Sign installers attached to project's "releases" page #219

Open

seanthegeek opened this issue Dec 12, 2019 · 2 comments

Comments

@seanthegeek

I realize there is a cost involved, but the unsigned Windows installers currently trigger Windows SmartScreen, which of course can be bypassed, but this may discourage new users.

@vladimiry (Owner)

Thanks for the input. I understand the concern, but providing signed packages for Windows/macOS is not planned for the near future. Yes, there is the cost involved, but the maintenance burden also increases.

Relevant quote from https://notepad-plus-plus.org/news/v764-released/ (also see the Hacker News discussion if interested):

I was trying to purchase another certificate with reasonable price. However I cannot use “Notepad++” as CN to sign because Notepad++ doesn’t exist as company or organization. I wasted hours and hours for getting one suitable certificate instead of working on essential thing - Notepad++ project. I realize that code signing certificate is just an overpriced masturbating toy for FOSS authors - Notepad++ has done without certificate for more than 10 years, I don’t see why I should add the dependency now (and be an accomplice of this overpricing industry). I decide to do without it.

@vladimiry (Owner) commented Jan 28, 2020

By the way, signing the packages doesn't guarantee that the packages attached to releases have been automatically assembled from the source code. So it doesn't help with ensuring that no tampered/random/backdoored/malicious stuff got selectively/manually injected into the packages. But a way to do such verification is provided, see #183 (we print hashes on CI servers and attach links to the CI build logs to releases). So a better package-origin verification option is provided than just signing.
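The check the comment above describes (compare the hashes printed in the CI build log against the files actually attached to the release), written out as an added example. This is not the project's own tooling: it assumes the CI log prints hashes in `sha256sum` style ("<hex>  <path>") and that the base file names in the log match the release attachment names. The log excerpt and the artifact contents below are constructed for the demonstration.

```python
"""Verify release artifacts against hashes printed in a CI build log.

Added example (not the project's tooling). Assumptions: the CI log contains
lines in `sha256sum` format, and release attachments are named like the
files hashed on CI. Sample log text and file contents are constructed.
"""
import hashlib
import hmac
import re
import sys
from pathlib import Path

# One "<64 hex chars>  <path>" entry per line, as `sha256sum` prints it.
# CI logs carry other noise (timestamps, build output), so match per line.
HASH_LINE = re.compile(r"^\s*([0-9a-fA-F]{64})\s+\*?(\S.*?)\s*$")


def parse_ci_log(log_text: str) -> dict[str, str]:
    """Extract {basename: sha256hex} from a CI log excerpt.

    Non-hash lines are ignored. The same name appearing twice with different
    digests raises: an ambiguous log cannot serve as a trust anchor.
    """
    expected: dict[str, str] = {}
    for line in log_text.splitlines():
        m = HASH_LINE.match(line)
        if not m:
            continue
        digest, name = m.group(1).lower(), Path(m.group(2)).name
        if name in expected and expected[name] != digest:
            raise ValueError(f"conflicting hashes for {name} in CI log")
        expected[name] = digest
    return expected


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a (possibly large) installer without loading it all into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(artifacts: dict[str, bytes], expected: dict[str, str]) -> dict[str, str]:
    """Compare downloaded artifacts (name -> bytes) with CI-printed hashes.

    Verdict per artifact: "ok", "MISMATCH", or "NOT-IN-CI-LOG". The last one
    is the case this thread is about: a file attached to the release that the
    CI log never hashed carries no evidence of having been built by CI at all,
    whether or not it is code-signed.
    """
    verdicts: dict[str, str] = {}
    for name, data in artifacts.items():
        want = expected.get(name)
        if want is None:
            verdicts[name] = "NOT-IN-CI-LOG"
            continue
        got = sha256_of_bytes(data)
        # compare_digest avoids a timing side channel; harmless for local
        # files, and the right habit whenever digests are compared.
        verdicts[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    return verdicts


# Constructed CI log excerpt: two hash lines surrounded by ordinary build noise.
SAMPLE_LOG = """\
[12:01:03] Building installers...
[12:05:44] $ sha256sum dist/*
{exe}  dist/app-setup.exe
{dmg}  dist/app.dmg
[12:05:45] Done.
"""


def demo() -> dict[str, str]:
    """Run the check over constructed artifacts covering all three verdicts."""
    good_exe = b"installer bytes built on CI"          # constructed content
    good_dmg = b"dmg bytes built on CI"                # constructed content
    log = SAMPLE_LOG.format(exe=sha256_of_bytes(good_exe), dmg=sha256_of_bytes(good_dmg))
    downloaded = {
        "app-setup.exe": good_exe,                     # matches the CI log
        "app.dmg": good_dmg + b"\x00tampered",         # altered after the CI build
        "app.AppImage": b"uploaded by hand",           # never hashed on CI
    }
    return verify_artifacts(downloaded, parse_ci_log(log))


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Real use: python verify.py <ci-log.txt> <downloaded files...>
        expected = parse_ci_log(Path(sys.argv[1]).read_text())
        files = {Path(p).name: Path(p).read_bytes() for p in sys.argv[2:]}
        results = verify_artifacts(files, expected)
    else:
        results = demo()
    for name, verdict in results.items():
        print(f"{verdict:14} {name}")
    sys.exit(0 if all(v == "ok" for v in results.values()) else 1)
```

This proves only that the attached file is byte-identical to what the CI job hashed; it says nothing about whether the CI job itself was fed untampered source, and anyone who can rewrite both the release attachment and the linked log (or the CI job) can still defeat it. That is still a stronger origin statement than a code signature alone, which only binds the file to whoever held the signing key.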

@vladimiry vladimiry changed the title Sign windows installers Sign installers attched to project's "releases" page Sep 7, 2021
@vladimiry vladimiry changed the title Sign installers attched to project's "releases" page Sign installers attached to project's "releases" page Sep 7, 2021