Certificateless signature (CLS) has no need of public key certificates and also avoids excessive dependence to a third party like that in identity-based setting. Recently, Shim (IEEE Systems Journal, doi:10.1109/JSYST.2018.2844809) came up with a CLS scheme independent of random oracles and asserted that the construction can be immune to the public key replacement attacks and the malicious-but-passive key generation center (KGC) attacks. In this paper, we analyze the security of Shim's scheme and point out that his conclusions are incorrect by giving two concrete counter-examples. We repair the scheme and put forward a CLS scheme secure against public key replacement attacks and malicious-but-passive KGC attacks without relying on random oracles. Compared with Shim's scheme, our construction has lower execution cost for signing and verification, and achieves Girault's top-level security, which means that a victim can repudiate the forgeries based on a false secret key generated by the KGC.