
Notepad++ drops code signing for its releases - pmh
https://notepad-plus-plus.org/news/notepad-7.6.4-released.html
======
Svoka
Windows signing is a ripoff, $500/year you're getting nothing. Your
certificate is not trusted. You have to "get reputation for it" before Windows
Defender would stop giving users warnings. Also, renewing a certificate is not
a thing. Every time you have to get a new one, with the same story of
"reputation" again.

[1] [https://www.digicert.com/order/order-1.php](https://www.digicert.com/order/order-1.php)

~~~
juliusmusseau
Funny thing about trust: I trust a developer who drops some $$$ on a code-
signing certificate more than I trust a developer who doesn't. Even if it's
just $20.

Also, the validation requirements to obtain a code-signing certificate, while
certainly not bulletproof, are not nothing: you need to send in articles of
incorporation and your business needs a listing with a physical address and
phone number in a public directory (e.g., bbb.org), and someone representing
your business needs to pick up that phone when the cert validator calls it.

Your business name and physical address are injected into the certificate.
Basically code-signing certificates make it easier for people to find you and
sue you if they truly want to. I suspect that's the whole point.

The problem here is that the Notepad++ developer wants his certificate to say
CN=Notepad++, but he won't be able to obtain that until he has some kind of
business or organization registered in his jurisdiction with that name.
Whereas CN=FIRSTNAME LASTNAME he could probably obtain immediately (just send
in his driver's license during validation).

~~~
msla
> Funny thing about trust: I trust a developer who drops some $$$ on a code-
> signing certificate more than I trust a developer who doesn't. Even if it's
> just $20.

Why? If I expect to make four figures on spreading malware/adware, and I can
assuage the nerves of people like you by spending two or three figures on a
certificate, I'm going to buy the certificate and make it look all nice and
pretty and take your money.

> Your business name and physical address are injected into the certificate.
> Basically code-signing certificates make it easier for people to find you
> and sue you if they truly want to. I suspect that's the whole point.

So I have to incorporate in Delaware, make up a fake address, and rent a
burner phone for a while. I'm not seeing the downside.

[https://www.bizfilings.com/toolkit/research-topics/incorpora...](https://www.bizfilings.com/toolkit/research-topics/incorporating-your-business/how-to-incorporate-a-business-in-delaware)

> Delaware does not require director names and addresses to be listed in the
> Certificate of Incorporation.

~~~
smacktoward
They didn't say they trust the developer who spends the money _absolutely_,
they said they trust the developer who spends the money _more than they trust
one who doesn't._ Which is fair -- as you note, not every scammer will be
scared off by the need to spend some money to pull the scam off; but _some_
will, so the ratio of legitimate developers to illegitimate ones will be
higher in markets where there's some cost to entry.

~~~
landryraccoon
This is fallacious reasoning. A well intentioned open source developer who
does not earn any money out of a labor of love has no incentive to further
spend money to sign his app that he’s giving away for free anyway. On the flip
side, a malicious actor that expects to earn money through a scam has every
incentive to spend some money making the app look legit, especially if there
is no risk involved.

~~~
pvg
The signed app can be globally disabled.

~~~
angry_octet
This could be easily achieved by Microsoft running a free signing service.
Lowering the cost of signing to zero would significantly increase the
proportion of signed apps.

~~~
pvg
The question was 'is someone who spends money for code signing more
trustworthy than someone who doesn't' and it was being treated as if the
trust, or at least the increase in comfort, somehow comes merely from the act
of spending money. It's an opt-in to a service that mitigates the impact of
malicious code.

~~~
angry_octet
The parent statement was that having signed apps made them easy to disable. If
all apps had to be signed, everything would have a reputation hook, and also
be easily disabled. It's the hang-up of using the for profit 'verified' code
signing ecosystem that makes signing ineffective.

Of course, MSFT/Apple etc will abuse it to kill apps they/govt don't like.

~~~
pvg
I don't really understand how any of this makes signing ineffective.

