Contribute
Register

The app’s authorization has been revoked (High Sierra NVIDIA graphics certificates expired)

Joined
Aug 12, 2018
Messages
11
Motherboard
GA-Z270X-UD3 - F8d
CPU
i7-7700K
Graphics
GTX 1060
Mac
  1. MacBook Pro
I'm sure that if running macOS without Metal API support is viable for some users, then great. :thumbup:
There is a lot of software out there that uses CUDA or OpenCL and has not been updated to use Metal. So the lack of Metal support just isn't that big of a deal for many users.
 
Joined
Apr 12, 2021
Messages
499
Motherboard
Asus z590 ROG Maximus XIII Hero
CPU
i9-11900K
Graphics
RX 6600 XT
Mac
  1. MacBook Pro
  2. Mac mini
  3. Mac Pro
Classic Mac
  1. Centris
  2. Power Mac
Mobile Phone
  1. iOS
UPDATE!!! UPDATE!!! !!! UPDATE!!!
------------------------------------------------

I am trying to catch up on this thread...

So, can a recently revoked cert disable an already installed and otherwise working driver, breaking the machine?

If so, holy crap!

If not, then this is a re-installation issue?

Isn't the right way to move forward to unwrap the old installer and its contents from the signing? I would guess this is possible, though maybe difficult.

But maybe its academic, if such discussion contrary to the site rules on piracy, which line is already crossed by descriptions of clock fiddling and cert server black-holing.

For my part, I am very very much on side of right to repair, and general libre with respect to security measures. I believe that the point of security is to improve the health of the community, not protect the assets of rights holders against the commonwealth. I don't intend to digress, only to offer context for my previous comments. I think the open discussion of and tinkering with these factors is an essential freedom.
 

UtterDisbelief

Moderator
Joined
Feb 13, 2012
Messages
8,026
Motherboard
Gigabyte Z590i Aorus Ultra - OC 0.8.0
CPU
i5-10600k
Graphics
Dell RX560
Mac
  1. iMac
  2. Mac mini
Classic Mac
  1. eMac
  2. iBook
Mobile Phone
  1. iOS
There is a lot of software out there that uses CUDA or OpenCL and has not been updated to use Metal. So the lack of Metal support just isn't that big of a deal for many users.

Hi there.

I do not doubt that at all. I have no issue with using a machine without Metal support if it helps get a job done. I'm glad @Bustycat brought that up.

My issue is simply with Nvidia Web-Driver workarounds which sound so easy, everyone will try them unaware of potential pitfalls and dangers. They don't always work and can leave the back gate swinging open.

I started my fact-checking about a very early post that was adamant a certain set of kexts and a command-line would override the Web-Driver signing problem for everyone. Since then, all I have been doing throughout this thread is dropping by to warn against miracle cures. Cures that despite the vehement certainty of it's adherents, are not always reproducible by other NVidia GPU users. What's more some tricks involve spoofing Apple servers to Local Host to prevent certificate validation.

Everyone is free to do as they wish, but encouraging others to follow blindly, without due warning, is not good advice.
 
Last edited:

UtterDisbelief

Moderator
Joined
Feb 13, 2012
Messages
8,026
Motherboard
Gigabyte Z590i Aorus Ultra - OC 0.8.0
CPU
i5-10600k
Graphics
Dell RX560
Mac
  1. iMac
  2. Mac mini
Classic Mac
  1. eMac
  2. iBook
Mobile Phone
  1. iOS
So, can a recently revoked cert disable an already installed and otherwise working driver, breaking the machine?

Yep.
Isn't the right way to move forward to unwrap the old installer and its contents from the signing? I would guess this is possible, though maybe difficult.

Nope.

For my part, I am very very much on side of right to repair, and general libre with respect to security measures. I believe that the point of security is to improve the health of the community, not protect the assets of rights holders against the commonwealth. I don't intend to digress, only to offer context for my previous comments. I think the open discussion of and tinkering with these factors is an essential freedom.

I don't think this issue is a right-to-repair one. Yes, anyone can follow one of the workarounds in an attempt to get their NVidia Web-Drivers working again, to extend the useful life of their GPUs. I wouldn't blame them. This is nothing new. Before the present certificate expiration problem a coder called Chris1111 provided a workaround that allowed older, previously native, Nvidia GPUs to continue working in Monterey, when Apple had removed their own support.

If you are aware of the risks of playing with macOS security, try the workarounds. They may or may not work for you. However, drilling a hole through certificate validation is still something that people need warning about. That's all.
 
