Notepad++ v8.8.7 Release Candidate
-
@donho said in Notepad++ v8.8.7 Release Candidate:
- Sign Notepad++ binaries with GlobalSign certificate to fix false-positive alerts. (Fix #16971, #16809, #16812)
I wouldn’t be modest about the No. 1, and would also add the links to the other security issues possibly caused by the lack of signing with a global OV certificate: #16770, #16773, #16779, #16785, #17062
This can be also taken as an accusation of some “antiviruses”, which confuse their work with detecting whether or not a given app is digitally signed.
-
@xomx said in Notepad++ v8.8.7 Release Candidate:
I wouldn’t be modest about the No. 1
What’s your suggestion?
-
IDK, how about at least making it a little poetic ;-)
I worked for months, didn't regret time, now with the new cert, N++ is again prime!
Hope I made you laugh at least a little with the above and thanks for completing this not so funny longtime “PR”.
-
I just tried the x64 installer downloaded from the link I provided on my 2 laptops (one is the build machine), and both get the following screen:
Does it also happen to you guys?
However, the installers (the same binaries) generated locally on my build machine run without problem:
-
Just brought the locally built installer to another laptop via a USB stick and launched it - no SmartScreen.
The SmartScreen issue doesn’t come from the binaries, but from the download action or/and location.
Obviously it’s about ADS (alternate data streams). Any confirmation?
-
Yes, if I don’t unblock it, I see the same behavior.
Once that’s done, everything looks good.
-
I observed a different behaviour. Already while trying to download the file I receive the following message:
(Translation:
npp.8.8.7.Installer.x64.exe
https://download.notepad-plus-plus.org
This file is not downloaded frequently. Make sure you trust this file before opening it. Keep / Delete)
When I select ‘Keep’ the following message appears:
(Translation:
Make sure you trust npp.8.8.7.Installer.x64.exe before opening it.
Microsoft Defender SmartScreen could not verify if this file is safe because it is not frequently downloaded. Make sure you trust the file you are downloading or the source it came from.)
Here again I select ‘Keep the file’.
Starting the downloaded installer, the regular UAC-dialog appears as shown by @donho
And yes, I think as well it is related to ADS (Mark of the Web). On the following page I found a short description of the mechanism: Mark of the Web
-
Thank you guys for the confirmation. It’s indeed due to the ADS.
Running the following PowerShell command removes the SmartScreen prompt:
Remove-Item -Path "npp.8.8.7.Installer.x64.exe" -Stream Zone.Identifier
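An added PowerShell example (not from this thread or the Notepad++ project) that reads what the Mark of the Web stream records about the download and verifies the Authenticode signer before the stream is removed; the download path is an assumption:

```powershell
# Added example: inspect the Zone.Identifier stream and the Authenticode
# signature of a downloaded installer before unblocking it.
# $Path is an assumed location; the file name is the thread's RC installer.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\npp.8.8.7.Installer.x64.exe"
)

# 1. Read the Zone.Identifier alternate data stream (Mark of the Web).
#    ZoneId=3 means Internet zone; ReferrerUrl/HostUrl record the origin
#    that UAC shows in its "File Origin" field.
$zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    Write-Host "Zone.Identifier stream present:"
    $zone | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No Zone.Identifier stream: SmartScreen will not prompt on launch."
}

# 2. Check the Authenticode signature. Status must be Valid and the signer
#    should be the publisher you expect; SmartScreen reputation is tied to it.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
Write-Host ("Signature status : {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Host ("Signer subject   : {0}" -f $sig.SignerCertificate.Subject)
    Write-Host ("Issuer           : {0}" -f $sig.SignerCertificate.Issuer)
    Write-Host ("Thumbprint       : {0}" -f $sig.SignerCertificate.Thumbprint)
}

# 3. Strip the Mark of the Web only when the signature verifies. Unblock-File
#    does the same thing as the Remove-Item -Stream Zone.Identifier command
#    above and as "Unblock" in the file's Properties dialog.
if ($sig.Status -eq 'Valid') {
    Unblock-File -LiteralPath $Path
    Write-Host "Signature valid; Zone.Identifier removed."
} else {
    Write-Host "Signature not valid; leaving the Mark of the Web in place."
}
```

Get-AuthenticodeSignature reports only the primary signature, so on a dual-signed build it shows just one signer; `signtool.exe verify /pa /all` lists every signature on the file.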
-
@donho said in Notepad++ v8.8.7 Release Candidate:
Thank you guys for the confirmation. It’s indeed due to the ADS.
Running the following PowerShell command removes the SmartScreen prompt:
Remove-Item -Path "npp.8.8.7.Installer.x64.exe" -Stream Zone.Identifier
Or right-click, properties, unblock
-
@PeterJones
I don’t remember having had this issue before.
Is https://download.notepad-plus-plus.org/ no longer considered a safe URL by SmartScreen since Notepad++ has been signed by a “non-legit” certificate?
-
Yes, it’s the Zone.Identifier ADS. One can always tell if one looks carefully at the UAC “File Origin:” field:
But I’m concerned here about something else. I wonder if/why we couldn’t overcome this “not-enough-reputation-for-the-SmartScreen” with the help of that new GlobalSign OV-cert. When I clicked on the UAC “Show information about the publisher’s certificate”, the only cert I see there is the N++ own self-signed cert - could you confirm? Maybe that’s the problem. The v8.8.7rc installer has both the N++ and GlobalSign one (I checked) but maybe for the UAC/SmartScreen only one of them is somehow relevant?
So how about another RC2 test with only the GlobalSign cert?
Or try to switch the order of your current signing (1st GlobalSign, 2nd N++ or vice versa).
Maybe then it wouldn’t trigger the SmartScreen (even with the Zone.Identifier ADS)…
-
@xomx said in Notepad++ v8.8.7 Release Candidate:
So how about another RC2 test with only the GlobalSign cert?
Here you go:
With GlobalSign 1st, Notepad++ Root 2nd:
https://download.notepad-plus-plus.org/repository/8.x/8.8.7.RC2/
Only with GlobalSign:
https://download.notepad-plus-plus.org/repository/8.x/8.8.7.RC3/
For my tests, both don’t make any difference.
-
https://download.notepad-plus-plus.org/repository/8.x/TEST4/
On my tests of 3 files downloaded from the above directory:
- npp.8.8.1.Installer.x64.exe - Signed with DigiCert
- vlc-3.0.21-win64.exe - Signed, downloaded from the official website
- npp.8.8.5.Installer.x64.exe - Signed with NppRoot
After downloading them from https://download.notepad-plus-plus.org/,
- npp.8.8.1.Installer.x64.exe & vlc-3.0.21-win64.exe have no ADS, npp.8.8.5.Installer.x64.exe has the Zone.Identifier ADS
- All 3 of them are launched without SmartScreen.
So I would say the release 8.8.7 just needs the time to gain the trust.
-
I’ve got the same SmartScreen(SS)-triggering results with all the RC 1, 2, 3 (in my testing VM, w/o internet access):
That’s unfortunate. Every info source about the SS I checked states that there is only one 100% way not to trigger it in this situation - the EV-cert. For the new OV-cert there is a period in which it has to gain reputation. I found interesting real data about this - if it can be trusted, installers with the new N++ OV-cert will need ~18 days and about ~430 app installations (the more installations, the fewer days and vice versa) before this annoying SS dlg disappears.
So to prevent another “is-it-really-safe?!” shitstorm from the users we can:
- sacrifice ourselves and manually install and click on all our comps with active SS and internet connection (and ask also the Community users to do the same), before triggering the v8.8.7 for autoupdate
- or you can try the 2nd advice for the app-owners in the MS FAQ: “Apply for a Windows Logo (To learn more visit the Windows Logo Program page on MSDN)”. But IDK what that would entail and if it would be 100% reliable against the SS.
- or be proactive and submit new N++ installers to MS for analysis, try to use the 3rd “Software Developer - SW providers wanting to validate detection of their product” link from: https://www.microsoft.com/en-us/wdsi/filesubmission