# [Test Build] Improved Driver Signing Options



## W1zzard (May 11, 2021)

This build adds an option to use an EAC-compatible signing method. Please test and give feedback.


----------



## R-T-B (May 19, 2021)

Works perfect here.


----------



## StefanM (May 19, 2021)

Tested random DELL driver on ASUS with EAC compatible method.
GPU-Z flags signature as unknown.


----------



## PersianShinobi (May 19, 2021)

Can confirm that EAC is not triggered. Thanks for your work!


----------



## W1zzard (May 19, 2021)

StefanM said:


> GPU-Z flags signature as unknown.


As expected. Underlying reason is that the EAC method removes some hashes from the .CAT file, which affects GPU-Z's verification method



PersianShinobi said:


> Can confirm that EAC is not triggered. Thanks for your work!


thanks!


----------



## StefanM (May 29, 2021)

Another tidbit. For whatever reasons some users prefer antiquated Windows 10 builds or are not even aware of it.

You can force installation of new drivers by removing the build check:

```
[Manufacturer]
%NVIDIA_A% = NVIDIA_Devices,NTamd64.10.0...17098

[NVIDIA_Devices.NTamd64.10.0...17098]
```


----------
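
The decoration in the post above follows the INF TargetOSVersion layout `nt[Architecture][.[OSMajorVersion][.[OSMinorVersion][.[ProductType][.[SuiteMask][.[BuildNumber]]]]]]`, so `17098` sits in the BuildNumber field. The Python sketch below is an added example, not code from the thread or from NVCleanstall: it parses that decoration and reports whether a given Windows build is eligible for the decorated models section. The sample INF is constructed, the function names are hypothetical, and ProductType and SuiteMask are parsed but not evaluated.

```python
import re

# Constructed sample built around the two lines quoted in the post;
# the device line is a placeholder, not taken from a real NVIDIA INF.
SAMPLE_INF = """\
[Manufacturer]
%NVIDIA_A% = NVIDIA_Devices,NTamd64.10.0...17098

[NVIDIA_Devices.NTamd64.10.0...17098]
%Example.DeviceDesc% = ExampleInstall, PCI\\VEN_XXXX&DEV_XXXX ; placeholder
"""

def manufacturer_entries(inf_text):
    """Yield (models_name, decoration) for each [Manufacturer] line."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop INF comments (naive split)
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "manufacturer" and "=" in line:
            fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
            for deco in fields[1:]:
                yield fields[0], deco

def parse_target(deco):
    """Split one TargetOSVersion decoration into its named fields."""
    parts = deco.split(".")
    m = re.fullmatch(r"nt(\w*)", parts[0], re.IGNORECASE)
    if not m:
        raise ValueError(f"not a TargetOSVersion decoration: {deco!r}")
    nums = [int(p, 0) if p else None for p in parts[1:]] + [None] * 5
    keys = ("major", "minor", "product_type", "suite_mask", "build")
    return {"arch": m.group(1).lower(), **dict(zip(keys, nums))}

def accepts(target, arch, major, minor, build):
    """True if the decorated section is eligible on this OS version/build."""
    if target["arch"] and target["arch"] != arch.lower():
        return False
    if (major, minor) < (target["major"] or 0, target["minor"] or 0):
        return False
    # BuildNumber is a minimum: older builds never match this section.
    return target["build"] is None or build >= target["build"]

def audit(inf_text, arch, major, minor, build):
    """List every decorated models section with its eligibility verdict."""
    return [(name, deco, accepts(parse_target(deco), arch, major, minor, build))
            for name, deco in manufacturer_entries(inf_text)]
```

Calling `audit(SAMPLE_INF, "amd64", 10, 0, 16299)` (Windows 10 1709) marks the section as not eligible, while build 19043 is accepted.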



## W1zzard (May 29, 2021)

StefanM said:


> by removing the build check


any idea why they added this limitation? have you tested it on older windows builds?


----------



## StefanM (May 29, 2021)

W1zzard said:


> any idea why they added this limitation? have you tested it on older windows builds?


They cannot advertise RTX features under old Windows 10 versions.

Under Windows 7-8.1 there is some inconsistency: 
INF contains RTX desktop GPUs, but most mobile RTX are missing (I guess they overlooked the few remaining ones in the OEM INFs)

I did not test with old versions, guinea pigs are welcome...
Actually I came up with the idea after I had to help some guy who assembled a new rig with RTX, installed Windows from a 2016 DVD and then went nuts trying to install the GeForce driver.


----------



## AAF Optimus (Jun 1, 2021)

StefanM said:


> Another tidbit. For whatever reasons some users prefer antiquated Windows 10 builds or are not even aware of it.
> 
> You can force installation of new drivers by removing the build check:
> 
> ...


Exactly!


----------



## StefanM (Jun 2, 2021)

Alan Finotty said:


> Exactly!



So, do you (or anyone else) have an older Windows installation handy?
If so, edit INF manually.
Then in NVCleanstall tick _expert tweaks_ and _disable driver telemetry_ to trigger rebuilding the signature.


----------



## Mismo_YT (Jun 2, 2021)

This 1.9.2 version worked for me with the Easy Anti Cheat


----------



## JackCY (Jun 3, 2021)

The compatible method works, tried it before last weekend. But one has to uninstall the Nvidia driver first otherwise it's not being reinstalled. That also means my monitor settings got wiped and that is always a giant pain to set up again because Nvidia's adaptive sync code is a joke and black screens all connected monitors whether they are adaptive sync capable or not be it on DP or HDMI.

And yes the file that EAC complained about is indeed 2 years expired certificate signed. Someone tell Nvidia it's now 2021 not 2019 and that certificates don't last forever. But that would be a dream come true if they had quality control or fixed issues reported via their own system (when it could still be found) wouldn't it.


----------



## W1zzard (Jun 3, 2021)

JackCY said:


> But one has to uninstall the Nvidia driver first otherwise it's not being reinstalled


First time I hear this, anyone else?



JackCY said:


> Someone tell Nvidia it's now 2021 not 2019 and that certificates don't last forever.


I did, their response "The listed files are embed PE signed binaries. Unfortunately, the OS can't recognize these certificates and this is expected behavior.  Engineering has reported the issue to Microsoft."
I wrote back explaining that their answer is bs (with nicer words) and haven't heard from them since.

Try opening your own ticket, maybe you'll have more luck



JackCY said:


> expired certificate signed


What's also interesting is that they're getting this timestamped with an expired certificate, and get a MS sig on top of that


----------



## JackCY (Jun 4, 2021)

W1zzard said:


> First time I hear this, anyone else?
> 
> Try opening your own ticket, maybe you'll have more luck
> 
> What's also interesting is that they're getting this timestamped with an expired certificate, and get a MS sig on top of that


Well I don't remember the exact setup menu listing details anymore after installation, if it said driver not installed there or nothing, one of those. The fact that EAC kept on complaining after system restart the same way as it did before the reinstall, my conclusion was that the driver itself was not changed. I also don't remember losing monitor settings either, I use CRU to clean up the entries and raise refresh.

After uninstalling driver via regular modern Win10 add/remove program "control panel" and installing v1.9.2 modified driver, system restart, the CRU changes were lost and driver was now reinstalled with EAC stopping to complain.

I have been installing 466.47-desktop-win10-64bit-international-dch-whql.exe modified with v1.9.2 over 466.47-desktop-win10-64bit-international-dch-whql.exe (same driver) modified with v1.9.0. In both I disable the telemetry, including any experimental and enable MSI.

I bet it detected no driver version upgrade and refused to reinstall/overwrite the files. Which I find understandable in modern applications as being more common though a bit annoying when the setup is launched by user to perform an action and then the setup itself decides it knows better than the user and does not perform what it was made for as if someone launched it by mistake. This is probably normal behavior of the NV setup and I don't expect it to be caused by NVCleanstall.

I tried to find the Nvidia bug/issue report page again but could not, anyone got a link? I know it existed because years ago I did report adaptive sync problems there. Nowadays all I found was that people should go to their forum and no link to the actual reporting page.

There is definitely some problem in the chain of trust when expired (invalid) certificates continue to be used. Normally I would expect the regular unmodified NV driver installer to fail when Windows tells it: no, go away, your certificate is invalid. But neither Windows nor MS's own driver certification seems to catch it.
When I search this, all I find is Virtualbox added hardening and does catch these Nvidia certificate shenanigans. One such report that also says that MS signed over the expired NV cert. And the sign over should somehow make it OK? I don't think so. #19743 (Hardening rejects DLL because of expired certificate nvldumdx.dll) – Oracle VM VirtualBox
The expired certificate problem definitely seems to be going a long while now. For the driver itself, one doesn't even have to use NVCleanstall to run into problems.


----------



## W1zzard (Jun 4, 2021)

JackCY said:


> I have been installing 466.47-desktop-win10-64bit-international-dch-whql.exe modified with v1.9.2 over 466.47-desktop-win10-64bit-international-dch-whql.exe (same driver) modified with v1.9.0. In both I disable the telemetry, including any experimental and enable MSI.


That's pretty much what I've been using for testing dozens of times, just with non-DCH



JackCY said:


> I tried to find the Nvidia bug/issue report page again but could not, anyone got a link?








NVIDIA login: nvidia.custhelp.com
				



Include msinfo32's .nfo file in the initial submit, this will save you one round-trip with their 1st level support



JackCY said:


> Virtualbox


Nice find, I wasn't aware anyone else encountered this problem before. Unfortunately no solution and doesn't look like NVIDIA is planning to fix this. And I agree, this is probably human error


----------



## phaolo (Jun 27, 2021)

Oh nice, but will I need to reinstall the driver from scratch then?
Will I be able to just select the graphic driver and avoid touching the HD audio part? (because this resets its setting every time)


----------



## phaolo (Jul 2, 2021)

Doesn't anyone know this? I'd like to install the new version, but I'd like to avoid having to config everything again :\
Or maybe someone knows where the settings are stored?


----------



## W1zzard (Jul 2, 2021)

phaolo said:


> where the settings are stored?


which settings?


----------



## phaolo (Jul 2, 2021)

W1zzard said:


> which settings?


I was talking about my post above, I meant the HD audio settings. They always get reset in the normal installation.


----------



## W1zzard (Jul 2, 2021)

phaolo said:


> I was talking about my post above, I meant the HD audio settings. They always get reset in the normal installation.


Where do you change those settings? I didn't even know there was something to be configured


----------



## phaolo (Jul 2, 2021)

W1zzard said:


> Where do you change those settings? I didn't even know there was something to be configured


In Control Panel->Sound or right-click on the sound icon in the taskbar.
Each capable device (mobo, GPU, soundcard, headphones, mic, etc) has its playback & recording input\outputs here.
The settings are in both Configure & Properties.

(I actually forgot to write down my previous config before the new installation, so I may have lost something)


----------



## W1zzard (Jul 2, 2021)

and when you install a new driver version (install over, no ddu), these options get reset?


----------



## phaolo (Jul 2, 2021)

W1zzard said:


> and when you install a new driver version (install over, no ddu), these options get reset?


They got reset with the HD audio, I don't know if I can leave the current one alone.

Btw I wonder if avoiding a clean install would even work, since, when testing NVCleanstall, the setup reported that the same graphic driver version was already installed..


----------



## Sora (Jun 5, 2022)

W1zzard said:


> any idea why they added this limitation? have you tested it on older windows builds?



1803 is the minimum version where a driver vendor can sideload an appx package included within the driver package where the system is set to not permit it otherwise.

In the case below, a user cannot sideload an appx package themselves, however the driver is capable of doing so after 1803.








W1zzard said:


> I did, their response "The listed files are embed PE signed binaries. Unfortunately, the OS can't recognize these certificates and this is expected behavior. Engineering has reported the issue to Microsoft."



Explorer.exe cannot validate these signatures as the trusted authority does not exist within the user visible security store provided by the MMC snap-in, these root authorities are embedded in Kernel DLLs (CI.dll to be exact)

The full chain is double time stamped by having both the vendor cert and the whck cert, so nvidia can continue using their expired certificate without any concerns, applications that need a valid trust chain should take all signatures on the file into account, it is fundamentally impossible to validate nvidia's own certificate chain at the user level even if it was within its validity period thanks to the chain breaking at "Microsoft Digital Media Authority 2005" which is embedded in CI.dll.


----------



## K4sum1 (Aug 3, 2022)

What does NVCleanstall resign? Is it the main driver .sys file? Is it just the inf? Is it something else?


----------



## W1zzard (Aug 3, 2022)

The CAT, because NVCleanstall makes changes to the INF. The INF isn't signed, it's just a text file (its signature is stored in the CAT)


----------



## K4sum1 (Aug 3, 2022)

That was really fast. Does EAC really check the .inf signature? I don't think I remember that being an issue with some of the earlier inf mods I've done before.


----------



## W1zzard (Aug 3, 2022)

K4sum1 said:


> That was really fast. Does EAC really check the .inf signature? I don't think I remember that being an issue with some of the earlier inf mods I've done before.


Not sure what specifically it checks, but EAC detects mismatched files without the "use compatible signing" method


----------



## K4sum1 (Aug 3, 2022)

I was wanting to try modifying the .sys file to remove the artificial lock preventing 3000 series cards from working on 8.x, so I was wondering if this would resign it. Guess it won't.


----------



## W1zzard (Aug 3, 2022)

You can use disable driver enforcement + test signing to work around that limitation.









How to install nvidia driver for rtx3080 on windows 1709? (www.techpowerup.com)
				




This thread should help provide more info


----------



## K4sum1 (Aug 3, 2022)

W1zzard said:


> You can use disable driver enforcement + test signing to work around that limitation.


Yeah, I know that allows me to install and test the driver, but EAC is a bitch and will say no. Unless I mod the kernel to not check signatures by default, and fool around a bit, this will remain an issue.


----------



## W1zzard (Aug 3, 2022)

K4sum1 said:


> but EAC is a bitch and will say no


Oh right, yeah, no go then


----------



## K4sum1 (Oct 28, 2022)

How exactly does NVCleanstall change the .cat? I've done an inf mod to an AMD driver, and would like to make it work with EAC.


----------

