Community
    • Login

    Notepad++ v8.8.3 Release Candidate

    Scheduled Pinned Locked Moved Announcements
    14 Posts 6 Posters 837 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • mkupperM
      mkupper @PeterJones
      last edited by

      @PeterJones and others - Is the self-signed root cert going to be the permanent fix? It seems a lot of work being put into this by you and others.

      I have hoped that Notepad++ will soon get signed again via a normal CA.

      Related to that is will the https certificate for https://download.notepad-plus-plus.org/ will get renewed? It expired five years ago on Sat, 22 Feb 2020 19:46:00 GMT.

      PeterJonesP xomxX 2 Replies Last reply Reply Quote 0
      • PeterJonesP
        PeterJones @mkupper
        last edited by

        Related to that is will the https certificate for https://download.notepad-plus-plus.org/ will get renewed? It expired five years ago on Sat, 22 Feb 2020 19:46:00 GMT.

        Considering @donho said above, “BTW, I should make https work, I know - it’s on my TODO list.”, I can confidentally conclude that the goal is to get it renewed. ;-)

        Is the self-signed root cert going to be the permanent fix?

        My guess is that’s currently unknowable. It presumably depends on how long beaurocracy fights Don vs how much effort he is willing to expend.

        Given the number of complaints since v8.8.2, I think it’s worth the effort (at least, my tiny side of the effort) until such time as a different CA can be used: even if it’s only 1 version down the road (so a month later), saving that month of signed-installer posts will be worth it to me. :-)

        1 Reply Last reply Reply Quote 4
        • xomxX
          xomx @mkupper
          last edited by

          @mkupper said in Notepad++ v8.8.3 Release Candidate:

          Is the self-signed root cert going to be the permanent fix?

          I hope not. In the long term, a public trusted CA cert is needed, such as the previously used DigiCert one.

          But using a self-signed certificate is much much better from the BFU’s (or the Don’s grand-mom ;-) ) POV.

          No one can expect that BFU will install Kleopatra (and create the needed OpenPGP key pair etc etc…!) to verify the N++ distributed sigs. But using the standard Windows Explorer and Certificate interface for checking of the N++ executable digital signature == ok, even if “unverifiable” for now:

          npp-v883-1-unverifiable.png

          it’s a halfway where to go (BTW I saw somewhere that some corporate takes an unsigned 3rd party app and signed it with their own MS Azure self-signed cert just for an internal re-distribution).

          IMO - even if the above (very good!) description, for adding the N++ own cert to the trusted root ones, is not for every BFU in general, it’s still much better than want from them to learn how the OpenPGP (and public/private key stuff) works.
          After N++ is in Trusted Root CA:

          npp-v883-2-npp-cert-trusted.png

          Now the N++ executables:

          • can be trusted (verified the origin, with some acceptable effort)
          • prevents unnoticed modifications (common disk storage corruptions but also malicious modifs):

          npp-v883-3-npp-execode-modified.png

          (Sidenote: I’d not overestimate the executables digital sign in the malware fighting - nowadays many sophisticated attacks use patching already loaded process in memory and so they do not touch the executable files on disk at all…)

          mkupperM 1 Reply Last reply Reply Quote 4
          • donhoD
            donho @donho
            last edited by donho

            FYI, an error has been found in the certificates, so the root certificate and code signing certificate have been regenerated, and v8.8.3 RC binaries are signed again:
            http://download.notepad-plus-plus.org/repository/8.x/8.8.3.RC3/

            You can download both Notepad++ Root Certificate & Notepad++ Revocation list from the root of https://notepad-plus-plus.org.

            Graham NorrisG 1 Reply Last reply Reply Quote 1
            • Graham NorrisG
              Graham Norris @donho
              last edited by

              @donho How does one remove the previous one? I can’t find the previous (bad) certificate in the certification manager. Oh, and the revocation link doesn’t work: no file.

              donhoD xomxX 2 Replies Last reply Reply Quote 0
              • donhoD
                donho @Graham Norris
                last edited by

                @Graham-Norris said in Notepad++ v8.8.3 Release Candidate:

                Oh, and the revocation link doesn’t work: no file.

                Fixed now.

                1 Reply Last reply Reply Quote 1
                • xomxX
                  xomx @Graham Norris
                  last edited by

                  @Graham-Norris said in Notepad++ v8.8.3 Release Candidate:

                  I can’t find the previous (bad) certificate in the certification manager.

                  Maybe you used for the N++ cert “Store location” Local Machine instead of the Current User?

                  If so, try to launch “certlm.msc” MMC snap-in instead of the above mentioned “certmgr.msc”.

                  1 Reply Last reply Reply Quote 3
                  • donhoD
                    donho @donho
                    last edited by

                    The latest, and I believe the last update:
                    http://download.notepad-plus-plus.org/repository/8.x/8.8.3.RC4/

                    Very sorry about that. Some errors found in the certificate and I have had to regenerate the ROOT CA & the signing certificate.
                    Anyway, it seems all OK now, so I can promise you it’s the last one.

                    1 Reply Last reply Reply Quote 3
                    • mkupperM
                      mkupper @xomx
                      last edited by

                      @xomx Thank you. When I downloaded and installed the certificate from https://notepad-plus-plus.org/nppRoot.crt that the installer process popped up:

                      ---------------------------
Security Warning
---------------------------
You are about to install a certificate from a certification authority (CA) claiming to represent:

Notepad++

Windows cannot validate that the certificate is actually from "Notepad++". You should confirm its origin by contacting "Notepad++". The following number will assist you in this process:

Thumbprint (sha1): C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB

Warning:

If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk.

Do you want to install this certificate?

---------------------------
Yes   No   
---------------------------

                      The thumbprint C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB is not mentioned in the user manual. I tried Google for “C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB” and then “C4E7785B6DD1DAF2AEDE5C994BB3D495AF7B45AB” but it was not found.

                      1 Reply Last reply Reply Quote 0
                      • Xuân-Thơ HOÀNGX
                        Xuân-Thơ HOÀNG
                        last edited by

                        I have no issue with v8.8.2

                        But with v8.8.3 (all RC), installed the cert. (checked in Local Machine & Current User), i have the issue (newly program detected) by Trend Apex One (my company).

                        Thanks for your support, Notepad++ is my favorite editor. I’m currenty using portable edition.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        The Community of users of the Notepad++ text editor.
                        Powered by NodeBB | Contributors