Notepad++ v8.8.2 Release Candidate
-
Notepad++ release candidate 8.8.2 is available here:
http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC/Notepad++ 8.8.2 RC2 is available here:
http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC2/Notepad++ 8.8.2 RC3 is available here:
http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC3/A bug of new feature “Read-only attribute in Windows” has been fixed in RC3:
https://github.com/notepad-plus-plus/notepad-plus-plus/issues/16734Please note that the 8.8.2 RC binaries are not signed due to the expiration of Notepad++ code signing certificate issued by DigiCert.
As a result, the updater for both plugins & Notepad++ itself will not function - I will adjust the security mechanism to restore the functionality, and will post 8.8.2 RC2 here ASAP.
Edit: the security mechanism has been switched from the certificate check to SHA256 check. The updater & plugin manager will work in 8.8.2 RC2In order to renew the code signing certificate, I also have to renew the trademark (which, unfortunately, has expired as well). The trademark is currently under examination and listed as pending. I’ve contacted DigiCert validation team to ask whether it’s possible to issue the certificate to “Notepad++” while the trademark is still pending.
However, since they also require Notepad++ to be a recognized business entity, we’ll most likely proceed without code signing - at least for this version. :(Notepad++ v8.8.2 change log:
- Fix regression of folding state not being remembered through sessions. (Fix #16597, #16670)
- Fix “Go To Settings” links in Style Configurator regression (from v8.8). (Fix #16592)
- Fix small regression of tab background (hovered) highlighting issue after drag&drop. (Fix #16559)
- Fix an unresponsive (hang) issue due to hide lines. (Fix #16316)
- Installer component “WinGUp”: update cURL to 8.13.0 for fixing cURL’s security issue CVE-2025-0167. (Fix #16531, #16515)
- Update to scintilla 5.5.7 & Lexilla 5.4.5. (Implement #16649)
- Add feature to update Notepad++ on exit. (Fix #16601, #13749, #10317, #8495, #8457, #3755)
- Add “/relaunchNppAfterSilentInstall” command argument for installer. (Fix #issue)
- Add feature to set read-only attribute on file so user can toggle (set/remove) read-only attribute of a file. (Fix #326, #4594, #6216, #7841, #12520, #15571, #16603)
- Add new plugin API: NPPM_GETTOOLBARICONSETMODE & NPPN_TOOLBARICONSETCHANGED to get toolbar icon set choice. (Fix #16547, #16646)
- Deprecate 3 APIs: Deprecate NPPM_GETOPENFILENAMES, NPPM_GETOPENFILENAMESPRIMARY & NPPM_GETOPENFILENAMESSECOND. (Fix #15997)
- Add new feature of using first line of untitled document for its tab name. (Fix #3994, #16584)
- Enhance NPPM_DARKMODESUBCLASSANDTHEME: Enable darkmode progress bar for plugins. (Fix #16675)
- Various dark mode enhancements. (Fix #16668, #16674, #16560, #16537, #issue)
- Fix right click on caption bar unhidding main menu. (Fix #16652)
- Fix rename tab error message when tab name is unchanged. (Fix #16661)
- Fix Python FunctionList absorbing next function issue if space after colon. (Fix #16636)
- Remove .log from errorlist lexer’s default extensions. (Fix #16627)
- Make raw string syntax highlighting work for Golang. (Fix #16609)
- Fix Notepad++ tray icon lost after Windows Taskbar crashing & being relaunched. (Fix #16588)
- Fix changing toolbar icon set not updating to matching panel icon set. (Fix #16595)
- Fix Windows dialog file list not react with keystroke (character match). (Fix #2239)
- Add “*” mark on modified file entries in “Windows” dropdown menu. (Fix #16542)
-
@donho did Plugin Manager get excluded?
-
@donho said in Notepad++ v8.8.2 Release Candidate:
Notepad++ release candidate 8.8.2 is available here:
http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC/The names of nearly all the files are wrong (still saying 8.8.1)
-
@Snabel42 said in Notepad++ v8.8.2 Release Candidate:
did Plugin Manager get excluded?
I assume you mean Plugins Admin.
The nppPluginList.dll is in the right location, so it’s “included”. My bet is that because it’s not signed, like the installer, it’s not passing the permissions issue, so @donho will have to make sure that unsigned nppPluginList.dll works in RC2 as well.
