Notepad++ v8.8.3 Release Candidate

mkupper

@PeterJones and others - Is the self-signed root cert going to be the permanent fix? It seems a lot of work being put into this by you and others.

I have hoped that Notepad++ will soon get signed again via a normal CA.

Related to that is will the https certificate for https://download.notepad-plus-plus.org/ will get renewed? It expired five years ago on Sat, 22 Feb 2020 19:46:00 GMT.

PeterJones

Related to that is will the https certificate for https://download.notepad-plus-plus.org/ will get renewed? It expired five years ago on Sat, 22 Feb 2020 19:46:00 GMT.

Considering @donho said above, “BTW, I should make https work, I know - it’s on my TODO list.”, I can confidentally conclude that the goal is to get it renewed. ;-)

Is the self-signed root cert going to be the permanent fix?

My guess is that’s currently unknowable. It presumably depends on how long beaurocracy fights Don vs how much effort he is willing to expend.

Given the number of complaints since v8.8.2, I think it’s worth the effort (at least, my tiny side of the effort) until such time as a different CA can be used: even if it’s only 1 version down the road (so a month later), saving that month of signed-installer posts will be worth it to me. :-)

xomx

@mkupper said in Notepad++ v8.8.3 Release Candidate:

Is the self-signed root cert going to be the permanent fix?

I hope not. In the long term, a public trusted CA cert is needed, such as the previously used DigiCert one.

But using a self-signed certificate is much much better from the BFU’s (or the Don’s grand-mom ;-) ) POV.

No one can expect that BFU will install Kleopatra (and create the needed OpenPGP key pair etc etc…!) to verify the N++ distributed sigs. But using the standard Windows Explorer and Certificate interface for checking of the N++ executable digital signature == ok, even if “unverifiable” for now:

it’s a halfway where to go (BTW I saw somewhere that some corporate takes an unsigned 3rd party app and signed it with their own MS Azure self-signed cert just for an internal re-distribution).

IMO - even if the above (very good!) description, for adding the N++ own cert to the trusted root ones, is not for every BFU in general, it’s still much better than want from them to learn how the OpenPGP (and public/private key stuff) works.
After N++ is in Trusted Root CA:

Now the N++ executables:

• can be trusted (verified the origin, with some acceptable effort)
• prevents unnoticed modifications (common disk storage corruptions but also malicious modifs):

(Sidenote: I’d not overestimate the executables digital sign in the malware fighting - nowadays many sophisticated attacks use patching already loaded process in memory and so they do not touch the executable files on disk at all…)

donho

FYI, an error has been found in the certificates, so the root certificate and code signing certificate have been regenerated, and v8.8.3 RC binaries are signed again:
http://download.notepad-plus-plus.org/repository/8.x/8.8.3.RC3/

You can download both Notepad++ Root Certificate & Notepad++ Revocation list from the root of https://notepad-plus-plus.org.

Graham Norris

@donho How does one remove the previous one? I can’t find the previous (bad) certificate in the certification manager. Oh, and the revocation link doesn’t work: no file.

donho

@Graham-Norris said in Notepad++ v8.8.3 Release Candidate:

Oh, and the revocation link doesn’t work: no file.

Fixed now.

xomx

@Graham-Norris said in Notepad++ v8.8.3 Release Candidate:

I can’t find the previous (bad) certificate in the certification manager.

Maybe you used for the N++ cert “Store location” Local Machine instead of the Current User?

If so, try to launch “certlm.msc” MMC snap-in instead of the above mentioned “certmgr.msc”.

donho

The latest, and I believe the last update:
http://download.notepad-plus-plus.org/repository/8.x/8.8.3.RC4/

Very sorry about that. Some errors have been found in the certificate and I have had to regenerate the ROOT CA & the signing certificate.
Anyway, it seems all OK now, so I can promise you it’s the last one.

mkupper

@xomx Thank you. When I downloaded and installed the certificate from https://notepad-plus-plus.org/nppRoot.crt that the installer process popped up:

---------------------------
Security Warning
---------------------------
You are about to install a certificate from a certification authority (CA) claiming to represent:

Notepad++

Windows cannot validate that the certificate is actually from "Notepad++". You should confirm its origin by contacting "Notepad++". The following number will assist you in this process:

Thumbprint (sha1): C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB

Warning:

If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk.

