Notepad++ v8.8.3 Release: self-signed certificate

PeterJones

@PGomersall said in Notepad++ v8.8.3 Release: self-signed certificate:

Tried multiple systems all using MS Edge browser though but also via PowerShell with Invoke-WebRequest, all are returning a plain txt.

My post from 20 minutes ago was after I verified in Chrome. And I just now tried PowerShell

PS C:\Users\pryrt> cd Downloads                                                                                                                                                     PS C:\Users\pryrt\Downloads>  Invoke-WebRequest https://notepad-plus-plus.org/nppRoot.crt


StatusCode        : 200
StatusDescription : OK
Content           : {45, 45, 45, 45...}
RawContent        : HTTP/1.1 200 OK
                    Connection: keep-alive
                    platform: hostinger
                    panel: hpanel
                    content-security-policy: upgrade-insecure-requests
                    alt-svc: h3=":443"; ma=86400
                    x-hcdn-request-id: a5305815b661c200e85fa1...
Headers           : {[Connection, keep-alive], [platform, hostinger], [panel, hpanel], [content-security-policy, upgrade-insecure-requests]...}
RawContentLength  : 6380



PS C:\Users\pryrt\Downloads> Invoke-WebRequest https://npp-user-manual.org/docs/certs/nppRoot.crt


StatusCode        : 200
StatusDescription : OK
Content           : {45, 45, 45, 45...}
RawContent        : HTTP/1.1 200 OK
                    Connection: Keep-Alive
                    Keep-Alive: timeout=5, max=100
                    platform: hostinger
                    panel: hpanel
                    content-security-policy: upgrade-insecure-requests
                    alt-svc: h3=":443"; ma=2592000, h3-29="...
Headers           : {[Connection, Keep-Alive], [Keep-Alive, timeout=5, max=100], [platform, hostinger], [panel, hpanel]...}
RawContentLength  : 6380

It’s still working for me.

Approximately 1 hour ago it did download correctly.

And it’s still downloading correctly now, for me.

Out of curiousity, I ssh’d into a remote linux machine (which would use a different route/path between that machine and the upstream servers) – and both of those had errors. So there might be a routing issue between some providers and the various notepad++ servers.

yeah, I tried a tracert notepad-plus-plus.org from my PC , and it was able to find a route; but when I did tracert notepad-plus-plus.org from the remote machine, which has a different route to Notepad++, it wasn’t able to find a route.

So there might be a network issue somewhere between the Notepad++ servers (both are on the same hosting system, I think) and some other networks, but not all (since I still have access from my home internet connection)

PGomersall

@PeterJones
I just got https://notepad-plus-plus.org/nppRoot.crt to download correctly, but not the other 2 locations. Really need this to be bomb proof.

PeterJones

@PGomersall said in Notepad++ v8.8.3 Release: self-signed certificate:

Really need this to be bomb proof.

The second site is GitHub. And as I said in my earlier message with the URLs, the GitHub URL doesn’t return the raw cert, it returns the GitHub wrapper around the cert; you have to use the GitHub interface to download the raw. If you want a direct URL to the raw file, it’s at https://raw.githubusercontent.com/notepad-plus-plus/notepad-plus-plus/refs/heads/master/nppRoot.crt … but note that GitHub will give it text/plain headers (because inside, a .cer is often a BASE64-encoded file starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----…

So, for that matter, the certificates downloaded from the other URLs will be “plain text” as well. The question is what are the contents of that plain text. And you haven’t given any hint as to that.

Checking the contents you are receiving is really the next step. The hosting service that Don uses for Notepad++ websites often uses the “are you a human” checks to prevent DDOS attacks – so you might actually be getting a “403 Forbidden” error, especially when using the command-line based interfaces instead of a browser. So the contents might be either an error message, or an HTML version of an error message.

So if there are network/route errors, Don cannot do anything to fix that. If you are being “forbidden” because you haven’t done the “are you a human check”, there’s nothing Don can do to fix that. And if you are going to the non-raw github URL, it will of course be the github-wrapped version.

donho

@PeterJones

Sorry if I wasn’t fast enough for the Release Notes…

Better late than never (Not sure it exists in English, but the French sentence is “Mieux vaut tard que jamais”).

