The developer of the highly popular open source Notepad++ text and source code editor for Windows announced that the program will drop code signing support starting with the 7.6.4 release.
Don Ho, Notepad++ developer, says that the decision to remove code signing from the editor came after the certificate donated by DigiCert three years ago expired.
The time wasted while trying to get a new signing certificate and the unreasonable price tags such a product comes with were two other causes behind Ho's decision to drop code signing from the Notepad++ 7.6.4 release.
This was the reason for Notepad++ dropping code signing support in the words of developer Don Ho:
3 years ago DigiCert donated a 3-year code signing certificate to the project, and every good thing has its end: the certificate has been expired since the beginning of this year.
I was trying to purchase another certificate at a reasonable price. However, I cannot use "Notepad++" as the CN to sign because Notepad++ doesn't exist as a company or organization. I wasted hours and hours getting one suitable certificate instead of working on the essential thing - the Notepad++ project. I realize that a code signing certificate is just an overpriced *expletive* toy for FOSS authors - Notepad++ has done without a certificate for more than 10 years, I don't see why I should add the dependency now (and be an accomplice of this overpricing industry). I decide to do without it.
While the Notepad++ 7.6.4 release no longer comes with a digital signature, users are not left without a way to verify the authenticity of the installer packages they download.
To be more exact, SHA-256, SHA-1, and MD5 digests are published for all binary packages offered for download on the project's website.
The Notepad++ editor will also automatically check the SHA-256 hash of the components it uses (SciLexer.dll, GUP.exe, and nppPluginList.dll) to make sure that they haven't been tampered with.
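As an added example (not code from the article or from the Notepad++ project), the Python below verifies a downloaded package against digests copied from a download page, accepting the result only when a SHA-256 digest is published and every published digest matches; MD5 or SHA-1 on their own are treated as insufficient. The sample file and its digests are constructed inline.

```python
import hashlib
import hmac
import os
import tempfile

# Of the digests the project publishes, only SHA-256 is treated as sufficient
# on its own; MD5 and SHA-1 are no longer collision resistant.
STRONG = {"sha256"}


def file_digests(path, algorithms):
    """Stream the file once and hash it with every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, published):
    """Check a downloaded package against published digests.

    `published` maps algorithm name -> hex digest as copied from the download
    page. Returns (ok, reasons): ok is True only when a strong digest is
    published and every published digest matches the file."""
    reasons = []
    if not STRONG & set(published):
        reasons.append("no SHA-256 digest published; MD5/SHA-1 alone are not sufficient")
    actual = file_digests(path, published.keys())
    for name, expected in published.items():
        # constant-time comparison; published hex is normalised to lowercase
        if not hmac.compare_digest(actual[name], expected.strip().lower()):
            reasons.append(f"{name} mismatch: expected {expected}, got {actual[name]}")
    return (not reasons), reasons


def demo():
    """Constructed sample: a fake installer plus digests derived from it."""
    data = b"constructed sample installer bytes, not a real Notepad++ package\n"
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        good = {"sha256": hashlib.sha256(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}
        tampered = dict(good, sha256="0" * 64)  # simulates a digest that does not match
        weak_only = {"md5": good["md5"]}        # only a broken algorithm published
        return (verify_download(path, good)[0], verify_download(path, tampered)[0],
                verify_download(path, weak_only)[0])
    finally:
        os.unlink(path)
```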
Code signing certificates come with a $499 price tag per year
Right now, DigiCert advertises on its website code signing certificates available in the form of a subscription, for as low as $499 per year when paying for the certificate on a yearly basis, and it's slightly lowered to $474 if the developer wants to pay in advance for two or three years.
Software developers use Code Signing Certificates to digitally sign the software they create (apps, drivers, and more) to make it possible for their users to verify that the binary or code they run or download was not altered or in any way compromised by a third party.
Such certificates include information about the developer behind the signed software, including a signature, the company name, and a timestamp.
In addition, Code Signing Certificates are checked by Windows when software is launched and, when no signature is present, the OS will display a User Account Control (UAC) warning during the installation process or when starting up the program.
Comments
Demonslay335 - 5 years ago
They really should add better options for open-source or NFP developers. I get *why* it costs so much for corporations, but it really shouldn't be what it is for other situations.
GT500 - 5 years ago
There are cheaper options than DigiCert, however the issue isn't just cost. Certificates are intentionally difficult to get. Notepad++ isn't the only open source project that has been forced to abandon digital signatures, since they could no longer fulfill the requirements to purchase one.
In order for open source projects to obtain code signing certificates, someone may actually need to register the project as a not-for-profit business (including obtaining a tax ID number and dealing with any applicable laws/regulations in the country they registered their project as a business in). For most I imagine that would be a ridiculous requirement, and code signing certificates wouldn't be worth the hassle.
Dominique1 - 5 years ago
I'm all for dropping certificates. People have become lazy, when a simple hash check is all that is needed. Also, those cert sellers are pushy, using end-of-the-world fear tactics. So fed up with this crap.
GT500 - 5 years ago
Hashes don't work for everything. For instance, whitelisting by hash in Anti-Virus software means you have to update the hash for every software you want to whitelist every time they get updated. It's essentially an unfeasible amount of work. Digital signatures essentially resolve this issue, allowing an Anti-Virus software to automatically trust all software from a trusted publisher, as long as they bothered to digitally sign all of their executables.
PerspectiveObjective - 5 years ago
Wish we could vote on these comments. I love this one: "Also, those cert sellers are pushy using end-of-the-world fear tactics."
Also like the hash follow-up: "Hashes don't work for everything. For instance . . ."
bctway - 5 years ago
Finally was able to register after a lot of attempts with shitty Google reCAPTCHA. Anyway, wanted to say that Certum provides cheap code signing certificates for open source software developers. It costs 25 EUR now but it used to be 15 I think. Still cheap in my opinion, so someone please inform the Notepad++ developer.
GT500 - 5 years ago
The Notepad++ project has forums. Feel free to let them know (assuming it won't be seen as an advertisement):
https://notepad-plus-plus.org/community/
pcunite - 3 months ago
Well, prices have gone up even further now!