~~~
salawat
If the only way to play is to go through entrenched gatekeepers, who watches
the watchers, hmmm? If anything this should be seen as a power grab by
entrenched interests to have a cryptographic lever to pull to shut people out
of what should be a user's discretion decision pre-emptively. Walled gardening
at its finest.

Code signing is a bit like gun control. It really doesn't solve the problem at
all. It just pushes it up a level, and makes things more difficult for
legitimate users.

It also lines up incentives such that the preferred model of software
distribution shifts in the grand scheme of things toward for profit code.

While code signing is a neat technical solution, it's still a technical
solution parading about as a solution to a social problem. And the social
problem it is a solution to (that of untrustworthy folks existing) is not in
any way mitigated by the act of signing as mentioned previously.

~~~
pvg
I don't really understand how any of this makes signing ineffective.

------
burtonator
I created a huge rant on code signing certificates here:

[https://www.youtube.com/watch?v=mwuk0E-tfeg](https://www.youtube.com/watch?v=mwuk0E-tfeg)

It's a nightmare. Complete scam.

I needed this for Polar: [https://getpolarized.io/](https://getpolarized.io/)

Mind you... it's Open Source but I still want my users to be able to download
it without warnings.

No joke - it took me 2 weeks to get the CSC with about 4 hours per day working
on just this CSC issue.

It's just a labyrinth of insanity from not having a listing on D&B to them
insisting I pay $2k to expedite it.

I still don't have one from Apple because it requires a D&B number so I had to
get a personal cert from them.

I went with a cheap one for Windows BUT it gives errors on install for like
the first 1k downloads until Windows says it's legit.

It's a complete scam.

BTW.. if you get in the MS App Store you don't have to worry about a CSC so
that's good I guess.

~~~
juliusmusseau
For those that don't know, D&B stands for Dun & Bradstreet
([https://www.dnb.com/](https://www.dnb.com/)). They have this concept of a
D-U-N-S Number which basically means information about your business is in
their database.

Last I checked expedited D&B was around $40 USD (10 business days) and same-
day D&B around $500 USD.

Free D&B said it would take 30 business days, but it actually only took them 5
business days when I applied for it.

~~~
robinwassen
Apple has a tool where you can look up your DUNS number directly for free.

[https://developer.apple.com/support/D-U-N-S/](https://developer.apple.com/support/D-U-N-S/)

------
fjabre
I remember the good old days when people were actually trusted to do their own
research before downloading a potentially dangerous exe.

Now all we have are app store and certificate rackets. I'm looking at Google
and Apple too. Shame on the industry for accepting 30% revenue share on their
services. The idea of an app store is great but not when it excludes other
legitimate ways of installing software on device.

These practices are anticompetitive and monopolistic.

Good for Notepad++. I couldn't agree more with its sentiment.

~~~
duxup
>I remember the good old days when people were actually trusted to do their
own research before downloading a potentially dangerous exe.

Is there any evidence that was ever really a thing / effective?

How could you possibly know?

There are plenty of examples of previously trustworthy software becoming
untrustworthy, same with sites you download the code from.

That line reads like the absurd advice that security experts put out about
"only download something you trust" and ignoring that nobody has a clue how to
evaluate that aside from, say, limiting themselves to FOSS and reading all the
code...

~~~
throwawaymath
_> absurd advice that security experts put out about "only download something
you trust"_

This is mostly a meme from the overzealous FOSS and privacy crowd, not the
security crowd. Professional security engineers do not, as a rule, encourage
software engineers (or end users more generally) to only use open source
software because "you can inspect the code for vulnerabilities."

Anyone with legitimate security expertise will understand the benefits of
specialization and core competencies. Namely that despite the ideological
perspective of many in the FOSS community, it is actually better to trust
someone else with the security of your software. Because you most likely can't
trust yourself with that task anyway.

The idea that most people can reliably identify security vulnerabilities in
the software they use just because it's open source is laughable. They might
find trivial low hanging fruit or _obvious_ malicious activity, but they won't
have a better picture of the overall security posture just because they can
read the code.

As an obvious case in point, consider how few people identify vulnerabilities
in Firefox versus how many people use Firefox. The people who _write_ complex
open source software don't even reliably find the issues in their own code.