Updated. Please check:
https://notepad-plus-plus.org/downloads/v8.8.3/
https://notepad-plus-plus.org/news/v883-self-signed-certificate/
https://notepad-plus-plus.org/resources/
and
https://github.com/notepad-plus-plus/notepad-plus-plus/tree/master

Jordi Sole

Good Morning

I downloaded the latest version of N++ and I installed the certificate npproot.crt.
When I try to execute npp.8.8.3.Installer.exe it appears the following screen

With npp.8.8.2.Installer.exe it’s ok.

Any suggestion?

xomx

@Jordi-Sole said in Notepad++ v8.8.3 Release: self-signed certificate:

Any suggestion?

Just wait for a while, the AVs need some time to handle (update its info) the new Notepad++ self-signed certificate.

I just tried the VirusTotal and ok (much much better from what we saw at the unsigned v8.8.2 release time - only 1 AV from 72 flagged the npp.8.8.3.Installer.x64.exe as malware):

https://www.virustotal.com/gui/file/7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd

sevem47

For me it seems, that the information for the root certificate in the user manual got somehow mixed up a little bit.
Thumbprint value is taken of the current root certificate, whereas value of the serial number is of the previous certificate.

PeterJones

@sevem47 said in Notepad++ v8.8.3 Release: self-signed certificate:

Thumbprint value is taken of the current root certificate, whereas value of the serial number is of the previous certificate.

Both values match what was published in this post and this page

sevem47

@PeterJones
This I have seen, but unfortunately this does not match with the current root certificate that can be downloaded:

xomx

@PeterJones

I also see for the current nppRoot.crt:

Serial number: 63a633d265f1ffed66c5c67cbd9b7189
Thumbprint: c80539ff7076d22e73a01f164108dafbf06e45e4

donho

@sevem47 said in Notepad++ v8.8.3 Release: self-signed certificate:

@PeterJones
This I have seen, but unfortunately this does not match with the current root certificate that can be downloaded:

It should be 63a633d265f1ffed66c5c67cbd9b7189
Fixed in https://notepad-plus-plus.org/resources/

PeterJones

fixed usermanual

SwordReign8

Hello,

It appears that the hash that generates from the nppRoot.crt file does not match the sequence, “443B4543C3A682804540849793556FFD3A6CE5D4721C9ADFDA6450223DDD54D7,” listed within both the Resources heading and the Notepad++ User Manual. I could not find any posts or comments regarding this issue, after combing through the manual, the Notepad++ v8.8.3 Release Candidate topic, and this release topic. The good side is that the serial number and thumbprint are correct when the file is run with the Windows Crypto Shell Extensions app.

PeterJones

@SwordReign8 ,

does not match the sequence, “443B4543C3A682804540849793556FFD3A6CE5D4721C9ADFDA6450223DDD54D7,”

I concur that when I download the .crt from any of the three locations, it gives e133b9302aae0aa7d9f6db63289aeea709fb57346dc702357f9d71b1bd3ffb21, not the value listed in @donho’s posts

I am not convinced that a SHA256 generated from the .crt file is overly useful. Internally, the .crt file is a BASE64-encoded version of the binary certificate data; it doesn’t actually matter whether the newlines are LF-only or CRLF, or whether there is a final newline after the -----END CERTIFICATE----- or not (but those all change the SHA256); the only critical thing is whether when the BASE64 data is decoded that it resolve into the certificate data that matches the thumbprint and signature – which it does. (I am not a security expert; this is just my opinion on the matter.)

@donho: I would recommend that you remove the SHA256 from the /resources/ page and I’ll remove it from the usermanual, to avoid end-user confusion. If you agree, let me know, and I’ll work on removing it on my end; if you disagree, and want to keep publishing the SHA256, could you please re-confirm the value, because the SHA256 that I can calculate does not agree with your published data.

donho

@SwordReign8

It appears that the hash that generates from the nppRoot.crt file does not match the sequence, “443B4543C3A682804540849793556FFD3A6CE5D4721C9ADFDA6450223DDD54D7,” listed within both the Resources heading and the Notepad++ User Manual.

