Notepad++ v8.8.4 Release Candidate

donho

@xomx

I can confirm the issue.

Thank you for the conformation.

Maybe a restriction for the current self-signed NppShell certificate in Windows?

I don’t think so. If you check the certificate of NppShell.dll in the current v8.8.4 RC (after the installation), you will see it’s signed by the one issued from Notepad++ self-signed certificate - the same certificate used in the installers which don’t work. OTOH, thanks to you hypothesis, I’m wondering if the system (Windows 11) has got the fingerprint of old NppShell.dll binaries without/before the signature.
Can anyone here confirm my hypothesis?

xomx

@donho said in Notepad++ v8.8.4 Release Candidate:

Maybe a restriction for the current self-signed NppShell certificate in Windows?

I don’t think so.

You’re right. I did the following test:

1. Uninstalled N++.
2. Installed the working v8.8.4RC - new Win11 NppShell ctx menu functionality ok.
3. From your “the installers which doesn’t work”, I manually extracted the NppShell.dll & NppShell.msix (+ also the notepad++.exe to be completely sure) and replaced the working ones in the “C:\Program Files\Notepad++” and - new Win11 NppShell ctx menu still ok!
4. Tried logoff/logon sequence - new Win11 NppShell ctx menu still ok!
5. Uninstalled N++.
6. Installed your problematic “the installers which doesn’t work” - the new ctx menu is not visible.

So the problem should be in your latest installer (procedure?) and not in the NppShell.

donho

@xomx said in Notepad++ v8.8.4 Release Candidate:

So the problem should be in your latest installer (procedure?) and not in the NppShell.

The building installer procedure was almost not changed (same as v8.8.3, with even the same certificate), here’s the only change, so I don’t think the problem comes here.

BTW, I used the 2 old PCs + 1 new PC to recompile NppShell (latest master + NppShell v15 + NppShell v14) and build installers - not working as well, so it’s not about the compiler’s version, either about NppShell’s source code (regression).

That’s why I suppose it’s due to old NppShell build’s fingerprint.

xomx

@donho

Ok, I did another test and now I think it’s about the latest (“the installers which doesn’t work”) NppShell failing during the registration regsvr32 process.

I took Registry snapshots before&after installing v8.8.4rc and also after installing “the installers which doesn’t work ” over the working v8.8.4rc. Result is clear - your latest problematic installer removes the needed NppShell extension records from the Registry.

So my previous test was misleading, as I used the ok NppShell from the v8.8.4rc installation for the registration (“regsvr32 NppShell.dll”), which created the necessary records in the Registry 1st. Then the manual replacing with the problematic latest NppShell files were ok, as the needed registration has been already done before the replacement.

So you need to debug the NppShell module during its “regsvr32 NppShell.dll”.

donho

@xomx
Could you please get these 2 NppShell.dll (x86 & x64) from “the installers which don’t work” and sign them with your personal code signing certificate (you’ve got one, IIRC - if that doesn’t bother you, of course), and send them to me (don.h@free.fr) for some test from my side?

xomx

@donho said in Notepad++ v8.8.4 Release Candidate:

you’ve got one

do not have, can create a testing one, but it’s not necessary, I found the culprit of the issue - you forgot to sign also the NppShell.msix (in the latest installer) with your new cert.

Without the signed msix, you’ve got the TRUST_E_NOSIGNATURE (0x800B0100) in the NppShell::Installer::RegisterSparsePackage, that’s it.

donho

@xomx said in Notepad++ v8.8.4 Release Candidate:

I found the culprit of the issue - you forgot to sign also the NppShell.msix (in the latest installer) with your new cert.

In v8.8.3, NppShell.msix is not signed either, because of signing error for unknown reason.

do not have

OK, no problem. We can use the ones of v8.8.3 for the release v8.8.4.

Edit: I just realized the fact of not signing NppShell.msix again keeps its old validate signature of old certificate - it could be the cause indeed. So NppShell.msix is not signed COULD BE the problem. The thing is, even there’s no signing problem with the self-signed certificate on NppShell.msix, I wonder if the system tolerates it.

