(Dutch article) https://tweakers.net/nieuws/105137/d-link-blundert-met-vrijgeven-privesleutels-van-certificaten.html In short, D-Link makes source code from a lot of firmware open source, and forgot to remove private keys (incl. the necessary passphrase..) This would enable anyone to give executable files a valid authenticode signature. The certificates have now been revoked.
In blunder threatening Windows users, D-Link publishes code-signing key http://arstechnica.co.uk/security/2...dows-users-d-link-publishes-code-signing-key/