Both fingerprints (SHA1 & SHA254) are correct on the Resources heading and the Notepad++ User Manual.

You can use openssl under Git Bash to verify them:

yyy@XXXXXXX MINGW64 /c/aaaa/bbbb (master)
$ openssl x509 -in /c/abc/nppRoot.crt -noout -fingerprint -sha1
SHA1 Fingerprint=C8:05:39:FF:70:76:D2:2E:73:A0:1F:16:41:08:DA:FB:F0:6E:45:E4

yyy@XXXXXXX MINGW64 /c/aaaa/bbbb (master)
$ openssl x509 -in /c/abc/nppRoot.crt -noout -fingerprint -sha256
SHA256 Fingerprint=44:3B:45:43:C3:A6:82:80:45:40:84:97:93:55:6F:FD:3A:6C:E5:D4:72:1C:9A:DF:DA:64:50:22:3D:DD:54:D7

That said, SHA256 may be removed from the root certificate info, to avoid the users’ confusion, since such info can not be found in certificate opened by Crypto Shell extension of Windows.

What do you think @PeterJones ?

donho

@PeterJones said in Notepad++ v8.8.3 Release: self-signed certificate:

@donho: I would recommend that you remove the SHA256 from the /resources/ page and I’ll remove it from the usermanual, to avoid end-user confusion. If you agree, let me know, and I’ll work on removing it on my end; if you disagree, and want to keep publishing the SHA256, could you please re-confirm the value, because the SHA256 that I can calculate does not agree with your published data.

SHA256 is removed in Resources page.

PeterJones

@donho said in Notepad++ v8.8.3 Release: self-signed certificate:

You can use openssl … to verify them

Right.

I have openssl on Windows, and it can confirm:

C:\Users\pryrt\Downloads>ls -latr nppRoot-primary*.crt
-rw-rw-rw-  1 pryrt 0 6380 2025-07-11 10:07 nppRoot-primary.crt
-rw-rw-rw-  1 pryrt 0 6480 2025-07-11 10:13 nppRoot-primary-crlf.crt

C:\Users\pryrt\Downloads>openssl x509 -in nppRoot-primary.crt -noout -fingerprint -sha256
sha256 Fingerprint=44:3B:45:43:C3:A6:82:80:45:40:84:97:93:55:6F:FD:3A:6C:E5:D4:72:1C:9A:DF:DA:64:50:22:3D:DD:54:D7

C:\Users\pryrt\Downloads>openssl x509 -in nppRoot-primary-crlf.crt -noout -fingerprint -sha256
sha256 Fingerprint=44:3B:45:43:C3:A6:82:80:45:40:84:97:93:55:6F:FD:3A:6C:E5:D4:72:1C:9A:DF:DA:64:50:22:3D:DD:54:D7

That is giving the SHA256 fingerprint of the binary data, not the SHA256 for the BASE64-encoded text file.

What do you think

Since the MS Windows certificate viewer (Crypto Shell extension) doesn’t show the SHA256 fingerprint, and the since an external tool (like Notepad++ > Tools > SHA-256 > Generate from files) will show the SHA256 of the bytes of the file they downloaded, not the hash of the underlying encoded binary data, the user would get something like

cce7717c8a38afec9e6de523d108cdd3615a3e1543aeb6e31663b6b7dbc19c90  nppRoot-primary-crlf.crt
e133b9302aae0aa7d9f6db63289aeea709fb57346dc702357f9d71b1bd3ffb21  nppRoot-primary.crt

depending on whether their copy of the file has CRLF (first) or just LF as originally published (second) – and neither of those match the hash of the internal binary data.

That causes user confusion, which is bad (and may lead them to incorrectly conclude there is a problem with the file).

SHA256 is removed in Resources page.

Thanks. It will be removed from the User Manual soon.

datatraveller1

BTW (just for information), VirusTotal has an “invalid-signature” tag at
https://www.virustotal.com/gui/file/7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd?nocache=1
Ah sorry, I have just read this is normal for self-signed certificates.

donho

FYI, auto-updater has been triggered to v8.8.3.

Lycan Thrope

@donho , worked without a hitch or a hiccup. No problems with the update on my Standard Install version.