Do you want to install this certificate?

---------------------------
Yes   No   
---------------------------

The thumbprint C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB is not mentioned in the user manual. I tried Google for “C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB” and then “C4E7785B6DD1DAF2AEDE5C994BB3D495AF7B45AB” but it was not found.

Xuân-Thơ HOÀNG

I have no issue with v8.8.2

But with v8.8.3 (all RC), installed the cert. (checked in Local Machine & Current User), i have the issue (newly program detected) by Trend Apex One (my company).

Thanks for your support, Notepad++ is my favorite editor. I’m currenty using portable edition.

PeterJones

@mkupper said in Notepad++ v8.8.3 Release Candidate:

The thumbprint C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB is not mentioned

@donho , did you want to add the links to the Root CA and CRL files on https://notepad-plus-plus.org/resources/ , along with the thumbprints for the Root CA and the current signing certificate you are using?

Since you have the GPG there, it makes sense to also share the details of the new CA and signing certs there as well.

I could then have the Manual link to that page for people to confirm the thumbprints for the certs.

donho

@PeterJones said in Notepad++ v8.8.3 Release Candidate:

@donho , did you want to add the links to the Root CA and CRL files on https://notepad-plus-plus.org/resources/ , along with the thumbprints for the Root CA and the current signing certificate you are using?

The paths of revocation list (crl) and root certificate are indicated in the Notepad++ code signing certificate (you can find them in the section “Details”):

CRL Distribution Point:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://notepad-plus-plus.org/nppRevoke.crl

Authority Information Access:

[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://notepad-plus-plus.org/nppRoot.crt

So, firstly if we want to move these 2 files to resources directory, this code signing certificate should be revoked, then a new certificate can be regenerated with 2 modified paths. the RC should be signed again and RC5 should be checked again by the community…

Secondly, since such information is imposed by the certificate, for me
URL=http://notepad-plus-plus.org/nppRoot.crt
looks more serious then
URL=http://notepad-plus-plus.org/resources/nppRoot.crt,
and they are more accessible for the antivirus vendors, IT ppl & users (just under the root - shorter and simpler).

For the above reasons, let’s keep it as it is. If it’s really bothering, we can always change in 3 years.

PeterJones

@donho ,

Sorry, I think I didn’t communicate clearly enough. I meant add a paragraph/section to the page at https://notepad-plus-plus.org/resources/ , which will link to the files which can stay at https://notepad-plus-plus.org/nppRoot.crt and https://notepad-plus-plus.org/resources/nppRoot.crt , and give details about those files, just like you do for the “Release Key”. Something like:

You don’t have to use exactly that phrasing – I just mocked it up similar to what you had in the earlier section on that page.

<h2>Self-Signed Root Certificate Authority & Signing Key</h2>
<p>Notepad++ currently uses its own Root Certificate Authority (CA) for creating signing keys.
</p>
<ul>
    <li>URL = <a href="https://http://notepad-plus-plus.org/nppRoot.crt">https://http://notepad-plus-plus.org/nppRoot.crt</a></li>
    <li>Issued to: Notepad++</li>
    <li>Issued by: Notepad++</li>
    <li>Valid from 7/7/2025 to 7/7/2055</li>
    <li>Thumbprint = <tt>c4e7785b6dd1daf2aede5c994bb3d495af7b45ab</tt></li>
    <li>Revocation List = <a href="https://notepad-plus-plus.org/nppRevoke.crl">https://notepad-plus-plus.org/nppRevoke.crl</a></li>
    <li>Instructions = See the <a href="https://npp-user-manual.org/docs/getting-started/#notepad-self-signed-certificate-authority-for-binaries">User Manual: Getting Started: Self-Signed Certificate Authority</a></li>
</ul>
<p>The current signing certificate has the following details:</p>
<ul>
    <li>Issued to: Notepad++</li>
    <li>Issued by: Notepad++</li>
    <li>Valid from 7/7/2025 to 7/7/2028</li>
    <li>Thumbprint = <tt>1c20840863e00c00bcdc30362121693e54966a28</tt></li>
</ul>

This information will allow people to verify that they have correctly downloaded the right Root Certificate Authority, similar to the way you let them verify the GPG signature.

