SignServer 6.2 Release Notes

DECEMBER 2023

The SignServer team is pleased to announce the release of SignServer 6.2. This release extends the SignServer REST API with new endpoints for management of SignServer workers. SignServer 6.2 also supports Microsoft CAB file signing and HSM integration for post-quantum signing. Several improvements and error corrections are also included. 

Deployment options include SignServer Software Appliance, SignServer Hardware Appliance, and SignServer Cloud.

Highlights

Post-Quantum Signing with HSM Support

SignServer supports the Dilithium and SPHINCS+ NIST post-quantum candidate algorithms since SignServer 6.0. SignServer 6.2 now introduces support for the use of a hardware security module (HSM) with support for the Dilithium algorithm. Since Dilithium is not part of the PKCS11 standard, it requires an HSM vendor-defined extension in the PKCS11 interface. For information about supported HSM vendors and models, contact Keyfactor.

Signatures by SignServer using the Dilithium algorithm integrated with an HSM may also be verified using the post-quantum verifier app on GitHub. For more information and instructions, see Post-quantum Code Signing How-to.

Note that the NIST post-quantum candidate algorithm is suitable for non-production use only. NIST standardization is planned for completion in 2024 and the Dilithium algorithm can be used for proof-of-concept (PoC) and post-quantum transition preparation activities until then.

REST API Extensions

The REST API in SignServer 6.2 has been extended with new endpoints and methods for managing SignServer Workers from external systems. The new methods can typically be used for automating SignServer setup as part of DevOps processes.

The API extensions enable use cases such as creating or reconfiguring Crypto Tokens and Signers in SignServer. Initiating signing operations through the REST API has been supported since SignServer 6.0. For more information about the SignServer REST API, see SignServer REST Interface.

Cabinet (CAB) File Support

The SignServer MS Authenticode Signer is now extended with support for signing Microsoft cabinet (CAB) files.

Announcements

Deprecation of DSA Algorithm

The use of the DSA algorithm in SignServer is deprecated as of SignServer 6.2. DSA algorithm support is scheduled to be removed in an upcoming release, and users are advised to use other algorithms in its place.

Upgrade Information

Review the SignServer Upgrade Notes for important upgrade information. For upgrade instructions, see Upgrade SignServer.

SignServer 6.2 is included in SignServer Software Appliance 2.5, SignServer Hardware Appliance 3.13, and SignServer Cloud 2.0.

Change Log: Resolved Issues

The following lists fixed bugs and implemented features in SignServer 6.2.

Issues Resolved in 6.2