JULY 2021

The PrimeKey SignServer team is pleased to announce the release of SignServer 5.7.

This release introduces support for PAdES and XAdES signature formats including all ETSI Baseline levels complying with EU eIDAS regulation for Advanced Electronic Signatures.

In the code signing area, SignServer 5.7 adds support for Microsoft CAT file signing. Further, the RSASSA-PSS algorithm is now supported for use with client-side hashing, relevant for firmware signing use cases, among others.

Deployment options include SignServer Hardware Appliance and SignServer Cloud.

Highlights

PAdES Signature Format

SignServer 5.7 supports Baseline Signature Levels for PAdES as defined in ETSI EN 319 142. This includes signature levels PAdES-B, PAdES-T, PAdES-LT, and PAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation.

Level PAdES-B includes a document signature only. Level PAdES-T also includes a timestamp. In addition to the timestamp, level PAdES-LT also includes certificate revocation information. Level PAdES-LTA adds an additional timestamp and is suited for long-term archiving of documents.

SignServer support for the PAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.

XAdES Signature Format

SignServer 5.7 supports Baseline Signature Levels for XAdES as defined in ETSI EN 319 132. This includes signature levels XAdES-B, XAdES-T, XAdES-LT, and XAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation.

Level XAdES-B includes a document signature only. Level XAdES-T also includes a timestamp. In addition to the timestamp, level XAdES-LT also includes certificate revocation information. Level XAdES-LTA adds an additional timestamp and is suited for long-term archiving of documents.

XAdES signatures may be generated using different signature packaging modes, including ENVELOPED and DETACHED.

SignServer support for the XAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.

Microsoft CAT File Signing

The SignServer MS Authenticode Signer now supports signing of Microsoft CAT files. The file type is automatically detected by SignServer. For more information, see MS Authenticode Signer and the Authenticode Code Signing Technical How-to.

RSASSA-PSS with Client-Side Hashing Supported in P11NG

SignServer 5.7 adds support for RSASSA-PSS with client-side hashing (NONEwithRSAandMGF1), similar to what previous versions have supported for NONEwithRSA. The RSASSA-PSS algorithm requires use of the P11NG provider (JackNJI11CryptoToken). For more information, see Client-Side Hashing.

Announcements

Deprecation of Java SE 8 as Runtime Environment

The recommended Java runtime environment for SignServer is Java SE 11. Java SE 8 is still supported but associated with certain limitations. Customers using Java SE 8 are advised to plan for upgrading to Java SE 11. Java SE 17, the next Long Term Support version of Java, is expected to become available later this year, and we plan to support Java 11 and Java 17 in the next major version of SignServer.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

SignServer 5.7.0 is included in SignServer Hardware Appliance 3.9.0 and SignServer Cloud 1.9.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.7.0, refer to our JIRA Issue Tracker.

Issues Resolved in 5.7.0

Released July 2021

New Features

DSS-2248 - Per-request option for page and signature placement in PDF

DSS-2272 - Signing of Microsoft catalog files

DSS-2281 - PAdES-B baseline profile signature support

DSS-2282 - PAdES-T baseline profile signature support

DSS-2283 - PAdES-LT baseline profile signature support

DSS-2284 - PAdES-LTA baseline profile signature support

DSS-2286 - XAdES-LT baseline profile signature support

DSS-2288 - Add support for the NONEwithRSAandMGF1 (raw RSASSA-PSS) signature algorithm in P11NG

DSS-2290 - Support for overriding properties in the PDF Signer

DSS-2303 - XAdES-B baseline profile signature support

DSS-2304 - XAdES-T baseline profile signature support

DSS-2305 - XAdES-LTA baseline profile signature support

DSS-2337 - Worker property to configure extra/adjust signature size in PAdES

Improvements

DSS-2291 - Document getPKCS10CertificateRequestForAlias2 WS operation

DSS-2295 - Introduce git ignore files and add some IDE specific ignores to SVN

DSS-2298 - Upgrade external dependencies

DSS-2346 - Previous worker name not removed from cache after rename

DSS-2347 - Workers removed from AdminWeb kept in cache

Tasks

DSS-2299 - Add DSS library as dependency

DSS-2300 - Document differences between old PDF Signer and PAdES Signer

DSS-2301 - Create AdES module

DSS-2302 - First Signer implementation (hard coded config)

DSS-2311 - Remove any unneeded DSS dependencies and update JARs/project lists

DSS-2323 - Add support for CRL in PAdES-LT and higher levels

DSS-2327 - Switch from PDFBox to OpenPDF in AdES signer

Bug Fixes

DSS-2197 - Regression: RSASSA-PSS / SHA256withRSAandMGF1 etc. broken with P11NG

DSS-2271 - PDF Signer worker property visible signature resize/scaling naming inconsistency

DSS-2321 - Time-stamp signer test certificate expired

DSS-2325 - Test certificate in dss10_signer3.p12 expired

DSS-2326 - Hardcoded certificate in XMLValidatorTestData expired