When I first started using Notepad++ and discovered this place, I was appalled that @donho (as the author) spent so little time here (of course he could be a 99% lurker and read every character of every post – we can’t know if that is true or not). :)

thanks for taking the time to answer each post in detail.
i respect and understand all your current decisions.

also many thanks for involving us and everyone at more brainstorming, personal evaluation thoughts, and giving us your personal insights lately.
imho, this has helped us a lot, as we are currently very well prepared for ourselves, as well as for supporting other notepad++ users, and we have a much better understanding of what’s behind the scenes.

i personally appreciate this a lot.
it is very motivating and seems to create a certain enthusiasm amongst readers, turning notepad++ into a passionate hobby in addition of being our every day tool. 👍

ps: sorry for writing so much, i guess the enthusiasm took over a bit 😉

Signing certificate guarantees not only the integrity of file, but also the source of file (we are sure that file is delivered by the signer).

I had a thought about this: often times, in the more linuxy areas of open source (for example, some Perl module distributions on CPAN, or many linux packages downloaded with apt-get and similar, if I’m remembering correctly), the packages are signed by an OpenPGP key controlled by the developer(s) of the open-source software, rather than using a certificate-authority like the windows code-signing. The gpg client can be used for that, and there is a Gpg4win windows implementation available.

You could create a public/private keypair under the Notepad++ name (since it relies on the web-of-trust rather than any given certification authority, it wouldn’t have to be a registered business name), and then make a detached signature which security-conscious users could download, and compare against the Notepad++ public key, which could be made available on the website (and in keyservers). The upside is that it’s using completely free and open-source software, and not relying on a paid certificate-authority; the downside is that it’s not the established windows way of doing things, so it wouldn’t help with the ugly “yellow-orange UAC popup on Notepad++'s installation”.

@PeterJones said:

There appear to be re-sellers who claim to sell Comodo certificates for sub-$100 per year, but I don’t know if that’s a sucker introductory price or whether they are on the up-and-up. Also, even if they are legit, they might require a valid organization or person instead of open-source-project-name like Certum. Given that uncertainty, it might not be worth the effort to investigate the re-sellers.

My one worry would be for enterprise environments – I don’t know if they would have more issues with a lack of code-signing (people in such enterprise I.T. groups would have to chime in to give reliable info).

I have tried Comodo. As you doubt they don’t approve Notepad++ as signer. Too bad.

@Ekopalypse said:

If the enterprise IT needs to have such a thing then I would argue that this could be their
chance to contribute to an open source project by sponsoring it.

Why not, but for how long? 3 years later I have to fight again for their comfort.

@Meta-Chuh said:

if requests for a signed release take overhands, you could always release another 7.6.5 sooner, using the cert issued to your name, as you already own it now.

Nope, I have no valid certificate - I didn’t continue the procedure because a certificate with my name is useless (to me).

note: i don’t think that people would ever mind if it is signed by an individual person, instead of an entity called “notepad++”, because your project is a human project, for human users, and it’s worth carrying your name.

Nope again - it might bother nobody but it does bother me.

@Pilskalns said:

Maybe you should start a donation campaign/goal trough some platform (besides donation buttons in the website). Then kindly ask to users to share that on all the geeky sites and forums out there. And don’t be shy about it, put a message in the next release notes that you are seeking for independent sponsor/s for cert.

People do the donation to the project themselves, that’s fine. I don’t ask money from people - not even for paying (so supporting) an overpriced industry.

@motazalnuweiri said:

Note: you should add a note to the Installer and to change.log for that.

Sure. I will make a page to make thing more clear.

@guy038 said:

This leads me to ask myself a question :

How does downloading a file from any ABC site, calculating the SHA-256 value of the downloaded file, for example with the built-in Notepad++ tool and checking that it is identical to the one, delivered by the ABC site, allow us to be sure that this file is free of viruses, and other malwares ?

To my mind, this only means that the file contained, on the ABC site, and the file I just downloaded are strictly identical ! Isn’t that right ? The integrity of the downloaded file is preserved !

