HP Printer Driver Certificate Revoked
Many users are today reporting that their HP printer software has suddenly stopped working, with worrying messages implying that their software is malicious and “will damage your computer”.
[…]
You’re seeing that message because macOS is checking the signature on your HP printer software, and being told that its signing certificate has been revoked. What’s strange, though, is that this doesn’t appear to affect High Sierra and older versions of macOS. […] This may well be because they’re working with different databases.
No word yet on why. It’s a shame there’s no way to tell the system to trust it temporarily, especially given that the revocation may be in error.
We’re seeing a significant influx of support cases where users are seeing macOS identify what appear to be legit processes as malware, exactly what is being reported here[…]
Previously:
- Notarized Mac Malware
- Apple Remote-Kills Long-time Developer’s Apps
- Beware Apple Security Certificates After October 24
- Installing Old Versions of macOS
Update (2020-11-10): Patrick Wardle (also: William Gallagher, Hacker News):
As others have noted it appears certs used to sign apps such as Amazon Music, HP Printer drivers, etc. were revoked ...by?
Thus, macOS blocks the (legit) software from running ...and implies it is malware? 🤦♂️
It is a vicious circle - Apple says to call HP as they need to provide the drivers, I have not been able to speak to anyone at HP that can help.
Complaints from punters are building up on the Apple and HP support forums.
[…]
The Register understands from sources familiar with the matter that HP Inc asked Apple to revoke its printer driver code-signing certificates. It appears this request backfired as it left users unable to print.
Howard Oakley (also: Mr. Macintosh):
At some time during the night of 24-25 October, Apple PKI withdrew the revocation of HP’s certificate, presumably at HP’s request in response to the many complaints from users. HP’s software should therefore now work normally again.
[…]
HP has now published a support article explaining what affected users should do to remedy this problem.
Although there’s nothing to stop anyone using a security certificate from elsewhere, for macOS there’s only one source of the certificates required to sign code for Apple’s operating systems, Apple PKI. This is the team within Apple which issues signing (and other) certificates to Apple itself and its very many third-party developers. Not only do they issue certificates, but they can also revoke them, and have detailed and explicit procedures for doing both.
An unfortunate consequence of the lack of a Developer ID CRL is that you can’t obtain a list of all revoked Developer ID certs. You can only query the status of known certs one-by-one.
[…]
As the Certificate Authority, Apple can revoke a Developer ID certificate at any time. This is done when Apple discovers that a cert has been used to sign malware. Unfortunately, we’ve seen cases where Apple has revoked a Developer ID cert mistakenly, such as with the indie developer Charlie Monroe. Is it possible for a developer to revoke their own Developer ID cert? The answer is no.
[…]
The reason for this difference in policy is that revoking a Developer ID cert has severe consequences, as we’ve seen with HP printer software: Mac users will no longer be able to run software signed with the revoked cert. Developers are allowed to revoke their own Mac App Store code signing certificates, because those certs are only used for development purposes.
[…]
HP had to contact Apple and request for the cert to be revoked. Apparently Apple granted that request. So blame must be apportioned to both companies. There have been no reports of malware or private key compromise. Therefore, no good reason exists for HP to request that their cert be revoked, and no good reason exists for Apple to grant that misguided request.
The issue is the lack of communication. The system should check on download (of a new list) to see if anything will become disabled, then inform the user what, why and how to resolve. Because this was handled poorly, it created anger and frustration.
[…]
I do wonder if HP was trying to ensure that the build machines were using the latest certs and something went wrong, which they didn’t know about. So the question becomes how easy is to accidentally revoke identities?
I feel that Apple is responsible for this mess, because they built the system that allows apps (& drivers) to be “killed” remotely. The solution was designed to be silent.
Was this intentional or just an oversight? If Apple had designed the system to communicate to users that something they use will no longer work, why, and what they can do about it, it becomes a non-issue, for two reasons:
1. HP would have to provide information to Apple as to why they wanted the identities revoked, which would help confirm that they wanted this action.
2. Customers would be aware of what’s going on, and could solve the problem themselves.
Earlier, we said that the issue was mostly related to HP printer drivers. There was another issue with a couple Amazon apps – Amazon Music and Amazon Workspaces – where users were seeing the same behavior. This led to a lot of speculation and finger pointing at Apple (in which yours truly regretfully participated), but this appears to have been an unrelated and coincidentally timed issue.
I have yet to hear an explanation for what happened with Amazon Music. Did Amazon also accidentally request revocation of its certificate?
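Two of the points quoted above have a practical side for anyone administering Macs: there is no Developer ID CRL, so revocation status can only be queried one certificate at a time, and nothing warns you ahead of time which installed software will stop running. The script below is an added example (not from this post, nor from Apple, HP or any of the people quoted) that does exactly that one-by-one check for every app bundle in a directory. It assumes macOS (`codesign`) and `openssl` on the PATH; the OCSP responder URL is read from each leaf certificate's own Authority Information Access extension rather than assumed, and the "Example Corp (TEAMID0000)" identity in the comments and test data is a constructed placeholder, not a real Team ID.

```shell
#!/bin/sh
# Added example: report the OCSP revocation status of the Developer ID
# certificate behind each .app in a directory. Apple publishes no Developer ID
# CRL, so each leaf certificate is queried individually against the responder
# named inside it. Requires macOS codesign and openssl; paths are the caller's.
set -e

# Print the leaf "Authority=" value from `codesign -dvvv` output on stdin.
# The first Authority line is the signing leaf, e.g.
# "Developer ID Application: Example Corp (TEAMID0000)" (constructed placeholder).
leaf_authority() {
    grep -m1 '^Authority=' | sed 's/^Authority=//'
}

# Print the TeamIdentifier value from `codesign -dvvv` output on stdin.
team_identifier() {
    grep -m1 '^TeamIdentifier=' | sed 's/^TeamIdentifier=//'
}

# Reduce `openssl ocsp` output on stdin to one word: good, revoked, unknown or
# no-response, flagged when the responder's signature did not verify.
ocsp_status() {
    out="$(cat)"
    status="$(printf '%s\n' "$out" | grep -m1 -E ': (good|revoked|unknown)$' | sed 's/.*: //')"
    [ -n "$status" ] || status="no-response"
    if printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        printf '%s\n' "$status"
    else
        printf '%s (responder signature not verified)\n' "$status"
    fi
}

# Query the CA directly for one app bundle and print a tab-separated line:
#   <status> <team id> <leaf authority> <app path>
# This asks Apple's responder for its current answer, independent of whatever
# revocation data the local trust database has cached.
check_app() {
    app="$1"
    workdir="$(mktemp -d)"
    # codesign -dvvv writes its description to stderr; keep only that.
    info="$(codesign -dvvv "$app" 2>&1 >/dev/null || true)"
    leaf="$(printf '%s\n' "$info" | leaf_authority)"
    team="$(printf '%s\n' "$info" | team_identifier)"

    # Extract the DER chain: codesign0 = leaf, codesign1 = issuer, codesign2 = root.
    if ! (cd "$workdir" && codesign -d --extract-certificates "$app" 2>/dev/null); then
        rm -rf "$workdir"
        printf 'unsigned\t-\t-\t%s\n' "$app"
        return 0
    fi
    openssl x509 -inform DER -in "$workdir/codesign0" -out "$workdir/leaf.pem"
    openssl x509 -inform DER -in "$workdir/codesign1" -out "$workdir/issuer.pem"
    openssl x509 -inform DER -in "$workdir/codesign2" -out "$workdir/root.pem"

    # Responder URL from the leaf's AIA extension; root.pem anchors verification
    # of the responder's signature on the reply.
    url="$(openssl x509 -in "$workdir/leaf.pem" -noout -ocsp_uri)"
    status="$(openssl ocsp -issuer "$workdir/issuer.pem" -cert "$workdir/leaf.pem" \
        -url "$url" -CAfile "$workdir/root.pem" 2>/dev/null | ocsp_status)"
    rm -rf "$workdir"
    printf '%s\t%s\t%s\t%s\n' "$status" "$team" "$leaf" "$app"
}

# Walk every .app in a directory; pipe the output through `grep -v good` to see
# what would stop launching.
scan_apps() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        check_app "$app"
    done
}

# Usage: sh check_devid.sh /Applications
if [ -n "${1:-}" ]; then
    scan_apps "$1"
fi
```

`codesign --verify` already performs a revocation check of its own, using the revocation database the OS has fetched (which is why the post notes that High Sierra and older behaved differently); the reason to query the responder directly is to see the CA's answer right now, so a status of `revoked` tells you the identity is dead at the source rather than in a stale local cache, and an unexpected answer for a vendor's driver is something to raise with that vendor before it reaches users.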
Great customer experience Apple.
Thank you for breaking something that was working.
Thank you for not notifying me why it was broken.
Thank you for not providing me a way to fix.
Just thanks.
I also got a surprise when I couldn't print this morning at work... glad I jumped ship and now use Windows at home.
I've installed Cups and AirSane a couple of years ago on a RPi, then connected my old Canon printer to the RPi via USB. Now all my macs and iOS devices can print and scan without problems. I was surprised how easy it was and wondered why I didn't consider that option earlier.
I got this with 1Blocker yesterday. Was really confused, but ended up deleting the app from my computer... I guess it was just a false alarm...
Ran into this just last. Frustrating user experience with endless dialogues. Deleting the offending app files from Finder, removing the printer, and adding the printer back fixed it. AirPrint HP Printer/Scanner
So are people just okay with the company selling them their operating system, being able to just remotely disable software that is already installed on their computer? Even if it's not a mistake, like it probably is here? In what world would that ever be acceptable?
I can print from my iOS device without ever installing a driver, and have been able to do so for most of a decade now.
Why, in 2020, do we still need to install printer drivers on desktops and laptops? Why hasn't Apple just said, "going forward, macOS will only print using airprint"? Why hasn't Microsoft made driverless printing the default in Windows by now?
@guy:
So are people just OK with companies being able to install random spyware, adware, or malware on their computers without ever being stopped by the operating system? In what world would that ever be acceptable?
Apple might not be going about it in the best way, but they are moving in the right direction - towards a world in which all software must be signed with a valid signature in order to run, and bad actors get their signatures revoked.
@Glaurung:
If you've used AirPrint much, you will understand why Mac OS still uses drivers. AirPrint is convenient for the occasional basic printing. But there aren't even basic options like scaling, or printing only even or odd pages. And sometimes it comes out weird: Royal Mail PDF shipping labels printed over AirPrint always come out around 20% their actual size. With no scaling options, there's no way to correct this, whereas on the Mac I could (but don't need to, as with standard settings and no scaling, the Mac prints the label at the correct size by default). This doesn't even get into printers that have more complex device-specific options to collate, staple, etc.
AirPrint is great – almost seems magical a lot of the time – but it's only good for casual, occasional use.
Apple ... are moving in the right direction - towards a world in which all software must be signed with a valid signature in order to run, and bad actors get their signatures revoked.
Apple is moving towards a kindergarten curated by Apple. I can understand that the computer illiterate applaud such a move since they think big daddy Apple will protect them.
Some of us do not consider that the "right direction". The right direction is one in which computer literate users control what happens on their devices and have enough visibility to see what is happening. When Apple hides its own traffic from tools like Little Snitch which provide that visibility, they are hindered.
Making things "people friendly" is all very well and good, but it leads to people who depend on technology but do not understand it, and who end up losing any power. The increasing number of homeless people does not seem unrelated to me. If it's unacceptable in polite society not to know how to read and write, it should be equally unacceptable not to know not to download malware.
Here's a possible fix:
Here's the MacRumors.com forum thread:
https://forums.macrumors.com/threads/hp-driver-framework-broken-in-catalina-10-15-7.2262865/
@Glaurung: Because the industry standard for driverless printing, "IPP Everywhere", is 7 years old and still virtually no printers support it. Only 2 companies have it on any models at all. The three top-rated brands today -- Epson, Brother, Canon -- have produced a combined 0 printers with IPP Everywhere.
Apple went USB-only in 1998 with the iMac, and many people were annoyed with them because of it. Imagine if in 2005 there were still only 2 peripheral makers who made any USB devices. That's where driverless printing is today.
Is it any wonder that the biggest desktop OS ignored it, and the other one created their own system instead? The printer industry is a joke. Tell them to start producing hardware that isn't total crap first. You can't blame the OS for not supporting driverless printing, when the hardware doesn't support the driverless printing spec.