
takovej

macrumors member
Mar 6, 2015
35
21
Must be stored somewhere by ocsp. I've restored machine from the TM backup, blocked ocsp servers at hosts file and running fine since then online ;)

(yes I know that blocking ocsp is not great solution but I take it as workaround until somebody works it out)
 
  • Like
Reactions: garibaldo and ori69

ori69

macrumors member
Mar 10, 2022
47
25
Must be stored somewhere by ocsp. I've restored machine from the TM backup, blocked ocsp servers at hosts file and running fine since then online ;)

(yes I know that blocking ocsp is not great solution but I take it as workaround until somebody works it out)
Write exactly how you did it.


echo 0.0.0.0 ocsp.apple.com | sudo tee -a /etc/hosts
it's correct?
 

lowcoste

macrumors newbie
Jun 5, 2022
1
2
Reply from Nvidia after a massive rant at them: 'I can completely understand how frustrating and annoying the situation can be when something like this happens, but believe me this was never our intention'....which kinda says to me they knew this was gonna happen.
 

Macschrauber

macrumors 68030
Dec 27, 2015
2,980
1,487
Germany
I checked my El Capitan image also,
same problem, cannot run WebDriver installer.
So set date back to 2020, worked in this case.

The system told me when I have downloaded the web driver package: 5-31-2022 (!)

so set date back to 5-31-2022 and checked the certificate.

It expired 10-22-2022 (!)

So seriously there is something strange going on here.

Screen Shot 2022-05-31 at 22.04.41.png
 
  • Like
Reactions: Ashok.Vardhan

adriandegar

macrumors newbie
Nov 8, 2016
18
7
Brooklyn, New York
Must be stored somewhere by ocsp. I've restored machine from the TM backup, blocked ocsp servers at hosts file and running fine since then online ;)
(yes I know that blocking ocsp is not great solution but I take it as workaround until somebody works it out)
Blocking ocsp or staying offline seems to make no difference if the revocation data has already been flagged deep across the drive. I have an older ccc image of my current drive on an external. I unfortunately tried running the driver pkg on it so it won’t boot with the kexts either :(
 

startergo

macrumors 603
Sep 20, 2018
5,021
2,282
I remove the certificate of this package with the pkgutil command,
but I cannot test it because I have no Nv card and no High Sierra 10.13.
The command will download WebDriver-387.10.10.10.40.140.pkg, then unpack and repack it.

Make sure you don't have the package in the Downloads folder, or a Files folder, because it will be deleted.
Here is the script code:

Code:
#!/bin/bash
# By chris1111
# Downloads the Nvidia web driver package, then expands and re-flattens it
# with pkgutil; the re-flattened package no longer carries the original signature.

echo "Downloads WebDriver-387.10.10.10.40.140  "
echo "= = = = = = = = = = = = = = = = = = = = = = = = =  "

# -f makes curl fail on an HTTP error instead of saving the error page as the package
curl -fL https://images.nvidia.com/mac/pkg/387/WebDriver-387.10.10.10.40.140.pkg -o "$HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg" || exit 1

# Expand the Packages with pkgutil
echo "Expand the Packages with pkgutil  "
echo "= = = = = = = = = = = = = = = = = = = = = = = = =  "
pkgutil --expand "$HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg" "$HOME/Downloads/Files" || exit 1

# Flatten the Packages with pkgutil
echo "Flatten the Packages with pkgutil  "
echo "= = = = = = = = = = = = = = = = = = = = = = = = =  "
pkgutil --flatten "$HOME/Downloads/Files" "$HOME/Downloads/MyWebDriver-387.10.10.10.40.140.pkg" || exit 1

# Clean up the downloaded package and the expanded folder
rm -f "$HOME/Downloads/WebDriver-387.10.10.10.40.140.pkg"
rm -rf "$HOME/Downloads/Files"
echo "Done!   "
echo "= = = = = = = = = = = = = = = = = = = = = = = = =  "
1654461024193.png

This is popping up non-stop.
 

majus

Contributor
Mar 25, 2004
485
433
Oklahoma City, OK
....which kinda says to me they knew this was gonna happen.
Yes they did, but given the frigid non-relationship they have with Apple, there was nothing they could do about it. So Apple really is to blame for this. Apple likely also knew it would happen, but in the real world, they are a business, not a charity.

Apple wants us to buy new computers -- and I do want one. I have been wanting a new one since the new Mac Pro was introduced in 2019 but I don't need one that expensive. So Apple will get what they want from me, which was going to happen this year anyway. I have just been waiting to see what they might come out with along the lines of an expandable but lower-priced Mac Pro. If they don't do that this year then I will buy a Mac Studio and some peripherals to get the expansion capability I desire.

P.S. -- I do think it is an interesting coincidence the driver expired just as WWDC is set to begin -- where some desirable new computer hardware may be announced.
 
  • Like
Reactions: TonyTech

mateo14

macrumors member
Oct 19, 2019
71
42
Reply from Nvidia after a massive rant at them: 'I can completely understand how frustrating and annoying the situation can be when something like this happens, but believe me this was never our intention'....which kinda says to me they knew this was gonna happen.

I'm happy that a few people decided to talk with the NVIDIA support on their chat.
I hope that more users will take a few minutes to speak with them.


I wouldn't worry too much if Apple or Nvidia decided to ignore this issue.

Let's say that I try to be skeptical for a few minutes.

We can always contact the popular tech websites and YouTube creators to spread this news.
I'm pretty sure that Apple doesn't want to explain to other computer vendors that their operating system can deactivate devices in their computers at any time.

Nvidia will have the same marketing issues if AMD decides to use it against them.

Nobody is going to buy hardware with an unknown expiration date.

This situation can be harmful to both companies if their competitors pick up this news.
 

TonyTech

macrumors regular
Mar 10, 2008
124
111
That is my third issue with the expired certificate on the old Mac computers (iMac 2009 and Mac mini 2010) this year.

However, you didn't point out what kind of old version of Mac OS X you use. I'm not sure it will be helpful, but you can try a few things.

I have the issues with a web browser on El Capitan, which were caused by the expired certificate:


Additionally, the issue I had activating DAEMON Tools on Mac OS X 10.6 was caused by the expired certificate.


I used a certificate from High Sierra in Mac OS X 10.6 to sort it out.

I recommend using Arctic-Fox or InterWeb on Mac OS 10.6 for the most basic tasks.


We won't be able to use many games and Applications for the bit older versions of Mac OS X and the current one if we didn't buy them. Companies stopped releasing games and Applications on DVDs/CDs, which means you have a limited time to buy them. In this case, I don't blame Apple for behaving like other companies.
I'm currently using Mac OS 10.13.6, since I'm able to run Adobe Premiere Pro CS6 with CUDA acceleration and also run the most popular web browsers. I prefer to use Safari but some web sites are asking me to use a newer version. The problem is that you can't upgrade Safari without upgrading the OS. So for those web sites that don't want to play nice with Safari, I use Chrome, Edge, Firefox, or Brave.
 

Dayo

macrumors 68020
Dec 21, 2018
2,257
1,279
Blocking ocsp or staying offline seems to make no difference if the revocation data has already been flagged deep across the drive.
You have been banging on about this for a while now and you actually have a point as there is one place that such stuff is stored locally and will always cause a fail regardless of external connection, Gatekeeper's database of revoked stuff. (I assume it is updated on the fly ... not sure)

They are apparently in /var/db/gkopaque.bundle and /var/db/gke.bundle:

So, the solution would be to block ocsp (so that the db is never updated) and then roll back to an earlier installation from before these two would have been updated. It may also be possible to grab the files from an earlier backup instance and paste them in to overwrite the current ones. (Would suggest creating a bootable clone first in such a case)

Obviously a bad idea to use SilentKnight to update stuff. (can it roll you back?)

As an aside, this presumably means this issue is out of Nvidia's hands and with Apple. I assume Apple would not accept an update from Nvidia even if they tried. Seems Apple has basically decided to kneecap Nvidia GPUs on Macs.

EDIT: Perhaps disabling Gatekeeper is easier?
 

startergo

macrumors 603
Sep 20, 2018
5,021
2,282
installer -allowUntrusted -verbose -pkg WebDriver-387.10.10.10.40.140.pkg -target /
Should be:
Code:
 sudo installer -allowUntrusted -verbose -pkg /path_to/WebDriver-387.10.10.10.40.140_NoSignature.pkg  -target /

Code:
installer: Package name is NVIDIA Web Driver 387.10.10.10.40.140
installer: Upgrading at base path /
installer: Preparing for installation….....
installer: Preparing the disk….....
installer: Preparing NVIDIA Web Driver 387.10.10.10.40.140….....
installer: Waiting for other installations to complete….....
installer: Configuring the installation….....
installer:    
#
installer: Writing files….....
#
installer: Running package scripts….....
#
installer: Registering updated components….....
installer: Validating packages….....
#
installer: Registering updated applications….....
#
installer:     Running installer actions…
installer:    
installer: Finishing the Installation….....
installer:    
#
installer: The software was successfully installed......
installer: The upgrade was successful.
installer: The install requires restarting now.


But still getting this error:
 

mohamedwanas

macrumors newbie
Nov 27, 2015
4
1
This worked for me on High Sierra 10.13.6 (17G66):
First; Disconnect internet
1-Edit Host file; block these:
0.0.0.0 ocsp.apple.com
0.0.0.0 ocsp.apple.com

2-Block apple.com and nvidia driver manager preference pane in Little Snitch.
3-Remove WebDriver-387.10.10.10.40.140 completely.
4-Used Kext Utility and restart.
5-Reconnect internet cable.
6-Reinstall web driver using terminal command.
7-Restart.
8-Reconnect internet cable and all things are fine and nvidia driver manager preference pane works fine except blocking it in Little Snitch as an extra step, you won't need to connect it often.
9-Re-restarted several times to ensure, and it works fine.
Hope this helps
My sincere best wishes to everyone and thank you to everyone who contributed to understanding this problem
 

goMac

macrumors 604
Apr 15, 2004
7,663
1,694
so set date back to 5-31-2022 and checked the certificate.

It expired 10-22-2022 (!)

It's not an expiration. Signed things don't expire. Otherwise people would have apps and drivers that just stop working all the time. I still have 5-6 year old signed apps on my system that run no problem.

Expiration means the developer can't sign any more. But it normally means it will still run for customers.

This still looks to me like Nvidia's signing identity got added to a blacklist. And if that's true, Nvidia can't fix this unless Apple lets them.
 
  • Like
Reactions: AngusYoung

takovej

macrumors member
Mar 6, 2015
35
21
This worked for me on High Sierra 10.13.6 (17G66):
First; Disconnect internet
1-Edit Host file; block these:
127.0.0.1 ocsp.apple.com
127.0.0.1 ocsp.apple.com
127.0.0.1 apple.com
2-Block apple.com and nvidia driver manager preference pane in Little Snitch.
3-Remove WebDriver-387.10.10.10.40.140 completely.
4-Used Kext Utility and restart.
5-Reconnect internet cable.
6-Reinstall web driver using terminal command.
7-Restart.
8-Reconnect internet cable and all things are fine and nvidia driver manager preference pane works fine except blocking it in Little Snitch as an extra step, you won't need to connect it often.
9-Re-restarted several times to ensure, and it works fine.
Hope this helps
My sincere best wishes to everyone and thank you to everyone who contributed to understanding this problem
1/ you might need to block ocsp2.apple.com too
2/ no need to block apple.com IMHO
3/ it is better to use 0.0.0.0 instead of 127.0.0.1 (non-routable meta-address instead of loopback) but yes, both should work. However, when running a local server like Apache or using some apps that use 127.0.0.1 during runtime, it could potentially cause problems. Using 0.0.0.0, the packet will not even be created in the first place, thus no waiting for a response as no packet is sent... ;)
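
The hosts-file entries discussed above stop the machine from reaching Apple's OCSP responders for any certificate, not only Nvidia's, so an administrator may want to know which Macs carry them. The following is an added example, not code from any poster in this thread: it audits a hosts file for active entries that remap the two OCSP hostnames named above. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: find hosts-file entries that remap Apple's OCSP responders.
# The hostnames are the two mentioned in the thread; everything else is constructed.

OCSP_HOSTS="ocsp.apple.com ocsp2.apple.com"

# audit_ocsp_hosts FILE
# Prints one line per active entry: "LINE KIND ADDRESS HOSTNAME".
# KIND is "sinkhole" for loopback/unspecified addresses, "override" for any other.
audit_ocsp_hosts() {
    awk -v hosts="$OCSP_HOSTS" '
        BEGIN {
            n = split(hosts, h, " ")
            for (i = 1; i <= n; i++) watch[h[i]] = 1
        }
        {
            sub(/#.*/, "")              # strip comments; commented-out entries are inactive
            if (NF < 2) next            # need an address and at least one name
            addr = $1
            if (addr == "0.0.0.0" || addr ~ /^127\./ || addr == "::1" || addr == "::")
                kind = "sinkhole"
            else
                kind = "override"
            for (i = 2; i <= NF; i++) {
                name = tolower($i)      # hostnames are case-insensitive
                if (name in watch) print NR, kind, addr, name
            }
        }
    ' "$1"
}

# make_sample_hosts: writes a constructed hosts file and prints its path.
make_sample_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
127.0.0.1   localhost
255.255.255.255 broadcasthost
::1         localhost
0.0.0.0 ocsp.apple.com
127.0.0.1 OCSP2.apple.com   # added during workaround
# 0.0.0.0 ocsp.apple.com  (commented out, inactive)
192.0.2.10 ocsp.apple.com
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: audit the file given as $1, otherwise the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_ocsp_hosts "$1"
else
    sample=$(make_sample_hosts)
    audit_ocsp_hosts "$sample"
    rm -f "$sample"
fi
```

Run it as `sh audit.sh /etc/hosts` on the machine being checked; empty output means no active entry touches either hostname.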
 

startergo

macrumors 603
Sep 20, 2018
5,021
2,282
This still looks to me like Nvidia's signing identity got added to a blacklist. And if that's true, Nvidia can't fix this unless Apple lets them.
Apple will not allow a stolen identity to be whitelisted. Nvidia will not want that either.
 

adriandegar

macrumors newbie
Nov 8, 2016
18
7
Brooklyn, New York
You have been banging on about this for a while now and you actually have a point as there is one place that such stuff is stored locally and will always cause a fail regardless of external connection, Gatekeeper's database of revoked stuff. (I assume it is updated on the fly ... not sure)

They are apparently in /var/db/gkopaque.bundle and /var/db/gke.bundle:

So, the solution would be to block ocsp (so that the db is never updated) and then roll back to an earlier installation from before these two would have been updated. It may also be possible to grab the files from an earlier backup instance and paste them in to overwrite the current ones. (Would suggest creating a bootable clone first in such a case)

Obviously a bad idea to use SilentKnight to update stuff. (can it roll you back?)

As an aside, this presumably means this issue is out of Nvidia's hands and with Apple. I assume Apple would not accept an update from Nvidia even if they tried. Seems Apple has basically decided to kneecap Nvidia GPUs on Macs.

EDIT: Perhaps disabling Gatekeeper is easier?
I actually read that article two nights ago, but unfortunately those files haven't been modified in years (last time was 2016) and I'm on Sierra. Just to be sure I overwrote them from an old backup.

The data has to be stored elsewhere (my WiFi is off, I'm blocking ocsp in hosts, csrutil status is SIP disabled and spctl status is assessments disabled), look in the screenshot of my error log what happens when I run the pkg and it fails before it attempts to install the drivers, there's knowledge of the session uuid (not a receipt), which then locally looks somewhere in the system to find CSSMERR_TP_CERT_REVOKED for com.nvidia.web-driver
 

Attachments

  • Screen Shot 2022-06-04 at 1.16.13 PM.png
  • Like
Reactions: Ashok.Vardhan

takovej

macrumors member
Mar 6, 2015
35
21
You have been banging on about this for a while now and you actually have a point as there is one place that such stuff is stored locally and will always cause a fail regardless of external connection, Gatekeeper's database of revoked stuff. (I assume it is updated on the fly ... not sure)

They are apparently in /var/db/gkopaque.bundle and /var/db/gke.bundle:

So, the solution would be to block ocsp (so that the db is never updated) and then roll back to an earlier installation from before these two would have been updated. It may also be possible to grab the files from an earlier backup instance and paste them in to overwrite the current ones. (Would suggest creating a bootable clone first in such a case)

Obviously a bad idea to use SilentKnight to update stuff. (can it roll you back?)

As an aside, this presumably means this issue is out of Nvidia's hands and with Apple. I assume Apple would not accept an update from Nvidia even if they tried. Seems Apple has basically decided to kneecap Nvidia GPUs on Macs.

EDIT: Perhaps disabling Gatekeeper is easier?
Yep, that's what I've described here ;)
 

Dayo

macrumors 68020
Dec 21, 2018
2,257
1,279
The data has to be stored elsewhere (my WiFi is off, I'm blocking ocsp in hosts, csrutil status is SIP disabled and spctl status is assessments disabled), look in the screenshot of my error log what happens when I run the pkg and it fails before it attempts to install the drivers, there's knowledge of the session uuid (not a receipt), which then locally looks somewhere in the system to find CSSMERR_TP_CERT_REVOKED for com.nvidia.web-driver
Well must be some other similar db. Seems Apple has more or less hidden the Gatekeeper database but there is/must still be one somewhere. Unfortunately, no one seems to know exactly where it is right now. Seems to be updated by Syspolicy.

Either way, blocking the relevant connections and rolling back should sort stuff out reliably.
Some have not needed to roll back and have things working following process in Post 82.
Think it is better to roll back where possible though.
 

Dayo

macrumors 68020
Dec 21, 2018
2,257
1,279
I just spoke to Apple and they said they would never revoke old certificates. They are pointing the finger at NVIDIA and directed me back to them.
To be fair to Apple, there was an issue once where an HP printer driver cert was apparently revoked by Apple from one day to the next ... until it turned out later that it was in fact HP that had made a mistake while cleaning up stuff and had ended up revoking more than they had wanted to.

Can easily see that playing out again here with Nvidia given the leak thing.
 

takovej

macrumors member
Mar 6, 2015
35
21
Agree, I'm aware of the HP case. I would still blame Apple for the nVidia one; if you block their ocsp servers, you are fine... Reminds me of an earlier case from this year where their bluetooth certificate expired, so you were not able to connect any 3rd party BT speaker after that date... still they never released an update for legacy systems (10.12 & below) so far. Or should I mention the iCloud issue too?
 

Dayo

macrumors 68020
Dec 21, 2018
2,257
1,279
Agree, I'm aware of the HP case. I would still blame Apple for the nVidia one; if you block their ocsp servers, you are fine
OCSP servers pick up and update what has been revoked.
Not sure it necessarily points at who has done the revocation.
 
  • Like
Reactions: takovej

goMac

macrumors 604
Apr 15, 2004
7,663
1,694
I just spoke to Apple and they said they would never revoke old certificates. They are pointing the finger at NVIDIA and directed me back to them.

That's a lie. They can and have revoked code signing before. The entire reason they force KEXTs to be signed is so they can revoke them. It's part of their malware control strategy. If there was a virus using kexts to bypass security they can nuke it remotely.

The figment of truth there is that Apple wouldn't revoke code signing just for being old. Like I said earlier in the thread, code signing doesn't expire. Otherwise old apps would break all the time for signing reasons.

I don't have evidence that's what happened here. But they have done it before. And computers are blocking the KEXTs after they phone home. Soooo...
 