Notepad++ v8.8.7 Release Candidate

donho

Notepad++ 8.8.7 RC is available here:
https://download.notepad-plus-plus.org/repository/8.x/8.8.7.RC/

Notepad++ v8.8.7 new enhancement & bug-fixes:

1. Sign Notepad++ binaries with GlobalSign certificat to fix false-positive alerts. (Fix #16971, #16809, #16812, #16770, #16773, #16779, #16785, #17062)
2. Fix Monitoring in one view affects selections and position in second view. (Fix #17046)
3. Fix Shortcut Mapper memory leak issue. (Fix #17069)
4. Enhance Perl FunctionList for class. (Fix #17043)
5. Fix pressing Alt or Tab causes controls redrawing problem in UDL dialog. (Fix #17061)

Notepad++ v8.8.6 new features & bug-fixes:

1. Add capacity of pasting multiline into Find/Replace fields. (Fix #16952)
2. Improve UAC in Notepad++ for seamless elevated operations. (Fix #886, #8655, #9561, #10302, #14990, #15008, #15137, #15323)
3. Fix Pin Tab operation being too long with many opened documents. (Fix #16117)
4. Add 2 new full-readonly modes via command line argument (-fullReadOnly & -fullReadOnlySavingForbidden). (Fix #15993, #16532)
5. Add apply/remove read-only for all documents commands. (Fix #15993, #16532)
6. Column Editor enhancement: GUI input fields now support radix to match the output format. (Fix #16912)
7. Add Window dialog “File Modified Time” sorting capacity. (Fix #16953)
8. Fix NPPN_CMDLINEPLUGINMSG not working issue & define the pluginMessage usage protocol. (Fix #17024, #17022)
9. Fix pasting from column mode to multi-selection issue due to different EOL. (Fix #16889)
10. Add NPPM_GETNPPSETTINGSDIRPATH message to get Notepad++ settings directory path. (Fix #16944)
11. Enhance SQL function list parser. (Fix #16605)
12. Fix C# function list not working with comments. (Fix issue)
13. Add function list ability for CSS. (Implement #17006)
14. Allow user to customize max selected chars to auto-fill “Find what” field. (Fix #16955)
15. Restore undo/redo behaviour in Find/Replace fields after Copy/Paste or Ctrl-F. (Fix issue 1, issue 2)
16. Fix text corruption issue caused by selection within multibyte characters. (Fix #16879)
17. Fix DOCTYPE styling in xml and html. (Fix #17012)
18. Fix double clicking on edit zone’s border creates a new tab issue. (Fix issue)
19. Update cURL in WinGUp (Notepad++ updater) for fixing CVE-2025-5399. (Fix security issue)

The self-signed certificate is retained to verify the authenticity of components (WinGUp & NppPluginList) before Notepad++ launching them.
NppShell is signed only by GlobalSign certificate, due to the restriction of signature on MSIX file.

The official release will be out in 2-3 days (this Monday), provided no bugs are found.
Enjoy your shining newly signed Notepad++!

xomx

@donho said in Notepad++ v8.8.7 Release Candidate:

1. Sign Notepad++ binaries with GlobalSign certificat to fix false-positive alerts. (Fix (Fix #16971 , #16809 , #16812 )

I wouldn’t be modest about the No. 1 and add also the links to other security issues caused possibly by the lack of signing with a global OV certificate: #16770, #16773, #16779, #16785, #17062

This can be also taken as an accusation of some “antiviruses”, which confuse their work with detecting whether or not a given app is digitally signed.

donho

@xomx said in Notepad++ v8.8.7 Release Candidate:

I wouldn’t be modest about the No. 1

What’s your suggestion?

xomx

@donho

IDK, how about at least making it a little poetic ;-)

I worked for months, didn't regret time,
now with the new cert, N++ is again prime!

Hope I made you laugh at least a little with the above and thanks for completing this not so funny longtime “PR”.

donho

I just tried the x64 installer downloaded from the link I provided on my 2 laptops (one is the build machine), and both get the following screen:

Does it also happen to you guys?

However, the installers (the same binaries) generated locally on my build machine runs without problem:

donho

Just brought the local built installer to another laptop via a USB, and launch it - no SmartScreen.
The SmartScreen issue doesn’t come from the binaries, but from the download action or/and location.
Obviously it’s about ADS (alternate data streams). Any confirmation?

Ekopalypse

@donho

Yes, if I don’t unblock it, I see the same behavior.

Once that’s done, everything looks good.

sevem47

If observed a different behaviour. Already trying to download the file I receive the following message:

(Translation:
npp.8.8.7.Installer.x64.exe
https://download.notepad-plus-plus.org
This file is not downloaded frequently. Make sure you trust this file before opening it.

Keep / Delete)

When I select ‘Keep’ the following message appears:

(Translation:
Make sure you trust npp.8.8.7.Installer.x64.exe before opening it.
Microsoft Defender SmartScreen could not verify if this file is safe because it is not frequently downloaded. Make sure you trust the file you are downloading or the source it came from.)

Here again I select ‘Keep the file’.

Starting the downloaded installer, the regular UAC-dialog appears as shown by @donho

And yes, I think as well it is related to ADS (Mark of the Web). On the following page I found a short description of the mechanism: Mark of the Web

donho

Thank you guys’ confirmation. It’s indeed due to the ADS.
Doing the following powershell command removes the smartscreen:
Remove-Item -Path "npp.8.8.7.Installer.x64.exe" -Stream Zone.Identifier

PeterJones

@donho said in Notepad++ v8.8.7 Release Candidate:

Thank you guys’ confirmation. It’s indeed due to the ADS.
Doing the following powershell command removes the smartscreen:
Remove-Item -Path "npp.8.8.7.Installer.x64.exe" -Stream Zone.Identifier

Or right-click, properties, unblock

donho

@PeterJones
I don’t remember that I’ve got this issue before.
Is https://download.notepad-plus-plus.org/ considered no more a safe URL by SmartScreen since when Notepad++ being signed by “non-legit” certificate?

xomx

@donho

Yes, it’s the Zone.Identifier ADS. One can always tell if look carefully at the UAC File Origin: field:

But I’m concerned here about something else. I wonder if/why we couldn’t overcome this “not-enough-reputation-for-the-SmartScreen” by the help of that new GlobalSign OV-cert. When I clicked on the UAC “Show information about the publisher’s certificate”, the only cert I see there is the N++ own self-signed cert - could you confirm? Maybe that’s the problem. The v8.8.7rc installer has both the N++ and GlobalSign one (I checked) but maybe for the UAC/SmartScreen is somehow relevant only one of them?

So how about another RC2 test with only the GlobalSign cert?
Or try to switch the order of your current signing (1st GlobalSign, 2nd N++ or vice versa).
Maybe then it wouldn’t trigger the SmartScreen (even with the Zone.Identifier ADS)…