Don Ho, developer of the Windows editor Notepad++, announced that he will no longer digitally sign the program's code, starting with version 7.6.4.
Notepad++ is a highly popular open source text and source code editor for Windows. For the last 3 years the code of this helpful tool has been digitally signed with a certificate donated by DigiCert. That certificate has now expired. Don Ho wrote in the release notes for Notepad++ 7.6.4:
When you install Notepad++ version 7.6.4, you might notice there's no more blue-trusted UAC popup.
This is because Ho has removed the digital signature from Notepad++ version 7.6.4. He explained the reason for this decision as follows:
3 years ago DigiCert donated a 3-year code signing certificate to the project, and every good thing has its end: the certificate has been expired since the beginning of this year.
I was trying to purchase another certificate at a reasonable price. However, I cannot use "Notepad++" as CN to sign because Notepad++ doesn't exist as a company or organization. I wasted hours and hours trying to get a suitable certificate instead of working on the essential thing – the Notepad++ project.
I realize that a code signing certificate is just an overpriced masturbating toy for FOSS authors – Notepad++ has done without a certificate for more than 10 years, I don't see why I should add the dependency now (and be an accomplice of this overpricing industry). I decided to do without it.
This move doesn't mean less security for Notepad++: the SHA256 hash of the installer and the other packages will continue to be provided for every release as usual, and Notepad++ checks the SHA256 of all the components it uses (SciLexer.dll, GUP.exe and nppPluginList.dll). The only visible change: there is now a yellow-orange UAC popup during installation, warning that the program isn't digitally signed and asking whether the user trusts it. (via)
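What the published SHA256 hashes let a user do is check that the file they downloaded is byte-for-byte the one the project published. The following is an added example, not code from the Notepad++ project: it streams a file through SHA-256, parses a sha256sum-style hash list, and compares the result in constant time. The file name, the hash list and the 3-byte file contents are constructed for the demo (the digest shown is that of the bytes `abc`, not of any real Notepad++ release).

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256_sums(text):
    """Parse a sha256sum-style list ('<64 hex chars>  <filename>' per line) into {filename: hex}.

    Blank lines and '#' comments are skipped; anything else that is not a
    64-character digest followed by a name is rejected rather than silently ignored.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed hash line: {raw!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)  # reject non-hex "digests"
        except ValueError:
            raise ValueError(f"non-hex digest in line: {raw!r}")
        # sha256sum prefixes the name with '*' when it hashed in binary mode
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_file(path, expected_hex):
    """True only if the file's SHA-256 equals expected_hex (compared in constant time)."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex.lower())


def demo():
    """Constructed scenario: one intact download and one tampered copy checked against a hash list."""
    # Hypothetical hash list as a project might publish it; the digest is SHA-256 of b"abc".
    sums_text = (
        "# constructed example, not a real Notepad++ release\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  npp.7.6.4.Installer.exe\n"
    )
    expected = parse_sha256_sums(sums_text)
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "npp.7.6.4.Installer.exe")
        with open(good, "wb") as f:
            f.write(b"abc")  # the "installer" as published
        bad = os.path.join(d, "npp.7.6.4.Installer.tampered.exe")
        with open(bad, "wb") as f:
            f.write(b"abd")  # a single byte changed in transit or on a mirror
        return {
            "good": verify_file(good, expected["npp.7.6.4.Installer.exe"]),
            "tampered": verify_file(bad, expected["npp.7.6.4.Installer.exe"]),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

One caveat worth keeping in mind when relying on this: a hash published on the same page as the download only proves the file matches what that page currently says. It catches corrupted or altered downloads and mirrors, but not a download site that was itself compromised, because whoever can swap the installer there can swap the hash too. A code signature binds the file to a private key the website never holds, which is the property the hash list does not replace.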