News from: iThome
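Some users' Macs display the message "HPDeviceMonitoring.framework may damage your computer," while other users who open HP Utility see a message that the program's code signature is invalid. Apple reportedly revoked the certificate for HP's printer drivers a few days ago, leaving many Mac users unable to print.
Since last week, Mac users with HP printers have been reporting on the HP forums and to computer service providers that they cannot use their printers, with their Macs displaying the message "HPDeviceMonitoring.framework may damage your computer." Other users opened HP Utility and saw a "Code Signature Invalid" message. Users who concluded that the driver was at fault found that even reinstalling HP Printer Drivers 5.1 did not help.
The problem occurs on computers running macOS 10.15 Catalina and 10.14 Mojave, and it affects many HP printer models.
The cause is that the HP driver certificate expired and was revoked by Apple. According to Apple's website, the certificate for HP Printer Drivers 5.1 was issued on October 24, 2017, and some users suspect that it has expired. At the same time, the "Printers & Scanners" page under the Mac's settings shows the message "Encryption credentials have expired."
On the Mac, XProtect manages certificate revocation for apps: once it detects an app that lacks a valid certificate, XProtect blocks it from running and warns the user.
The Register reports that XProtect does not maintain a single database that centralizes all revoked certificates; instead, there is one database per operating system version. For HP Printer Drivers 5.1, Catalina and Mojave were selected for revocation. It is unclear, however, whether Apple made that choice itself or HP asked for the certificate to be revoked on the two operating systems.
Users can resolve the problem themselves by renewing the certificate. BleepingComputer (https://www.bleepingcomputer.com/news/security/mac-users-unable-to-print-after-apple-revoked-hp-certificate/) provides a method: go to "Printers & Scanners" in System Preferences, click "Printer settings," then click "Show Printer Web Page," and then follow the steps on HP's website (https://support.hp.com/gb-en/document/c06447928) to generate a self-signed certificate for the printer. Next, return to "Printers & Scanners" and click "Reset printing system"; this step removes the printer. After that, add the printer again, and the expired encryption credentials message no longer appears.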
---------------------------------------------------------------------------------
Mac users unable to print after Apple revoked HP certificate
Apple macOS X users with HP printers are left unable to print from their computers after Apple revoked a certificate that signed HP's print drivers.
The result was print drivers being mistaken on macOS X for malware, and user complaints springing up over the weekend.
Print drivers mistaken for malware
As observed by BleepingComputer, when printing a document from a MacBook running macOS Catalina (10.15.7 (19H2)) to an HP printer, the job remains in the print queue but does not complete. That's because the corresponding print driver is being mistaken for malware.
Reports of macOS users with HP printers experiencing the issue emerged on Apple, HP forums, and of course, Twitter.
The problem seems to impact both macOS Catalina (10.15) and Mojave (10.14) users with HP printers. Furthermore, the print queue shows a mysterious "Encryption credentials have expired" message.
The issue stems from Apple having recently revoked the digital certificate installed on HP's printers via XProtect. XProtect is a feature by which Apple can prevent Mac devices from running certain applications it no longer deems trustworthy.
Apple does so by revoking the cryptographic code-signing certificates associated with these applications. "There is no central database of certs cancelled by XProtect, there's one for each OS version it seems, and Catalina and Mojave were selected in particular. Apple chose to revoke the HP driver cert, or perhaps was asked to do so by HP," explained The Register.
How to resolve the issue?
macOS X users can resolve the issue by following a series of steps outlined below. The advice specifically applies to HP OfficeJet models with wireless printing and the printer's web interface enabled.
1. Remove the /Library/Printers/hp folder to delete any old drivers that are being incorrectly flagged as malware.
2. Open System Preferences on your macOS X and navigate to the Printers & Scanners area.
3. Double-click on the printer, select "Printer settings," and then click "Show Printer Web Page..."
4. Once on the printer's web page, follow the steps provided by HP's Knowledge Base to generate a new Self-Signed certificate for the device.
5. This generates a new certificate for your HP printer with 10-year validity. Ignore the "Not Secure" warning; that is typical for self-signed certificates.
6. Now return to the Printers & Scanners area, right-click (Cmd+click) on your printer and select the "Reset printing system..." option.
7. This will uninstall and remove the printer from the list. Now click the "+" icon to re-add it.
8. Select the printer as it re-appears on the list. Make sure "Secure AirPrint" is selected next to the "Use" dropdown and click "Add."
You may also use the "IP" option to add the printer by its IP address should the "Bonjour" (AirPrint) connectivity fail.
You should now be able to print from applications such as your web browser and Preview seamlessly to your printer.
The "Encryption credentials have expired" message should also no longer appear in your print queue.
While SSL certificate expiry dates and revocations are essential security features, these can become a hindrance in legitimate use cases if not planned properly by the industry players.
In Apple's case, revoking HP's certificates without a heads up left very many users without a means to print and having to deal with confusing "malware" alerts.
----------------------------------------------------------------------------------------
HP Printers - 'Encryption Credentials Expired' Error Displays (macOS, iOS)
This document is for HP AirPrint-compatible printers and macOS or iOS.
When printing from macOS or iOS, an Encryption Credentials Expired error displays and you are unable to print.
This error displays when the Embedded Web Server (EWS) has an expired certificate that is not accepted by the operating system. This certification is necessary to secure connections with AirPrint and Secure Internet Printing Protocol (IPPs).
To prevent the error, generate a new self-signed certificate from the EWS:
1. Enter the printer’s IP address in an internet browser address bar from any Windows desktop or notebook PC. The printer’s EWS opens.
NOTE: You must perform these steps from the desktop view in the EWS. The mobile view of the EWS does not have the Certificates menu option.
2. In the EWS, click the Network tab.
3. Click the plus sign next to Advanced Settings to expand the list, and then click Certificates.
4. Click Configure, select Create a New Self-Signed Certificate, and then click Next.
5. Click Finish. The printer generates a new certificate that defaults to 10 years from the valid date.
6. Close the EWS window.
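The expired EWS certificate described above can be confirmed from a terminal before and after regenerating it. The script below is an added example, not part of HP's document; the function names, the 30-day warning window and port 443 for the EWS are assumptions.

```shell
#!/bin/sh
# Added example: report whether a printer's TLS certificate is still valid.
# Function names, the default 30-day warning window and port 443 (the EWS
# over HTTPS) are assumptions; pass 631 to check the IPP port instead.

# fetch_printer_cert HOST [PORT]: print the certificate the printer presents
# as PEM. s_client still returns the certificate when verification fails,
# so expired and self-signed certificates can be inspected too.
fetch_printer_cert() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# cert_status PEM_FILE [WARN_DAYS]: print unreadable, expired, expiring or ok.
# -checkend N exits non-zero if the certificate expires within N seconds,
# which avoids the differences between BSD and GNU date parsing.
cert_status() {
    pem=$1
    warn_days=${2:-30}
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo expiring
        return 1
    fi
    echo ok
}

# Usage: sh check_printer_cert.sh PRINTER_IP [PORT]
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp)
    fetch_printer_cert "$1" "${2:-443}" >"$tmp"
    openssl x509 -in "$tmp" -noout -subject -enddate 2>/dev/null
    cert_status "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

A printer that still reports "expired" after the certificate has been regenerated is usually a sign that the new certificate was not created on the device being queried or that the printer's clock is wrong.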