Community
    • Login

    Notepad++ v8.8.3 Release Candidate

    Scheduled Pinned Locked Moved Announcements
    38 Posts 9 Posters 5.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • xomxX
      xomx @Graham Norris
      last edited by

      @Graham-Norris said in Notepad++ v8.8.3 Release Candidate:

      I can’t find the previous (bad) certificate in the certification manager.

      Maybe you used for the N++ cert “Store location” Local Machine instead of the Current User?

      If so, try to launch “certlm.msc” MMC snap-in instead of the above mentioned “certmgr.msc”.

      1 Reply Last reply Reply Quote 3
      • donhoD
        donho @donho
        last edited by donho

        The latest, and I believe the last update:
        http://download.notepad-plus-plus.org/repository/8.x/8.8.3.RC4/

        Very sorry about that. Some errors have been found in the certificate and I have had to regenerate the ROOT CA & the signing certificate.
        Anyway, it seems all OK now, so I can promise you it’s the last one.

        1 Reply Last reply Reply Quote 3
        • mkupperM
          mkupper @xomx
          last edited by

          @xomx Thank you. When I downloaded and installed the certificate from https://notepad-plus-plus.org/nppRoot.crt that the installer process popped up:

          ---------------------------
          Security Warning
          ---------------------------
          You are about to install a certificate from a certification authority (CA) claiming to represent:
          
          Notepad++
          
          Windows cannot validate that the certificate is actually from "Notepad++". You should confirm its origin by contacting "Notepad++". The following number will assist you in this process:
          
          Thumbprint (sha1): C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB
          
          Warning:
          
          If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk.
          
          Do you want to install this certificate?
          
          ---------------------------
          Yes   No   
          ---------------------------
          

          The thumbprint C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB is not mentioned in the user manual. I tried Google for “C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB” and then “C4E7785B6DD1DAF2AEDE5C994BB3D495AF7B45AB” but it was not found.

          PeterJonesP 1 Reply Last reply Reply Quote 0
          • Xuân-Thơ HOÀNGX
            Xuân-Thơ HOÀNG
            last edited by

            I have no issue with v8.8.2

            But with v8.8.3 (all RC), installed the cert. (checked in Local Machine & Current User), i have the issue (newly program detected) by Trend Apex One (my company).

            Thanks for your support, Notepad++ is my favorite editor. I’m currenty using portable edition.

            1 Reply Last reply Reply Quote 0
            • PeterJonesP
              PeterJones @mkupper
              last edited by

              @mkupper said in Notepad++ v8.8.3 Release Candidate:

              The thumbprint C4E7785B 6DD1DAF2 AEDE5C99 4BB3D495 AF7B45AB is not mentioned

              @donho , did you want to add the links to the Root CA and CRL files on https://notepad-plus-plus.org/resources/ , along with the thumbprints for the Root CA and the current signing certificate you are using?

              Since you have the GPG there, it makes sense to also share the details of the new CA and signing certs there as well.

              I could then have the Manual link to that page for people to confirm the thumbprints for the certs.

              donhoD 1 Reply Last reply Reply Quote 0
              • donhoD
                donho @PeterJones
                last edited by

                @PeterJones said in Notepad++ v8.8.3 Release Candidate:

                @donho , did you want to add the links to the Root CA and CRL files on https://notepad-plus-plus.org/resources/ , along with the thumbprints for the Root CA and the current signing certificate you are using?

                The paths of revocation list (crl) and root certificate are indicated in the Notepad++ code signing certificate (you can find them in the section “Details”):

                CRL Distribution Point:

                [1]CRL Distribution Point
                     Distribution Point Name:
                          Full Name:
                               URL=http://notepad-plus-plus.org/nppRevoke.crl
                

                Authority Information Access:

                [1]Authority Info Access
                     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                     Alternative Name:
                          URL=http://notepad-plus-plus.org/nppRoot.crt
                

                So, firstly if we want to move these 2 files to resources directory, this code signing certificate should be revoked, then a new certificate can be regenerated with 2 modified paths. the RC should be signed again and RC5 should be checked again by the community…

                Secondly, since such information is imposed by the certificate, for me
                URL=http://notepad-plus-plus.org/nppRoot.crt
                looks more serious then
                URL=http://notepad-plus-plus.org/resources/nppRoot.crt,
                and they are more accessible for the antivirus vendors, IT ppl & users (just under the root - shorter and simpler).

