McAfee accidentally revokes key for signing Mac apps
A McAfee employee revoked the company's code signing certificate during a routine upgrade of development hardware. Apple (NASDAQ: AAPL) issues such certificates to developers, and Macs use them to decide which applications to treat as trusted, so once the certificate was revoked McAfee's Mac products could no longer be installed or upgraded, at least not without the user allowing untrusted certificates.
At the moment, Apple's certificate revocation list (CRL) gives "key compromise" as the reason McAfee's certificate was revoked, though McAfee officials insist that the company never lost control of the private key behind the certificate. To be clear, a revoked certificate by itself does no harm to users; it only stops software signed with it from being trusted on installation or upgrade. It certainly won't generate the security vendor any goodwill, however.
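What a CRL actually records, and what a verifier does with it, can be reproduced with nothing more than the openssl command line. The script below is an added example, not code from this article, from McAfee or from Apple: it builds a throwaway code-signing CA, issues a developer certificate, revokes it with the reason keyCompromise (the reason RFC 5280 numbers 1, and the one this article says Apple's CRL records for McAfee), and then checks the certificate with and without revocation checking. The CA, the "Demo Developer" subject, the file layout and the serial numbers are all constructed for the demonstration; Apple's own revocation checks run against Apple's infrastructure and are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the article, McAfee or Apple): a throwaway X.509
# code-signing PKI, one revocation with reason keyCompromise, and the view
# a CRL-checking verifier gets afterwards. All names and paths are
# constructed for the demo.
set -e

WORK=$(mktemp -d)
CA_CONF="$WORK/ca.cnf"

# Create the CA state files, the openssl ca config, a self-signed root and
# one leaf certificate whose extended key usage is codeSigning.
build_demo_pki() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 1000 > "$WORK/ca/serial"
    echo 01 > "$WORK/ca/crlnumber"
    # Unquoted heredoc: $WORK is expanded by the shell on purpose.
    cat > "$CA_CONF" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
new_certs_dir    = $WORK/ca/newcerts
database         = $WORK/ca/index.txt
serial           = $WORK/ca/serial
crlnumber        = $WORK/ca/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_subject
x509_extensions  = codesign_leaf

[ any_subject ]
commonName = supplied

[ ca_root ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ codesign_leaf ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = codeSigning

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Developer CA" -config "$CA_CONF" -extensions ca_root \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Developer" \
        -config "$CA_CONF" -keyout "$WORK/dev.key" -out "$WORK/dev.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_CONF" \
        -in "$WORK/dev.csr" -out "$WORK/dev.crt" >/dev/null 2>&1
}

# The accidental step: revoke the leaf with a given RFC 5280 reason
# (keyCompromise, superseded, cessationOfOperation, ...) and publish a CRL.
revoke_leaf() {
    openssl ca -batch -config "$CA_CONF" -revoke "$WORK/dev.crt" \
        -crl_reason "$1" >/dev/null 2>&1
    openssl ca -batch -config "$CA_CONF" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Print the human-readable reason the CRL entry carries, e.g. "Key Compromise".
crl_reason() {
    openssl crl -in "$WORK/ca.crl" -noout -text \
        | grep -A1 'CRL Reason Code' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Exit 0 if the chain verifies when revocation is NOT checked.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/dev.crt" >/dev/null 2>&1
}

# Exit 0 if the chain verifies when the CRL IS consulted.
verify_leaf_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
        "$WORK/dev.crt" >/dev/null 2>&1
}

build_demo_pki
verify_leaf && echo "before revocation: certificate chain trusted"
revoke_leaf keyCompromise
echo "CRL reason recorded: $(crl_reason)"
verify_leaf_with_crl || echo "after revocation: CRL-checking verifier rejects the certificate"
verify_leaf && echo "after revocation: verifier that skips the CRL still accepts it"
```

Two things are worth noticing in the output. The plain verify still succeeds after the revocation: a client that never fetches the CRL cannot tell a revoked certificate from a valid one, which is exactly why asking users to accept untrusted certificates is a dangerous habit to teach and why the real fix is to re-sign with a fresh certificate. And the reason string is whatever the operator typed at revocation time; passing superseded or cessationOfOperation to revoke_leaf shows the reasons a CA would normally record for a planned replacement, as opposed to the "Key Compromise" the article reports.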
McAfee is asking its users to accept untrusted certificates while it scrambles to rectify the problem by re-signing its portfolio of Mac apps with a new key. Even McAfee acknowledges that this is not good advice. "It's not something we would want to tell people," says Barney Bryan, McAfee's executive vice president of product development. "That is a workaround that would work, but it's not a workaround we'd be comfortable with."
The entire episode highlights how brittle trust built on digital certificates can be: a single revocation, accidental or not, invalidates everything signed under that certificate at once. Last year, an intrusion at certificate authority DigiNotar led to fraudulent certificates being issued in its name; the company suspended sales and eventually went bankrupt.