tech234a 7 hours ago

Notably Notepad++ was recently shipping unsigned/self-signed updates, apparently overlapping with the time of this incident, see releases 8.8.2-8.8.6: https://notepad-plus-plus.org/news/

bakugo 7 hours ago | parent

So they just conveniently decided not to sign their releases right around the time they were supposedly "hacked"?

Something doesn't seem right here.

adzm 6 hours ago | parent

Code signing certs are unfortunately expensive

1una 2 hours ago | parent | next

$0 at SignPath. Quite a few OSS projects use it.

firesteelrain 6 hours ago | parent | prev

$700+ at Sectigo for two years

Something of Notepad++ size might think about it now

abeyer 4 hours ago | parent | next

"of Notepad++ size" is basically one guy in his free time, no?

eviks 4 hours ago | parent

"But look at those downloads, they magically print money"

firesteelrain 2 hours ago | parent

Notepad++ is Windows-based and could use the Windows Store instead of the built-in updater. Microsoft charges a one-time fee. It would pass SmartScreen checks. His website has a bunch of ads integrated which I assume are there to help pay for hosting.

Mr. Ho already has hosting charges and he uses GitHub. For those who use GitHub, he could continue his GnuPG method for signing. Additionally, GitHub integrates with Sigstore. Windows wouldn’t trust his signature but at least there would be better traceability. Version 8.8.7 labeled “authenticity guaranteed” is a step in that direction.

The real “issue” here was his outside hosting platform for updates from my reading of the article.
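The GnuPG signing method mentioned above only protects users if the updater or the person installing actually checks the signature, and checks it against a pinned key rather than accepting any "Good signature" from whatever key happens to be in the keyring. The following shell functions are an added illustration of that verification step; they are not Notepad++'s updater or any code from this thread, and every filename, checksum and key fingerprint they take is a constructed placeholder (the function names `verify_checksum`, `verify_signature` and `verify_release` are likewise hypothetical).

```shell
#!/bin/sh
# Added example (not from the thread): a minimal release-verification step an
# updater, or a cautious user, can run before installing a downloaded build.
# All paths, hashes and fingerprints passed in are constructed placeholders.

# SHA-256 of a file, portable across coreutils (sha256sum) and macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_checksum FILE EXPECTED_HEX
# Succeeds only if FILE hashes to the pinned value. A checksum published next
# to the download proves the transfer was intact, not who built the artifact;
# an attacker who can replace the binary on the host can replace the hash too.
verify_checksum() {
  [ -f "$1" ] || return 1
  [ "$(sha256_of "$1")" = "$2" ]
}

# verify_signature FILE SIG PINNED_FINGERPRINT
# Succeeds only if gpg reports a valid detached signature AND the signing key's
# full fingerprint equals the one pinned here. "Good signature" on its own is
# not enough: any key present in the local keyring would satisfy it.
verify_signature() {
  file="$1"; sig="$2"; pinned="$3"
  command -v gpg >/dev/null 2>&1 || return 1
  # --status-fd 1 puts machine-readable status lines on stdout; the VALIDSIG
  # line carries the signing key's fingerprint as its first field.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $pinned "
}

# verify_release FILE SIG EXPECTED_HEX PINNED_FINGERPRINT
# Both checks must pass; refuse to install on any failure.
verify_release() {
  verify_checksum "$1" "$3" && verify_signature "$1" "$2" "$4"
}
```

Usage, with placeholder arguments: `verify_release npp.installer.exe npp.installer.exe.sig <pinned-sha256> <pinned-key-fingerprint> && install`. The fingerprint belongs in the verifier itself (or in the updater binary), not in a file fetched from the same host as the release, since the whole point is to detect a compromised download server.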

hjoutfbkfd 2 hours ago | parent | prev

The issue was not the money, but that it was difficult to get a certificate without having some sort of legal entity.

firesteelrain 2 hours ago | parent

Certum.eu has this figured out.

https://support.certum.eu/en/code-signing-required-documents...

https://shop.certum.eu/open-source-code-signing-on-simplysig...

$49 (EU) Gross