Community
    • Login

    Notepad++ v8.8.3 Release Candidate

    Scheduled Pinned Locked Moved Announcements
    38 Posts 9 Posters 5.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • donhoD
      donho @xomx
      last edited by

      @xomx said in Notepad++ v8.8.3 Release Candidate:

      Maybe I’m a little bit lost in all that RC versions, but now I dl again the RC4 ones x64 installer and it’s signed like the above statements, which is just wrong, isn’t it? (should be with https instead):

      The use of “http” instead of “https” wasn’t a mistake - that’s simply how it was done. You can check other digitally signed programs to confirm this.

      In RC5280 “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile”, Security Considerations section:

       CAs SHOULD NOT include URIs that specify https, ldaps, or similar
         schemes in extensions.  CAs that include an https URI in one of these
         extensions MUST ensure that the server's certificate can be validated
         without using the information that is pointed to by the URI.  Relying
         parties that choose to validate the server's certificate when
         obtaining information pointed to by an https URI in the
         cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess
         extensions MUST be prepared for the possibility that this will result
         in unbounded recursion.
      

      ref: https://datatracker.ietf.org/doc/html/rfc5280

      1 Reply Last reply Reply Quote 2
      • donhoD
        donho @donho
        last edited by donho

        While writing the release notes, I realized the both certificates (root certificate & code signing certificate) of RC4 have the same information while displaying:

        Issued to: Notepad++
        Issued by: Notepad++
        Valid from 7/7/2025 to XXXXX
        

        Only the the valid dates (to XXXXX) are different.

        To avoid users’ confusion, I did a new root certificate and a new code signing certificate and signed the release again:
        http://download.notepad-plus-plus.org/repository/8.x/8.8.3.RC5/

        xomxX 1 Reply Last reply Reply Quote 0
        • xomxX
          xomx @donho
          last edited by xomx

          @donho said in Notepad++ v8.8.3 Release Candidate:

          Only the the valid dates (to XXXXX) are different.

          To avoid users’ confusion, I did a new root certificate and a new code signing certificate and signed the release again:

          ?, the shown “to XXXXX” remains different as before:

          last root-cert: Valid from 7/9/2025 to 7/9/2055
          cert in signed RC5 binary: Valid from 7/9/2025 to 7/9/2028

          Root-certs usually have longer expiration date, I don’t see a problem with it.

          donhoD 1 Reply Last reply Reply Quote 0
          • donhoD
            donho @xomx
            last edited by donho

            @xomx said in Notepad++ v8.8.3 Release Candidate:

            Root-certs usually have longer expiration date, I don’t see a problem with it.

            The point is on “Issued to” & “Issued by”: the information should be difference between 2 certificates.
            It’s more clear in RC5 for users:

            Root certificate: (Self-signed root certificate)

            8ce32d0b-b12d-4ee8-9ebf-ebff98d5cd68-image.png


            Code signing certificate (Code signing certicate issued by Self-signed root certificate)

            c035d2f1-5e81-4ab0-a01e-1a54cf7534a7-image.png

            xomxX PeterJonesP 2 Replies Last reply Reply Quote 2
            • xomxX
              xomx @donho
              last edited by

              @donho said in Notepad++ v8.8.3 Release Candidate:

              The point is on “Issued to” & “Issued by”: the information should be difference between 2 certificates.

              Ah, now I see it, thanks.

              The important is, you left the code-signing one “Issued to” to be the Notepad++, so the possible future UAC pop-ups can say “Notepad++” as the “Verified publisher” (with the N++ cert in the Trusted Root CA) as it was before, right?

              1 Reply Last reply Reply Quote 2
              • PeterJonesP
                PeterJones @donho
                last edited by

                With the newest certificates and RC5, what I see is

                • Notepad++ Root Certificate
                  • General
                    • Issued To: Notepad++ Root Certificate
                    • Issued By: Notepad++ Root Certificate
                    • Valid from 7/8/2025 to 7/8/2055
                  • Details
                    • Thumbprint = c80539ff7076d22e73a01f164108dafbf06e45e4

                And on the signing certificate with the RC5 binary, I see:

                • Notepad++
                  • General
                    • Issued To: Notepad++
                    • Issued By: Notepad++ Root Certificate
                    • Valid from 7/8/2025 to 7/8/2028
                  • Details
                    • Thumbprint = 7f517e235584afc146f6d3b44cd34c6cc36a3ab2

                The dates are presumably different because of timezone differences, since early morning 7/9 in France was still 7/8 on the Western timezone in USA.

                @donho, Please confirm whether these are the correct Thumbprints, according to your records.

                donhoD 1 Reply Last reply Reply Quote 2
                • donhoD
                  donho @PeterJones
                  last edited by donho

                  @xomx

                  The important is, you left the code-signing one “Issued to” to be the Notepad++, so the possible future UAC pop-ups can say “Notepad++” as the “Verified publisher” (with the N++ cert in the Trusted Root CA) as it was before, right?