Edit2: For x32, NppShell.msix is not necessary. So that doesn’t explain why x86 version doesn’t work.

xomx

@donho said in Notepad++ v8.8.4 Release Candidate:

NppShell.msix is not signed COULD BE the problem.

IT IS the problem.

For sparse packages registering, only the msix-file (with a valid sign) is important (I tried/debugged - one can have the NppShell.dll unsigned but if the NppShell.msix is signed according to its corresponding xml manifest (CN=“Notepad++”, O=“Notepad++”, L=Saint Cloud, S=Ile-de-France, C=FR), the new N++ Win11 context menu gets registered & works ok).

@donho said in Notepad++ v8.8.4 Release Candidate:

send them to me (don.h@free.fr ) for some test from my side

I sent you binaries of my x64 Debug build of the current NppShell master, signed by my fake N++ self-signing cert created. I tested them on my Win11 ok - new context menu works as it should.

No time yet for the x86 tests, sorry.

Edit: Please ignore (click on the OK btn) the debugger attaching point of my NppShell.dll binary sent:

Ekopalypse

It looks like 8.8.2 is the last version that allows a portable version to use the plugin admin to install plugins, or am I the only one having this problem? With the newer versions you still see the dialog that Npp needs to be restarted but the restart or installation of the plugin does not take place.

PeterJones

@Ekopalypse said in Notepad++ v8.8.4 Release Candidate:

am I the only one having this problem?

I concur. I saw it yesterday with DSpellCheck on 8.8.3, but thought it was just that one plugin, and didn’t look into it more deeply. I confirmed today with 8.8.3 portable and 8.8.4-RC portable that I cannot get DSpellCheck or ConfigUpdater or CollectionInterface plugins to install through Plugins Admin. (And confirmed that v8.8.2 portable is able to install plugins using Plugins Admin)

Looks like a regression in v8.8.3 that wasn’t noticed.

Ekopalypse

@PeterJones

its blocked

unblocking it solves it.

PeterJones

@Ekopalypse said in Notepad++ v8.8.4 Release Candidate:

unblocking it solves it.

Confirmed.

For future readers: you can also unblock the zipfile before unzipping, then none of the executables will be marked as “blocked” when they are extracted.

xomx

@donho said in Notepad++ v8.8.4 Release Candidate:

NppShell.msix is not signed either, because of signing error for unknown reason.

Probably because of:

donho

@xomx
It should match certificate’s Subject, not Issuer. (the issuer of the old certificate was DigiCert).
I’ve checked your “home-mde” certificate comes with NppShell.dll (Thank you BTW), the content of both issuer and subject is identical.
So with the new self-signed certificate, we need to add E=don.h@free.fr, at the begining.

However, I still have signing problem:

SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024885/0x8007000b)

Could you pass me your command to sign NppShell.MSIX please?

donho

NppShell.msix is not signed either, because of signing error for unknown reason.

With some searches, it seems that MSIX just cannot be signed by a self-signed certificate, a lot of ppl have the same issue:
https://techcommunity.microsoft.com/discussions/msix-discussions/can-not-sign-the-msix-pacakge-with-self-signed-certificate/218928

@xomx
I’m really curious how did you made it.

donho

@Ekopalypse said in Notepad++ v8.8.4 Release Candidate:

unblocking it solves it.

Is it due to its signature from the self-signed certificate?

PeterJones

@donho said in Notepad++ v8.8.4 Release Candidate:

Is it due to its signature from the self-signed certificate?

No, it’s the Mark of the Web that browsers add when you download a zip or exe. For a normal exe, when you run it if it has the MotW, Windows will just ask you if you agree it’s safe… but because the gup.exe wasn’t run from the GUI but from inside Notepad++, the OS apparently doesn’t ask you, so N++ just cannot spawn the gup.exe.

xomx

@donho said in Notepad++ v8.8.4 Release Candidate:

With some searches, it seems that MSIX just cannot be signed by a self-signed certificate, a lot of ppl have the same issue:
https://techcommunity.microsoft.com/discussions/msix-discussions/can-not-sign-the-msix-pacakge-with-self-signed-certificate/218928

@xomx
I’m really curious how did you made it.

