HP has told customers it will revoke a digital certificate used to code-sign software shipped with its products in 2010 after discovering it had accidentally signed malware.
The company last week began notifying customers that the certificate would be revoked on October 21, according to Krebs on Security.
It was reportedly alerted to the security issue by Symantec, which had found a four-year-old Windows Trojan signed by the certificate.
The malware had infected the computer of an HP developer and renamed itself to mimic a typical file name HP uses in its software testing, HP CISO Brent Wahlin told Krebs on Security.
The malware was then accidentally included in an internal software package that was later signed. HP believes the malware then transferred a copy of itself back to its point of origin, Wahlin said.
He stressed that the affected software package never reached customers and had not been put into production.
“When people hear this, many will automatically assume we had some sort of compromise within our code signing infrastructure, and that is not the case,” Wahlin told Krebs.
“We can show that we’ve never had a breach on our [certificate authority] and that our code-signing infrastructure is 100 percent intact.”
HP will now re-issue software packages with a new digital signature. It is expected to be a significant exercise given the large amount of software the certificate was used to sign.