SignServer 5.3 Release Notes

The PrimeKey SignServer team is pleased to announce the release of SignServer 5.3.0.

This release brings support for APPX and Domain Name System Security Extensions (DNSSEC) signing.

Highlights

APPX Signing

SignServer Enterprise now supports APPX signing using the new signers Appx Signer and Appx CMS Signer.

APPX is a Microsoft application distribution file format for Universal Windows Platform (UWP) apps introduced with Microsoft Windows 8.

DNSSEC Signing

SignServer Enterprise now supports signing DNS zone files according to the DNSSEC standard using the new signers ZoneFileServerSideSigner, ZoneZipFileServerSideSigner and ZoneHashSigner.

DNS Security Extensions (DNSSEC) is a valuable tool for improving the trust and integrity of the Domain Name System (DNS) by adding security on top of it.

Upgrade Information

No database changes are required for this release.

Review the SignServer Upgrade Notes for important information on changes and requirements to be aware of when upgrading SignServer. For upgrade instructions, see Upgrade SignServer.

SignServer 5.3 is included in Appliance version 3.4.4. For more information, refer to the PKI Appliance Release Notes.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.3, refer to our JIRA Issue Tracker.

Issues Resolved in 5.3.0

Released January 2020

    New Features

    DSS-2065 - Implement APPX Signing

    DSS-2030 - Initial SignClient support for Zone signing

    DSS-2032 - Initial Zone File server-side signer

    DSS-2028 - Implement resigning avoidance algorithm in ZoneZipFile server-side signer

    DSS-2026 - Releasable Zone File server-side signer

    DSS-2046 - Fix issue in DNS Java library when PKCS#11 is used

    DSS-2078 - Option to specify min remaining validity time for zone file signing with SignClient

    DSS-2029 - Basic Zone Hash Signer

    DSS-2027 - Basic ZoneZipFile server-side signer

    DSS-2068 - Initial support for sending a pre-request in the SignClient file-specific handler SPI

    Tasks

    DSS-2107 - Update copyright year for 2020

    DSS-2038 - Add the DNSSEC library

    DSS-2036 - Create new module: SignServer-DNSSEC-Signer

    DSS-2035 - Create new module: SignServer-DNSSEC-Common

    DSS-2037 - Create new skeleton signer: ZoneFileServerSideSigner

    DSS-2031 - Test resigning avoidance algorithm with SignClient client-side

    Improvements

    DSS-2025 - Improved bulk key generation in Admin Web

    DSS-2053 - Remove hardcoded TTL values from ZoneFileServerSideSigner

    DSS-2054 - Different output from SignServer vs. dnssec-signzone for customer provided zone file

    DSS-2057 - Refactor out duplicated code from ZoneZipFileServerSideSigner & ZoneFileServerSideSigner

    DSS-2063 - Fix OOM error when running ZoneFileSigner with large input

    DSS-2066 - Implement tests for APPX

    DSS-2070 - Cleanup and refactor the initial SignClient support for Zone signing

    DSS-2071 - Proper Zone Hash Signer

    DSS-2080 - Document zone signing options in SignClient with client-side hashing

    DSS-2086 - Set path to WildFly 14 as default for running system tests from within the IDE

    DSS-2088 - Implement test code helper for APPX verification

    DSS-2091 - AppxCMSSigner should fail if FILE_TYPE request metadata property is not the expected

    DSS-2101 - Security Hardening

    DSS-2103 - Print KSK DNSKEY entries in status output

    DSS-2106 - Build SignClient dist as part of release target

    DSS-2111 - Keep publishing the previous ZSK

    Bug Fixes

    DSS-2052 - Different output from SignServer vs. dnssec-signzone for one entry

    DSS-2067 - BaseZoneFileSignerServerSideSigner has fields changed during processing

    DSS-2069 - ZoneZipSigningAlgorithmTest does not verify the signature at 'fixed time' causing test failure

    DSS-2072 - Expired certificate in junit tests causes test failures

    DSS-2090 - Zone file signing test failures with NoClassDefFoundError after merge to trunk

    DSS-2092 - Getting NegativeArrayIndexException with large APPX package