SignServer 5.3 Release Notes

The PrimeKey SignServer team is pleased to announce the release of SignServer 5.3.0.

This release brings support for APPX and Domain Name System Security Extensions (DNSSEC) signing.

Highlights

APPX Signing

SignServer Enterprise now supports APPX signing using the new signers Appx Signer and Appx CMS Signer.

APPX is a Microsoft application distribution file format for Universal Windows Platform (UWP) apps introduced with Microsoft Windows 8.

DNSSEC Signing

SignServer Enterprise now supports signing DNS zone files according to the DNSSEC standard using the new signers ZoneFileServerSideSigner, ZoneZipFileServerSideSigner and ZoneHashSigner.

DNS Security Extensions (DNSSEC) is a valuable tool for improving the trust and integrity of the Domain Name System (DNS), adding security on top of the Domain Name System (DNS).

Upgrade Information

No database changes are required for this release.

Review the SignServer Upgrade Notes for important information on changes and requirements to be aware of when upgrading SignServer. For upgrade instructions, see Upgrade SignServer.

SignServer 5.3 is included in Appliance version 3.4.4. For more information, refer to the PKI Appliance Release Notes.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.3, refer to our JIRA Issue Tracker.

Issues Resolved in 5.3.0

Released January 2020

New Features

DSS-2065 - Implement APPX Signing

DSS-2030 - Initial SignClient support for Zone signing

DSS-2032 - Initial Zone File server-side signer

DSS-2028 - Implement resigning avoidance algorithm in ZoneZipFile server-side signer

DSS-2026 - Releasable Zone File server-side signer

DSS-2046 - Fix issue in DNS Java library when PKCS#11 is used

DSS-2078 - Option to specify min remaining validity time for zone file signing with SignClient

DSS-2029 - Basic Zone Hash Signer

DSS-2027 - Basic ZoneZipFile server-side signer

DSS-2068 - Initial support for sending a pre-request in the SignClient file-specific handler SPI

Tasks

DSS-2107 - Update copyright year for 2020

DSS-2038 - Add the DNSSEC library

DSS-2036 - Create new module: SignServer-DNSSEC-Signer

DSS-2035 - Create new module: SignServer-DNSSEC-Common

DSS-2037 - Create new skeleton signer: ZoneFileServerSideSigner

DSS-2031 - Test resigning avoidance algorithm with SignClient client-side

Improvements

DSS-2025 - Improved bulk key generation in Admin Web

DSS-2053 - Remove hardcoded TTL values from ZoneFileServerSideSigner

DSS-2054 - Different output from SignServer vs. dnssec-signzone for customer provided zone file

DSS-2057 - Refactor out duplicated code from ZoneZipFileServerSideSigner & ZoneFileServerSideSigner

DSS-2063 - Fix OOM error when running ZoneFileSigner with large input

DSS-2066 - Implement tests for APPX

DSS-2070 - Cleanup and refactor the inital SignClient support for Zone signing

DSS-2071 - Proper Zone Hash Signer

DSS-2080 - Document zone signing options in SignClient with client-side hashing

DSS-2086 - Set path to WildFly 14 as default for running system tests from within the IDE

DSS-2088 - Implement test code helper for APPX verification

DSS-2091 - AppxCMSSigner should fail if FILE_TYPE request metadata property is not the expected

DSS-2101 - Security Hardening

DSS-2103 - Print KSK DNSKEY entries in status output

DSS-2106 - Build SignClient dist as part of release target

DSS-2111 - Keep publishing the previous ZSK

Bug Fixes

DSS-2052 - Different output from SignServer vs. dnssec-signzone for one entry

DSS-2067 - BaseZoneFileSignerServerSideSigner has fields changed during processing

DSS-2069 - ZoneZipSigningAlgorithmTest does not verify the signature at 'fixed time' causing test failure

DSS-2072 - Expired certificate in junit tests causes test failures

DSS-2090 - Zone file signing test failures with NoClassDefFoundError after merge to trunk

DSS-2092 - Getting NegativeArrayIndexException with large APPX package