    Digital certificate for open source projects

    Scheduled Pinned Locked Moved Security
    3 Posts 3 Posters 93 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    Black Workgroup
    last edited by

      Re: KNOWN ISSUE: The digital certificate is not available in version 8.8.2.

      Why not use sigstore?
      https://www.sigstore.dev/
      It provides certificates for open source projects.

      1 Reply  Last reply  Reply  Quote 0
      PeterJones @Black Workgroup
      last edited by PeterJones

        @Black-Workgroup ,

        I’m not a decision maker on the project, but I took a brief look, and I’m not sure it does quite the same thing as Notepad++ needs. Unless I’ve misunderstood, it actually develops its own signing ecosystem (or maybe makes use of the docker/container signing ecosystem, but I’m not sure) for signing text files, blobs, and containers. As far as I understand, none of those would work in the way that Notepad++ needs, where it needs to be able to have the signature embedded in the executable in a way that the Windows OS will recognize the signature (i.e., using signtool or equivalent) and be able to trace that signature to a Certificate Authority in the Windows certificate manager store. At least at my initial look at their information, sigstore doesn’t seem to be doing that.

        If you believe I am wrong, could you point me to an open source project that uses sigstore to sign installer and/or application *.exe files, so I can try to grab one of that other project’s executables and make sure they are providing the service that Notepad++ needs? Or, if you could point me to where in their documentation they show how to sign a Windows .exe in a way that will work akin to using signtool…

        (If, OTOH, they are just providing cryptographic hash verification using an external tool, then Notepad++ already provides a GPG signature on each release.)

        1 Reply  Last reply  Reply  Quote 2
        xomx @PeterJones
        last edited by

          @PeterJones said in Digital certificate for open source projects:

          be able to trace that signature to a Certificate Authority in the windows certificate manager store

          IMO - not an option for N++.
          Even GitHub does not recognize the signature, so I doubt MS will; moreover, the needed x509 cert is a short-lived one (expires immediately?):

          https://docs.sigstore.dev/about/faq/#i-signed-my-commit-with-gitsign-but-it-shows-up-as-unverified-in-my-github-repository-page-why

          The Sigstore CA root is not a part of GitHub’s trust root.
          Gitsign’s ephemeral keys are only valid for a short time,
          so using standard x509 verification would consider
          the certificate invalid after expiration.

          Verification needs to include validation via the transparency log
          to verify that the certificate was valid at the time it was used.

          1 Reply Last reply Reply Quote 2
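Added example for this thread (not code from Notepad++, sigstore or any poster): a PowerShell check that covers both points raised above. It asks Windows whether an executable carries an embedded signature it recognizes (what PeterJones describes as the signtool model), walks the signer's chain to see whether the trust anchor is actually present in the Windows root store, and lets the chain be evaluated at a chosen verification time instead of "now", which is the distinction the FAQ quoted by xomx draws between standard X.509 validation and checking that a short-lived certificate was valid when it was used. The function name, its parameters and the sample file path are assumptions.

```powershell
# Added example (not from the thread or the Notepad++ project): inspect an executable's
# embedded Authenticode signature the way the Windows OS does, then build the signer's
# chain explicitly so the trust anchor and any failure reason are visible.
# Function name, parameter names and the placeholder path are assumptions.

function Test-EmbeddedSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Time at which the chain is evaluated. Default is "now", i.e. standard X.509
        # validation; pass the signing time to check validity "at the time it was used".
        [datetime] $VerificationTime = (Get-Date)
    )

    # Step 1: does Windows recognize an embedded signature on this file?
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path           = $Path
        Status         = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage  = $sig.StatusMessage
        Signer         = $null
        Timestamped    = $false
        ChainBuilt     = $false
        RootThumbprint = $null
        RootInStore    = $false
        ChainErrors    = @()
    }

    if ($null -eq $sig.SignerCertificate) {
        # Nothing embedded: an external hash file or a detached bundle never shows up here.
        return [pscustomobject]$result
    }

    $result.Signer      = $sig.SignerCertificate.Subject
    $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

    # Step 2: build the chain ourselves at the requested time, with revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.VerificationTime = $VerificationTime
    $result.ChainBuilt  = $chain.Build($sig.SignerCertificate)
    $result.ChainErrors = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    })

    # Step 3: the last chain element is the root; confirm it lives in a Windows root store.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $result.RootThumbprint = $root.Thumbprint
    $result.RootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint })

    $chain.Dispose()
    return [pscustomobject]$result
}

# Usage (the path is a placeholder, not a real release file):
# Test-EmbeddedSignature -Path 'C:\path\to\installer.exe' | Format-List
# Same file, chain evaluated at an earlier point in time (e.g. the recorded signing time):
# Test-EmbeddedSignature -Path 'C:\path\to\installer.exe' -VerificationTime '2024-01-01' | Format-List
```

Reading the output: `Status = NotSigned` with an empty `Signer` is what an executable signed only through an external mechanism looks like to Windows, regardless of how strong that external mechanism is. `Status = Valid` together with `ChainBuilt = $false` and a `NotTimeValid` chain error means the signer certificate has expired but Windows still accepts the signature because of the timestamp countersignature (`Timestamped = $true`); rerunning with `-VerificationTime` set to the signing time makes the manual chain agree. That is the same "valid at the time it was used" idea the quoted FAQ describes, only here the evidence is the embedded timestamp rather than a transparency log.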
          The Community of users of the Notepad++ text editor.