How Are You Handling the Notepad++ 8.8.3 Self-Signed Cert Situation?

Asked By CuriousCoder42 On

I'm wondering how others are dealing with the Notepad++ 8.8.3 release following the CVE-2025-49144 vulnerability. Their code-signing certificate expired, and since they're not set up as a business, it's been tough for them to renew it with DigiCert. As a result, version 8.8.3 was released with a self-signed certificate. While this is better than having an unsigned binary, it means we need to add this self-signed cert to our Trusted Root CA store, which feels risky given the potential exposure to threats from malicious binaries that could get signed with it. The developers are still trying to obtain a cert from a recognized authority for future releases, but the outlook seems grim. What are the best practices for handling this, and should we just wait for a future release with a proper cert?

5 Answers

Answered By FutureThinking On

It's a tricky spot. They've really put their users in a bind with this situation. The idea of supporting them by crowdfunding for a proper cert could be useful, but I imagine there's more to it.

SupporterOfFOSS -

The problem isn't finances; they literally can't get a proper cert because they're not a registered business.

CommunityDriven -

Right? The community should brainstorm safer deployment options to get through this.

Answered By OSSFanatic On

Honestly, it's a big question mark for me too. I'm not keen on using software that doesn't have a valid public trust cert, but being a popular tool like Notepad++, it’s hard to ignore. I wish they had a better plan.

FrustratedUser -

I just held off on updating until there's a stable version with a proper cert. It's frustrating how these vulnerabilities get handled.

OldSchoolDev -

Totally! I still use 7-zip, and I wasn't worried about its signing, but in a business context, this feels different. And the CVE issues raised a lot of alarms.

Answered By TechSavvySteve On

It seems like they might need to consider using services like Azure Code Signing instead of pursuing their own certificate. The newer restrictions on code signing can really complicate things. We've had to get our own signing cert, and using Azure Key Vault has made that process smoother, all without needing USB keys. It's just easier than trying to get a physical token to work with distributed development.

DevOpsDude -

Totally agree! We switched to Azure too, but it can feel like you're giving up ownership if everything turns into a subscription. It's a tricky balance.

CodeNinja88 -

And I hear DigiCert doesn't even require USB keys anymore for signing certificates. Something like Keylocker Cloud could be a good alternative.

Answered By RiskAware On

I wouldn't add that self-signed cert to our trusted store. It's a valid concern to avoid relying on a third-party self-signed CA. There's a lot of risk involved with that, especially with their history of being hacked.

SecurityEnthusiast -

Exactly. If they don't have proper policies and auditing, trusting such a CA can be dangerous. It seems better to use a private PKI provider to streamline things.

CautiousAdmin -

Right! It's naive to think a self-signed cert is secure enough when it could theoretically sign for any hostname.

Answered By SourceBuilder On

I decided to build it from source and use my own code-signing certificate issued by our internal CA. It's a hassle but ensures that we maintain control over security.
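Following RiskAware's point about not importing the self-signed certificate into the Trusted Root store, here is an added PowerShell example (not from this thread and not code from the Notepad++ project) that instead pins the signer certificate's thumbprint and the installer's SHA-256 hash before deployment. The pinned values and the installer path are placeholders to be replaced with values obtained out of band, e.g. from the project's release announcement.

```powershell
# Added example: verify a downloaded installer against a pinned signer thumbprint
# and a pinned SHA-256 hash, without adding the self-signed certificate to the
# Trusted Root CA store. Both pinned values are PLACEHOLDERS (assumed, not from
# the thread); obtain the real values out of band and replace them before use.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    [string]$PinnedThumbprint = 'REPLACE_WITH_PINNED_SIGNER_THUMBPRINT',
    [string]$PinnedSha256     = 'REPLACE_WITH_PINNED_INSTALLER_SHA256'
)

# 1. Read the Authenticode signature. With a self-signed signer the chain does not
#    end in a trusted root, so Status will not be 'Valid'. We therefore do not rely
#    on chain trust; we compare the embedded signer certificate to the pinned one
#    and explicitly reject the cases that indicate tampering or no signature.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -in @('NotSigned', 'HashMismatch', 'NotSupportedFileFormat')) {
    throw "Signature check failed for ${InstallerPath}: $($sig.Status) - $($sig.StatusMessage)"
}
if ($null -eq $sig.SignerCertificate) {
    throw "No signer certificate present in the signature on $InstallerPath"
}
$actualThumbprint = $sig.SignerCertificate.Thumbprint
if ($actualThumbprint -ne $PinnedThumbprint) {
    throw "Signer thumbprint $actualThumbprint does not match the pinned thumbprint"
}
Write-Host "Signer certificate matches pinned thumbprint (status: $($sig.Status))"

# 2. Pin the installer content itself as an independent second check; this is
#    what actually proves the file is the one that was published, since the
#    thumbprint only proves which certificate was used to sign it.
$actualHash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($actualHash -ne $PinnedSha256.ToUpperInvariant()) {
    throw "SHA-256 $actualHash does not match the pinned installer hash"
}
Write-Host "Installer hash matches pinned SHA-256; both pins passed for $InstallerPath"
```

Re-pin both values for every release; a thumbprint that changes between releases without an announced certificate rotation is itself a signal worth investigating before deploying.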
