
benjaprud

macrumors member
Apr 9, 2015
92
24
Mine was working yesterday as well, but not anymore today. It may be a matter of days before yours gets hit. Maybe there's a periodical certificate check?
 
Reactions: chris1111

poof86

macrumors newbie
Jun 4, 2022
8
2
Well, if you remove codesigning from the whole package, disable SIP & gatekeeper or maybe just add
kext-dev-mode=1 to the boot-args it might work with unsigned ones?
How would you remove the codesigning from the whole package? I unsigned the kext and bundle files but this didn’t help with booting
 

takovej

macrumors member
Mar 6, 2015
35
21
Have you applied this (codesign --remove-signature) to other app files within /Library/Preferences (especially NVAgent.app & NVMenu.app)? They are located in the NVIDIA Driver Manager.prefPane content... I'm not sure if these need to be modified too...
 

poof86

macrumors newbie
Jun 4, 2022
8
2
Have you applied this (codesign --remove-signature) to other app files within /Library/Preferences (especially NVAgent.app & NVMenu.app)? They are located in the NVIDIA Driver Manager.prefPane content..
Booting still doesn’t work, but the prefpane does open now
 
Reactions: garibaldo

adriandegar

macrumors newbie
Nov 8, 2016
18
7
Brooklyn, New York
KEXT signing is not normal signing. It requires a special certificate issued by Apple. It cannot be done with a normal developer account. (Source: I have developed and signed KEXTs.)

Also why Nvidia's certificate leak is likely to be a red herring. They can't use their own certificate to sign. They'd need to get one from Apple. If you look at the trace on the first page: The Nvidia drivers are signed with Apple's Root CA. Not Nvidia's.

My read on this is Apple voided their KEXT through Gatekeeper. Signed things usually don't just expire on their own, even if the cert expires.
Ok everyone, I think this is indeed the issue.

Through Gatekeeper or some similar process informing the system of revocation, the pkg and Kext files were voided at a deep level. No matter what I do (like moving the date in recovery back or keeping internet off in safe mode) those kexts and the driver pkg are tainted locally.

We certainly can’t do anything with codesign and if productsign is not viable either, then we are truly at the mercy of Apple/NVIDIA to resign these.
 

bogdanw

macrumors 603
Mar 10, 2009
6,118
3,029
Extracting kexts and preference pane from the WebDriver-387.10.10.10.40.140.pkg and removing their signatures
Code:
pkgutil --expand ~/Downloads/WebDriver-387.10.10.10.40.140.pkg ~/Desktop/WebDriver_temp
cd ~/Desktop/WebDriver_temp/1.8-103-387.10.10.10.40.140-NVWebDrivers.pkg
cat Payload | gunzip -dc |cpio -i
ditto ~/Desktop/WebDriver_temp/1.8-103-387.10.10.10.40.140-NVWebDrivers.pkg/Library ~/Desktop/WebDriver_temp/Library
ditto ~/Desktop/WebDriver_temp/1.8-103-387.10.10.10.40.140-NVWebDrivers.pkg/System ~/Desktop/WebDriver_temp/System
codesign --remove-signature ~/Desktop/WebDriver_temp/System/Library/Extensions/GeForceVADriverWeb.bundle
codesign --remove-signature ~/Desktop/WebDriver_temp/Library/Extensions/GeForceWeb.kext

Code:
cd ~/Desktop/WebDriver_temp/NVPrefPane.pkg
cat Payload | gunzip -dc |cpio -i
ditto  ~/Desktop/WebDriver_temp/NVPrefPane.pkg/NVIDIA\ Driver\ Manager.prefPane ~/Desktop/WebDriver_temp/NVIDIA\ Driver\ Manager.prefPane
codesign --remove-signature ~/Desktop/WebDriver_temp/NVIDIA\ Driver\ Manager.prefPane
codesign --remove-signature ~/Desktop/WebDriver_temp/NVIDIA\ Driver\ Manager.prefPane/Contents/MacOS/NVMenu.app

To check signature
Code:
codesign -dvv ~/Desktop/WebDriver_temp/Library/Extensions/GeForceWeb.kext
 

grad

macrumors 6502
Jun 2, 2014
398
480
I always blamed Apple for being the evil greedy dictator, like Microsoft was, not Nvidia, Epic, the independent developer, etc. Not that Nvidia is not at fault, but Apple did EVERYTHING they could to discard Nvidia and High Sierra alongside anything related to these or make it extremely difficult for anyone not wishing to "upgrade".

If things used to work fine until a couple of days ago but now they don't even work when offline, with the clock set 1 month in the past, and with no other security system updates etc. being installed, what is the mechanism that prevents the kexts from loading? Which CRL, OCSP, etc. caches need to be deleted, where, and how?
 
Reactions: TonyTech

Fullerfun

macrumors member
Jun 5, 2022
33
29
Right,

It seems the answer is to simply completely disable all certificate revocation checks.
Not typically something recommended but I suppose it makes little difference when running HiSierra.

Two ways:
  1. You have LittleSnitch
    • Download the web drivers in case you need to reinstall them
      • Only directly from the Nvidia website
    • Look for trustd in LittleSnitch and expand until you find ocsp and/or ocsp2 and/or ocspd
    • Block this/those process(es)
      • You may need to do this separately for user and for system
      • You may also want to block trustd altogether as well
    • Fully disconnect your Mac from the web
    • Run sudo crlrefresh rp && sudo sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM ocsp;' in Terminal to purge the current cached Certificate Revocation List
      • Ignore any error messages on running the above
      • You could also specifically delete the cache file(s) but perhaps better to only run crlrefresh first
      • To delete, run: sudo rm -f /var/db/crls/*cache.db && sudo rm -f /var/db/crls/*cache2.db
    • Run sudo date -u 120200002021 && sudo reboot in Terminal
      • You may want to reset your NVRAM on restart
    • Reconnect to the web and you should be good
      • If not good, disconnect from the web and rerun the purge and date commands above (in that order) and then reinstall the drivers before reconnecting
        • You could consider duplicating the drivers and then stripping the code signature out
          • This may help with installation if the original signed version fails to install
          • Duplication is to have an intact original in case you need this later
        • To strip the signature, try: sudo codesign --remove-signature DriverPackageName.pkg
      • If still not good, try the option below instead.
  2. You do not have LittleSnitch
    • Download the web drivers in case you need to reinstall them
      • Only directly from the Nvidia website
    • Fully disconnect your Mac from the web
    • Run sudo sh -c 'echo "127.0.0.1 ocsp.apple.com" >> /etc/hosts' && sudo sh -c 'echo "127.0.0.1 ocsp2.apple.com" >> /etc/hosts' && sudo killall -HUP mDNSResponder in Terminal
    • Run sudo crlrefresh rp && sudo sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM ocsp;' in Terminal to purge the current cached Certificate Revocation List
      • Ignore any error messages on running the above
      • You could also specifically delete the cache file(s) but perhaps better to only run crlrefresh first
      • To delete, run: sudo rm -f /var/db/crls/*cache.db && sudo rm -f /var/db/crls/*cache2.db
    • Run sudo date -u 120200002021 && sudo reboot in Terminal
      • You may want to reset your NVRAM on restart
    • Reconnect to the web and you should be good
      • If not good, disconnect from the web and rerun the purge and date commands above (in that order) and then reinstall the drivers before reconnecting
        • You could consider duplicating the drivers and then stripping the code signature out
          • This may help with installation if the original signed version fails to install
          • Duplication is to have an intact original in case you need this later
        • To strip the signature, try: sudo codesign --remove-signature DriverPackageName.pkg
      • If still not good, you need to use this offline

EDIT:
Reverting the changes is as easy as unchecking the item(s) in LittleSnitch but a bit more involved with /etc/hosts edits.

You will need to...
  1. Open Terminal, type sudo nano /private/etc/hosts and press "Enter"
    • I use Nano and forget what the default editor in Terminal is
    • If you don't have Nano, I think vim is most likely the default.
  2. Delete the ocsp.apple.com and ocsp2.apple.com lines then save and close
  3. Run sudo killall -HUP mDNSResponder && sudo reboot in Terminal to refresh the DNS cache and reboot
Just a random thought, but what about someone taking the cached database files from a time machine backup before June 1st, and just replacing the new ones with the backups. Then, would it work to lock and change the permissions to read only on those files, so they can’t be updated? Or, even better would be, maybe the database files can be edited or patched on boot, so the revoked info gets changed back to being fine?
 
Reactions: poof86
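
For anyone auditing a Mac where the /etc/hosts steps above were applied, or reverting them: an added example (not written by any poster in this thread) that lists active hosts entries overriding ocsp.apple.com and ocsp2.apple.com and prints the file with those names removed. The function names and the sample hosts content are constructed for illustration.

```shell
#!/bin/sh
# Audit a hosts file for active entries that override Apple's OCSP
# responders, i.e. the lines the /etc/hosts workaround in this thread appends.

OCSP_HOSTS="ocsp.apple.com ocsp2.apple.com"   # hostnames named in the thread

# Print "lineno:hostname:address" for every active (non-comment) entry
# that maps one of the OCSP hostnames to any address.
find_ocsp_overrides() {
    awk -v names="$OCSP_HOSTS" '
        BEGIN { n = split(names, want, " ") }
        {
            sub(/#.*/, "")                    # ignore comments
            for (i = 2; i <= NF; i++)
                for (j = 1; j <= n; j++)
                    if (tolower($i) == want[j]) print NR ":" want[j] ":" $1
        }' "$1"
}

# Print the hosts file with the OCSP hostnames removed. A line that maps
# only OCSP names is dropped; a line that also maps other names keeps them
# (its trailing comment, if any, is not preserved).
strip_ocsp_overrides() {
    awk -v names="$OCSP_HOSTS" '
        BEGIN { n = split(names, want, " ") }
        {
            raw = $0
            sub(/#.*/, "")
            if (NF < 2) { print raw; next }   # blank or comment-only line
            keep = ""; hit = 0
            for (i = 2; i <= NF; i++) {
                drop = 0
                for (j = 1; j <= n; j++) if (tolower($i) == want[j]) drop = 1
                if (drop) hit = 1; else keep = keep " " $i
            }
            if (!hit) print raw
            else if (keep != "") print $1 keep
        }' "$1"
}

# Constructed sample input (not taken from a real machine).
sample_hosts() {
    printf '127.0.0.1 localhost\n'
    printf '# 127.0.0.1 ocsp.apple.com   (commented out, inactive)\n'
    printf '127.0.0.1 ocsp.apple.com\n'
    printf '127.0.0.1\tOCSP2.apple.com devbox.example\n'
}

# Demo: audit the file given as $1, or the constructed sample if none is given.
if [ -n "${1:-}" ]; then
    target=$1
else
    target=$(mktemp)
    sample_hosts > "$target"
fi
find_ocsp_overrides "$target"
```

To review a cleaned copy before replacing anything, redirect `strip_ocsp_overrides /etc/hosts` to a new file and diff it against the original.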

startergo

macrumors 603
Sep 20, 2018
5,020
2,282
When you download and run apps on Mac OS from not identified developers it's required to trust them by Gatekeeper. Codesign terminal tool allows you to manually sign any app on your MacBook. Using this technique you can for e.g. sign Adobe Zii app. Apple recently revoked TNT’s certificate.
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
Hi. I tried all the tricks. Nothing makes it happen. Nvidia needs to make a move on this. What a ****. 3 cards out :( I can install it but still no chance of loading it. I’m getting tired after 6 hours fighting this.
 

majus

Contributor
Mar 25, 2004
485
433
Oklahoma City, OK
Don't bother to try troubleshooting this driver issue because you cannot fix it; the best you can do is a workaround. The ball is in Apple/Nvidia's court now.

If you are like me, you didn't dispose of your original GPU so you can at least still use your computer, just perhaps not as fast.
 

Ivan Shpak

macrumors member
Feb 19, 2021
32
7
I want to note that after I turned off the GPU (GT120) (in my reserve 5.1) and booted up the computer, I entered openVNC and nothing worked, but after I inserted it and the next day the driver worked with the Internet turned on, this is very strange and it is not clear what certificate verification interval
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
Don't bother to try troubleshooting this driver issue because you cannot fix it; the best you can do is a workaround. The ball is in Apple/Nvidia's court now.

If you are like me, you didn't dispose of your original GPU so you can at least still use your computer, just perhaps not as fast.
I got my old GPU… but cannot do anything high level with it. Nvidia is just bad for this.
 

Txabi

macrumors newbie
Jun 3, 2022
2
1
So, it just seems to work again! 30 or something reboots without any issues.

I still don't know what made it. Blocked ocsp with Little Snitch as well as with the terminal command and deleted caches. Also blocked trustd.

I hope I have successfully blocked any certificate validating "service" for all time by now and they all can put their "certificates" to where the sun don't shine for all coming times. I don't want to experience a "nice surprise" like that ever again! It cost me two whole working days and would have put me into serious trouble if it happened in the middle of a time critical project. I really don't get the point of limiting the time vital parts of my system - which worked for years - can be run "safely". And I don't ever want someone somewhere on the net to decide and pull the plug as they like.

I wish everybody the best of luck in getting this fixed too!

Hi, could you please help me (and all of us) understand exactly what you did to get your Mac working again? I'm following this thread step by step and from the very beginning, and I can't fix the problem.
 

Terry 44

macrumors member
Jun 5, 2022
37
7
Nantes FR
Mac Pro 3.1 early 2008 - High Sierra - GTX 970 - any drivers are not loading. Could install it but no way to load it - pref panel cannot open. Shame on Nvidia and Apple. Just sucks.
 

TonyTech

macrumors regular
Mar 10, 2008
124
111
I'm having the same problem with the Nvidia CUDA web drivers. When I booted my MacBook Pro 9,1 this morning, the progress bar got stuck halfway into the booting process. I restarted the computer in Recovery Mode and ran Disk Utility First Aid. The problem persisted so I reinstalled Mac OS 10.13.6 (High Sierra). The OS reinstallation was successful so I went ahead and tried to reinstall the Nvidia Web Drivers I had previously downloaded and saved, but now I'm getting the "Web Driver...can't be opened. You should move it to the Trash" message. How come something that was working perfectly yesterday doesn't work anymore? I need the Nvidia CUDA drivers to accelerate playback on Premiere Pro CS6, After Effects CS6 ray tracing, and some older Blender 2.8 installs; the newer versions don't even support anything Nvidia on the Mac. I blame Apple, this is their way to force users of "legacy" products to buy new hardware.
 

Frixo Cool

macrumors regular
Jun 10, 2004
123
25
Croatia
Same problem here, I'll bother NVIDIA's support to death with this because this can't be legal. I had a perfectly operational machine that is in my workflow and they bricked it for some administrative glitch?

There was no warning anywhere "Your NVIDIA GPU certificate will expire in year 2022 and you'll be no longer able to use it." :(
 

TonyTech

macrumors regular
Mar 10, 2008
124
111
I always blamed Apple for being the evil greedy dictator, like Microsoft was, not Nvidia, Epic, the independent developer, etc. Not that Nvidia is not at fault, but Apple did EVERYTHING they could to discard Nvidia and High Sierra alongside anything related to these or make it extremely difficult for anyone not wishing to "upgrade".

If things used to work fine until a couple of days ago but now they don't even work when offline, with the clock set 1 month in the past, and with no other security system updates etc. being installed, what is the mechanism that prevents the kexts from loading? Which CRL, OCSP, etc. caches need to be deleted, where, and how?
I agree. I have some Apple "legacy products" that recently started having issues because they require new apps and new operating system that requires new hardware. I understand that new programs and OS will have different system requirements and will need more advanced hardware, but I just want to run old software on my old and trusty hardware. Things that I paid for and have served me well. I even have problems with something as simple as the web browser and the Youtube app; handicapping the usefulness of those devices.
 
Reactions: grad and Ivan Shpak

mateo14

macrumors member
Oct 19, 2019
71
42
I even have problems with something as simple as the web browser and the Youtube app; handicapping the usefulness of those devices.

That is my third issue with the expired certificate on the old Mac computers (iMac 2009 and Mac mini 2010) in this year.

However, you didn't point out what kind of old version of Mac OS X you use. I'm not sure it will be helpful, but you can try a few things.

I have the issues with a web browser on El Capitan, which were caused by the expired certificate:


Additionally, I had an issue activating DAEMON Tools on Mac OS X 10.6 that was caused by the expired certificate.


I used a certificate from High Sierra in Mac OS X 10.6 to sort it out.

I recommend using Arctic-Fox or InterWeb on Mac OS 10.6 for the most basic tasks.


We won't be able to use many games and Applications for the bit older versions of Mac OS X and the current one if we didn't buy them. Companies stopped releasing games and Applications on DVDs/CDs, which means you have a limited time to buy them. In this case, I don't blame Apple for behaving like other companies.
 

Phaeton99

macrumors newbie
Jun 4, 2022
5
2
Just a random thought, but what about someone taking the cached database files from a time machine backup before June 1st, and just replacing the new ones with the backups. Then, would it work to lock and change the permissions to read only on those files, so they can’t be updated? Or, even better would be, maybe the database files can be edited or patched on boot, so the revoked info gets changed back to being fine?
If someone could identify those exact files, wherever they hide in the system hierarchy, I would think it should be possible to at least replace any autoupdated version with the ones that allow the GPU drivers to load. One would probably take the machine completely offline to perform the replacement and reboot, but that's a small matter, relatively speaking.
 
Reactions: Fullerfun

Frixo Cool

macrumors regular
Jun 10, 2004
123
25
Croatia
I just had a long chat with NVIDIA support. They ignore the information that it is just an expired certificate, they give useless advice "try to reinstall the whole system" and they ask for the exact part number of the card "because I may have installed the wrong driver" - although they know that there is only one driver package for Macs.

In the end, I told them that this was not a technical problem, but a legal one, and that my legal adviser told me that this could be categorized as "malicious blocking of hardware and software" and "breach of contract because nowhere is written that the purchased graphics card will stop work in 2022 when one of their certificates expires".

I also told them that this is not my personal problem, but that ALL professionals who use this combination of hardware have the same problem and that we are ready for a class action lawsuit. Because this is not a problem caused by an incompatible update, but a purely administrative problem of the expired certificate.
 

Matty_TypeR

macrumors 6502a
Oct 1, 2016
641
555
UK
I just had a long chat with NVIDIA support. They ignore the information that it is just an expired certificate, they give useless advice "try to reinstall the whole system" and they ask for the exact part number of the card "because I may have installed the wrong driver" - although they know that there is only one driver package for Macs.

In the end, I told them that this was not a technical problem, but a legal one, and that my legal adviser told me that this could be categorized as "malicious blocking of hardware and software" and "breach of contract because nowhere is written that the purchased graphics card will stop work in 2022 when one of their certificates expires".

I also told them that this is not my personal problem, but that ALL professionals who use this combination of hardware have the same problem and that we are ready for a class action lawsuit. Because this is not a problem caused by an incompatible update, but a purely administrative problem of the expired certificate.
I don't think it's purely Nvidia, Apple also has to agree to sign it off. Apple and Nvidia get on like Ukraine and Russia so I wouldn't expect a fast fix for the issue. I run a GTX 680 in one of my Mac Pros and it's been running fine, so I can't say I have had the issue. Hopefully both Apple and Nvidia will sort it out so people can run their cards. Just have to wait and see.

I just have a feeling Apple will be enjoying this on their foe.
 
Reactions: adriandegar