                For the above reasons, let’s keep it as it is. If it’s really bothering, we can always change in 3 years.

                PeterJonesP xomxX 2 Replies Last reply Reply Quote 0
                • PeterJonesP
                  PeterJones @donho
                  last edited by PeterJones

                  @donho ,

                  Sorry, I think I didn’t communicate clearly enough. I meant add a paragraph/section to the page at https://notepad-plus-plus.org/resources/ , which will link to the files which can stay at https://notepad-plus-plus.org/nppRoot.crt and https://notepad-plus-plus.org/resources/nppRoot.crt , and give details about those files, just like you do for the “Release Key”. Something like:

                  a5581676-3a46-4119-b5ed-3669e2b22ca1-image.png

                  You don’t have to use exactly that phrasing – I just mocked it up similar to what you had in the earlier section on that page.

                  <h2>Self-Signed Root Certificate Authority & Signing Key</h2>
                  <p>Notepad++ currently uses its own Root Certificate Authority (CA) for creating signing keys.
                  </p>
                  <ul>
                      <li>URL = <a href="https://http://notepad-plus-plus.org/nppRoot.crt">https://http://notepad-plus-plus.org/nppRoot.crt</a></li>
                      <li>Issued to: Notepad++</li>
                      <li>Issued by: Notepad++</li>
                      <li>Valid from 7/7/2025 to 7/7/2055</li>
                      <li>Thumbprint = <tt>c4e7785b6dd1daf2aede5c994bb3d495af7b45ab</tt></li>
                      <li>Revocation List = <a href="https://notepad-plus-plus.org/nppRevoke.crl">https://notepad-plus-plus.org/nppRevoke.crl</a></li>
                      <li>Instructions = See the <a href="https://npp-user-manual.org/docs/getting-started/#notepad-self-signed-certificate-authority-for-binaries">User Manual: Getting Started: Self-Signed Certificate Authority</a></li>
                  </ul>
                  <p>The current signing certificate has the following details:</p>
                  <ul>
                      <li>Issued to: Notepad++</li>
                      <li>Issued by: Notepad++</li>
                      <li>Valid from 7/7/2025 to 7/7/2028</li>
                      <li>Thumbprint = <tt>1c20840863e00c00bcdc30362121693e54966a28</tt></li>
                  </ul>
                  

                  This information will allow people to verify that they have correctly downloaded the right Root Certificate Authority, similar to the way you let them verify the GPG signature.

                  To sum up: I wasn’t asking you to change the URL of the certs or to re-issue them. I was asking you to publish the data about them on the main website, similar to the way you publish the data about the GPG signature on the main website.

                  donhoD 1 Reply Last reply Reply Quote 1
                  • donhoD
                    donho @PeterJones
                    last edited by

                    @PeterJones said in Notepad++ v8.8.3 Release Candidate:

                    You don’t have to use exactly that phrasing – I just mocked it up similar to what you had in the earlier section on that page.

                    Yes, you’re right - I forgot the part of resources!
                    I will add the information into this page, so it will be available during the release process.
                    Thank you for the reminding!

                    1 Reply Last reply Reply Quote 1
                    • xomxX
                      xomx @donho
                      last edited by xomx

                      @donho said in Notepad++ v8.8.3 Release Candidate:

                      URL=http://notepad-plus-plus.org/nppRevoke.crl

                      URL=http://notepad-plus-plus.org/nppRoot.crt

                      Maybe I’m a little bit lost in all that RC versions, but now I dl again the RC4 ones x64 installer and it’s signed like the above statements, which is just wrong, isn’t it? (should be with https instead):

                      npp-cert-http(s).png

                      Edit: Seems like MS own signed executables have the same http-only.

                      donhoD 1 Reply Last reply Reply Quote 1
                      • donhoD
                        donho @xomx
                        last edited by

                        @xomx said in Notepad++ v8.8.3 Release Candidate:

                        Maybe I’m a little bit lost in all that RC versions, but now I dl again the RC4 ones x64 installer and it’s signed like the above statements, which is just wrong, isn’t it? (should be with https instead):

                        The use of “http” instead of “https” wasn’t a mistake - that’s simply how it was done. You can check other digitally signed programs to confirm this.

