The app’s authorization has been revoked (High Sierra NVIDIA graphics certificates expired)

JoeH · Jun 9, 2022

UtterDisbelief said:
I'm sure that if running macOS without Metal API support is viable for some users, then great.

There is a lot of software out there that uses CUDA or OpenCL and has not been updated to use Metal. So the lack of Metal support just isn't that big of a deal for many users.

c-o-pr · Jun 9, 2022

eddapp said:
UPDATE!!! UPDATE!!! !!! UPDATE!!!
------------------------------------------------

I am trying to catch up on this thread...

So, can a recently revoked cert disable an already installed and otherwise working driver, breaking the machine?

If so, holy crap!

If not, then this is a re-installation issue?

Isn't the right way to move forward to unwrap the old installer and its contents from the signing? I would guess this is possible, though maybe difficult.

But maybe its academic, if such discussion contrary to the site rules on piracy, which line is already crossed by descriptions of clock fiddling and cert server black-holing.

For my part, I am very very much on side of right to repair, and general libre with respect to security measures. I believe that the point of security is to improve the health of the community, not protect the assets of rights holders against the commonwealth. I don't intend to digress, only to offer context for my previous comments. I think the open discussion of and tinkering with these factors is an essential freedom.

UtterDisbelief · Jun 9, 2022

JoeH said:
There is a lot of software out there that uses CUDA or OpenCL and has not been updated to use Metal. So the lack of Metal support just isn't that big of a deal for many users.

Hi there.

I do not doubt that at all. I have no issue with using a machine without Metal support if it helps get a job done. I'm glad @Bustycat brought that up.

My issue is simply with Nvidia Web-Driver workarounds which sound so easy, everyone will try them unaware of potential pitfalls and dangers. They don't always work and can leave the back gate swinging open.

I started my fact-checking about a very early post that was adamant a certain set of kexts and a command-line would override the Web-Driver signing problem for everyone. Since then, all I have been doing throughout this thread is dropping by to warn against miracle cures. Cures that despite the vehement certainty of it's adherents, are not always reproducible by other NVidia GPU users. What's more some tricks involve spoofing Apple servers to Local Host to prevent certificate validation.

Everyone is free to do as they wish, but encouraging others to follow blindly, without due warning, is not good advice.

UtterDisbelief · Jun 9, 2022

c-o-pr said:
So, can a recently revoked cert disable an already installed and otherwise working driver, breaking the machine?

Yep.

c-o-pr said:
Isn't the right way to move forward to unwrap the old installer and its contents from the signing? I would guess this is possible, though maybe difficult.

Nope.

c-o-pr said:
For my part, I am very very much on side of right to repair, and general libre with respect to security measures. I believe that the point of security is to improve the health of the community, not protect the assets of rights holders against the commonwealth. I don't intend to digress, only to offer context for my previous comments. I think the open discussion of and tinkering with these factors is an essential freedom.

I don't think this issue is a right-to-repair one. Yes, anyone can follow one of the workarounds in an attempt to get their NVidia Web-Drivers working again, to extend the useful life of their GPUs. I wouldn't blame them. This is nothing new. Before the present certificate expiration problem a coder called Chris1111 provided a workaround that allowed older, previously native, Nvidia GPUs to continue working in Monterey, when Apple had removed their own support.

If you are aware of the risks of playing with macOS security, try the workarounds. They may or may not work for you. However, drilling a hole through certificate validation is still something that people need warning about. That's all.

wstrohm · Jun 10, 2022

Not relevant, but just FYI, I just updated all 3 of my in-house computers from OpenCore 0.8.0 to 0.8.1 (dated June 6) and everything still works (including my Nvidia cards and WebDriver).

nierde111 · Jun 11, 2022

c-o-pr said:
Take a look at this...
From horses mouth and may offer clues for a way forward:

Apple’s kext signing bypassed…

I have found a very simple way to bypass Apple’s kext signing in El Capitan, like I did before in Yosemite and Mavericks before that. This time I did it differently, and this blog post is a s…

pikeralpha.wordpress.com

Also see:

GitHub - etrepum/strip_pkg_signature: Strips signature from Apple pkg files

Strips signature from Apple pkg files. Contribute to etrepum/strip_pkg_signature development by creating an account on GitHub.

