SignServer 5.7 Release Notes

JULY 2021

The PrimeKey SignServer team is pleased to announce the release of SignServer 5.7.

This release introduces support for PAdES and XAdES signature formats including all ETSI Baseline levels complying with EU eIDAS regulation for Advanced Electronic Signatures.

In the code signing area, SignServer 5.7 adds support for Microsoft CAT file signing. Further, the RSASSA-PSS algorithm is now supported for use with client-side hashing, relevant for firmware signing use cases, among others.

Deployment options include SignServer Hardware Appliance and SignServer Cloud.

Highlights

PAdES Signature Format

SignServer 5.7 supports Baseline Signature Levels for PAdES as defined in ETSI EN 319 142. This includes signature levels PAdES-B, PAdES-T, PAdES-LT, and PAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation.

Level PAdES-B includes a document signature only. Level PAdES-T also includes a timestamp. In addition to the timestamp, level PAdES-LT also includes certificate revocation information. Level PAdES-LTA adds an additional timestamp and is suited for long-term archiving of documents.

SignServer support for the PAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.

XAdES Signature Format

SignServer 5.7 supports Baseline Signature Levels for XAdES as defined in ETSI EN 319 132. This includes signature levels XAdES-B, XAdES-T, XAdES-LT, and XAdES-LTA. These signature formats fulfill the requirements for Advanced Electronic Signatures as per the EU eIDAS regulation. Level XAdES-B includes a document signature only. Level XAdES-T also includes a timestamp. In addition to the timestamp, level XAdES-LT also includes certificate revocation information. Level XAdES-LTA adds an additional timestamp and is suited for long-term archiving of documents.

XAdES signatures may be generated using different signature packaging modes, including ENVELOPED and DETACHED. SignServer support for the XAdES signature format is implemented in the new AdES Signer. For more information, see AdES Signer.

Microsoft CAT File Signing

The SignServer MS Authenticode Signer now supports signing of Microsoft CAT files. The file type is automatically detected by SignServer. For more information, see MS Authenticode Signer and the Authenticode Code Signing Technical How-to.

RSASSA-PSS with Client-Side Hashing Supported in P11NG

SignServer 5.7 adds support for RSASSA-PSS with client-side hashing (NONEwithRSAandMGF1), similar to what previous versions have supported for NONEwithRSA. The RSASSA-PSS algorithm requires the use of the P11NG provider (JackNJI11CryptoToken). For more information, see Client-Side Hashing.

Announcements

Deprecation of Java SE 8 as Runtime Environment

The recommended Java runtime environment for SignServer is Java SE 11. Java SE 8 is still supported but associated with certain limitations. Customers using Java SE 8 are advised to plan for upgrading to Java SE 11. With Java SE 17, the next Long Term Support version of Java, expected to become available later this year, we plan to support Java 11 and Java 17 in the next major version of SignServer.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

SignServer 5.7.0 is included in SignServer Hardware Appliance 3.9.0 and SignServer Cloud 1.9.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.7.0, refer to our JIRA Issue Tracker.

Issues Resolved in 5.7.0

Released July 2021

    New Features

    DSS-2248 - Per-request option for page and signature placement in PDF

    DSS-2272 - Signing of Microsoft catalog files

    DSS-2281 - PAdES-B baseline profile signature support

    DSS-2282 - PAdES-T baseline profile signature support

    DSS-2283 - PAdES-LT baseline profile signature support

    DSS-2284 - PAdES-LTA baseline profile signature support

    DSS-2286 - XAdES-LT baseline profile signature support

    DSS-2288 - Add support for the NONEwithRSAandMGF1 (raw RSASSA-PSS) signature algorithm in P11NG

    DSS-2290 - Support for overriding properties in the PDF Signer

    DSS-2303 - XAdES-B baseline profile signature support

    DSS-2304 - XAdES-T baseline profile signature support

    DSS-2305 - XAdES-LTA baseline profile signature support

    DSS-2337 - Worker property to configure extra/adjust signature size in PAdES

    Improvements

    DSS-2291 - Document getPKCS10CertificateRequestForAlias2 WS operation

    DSS-2295 - Introduce git ignore files and add some IDE specific ignores to SVN

    DSS-2298 - Upgrade external dependencies

    DSS-2346 - Previous worker name not removed from cache after rename

    DSS-2347 - Workers removed from AdminWeb kept in cache

    Tasks

    DSS-2299 - Add DSS library as dependency

    DSS-2300 - Document differences between old PDF Signer and PAdES Signer

    DSS-2301 - Create AdES module

    DSS-2302 - First Signer implementation (hard coded config)

    DSS-2311 - Remove any unneeded DSS dependencies and update JARs/project lists

    DSS-2323 - Add support for CRL in PAdES-LT and higher levels

    DSS-2327 - Switch from PDFBox to OpenPDF in AdES signer

    Bug Fixes

    DSS-2197 - Regression: RSASSA-PSS / SHA256withRSAandMGF1 etc. broken with P11NG

    DSS-2271 - PDF Signer worker property visible signature resize/scaling naming inconsistency

    DSS-2321 - Time-stamp signer test certificate expired

    DSS-2325 - Test certificate in dss10_signer3.p12 expired

    DSS-2326 - Hardcoded certificate in XMLValidatorTestData expired