
The app’s authorization has been revoked (High Sierra NVIDIA graphics certificates expired)

Status
Not open for further replies.
If you get the NVidia Web-Drivers working - Yay!! - otherwise ... Stay with High Sierra disconnected from a time server, or the Internet altogether. But for an easier life swap to a supported AMD GPU and just relax. Heck, most builders spend a genuine fortune on CPUs and GPUs these days; those stuck at High Sierra for old software reasons are just plain missing out.
Short story. In late May, the Dortania developers (who also developed OpenCore Legacy Patcher) announced that they had succeeded in making the Nvidia Web Driver run on Monterey without Metal. Days later, the infamous disaster began. The team also confirmed that Nvidia revoked the certificate.
 
The team also confirmed that Nvidia revoked the certificate.
The bottom line to this whole thing is that Apple wants nothing to do with Nvidia and vice versa. The last thing Nvidia would want is their GPUs working on the latest macOS versions. Was the timing of the certificate revocation just a coincidence? We don't know for sure but we can be certain it's over for any kind of business relations between Apple and Nvidia. Time for everyone to move on. Plenty of other graphics and OS options are available now.
 
Yes, this method is one often quoted out on the web. How do you stop the system from verifying the certificate when connected to the Internet on Reboot?

Can you see what you have done by repacking the driver?

Glad it works for you but this is not repeatable for most ... I think Apple would call this a major flaw in their security if it was so easy to install unsigned kernel-extensions even in user-space, just by repacking someone else's driver. That's a back-door, wide open.

Sorry, but I stand by my post.
As for what happens when repackaging, what I can tell you is speculation: I assume that it updates the dates of the packages, and that already allows the installation of the drivers in new installations.

When modifying the hosts, the addresses where the verification of the certificates is performed are blocked; it does not have to be disconnected from the internet, it simply does not connect to these three verification addresses.

As far as not everyone can repeat it, it applies to any instructions given in these forums, we try to be as clear as possible but many times we can't make ourselves understood.

I think that panicking is not part of the steps to follow, and neither is going out to buy, since we produce a lot of garbage, and if a computer can give us another 5 years of use, welcome.
 
Yes, this method is one often quoted out on the web. How do you stop the system from verifying the certificate when connected to the Internet on Reboot?
Step 2 remaps three Apple servers to localhost, which presumably prevents any verification. That also permanently weakens security on the hack, so the solution comes at a cost.

The safest solution is to get a cheap supported AMD GPU. Second-hand Polaris should be cheap now—and compatible with 32-bit apps on High Sierra and Mojave.
 
I would like to add another point of view. For whatever reason, both of my computers running High Sierra 10.13.6 (build 17G14042) are still working with my nVidia Web Driver 387.10.10.10.140. Those computers are my "Mini-ITX 1" and "Mini-ITX 3" below. I have not had this problem so far, and have shut down/rebooted both at least several times. I don't know what is saving these computers from the certificate expiration, but I have a wild uneducated guess. My boot loader is the current released version of Open Core, 0.8.0, with Lilu version 1.6.0 and WhateverGreen version 1.5.8. If I look at "Show Package Contents" of WhateverGreen, its info.plist/Root/IOKitPersonalities contains "NVHDAEnabler" with a listing of a bunch of "stuff."

Here is my wild guess: WhateverGreen is somehow overriding my expired Web Driver certificate and enabling my nVidia graphics cards. I can see no other reason why everything still works. (Both computers are, and have been, connected to the Internet.)

FWIW, my /System/Library/Extensions/NVDAStartup.kext is version 10.32.0 dated 1/15/18, 4:02 PM. If I "Show Package Contents" on it, and look in its "_CodeSignature" folder, PlistEditPro can open its "CodeResources" file, and it contains probably the same "files2/hash2" data Value as everyone else's. Check it out:
B13639B6 9CEE8995 B4351E5F 2E6A014A 816EABCF D2E89CEE 55901BBE DE7C5095

I'm just spitballing that this is what's expired, and Open Core is enabling my cards to work because WhateverGreen isn't using that.

Hey, it's a Hackintosh!
 
Step 2 remaps three Apple servers to localhost, which presumably prevents any verification. That also permanently weakens security on the hack, so the solution comes at a cost.
It does. And thank you for pointing that out. :thumbup:

We don't want to see Nvidia GPU users stampeding to compromise their systems, just for this, surely, temporary gain.

It is *not* a proper solution.

:)
 
Short story. In late May, the Dortania developers (who also developed OpenCore Legacy Patcher) announced that they had succeeded in making the Nvidia Web Driver run on Monterey without Metal. Days later, the infamous disaster began. The team also confirmed that Nvidia revoked the certificate.

Is running a GPU on a modern macOS version without Metal API support a useful thing?

For sure I have built a few machines "behind the scenes" here using a GT1050 and GT1030 with both Big Sur and Monterey - using no hacked drivers. I had no hardware acceleration at all, but I got VESA output and could use the systems.

Simple Black Screens are not the sole symptom of certificate expiry.

I'm inclined to go with @trs96 's viewpoint about the odd "coincidence" that happened ...
 
Excellent. Thank you.

Hopefully we'll get feedback as more people try this.

(I still can't get my head around how Nvidia's revoked certificate can be re-signed just by repackaging it locally, but hey, if it works ... )

Perhaps the reason is that if you have SIP disabled the kexts will work without signing? Do you have SIP disabled?

Many builders these days keep SIP enabled for security.

:)

UPDATE!!! UPDATE!!! !!! UPDATE!!!
------------------------------------------------------------------------------------------------

The solution I used worked, until I had to reboot the system. After rebooting the system the GPU was working; however, the display picture would rip and tear when moving windows on it, then return to normal, etc. Also, Nvidia would not open from system pref although it shows it. The Nvidia control panel would not show at the top bar where the time is. So, with the tearing being more an annoyance than a problem bc the monitor and display would work, I had to find a real solution, and thus I came across these instructions which I can confirm, even after a reboot, SOLVES this issue.
------------------------------------------------------------------------------------------------
Here’s the best current workaround, and it brought my system back to life! (by eierftucht on macrumors site)



Step 1. Physically disconnect the affected device from the web. Powering down the router for a few minutes will do just fine.

Step 2. Boot into Safe Mode. Everything will be extremely laggy, be patient. (-x in Clover will boot Safe Mode; Safe Mode is an essential step, it will not work otherwise.)

Step 3. Launch Terminal and enter the command ‘sudo nano /etc/hosts’; once prompted, provide the password. (You can also use something like Little Snitch to block trustd instead of changing hosts in steps 3 & 4.)

Step 4. Append the following lines to the file’s contents:

127.0.0.1 ocsp.apple.com
127.0.0.1 ocsp2.apple.com
127.0.0.1 ocsp.digicert.com

Save changes and exit.

Step 5. Run the following batch of Terminal commands:

crlrefresh rp
sudo rm -f /var/db/crls/*cache?.db
sudo date -u 020200002020
sudo reboot

Your computer will immediately reboot after the last command. Upon seeing the desktop again, you should notice that everything is back to normal. You can now reconnect to the internet. System time and date will automatically adjust themselves upon reconnecting. If some apps throw errors related to bad time and date, another reboot will fix that. Don’t worry if you run into any scary messages upon the first reboot.

The ‘sudo date’ shift trick is 90% likely unnecessary but better safe than sorry. It’s there just to lure the system (now reverted to a clean state) into repeating any sneaky moves it’s compelled to make since the 1st of June, just to check it no longer breaks itself.

good to go!

--
Alternative way is:
Restore from time machine from date before June 1st.
Completely disconnect from internet.
Boot restored system.
Open terminal.
Paste this, hit enter, type in pass.
sudo sh -c 'echo "0.0.0.0 ocsp.apple.com" >> /etc/hosts' && sudo sh -c 'echo "0.0.0.0 ocsp2.apple.com" >> /etc/hosts' && sudo killall -HUP mDNSResponder

Restart, reconnect to internet.
Good to go.


Edited Monday at 02:26 PM by fullerfun
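
Added example, not part of the quoted workaround or of any post in this thread: a small audit that reports whether a hosts file overrides the three OCSP responder names listed in Step 4, which is how to tell that revocation checking has been redirected on a machine. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag hosts-file entries that override OCSP responders.
# Hostnames are the three named in Step 4 above.
OCSP_HOSTS="ocsp.apple.com ocsp2.apple.com ocsp.digicert.com"

# Print "address hostname" for every watched name present in the file.
# Any hosts entry for these names takes precedence over DNS, so the
# address it points to does not matter for the finding.
find_ocsp_overrides() {
    sed 's/#.*//' "$1" | awk -v watch="$OCSP_HOSTS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        NF >= 2 {
            # A hosts line may list several aliases after the address.
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                sub(/\.$/, "", name)        # tolerate a trailing dot
                if (name in bad) print $1, name
            }
        }'
}

# Return 0 when the file is clean, 1 when a responder is overridden.
audit_hosts() {
    found=$(find_ocsp_overrides "$1")
    [ -z "$found" ] && return 0
    printf 'revocation responders overridden in %s:\n%s\n' "$1" "$found" >&2
    return 1
}

# Constructed sample input (not taken from a real machine).
write_sample() {
    cat > "$1" <<'EOF'
127.0.0.1 localhost
# 127.0.0.1 ocsp.digicert.com   (commented out, must be ignored)
127.0.0.1 ocsp.apple.com
0.0.0.0 OCSP2.apple.com other.example
192.0.2.10 intranet.example
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_hosts "$sample" || echo "constructed sample fails the audit, as intended"
rm -f "$sample"
```

On a real system the check is `audit_hosts /etc/hosts`; a non-zero exit means the entries should be removed to restore revocation checking.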
 

Thank you, yes. This is now a known workaround BUT please go up the page to post #74.

Tricking the system has a downside.

If you are a Pro user who wants to stay on High Sierra for software reasons, and you really *do* earn money from your work, then I think it's now time to re-evaluate your reasoning - and expenditure.

(I can see I'm becoming a bit of a pain in the side for all these "wonder cures" for certificate expiration ... :D )
 
Step 2 remaps three Apple servers to localhost, which presumably prevents any verification. That also permanently weakens security on the hack, so the solution comes at a cost.

The safest solution is to get a cheap supported AMD GPU. Second-hand Polaris should be cheap now—and compatible with 32-bit apps on High Sierra and Mojave.
Not seeing those prices coming down all that much yet, and the higher end Polaris cards are still going for over $400-500 used or new from many places. Used prices all got pushed up over the last year or so. Cheapest price on a RX 580 I came across looking a couple weeks ago was $499.

I had started looking about half a dozen weeks ago as I was running into requirements for Mojave or later OS versions. It came down to either a RX 580 for $500 and either stay with High Sierra or upgrade to Mojave. Alternate was going to Monterey and installing a RX 6600 for about $325. But that would require running a VM of Mojave or lower to run a few 32-bit apps I haven't been able to replace. I looked at prices for RX 5000 series Navi and the high end RX 6000 Navi cards and those were a bit too much.

So your "safest solution" also comes at a monetary cost, and does not look as cheap as you think.
 