SignServer 5.7 Release Notes
JULY 2021
The PrimeKey SignServer team is pleased to announce the release of SignServer 5.7.
This release introduces support for PAdES and XAdES signature formats including all ETSI Baseline levels complying with EU eIDAS regulation for Advanced Electronic Signatures.
In the code signing area, SignServer 5.7 adds support for Microsoft CAT file signing. Further, the RSASSA-PSS algorithm is now supported for use with client-side hashing, relevant for firmware signing use cases, among others.
Deployment options include SignServer Hardware Appliance and SignServer Cloud.
Highlights
PAdES Signature Format
SignServer 5.7 supports Baseline Signature Levels for PAdES as defined in ETSI EN 319 142. This includes signature levels PAdES-B, PAdES-T, PAdES-LT, and PAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation.
Level PAdES-B includes a document signature only. Level PAdES-T also includes a timestamp. In addition to the timestamp, level PAdES-LT also includes certificate revocation information. Level PAdES-LTA adds an additional timestamp and is suited for long-term archiving of documents.
SignServer support for the PAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.
XAdES Signature Format
SignServer 5.7 supports Baseline Signature Levels for XAdES as defined in ETSI EN 319 132. This includes signature levels XAdES-B, XAdES-T, XAdES-LT, and XAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation. Level XAdES-B includes a document signature only. Level XAdES-T also includes a timestamp. In addition to the timestamp, level XAdES-LT also includes certificate revocation information. Level XAdES-LTA adds an additional timestamp and is suited for long-term archiving of documents.
XAdES signatures may be generated using different signature packaging modes, including ENVELOPED and DETACHED. SignServer support for the XAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.
Microsoft CAT File Signing
The SignServer MS Authenticode Signer now supports signing of Microsoft CAT files. The file type is automatically detected by SignServer. For more information, see MS Authenticode Signer and the Authenticode Code Signing Technical How-to.
RSASSA-PSS with Client-Side Hashing Supported in P11NG
SignServer 5.7 adds support for RSASSA-PSS with client-side hashing (NONEwithRSAandMGF1) similar to what has been supported in previous versions for NONEwithRSA. The RSASSA-PSS algorithm requires use of the P11NG provider (JackNJI11CryptoToken). For more information, see Client-Side Hashing.
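The following added example (not SignServer code) shows why RSASSA-PSS works with client-side hashing: the PSS encoding from RFC 8017 takes only the message digest as input, so the file itself never has to leave the client. The function names are hypothetical, SHA-256 with a 32-byte salt and a 2048-bit key is assumed, and the RSA private-key operation that the crypto token applies to the encoded block is left out.

```python
import hashlib
import hmac
import os

H_LEN = 32  # SHA-256 digest length in bytes

def mgf1(seed, length):
    """MGF1 with SHA-256 (RFC 8017, B.2.1)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // H_LEN)))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(m_hash, em_bits, salt):
    """Signer side: build the PSS block from a digest computed by the client."""
    em_len = -(-em_bits // 8)
    if len(m_hash) != H_LEN or em_len < H_LEN + len(salt) + 2:
        raise ValueError("bad digest length or key too small")
    h = hashlib.sha256(bytes(8) + m_hash + salt).digest()
    db = bytes(em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear bits above em_bits
    return bytes(masked) + h + b"\xbc"

def emsa_pss_verify(message, em, em_bits, salt_len):
    """Verifier side: hashes the full message itself, then checks the block."""
    em_len = -(-em_bits // 8)
    if len(em) != em_len or em_len < H_LEN + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= top
    pad = em_len - H_LEN - salt_len - 2
    if any(db[:pad]) or db[pad] != 0x01:
        return False
    m_hash = hashlib.sha256(message).digest()
    expected = hashlib.sha256(bytes(8) + m_hash + bytes(db[pad + 1:])).digest()
    return hmac.compare_digest(h, expected)

def demo():
    firmware = b"constructed firmware image " * 1000  # sample input, constructed
    digest = hashlib.sha256(firmware).digest()        # only this leaves the client
    em = emsa_pss_encode(digest, 2047, os.urandom(H_LEN))  # 2048-bit key assumed
    return firmware, em
```

Because the signer sees only a digest, it cannot check what was hashed; a verifier that hashes the full file, as `emsa_pss_verify` does, is what ties the signature back to the content.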
Announcements
Deprecation of Java SE 8 as Runtime Environment
The recommended Java runtime environment for SignServer is Java SE 11. Java SE 8 is still supported but is associated with certain limitations. Customers using Java SE 8 are advised to plan for upgrading to Java SE 11. With Java SE 17, the next Long Term Support version of Java, expected to become available later this year, we plan to support Java 11 and Java 17 in the next major version of SignServer.
Upgrade Information
Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.
SignServer 5.7.0 is included in SignServer Hardware Appliance 3.9.0 and SignServer Cloud 1.9.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in SignServer 5.7.0, refer to our JIRA Issue Tracker.
Issues Resolved in 5.7.0
New Features
DSS-2248 - Per-request option for page and signature placement in PDF
DSS-2272 - Signing of Microsoft catalog files
DSS-2281 - PAdES-B baseline profile signature support
DSS-2282 - PAdES-T baseline profile signature support
DSS-2283 - PAdES-LT baseline profile signature support
DSS-2284 - PAdES-LTA baseline profile signature support
DSS-2286 - XAdES-LT baseline profile signature support
DSS-2288 - Add support for the NONEwithRSAandMGF1 (raw RSASSA-PSS) signature algorithm in P11NG
DSS-2290 - Support for overriding properties in the PDF Signer
DSS-2303 - XAdES-B baseline profile signature support
DSS-2304 - XAdES-T baseline profile signature support
DSS-2305 - XAdES-LTA baseline profile signature support
DSS-2337 - Worker property to configure extra/adjust signature size in PAdES
Improvements
DSS-2291 - Document getPKCS10CertificateRequestForAlias2 WS operation
DSS-2295 - Introduce git ignore files and add some IDE specific ignores to SVN
DSS-2298 - Upgrade external dependencies
DSS-2346 - Previous worker name not removed from cache after rename
DSS-2347 - Workers removed from AdminWeb kept in cache
Tasks
DSS-2299 - Add DSS library as dependency
DSS-2300 - Document differences between old PDF Signer and PAdES Signer
DSS-2301 - Create AdES module
DSS-2302 - First Signer implementation (hard coded config)
DSS-2311 - Remove any unneeded DSS dependencies and update JARs/project lists
DSS-2323 - Add support for CRL in PAdES-LT and higher levels
DSS-2327 - Switch from PDFBox to OpenPDF in AdES signer
Bug Fixes
DSS-2197 - Regression: RSASSA-PSS / SHA256withRSAandMGF1 etc. broken with P11NG
DSS-2271 - PDF Signer worker property visible signature resize/scaling naming inconsistency
DSS-2321 - Time-stamp signer test certificate expired
DSS-2325 - Test certificate in dss10_signer3.p12 expired
DSS-2326 - Hardcoded certificate in XMLValidatorTestData expired