~~~
duxup
Yeah I didn't intend to tie FOSS advice to the security comment but
inadvertently my comment reads like that.

I intended it to just be a comparison of the "only download something you
trust" absurd advice you get from "security" people you see on TV or
something... and what the user was suggesting about the old days.

My FOSS comment was really meant to reflect the absolute rabbit hole you go
down when it is suggested people can simply protect themselves. It's a
never-ending flow of tasks and things you need to know that I don't think
anyone can do ...

------
Wowfunhappy
What _really_ pisses me off is code signing for drivers. To install an
unsigned driver in 64-bit Windows 10, you need to reboot your computer into a
special menu that can only be navigated with a USB keyboard (which I have to
lug out of the closet, since I normally use Bluetooth). That in itself
wouldn't be so bad, except the setting persists _only until the next reboot!_ †

This is all in stark contrast to macOS's System Integrity Protection, which I
can turn off once to never be bothered again.

I understand why Microsoft would enforce higher standards on drivers which can
touch the kernel. But, the same fundamental problem applies: it isn't
reasonable for non-profit, open source developers—many of whom _I_ consider
perfectly trustworthy—to pay hundreds of dollars for a certificate! Let me
make the final decision about who I trust. It's my machine—I even built it
myself!

The primary place I run into this problem is with drivers to support weird
video game controllers.

---

† You can enable a "testsigning" mode via the command line which persists
across reboots, but this only seems to work for certain drivers. If anyone can
explain why it _sometimes_ works, I'd appreciate it, as my research has never
turned up anything.

------
billforsternz
I've been slowly improving my open source Windows chess program Tarrasch
[http://triplehappy.com](http://triplehappy.com) for nearly 10 years. One of
my improvement plans has been to put on my big boy pants, and spend the money
and time needed to sign the program. I thought it was a big part of the
program graduating and becoming a serious software citizen. After reading the
comments here I am reconsidering and might save myself the pain. Thanks Hacker
News!

------
fbelzile
I'm going through a "renewal" right now... The archaic maze of validation is
also getting on my nerves. It's been three weeks now that I'm waiting for a
phone call to validate my phone number. This article is making it so tempting
to cancel my order.

The plethora of support emails is what motivated me to get one in the first
place. I used to get accused of giving users a "virus" and getting into
infinite loops on why they should trust me. I'm sure I was wasting more than
$100/year of my time responding to these emails, so I just gave in and got
one.

Now, I don't know what to do.

~~~
ilaksh
Is it k-software/Comodo/Sectigo by any chance?

~~~
fbelzile
Yes, Sectigo via The SSL Store.

------
tabulatouch
Where do I sign for a petition to have a free CA like LetsEncrypt for Code
Signing?

~~~
gambler
LetsEncrypt is a hack to get HTTP encryption working without shelling out
money for meaningless identity "verification". Code signing has nothing to do
with encryption, so having an analogous CA for code would be entirely
meaningless.

What does code signing in Windows _actually_ verify? That executable's author
at some point paid money to some company that Microsoft deemed an "authority"?

It's a rotten system. The whole CA pyramid is bullshit.

What we really need is a way to know that executable notepad++2.0 is signed by
the same person who signed notepad++1.0 already installed on your computer,
and that it's the same person who controls notepad-plus-plus.org, and that
this identity has existed for well over 10 years. _This_ is legitimately
useful info that would allow people to make more informed decisions about what
to install.

BTW, the part about historic record seems like one of the few good uses for
blockchain technology.

~~~
theandrewbailey
> LetsEncrypt is a hack to get HTTP encryption working without shelling out
> money for meaningless identity "verification".