-
@PeterJones
I forgot to rebuild x86 & arm64 Notepad++, hence the wrong version value.
It’s fixed now. -
@PeterJones said in Notepad++ v8.8.2 Release Candidate:
@Snabel42 said in Notepad++ v8.8.2 Release Candidate:
did Plugin Manager get excluded?
I assume you mean Plugins Admin.
Yes, Plugins Admin
The nppPluginList.dll is in the right location, so it’s “included”. My bet is that because it’s not signed, like the installer, it’s not passing the permissions issue, so @donho will have to make sure that unsigned nppPluginList.dll works in RC2 as well.
I used npp.8.8.2.Installer.x64.exe to upgrade my existing installation. Plugins Admin is no longer visible in it’s previous spot on the Plugins menu.
-
@Snabel42 said in Notepad++ v8.8.2 Release Candidate:
Plugins Admin is no longer visible in it’s previous spot on the Plugins menu.
Sorry, I guess I was not explicit enough: My explanation paragraph was trying to say that I can confirm your finding, and thus I gave my best guess as to why it’s not working.
-
@donho said in Notepad++ v8.8.2 Release Candidate:
binaries are not signed
In such a case be prepared for an increase of AV false positives (which is unfortunate because it will also bring an increase of the risk of the app being compromised somehow (remember e.g. the CIA special ed…)).
updater for both plugins & Notepad++ itself will not function - I will adjust the security mechanism
So please do not trigger such a version for an auto-update!
This opens a door e.g. for a MITM attack. Doublecheck especially the downloaded & updated plugins. If only one of the plugins’ dl-sites will get compromised…
require Notepad++ to be a recognized business entity, we’ll most likely proceed without code signing
Did you consider the @Ekopalypse SignPath proposal?
I understand that it wouldn’t be ideal, and the cert will not bear the name “Notepad++”, but there would be the integration directly into the GitHub… -
IDK if it’s still true but I found an info that right now, Comodo is the only certauth that issues individual code signing certificates. The verification process conducted by Comodo requires you to provide three documents:
- Government-Issued Identification,
- Financial Documentation, and
- Non-Financial Documentation.
More here.
-
FYI: 8.8.2 RC2, which switches the security mechanism from the certificate check to SHA256 check to make updater & plugin manager work, is available here:
http://download.notepad-plus-plus.org/repository/8.x/8.8.2.RC2/ -
@donho said in Notepad++ v8.8.2 Release Candidate:
FYI: 8.8.2 RC2, which switches the security mechanism from the certificate check to SHA256 check to make updater & plugin manager work, is available here:
I can confirm that RC2 fixes the problem with Plugins Admin not showing up. Thanks!
-
Sorry, I guess I was not explicit enough: My explanation paragraph was trying to say that I can confirm your finding, and thus I gave my best guess as to why it’s not working.
I confirm what Peter has said. For giving more detail: Plugin Admin can be visible under 2 conditions:
- PluginList component exits & checked by SecurityGuard of Notepad++
- WinGUp component exits & checked by SecurityGuard of Notepad++
There are 2 methods for SecurityGuard to check components: by certificate or by SHA256.
In RC2 the mechanism of SHA256 is activated, so Plugin Admin will work in RC2, which is available on above post.In such a case be prepared for an increase of AV false positives
Yes, unfortunately we have to face to this situation.
(which is unfortunate because it will also bring an increase of the risk of the app being compromised somehow (remember e.g. the CIA special ed…)).
Back to the hack from CIA, Scintilla component was separated from Notepad++, and there was no verification at all while Notepad++ loading DLL of Scintilla.
The 8.8.2 RC2 has not the same situation: SHA256 of components are checked before they are loaded:
https://github.com/notepad-plus-plus/notepad-plus-plus/commit/999ec7a6c140f8f2b895ef27e48c0c978f6d621dSo please do not trigger such a version for an auto-update!
This opens a door e.g. for a MITM attack. Doublecheck especially the downloaded & updated plugins. If only one of the plugins’ dl-sites will get compromised…So far, all the Notepad++ releases with the code signing don’t check the certificate of downloaded installer before lauching it. But indeed, users cannot know if the downloaded installer is authentic. I’ll see what I can do about it.
Did you consider the @Ekopalypse SignPath proposal?
It could be a solution despite all the inconveniences… I’ll consider it if other solutions fail.
