    New built-in Plugin Admin (Plugin Manager) is ready

    • donhoD
      donho
      last edited by

      At the request of the community, a built-in Plugin Admin will be available soon in a future Notepad++ release. Plugin Admin shows the list of available plugins and allows users to install new plugins and to update/remove installed plugins. Any plugin is welcome to join the list, which is also an open source project hosted on GitHub: https://github.com/notepad-plus-plus/nppPluginList/

      Before doing your PR, please test listing/installation/removal/update of your plugins locally, by following the instructions in the link below:
      https://notepad-plus-plus.org/features/plugin-admin.html

      Feel free to ask questions in this thread, I'll do my best to reply to/solve your question/problem.

      1 Reply Last reply Reply Quote 5
      • chcgC
        chcg
        last edited by

        Are you planning to support legacy plugins, not packaged in the right format needed by the PA? At least for x86 there are plenty of plugins not actively maintained, but still functional and which might get lost in this case.

        donhoD 1 Reply Last reply Reply Quote 0
        • chcgC
          chcg
          last edited by donho

          I think it is not clear from the description if the md5 “id” is the one of the zip file or the main dll.
          See https://en.wikipedia.org/wiki/Md5sum :

          The underlying MD5 algorithm is no longer deemed secure. Thus, while md5sum is well-suited for identifying known files in situations that are not security related, it should not be relied on if there is a chance that files have been purposefully and maliciously tampered. In the latter case, the use of a newer hashing tool such as sha256sum is recommended.

          donhoD Amanda JansenA 2 Replies Last reply Reply Quote 1
          • donhoD
            donho @chcg
            last edited by donho

            @chcg said:

            Are you planning to support legacy plugins, not packaged in the right format needed by the PA?

            The new plugin file system provides a simpler and more elegant way to keep a plugin's own space, and keeping 2 systems working will be time consuming, so the answer is no.

            1 Reply Last reply Reply Quote 0
            • donhoD
              donho @chcg
              last edited by

              @chcg said:

              The underlying MD5 algorithm is no longer deemed secure. Thus, while md5sum is well-suited for identifying known files in situations that are not security related, it should not be relied on if there is a chance that files have been purposefully and maliciously tampered. In the latter case, the use of a newer hashing tool such as sha256sum is recommended.

              Agree with you.

              The plugin (DLL) hash is generated and submitted by the plugin author in the plugin list, and it will be verified by Notepad++ after the installation - if the hash does not match then the installation will be removed.
              Using SHA1 or SHA2 instead of MD5 means Notepad++ should implement the SHA1 or SHA2 algorithm - I could be wrong but I think there’s no easy way to implement it without overhead (OpenSSL).
              Since MD5 has already been implemented in Notepad++, it’s used currently:
              Security is like sex: when it's good, it's very, very good; when it's bad, it's better than nothing.

              If you know any easy way to implement SHA algo without including the overhead, please let me know.

              1 Reply Last reply Reply Quote 0
              • dinkumoilD
                dinkumoil
                last edited by

                @Don-Ho

                “not packaged in the right format needed by the PA” includes:

                1. Plugin ZIP files with an internal folder structure different from the required one.
                2. DLL files created without version info. There seem to be programming languages which are not able to include it in the DLL file.

                The current PluginManager provides solutions for both of these points. For point 1 see here, for point 2 see here. If you would provide similar solutions in the new PA this would reduce the number of plugins which get lost.

                But furthermore there is another serious problem. Some plugins need additional files that have to be copied to a certain location. These files of course have to be deleted when uninstalling the plugin.

                My own plugins (AutoCodepage, AutoEolFormat, CustomLineNumbers) are packaged with a little .txt file containing some documentation. The NppExec plugin for instance needs some additional files to function properly (this is true for a lot of other valuable plugins). Currently the new PA can not handle such needs (tested with my AutoCodepage plugin). If you would provide a solution for point 1 mentioned above that would solve this problem too.

                Also in your documentation I can’t find a method to delete certain files when uninstalling a plugin.

                1 Reply Last reply Reply Quote 2
                • chcgC
                  chcg
                  last edited by

                  On SHA-2, maybe:
                  https://tls.mbed.org/sha-256-source-code
                  https://github.com/amosnier/sha-2
                  are usable.

                  donhoD 1 Reply Last reply Reply Quote 3
                  • dailD
                    dail
                    last edited by

                    My first thoughts:

                    1. The MD5 of just the main plugin DLL is not enough. This does not prevent MITM at all. Many plugins come with other DLL or Jar files which could just as easily contain malicious code. One could also argue that even text based config files or scripts could be modified to do malicious things.
                    2. Having the json file in the exe is nice for verification…but one of the biggest gripes with the old plugin manager is that the list of plugins was not updated frequently enough. This caused plugin developers (such as myself) to worry that if there was a severe bug in their plugin being downloaded…there was a long time before there could be a fixed version available to users. This is even harder because there is no set schedule that the plugin list will be updated since it is dependent on Notepad++ being updated…which varies widely.

                    Security is like sex: when it's good, it's very, very good; when it's bad, it's better than nothing.

                    I would argue security is like a condom, it has to work perfectly, because even the slightest flaw means it is useless.

                    donhoD 1 Reply Last reply Reply Quote 9
                    • cmeriauxC
                      cmeriaux
                      last edited by

                      @donho can you add the release date information for each plugin?
                      We could sort the plugin list by release date in the GUI and rapidly find the new plugins released recently.

                      Thanks

                      1 Reply Last reply Reply Quote 6
                      • chcgC
                        chcg
                        last edited by

                        My assumption would be that it is planned to release\update the nppPluginList.dll independently of the N++ releases.
                        Is this correct?
                        I guess the merging of the PRs at https://github.com/notepad-plus-plus/nppPluginList might be a bottleneck in case of urgent plugin bugfixes.

                        With NppFTP the plugin start after installation via PluginAdmin while N++ is running seems not to work. It is using docking. Is there something for plugins to fulfill?

                        1 Reply Last reply Reply Quote 2
                        • dinkumoilD
                          dinkumoil
                          last edited by

                          @donho

                          I found another pitfall in the new PA.

                          The old PluginManager copies the plugin’s DLL file to the hard disk and performs a restart of Npp after that. Thus it is guaranteed that the NPPN_READY notification is sent to all plugins when Npp starts up. In a handler of this notification plugins can process some initialization tasks required to work properly.

                          The new PA doesn’t init a restart of Npp. Thus after installing plugins their initialization code isn’t processed and they don’t work (tested with my AutoCodepage plugin).

                          Maybe that’s the reason for

                          @chcg said:

                          With NppFTP the plugin start after installation via PluginAdmin while N++ is running seems not to work.

                          donhoD 1 Reply Last reply Reply Quote 5
                          • donhoD
                            donho @chcg
                            last edited by

                            @chcg said:

                            On SHA-2, maybe:
                            https://tls.mbed.org/sha-256-source-code
                            https://github.com/amosnier/sha-2
                            are usable.

                            Thank you it’s very helpful! SHA-256 has been implemented in Notepad++ and SHA-256 hash will be used instead of MD5 one in the plugin list.

                            I’ve just updated the Notepad++ in debug mode binaries for plugin devs to add plugins into nppPluginList.

                            1 Reply Last reply Reply Quote 2
                            • donhoD
                              donho @dail
                              last edited by

                              @dail said:

                              The MD5 of just the main plugin DLL is not enough. This does not prevent MITM at all. Many plugins come with other DLL or Jar files which could just as easily contain malicious code. One could also argue that even text based config files or scripts could be modified to do malicious things.

                              Nice thought. Do you have any simple (as possible) solution for that?

                              Having the json file in the exe is nice for verification…but one of the biggest gripes with the old plugin manager is that the list of plugins was not updated frequently enough. This caused plugin developers (such as myself) to worry that if there was a severe bug in their plugin being downloaded…there was a long time before there could be a fixed version available to users. This is even harder because there is no set schedule that the plugin list will be updated since it is dependent on Notepad++ being updated…which varies widely.

                              The release of nppPluginList will be independent from the release of Notepad++, and in the future, Notepad++ will be notified once there’s a new release of nppPluginList and download it.

                              As well, nppPluginList will be maintained and released by people of the community, since I won’t have much spare time for it.

                              I would argue security is like a condom, it has to work perfectly, because even the slightest flaw means it is useless.

                              Good quote! Makes sense BTW :)

                              dailD 1 Reply Last reply Reply Quote 2
                              • dinkumoilD
                                dinkumoil
                                last edited by

                                @donho

                                The plugin update process of the new PA doesn’t work.

                                1. I installed version 1.2.1 of my AutoCodepage plugin.
                                2. I exited Npp and patched my nppPluginList.json by inserting the data of version 1.2.2 of the plugin.
                                3. After a restart of Npp PA showed correctly that there is an update available for my plugin, I clicked button “Update”.
                                4. Npp pointed out that a restart would be required to install the plugin, I clicked “Yes”.
                                5. The window of Npp was closed and a message box appeared:

                                Can’t unzip:
                                Operation not permitted or decompression failed

                                The plugin was not updated, after a restart of Npp version 1.2.1 was still installed.

                                Installing directly version 1.2.2 of the plugin is no problem, only updating from older version.

                                Debug info of Npp:

                                Notepad++ v7.5.9 (32-bit)
                                Build time : Oct 24 2018 - 09:21:25
                                Path : C:\Users\Username\Desktop\Notepad++\notepad++.exe
                                Admin mode : OFF
                                Local Conf mode : ON
                                OS : Windows 7 (64-bit)

                                1 Reply Last reply Reply Quote 1
                                • dinkumoilD
                                  dinkumoil
                                  last edited by

                                  @donho

                                  I noticed that the bug I reported above only happens if the NppMenuSearch plugin is installed. I also noticed that after closing Npp there remains a “shadow” of the Document Map (its window frame and the transparent orange scroll block) on the screen and in Windows Task Manager I can see that the Npp process doesn’t terminate.

                                  I have the NppMenuSearch plugin installed in a regular installation of Npp v7.5.9 (32 bit) too and there the plugin causes no such strange behaviour. But I understand if you are not willing to dig into that plugin-caused problem.

                                  Sorry for the inconvenience.

                                  1 Reply Last reply Reply Quote 1
                                  • dailD
                                    dail @donho
                                    last edited by

                                    @donho

                                    Nice thought. Do you have any simple (as possible) solution for that?

                                    Can’t you just hash the entire ZIP file itself? That way you know everything is as expected.

                                    1 Reply Last reply Reply Quote 4
                                    • chcgC
                                      chcg
                                      last edited by

                                      Regarding security:
                                      Checking the hash of the entire zip is also done by the 32bit PluginManager.
                                      Additionally it should be forced to use https download locations.
                                      Gup.exe companion libcurl needs to be up to date to avoid CVEs/bugs from that side.

                                      donhoD 1 Reply Last reply Reply Quote 2
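
The difference between hashing only the main DLL and hashing the entire ZIP, as discussed in the posts above, shown as an added example that is not part of the thread or of Notepad++'s code. The file names, the URL, and the use of `id` and `repository` as the entry keys holding the SHA-256 and the download location are assumptions, and the archive contents are constructed sample data.

```python
import hashlib
import io
import zipfile
from urllib.parse import urlparse


def build_zip(files):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def dll_only_check(zip_bytes, dll_name, expected_hex):
    """Weak check: compare only the main DLL inside the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sha256_hex(zf.read(dll_name)) == expected_hex.lower()


def whole_zip_check(entry, zip_bytes):
    """Stronger check: HTTPS source, and a hash over the raw archive bytes,
    computed before anything is extracted or loaded."""
    if urlparse(entry["repository"]).scheme != "https":
        return False
    return sha256_hex(zip_bytes) == entry["id"].lower()


# Constructed sample plugin: one DLL stand-in plus a companion config file.
DLL = b"MZ constructed stand-in for the main plugin DLL"
GOOD_ZIP = build_zip({"ExamplePlugin.dll": DLL,
                      "ExamplePlugin/config.ini": b"run_on_start=none\n"})
# Same DLL bytes, but the companion file was changed in transit.
TAMPERED_ZIP = build_zip({"ExamplePlugin.dll": DLL,
                          "ExamplePlugin/config.ini": b"run_on_start=other.cmd\n"})

# Hypothetical list entry; key names are assumptions for this example.
ENTRY = {"repository": "https://example.invalid/ExamplePlugin.zip",
         "id": sha256_hex(GOOD_ZIP)}

if __name__ == "__main__":
    print("DLL-only check accepts tampered ZIP:",
          dll_only_check(TAMPERED_ZIP, "ExamplePlugin.dll", sha256_hex(DLL)))
    print("whole-ZIP check accepts tampered ZIP:",
          whole_zip_check(ENTRY, TAMPERED_ZIP))
    print("whole-ZIP check accepts original ZIP:",
          whole_zip_check(ENTRY, GOOD_ZIP))
```

The whole-archive hash is only as trustworthy as the channel that delivers the plugin list itself, which is why the list's own distribution matters as much as the per-plugin check.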
                                      • donhoD
                                        donho @dinkumoil
                                        last edited by donho

                                        @dinkumoil said:

                                        I found another pitfall in the new PA.
                                        The new PA doesn’t init a restart of Npp. Thus after installing plugins their initialization code isn’t processed and they don’t work (tested with my AutoCodepage plugin).

                                        Nice catch! This bug is fixed now in 2 (32 & 64 bit) Notepad++ debug binaries. NPPN_READY is sent to the installed plugin after being loaded:
                                        https://github.com/notepad-plus-plus/notepad-plus-plus/commit/c531a4d42a9b4afe0136d48fdc3c376f67067bb0

                                        Both binaries are available to be downloaded.

                                        1 Reply Last reply Reply Quote 4
                                        • dinkumoilD
                                          dinkumoil
                                          last edited by

                                          @donho

                                          Tested and worked.

                                          1 Reply Last reply Reply Quote 1
                                          • chcgC
                                            chcg
                                            last edited by

                                            For NppFTP the NPPN_READY doesn’t solve it completely. Now the docking and the message window are constructed/visible, but the content is still not there.
                                            Maybe there is another difference to the start of n++ itself.

                                            1 Reply Last reply Reply Quote 3