When you install Notepad++ version 7.6.4, you might notice there is no more blue "trusted publisher" UAC popup. Here is the explanation of why we removed code signing from Notepad++:
Three years ago DigiCert donated a 3-year code signing certificate to the project, and every good thing has its end: the certificate has been expired since the beginning of this year.
I was trying to purchase another certificate at a reasonable price. However, I cannot use "Notepad++" as the CN to sign with, because Notepad++ doesn't exist as a company or organization. I wasted hours and hours on getting a suitable certificate instead of working on the essential thing, the Notepad++ project. I realize that a code signing certificate is just an overpriced masturbating toy for FOSS authors: Notepad++ has done without a certificate for more than 10 years, and I don't see why I should add the dependency now (and be an accomplice of this overpricing industry). I have decided to do without it.
This does not mean there is no more security in Notepad++, but it will be less convenient for sure:
The SHA256 hash of the installer and of the other packages will be provided for every release, as usual. Too bad about the ugly yellow-orange UAC popup during installation.
Notepad++ will check the SHA256 hashes of all the components it uses (SciLexer.dll, GUP.exe and nppPluginList.dll).
Markdown support was supposed to work in v7.6.3, but the needed file wasn't deployed correctly by the installer. The bug is fixed in this version. Additionally, Markdown is available in every package from this release on.
The European Commission's Free and Open Source Software Auditing (EU-FOSSA) bug bounty program is still in progress; a few vulnerability issues and some crash bugs were identified and fixed in this release, thanks to the HackerOne team's help.
Since version 7.6.5 of Notepad++, the distribution packages are signed with a digital signature using GnuPG (GNU Privacy Guard). This allows users to reliably validate the authenticity and integrity of Notepad++ packages, provided that the Notepad++ signing public key is obtained through a trusted channel and its fingerprint is verified before use.
On Windows you can use native GnuPG (https://gnupg.org), which works on the command line, or Gpg4win (https://www.gpg4win.org), which is based on GnuPG and has a nice GUI. Of course you can also use PGP Desktop, which nowadays is provided by Symantec. Most Linux distributions ship with GnuPG installed by default; if you don't have it, install it using your distribution's package manager.
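The two checks described above, a published SHA256 list (7.6.4) and a detached GnuPG signature (7.6.5 and later), as one worked verification routine. This is an added example, not code from the Notepad++ project. Its assumptions, which the release notes do not state, are: the published hash list uses the sha256sum layout ("<hex digest>  <file name>", one per line); `gpg` is on PATH and the project's signing public key has already been imported after its fingerprint was checked against an out-of-band source; and the file names and contents in the demo fixture are constructed, not real release artefacts.

```python
"""Verify a downloaded release: SHA256 manifest check plus a GnuPG
detached-signature check with a pinned signing-key fingerprint.
Added example; not part of the Notepad++ code base."""
import hashlib
import hmac
import os
import subprocess
import tempfile


def parse_sha256_manifest(text):
    """Return {file name: lowercase hex digest} from a sha256sum-style list.

    ASSUMPTION: the published list uses the sha256sum layout, i.e.
    "<64 hex chars>  <name>" or "<64 hex chars> *<name>" (binary mode).
    Blank lines and '#' comments are skipped; a malformed digest is an error."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed digest on line: %r" % raw)
        expected[name] = digest
    return expected


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA256 so large installers need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(manifest_text, directory):
    """For every manifest entry: True (hash matches), False (mismatch),
    None (file not present in the directory)."""
    results = {}
    for name, digest in parse_sha256_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = None
            continue
        # compare_digest: constant-time comparison of the two hex strings
        results[name] = hmac.compare_digest(sha256_of_file(path), digest)
    return results


def verify_gpg_signature(package, signature, expected_fingerprint):
    """Run `gpg --verify` and accept only a VALIDSIG made by the pinned key.

    ASSUMPTION: gpg is on PATH and the signing public key is already in the
    keyring. A GOODSIG from *any* imported key is deliberately not enough:
    the fingerprint reported on the VALIDSIG status line must match."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, package],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True,
    )
    if proc.returncode != 0:
        return False
    want = expected_fingerprint.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        fields = line.split()
        # Status line layout: "[GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ..."
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return hmac.compare_digest(fields[2].upper(), want)
    return False


# Standard SHA256 test vectors, so the demo needs no download.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def run_demo():
    """Constructed fixture (names and contents are made up): one intact file,
    one tampered file, and one file that is listed but missing."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "npp.Installer.exe"), "wb") as f:
            f.write(b"abc")            # matches its manifest entry
        with open(os.path.join(d, "npp.bin.zip"), "wb") as f:
            f.write(b"tampered")       # manifest lists the empty-file hash
        manifest = "\n".join([
            "# constructed manifest, sha256sum layout",
            SHA256_ABC + "  npp.Installer.exe",
            SHA256_EMPTY + " *npp.bin.zip",
            SHA256_EMPTY + "  npp.bin.7z",
        ])
        return verify_manifest(manifest, d)


if __name__ == "__main__":
    labels = {True: "OK", False: "MISMATCH", None: "MISSING"}
    for name, ok in run_demo().items():
        print("%-20s %s" % (name, labels[ok]))
```

For a real download, call verify_manifest() with the text of the published hash list and the download directory, then verify_gpg_signature() with the package, its .sig file and the fingerprint you recorded when you imported the key. A hash list fetched from the same server as the binary only proves the download was not corrupted or swapped in transit; the signature is what ties the package to the project's key, and that guarantee is only as strong as the fingerprint you pinned.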