Have you used Let's Encrypt? It verifies that you own the domain in question.
HTTPS requires that the server you're connecting to has been identified.

~~~
ghostly_s
Verifying domain control =/= verifying identity.

------
gruez
Why not use something like certum[1]? It's $69/year (cheaper if you already
have a smartcard), but the CN ends up with something like "Open source
developer, [full name]". It's not "notepad++" like the author wants, but it's
still better than nothing.

[1] [https://en.sklep.certum.pl/data-safety/code-signing-certific...](https://en.sklep.certum.pl/data-safety/code-signing-certificates/open-source-code-signing-984.html)

edit: updated price

~~~
gpm
"It's $828 per year" for ... a cert? What makes code signing this expensive?

~~~
eps
Greed, mostly.

Digicert lists EV code signing certs as $664/yr. But if you are to enter their
site through a side door or just plainly cry into the support's jacket, then
the price magically drops to $104/yr. And that's for an EV cert! So the only
reason there are $600 certs is that there are people who _do_ pay that.

~~~
jlongster
Yeah, I bought an EV cert from digicert for ~$100/year. People pay >$600/year??
What? I never even saw those prices! Not sure how I landed on digicert but I
think it was a Microsoft article listing where to get EV certs.

------
foobarbazetc
In case anyone reads this far down:

[https://docs.microsoft.com/en-us/windows-hardware/drivers/da...](https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate)

Follow the steps under “Buy a DigiCert EV code signing certificate”.

You’re welcome. ;)

~~~
fbelzile
I want to personally thank you for this. I cancelled my order with
Comodo/SSLStore and followed your suggestion. EV certificate is already in the
mail :)

------
asveikau
Interesting that they will check the hashes of dependencies at runtime. But
then I start to wonder - why dynamic linking if the library can't be replaced?

~~~
criddell
Why bother checking the signature of dependencies if the main executable
integrity isn't being checked?

What really surprises me is that the author of something as great as Notepad++
isn't making enough money from the project to easily be able to pay for the
certificate.

~~~
magnat
It's not about the price, but about the name on the certificate:

> However I cannot use "Notepad++" as CN to sign because Notepad++ doesn’t
> exist as company or organization

CAs would put the author's name as CN, which isn't great, especially for a
collaborative project.

~~~
techsupporter
Yep and sometimes the name people know isn't the name that a CA will permit in
a certificate. I have one of those. I'm known as a shortened version of my
middle name, say Jack Quimby, but DigiCert and others insist that the cert be
issued to Alphonse Jackson Quimby, Jr.

OK I'll just buy an LLC from a state that's cheap (never mind the paperwork)
but that's no good either because the new entity had no listed phone number...

~~~
magnat
>OK I'll just buy an LLC

When I bought a code signing certificate for my LLC, in their infinite wisdom
the CA put "Spółka z ograniczoną odpowiedzialnością" as CN, because that's
what they saw on the proof of ownership. "Spółka z ograniczoną
odpowiedzialnością" literally means "Limited liability company" in Polish.

~~~
kstrauser
I know that must have been a pain in the neck for you, but that's hilarious.
Thanks for sharing!

~~~
Leace
Then I think you'll find this Poland-related story amusing too:
[http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7899171....](http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7899171.stm)

~~~
kstrauser
I love it.

------
vkaku
Good for them! Certificates are a bad business today. The only reason I'd get
one is because things like letsencrypt exist.

Orthogonally, I also think that $99 App Store fees are a terrible waste of
money. You should get charged only when submitting to an app store for review.

There are plenty of root certificates that came installed on my computer, and
I don't even trust them. Why would these CAs charge so much for so little
value?

~~~
jmull
I believe Apple has a free tier. There are limitations. It sounds like you'd
be fine with some of them, like you can't distribute through the app store.
But I think apps you load on your device expire quickly and there are other
limitations, so it really is for development, and not a great way to sideload
apps.

------
xpaulbettsx
At the end of the day, Notepad++ can't get a "Notepad++" cert because
"Notepad++" is not a Legal Entity (i.e. a corporation or living person). At
least from a policy perspective, Microsoft will only consider Legal Entities
to be valid code signatories.

Yes, this _is_ stupid and outdated, I agree - I personally think that Keybase
issuing code signing certificates and being able to verify that the person who
signed this also owns this GitHub and that Twitter account would still be
super valuable.

------
herf
Could post to Microsoft Store, which would let them do this for free.

