The SignServer team is pleased to announce the release of SignServer 6.2. This release extends the SignServer REST API with new endpoints for management of SignServer workers. SignServer 6.2 also supports Microsoft CAB file signing and HSM integration for post-quantum signing. Several improvements and error corrections are also included. 

Deployment options include SignServer Software Appliance, SignServer Hardware Appliance, and SignServer Cloud.


Post-Quantum Signing with HSM Support

SignServer supports the Dilithium and SPHINCS+ NIST post-quantum candidate algorithms since SignServer 6.0. SignServer 6.2 now introduces support for the use of a hardware security module (HSM) with support for the Dilithium algorithm. Since Dilithium is not part of the PKCS11 standard, it requires an HSM vendor-defined extension in the PKCS11 interface. For information about supported HSM vendors and models, contact Keyfactor.

Signatures by SignServer using the Dilithium algorithm integrated with an HSM may also be verified using the post-quantum verifier app on GitHub. For more information and instructions, see Post-quantum Code Signing How-to.

Note that the NIST post-quantum candidate algorithm is suitable for non-production use only. NIST standardization is planned for completion in 2024 and the Dilithium algorithm can be used for proof-of-concept (PoC) and post-quantum transition preparation activities until then.

REST API Extensions

The REST API in SignServer 6.2 has been extended with new endpoints and methods for managing SignServer Workers from external systems. The new methods can typically be used for automating SignServer setup as part of DevOps processes.

The API extensions enable use cases such as creating or reconfiguring Crypto Tokens and Signers in SignServer. Initiating signing operations through the REST API has been supported since SignServer 6.0. For more information about the SignServer REST API, see SignServer REST Interface.

Cabinet (CAB) File Support

The SignServer MS Authenticode Signer is now extended with support for signing Microsoft cabinet (CAB) files.


Deprecation of DSA Algorithm

The use of the DSA algorithm in SignServer is deprecated as of SignServer 6.2. DSA algorithm support is scheduled to be removed in an upcoming release, and users are advised to use other algorithms in its place.

Upgrade Information

Review the SignServer Upgrade Notes for important upgrade information. For upgrade instructions, see Upgrade SignServer.

SignServer 6.2 is included in SignServer Software Appliance 2.5, SignServer Hardware Appliance 3.13, and SignServer Cloud 2.0.

Change Log: Resolved Issues

The following lists fixed bugs and implemented features in SignServer 6.2.

Issues Resolved in 6.2

Released December 2023

New Features

DSS-2274 - Microsoft Cabinet file signing

DSS-2632 - Support for overriding worker properties in AdESSigner

DSS-2636 - Support for SignServer REST interface in SignClient

DSS-2656 - Add REST operations for adding, replacing, updating or removing worker configurations

DSS-2677 - Dilithium support with HSM integration

DSS-2683 - LMS signing support with HSM integration

DSS-2691 - Convert one test case from using remote EJB to REST(Admin Operation)

DSS-2696 - As an administrator I would like to use the REST API to be able to Add, Update, Replace and Remove a worker and to Reload the configuration


DSS-2610 - Publish documentation on used libraries/software bill of materials

DSS-2649 - Convert one test case from using remote EJB to REST(Client Operation)

DSS-2654 - Add new property "-baseurlpath" for protocols HTTP, Client WS and Web Services

DSS-2673 - Upgrade BC to 1.75, x509-common-util 0.10.5, P11NG 0.5.4 and JackNJI11 1.2.7

DSS-2686 - Upgrade BC in Post Quantum verifier app for SignServer 6.2 compatibility and verify end to end PQ signing

DSS-2692 - Add CONTRIBUTING guidelines PR #57

DSS-2700 - Add the REST interface OpenAPI document to the repository/release bundle

Bug Fixes

DSS-2645 - Test failures for REST interface in CE

DSS-2682 - Script to download depencecies not yet published to Maven Repositories is absent in source distribution

DSS-2687 - CAB compliance test failing

DSS-2707 - Issue providing truststore to SignClient with protocol REST