I had exactly the same

SignTool Error: An unexpected internal error has occurred.
Error information: “Error: SignerSign() failed.” (-2147024885/0x8007000b)

The 0x8007000b means ERROR_BAD_FORMAT. To find out more, I run Eventvwr.msc and checked the Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational

and found this details:

“error 0x8007000B: The app manifest publisher name (CN=“Notepad++”, O=“Notepad++”, L=Saint Cloud, S=Ile-de-France, C=FR) must match the subject name of the signing certificate (CN=…, O=…, C=…).”

There were real strings instead of the dots above (I used my own cert 1st).

So I went to create a fake Notepad++ cert to exactly match the mentioned CN=“Notepad++”, O=“Notepad++”, L=Saint Cloud, S=Ile-de-France, C=FR.
But there was a problem with the “++” chars in the “Notepad++” (CRYPT_E_INVALID_X500_STRING), so I used this in PowerShell (runas admin):

PS C:\WINDOWS\system32> $signname="`"Notepad++`""
PS C:\WINDOWS\system32> New-SelfSignedCertificate -Type Custom -KeyUsage DigitalSignature -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -Subject "CN=$signname, O=$signname, L=Saint Cloud, S=Ile-de-France, C=FR" -FriendlyName $signname

Then exported my new cert to a PFX-file:

PS C:\WINDOWS\system32> $password = ConvertTo-SecureString -String SOMEPWD -Force -AsPlainText
>> Export-PfxCertificate -cert "Cert:\CurrentUser\My\NEW_FAKE_NPP_CERT_THUMBPRINT" -FilePath C:\...SOMEPATH...\npp-test.pfx -Password $password

Then move the signing cert to LocalMachine\TrustedPeople:

PS C:\WINDOWS\system32> Import-PfxCertificate -CertStoreLocation "Cert:\LocalMachine\TrustedPeople" -Password $password -FilePath C:\...SOMEPATH...\npp-test.pfx

Then launched MSVS2022 x64 native tools command prompt and signed the binaries with:

SignTool sign /fd sha256 /a /f C:\...SOMEPATH...\npp-test.pfx /p SOMEPWD C:\...SOMEOTHERPATH...\nppShell-master\x64\Debug\NppShell.msix

and

SignTool sign /fd sha256 /a /f C:\...SOMEPATH...\npp-test.pfx /p SOMEPWD C:\...SOMEOTHERPATH...\nppShell-master\x64\Debug\NppShell.dll

donho

@donho said in Notepad++ v8.8.4 Release Candidate:

I’m really curious how did you made it.

@xomx
I noticed that your certificate’s hash algorithm: sha256 - so instead of using /fd SHA512, I use /fd SHA256 (old certificate hash algorithm: sha256, so /fd SHA256 was used to sign):

“C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe” sign /fd SHA256 /tr http://timestamp.acs.microsoft.com /td sha512 /a /f C:\myPath\NppP12File.pfx /p *********** /d “Notepad++” /du https://notepad-plus-plus.org/ …\bin64\NppShell.msix

Done Adding Additional Store
Successfully signed: …\bin64\NppShell.x64.dll

Size does matter ;)

Of course, your remark of Publisher field is essential to fix:

<Identity Name="NotepadPlusPlus" ProcessorArchitecture="neutral" 
Publisher="E=don.h@free.fr, CN=&quot;Notepad++&quot;, O=&quot;Notepad++&quot;, L=Saint Cloud, S=Ile-de-France, C=FR" 
Version="1.0.0.0" />

So both fixes make it correct again:
https://download.notepad-plus-plus.org/repository/MISC/NppShellWorking/

Thank you for taking time to investigate this issue.
I’ll redo & post the RC2 tomorrow.

donho

error 0x8007000B: The signature hash method specified (SHA512) must match the hash method used in the app package block map (SHA256).

The hashAlgorithm specified in the /fd parameter is incorrect. Rerun SignTool using hashAlgorithm that matches the app package block map (used to create the app package)

Ref: https://learn.microsoft.com/en-us/windows/msix/package/signing-known-issues