Basically, hash verification provides the integrity of file to ensure it’s not altered. However the source of file is unknown if you only get the file and hash from no where. Signing certificate guarantees not only the integrity of file, but also the source of file (we are sure that file is delivered by the signer). Normally if users download Notepad++ from the official site and check the sha256 hash (reliable AFAICT) published on the official site with the downloaded binary - it should be enough to ensure the downloaded binary source and its integrity. The remain stuff is the ugly yellow-orange UAC popup on Notepad++'s installation, but I think users should realize that Notepad++ project is a little modest Spidey who tries his best to bring the same effect that non-budget-limited Advengers provide.

After reading all these posts, Don, I also consider that it is useless to worry about a code signing certificate. Points 1. and 2., which you mentioned last, should be enough ;-))

This leads me to ask myself a question :

How does downloading a file from any ABC site, calculating the SHA-256 value of the downloaded file, for example with the built-in Notepad++ tool and checking that it is identical to the one, delivered by the ABC site, allow us to be sure that this file is free of viruses, and other malwares ?

To my mind, this only means that the file contained, on the ABC site, and the file I just downloaded are strictly identical ! Isn’t that right ? The integrity of the downloaded file is preserved !

Of course, Don, don’t feel concerned, please ! For years I have been downloading N++, in zip version, as well as other downloads, from many technical sites, without any problem :-))

Despite a few hours of research and reading on the Net, I can’t find a satisfactory answer ! What if, deliberately or not, a file, offered for download, is already infected in any way ? If transmission is correct, the two “hash” values will be equal, anyway ! However, I would have downloaded an infected file: -(((

In the end, it is just the host’s responsibility to make sure that the files, offered for download, are really clean ( for instance with VirusTotal ) and, then the SHA-256 hash feature just verifies that the download process did send you the correct file !

Here are, below, among all the sites visited, three interesting addresses… but which leaves me wanting more about my specific question !

https://en.wikipedia.org/wiki/Cryptographic_hash_function#Verifying_the_integrity_of_messages_and_files

https://tiptopsecurity.com/what-is-cryptographic-hashing-md5-sha-and-more/

https://security.stackexchange.com/questions/98213/what-is-the-most-secure-hash-for-virus-definition-databases-in-2015

What do you think of, fellows ?

Best Regards

guy038

Maybe you should start a donation campaign/goal trough some platform (besides donation buttons in the website). Then kindly ask to users to share that on all the geeky sites and forums out there. And don’t be shy about it, put a message in the next release notes that you are seeking for independent sponsor/s for cert.

Millions and millions (i don’t know actually how much) use and benefit from N++. Even Microsoft had N++ on screen in their advertisement while ago. You should get something back, at least to keep going.

Best of luck!

i can not predict how the majority of corporate users will react, but if you wish, you can give it a try with an unsigned 7.6.4 release and we’ll see what comes towards us.

if requests for a signed release take overhands, you could always release another 7.6.5 sooner, using the cert issued to your name, as you already own it now.

note: i don’t think that people would ever mind if it is signed by an individual person, instead of an entity called “notepad++”, because your project is a human project, for human users, and it’s worth carrying your name.

It’s just a pain in the ass to get a certificate for an (every?) open source project. It should be a human right issue :)

I agree - I have to admit that I have no clue about what needs to be done to get a certificate but an
open source project shouldn’t be bothered going through this.

If the enterprise IT needs to have such a thing then I would argue that this could be their
chance to contribute to an open source project by sponsoring it.

So what do you think guys?

I am not personally bothered by the lack of code signing certificate.

There appear to be re-sellers who claim to sell Comodo certificates for sub-$100 per year, but I don’t know if that’s a sucker introductory price or whether they are on the up-and-up. Also, even if they are legit, they might require a valid organization or person instead of open-source-project-name like Certum. Given that uncertainty, it might not be worth the effort to investigate the re-sellers.

My one worry would be for enterprise environments – I don’t know if they would have more issues with a lack of code-signing (people in such enterprise I.T. groups would have to chime in to give reliable info).

Given costs (and annoyances) like that, I’d vote against signing.