JUNE 2023

The SignServer team is pleased to announce the release of SignServer 6.0.

This release includes advancements in IoT security, post-quantum readiness, and improved interoperability.

Deployment options include SignServer Hardware Appliance, SignServer Software Appliance, and SignServer Cloud.

Highlights

REST Interface

SignServer 6 includes a REST interface for signing operations. The REST interface supports all existing authorizers. Future versions of SignServer will extend the functionality of the REST interface, and new integrations are recommended to use it rather than SOAP/HTTP.

Post-Quantum Readiness

SignServer 6 adds support for the Dilithium candidate algorithm in CMS Signer. The final standard for the Dilithium algorithm is planned to be released by NIST during 2024 and the candidate algorithm shall not be used for production purposes. Still, with the support for the Dilithium candidate algorithm in SignServer, customers can prepare for the transition to quantum-safe algorithms. The Keyfactor Post Quantum Signature Verifier App on GitHub has been extended with support for the Dilithium candidate algorithm and can be used to test algorithms. For more information, see the guide Post-Quantum Code Signing How-to.

CMS re-signing

In SignServer 6, the Extended CMS Signer supports CMS re-signing, which makes it possible to combine multiple algorithms in CMS signing. Data is first signed with one algorithm. The output of that first signing operation is then used as input to a second operation targeting an Extended CMS Signer configured for re-signing with a different algorithm. The output of the second signing operation contains two signatures using different signing algorithms. CMS re-signing can be used for crypto-agile CMS signing in general and specifically in the transition to post-quantum algorithms. The decision to validate one or both signatures is made wherever the signature is used, for example in a secure firmware update scenario.
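The two-step flow described above can be reproduced with the OpenSSL command line to see what the resulting CMS looks like. This is an added example, not SignServer code or configuration: OpenSSL's `cms -sign` and `cms -resign` stand in for the two signers, RSA and ECDSA stand in for the algorithm pair, and all file names, subjects and keys are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added illustration: OpenSSL's CLI stands in for the two signing operations.
# All file names, subjects and keys below are constructed for this demo.
set -eu

# resign_demo DIR: sign with RSA, re-sign that output with ECDSA, verify both
# signatures, then print the signature algorithm of each SignerInfo.
resign_demo() {
  local d="$1"
  printf 'constructed firmware image\n' > "$d/fw.bin"

  # Throwaway self-signed signer certificates, one per algorithm.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-rsa" \
    -keyout "$d/rsa.key" -out "$d/rsa.crt" 2>/dev/null || return 1
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj "/CN=demo-ec" -keyout "$d/ec.key" -out "$d/ec.crt" \
    2>/dev/null || return 1

  # First operation: ordinary CMS signature with the content embedded.
  openssl cms -sign -binary -nodetach -md sha256 -in "$d/fw.bin" \
    -signer "$d/rsa.crt" -inkey "$d/rsa.key" \
    -outform DER -out "$d/one.p7" || return 1

  # Second operation: the first output is the input; a SignerInfo is appended.
  openssl cms -resign -binary -nodetach -md sha256 -inform DER -in "$d/one.p7" \
    -signer "$d/ec.crt" -inkey "$d/ec.key" \
    -outform DER -out "$d/two.p7" || return 1

  # Consumer side, "both must verify" policy: OpenSSL checks every SignerInfo
  # and fails if any one of them does not validate against the trust anchors.
  cat "$d/rsa.crt" "$d/ec.crt" > "$d/trust.pem"
  openssl cms -verify -binary -inform DER -in "$d/two.p7" \
    -CAfile "$d/trust.pem" -out "$d/fw.out" 2>/dev/null || return 1
  cmp -s "$d/fw.bin" "$d/fw.out" || return 1

  # One line per SignerInfo: the line after "signatureAlgorithm:" names it.
  openssl cms -cmsout -print -noout -inform DER -in "$d/two.p7" |
    awk '/signatureAlgorithm:/ { getline; print $2 }'
}

work=$(mktemp -d)
resign_demo "$work"
rm -rf "$work"
```

The verify step here requires every signature to validate; a consumer that accepts either signature alone needs a verifier that evaluates the SignerInfo entries individually.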

Technology upgrades

As a new major version, SignServer 6 includes some important updates to the supported technology stack compared to SignServer 5. SignServer 6 supports running on Java 17 in addition to Java 11. Running on WildFly 26 as the application server is also supported, and SignServer's use of the application server is based on JEE8. Bouncy Castle has been upgraded to version 1.73.

Announcements

Running on Java 8 not supported

Running on Java 8 has previously been deprecated in SignServer 5 and SignServer 6 does not support running on Java 8.

Old application servers not supported

Running SignServer 6 on WildFly 9, 10, 11, and 14 as well as JBoss EAP 7.0, 7.1, 7.2, 7.3 is not supported.

OOXML signer and ODF signer not supported

The OOXML signer and ODF signer have previously been deprecated and are not supported in SignServer 6.

Upgrade Information

Review the SignServer Upgrade Notes for important upgrade information. For upgrade instructions, see Upgrade SignServer.

SignServer 6.0 is included in SignServer Software Appliance 2.4 and SignServer Cloud 1.14. SignServer 6.0 will also be included in the SignServer Hardware Appliance 3.12 release.

Change Log: Resolved Issues

The following lists fixed bugs and implemented features in SignServer 6.0.

Issues Resolved in 6.0.0.1

Released June 2023

Bug Fixes

DSS-2643 - Startup with audit log signing enabled using PKCS11CryptoToken broken after x509-common-utils migration

Issues Resolved in 6.0

Released June 2023

New Features

DSS-2458 - Support for WildFly 26

DSS-2522 - Option to choose hash algorithm and to request certificate in performance test client

DSS-2529 - Use of other signature algorithm than SIGNATUREALGORITHM property for peers/remote key binding initiated signing requests

DSS-2538 - Dilithium algorithm support in CMS Signer

DSS-2539 - Support for CRYSTALS-Dilithium in Post Quantum verifier app

DSS-2560 - Add global configuration option to not display statuses on the workers page

DSS-2562 - CMS Signer re-signing support

DSS-2568 - Support for running on Java 17

DSS-2615 - Implement REST interface

Improvements

DSS-1921 - Switch default time-stamp format for MSAuthCodeSigner to RFC3161

DSS-2104 - Remove AdminGUI standalone application

DSS-2552 - Upgrade to Jakarta EE 8 API

DSS-2553 - Switch Java source level to 11

DSS-2555 - Upgrade BC to 1.73

DSS-2559 - Increase Zone file signers admin performance and options for disabling checks

DSS-2561 - Rename JackNJI11CryptoToken to P11NGCryptoToken

DSS-2564 - Update documentation after dropping Java 8 support

DSS-2565 - Drop support for older application servers

DSS-2566 - Drop support for OOXML signer

DSS-2567 - Drop support for ODF signer

DSS-2574 - First preliminary import of P11NG build from KFC

DSS-2577 - Upgrade library

DSS-2579 - Add script for manually installing dependencies that are not yet in Central repo

DSS-2581 - Upgrade to Jakarta XML Web Services (still using javax namespace)

DSS-2582 - Upgrade OpenPDF to 1.3.30

DSS-2587 - Upgrade jjwt to 0.11.5 and jackson to 2.12.6.1

DSS-2592 - Upgrade cxf to 3.5.5 and httpcomponents and jetty etc.

DSS-2594 - Upgrade xmlsec to 2.2.3

DSS-2597 - Contribution: Fix typo in error message of SignClient

DSS-2603 - Second preliminary import of P11NG build from EJBCA/KFC

DSS-2609 - Updated SignServer logo based on Keyfactor rebranding

DSS-2611 - UI dropdowns for PQ algorithms

DSS-2616 - Upgrade Xalan to 2.7.3

DSS-2617 - EJBCA Peer connection support for TLS 1.3

DSS-2621 - Exclude SignServer release notes from release package

Bug Fixes

DSS-2527 - SignServer changes the uploaded file name if contains special characters like "ä"

DSS-2550 - Drop support for patched JRE/SunPKCS11 and re-enable Javadoc building in Java 11

DSS-2551 - Remove SHA1 and DSA from JArchive Unit tests and enable ECDSA tests

DSS-2554 - Split tests for Debian Dpkg-sig signer to fix CE failures in jenkins

DSS-2573 - Regression: BC version number not updated in jboss-deployment-structure.xml

DSS-2580 - Keys not listed with P11NG Crypto Token after activation until after 2 min or after a new key is generated

DSS-2602 - Regression: Webtest DssQa97_SelectAllCheckbox fails on generate CSR page

DSS-2607 - Regression on running SignServer 6.0.0.Alpha3 from container - KFC issue

DSS-2624 - Regression: SunP11 broken with Java 17 also in EE after P11NG 0.1.1 upgrade (Part of DSS-2614)

DSS-2627 - Generating CSR using Dilithium not working