github.com

fariddster said:
Hi guys, solution found

Update High Sierra till lates 17G14042
Cleanup NVIDIA Web driver (WEB-Drive-Toolkit From Github)
Make this in terminal console:
sudo chmod -R 755 /Library/Extensions/NVDAStartupWeb.kext
sudo chown -R root:wheel /Library/Extensions/NVDAStartupWeb.kext
sudo touch /System/Library/Extensions/ && sudo kextcache -u /
sudo touch /Library/Extensions && sudo kextcache -u /

Add boot arguments in clover configurator as in attached screenshot
Add kext as in attached screenshot
Reboot (If you have black screen add temporary boot atgument nv_disable=1)
Install official driver 387.10.10.10.40.140

Reboot and Be Happy

I tried fariddster's way first, and on the very last step, I still cannot install the 140 version driver. I can open it, but it keeps telling me installation failed.
After that I found c-o-pr's post, he mentioned a tool to fix expired pkg file, I downloaded and used it, then I successfully installed the 387.10.10.10.40.140.pkg driver!

I have even successfully installed CUDA by using this tool.
It called strip_pkg_signature from Bob Ippolito on Github.

Big thanks for all of you!

Actually not need to edit /etc/hosts

Jamesbond007 · Jun 12, 2022

c-o-pr said:
So, can a recently revoked cert disable an already installed and otherwise working driver, breaking the machine?

If so, holy crap!

If not, then this is a re-installation issue?

Apparently this is exactly what happened for people who reported this issue.

So important hardware (and software) drivers can be disabled like this whenever the vendor considers it necessary, breaking the system, at least on MacOS (not sure whether there is a similar mechanism at work in Windows).

I have not heard of any reason why the certificate was suddenly revoked other than it was "expired". But still I don't understand why they made it the way that the hardware driver could still be disabled after it was installed successfully in the past.

I can understand if the installation process is aborted due to a expired security certificate, but disabling the software after it was installed and was working fine due to an expired security certificate?

trs96 · Jun 12, 2022

wstrohm said:
Not relevant, but just FYI, I just updated all 3 of my in-house computers from OpenCore 0.8.0 to 0.8.1 (dated June 6) and everything still works (including my Nvidia cards and WebDriver).

What if the fact that you use HFS+ with High Sierra, while everyone else is using APFS, is the reason your web drivers continue to work and don't require any fixes. That seems to be the main difference between your system and what everyone else is doing. Just a thought I had. Not sure if it is the actual reason.

Maybe try a clean install of HS on a separate drive, format it APFS and then see if the web drivers work or not. I would test this myself but I don't have any Maxwell or Pascal based Nvidia cards.

zirkaiva · Jun 12, 2022

Jamesbond007 said:
was suddenly revoked other than it was "expired"

Nvidia certificates were long time expired (2015), but that is not the reason for them not to work. They were recently revoked due to Lapsus$'s security breach and subsequently malware found signed by the stolen certificates. This was done to invalidate them. Unfortunately as you can see that will affect all drivers signed with those certificates.

Stolen Nvidia certificates used to sign malware—here's what to do

Two Nvidia code signing certificates have been leaked by the LAPSUS$ ransomware group. We explain what it means and what you can do about it.

blog.malwarebytes.com

trs96 · Jun 12, 2022

Here's an article about the two compromised Nvidia code signing certificates.

Leaked stolen Nvidia key can code-sign Windows malware

70k staff email addresses and NTLM password hashes also dumped online

www.theregister.com

Lapsus$, according to the group's Telegram page, are threatening Nvidia with the public release of more internal materials and details of chip blueprints unless the company promises to remove LHR. It seems wholly implausible that Nvidia would give in to such blackmail. The gang also wants Nvidia to open-source its drivers for Macs, Linux, and Windows PCs.

Search

The app’s authorization has been revoked (High Sierra NVIDIA graphics certificates expired)

JoeH

c-o-pr

UtterDisbelief

Moderator

UtterDisbelief

Moderator

wstrohm

nierde111

Apple’s kext signing bypassed…

GitHub - etrepum/strip_pkg_signature: Strips signature from Apple pkg files

Jamesbond007

Moderator

trs96

Moderator

zirkaiva

Stolen Nvidia certificates used to sign malware—here's what to do

trs96

Moderator

Leaked stolen Nvidia key can code-sign Windows malware

Forum

Guides

Downloads