Notepad++ No Longer Code Signed, Dev Won't Support Overpriced Cert Industry

The developer of the highly popular open source Notepad++ text and source code editor for Windows announced that the program will drop code signing support starting with the 7.6.4 release.

Don Ho, Notepad++ developer, says that the decision to remove code signing from the editor came after the certificate donated by DigiCert three years ago expired.

The time wasted in while trying to get a new signing certificate and the unreasonable price tags such a product comes with were two other causes behind Ho's decision to drop code signing from the Notepad++ 7.6.4 release.

This was the reason for Notepad++ dropping code signing support in the words of developer Don Ho:

3 years ago DigiCert donated a 3 years code signing certificate to the project, and every good thing has its end, the certificate has been expired since the beginning of this year.

I was trying to purchase another certificate with reasonable price. However I cannot use "Notepad++" as CN to sign because Notepad++ doesn’t exist as company or organization. I wasted hours and hours for getting one suitable certificate instead of working on essential thing - Notepad++ project. I realize that code signing certificate is just an overpriced *expletive* toy of FOSS authors - Notepad++ has done without certificate for more than 10 years, I don’t see why I should add the dependency now (and be an accomplice of this overpricing industry). I decide to do without it.

Code signing removed in Notepad++ 7.6.4
Code signing removed in Notepad++ 7.6.4

While the Notepad++ 7.6.4 release no longer comes with a digital signature, it doesn't mean that users are left with no way to verify the authenticity of the installer packages they download to install the application.

To be more exact, SHA-256, SHA-1, and MD5 digests are available for all binary packages available for download from the project's website.

The Notepad++ editor will also automatically check the SHA256 hash of all the components (SciLexer.dll, GUP.exe, and nppPluginList.dll) it uses to make sure that they haven't been tampered with.

Code signing certificates come with a $499 price tag per year

Right now, DigiCert advertises on its website code signing certificates available in the form of a subscription, for as low as $499 per year when paying for the certificate on a yearly basis, and it's slightly lowered to $474 if the developer wants to pay in advance for two or three years.

Software developers use Code Signing Certificates to digitally sign the software they create (apps, drivers, and more) to make it possible for their users to verify that the binary or code they run or download was not altered or in any way compromised by a third party.

Code integrity check using code signing certificates
Code integrity check using code signing certificates (Image: DigiCert)

Such certificates include information about the developer behind the signed software, including a signature, the company name, and a timestamp.

In addition, Code Signing Certificates are checked by Windows when software is launched and, when not present, the OS will display a User Account Control (UAC) warning during the installation process or when starting up the program.