Many users are today reporting that their HP printer software has suddenly stopped working, with worrying messages implying that their software is malicious and “will damage your computer”. Given the recent problems with MRT version 1.68, it’s easy to ascribe this to the same update, although this message clearly isn’t coming from MRT. Could it be that the XProtect update was also broken?
Thanks to the work of Thomas Reed at Malwarebytes, I can answer that this is completely unassociated with XProtect or MRT. You’re seeing that message because macOS is checking the signature on your HP printer software, and being told that its signing certificate has been revoked. What’s strange, though, is that this doesn’t appear to affect High Sierra and older versions of macOS.
If you ever see an error alert reporting this type of problem, first check the signature on the software that it refers to. If you’re not adept at doing that in Terminal, open my free ArchiChect, then drag and drop the item onto it to see its report.
At the top of the text you’ll see a line starting with a No Entry sign: this indicates a serious signature error, in this case indicating the code signing certificate has been revoked. macOS therefore won’t allow you to run this software. You can’t argue, and should next wonder why this might have happened. Maybe this certificate is being abused on other software which is behaving maliciously? If you’re uncertain what’s going on, contact Apple Support, and the vendor of the software, who may be able to provide further information.
So why don’t earlier versions of macOS reflect the same revocation?
This may well be because they’re working with different databases. Until a year ago, we thought that the certificate revocation database was stored locally, in what we termed the Gatekeeper security database. As I’ve recently reported, that hasn’t been updated for over a year now, and Catalina doesn’t seem to even open it any more. So different versions of macOS may well behave differently when Apple revokes certificates.
Thomas Reed has raised this revocation with Apple. As soon as we know anything more, I’ll update this article. If you’re interested in Mac security, you might like to follow Thomas on Twitter, @thomasareed.
In the meantime, all you can do is make alternative arrangements to support any HP printers affected, I’m afraid.
Update: The previously revoked signature has now been unrevoked, as of the night of 24-25 October. Thanks to Mr Macintosh for spotting this. Your old HP printer software should now work correctly again.
(0750 UTC 25 October 2020)
According to an unnamed spokesperson at HP quoted by The Register, this revocation wasn’t an error by Apple, but HP had instructed Apple to revoke the certificate. Note that the first part of that article referring to XProtect isn’t accurate: this had nothing to do with XProtect at all.
(0805 UTC 25 October)
Despite the apparent un-revocation of the certificate, many HP users are still reporting problems which appear to be related to signature errors. I’ve checked my HP software here, from 2017, and although its apps and some of its code now pass checks, at least one of its frameworks (HPMonitoringDevice.framework) still returns an error 3, reporting “source=Unnotarized Developer ID”, and might fail to load when required in Catalina.
If you still have problems, please contact HP Support. There seems little or nothing that we can do about this, and its resolution rests in the hands of the developer of the software. If you do attempt any surgery yourself, for example by removing the certificates, please ensure that you have good backups and some means to restore them, or you could make your problems worse.
(2240 UTC 26 October)
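For those who do want to check signatures in Terminal, as suggested earlier, and to see whether a nested framework still fails as described in this update, here is an added example (not part of the original article, and not Apple's or HP's code). It assumes that a revoked certificate shows up as `CSSMERR_TP_CERT_REVOKED` in the tools' output and that `spctl` exits with 3 when it rejects an item; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/bash
# Added example. Marker strings are assumptions about codesign/spctl output;
# "source=Unnotarized Developer ID" is the one quoted in the article.

# Constructed sample outputs (not captured from a real system).
SAMPLE_REVOKED='Sample.app: CSSMERR_TP_CERT_REVOKED'
SAMPLE_UNNOTARIZED='HPMonitoringDevice.framework: rejected
source=Unnotarized Developer ID'

# classify_assessment EXIT_CODE OUTPUT -> prints one verdict word
classify_assessment() {
    case "$2" in
        *CSSMERR_TP_CERT_REVOKED*) echo "revoked"; return ;;
        *"source=Unnotarized Developer ID"*) echo "unnotarized"; return ;;
    esac
    case "$1" in
        0) echo "accepted" ;;
        3) echo "rejected" ;;   # spctl: assessment denied, no other problem
        *) echo "failed" ;;     # verification failed or the tool itself failed
    esac
}

# check_item PATH: run both tools (macOS only) and print their verdicts
check_item() {
    local out rc sig gk
    rc=0; out=$(codesign --verify --strict --verbose=2 "$1" 2>&1) || rc=$?
    sig=$(classify_assessment "$rc" "$out")
    rc=0; out=$(spctl --assess --type execute -vv "$1" 2>&1) || rc=$?
    gk=$(classify_assessment "$rc" "$out")
    echo "$1: codesign=$sig gatekeeper=$gk"
    [ "$sig" = "accepted" ] && [ "$gk" = "accepted" ]
}

# scan_bundle PATH: check the item, then each framework nested inside it,
# since an app can pass while one of its frameworks does not.
scan_bundle() {
    local bad=0 fw
    check_item "$1" || bad=1
    while IFS= read -r fw; do
        [ -n "$fw" ] || continue          # skip the empty line when none found
        check_item "$fw" || bad=1
    done <<EOF
$(find "$1" -mindepth 1 -type d -name '*.framework' 2>/dev/null)
EOF
    return "$bad"
}

# Run only when a path is given: ./check.sh "/path/to/Some.app"
if [ "$#" -gt 0 ]; then scan_bundle "$1"; fi
```

A verdict of `revoked` means macOS will refuse to run the item whatever you do locally, while `unnotarized` on a nested framework matches the residual problem described in this update.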
Postscript (27 October 2020):
HP has now published a support article explaining what affected users should do to remedy this problem. I suspect this only works with its software for relatively recent printer models. Thanks to @macinteractive for drawing my attention to this.