Notepad++ drops code-signing for its releases from version 7.6.4 onwards

2 min read

On Wednesday, Don Ho, Notepad++ developer announced the release of Notepad++ 7.6.4. He also shared that from this release onwards, users will not see the blue-trusted User Access Control (UAC) popup as Notepad++ has dropped code signing for its releases. UAC is a Windows security feature which helps prevent unauthorized changes to operating systems.

Why Notepad++ decided to drop code-signing for its releases?

DigiCert, a US-based X.509 SSL certificate authority, donated a three years code signing certificate to Notepad++ in 2016, which has now expired. Now when Don Ho was trying to repurchase a new certificate from Certum, a Certification Authority, he was required to mention a Common Name (CN). The problem here is that as Notepad++ is not a company or organization, Certum did not allow him to use Notepad++ as CN.

Additionally, he also feels that these code-signing certificates are too overpriced. He added in the blog post, “Notepad++ has done without a certificate for more than 10 years, I don’t see why I should add the dependency now (and be an accomplice of this overpricing industry). I decide to do without it.”

This sparked a discussion on Hacker News, and many users supported the developer’s decision. One of the users commented, “Well I don’t care if the developer paid the certificate, and I don’t see why someone that develops FOSS should pay money for something that doesn’t bring to him any of that money back. At least for open source software certificates should be offered for free, in my opinion.”

Don Ho mentioned in the announcement that this decision will not have any effect on Notepad++ security whatsoever, but it will be less flexible from before:

As always, every release will come with SHA256 hash of the installed and other packages.
The SHA256 hash of all components such as ‘SciLexer.dll’, ‘GUP.exe’, and ‘nppPluginList.dll’ will be checked by Notepad++
Markdown support was planned to land in Notepad++ 7.6.3 version, but the needed file wasn’t deployed correctly by the installer. This bug is now fixed in Notepad++ 7.6.4.
Additionally, this release fixes a few vulnerable issues and some crash bugs identified in the European Commission’s Free and Open Source Software Auditing Bug Bounty program.

To read the original announcement, visit Notepad++’s official website.