Notepad++ 7.6.6 released with GPG signatures
2019-04-04
Since version 7.6.5 of Notepad++, the distribution packages are signed with a digital signature using GnuPG (GNU Privacy Guard). This allows users to reliably validate the authenticity and integrity of Notepad++ packages.
On Windows you can use native GnuPG (https://gnupg.org), which works from the command line, or Gpg4win (https://www.gpg4win.org), which is based on GnuPG and has a nice GUI. Of course you can also use PGP Desktop, which nowadays is provided by Symantec. Most Linux distributions ship with GnuPG installed by default. If you don’t have it, install it using the package management system of your distribution.
Release Key
Notepad++ packages and GitHub commits are signed using the Release Key, which has the following characteristics:
- Signer: Notepad++
- E-mail: don.h@free.fr
- Key ID: 0x8D84F46E
- Key fingerprint: 14BC E436 2749 B2B5 1F8C 7122 6C42 9F1D 8D84 F46E
- Key type: RSA 4096 / 4096
- Created: 2019-03-11
- Expires: 2021-03-10
Obtaining and validating Release Key
To make signature verification possible, you need to obtain a copy of our Release Key. You can get it from Notepad++’s GitHub page:
https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/nppGpgPub.asc
Then get the key ID from here:
https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/README.md#notepad-release-key
You should compare it against other copies downloaded from a key server to minimize the risk of obtaining a malicious key. To do this, use the key ID to find the key on one of the following key servers:
- http://keys.gnupg.net
- https://keyserver.ubuntu.com
- https://pgp.mit.edu
- https://zimmermann.mayfirst.org
In case of Gpg4win you can also search for the key on the key server via Kleopatra. PGP Desktop also has such a function.
After making sure that the downloaded key matches the key downloaded from the key server, you can import it into your key store. Double-click the file containing the Release Key, check its characteristics and make sure that all of them are exactly the same as those listed above. Then sign the Release Key with your private key and set the level of trust you prefer.
Validating Digital Signature
To validate the digital signature (and thus the file’s authenticity and integrity) you need to download the signature file for the package you’ve obtained. The link to the signature file (.sig) is located next to the package download link.
After downloading, make sure that both files (i.e. the package and the .sig file) are in the same folder. Then double-click the signature to start the validation process.
The result should say that the file was signed by don.h@free.fr.
- When using Kleopatra, make sure that the label has a green background. If it is red, the package is tampered with or broken and should be deleted immediately.
- When using PGP Desktop, make sure that the result shows a green check mark. Otherwise get rid of the package.
In case of an invalid signature please don’t panic, but contact us immediately, because there is a possibility that a malicious file was somehow put on our server. Your report could help us investigate the problem and take appropriate action.
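The same procedure from the command line, as an added shell example that is not part of the Notepad++ project: it refuses a key file whose fingerprint differs from the one published in the Release Key section, then accepts the package only on a VALIDSIG made by that pinned key, since gpg reports a "good signature" for any imported key. File names are placeholders; GnuPG 2.1 or later is assumed to be on the PATH.

```shell
# Added example, not Notepad++ project code. Verifies a downloaded package
# against its .sig and pins the signer to the published Release Key.
# Assumes GnuPG 2.1+ (for --import-options show-only) on the PATH.
set -eu

# Release Key fingerprint from above, with the display spaces removed.
RELEASE_FPR="14BCE4362749B2B51F8C71226C429F1D8D84F46E"

# Normalise a fingerprint as displayed (grouped, any case) for comparison.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Decide from gpg's machine-readable status output (--status-fd) whether the
# signature is valid AND made by the pinned key. Exit status 0 from gpg only
# means "good signature from some imported key", so the fingerprint decides.
check_status() {
    status_text="$1"
    expected="$(normalize_fpr "$2")"
    # Any explicit bad/expired/revoked/unverifiable signature fails outright.
    if printf '%s\n' "$status_text" | grep -Eq '^\[GNUPG:\] (BADSIG|EXPKEYSIG|REVKEYSIG|ERRSIG)'; then
        return 1
    fi
    # "[GNUPG:] VALIDSIG <fingerprint> ..." carries the signing key's fingerprint.
    sig_fpr="$(printf '%s\n' "$status_text" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')"
    if [ -n "$sig_fpr" ] && [ "$(normalize_fpr "$sig_fpr")" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Refuse a key file whose fingerprint is not the pinned one, then verify the
# package against its detached signature. Arguments are placeholder paths.
verify_package() {
    keyfile="$1"; package="$2"; sigfile="$3"
    got="$(gpg --with-colons --import-options show-only --import "$keyfile" \
           | awk -F: '$1=="fpr" {print $10; exit}')"
    if [ "$(normalize_fpr "$got")" != "$RELEASE_FPR" ]; then
        echo "refusing key file: fingerprint $got is not the pinned Release Key" >&2
        return 1
    fi
    gpg --quiet --import "$keyfile"
    status="$(gpg --status-fd 1 --verify "$sigfile" "$package" 2>/dev/null || true)"
    if ! check_status "$status" "$RELEASE_FPR"; then
        echo "REJECT: $package is not validly signed by the Release Key" >&2
        return 1
    fi
    echo "OK: $package is signed by $RELEASE_FPR"
}
```

Run it as `verify_package nppGpgPub.asc <package> <package>.sig` with the key file from the GitHub link above and the package and .sig in the same folder.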
Apart from the GPG signatures, a long-standing issue with file auto-change detection is improved in this release. A regression in encoding (language) detection since v7.6 is fixed as well. The EC-FOSS Bug Bounty program is nearing its end; some crash bugs are fixed in this release thanks to the HackerOne team’s help.
Download 7.6.6 here:
The auto-updater will be triggered in a few days if no critical issue is found.
If you find any regression or critical bug, please report here:
https://notepad-plus-plus.org/community/topic/17399/notepad-v7-6-6-gpg-signatures