Remove code signing from Notepad++



  • TL;NR
    The certificate to sign Notepad++ is expired, and I’ve done a lot of effort to get a new one with “Notepad++” as signer’s name but in vain. I’ve decided do the future releases without certificate. I want to hear your (community) opinions before it getting done.

    3 years ago DigiCert contacted me for offering a 3 years code signing certificate to the project, and I accepted their generous donation.
    Every good thing has its end, the certificate has been expired since the beginning of this year. As I’m happy with DigiCert, I’ve checked their certificate, but it’s too expensive for me (about $1400 for 3 years). I finally found a cheap one (still more than $500 for 3 years plus a token) by Certum, then my nightmare’s begun:
    I’ve found myself struggling for generating RSA bi-keys in the token with their inaccurate document and the poor software, finally successful on IE10 (failed under Chrome all the time)!! I then filled up the certificate info and waited (for the verification from Certum) - after 1 week of waiting I called the client support, and I learnt that I cannot use “Notepad++” as CN to sign because Notepad++ doesn’t exist as company or organization. I have to fill up the form again by using my real name.

    It’s just a pain in the ass to get a certificate for an (every?) open source project. It should be a human right issue :)

    Anyway, I wasted hours and hours for getting one certificate instead of working on essential thing - Notepad++ project. Even I can get one certificate I want easily this year, the nightmare will restart 3 years later. Notepad++ has done without certificate for more than 10 years, I don’t see why I should add the dependency now (and be an accomplice of this overpricing industry). I decide to do without it.

    It doesn’t mean there’s no more security in Notepad++, but it will be less flexible for sure:

    1. SHA256 hash of Installer and other packages will be provided for every release, just as usual. Too bad for UAC popup with “Publisher Unknown” while installation.
    2. Notepad++ will check the SHA256 of all the components (SciLexer.dll, GUP.exe and nppPluginList.dll) used by the program.

    .
    So what do you think guys?



  • But that can be changed without the signature? the notebook won’t work?



  • I see that you have spent a lot of time on this project, many years Notepad++ my companion .



  • @donho said,

    So what do you think guys?

    I am not personally bothered by the lack of code signing certificate.

    There appear to be re-sellers who claim to sell Comodo certificates for sub-$100 per year, but I don’t know if that’s a sucker introductory price or whether they are on the up-and-up. Also, even if they are legit, they might require a valid organization or person instead of open-source-project-name like Certum. Given that uncertainty, it might not be worth the effort to investigate the re-sellers.

    My one worry would be for enterprise environments – I don’t know if they would have more issues with a lack of code-signing (people in such enterprise I.T. groups would have to chime in to give reliable info).

    Given costs (and annoyances) like that, I’d vote against signing.



  • It’s just a pain in the ass to get a certificate for an (every?) open source project. It should be a human right issue :)

    I agree - I have to admit that I have no clue about what needs to be done to get a certificate but an
    open source project shouldn’t be bothered going through this.

    If the enterprise IT needs to have such a thing then I would argue that this could be their
    chance to contribute to an open source project by sponsoring it.



  • @donho

    i can not predict how the majority of corporate users will react, but if you wish, you can give it a try with an unsigned 7.6.4 release and we’ll see what comes towards us.

    if requests for a signed release take overhands, you could always release another 7.6.5 sooner, using the cert issued to your name, as you already own it now.

    note: i don’t think that people would ever mind if it is signed by an individual person, instead of an entity called “notepad++”, because your project is a human project, for human users, and it’s worth carrying your name.



  • @donho

    Maybe you should start a donation campaign/goal trough some platform (besides donation buttons in the website). Then kindly ask to users to share that on all the geeky sites and forums out there. And don’t be shy about it, put a message in the next release notes that you are seeking for independent sponsor/s for cert.

    Millions and millions (i don’t know actually how much) use and benefit from N++. Even Microsoft had N++ on screen in their advertisement while ago. You should get something back, at least to keep going.

    Best of luck!



  • It’s OK without certificate because they make it too hard and too expensive to get one.
    Note: you should add a note to the Installer and to change.log for that.



  • Hi, @don-ho and All,

    After reading all these posts, Don, I also consider that it is useless to worry about a code signing certificate. Points 1. and 2., which you mentioned last, should be enough ;-))


    This leads me to ask myself a question :

    How does downloading a file from any ABC site, calculating the SHA-256 value of the downloaded file, for example with the built-in Notepad++ tool and checking that it is identical to the one, delivered by the ABC site, allow us to be sure that this file is free of viruses, and other malwares ?

    To my mind, this only means that the file contained, on the ABC site, and the file I just downloaded are strictly identical ! Isn’t that right ? The integrity of the downloaded file is preserved !

    Of course, Don, don’t feel concerned, please ! For years I have been downloading N++, in zip version, as well as other downloads, from many technical sites, without any problem :-))

    Despite a few hours of research and reading on the Net, I can’t find a satisfactory answer ! What if, deliberately or not, a file, offered for download, is already infected in any way ? If transmission is correct, the two “hash” values will be equal, anyway ! However, I would have downloaded an infected file: -(((

    In the end, it is just the host’s responsibility to make sure that the files, offered for download, are really clean ( for instance with VirusTotal ) and, then the SHA-256 hash feature just verifies that the download process did send you the correct file !