~~~
jarjoura
I think if I remember correctly, they were opposed to going the store route
because it took too much effort building on top of the store sandbox and new
installer packaging.

------
mc32
Microsoft should jump in and afford the developer the cert out of good will
given MS until recently never had a good alternative to NP++.

~~~
jvehent
They have Visual Studio Code.

~~~
skrebbel
> until recently

------
arunc
These kinds of code-signing certificates should be free for free and open
source projects.

The D Language community recently [1][2] bought a certificate reluctantly to
satisfy Windows Defender, virus scan warnings, etc. Sadly we are stuck with
this immoral blackmail.

[1] [https://forum.dlang.org/post/sclqnbggytmyetwrxppb@forum.dlan...](https://forum.dlang.org/post/sclqnbggytmyetwrxppb@forum.dlang.org)

[2] [https://dlang.org/changelog/2.082.0.html#signed_windows_bina...](https://dlang.org/changelog/2.082.0.html#signed_windows_binaries)

------
pierotofy
Beside the fact that code signing is a racket,
[https://codesigncert.com/](https://codesigncert.com/) gets you a Comodo cert
for $75.

------
newnewpdro
This is slightly off-topic, but do indie game developers publishing on Steam
have to jump through this hoop to support Windows? Are all Windows games on
Steam signed?

------
royce
I'm startled that there's no mention of app whitelisting yet.

Code signing reduces ops overhead and latency in environments that are using
app whitelisting.

If the code is signed, then the signing certificate can be trusted _once_. All
upgrades and patches that are signed with that certificate can be
_automatically_ whitelisted, with no intervention from teams managing the
whitelisting.

But if the code _isn't_ signed, then if even a single byte changes in the
executable, it must be re-whitelisted - usually manually.

The more signed apps there are, the easier it is for companies to start using
application whitelisting, the fewer people are needed to maintain it, and the
faster patches to those applications can be deployed. Making it easier for
companies to move to whitelisting increases security for the ecosystem in the
aggregate.

------
JordanBoulan
Anyone have any source that cites its sources for the profit margins on code
signing rackets? I imagine for mobile the margins are especially high since
phone o/s design makes it much easier to put less effort into audits. I bet
the profit margins in both mobile and standard are absolutely monstrous. By
the principles of business I assume they put in the least amount of effort
possible while still putting in enough to protect themselves from blame.

------
jimktrains2
> I realize that code signing certificate is just an overpriced masturbating
> toy of FOSS authors.

I'm not sure what the author means by this.

~~~
tomc1985
Codesigning certs are a racket... the 'chain of trust' and documentation
requirements mean they are expensive and hard to get as an individual, yet oh-
so-essential for releasing software. Which also makes them status symbols,
which the author is rejecting.

I kind of see them like taxi medallions

~~~
gruez
>I kind of see them like taxi medallions

Taxi medallions are pricey because there's limited supply and high demand.
Code signing certificates have limited demand and unlimited supply, but are
expensive because they require manual verification (like EV certificates) and
have a bunch of startup costs (to get included as a root).

~~~
tomc1985
Factors keep both items expensive, and both are effectively required for doing
certain types of business.

~~~
cwyers
Medallions are an artificial constraint on supply -- the point of them is to
shrink the market. Code signing provides a benefit -- it's a way for a user to
ensure they have the right installer and that it wasn't changed by a nefarious
third party.

~~~
tomc1985
And are code-signing certs really so different? The reporting and regulatory
requirements behind them make me think that they are an intentional barrier-
to-entry for newcomers, amateurs, and startups, and the business student in me
admires their moat-like quality. Code-signing certs lock _a lot_ of people out
of certain channels of software distribution

------
crispyambulance
Does this mean that some users won't be allowed to install Notepad++ because
it's not signed? I know some corporate environments have restrictions on
downloaded installers.

Off topic, but I have to say that whenever I need to open _hundreds_ of files
at once and perform regex operations-- this editor rocks that task like no
other. Kudos to Notepad++

~~~
exodust
You might be right, although developers usually have local admin rights, so it
should be a matter of clicking past the warnings.