Last edited:
Joined
Mar 2, 2014
Messages
1,504
Motherboard
Gigabyte Z390 I AORUS PRO WIFI
CPU
i9-9900K
Graphics
RX 580
Mac
  1. MacBook Air
Classic Mac
  1. Power Mac
Not relevant, but just FYI, I just updated all 3 of my in-house computers from OpenCore 0.8.0 to 0.8.1 (dated June 6) and everything still works (including my Nvidia cards and WebDriver).
 
Joined
Jun 11, 2022
Messages
1
Motherboard
Gigabyte H97M-D3H
CPU
i7-4790K
Graphics
GTX 1060 6GB
Take a look at this...
From horses mouth and may offer clues for a way forward:


Also see:

Hi guys, solution found

Update High Sierra till lates 17G14042
Cleanup NVIDIA Web driver (WEB-Drive-Toolkit From Github)
Make this in terminal console:
sudo chmod -R 755 /Library/Extensions/NVDAStartupWeb.kext
sudo chown -R root:wheel /Library/Extensions/NVDAStartupWeb.kext
sudo touch /System/Library/Extensions/ && sudo kextcache -u /
sudo touch /Library/Extensions && sudo kextcache -u /

Add boot arguments in clover configurator as in attached screenshot
Add kext as in attached screenshot
Reboot (If you have black screen add temporary boot atgument nv_disable=1)
Install official driver 387.10.10.10.40.140

Reboot and Be Happy

I tried fariddster's way first, and on the very last step, I still cannot install the 140 version driver. I can open it, but it keeps telling me installation failed.
After that I found c-o-pr's post, he mentioned a tool to fix expired pkg file, I downloaded and used it, then I successfully installed the 387.10.10.10.40.140.pkg driver!

I have even successfully installed CUDA by using this tool.
It called strip_pkg_signature from Bob Ippolito on Github.

Big thanks for all of you!


Actually not need to edit /etc/hosts
 

Jamesbond007

Moderator
Joined
May 21, 2011
Messages
6,539
Motherboard
Z390 Designare
CPU
i7 9700KF
Graphics
RX 580
Mac
  1. Mac mini
Mobile Phone
  1. iOS
So, can a recently revoked cert disable an already installed and otherwise working driver, breaking the machine?

If so, holy crap!

If not, then this is a re-installation issue?
Apparently this is exactly what happened for people who reported this issue.

So important hardware (and software) drivers can be disabled like this whenever the vendor considers it necessary, breaking the system, at least on MacOS (not sure whether there is a similar mechanism at work in Windows).

I have not heard of any reason why the certificate was suddenly revoked other than it was "expired". But still I don't understand why they made it the way that the hardware driver could still be disabled after it was installed successfully in the past.

I can understand if the installation process is aborted due to a expired security certificate, but disabling the software after it was installed and was working fine due to an expired security certificate?
 

trs96

Moderator
Joined
Jul 30, 2012
Messages
22,902
Motherboard
GA-Z97X-UD3H-BK
CPU
i5-4690K
Graphics
HD4600 / RX 570
Mac
  1. MacBook Pro
  2. Mac mini
Mobile Phone
  1. Android
Not relevant, but just FYI, I just updated all 3 of my in-house computers from OpenCore 0.8.0 to 0.8.1 (dated June 6) and everything still works (including my Nvidia cards and WebDriver).
What if the fact that you use HFS+ with High Sierra, while everyone else is using APFS, is the reason your web drivers continue to work and don't require any fixes. That seems to be the main difference between your system and what everyone else is doing. Just a thought I had. Not sure if it is the actual reason.

Maybe try a clean install of HS on a separate drive, format it APFS and then see if the web drivers work or not. I would test this myself but I don't have any Maxwell or Pascal based Nvidia cards.
 
Last edited:
Joined
May 10, 2012
Messages
131
Motherboard
Asus X299 PRO/SE
CPU
i9-10920X
Graphics
6900XT, W6600, W6800
Mac
  1. Mac Pro
was suddenly revoked other than it was "expired"
Nvidia certificates were long time expired (2015), but that is not the reason for them not to work. They were recently revoked due to Lapsus$'s security breach and subsequently malware found signed by the stolen certificates. This was done to invalidate them. Unfortunately as you can see that will affect all drivers signed with those certificates.
 
Last edited:

trs96

Moderator
Joined
Jul 30, 2012
Messages
22,902
Motherboard
GA-Z97X-UD3H-BK
CPU
i5-4690K
Graphics
HD4600 / RX 570
Mac
  1. MacBook Pro
  2. Mac mini
Mobile Phone
  1. Android
Here's an article about the two compromised Nvidia code signing certificates.

Lapsus$, according to the group's Telegram page, are threatening Nvidia with the public release of more internal materials and details of chip blueprints unless the company promises to remove LHR. It seems wholly implausible that Nvidia would give in to such blackmail. The gang also wants Nvidia to open-source its drivers for Macs, Linux, and Windows PCs.
 
Top