                        In RC5280 “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”, Security Considerations section:

                         CAs SHOULD NOT include URIs that specify https, ldaps, or similar
                           schemes in extensions.  CAs that include an https URI in one of these
                           extensions MUST ensure that the server's certificate can be validated
                           without using the information that is pointed to by the URI.  Relying
                           parties that choose to validate the server's certificate when
                           obtaining information pointed to by an https URI in the
                           cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess
                           extensions MUST be prepared for the possibility that this will result
                           in unbounded recursion.
                        

                        ref: https://datatracker.ietf.org/doc/html/rfc5280

                        1 Reply Last reply Reply Quote 2
                        • donhoD
                          donho @donho
                          last edited by donho

                          While writing the release notes, I realized the both certificates (root certificate & code signing certificate) of RC4 have the same information while displaying:

                          Issued to: Notepad++
                          Issued by: Notepad++
                          Valid from 7/7/2025 to XXXXX
                          

                          Only the the valid dates (to XXXXX) are different.

                          To avoid users’ confusion, I did a new root certificate and a new code signing certificate and signed the release again:
                          http://download.notepad-plus-plus.org/repository/8.x/8.8.3.RC5/

                          xomxX 1 Reply Last reply Reply Quote 0
                          • xomxX
                            xomx @donho
                            last edited by xomx

                            @donho said in Notepad++ v8.8.3 Release Candidate:

                            Only the the valid dates (to XXXXX) are different.

                            To avoid users’ confusion, I did a new root certificate and a new code signing certificate and signed the release again:

                            ?, the shown “to XXXXX” remains different as before:

                            last root-cert: Valid from 7/9/2025 to 7/9/2055
                            cert in signed RC5 binary: Valid from 7/9/2025 to 7/9/2028

                            Root-certs usually have longer expiration date, I don’t see a problem with it.

                            donhoD 1 Reply Last reply Reply Quote 0
                            • donhoD
                              donho @xomx
                              last edited by donho

                              @xomx said in Notepad++ v8.8.3 Release Candidate:

                              Root-certs usually have longer expiration date, I don’t see a problem with it.

                              The point is on “Issued to” & “Issued by”: the information should be difference between 2 certificates.
                              It’s more clear in RC5 for users:

                              Root certificate: (Self-signed root certificate)

                              8ce32d0b-b12d-4ee8-9ebf-ebff98d5cd68-image.png


                              Code signing certificate (Code signing certicate issued by Self-signed root certificate)

                              c035d2f1-5e81-4ab0-a01e-1a54cf7534a7-image.png

                              xomxX PeterJonesP 2 Replies Last reply Reply Quote 2
                              • xomxX
                                xomx @donho
                                last edited by

                                @donho said in Notepad++ v8.8.3 Release Candidate:

                                The point is on “Issued to” & “Issued by”: the information should be difference between 2 certificates.

                                Ah, now I see it, thanks.

                                The important is, you left the code-signing one “Issued to” to be the Notepad++, so the possible future UAC pop-ups can say “Notepad++” as the “Verified publisher” (with the N++ cert in the Trusted Root CA) as it was before, right?