To sum up: I wasn’t asking you to change the URL of the certs or to re-issue them. I was asking you to publish the data about them on the main website, similar to the way you publish the data about the GPG signature on the main website.

donho

@PeterJones said in Notepad++ v8.8.3 Release Candidate:

You don’t have to use exactly that phrasing – I just mocked it up similar to what you had in the earlier section on that page.

Yes, you’re right - I forgot the part of resources!
I will add the information into this page, so it will be available during the release process.
Thank you for the reminding!

xomx

@donho said in Notepad++ v8.8.3 Release Candidate:

URL=http://notepad-plus-plus.org/nppRevoke.crl

URL=http://notepad-plus-plus.org/nppRoot.crt

Maybe I’m a little bit lost in all that RC versions, but now I dl again the RC4 ones x64 installer and it’s signed like the above statements, which is just wrong, isn’t it? (should be with https instead):

Edit: Seems like MS own signed executables have the same http-only.

donho

@xomx said in Notepad++ v8.8.3 Release Candidate:

Maybe I’m a little bit lost in all that RC versions, but now I dl again the RC4 ones x64 installer and it’s signed like the above statements, which is just wrong, isn’t it? (should be with https instead):

The use of “http” instead of “https” wasn’t a mistake - that’s simply how it was done. You can check other digitally signed programs to confirm this.

In RC5280 “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”, Security Considerations section:

 CAs SHOULD NOT include URIs that specify https, ldaps, or similar
   schemes in extensions.  CAs that include an https URI in one of these
   extensions MUST ensure that the server's certificate can be validated
   without using the information that is pointed to by the URI.  Relying
   parties that choose to validate the server's certificate when
   obtaining information pointed to by an https URI in the
   cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess
   extensions MUST be prepared for the possibility that this will result
   in unbounded recursion.

ref: https://datatracker.ietf.org/doc/html/rfc5280

donho

While writing the release notes, I realized the both certificates (root certificate & code signing certificate) of RC4 have the same information while displaying:

Issued to: Notepad++
Issued by: Notepad++
Valid from 7/7/2025 to XXXXX

Only the the valid dates (to XXXXX) are different.

To avoid users’ confusion, I did a new root certificate and a new code signing certificate and signed the release again:
http://download.notepad-plus-plus.org/repository/8.x/8.8.3.RC5/

xomx

@donho said in Notepad++ v8.8.3 Release Candidate:

Only the the valid dates (to XXXXX) are different.

To avoid users’ confusion, I did a new root certificate and a new code signing certificate and signed the release again:

?, the shown “to XXXXX” remains different as before:

last root-cert: Valid from 7/9/2025 to 7/9/2055
cert in signed RC5 binary: Valid from 7/9/2025 to 7/9/2028

Root-certs usually have longer expiration date, I don’t see a problem with it.

donho

@xomx said in Notepad++ v8.8.3 Release Candidate:

Root-certs usually have longer expiration date, I don’t see a problem with it.

The point is on “Issued to” & “Issued by”: the information should be difference between 2 certificates.
It’s more clear in RC5 for users:

Root certificate: (Self-signed root certificate)

---

Code signing certificate (Code signing certicate issued by Self-signed root certificate)

xomx

@donho said in Notepad++ v8.8.3 Release Candidate:

The point is on “Issued to” & “Issued by”: the information should be difference between 2 certificates.

Ah, now I see it, thanks.

The important is, you left the code-signing one “Issued to” to be the Notepad++, so the possible future UAC pop-ups can say “Notepad++” as the “Verified publisher” (with the N++ cert in the Trusted Root CA) as it was before, right?