SEPTEMBER 2022

The SignServer team is pleased to announce the release of SignServer 5.10. This release adds support for the EdDSA signature scheme, key wrapping for elliptic curve keys, and post-quantum signing with the SPHINCS+ candidate algorithm as implemented in Bouncy Castle.

Deployment options include SignServer Hardware Appliance, SignServer Software Appliance, and SignServer Cloud.

Highlights

EdDSA Support

The Edwards-curve Digital Signature Algorithm (EdDSA) is gaining increased traction and offers a high level of security and performance even on resource-constrained devices. SignServer 5.10 introduces support for generating EdDSA signatures, and the algorithms Ed25519 and Ed448 are now supported in the Plain Signer, CMS Signer, and Time Stamp Signer. Use of the EdDSA algorithms requires the P11NG crypto token and an HSM that supports the selected algorithm.

Key Wrapping Support for Elliptic Curves

The SignServer key wrapping feature was previously limited to RSA keys. As of SignServer 5.10, key wrapping is also supported for EC keys. Use of the key wrapping feature requires the P11NG crypto token. For more information, see Key Wrapping.

Post-Quantum Signing with Upgraded SPHINCS+ Algorithm and New Bouncy Castle Version

SignServer enables you to prepare for quantum-safe signing by using the NIST Post-Quantum Cryptography (PQC) candidate algorithm SPHINCS+ through Bouncy Castle. Using the CMS Signer and the Keystore Crypto Token together with the SPHINCS+ algorithm allows you to experiment with creating post-quantum keys and signatures. For more information, see the Post-quantum Code Signing How-to.

SignServer 5.10 upgrades the Bouncy Castle version to 1.71.1, which includes support for the SPHINCS+ v3.1 algorithm.

Upgrade Information

Review the SignServer Upgrade Notes for important upgrade information. For upgrade instructions, see Upgrade SignServer.

SignServer 5.10.0 is included in SignServer Hardware Appliance 3.9.7, SignServer Software Appliance 2.2.2, and SignServer Cloud 1.12.0.

Change Log: Resolved Issues

The following sections list the bugs fixed and the features implemented in SignServer 5.10.

Issues Resolved in 5.10.0

Released September 2022

New Features

DSS-2341 - Support for other character encodings for signing PowerShell scripts

DSS-2376 - Support for EdDSA with P11NG

DSS-2387 - EC support with P11NG - Support for ECDSA in P11NG tool

DSS-2388 - EC support with P11NG - Support for keywrapping with EC

DSS-2395 - Support for NONEwithECDSA in P11NG

DSS-2479 - Make JArchive Signer available in SignServer CE

Improvements

DSS-1574 - Implement support for SLOTLABEL support in JackNJI11 crypto token implementations

DSS-2366 - Merge improvements with P11NG from EJBCA (7.8.1+)

DSS-2470 - Merge Update README.md (GitHub PR #3)

DSS-2486 - Upgrade BC to 1.71.1

DSS-2487 - Upgrade internal library

Bug Fixes

DSS-2420 - JAR digest calculation for longer entries differs compared to jarsigner

DSS-2421 - Directory entries not kept in signed JAR if marked as compressed

DSS-2430 - JAR signing fails when MANIFEST.MF is not deflated

DSS-2447 - Regression: Error message "Key with ID or label onetime-signer00003-null already exists" using one-time crypto worker

DSS-2468 - Regression: NONEwithRSAandMGF1 broken with P11NG

DSS-2477 - Certain documents with shared objects/streams gets the visible signature page blank after signing

DSS-2480 - Regression: P11NG-tool dependency on EJBException

DSS-2484 - Regression: Unwrapped key generation with P11NG Tool fails after last P11NG merge

DSS-2485 - Regression: P11NG Provider closes sessions in case of error even for 'static session private keys'