                                1 Reply Last reply Reply Quote 2
                                • PeterJonesP
                                  PeterJones @donho
                                  last edited by

                                  With the newest certificates and RC5, what I see is

                                  • Notepad++ Root Certificate
                                    • General
                                      • Issued To: Notepad++ Root Certificate
                                      • Issued By: Notepad++ Root Certificate
                                      • Valid from 7/8/2025 to 7/8/2055
                                    • Details
                                      • Thumbprint = c80539ff7076d22e73a01f164108dafbf06e45e4

                                  And on the signing certificate with the RC5 binary, I see:

                                  • Notepad++
                                    • General
                                      • Issued To: Notepad++
                                      • Issued By: Notepad++ Root Certificate
                                      • Valid from 7/8/2025 to 7/8/2028
                                    • Details
                                      • Thumbprint = 7f517e235584afc146f6d3b44cd34c6cc36a3ab2

                                  The dates are presumably different because of timezone differences, since early morning 7/9 in France was still 7/8 on the Western timezone in USA.

                                  @donho, Please confirm whether these are the correct Thumbprints, according to your records.

                                  donhoD 1 Reply Last reply Reply Quote 2
                                  • donhoD
                                    donho @PeterJones
                                    last edited by donho

                                    @xomx

                                    The important is, you left the code-signing one “Issued to” to be the Notepad++, so the possible future UAC pop-ups can say “Notepad++” as the “Verified publisher” (with the N++ cert in the Trusted Root CA) as it was before, right?

                                    Yes, exactly - if the root certificate is installed on users’ machine.

                                    @PeterJones

                                    I confirm the above information.

                                    BTW, the root certificate will be available in GitHub repository as well:
                                    https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/nppRoot.crt

                                    You might consider to include Notepad++ root certificate (nppRoot.crt) in npp-user-manual.org and also the following information:

                                    Name: Notepad++ Root Certificate
                                    Serial Number: 7A137FBEA48E8D469D2B43D49EBBCB21
                                    Thumbprint: C80539FF7076D22E73A01F164108DAFBF06E45E4
                                    SHA256: 443B4543C3A682804540849793556FFD3A6CE5D4721C9ADFDA6450223DDD54D7
                                    Created: 2025-07-09
                                    Expires: 2055-07-09

                                    so users could have 3 sources to download the root certificate and do the croiss-verification.
                                    It’s totally up to you. But if you do, please provide me the URL of nppRoot.crt - I will include it into my release note & Ressources page.

                                    PGomersallP PeterJonesP 2 Replies Last reply Reply Quote 3
                                    • PGomersallP
                                      PGomersall @donho
                                      last edited by

                                      @donho said in Notepad++ v8.8.3 Release Candidate:

                                      BTW, the root certificate will be available in GitHub repository as well:
                                      https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/nppRoot.crt

                                      @donho nppRoot.crt is not found at that location

                                      PeterJonesP 1 Reply Last reply Reply Quote 0
                                      • PeterJonesP
                                        PeterJones @PGomersall
                                        last edited by PeterJones

                                        @PGomersall said in Notepad++ v8.8.3 Release Candidate:

                                        nppRoot.crt is not found at that location

                                        I think you missed two of Don’s words from his sentence: “the root certificate will be available” – “will be” implies future tense, so not yet.

                                        –
                                        update: an hour later, that file does exist at https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/nppRoot.crt … so no more waiting

                                        1 Reply Last reply Reply Quote 1
                                        • donhoD donho unpinned this topic on
                                        • PeterJonesP
                                          PeterJones @donho
                                          last edited by

                                          @donho said in Notepad++ v8.8.3 Release Candidate:

                                          But if you do, please provide me the URL of nppRoot.crt - I will include it into my release note & Ressources page.

                                          Sorry if I wasn’t fast enough for the Release Notes…

                                          https://npp-user-manual.org/docs/certs/nppRoot.crt

                                          1 Reply Last reply Reply Quote 3
                                          • donhoD
                                            donho @PeterJones
                                            last edited by

                                            @PeterJones said in Notepad++ v8.8.3 Release Candidate:

                                            Considering @donho said above, “BTW, I should make https work, I know - it’s on my TODO list.”, I can confidentally conclude that the goal is to get it renewed. ;-)

                                            FYI,
                                            It’s done with let’s Encrypt:
                                            https://download.notepad-plus-plus.org/repository/

                                            Ben HB 1 Reply Last reply Reply Quote 2
                                            • First post
                                              Last post
                                            The Community of users of the Notepad++ text editor.
                                            Powered by NodeBB | Contributors