Notepad++ v8.8.4 Release Candidate

donho

@Ekopalypse said in Notepad++ v8.8.4 Release Candidate:

unblocking it solves it.

Is it due to its signature from the self-signed certificate?

PeterJones

@donho said in Notepad++ v8.8.4 Release Candidate:

Is it due to its signature from the self-signed certificate?

No, it’s the Mark of the Web that browsers add when you download a zip or exe. For a normal exe, when you run it if it has the MotW, Windows will just ask you if you agree it’s safe… but because the gup.exe wasn’t run from the GUI but from inside Notepad++, the OS apparently doesn’t ask you, so N++ just cannot spawn the gup.exe.

xomx

@donho said in Notepad++ v8.8.4 Release Candidate:

With some searches, it seems that MSIX just cannot be signed by a self-signed certificate, a lot of ppl have the same issue:
https://techcommunity.microsoft.com/discussions/msix-discussions/can-not-sign-the-msix-pacakge-with-self-signed-certificate/218928

@xomx
I’m really curious how did you made it.

I had exactly the same

SignTool Error: An unexpected internal error has occurred.
Error information: “Error: SignerSign() failed.” (-2147024885/0x8007000b)

The 0x8007000b means ERROR_BAD_FORMAT. To find out more, I run Eventvwr.msc and checked the Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational

and found this details:

“error 0x8007000B: The app manifest publisher name (CN=“Notepad++”, O=“Notepad++”, L=Saint Cloud, S=Ile-de-France, C=FR) must match the subject name of the signing certificate (CN=…, O=…, C=…).”

There were real strings instead of the dots above (I used my own cert 1st).

So I went to create a fake Notepad++ cert to exactly match the mentioned CN=“Notepad++”, O=“Notepad++”, L=Saint Cloud, S=Ile-de-France, C=FR.
But there was a problem with the “++” chars in the “Notepad++” (CRYPT_E_INVALID_X500_STRING), so I used this in PowerShell (runas admin):

PS C:\WINDOWS\system32> $signname="`"Notepad++`""
PS C:\WINDOWS\system32> New-SelfSignedCertificate -Type Custom -KeyUsage DigitalSignature -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -Subject "CN=$signname, O=$signname, L=Saint Cloud, S=Ile-de-France, C=FR" -FriendlyName $signname

Then exported my new cert to a PFX-file:

PS C:\WINDOWS\system32> $password = ConvertTo-SecureString -String SOMEPWD -Force -AsPlainText
>> Export-PfxCertificate -cert "Cert:\CurrentUser\My\NEW_FAKE_NPP_CERT_THUMBPRINT" -FilePath C:\...SOMEPATH...\npp-test.pfx -Password $password

Then move the signing cert to LocalMachine\TrustedPeople:

PS C:\WINDOWS\system32> Import-PfxCertificate -CertStoreLocation "Cert:\LocalMachine\TrustedPeople" -Password $password -FilePath C:\...SOMEPATH...\npp-test.pfx

Then launched MSVS2022 x64 native tools command prompt and signed the binaries with:

SignTool sign /fd sha256 /a /f C:\...SOMEPATH...\npp-test.pfx /p SOMEPWD C:\...SOMEOTHERPATH...\nppShell-master\x64\Debug\NppShell.msix

and

SignTool sign /fd sha256 /a /f C:\...SOMEPATH...\npp-test.pfx /p SOMEPWD C:\...SOMEOTHERPATH...\nppShell-master\x64\Debug\NppShell.dll

donho

@donho said in Notepad++ v8.8.4 Release Candidate:

I’m really curious how did you made it.

@xomx
I noticed that your certificate’s hash algorithm: sha256 - so instead of using /fd SHA512, I use /fd SHA256 (old certificate hash algorithm: sha256, so /fd SHA256 was used to sign):

“C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe” sign /fd SHA256 /tr http://timestamp.acs.microsoft.com /td sha512 /a /f C:\myPath\NppP12File.pfx /p *********** /d “Notepad++” /du https://notepad-plus-plus.org/ …\bin64\NppShell.msix

Done Adding Additional Store
Successfully signed: …\bin64\NppShell.x64.dll

Size does matter ;)

Of course, your remark of Publisher field is essential to fix:

<Identity Name="NotepadPlusPlus" ProcessorArchitecture="neutral" 
Publisher="E=don.h@free.fr, CN=&quot;Notepad++&quot;, O=&quot;Notepad++&quot;, L=Saint Cloud, S=Ile-de-France, C=FR" 
Version="1.0.0.0" />

So both fixes make it correct again:
https://download.notepad-plus-plus.org/repository/MISC/NppShellWorking/

Thank you for taking time to investigate this issue.
I’ll redo & post the RC2 tomorrow.

donho

error 0x8007000B: The signature hash method specified (SHA512) must match the hash method used in the app package block map (SHA256).

