
[Test Build] Improved Driver Signing Options

W1zzard

This build adds an option to use an EAC-compatible signing method. Please test and give feedback.

 

Works perfect here.
 
Tested random DELL driver on ASUS with EAC compatible method.
GPU-Z flags signature as unknown.

 
Another tidbit. For whatever reasons some users prefer antiquated Windows 10 builds or are not even aware of it.

You can force installation of new drivers by removing the build check:

[Manufacturer]
%NVIDIA_A% = NVIDIA_Devices,NTamd64.10.0...17098

[NVIDIA_Devices.NTamd64.10.0...17098]
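
Added example (not part of the original post or of NVCleanstall): a small Python parser that decodes the `NTamd64.10.0...17098` decoration quoted above using Microsoft's documented TargetOSVersion layout, and lists the models sections whose version floor excludes a given Windows build. The sample INF text, the function names and the host build numbers are constructed for illustration, and the comparison is simplified (it ignores ProductType and SuiteMask).

```python
import re

# Constructed sample built from the two lines quoted in the post above.
SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"

[Manufacturer]
%NVIDIA_A% = NVIDIA_Devices,NTamd64.10.0...17098
"""

FIELDS = ("major", "minor", "product_type", "suite_mask", "build")

def parse_decoration(dec):
    """Split NT[arch][.major[.minor[.producttype[.suitemask[.build]]]]]."""
    m = re.fullmatch(r"NT([A-Za-z0-9]*)((?:\.[^.]*)*)", dec.strip(), re.I)
    if not m:
        raise ValueError(f"not a TargetOSVersion decoration: {dec!r}")
    parts = m.group(2).split(".")[1:] if m.group(2) else []
    out = {"arch": m.group(1).lower() or None}
    for name, value in zip(FIELDS, parts + [""] * len(FIELDS)):
        base = 16 if value.lower().startswith("0x") else 10
        out[name] = int(value, base) if value else None   # empty field = unset
    return out

def manufacturer_targets(inf_text):
    """Yield (decorated models section, decoded fields) from [Manufacturer]."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()               # drop INF comments
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "manufacturer" and "=" in line:
            models, *decs = [p.strip() for p in line.split("=", 1)[1].split(",")]
            for dec in decs:
                yield f"{models}.{dec}", parse_decoration(dec)

def sections_blocking(inf_text, host_build, host_ver=(10, 0)):
    """Return decorated sections whose version floor is above this host."""
    blocked = []
    for name, t in manufacturer_targets(inf_text):
        floor = (t["major"] or 0, t["minor"] or 0, t["build"] or 0)
        if (*host_ver, host_build) < floor:
            blocked.append((name, floor))
    return blocked
```

Editing the decoration changes the INF's hash, so the vendor's catalog signature no longer covers the file, which is why the thread talks about rebuilding the signature afterwards.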
 
Any idea why they added this limitation? Have you tested it on older Windows builds?
They cannot advertise RTX features under old Windows 10 versions.

Under Windows 7-8.1 there is some inconsistency:
INF contains RTX desktop GPUs, but most mobile RTX are missing (I guess they overlooked the few remaining ones in the OEM INFs)

I did not test with old versions, guinea pigs are welcome...
Actually I came up with the idea after I had to help some guy who assembled a new rig with RTX, installed Windows from a 2016 DVD and then went nuts trying to install the GeForce driver.
 
Another tidbit. For whatever reasons some users prefer antiquated Windows 10 builds or are not even aware of it.

You can force installation of new drivers by removing the build check:

[Manufacturer]
%NVIDIA_A% = NVIDIA_Devices,NTamd64.10.0...17098

[NVIDIA_Devices.NTamd64.10.0...17098]
Exactly!
 

So, do you (or anyone else) have an older Windows installation handy?
If so, edit INF manually.
Then in NVCleanstall tick expert tweaks and disable driver telemetry to trigger rebuilding the signature.
 
The compatible method works, tried it before last weekend. But one has to uninstall the Nvidia driver first otherwise it's not being reinstalled :( That also means my monitor settings got wiped and that is always a giant pain to set up again because Nvidia's adaptive sync code is a joke and black screens all connected monitors whether they are adaptive sync capable or not, be it on DP or HDMI.

And yes the file that EAC complained about is indeed 2 years expired certificate signed. Someone tell Nvidia it's now 2021 not 2019 and that certificates don't last forever. But that would be a dream come true if they had quality control or fixed issues reported via their own system (when it could still be found) wouldn't it.
 
But one has to uninstall the Nvidia driver first otherwise it's not being reinstalled
First time I hear this, anyone else?

Someone tell Nvidia it's now 2021 not 2019 and that certificates don't last forever.
I did, their response "The listed files are embed PE signed binaries. Unfortunately, the OS can't recognize these certificates and this is expected behavior. Engineering has reported the issue to Microsoft."
I wrote back explaining that their answer is bs (with nicer words) and haven't heard from them since.

Try opening your own ticket, maybe you'll have more luck

expired certificate signed
What's also interesting is that they're getting this timestamped with an expired certificate, and get a MS sig on top of that
 
First time I hear this, anyone else?

Try opening your own ticket, maybe you'll have more luck

What's also interesting is that they're getting this timestamped with an expired certificate, and get a MS sig on top of that
Well I don't remember the exact setup menu listing details anymore after installation, if it said driver not installed there or nothing, one of those. The fact that EAC kept on complaining after system restart the same way as it did before the reinstall, my conclusion was that the driver itself was not changed. I also don't remember losing monitor settings either, I use CRU to clean up the entries and raise refresh.

After uninstalling driver via regular modern Win10 add/remove program "control panel" and installing v1.9.2 modified driver, system restart, the CRU changes were lost and driver was now reinstalled with EAC stopping to complain.

I have been installing 466.47-desktop-win10-64bit-international-dch-whql.exe modified with v1.9.2 over 466.47-desktop-win10-64bit-international-dch-whql.exe (same driver) modified with v1.9.0. In both I disable the telemetry, including any experimental and enable MSI.

I bet it detected no driver version upgrade and refused to reinstall/overwrite the files. Which I find understandable in modern applications as being more common though a bit annoying when the setup is launched by user to perform an action and then the setup itself decides it knows better than the user and does not perform what it was made for as if someone launched it by mistake. This is probably normal behavior of the NV setup and I don't expect it to be caused by NVCleanstall.

I tried to find the Nvidia bug/issue report page again but could not, anyone got a link? I know it existed because years ago I did report adaptive sync problems there. Nowadays all I found was that people should go to their forum and no link to the actual reporting page.

There is definitely some problem in the chain of trust when expired (invalid) certificates continue to be used. Normally I would expect the regular unmodified NV driver installer to fail when Windows tells it: no, go away, your certificate is invalid. But neither Windows nor MS's own driver certification seems to catch it.
When I search this, all I find is Virtualbox added hardening and does catch these Nvidia certificate shenanigans. One such report that also says that MS signed over the expired NV cert. And the sign over should somehow make it OK? I don't think so. #19743 (Hardening rejects DLL because of expired certificate nvldumdx.dll) – Oracle VM VirtualBox
The expired certificate problem definitely seems to have been going on for a long while now. For the driver itself, one doesn't even have to use NVCleanstall to run into problems.
 
I have been installing 466.47-desktop-win10-64bit-international-dch-whql.exe modified with v1.9.2 over 466.47-desktop-win10-64bit-international-dch-whql.exe (same driver) modified with v1.9.0. In both I disable the telemetry, including any experimental and enable MSI.
That's pretty much what I've been using for testing dozens of times, just with non-DCH

I tried to find the Nvidia bug/issue report page again but could not, anyone got a link?
Include msinfo32's .nfo file in the initial submit, this will save you one round-trip with their 1st level support

Virtualbox
Nice find, I wasn't aware anyone else encountered this problem before. Unfortunately no solution and doesn't look like NVIDIA is planning to fix this. And I agree, this is probably human error
 
Oh nice, but will I need to reinstall the driver from scratch then?
Will I be able to just select the graphic driver and avoid touching the HD audio part? (because this resets its setting every time)
 
Doesn't anyone know this? I'd like to install the new version, but I'd like to avoid having to config everything again :\
Or maybe someone knows where the settings are stored?
 
I was talking about my post above, I meant the HD audio settings. They always get reset in the normal installation.
Where do you change those settings? I didn't even know there was something to be configured :)
 
Where do you change those settings? I didn't even know there was something to be configured :)
In Control Panel->Sound or right-click on the sound icon in the taskbar.
Each capable device (mobo, GPU, soundcard, headphones, mic, etc) has its playback & recording input\outputs here.
The settings are in both Configure & Properties.

(I actually forgot to write down my previous config before the new installation, so I may have lost something)
 
and when you install a new driver version (install over, no ddu), these options get reset?
 
and when you install a new driver version (install over, no ddu), these options get reset?
They got reset with the HD audio, I don't know if I can leave the current one alone.

Btw I wonder if avoiding a clean install would even work, since, when testing NVCleanstall, the setup reported that the same graphic driver version was already installed..
 
Any idea why they added this limitation? Have you tested it on older Windows builds?

1803 is the minimum version where a driver vendor can sideload an appx package included within the driver package where the system is set to not permit it otherwise.

In the case below, a user cannot sideload an appx package themselves, however the driver is capable of doing so after 1803.


1654432206535.png


I did, their response "The listed files are embed PE signed binaries. Unfortunately, the OS can't recognize these certificates and this is expected behavior. Engineering has reported the issue to Microsoft."

Explorer.exe cannot validate these signatures as the trusted authority does not exist within the user-visible security store provided by the MMC snap-in; these root authorities are embedded in kernel DLLs (CI.dll to be exact).

The full chain is double time stamped by having both the vendor cert and the WHCK cert, so NVIDIA can continue using their expired certificate without any concerns. Applications that need a valid trust chain should take all signatures on the file into account. It is fundamentally impossible to validate NVIDIA's own certificate chain at the user level, even if it was within its validity period, thanks to the chain breaking at "Microsoft Digital Media Authority 2005", which is embedded in CI.dll.
 
What does NVCleanstall re-sign? Is it the main driver .sys file? Is it just the INF? Is it something else?
 