The PrimeKey SignServer team is pleased to announce the release of SignServer 5.7.
This release introduces support for PAdES and XAdES signature formats including all ETSI Baseline levels complying with EU eIDAS regulation for Advanced Electronic Signatures.
In the code signing area, SignServer 5.7 adds support for Microsoft CAT file signing. Further, the RSASSA-PSS algorithm is now supported for use with client-side hashing, relevant for firmware signing use cases, among others.
PAdES Signature Format
SignServer 5.7 supports Baseline Signature Levels for PAdES as defined in ETSI EN 319 142. This includes signature levels PAdES-B, PAdES-T, PAdES-LT, and PAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation.
Level PAdES-B includes a document signature only. Level PAdES-T also includes a timestamp. In addition to the timestamp, level PAdES-LT also includes certificate revocation information. Level PAdES-LTA adds an additional timestamp and is suited for long-term archiving of documents.
SignServer support for PAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.
XAdES Signature Format
SignServer 5.7 supports Baseline Signature Levels for XAdES as defined in ETSI EN 319 132. This includes signature levels XAdES-B, XAdES-T, XAdES-LT, and XAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation. Level XAdES-B includes a document signature only. Level XAdES-T also includes a timestamp. In addition to the timestamp, level XAdES-LT also includes certificate revocation information. Level XAdES-LTA adds an additional timestamp and is suited for long-term archiving of documents.
XAdES signatures may be generated using different signature packaging modes, including ENVELOPED and DETACHED. SignServer support for XAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.
Microsoft CAT File Signing
The SignServer MS Authenticode Signer now supports signing of Microsoft CAT files. The file type is automatically detected by SignServer. For more information, see MS Authenticode Signer and the Authenticode Code Signing Technical How-to.
RSASSA-PSS with Client-Side Hashing Supported in P11NG
SignServer 5.7 adds support for RSASSA-PSS with client-side hashing (NONEwithRSAandMGF1) similar to what has been supported in previous versions for NONEwithRSA. The RSASSA-PSS algorithm requires use of the P11NG provider (JackNJI11CryptoToken). For more information, see Client-Side Hashing.
Deprecation of Java SE 8 as Runtime Environment
The recommended Java runtime environment for SignServer is Java SE 11. Java SE 8 is still supported but associated with certain limitations. Customers using Java SE 8 are advised to plan for upgrading to Java SE 11. With Java SE 17 being the next Long Term Support version for Java expected to become available later this year we plan to support Java 11 and Java 17 in the next major version of SignServer.
For upgrade instructions, see Upgrade SignServer.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in SignServer 5.7.0, refer to our JIRA Issue Tracker.
DSS-2248 - Per-request option for page and signature placement in PDF
DSS-2272 - Signing of Microsoft catalog files
DSS-2281 - PAdES-B baseline profile signature support
DSS-2282 - PAdES-T baseline profile signature support
DSS-2283 - PAdES-LT baseline profile signature support
DSS-2284 - PAdES-LTA baseline profile signature support
DSS-2286 - XAdES-LT baseline profile signature support
DSS-2288 - Add support for the NONEwithRSAandMGF1 (raw RSASSA-PSS) signature algorithm in P11NG
DSS-2290 - Support for overriding properties in the PDF Signer
DSS-2303 - XAdES-B baseline profile signature support
DSS-2304 - XAdES-T baseline profile signature support
DSS-2305 - XAdES-LTA baseline profile signature support
DSS-2337 - Worker property to configure extra/adjust signature size in PAdES
DSS-2291 - Document getPKCS10CertificateRequestForAlias2 WS operation
DSS-2295 - Introduce git ignore files and add some IDE specific ignores to SVN
DSS-2298 - Upgrade external dependencies
DSS-2346 - Previous worker name not removed from cache after rename
DSS-2347 - Workers removed from AdminWeb kept in cache
DSS-2299 - Add DSS library as dependency
DSS-2300 - Document differences between old PDF Signer and PAdES Signer
DSS-2301 - Create AdES module
DSS-2302 - First Signer implementation (hard coded config)
DSS-2311 - Remove any unneeded DSS dependencies and update JARs/project lists
DSS-2323 - Add support for CRL in PAdES-LT and higher levels
DSS-2327 - Switch from PDFBox to OpenPDF in AdES signer
DSS-2197 - Regression: RSASSA-PSS / SHA256withRSAandMGF1 etc. broken with P11NG
DSS-2271 - PDF Signer worker property visible signature resize/scaling naming inconsistency
DSS-2321 - Time-stamp signer test certificate expired
DSS-2325 - Test certificate in dss10_signer3.p12 expired
DSS-2326 - Hardcoded certificate in XMLValidatorTestData expired