    Here are, below, among all the sites visited, three interesting addresses… but which leaves me wanting more about my specific question !

    https://en.wikipedia.org/wiki/Cryptographic_hash_function#Verifying_the_integrity_of_messages_and_files

    https://tiptopsecurity.com/what-is-cryptographic-hashing-md5-sha-and-more/

    https://security.stackexchange.com/questions/98213/what-is-the-most-secure-hash-for-virus-definition-databases-in-2015

    What do you think of, fellows ?

    Best Regards

    guy038





  • Thank you for your opinions.

    @PeterJones said:

    There appear to be re-sellers who claim to sell Comodo certificates for sub-$100 per year, but I don’t know if that’s a sucker introductory price or whether they are on the up-and-up. Also, even if they are legit, they might require a valid organization or person instead of open-source-project-name like Certum. Given that uncertainty, it might not be worth the effort to investigate the re-sellers.

    My one worry would be for enterprise environments – I don’t know if they would have more issues with a lack of code-signing (people in such enterprise I.T. groups would have to chime in to give reliable info).

    I have tried Comodo. As you doubt they don’t approve Notepad++ as signer. Too bad.

    @Ekopalypse said:

    If the enterprise IT needs to have such a thing then I would argue that this could be their
    chance to contribute to an open source project by sponsoring it.

    Why not, but for how long? 3 years later I have to fight again for their comfort.

    @Meta-Chuh said:

    if requests for a signed release take overhands, you could always release another 7.6.5 sooner, using the cert issued to your name, as you already own it now.

    Nope, I have no valid certificate - I didn’t continue the procedure because a certificate with my name is useless (to me).

    note: i don’t think that people would ever mind if it is signed by an individual person, instead of an entity called “notepad++”, because your project is a human project, for human users, and it’s worth carrying your name.

    Nope again - it might bother nobody but it does bother me.

    @Pilskalns said:

    Maybe you should start a donation campaign/goal trough some platform (besides donation buttons in the website). Then kindly ask to users to share that on all the geeky sites and forums out there. And don’t be shy about it, put a message in the next release notes that you are seeking for independent sponsor/s for cert.

    People do the donation to the project themselves, that’s fine. I don’t ask money from people - not even for paying (so supporting) an overpriced industry.

    @motazalnuweiri said:

    Note: you should add a note to the Installer and to change.log for that.

    Sure. I will make a page to make thing more clear.

    @guy038 said:

    This leads me to ask myself a question :

    How does downloading a file from any ABC site, calculating the SHA-256 value of the downloaded file, for example with the built-in Notepad++ tool and checking that it is identical to the one, delivered by the ABC site, allow us to be sure that this file is free of viruses, and other malwares ?

    To my mind, this only means that the file contained, on the ABC site, and the file I just downloaded are strictly identical ! Isn’t that right ? The integrity of the downloaded file is preserved !

    Basically, hash verification provides the integrity of file to ensure it’s not altered. However the source of file is unknown if you only get the file and hash from no where. Signing certificate guarantees not only the integrity of file, but also the source of file (we are sure that file is delivered by the signer). Normally if users download Notepad++ from the official site and check the sha256 hash (reliable AFAICT) published on the official site with the downloaded binary - it should be enough to ensure the downloaded binary source and its integrity. The remain stuff is the ugly yellow-orange UAC popup on Notepad++'s installation, but I think users should realize that Notepad++ project is a little modest Spidey who tries his best to bring the same effect that non-budget-limited Advengers provide.



  • @donho ,

    Signing certificate guarantees not only the integrity of file, but also the source of file (we are sure that file is delivered by the signer).

    I had a thought about this: often times, in the more linuxy areas of open source (for example, some Perl module distributions on CPAN, or many linux packages downloaded with apt-get and similar, if I’m remembering correctly), the packages are signed by an OpenPGP key controlled by the developer(s) of the open-source software, rather than using a certificate-authority like the windows code-signing. The gpg client can be used for that, and there is a Gpg4win windows implementation available.

    You could create a public/private keypair under the Notepad++ name (since it relies on the web-of-trust rather than any given certification authority, it wouldn’t have to be a registered business name), and then make a detached signature which security-conscious users could download, and compare against the Notepad++ public key, which could be made available on the website (and in keyservers). The upside is that it’s using completely free and open-source software, and not relying on a paid certificate-authority; the downside is that it’s not the established windows way of doing things, so it wouldn’t help with the ugly “yellow-orange UAC popup on Notepad++'s installation”.



  • Why not use crowdfunding to buy the certificate from DigiCert ?



  • @donho

    thanks for taking the time to answer each post in detail.
    i respect and understand all your current decisions.

    also many thanks for involving us and everyone at more brainstorming, personal evaluation thoughts, and giving us your personal insights lately.
    imho, this has helped us a lot, as we are currently very well prepared for ourselves, as well as for supporting other notepad++ users, and we have a much better understanding of what’s behind the scenes.

    i personally appreciate this a lot.
    it is very motivating and seems to create a certain enthusiasm amongst readers, turning notepad++ into a passionate hobby in addition of being our every day tool. 👍

    ps: sorry for writing so much, i guess the enthusiasm took over a bit 😉



  • I have to second @Meta-Chuh 's thanks to @donho for involving the “community” more and more lately. There are some really smart people here; valuable opinions on important things!

    When I first started using Notepad++ and discovered this place, I was appalled that @donho (as the author) spent so little time here (of course he could be a 99% lurker and read every character of every post – we can’t know if that is true or not). :)


Log in to reply