The SignServer team is pleased to announce the release of SignServer 6.0.
This release includes advancements in IoT security, post-quantum readiness, and improved interoperability.
Deployment options include SignServer Hardware Appliance, SignServer Software Appliance, and SignServer Cloud.
SignServer 6 includes a REST interface for signing operations. The REST interface supports all existing authorizers. Future versions of SignServer will extend the functionality of the SignServer REST interface and new integrations are recommended to use the REST interface rather than SOAP/HTTP.
SignServer 6 adds support for the Dilithium candidate algorithm in CMS Signer. The final standard for the Dilithium algorithm is planned to be released by NIST during 2024 and the candidate algorithm shall not be used for production purposes. Still, with the support for the Dilithium candidate algorithm in SignServer, customers can prepare for the transition to quantum-safe algorithms. The Keyfactor Post Quantum Signature Verifier App on GitHub has been extended with support for the Dilithium candidate algorithm and can be used to test algorithms. For more information, see the guide Post-Quantum Code Signing How-to.
In SignServer 6 the Extended CMS Signer supports CMS re-signing. This enables using a combination of multiple algorithms in CMS signing. By signing data with one algorithm and then applying the output from the first signing operation as input in a second operation targeting an Extended CMS Signer configured for re-signing using a different algorithm, the output of the second signing operation will contain two signatures using different signing algorithms. CMS re-signing can be used for crypto-agile CMS signing in general and specifically in the transition to post-quantum algorithms. The decision to validate one or both signatures is made wherever the signature is used, for example in a secure firmware update scenario.
As a new major version the technology stack supported by SignServer 6 includes some important updates compared to SignServer 5. SignServer 6 supports running on Java 17 in addition to Java 11. Running on WildFly 26 as the application server is also supported and the SignServer use of application server is based on JEE8. Bouncy Castle has been upgraded to version 1.73.
Running on Java 8 not supported
Running on Java 8 has previously been deprecated in SignServer 5 and SignServer 6 does not support running on Java 8.
Old application servers not supported
Running SignServer 6 on WildFly 9, 10, 11, and 14 as well as JBoss EAP 7.0, 7.1, 7.2, 7.3 is not supported.
OOXML signer and ODF signer not supported
The OOXML signer and ODF signer have previously been deprecated and are not supported in SignServer 6.
Review the SignServer Upgrade Notes for important upgrade information. For upgrade instructions, see Upgrade SignServer.
SignServer 6.0 is included in SignServer Software Appliance 2.4 and SignServer Cloud 1.14. SignServer 6.0 will also be included in the SignServer Hardware Appliance 3.12 release.
Change Log: Resolved Issues
The following lists fixed bugs and implemented features in SignServer 6.0.
Released June 2023
DSS-2643 - Startup with audit log signing enabled using PKCS11CryptoToken broken after x509-common-utils migration
Released June 2023
DSS-2458 - Support for WildFly 26
DSS-2522 - Option to choose hash algorithm and to request certificate in performance test client
DSS-2529 - Use of other signature algorithm than SIGNATUREALGORITHM property for peers/remote key binding initiated signing requests
DSS-2538 - Dilithium algorithm support in CMS Signer
DSS-2539 - Support for CRYSTALS-Dilithium in Post Quantum verifier app
DSS-2560 - Add global configuration option to not display statuses on the workers page
DSS-2562 - CMS Signer re-signing support
DSS-2568 - Support for running on Java 17
DSS-2615 - Implement REST interface
DSS-1921 - Switch default time-stamp format for MSAuthCodeSigner to RFC3161
DSS-2104 - Remove AdminGUI standalone application
DSS-2552 - Upgrade to Jakarta EE 8 API
DSS-2553 - Switch Java source level to 11
DSS-2555 - Upgrade BC to 1.73
DSS-2559 - Increase Zone file signers admin performance and options for disabling checks
DSS-2561 - Rename JackNJI11CryptoToken to P11NGCryptoToken
DSS-2564 - Update documentation after dropping Java 8 support
DSS-2565 - Drop support for older application servers
DSS-2566 - Drop support for OOXML signer
DSS-2567 - Drop support for ODF signer
DSS-2574 - First preliminary import of P11NG build from KFC
DSS-2577 - Upgrade library
DSS-2579 - Add script for manually installing dependencies that are not yet in Central repo
DSS-2581 - Upgrade to Jakarta XML Web Services (still using javax namespace)
DSS-2582 - Upgrade OpenPDF to 1.3.30
DSS-2587 - Upgrade jjwt to 0.11.5 and jackson to 220.127.116.11
DSS-2592 - Upgrade cxf to 3.5.5 and httpcomponents and jetty etc.
DSS-2594 - Upgrade xmlsec to 2.2.3
DSS-2597 - Contribution: Fix typo in error message of SignClient
DSS-2603 - Second preliminary import of P11NG build from EJBCA/KFC
DSS-2609 - Updated SignServer logo based on Keyfactor rebranding
DSS-2611 - UI dropdowns for PQ algorithms
DSS-2616 - Upgrade Xalan to 2.7.3
DSS-2617 - EJBCA Peer connection support for TLS 1.3
DSS-2621 - Exclude SignServer release notes from release package
DSS-2527 - SignServer changes the uploaded file name if contains special characters like "ä"
DSS-2550 - Drop support for patched JRE/SunPKCS11 and re-enable Javadoc building in Java 11
DSS-2551 - Remove SHA1 and DSA from JArchive Unit tests and enable ECDSA tests
DSS-2554 - Split tests for Debian Dpkg-sig signer to fix CE failures in jenkins
DSS-2573 - Regression: BC version number not updated in jboss-deployment-structure.xml
DSS-2580 - Keys not listed with P11NG Crypto Token after activation until after 2 min or after a new key is generated
DSS-2602 - Regression: Webtest DssQa97_SelectAllCheckbox fails on generate CSR page
DSS-2607 - Regression on running SignServer 6.0.0.Alpha3 from container - KFC issue
DSS-2624 - Regression: SunP11 broken with Java 17 also in EE after P11NG 0.1.1 upgrade (Part of DSS-2614)
DSS-2627 - Generating CSR using Dilithium not working