The hashAlgorithm specified in the /fd parameter is incorrect. Rerun SignTool using hashAlgorithm that matches the app package block map (used to create the app package)

Ref: https://learn.microsoft.com/en-us/windows/msix/package/signing-known-issues

donho

@xomx said in Notepad++ v8.8.4 Release Candidate:

SignTool sign /fd sha256

Aha ! :)

donho

FYI: RC2 is available:
http://download.notepad-plus-plus.org/repository/8.x/8.8.4.RC2/

Lycan Thrope

@donho,

I installed this one as a portable, and it still doesn’t allow plugins to be installed, after the installation. It goes through the process of warning, closing but never comes back up, and doesn’t install anything. I’m guessing this is what you were trying to fix?

Notepad++ v8.8.4   (64-bit)
Build time: Aug  4 2025 - 18:01:28
Scintilla/Lexilla included: 5.5.7/5.4.5
Boost Regex included: 1_85
Path: C:\Users\camilee\Documents\Development Tools Downloads\Notepad++ Versions\npp.8.8.4.RC2portable.x64\notepad++.exe
Command Line: 
Admin mode: OFF
Local Conf mode: ON
Cloud Config: OFF
Periodic Backup: ON
Placeholders: OFF
Scintilla Rendering Mode: SC_TECHNOLOGY_DIRECTWRITE (1)
Multi-instance Mode: monoInst
asNotepad: OFF
File Status Auto-Detection: cdEnabledNew (for current file/tab only)
Dark Mode: OFF
Display Info:
    primary monitor: 1600x900, scaling 100%
    visible monitors count: 1
    installed Display Class adapters: 
        0000: Description - AMD Radeon HD 8400 / R3 Series
        0000: DriverVersion - 27.20.1034.6
OS Name: Windows 10 Home (64-bit)
OS Version: 22H2
OS Build: 19045.6093
Current ANSI codepage: 1252
Plugins: 
    mimeTools (3.1)
    NppConverter (4.6)
    NppExport (0.4)

Edit: I looked back at the previous discussions and saw that the gup.exe needs to be unblocked, and that fixed it, but I thought this update was supposed to take care of that aspect. Correct me if I misunderstood the fix we were testing for in this RC2 version.

PeterJones

@Lycan-Thrope said in Notepad++ v8.8.4 Release Candidate:

Edit: I looked back at the previous discussions and saw that the gup.exe needs to be unblocked, and that fixed it, but I thought this update was supposed to take care of that aspect. Correct me if I misunderstood the fix we were testing for in this RC2 version.

Nope. The Mark of the Web (for portable) was a separate issue from the signature of the installer. RC2 fixed the MSIX signature for the installer.

@Ekopalypse had mentioned originally that 8.8.2 portable worked for him for plugins, but 8.8.3/8.8.4-portable did not…

But I just ran the experiment: if I download a copy of 8.8.2-portable from https://download.notepad-plus-plus.org/repository/8.x/8.8.2/ , the zipfile has the MotW, and when you unzip, the gup.exe also has MotW, so it’s not version dependent. I did the same thing from https://notepad-plus-plus.org/downloads/v8.8.2/ , which downloads from GitHub instead, and the zipfile and the resulting gup.exe also had the MotW.

I did some web searching: other than manually deleting the MotW using the Properties on the zipfile before unzipping, or on the individual exe after unzipping, one can use the old Windows “Internet Options” (accessible thru Control Panel (even in Win11), or directly running inetcpl.cpl), and go to Security, then click on Trusted Sites, then Add https://download.notepad-plus-plus.org/ and https://*.github.com/ to allow downloads directly from the NPP downloads server or from the github server to be “trusted” and not necessarily add the MotW. (I am just explaining how that setting can be changed, not whether it is a good idea; and I don’t guarantee that your given browser will honor that setting; I believe a browser can choose to add the MotW even despite that “trusted” setting.)

xomx

@donho said in Notepad++ v8.8.4 Release Candidate:

FYI: RC2 is available:
http://download.notepad-plus-plus.org/repository/8.x/8.8.4.RC2/

Just tried and so far so good, the new Win11 ctx menu works again, thanks for the NppShell & N++ PRs.

Have you checked/resolved your x86 issues reported here? (I didn’t even try to check it, sorry.).

Ekopalypse

@PeterJones

Does that mean if you are using 8.8.2 you can’t use the plugin admin to install plugins without unlocking gup.exe first? Because I just checked again and I can.
It probably has something to do with Windows Smartscreen, because with 8.8.2 I don’t get a warning that Npp could be “dangerous”, with the newer versions I do.

donho

@xomx said in Notepad++ v8.8.4 Release Candidate:

Have you checked/resolved your x86 issues reported here? (I didn’t even try to check it, sorry.).

Yes, x86 NppShell.dll (with no msix) which comes with Notepad++ x86 installer does work well as before, according my test.

PeterJones

@Ekopalypse said in Notepad++ v8.8.4 Release Candidate:

Does that mean if you are using 8.8.2 you can’t use the plugin admin to install plugins without unlocking gup.exe first? Because I just checked again and I can.

Weird. I had assumed that if the MotW existed on gup.exe, it wouldn’t run. But no, with v8.8.2 portable, if gup.exe has MotW, Plugins Admin will still install plugins; but on v8.8.3 portable and v8.8.4-RC2 portable, if gup.exe has MotW, Plugins Admin will not install plugins