IDK if it’s still true but I found an info that right now, Comodo is the only certauth that issues individual code signing certificates.
Thank you for the link - I will check it.
-
@donho said in Notepad++ v8.8.2 Release Candidate:
In RC2 the mechanism of SHA256 is activated, so Plugin Admin will work in RC2, which is available on above post.
Confirmed
-
Need more room for localization of
Add new feature of using first line of untitled document for its tab name- https://github.com/notepad-plus-plus/notepad-plus-plus/commit/abc23714db987e699476f6b6a3af0fe44e0bc0a2#r159346955 -
@donho said in Notepad++ v8.8.2 Release Candidate:
SHA256 of components are checked before they are loaded:
Then it’s ok, indeed.
Please correct me if I am wrong but it’s ok only until someone will not refresh the CIA idea to distribute (MITM or fake N++ installers) modified notepad++.exe & nppPluginList.dll files (now, without the certs preventing modification, it will be an easy target for a covert malicious use…) -
@donho said in Notepad++ v8.8.2 Release Candidate:
- Add feature to set read-only attribute on file so user can toggle (set/remove) read-only attribute of a file.
Just fixed one (probably long standing) related issue:
fix toggleReadOnlyFlagFromFileAttributes when invalid file attribute(s) or insufficient user rights #16733
(for STR just create with admin-rights e.g.
C:\Program Files\test-RO.txtfile and set its R/O-attribute, then open it as a non-admin in N++ and try to toggle (in older N++ use the “Clear Read-Only Flag” menu item) that read-only file attribute, then check it in Explorer or simply Alt-Tab from/to N++ and see that the tab R/O-state is back as the file read-only attribute removing failed due to insufficient rights…) -
Just fixed one (probably long standing) related issue:
Merged into master now. Thank you.
I will add the warning message then update to the RC3.Please correct me if I am wrong but it’s ok only until someone will not refresh the CIA idea to distribute (MITM or fake N++ installers) modified notepad++.exe & nppPluginList.dll files (now, without the certs preventing modification, it will be an easy target for a covert malicious use…)
You’re not wrong. But even with the code signing protection, people can still do code signing on their home-made Notepad++ installer to gain the trust. I admit it’s much harder though.
-
@donho said in Notepad++ v8.8.2 Release Candidate:
I will add the warning message
Ok.
Just FYI - I have in progress (so far so good, I’m already using it, it just needs to be tested more) a native N++ replacement for the deprecated NppSaveAsAdminPlugin. My concept used there will allow an easy addition of another N++ ops requiring the UAC-prompt elevation. That’s why I left this comment in my above fix when the SetFileAttributes failed -
// probably the ERROR_ACCESS_DENIED (5) (TODO: UAC-prompt candidate).
One more thing - I don’t think I would be the only one here who would offer to share the costs of getting the new certificate so that you don’t have to finance it only yourself. Just say so if needed.
-
FYI, RC3, in which a bug of new feature “Read-only attribute in Windows” is fixed, is available now - you can download it from the 1st post.
-
Just FYI - I have in progress (so far so good, I’m already using it, it just needs to be tested more) a native N++ replacement for the deprecated NppSaveAsAdminPlugin. My concept used there will allow an easy addition of another N++ ops requiring the UAC-prompt elevation.
So is it also a plugin or it’s a piece of code? It’ll be very helpful for saving, which is part of core functions in Notepad++. Though I consider toggling R/O file attribute flag as a helper not part of core functions, it’s still nice to have.
One more thing - I don’t think I would be the only one here who would offer to share the costs of getting the new certificate so that you don’t have to finance it only yourself. Just say so if needed.
Thank you! And thank you guys willing to contribute to the cost of the new certificate!
In fact, before leaving X, I tweeted about the certificate expiration issue, and DigiCert (I believe someone from their market team) has responded positively, offering a free of charge certificate.Thanks to their generosity, I haven’t had to pay for a code signing certificate in the past 9 years:
However, the validation process is another story. It’s not the first time the name “Notepad++” has been rejected - I do understand the validation team’s position. But every single time I have had to communicate, negotiate, beg or/and shout on Twitter to gain a certificate issued under the name “Notepad++”. This circle repeats every 3 years, and frankly, I’m getting tired of it.
So thank you again for your kind & noble offer. Even if I had to pay for the certificate, it’s not about the money - it’s about signing our code under the name “Notepad++”. I believe we at least deserve that much.
