SignServer 6.2 Release Notes
DECEMBER 2023
The SignServer team is pleased to announce the release of SignServer 6.2. This release extends the SignServer REST API with new endpoints for management of SignServer workers. SignServer 6.2 also supports Microsoft CAB file signing and HSM integration for post-quantum signing. Several improvements and error corrections are also included.
Deployment options include SignServer Software Appliance, SignServer Hardware Appliance, and SignServer Cloud.
Highlights
Post-Quantum Signing with HSM Support
SignServer has supported the Dilithium and SPHINCS+ NIST post-quantum candidate algorithms since SignServer 6.0. SignServer 6.2 introduces support for using a hardware security module (HSM) that supports the Dilithium algorithm. Since Dilithium is not part of the PKCS11 standard, it requires an HSM vendor-defined extension in the PKCS11 interface. For information about supported HSM vendors and models, contact Keyfactor.
Signatures created by SignServer using the Dilithium algorithm with an HSM can also be verified using the post-quantum verifier app on GitHub. For more information and instructions, see Post-quantum Code Signing How-to.
Note that the NIST post-quantum candidate algorithm is suitable for non-production use only. NIST standardization is planned for completion in 2024 and the Dilithium algorithm can be used for proof-of-concept (PoC) and post-quantum transition preparation activities until then.
REST API Extensions
The REST API in SignServer 6.2 has been extended with new endpoints and methods for managing SignServer Workers from external systems. The new methods can typically be used for automating SignServer setup as part of DevOps processes.
The API extensions enable use cases such as creating or reconfiguring Crypto Tokens and Signers in SignServer. Initiating signing operations through the REST API has been supported since SignServer 6.0. For more information about the SignServer REST API, see SignServer REST Interface.
Cabinet (CAB) File Support
The SignServer MS Authenticode Signer is now extended with support for signing Microsoft cabinet (CAB) files.
Announcements
Deprecation of DSA Algorithm
The use of the DSA algorithm in SignServer is deprecated as of SignServer 6.2. DSA algorithm support is scheduled to be removed in an upcoming release, and users are advised to use other algorithms in its place.
Upgrade Information
Review the SignServer Upgrade Notes for important upgrade information. For upgrade instructions, see Upgrade SignServer.
SignServer 6.2 is included in SignServer Software Appliance 2.5, SignServer Hardware Appliance 3.13, and SignServer Cloud 2.0.
Change Log: Resolved Issues
The following lists fixed bugs and implemented features in SignServer 6.2.
Issues Resolved in 6.2
New Features
DSS-2274 - Microsoft Cabinet file signing
DSS-2632 - Support for overriding worker properties in AdESSigner
DSS-2636 - Support for SignServer REST interface in SignClient
DSS-2656 - Add REST operations for adding, replacing, updating or removing worker configurations
DSS-2677 - Dilithium support with HSM integration
DSS-2683 - LMS signing support with HSM integration
DSS-2691 - Convert one test case from using remote EJB to REST (Admin Operation)
DSS-2696 - As an administrator I would like to use the REST API to be able to Add, Update, Replace and Remove a worker and to Reload the configuration
Improvements
DSS-2610 - Publish documentation on used libraries/software bill of materials
DSS-2649 - Convert one test case from using remote EJB to REST (Client Operation)
DSS-2654 - Add new property "-baseurlpath" for protocols HTTP, Client WS and Web Services
DSS-2673 - Upgrade BC to 1.75, x509-common-util 0.10.5, P11NG 0.5.4 and JackNJI11 1.2.7
DSS-2686 - Upgrade BC in Post Quantum verifier app for SignServer 6.2 compatibility and verify end to end PQ signing
DSS-2692 - Add CONTRIBUTING guidelines PR #57
DSS-2700 - Add the REST interface OpenAPI document to the repository/release bundle
Bug Fixes
DSS-2645 - Test failures for REST interface in CE
DSS-2682 - Script to download dependencies not yet published to Maven Repositories is absent in source distribution
DSS-2687 - CAB compliance test failing
DSS-2707 - Issue providing truststore to SignClient with protocol REST