sha512 certificate cannot be validated
-
Hi,
The exe of Notepad++ has 2 certificates; the SHA256 from Globalsign which is validated and a SHA512 which fails validation. I believe this is the self-signed one. The msi only has the Globalsign certificate. Can the SHA512 one be removed from the exe? It is causing some issues in our organization where we allow certain applications to be installed based on vendor certificate.
Thanks! :-)
-
- It fails validation because you chose not to follow the instructions in the user manual (https://npp-user-manual.org/docs/getting-started/#notepad-self-signed-certificate-authority-for-binaries)
- If it passes one and fails the other, why don’t you trust the one it passes? Having multiple certificates is for the purpose of allowing organizations to choose who they will trust. If you don’t trust globalsign’s saying “it matches”, who are you going to trust? Or why would you trust them if they’re the only signer, but not if there’s multiple signatures? (in other words, if you trust globalsign, then you shouldn’t care if you’ve built trust with the other signer or not – globalsign’s valid certificate should be enough)
-
I have seen the instructions, but installing the self-signed certificate on all computers in the organization is not a practical solution. Also, why would you include a self-signed certificate if you also have “real” one that can be validated without extra steps? Lastly, it is not in the msi, so why is it in the exe?
-
@bvklaveren said in sha512 certificate cannot be validated:
I have seen the instructions, but installing the self-signed certificate on all computers in the organization is not a practical solution.
Okay. Then ignore the self-signed, since there’s a commercially-signed alternative that can give you confidence that the binary is being distributed by the one who it claims to be.
It only takes one certificate to give the confidence, but it also means that you can ignore any other certificate on the same file, because having two certificates (one self-signed that you choose to distrust and the other commerically-signed which you choose to trust) gives you exactly the same amount of confidence that the binary is valid as does having just the commercially-signed certificate with none others. Whereas for someone who does trust the self-signed, they can choose to trust that self-signed and ignore the commercially-signed as being tainted by money.
Also, why would you include a self-signed certificate if you also have “real” one that can be validated without extra steps?
The “why’s and wherefore’s” are all available in the public, in various discussions on this forum (search for
certificate) and the relevant section of the User Manual and in the various announcement pages in the official website. But I’ll sum it up, from my outside perspective:Because for months, there wasn’t a commercial certificate available, because the corporations behind the certificates are set up to make things difficult to open source projects. And once he did get the new globalsign cert, he didn’t feel it was worth it to undo all the effort he had put into creating the self-signed certificate.
Lastly, it is not in the msi, so why is it in the exe?
apples and oranges?
The MSI is a container, which can be signed, and is signed separately from any EXE or DLL that might be contined therein. So the developer apparently chose to only sign that MSI with the commercially-derived – probably because his system was already setup to sign the EXE with both (because it was setup to sign with just the self-signed, then he added the globalsign cert on top of that once it was available), whereas the MSI didn’t come until a month or two after the globalsign was available, so he probably didn’t think it was worth the extra effort to figure out how to sign the MSI with the self-signed as well.
