hosts' && sudo killall -HUP mDNSResponder

or you can add these two lines manually to /etc/hosts, i.e. using sudo vim /etc/hosts

0.0.0.0 ocsp.apple.com
0.0.0.0 ocsp2.apple.com
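
A way to check a hosts file for these two overrides and to produce a copy without them, for anyone who later wants revocation checks back (added example, not part of the original post; the function names and the sample file are constructed for illustration):

```shell
#!/bin/sh
# Added example, not from the thread: audit a hosts file for overrides of
# Apple's OCSP responders and emit a copy with those overrides removed.
# Hostnames are the two from the post; function names are illustrative.

OCSP_HOSTS="ocsp.apple.com ocsp2.apple.com"

# Print "LINE ADDRESS HOSTNAME" for each active entry that pins a watched
# hostname. Returns 0 if any override exists, 1 if the file is clean.
ocsp_hosts_audit() {
    awk -v watch="$OCSP_HOSTS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            sub(/#.*/, "")                       # ignore comments; re-splits $0
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h in want) { print NR, $1, h; found = 1 }
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write the file to stdout without the watched hostnames. Other names that
# share a line are kept; a rewritten line loses its trailing comment.
ocsp_hosts_clean() {
    awk -v watch="$OCSP_HOSTS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            raw = $0
            sub(/#.*/, "")
            keep = ""; hit = 0
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h in want) hit = 1
                else keep = keep " " $i
            }
            if (!hit) print raw                  # comment, blank or unrelated entry
            else if (keep != "") print $1 keep   # drop only the OCSP names
        }
    ' "$1"
}

# Constructed sample input: the two appended lines plus edge cases.
write_sample_hosts() {
    printf '%s\n' \
        '##' \
        '# Host Database' \
        '127.0.0.1       localhost' \
        '255.255.255.255 broadcasthost' \
        '::1             localhost' \
        '0.0.0.0 ocsp.apple.com' \
        '0.0.0.0 ocsp2.apple.com' \
        '0.0.0.0 OCSP.apple.com tracker.example   # mixed line' \
        '# 0.0.0.0 ocsp.apple.com (disabled)' > "$1"
}

sample=$(mktemp)
write_sample_hosts "$sample"
echo "overrides found:"; ocsp_hosts_audit "$sample"
echo "cleaned copy:";    ocsp_hosts_clean "$sample"
rm -f "$sample"
```

Run the audit against /etc/hosts itself to see whether the workaround is still in place; after reviewing and installing a cleaned copy, the `sudo killall -HUP mDNSResponder` from the post flushes the resolver cache.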
 
Just copy this to terminal and enter admin pwd when asked:

sudo sh -c 'echo "0.0.0.0 ocsp.apple.com" >> /etc/hosts' && sudo sh -c 'echo "0.0.0.0 ocsp2.apple.com" >> /etc/hosts' && sudo killall -HUP mDNSResponder

or you can add these two lines manually to /etc/hosts, i.e. using sudo vim /etc/hosts

0.0.0.0 ocsp.apple.com
0.0.0.0 ocsp2.apple.com
Thank you! So once you've restored from Time Machine, you enter this Terminal Command at what stage of the process: After you've restarted and it completes? Or do you boot into Recovery mode after transfer of info and enter Terminal commands before the final restart to complete Time Machine restore? Sorry, a bit confused here.
 
I can report that the only stopgap solution that has worked for me is refreshing the certification database and rebooting while physically disconnected from the internet.

For reasons unknown, I have consistently been unable to get the installer for the driver to complete successfully whenever I have been able to launch it after following the steps of other suggested solutions. The CUDA installer has no such trouble.

If anyone has any ideas why the driver installer always fails on an undefined error, I am all ears.
 
I can report that the only stopgap solution that has worked for me is refreshing the certification database and rebooting while physically disconnected from the internet.

For reasons unknown, I have consistently been unable to get the installer for the driver to complete successfully whenever I have been able to launch it after following the steps of other suggested solutions. The CUDA installer has no such trouble.

If anyone has any ideas why the driver installer always fails on an undefined error, I am all ears.
Check my last reply. It’s failing because there’s a deep locally stored record of the pkg signer revocation. I don’t know how to remove it.
 
Some over in the MacProUpgrade group on Facebook are reporting that their Nvidia cards are running fine (not sure what OS yet) on systems with existing drivers. One thing I do know is that I first noticed this problem after zapping my PRAM running High Sierra, which for some reason always tanks my Nvidia drivers. I went to do a simple reinstall of drivers and all hell broke loose. Before I figured out the problem, I booted to a back-up OS running Sierra, and everything booted up fine, so I know that the problem did not show up on a different startup disk with drivers already installed. Right now I'm tinkering with a Time Machine back-up to see if I can get back to where I was on High Sierra before zapping PRAM, but does anyone know where Nvidia drivers and accompanying files are located, and if there's any way to copy them at the Finder level from a back-up of your OS?
Thanks for mentioning zapping PRAM, that is exactly what I did before this whole debacle took place. I am MBP HS 10.13.6 build (17G14042). Cannot surmise, or guess if this is all the Cert Date Revocation, resetting PRAM, or both. You mentioning the MacPro people not having issue helps introduce more variables, and clarifies at the same time.
Cheers for bringing in more outside info.
 
10.13.6 (17G14042) is where my machine is at. Works fine. The last archived driver I have is WebDriver-378.10.10.10.15.114. I may have updated to xxx.140 as that matches my build number and failed to archive it. I will not touch their control panel at all, I do NOT need any heartache that may result.
 
Just giving another update. Another day has passed and everything is still working completely as it did before it broke, minus whatever I'm losing for blocking ocspd and trustd.

If anyone missed it, Dayo put together instructions for a permanent fix back on page 4 which has worked for me and a few others: https://forums.macrumors.com/thread...re.2346445/page-4?post=31142878#post-31142878
Of course since it involves blocking connections it's still less than ideal, but it has been working for me.

I second others when I say this whole thing has been super disruptive! I'm also in the middle of a big project and gosh that is not what you like to see.
It is very odd to me: everything everyone is saying here is relevant to my situation, yet I am a MBPro. And besides one guy here mentioning he joined our headache after resetting PRAM, which I did as well, I cannot find any chatter anywhere about the nVidia driver issues from the MBP populace.
Going to try the Dayo link. Wish me luck.
 
Thank you! So once you've restored from Time Machine, you enter this Terminal Command at what stage of the process: After you've restarted and it completes? Or do you boot into Recovery mode after transfer of info and enter Terminal commands before the final restart to complete Time Machine restore? Sorry, a bit confused here.
Yes, that's it.

Restore from back-up (Time Machine), without internet connection.
Apply the command I've posted before to modify the hosts file.
Reconnect the internet, you should be fine.

EDIT: 35 hours and about 7 restarts so far and still running ;)

I am glad to have found this thread / group - I got the same issue with my old Mac Pro 5.1 - running a Titan X 12Gig card on it.. glad I never sold my original AMD card.. but the computer is not not usually for 3d anymore.. ; / - Does anyone have information about this issue that comes from Nvidia or Apple? Will there be a fix to it..? Thank You
 
It is very odd to me: everything everyone is saying here is relevant to my situation, yet I am a MBPro. And besides one guy here mentioning he joined our headache after resetting PRAM, which I did as well, I cannot find any chatter anywhere about the nVidia driver issues from the MBP populace.
Going to try the Dayo link. Wish me luck.

That is weird.

Do you have the same issues with the built-in Nvidia drivers on MacBook Pro?

Why did you reset PRAM on your laptop?

I am glad to have found this thread / group - I got the same issue with my old Mac Pro 5.1 - running a Titan X 12Gig card on it.. glad I never sold my original AMD card.. but the computer is not not usually for 3d anymore.. ; / - Does anyone have information about this issue that comes from Nvidia or Apple? Will there be a fix to it..? Thank You

Yesterday, I reported this issue with CUDA drivers, and I'm still waiting for the answer. I hope they can fix it because their team is working on it.

I strongly suggest everyone report all the issues with NVIDIA drivers. They know about this issue and can see this thread on this forum. However, I'm not sure if it's enough for them to give this issue a high priority.

Nvidia chat
 
They know about this issue and can see this thread on this forum. However, I'm not sure if it's enough for them to give this issue a high priority.
They should give it a high priority, otherwise it is going to be very bad PR for them because of a lot of very unhappy customers.
 
I remove certificate of this Package from Pkgutil command
but I can not test because I have no Nv card then No High Sierra 10.13
The command will download WebDriver-387.10.10.10.40.140.pkg, then unpack and repack it.

Make sure you don't have the package in the Downloads folder, and a Files folder, because it will be deleted.
Here is the script code:

Code:
#!/bin/bash
# By chris1111

echo "Downloads WebDriver-387.10.10.10.40.140"
echo "= = = = = = = = = = = = = = = = = = = = = = = = ="

# Fetch the original package from NVIDIA into ~/Downloads
curl -L https://images.nvidia.com/mac/pkg/387/WebDriver-387.10.10.10.40.140.pkg -o "$HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg"

# Expand the package with pkgutil into ~/Downloads/Files
echo "Expand the Packages with pkgutil"
echo "= = = = = = = = = = = = = = = = = = = = = = = = ="
pkgutil --expand "$HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg" "$HOME/Downloads/Files"

# Flatten the expanded files into a new package with pkgutil
echo "Flatten the Packages with pkgutil"
echo "= = = = = = = = = = = = = = = = = = = = = = = = ="
pkgutil --flatten "$HOME/Downloads/Files" "$HOME/Downloads/MyWebDriver-387.10.10.10.40.140.pkg"

# Remove the downloaded package and the Files folder
rm -rf "$HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg"
rm -rf "$HOME/Downloads/Files"
echo "Done!"
echo "= = = = = = = = = = = = = = = = = = = = = = = = ="






Attaching command ⬇︎
 

Attachments

  • PKGUTIL.command.zip
They should give it a high priority, otherwise it is going to be very bad PR for them because of a lot of very unhappy customers.

That's what we legacy GeForce GPU owners might expect, however, in their grand scheme of things, I sincerely doubt we matter to the NVidia teams ever since Apple and NVidia parted ways with the introduction of Metal in OSX 10.14.x

The last update we received was 2020.11.17 for MACOS DRIVER RELEASE 387.10.10.10.40.140 here: https://www.nvidia.com/download/driverResults.aspx/167083/

The corresponding last update for CUDA was with release of the CUDA toolkit ver10.2.89 here: https://developer.download.nvidia.com/compute/cuda/10.2/Prod/local_installers/cuda_10.2.89_mac.dmg

The CUDA toolkit (2.5GB) ver10.2.89 also contains the last supported CUDA driver (you can uncheck all other tools during the installation process to install just that driver alone)
 
There’s a lot of references in this thread to codesign which seems useless for packages.

As I understand it, productsign will only work with a developer account but would be able to solve the deeper issues with the pkg and underlying files.

Is getting a developer account to sign the pkg not a viable solution here?

KEXT signing is not normal signing. It requires a special certificate issued by Apple. It cannot be done with a normal developer account. (Source: I have developed and signed KEXTs.)

Also why Nvidia's certificate leak is likely to be a red herring. They can't use their own certificate to sign. They'd need to get one from Apple. If you look at the trace on the first page: The Nvidia drivers are signed with Apple's Root CA. Not Nvidia's.

My read on this is Apple voided their KEXT through Gatekeeper. Signed things usually don't just expire on their own, even if the cert expires.
 
KEXT signing is not normal signing. It requires a special certificate issued by Apple. It cannot be done with a normal developer account. (Source: I have developed and signed KEXTs.)

Also why Nvidia's certificate leak is likely to be a red herring. They can't use their own certificate to sign. They'd need to get one from Apple. If you look at the trace on the first page: The Nvidia drivers are signed with Apple's Root CA. Not Nvidia's.

My read on this is Apple voided their KEXT through Gatekeeper. Signed things usually don't just expire on their own, even if the cert expires.
Did you try re-signing all the driver files with your developer account?

I tried signing with a local self-signed codesigning certificate, but it doesn’t seem to replace the signature correctly, because I’m still getting the nvidia signature revoked error in my boot log or kextload -> kextutil test.

I’m new to codesigning, is it even possible to fully replace the signature in .kext and .bundle files? Should I use
codesign -s CERNAME --deep --force pathtofile
(I haven’t tried deep yet, but I read somewhere you are not supposed to…?)

I also extracted the certificates Nvidia used with
codesign -dvvv pathtofile --extract-certificates
And converted them into der files
openssl x509 -inform DER -in codesign0 -text > codesign0.der
To store them in my keychain and “always trust” them as if I’m part of the team

This didn’t work, because my OS is still giving the CER Revoked invalid error. Where is this revoke status stored??

I removed all the files in /var/db/crls/*
There was a file with a *.revoked extension, so I thought I'd better trash that too.

Also found another OCSP cache with this command
getconf DARWIN_USER_CACHE_DIR
and used this path to find the folder com.apple.trustd to edit the ocspcache.sqlite3 db with this app
sqlitebrowser.org
But you could probably use this command
sudo sqlite3 darwinconfpath/com.apple.trustd/ocspcache.sqlite3 'DELETE FROM ocsp;'

My OS still is able to remember that the Nvidia dev certificate signature has been revoked (without internet) …

I think the best solution is probably to re-sign the driver ourselves? But how to do it fully and properly?

Or we find exactly where the Certificate Revocation List crl is stored and make it so our OS doesn’t remember or contact Apple ocsp about it.

Help
 
I tried signing with a local self-signed codesigning certificate, but it doesn’t seem to replace the signature correctly, because I’m still getting the nvidia signature revoked error in my boot log or kextload -> kextutil test.

KEXTs cannot be signed with a normal codesigning cert. You must submit an application to Apple that they will review, and then you get a special cert for KEXTs. (And they're not going to give you one.)

There is no way to resign the drivers.

Best path is probably to disable System Integrity Protection and disable the code signing checks completely. I have not tried that though, I do not have a Mac with an Nvidia card.

Messing with cert trust isn't going to fix things. The cert is fine, it's just been blacklisted by Gatekeeper for whatever reason. Trusted certs in Keychain won't override Gatekeeper. So: Disable Gatekeeper by disabling SIP.
 
KEXTs cannot be signed with a normal codesigning cert. You must submit an application to Apple that they will review, and then you get a special cert for KEXTs. (And they're not going to give you one.)

There is no way to resign the drivers.

Best path is probably to disable System Integrity Protection and disable the code signing checks completely. I have not tried that though, I do not have a Mac with an Nvidia card.

Messing with cert trust isn't going to fix things. The cert is fine, it's just been blacklisted by Gatekeeper for whatever reason. Trusted certs in Keychain won't override Gatekeeper. So: Disable Gatekeeper by disabling SIP.
Alright thank you I won’t try re-signing then.

I’m going to see how to disable SIP fully in my Ozmosis setup next.

I’m wondering if maybe the revocation is stored inside the CA certificates in our keychain? 🧐
 
I am glad to have found this thread / group - I got the same issue with my old Mac Pro 5.1 - running a Titan X 12Gig card on it.. glad I never sold my original AMD card.. but the computer is not not usually for 3d anymore.. ; / - Does anyone have information about this issue that comes from Nvidia or Apple? Will there be a fix to it..? Thank You
That is weird.

Do you have the same issues with the built-in Nvidia drivers on MacBook Pro?

Why did you reset PRAM on your laptop?



Yesterday, I reported this issue with CUDA drivers, and I'm still waiting for the answer. I hope they can fix it because their team is working on it.

I strongly suggest everyone report all the issues with NVIDIA drivers. They know about this issue and can see this thread on this forum. However, I'm not sure if it's enough for them to give this issue a high priority.

Nvidia chat
thank you Mateo14 - yes, I will report it to Nvidia as well - the more of us do it the better and it creates a sense of urgency ; ) - how did you contact Nvidia ? just created a ticket?
 
and no - I
I am glad to have found this thread / group - I got the same issue with my old Mac Pro 5.1 - running a Titan X 12Gig card on it.. glad I never sold my original AMD card.. but the computer is not not usually for 3d anymore.. ; / - Does anyone have information about this issue that comes from Nvidia or Apple? Will there be a fix to it..? Thank You

thank you Mateo14 - yes, I will report it to Nvidia as well - the more of us do it the better and it creates a sense of urgency ; ) - how did you contact Nvidia ? just created a ticket?
and no - I am not using a MacBook Pro but a Mac Pro (Desktop) - I am using a custom built Titan X 12 Gig on - so I am kinda stuck with 10.13.. - Nvidia and Apple is like Oil and Water these days.. sad to see..
 
KEXTs cannot be signed with a normal codesigning cert. You must submit an application to Apple that they will review, and then you get a special cert for KEXTs. (And they're not going to give you one.)

There is no way to resign the drivers.

Best path is probably to disable System Integrity Protection and disable the code signing checks completely. I have not tried that though, I do not have a Mac with an Nvidia card.

Messing with cert trust isn't going to fix things. The cert is fine, it's just been blacklisted by Gatekeeper for whatever reason. Trusted certs in Keychain won't override Gatekeeper. So: Disable Gatekeeper by disabling SIP.
Disabling SIP completely doesn’t help
how can I remove the invalid signature on the kext and bundle files thoroughly?
Maybe they will load without a signature
 
Well, if you remove codesigning from the whole package, disable SIP & gatekeeper or maybe just add
kext-dev-mode=1 to the boot-args it might work with unsigned ones?
 
Is this just a problem for unsupported Nvidia cards with web drivers? Do the GTX-680 models still work ok?
 
I remove certificate of this Package from Pkgutil command
but I can not test because I have no Nv card then No High Sierra 10.13

Attaching command ⬇︎

it allows installation now,
but System Preferences will not start the Nvidia control panel (urges to re-open System Preferences, but does not help), neither will the kexts load

Code:
Version:    10.33.0
  Zuletzt geändert:    13.11.20, 08:35
  Paket-ID:    com.nvidia.web.NVDAGK100HalWeb
  Loaded:    Yes
  Informationen:    NVDAGK100HalWeb 10.33.0 387.10.10.10.40.140
  Erhalten von:    Unbekannt
  Art:    Intel
  Architekturen:    x86_64
  64-Bit (Intel):    Ja
  Ort:    /Library/Extensions/NVDAGK100HalWeb.kext
  Kext-Version:    10.3.3
  Lade-Adresse:    18446743521866500000
  Loadable:    No
  Fehler bei der Unterschriftenvalidierung:    Kext signature validation error code -2147409652
  Abhängigkeiten:    Erfüllt
  Signed from:    unknown

(translated the most important data points)


edit:
executing
Code:
installer -allowUntrusted -verbose -pkg ~/Downloads/MyWebDriver-387.10.10.10.40.140.pkg -target /
as suggested by @Syncretics didn't work either,
will try again without running MyWebDriver by the GUI



edit2:
- rolled back to a High Sierra Version before Security Update 2020-006
- uninstalled WebDriver
- reapplied the download and patch
- same outcome, still get the cert error

if someone wants to try variants I modded the command from @chris1111 a bit

(use a more specific temp folder than just Files)
(runs the special installer command after download and modding)

Code:
#!/bin/bash
# By chris1111

echo "Downloads WebDriver-387.10.10.10.40.140"
echo "= = = = = = = = = = = = = = = = = = = = = = = = ="

# Fetch the original package from NVIDIA into ~/Downloads
curl -L https://images.nvidia.com/mac/pkg/387/WebDriver-387.10.10.10.40.140.pkg -o "$HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg"

# Expand the package with pkgutil into a dedicated temp folder
echo "Expand the Packages with pkgutil"
echo "= = = = = = = = = = = = = = = = = = = = = = = = ="
pkgutil --expand "$HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg" "$HOME/Downloads/Files_MyWebDriver"

# Flatten the expanded files into a new package with pkgutil
echo "Flatten the Packages with pkgutil"
echo "= = = = = = = = = = = = = = = = = = = = = = = = ="
pkgutil --flatten "$HOME/Downloads/Files_MyWebDriver" "$HOME/Downloads/MyWebDriver-387.10.10.10.40.140.pkg"

# Remove the downloaded package and the temp folder
rm -rf "$HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg"
rm -rf "$HOME/Downloads/Files_MyWebDriver"
echo "Download and modding Done!"
echo "= = = = = = = = = = = = = = = = = = = = = = = = ="
echo "starting the modded MyWebDriver, so admin password is needed"
# Install the re-flattened package, allowing an untrusted signature
sudo installer -allowUntrusted -verbose -pkg "$HOME/Downloads/MyWebDriver-387.10.10.10.40.140.pkg" -target /
 
I remove certificate of this Package from Pkgutil command
but I can not test because I have no Nv card then No High Sierra 10.13

Attaching command ⬇︎
I just hope nobody had ~/Downloads/Files folder there before, lol...
 