@mkupper said in Notepad++ v8.8.3 Release Candidate:
Is the self-signed root cert going to be the permanent fix?
I hope not. In the long term, a public trusted CA cert is needed, such as the previously used DigiCert one.
But using a self-signed certificate is much much better from the BFU’s (or the Don’s grand-mom ;-) ) POV.
No one can expect that BFU will install Kleopatra (and create the needed OpenPGP key pair etc etc…!) to verify the N++ distributed sigs. But using the standard Windows Explorer and Certificate interface for checking of the N++ executable digital signature == ok, even if “unverifiable” for now:
npp-v883-1-unverifiable.png
it’s a halfway where to go (BTW I saw somewhere that some corporate takes an unsigned 3rd party app and signed it with their own MS Azure self-signed cert just for an internal re-distribution).
IMO - even if the above (very good!) description, for adding the N++ own cert to the trusted root ones, is not for every BFU in general, it’s still much better than want from them to learn how the OpenPGP (and public/private key stuff) works.
After N++ is in Trusted Root CA:
npp-v883-2-npp-cert-trusted.png
Now the N++ executables:
can be trusted (verified the origin, with some acceptable effort) prevents unnoticed modifications (common disk storage corruptions but also malicious modifs):npp-v883-3-npp-execode-modified.png
(Sidenote: I’d not overestimate the executables digital sign in the malware fighting - nowadays many sophisticated attacks use patching already loaded process in memory and so they do not touch the executable files on disk at all…)