Notepad++ v8.8.3 Release: self-signed certificate
-
@donho said in Notepad++ v8.8.3 Release: self-signed certificate:
You can use openssl … to verify them
Right.
I have openssl on Windows, and it can confirm:
C:\Users\pryrt\Downloads>ls -latr nppRoot-primary*.crt
-rw-rw-rw- 1 pryrt 0 6380 2025-07-11 10:07 nppRoot-primary.crt
-rw-rw-rw- 1 pryrt 0 6480 2025-07-11 10:13 nppRoot-primary-crlf.crt
C:\Users\pryrt\Downloads>openssl x509 -in nppRoot-primary.crt -noout -fingerprint -sha256
sha256 Fingerprint=44:3B:45:43:C3:A6:82:80:45:40:84:97:93:55:6F:FD:3A:6C:E5:D4:72:1C:9A:DF:DA:64:50:22:3D:DD:54:D7
C:\Users\pryrt\Downloads>openssl x509 -in nppRoot-primary-crlf.crt -noout -fingerprint -sha256
sha256 Fingerprint=44:3B:45:43:C3:A6:82:80:45:40:84:97:93:55:6F:FD:3A:6C:E5:D4:72:1C:9A:DF:DA:64:50:22:3D:DD:54:D7
That is giving the SHA256 fingerprint of the binary data, not the SHA256 for the BASE64-encoded text file.
What do you think
Since the MS Windows certificate viewer (Crypto Shell extension) doesn’t show the SHA256 fingerprint, and since an external tool (like Notepad++ > Tools > SHA-256 > Generate from files) will show the SHA256 of the bytes of the file they downloaded, not the hash of the underlying encoded binary data, the user would get something like
cce7717c8a38afec9e6de523d108cdd3615a3e1543aeb6e31663b6b7dbc19c90 nppRoot-primary-crlf.crt
e133b9302aae0aa7d9f6db63289aeea709fb57346dc702357f9d71b1bd3ffb21 nppRoot-primary.crt
depending on whether their copy of the file has CRLF (first) or just LF as originally published (second) – and neither of those match the hash of the internal binary data.
That causes user confusion, which is bad (and may lead them to incorrectly conclude there is a problem with the file).
SHA256 is removed in Resources page.
Thanks. It will be removed from the User Manual soon.
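The distinction discussed in the post above, as an added example that is not part of the thread: a file hash covers the PEM text including its line endings, while the certificate fingerprint covers only the decoded DER bytes. The certificate bytes here are constructed placeholder data, not the real nppRoot-primary.crt, and all function names are this example's own.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def file_sha256(data: bytes) -> str:
    """Hash of the file exactly as stored on disk (what a file-hash tool shows)."""
    return hashlib.sha256(data).hexdigest()

def der_fingerprint(data: bytes) -> str:
    """SHA-256 of the decoded DER bytes, formatted like `openssl x509 -fingerprint`."""
    match = PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # bytes.split() drops every LF, CR and space, so line endings cannot matter.
    der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def make_pem(der: bytes, newline: bytes) -> bytes:
    """Wrap DER bytes in PEM armor with 64-character lines and the given line ending."""
    b64 = base64.b64encode(der)
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines = [b"-----BEGIN CERTIFICATE-----", *body, b"-----END CERTIFICATE-----", b""]
    return newline.join(lines)

# Constructed placeholder bytes standing in for a certificate's DER encoding.
SAMPLE_DER = bytes(range(256)) * 3
LF_COPY = make_pem(SAMPLE_DER, b"\n")
CRLF_COPY = make_pem(SAMPLE_DER, b"\r\n")

if __name__ == "__main__":
    for name, data in (("LF copy", LF_COPY), ("CRLF copy", CRLF_COPY)):
        print(name, len(data), "bytes")
        print("  file sha256 :", file_sha256(data))
        print("  fingerprint :", der_fingerprint(data))
```

The two copies differ in size by one byte per line and produce different file hashes, yet the fingerprint is identical, which is the same pattern as the 6380-byte and 6480-byte files in the post.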
-
BTW (just for information), VirusTotal has an “invalid-signature” tag at
https://www.virustotal.com/gui/file/7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd?nocache=1
Ah sorry, I have just read this is normal for self-signed certificates.