SignServer 5.5 Release Notes

The PrimeKey SignServer team is pleased to announce the release of SignServer 5.5.0.

With this release, we are introducing support for code signing of Microsoft PowerShell scripts and support for Android APK v2/v3 code signing schemes.

Deployment options include SignServer Hardware Appliance and SignServer Cloud.

Highlights

Android APK v2 and v3 Signing Schemes

SignServer now supports all three Android application signing schemes.

All Android applications uploaded to the Google Play store must be signed. The two more recent schemes, Android APK v2 and v3, enhance the security and performance of the application verification and install process on an Android device.

  • The Android APK v2 scheme was introduced in Android version 7.
  • The Android APK v3 scheme was introduced in Android version 9.

For maximum compatibility, it is recommended that developers sign Android applications with all signature schemes.

For more information on SignServer Android signing, see Setting up Android Signing.

Authenticode Signing of Microsoft PowerShell Scripts

Execution of PowerShell scripts on Windows is controlled by the PowerShell script execution policy.

SignServer 5.5 supports signing of PowerShell scripts (.ps1, .psd1, .psm1) in addition to the file formats supported in previous SignServer versions. For more information, see MS Authenticode Signer.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

SignServer 5.5.0 is included in the SignServer Hardware Appliance 3.5.4 and SignServer Cloud 1.7.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.5.0, refer to our JIRA Issue Tracker.

Issues Resolved in 5.5.0

Released September 2020

New Features

  • DSS-2151 - Support for accessing crypto instances from other signers
  • DSS-2186 - Add option to SignClient for providing an access token
  • DSS-2187 - Add PowerShell script (.ps1, .psm1, .psd1) signing support to MSAuthCodeSigner
  • DSS-2188 - Add PowerShell script (.ps1, .psm1, .psd1) signing support with client-side hashing

Tasks

  • DSS-2144 - Create skeleton ApkServerSideSigner
  • DSS-2145 - Include the sources for the library (temporarily)
  • DSS-2146 - Implement APK signing
  • DSS-2147 - Worker properties for ApkServerSideSigner (incl. unit tests)
  • DSS-2148 - Create sample APK files
  • DSS-2149 - System and P11 test for signing
  • DSS-2150 - Build library, publish to Central and remove the bundled sources
  • DSS-2153 - Create skeleton ApkRotateSigner
  • DSS-2154 - Implement ApkRotateSigner
  • DSS-2155 - Create skeleton ApkLineageSigner
  • DSS-2156 - Implement ApkLineageSigner
  • DSS-2157 - Document APK signing in operations guide etc.
  • DSS-2161 - Create skeleton ApkHashSigner
  • DSS-2162 - Support for pre-request in ApkHashSigner
  • DSS-2163 - Create skeleton APK handler in SignClient
  • DSS-2164 - Add the extraoptions for APK signing to APK handler
  • DSS-2165 - Parse APKHashSigner pre-response
  • DSS-2166 - Implement APK signing logic in SignClient
  • DSS-2167 - Implement minimal JCA provider sending signature requests from within SignClient
  • DSS-2168 - Implement system tests + P11 tests using SignClient for APK signing
  • DSS-2169 - Detect APK as filetype in SignClient
  • DSS-2173 - Add options for setting capabilities when using ApkRotateSigner
  • DSS-2174 - Rename NEXT_SIGNSERS to OTHER_SIGNERS
  • DSS-2175 - Implement ECDSA support in our APK signing provider
  • DSS-2176 - Properly make use of the SignClient internal infrastructure for sending the signature requests from the APK signing provider
  • DSS-2182 - Support for multiple signature algorithms in the provider

Improvements

  • DSS-2114 - SignClient distribution packages should include edition in file name
  • DSS-2143 - Upgrade to Jsign 3.1
  • DSS-2152 - Code cleanup after DSS-2147
  • DSS-2177 - Update checksum field of Portable Executables
  • DSS-2200 - Make deterministic sort order in jars-list.txt
  • DSS-2217 - Upgrade dependency: Jackson
  • DSS-2218 - Bump version of various dependencies
  • DSS-2221 - Put manifest in beginning and include directory entries in signed JARs

Bug Fixes

  • DSS-2142 - Changing INCLUDE_CERTIFICATE_LEVELS not taking effect for MSI files
  • DSS-2158 - Some MSI files can not be signed and verified properly if signature is not smaller than 4096 bytes
  • DSS-2183 - SignClient prints "File Not Found" on Windows (still/again)
  • DSS-2184 - PKCS#10 Certificate Signing Requests from AdminWeb are not linewrapped
  • DSS-2185 - ApkRotateSignerTest uses internal API
  • DSS-2191 - HelloApk contains files in META-INF that causes warnings when verifying