------
joelennon
You can buy a Windows code signing certificate from DigiCert for $74/yr (EV
certs are $104/yr) by going through this link -
[https://www.digicert.com/friends/sysdev/](https://www.digicert.com/friends/sysdev/)
- much easier to swallow than the standard $499!

------
forgery--
Companies using Carbon Black Protection (Bit9) or similar application
whitelisting systems use signing certificates to help approve software. Once I
approve the "Simon Tatham" certificate for my company, anyone can download the
latest version of PuTTY and run it without issue. I wish the trend was for
more software to be signed.

------
wozer
In Germany, Notepad++ is ubiquitous on Windows computers (every developer has
it). Is it like this in the US, too?

~~~
russdpale
In my experience, npp has been surpassed by vscode or atom. However, I have
recently found the markdown npp plugin and because of npp's speed, it's become
my go-to markdown editor/viewer.

If I need to just edit one file quickly with a simple change, npp is still my
go-to.

------
runarb
I am in a similar situation myself with Portable-VirtualBox. Does anyone know
where one can get a reasonably priced code signing certificate?

Preferably one that does not require a USB dongle. Did order one from Comodo,
but was not able to get the USB dongle to work.

------
laythea
I can't be alone in not caring too much about the cert.

Notepad++ - Crack on!

------
keithnz
Other than Microsoft's signed software, the fact it is signed doesn't really
mean much to me as I have no idea what anything should be signed with. What I
tend to trust is that I know specifically where I went to get a piece of
software. It is easier for me to tell what an official site is rather than an
official signature.

------
agumonkey
Let's see if that affects usage or not. I'm sure people like it so much they
won't care.

------
duxup
> I realize that code signing certificate is just an overpriced masturbating
> toy of FOSS authors

What does that mean?

------
docode
I'm on the same track. Definitely we need Let's Encrypt for code signing
certificates!

------
blibble
register Notepad++ Limited for about £10/$15?

~~~
tonyedgecombe
That comes with a ton of additional bureaucratic work.

~~~
blibble
In the UK a company takes about 10 minutes to set up and if not actively
trading requires about 5 minutes of work per year to keep going.

------
everyone
Good on 'im!

------
draw_down
Feels like there's an opportunity for some kind of organization to help
open-source developers out with this. It shouldn't be this hard for someone
trying to give away good work to the world. I used Notepad++ for a long time,
and still might if I spent any time in Windows.

~~~
tomc1985
I wonder if Lets Encrypt is working on code-signing certs? That would be a
huge win for FOSS

~~~
cm2187
How would Let's Encrypt verify the identity of the author?

~~~
ars
They could sign an email address instead of a name.

~~~
Spivak
Why bother with an email address? You could just punt the identity
verification to the domain registrars and sign the domain.

I don't really think this scheme would benefit the end user though.

~~~
vbezhenar
I would prefer notepad-plus-plus.org rather than some vague "Notepad, LLC",
registered somewhere in the world.

------
kpcyrd
It seems the author is very focused on signing with x509.

I'm wondering if they are aware of free alternatives like signify or pgp that
would work just as well (minus the windows UAC thing). Right now there are
only checksums but no way to verify they are from the author and are
distributed on the same server as the binary, so the only security layer is
https.

~~~
mariusmg
>(minus the windows UAC thing)

As a Windows-only project, UAC is the only thing that matters in this equation.

~~~
kpcyrd
I've just edited my comment to make this clearer. Doing code signing with
signify or pgp gives you a way to verify the binary you downloaded is
actually the file the developer built on their laptop, even if the webserver
is compromised. Linux ISOs are very commonly distributed that way. I agree
that it's extremely uncommon for Windows users to verify this though.

~~~
prepend
Windows does not care about non-windows recognized signatures.

So this works fine for users who care about gpg verification, but fails the
“Windows doesn’t prompt me about insecure stuff” test.

~~~
someguydave
Presumably the user who understands how GPG signing works also doesn't care
what Windows thinks.