                  Yes, exactly - if the root certificate is installed on users’ machine.

                  @PeterJones

                  I confirm the above information.

                  BTW, the root certificate will be available in GitHub repository as well:
                  https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/nppRoot.crt

                  You might consider to include Notepad++ root certificate (nppRoot.crt) in npp-user-manual.org and also the following information:

                  Name: Notepad++ Root Certificate
                  Serial Number: 7A137FBEA48E8D469D2B43D49EBBCB21
                  Thumbprint: C80539FF7076D22E73A01F164108DAFBF06E45E4
                  SHA256: 443B4543C3A682804540849793556FFD3A6CE5D4721C9ADFDA6450223DDD54D7
                  Created: 2025-07-09
                  Expires: 2055-07-09

                  so users could have 3 sources to download the root certificate and do the croiss-verification.
                  It’s totally up to you. But if you do, please provide me the URL of nppRoot.crt - I will include it into my release note & Ressources page.

                  PGomersallP PeterJonesP 2 Replies Last reply Reply Quote 3
                  • PGomersallP
                    PGomersall @donho
                    last edited by

                    @donho said in Notepad++ v8.8.3 Release Candidate:

                    BTW, the root certificate will be available in GitHub repository as well:
                    https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/nppRoot.crt

                    @donho nppRoot.crt is not found at that location

                    PeterJonesP 1 Reply Last reply Reply Quote 0
                    • PeterJonesP
                      PeterJones @PGomersall
                      last edited by PeterJones

                      @PGomersall said in Notepad++ v8.8.3 Release Candidate:

                      nppRoot.crt is not found at that location

                      I think you missed two of Don’s words from his sentence: “the root certificate will be available” – “will be” implies future tense, so not yet.

                      –
                      update: an hour later, that file does exist at https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/nppRoot.crt … so no more waiting

                      1 Reply Last reply Reply Quote 1
                      • donhoD donho unpinned this topic on
                      • PeterJonesP
                        PeterJones @donho
                        last edited by

                        @donho said in Notepad++ v8.8.3 Release Candidate:

                        But if you do, please provide me the URL of nppRoot.crt - I will include it into my release note & Ressources page.

                        Sorry if I wasn’t fast enough for the Release Notes…

                        https://npp-user-manual.org/docs/certs/nppRoot.crt

                        1 Reply Last reply Reply Quote 3
                        • donhoD
                          donho @PeterJones
                          last edited by

                          @PeterJones said in Notepad++ v8.8.3 Release Candidate:

                          Considering @donho said above, “BTW, I should make https work, I know - it’s on my TODO list.”, I can confidentally conclude that the goal is to get it renewed. ;-)

                          FYI,
                          It’s done with let’s Encrypt:
                          https://download.notepad-plus-plus.org/repository/

                          Ben HB 1 Reply Last reply Reply Quote 2
                          • Ben HB
                            Ben H @donho
                            last edited by

                            @donho VirusTotal is flagging v8.8.3 with the following:
                            ffa02486-0bad-4976-92ab-0ccc969972ee-image.png

                            Is this a concern or a false positive?

                            Thanks.

                            donhoD 1 Reply Last reply Reply Quote 0
                            • donhoD
                              donho @Ben H
                              last edited by

                              @Ben-H
                              False positive.
                              Because if I put malware into Notepad++, I would not tell you.

                              Ben HB 1 Reply Last reply Reply Quote 3
                              • Ben HB
                                Ben H @donho
                                last edited by

                                @donho
                                Thanks. Is there a way to check with BKav Pro security vendor to see why it is a false positive? We just needed some explanation or confirmation that we are in the clear in order to satisfy the audit requirement by our company. Appreciate the Notepad++ team as always.

                                datatraveller1D 1 Reply Last reply Reply Quote 1
                                • datatraveller1D
                                  datatraveller1 @Ben H
                                  last edited by

                                  @Ben-H I have just written to BKAV customer services and asked them to disable the false positive. I’ve had a good experience with this company and I’m sure it will disappear soon.

                                  Ben HB 1 Reply Last reply Reply Quote 1
                                  • Ben HB
                                    Ben H @datatraveller1
                                    last edited by

                                    @datatraveller1
                                    Great. Thanks much!

                                    datatraveller1D 2 Replies Last reply Reply Quote 0
                                    • datatraveller1D
                                      datatraveller1 @Ben H
                                      last edited by

                                      This post is deleted!
                                      1 Reply Last reply Reply Quote 0
                                      • datatraveller1D
                                        datatraveller1 @Ben H
                                        last edited by

                                        @Ben-H The BKAV Pro False Positive has been fixed, everything is green now.

                                        Ben HB 1 Reply Last reply Reply Quote 2
                                        • Ben HB
                                          Ben H @datatraveller1
                                          last edited by

                                          @datatraveller1
                                          Awesome. You are the best!

                                          1 Reply Last reply Reply Quote 2
                                          • First post
                                            Last post
                                          The Community of users of the Notepad++ text editor.
                                          Powered by NodeBB | Contributors