SignServer 5.10 Release Notes
SEPTEMBER 2022
The SignServer team is pleased to announce the release of SignServer 5.10. This release adds support for the EdDSA signature scheme, key wrapping for Elliptic Curves, and post-quantum signing with the SPHINCS+ algorithm candidate implementation in Bouncy Castle.
Deployment options include SignServer Hardware Appliance, SignServer Software Appliance, and SignServer Cloud.
Highlights
EdDSA Support
The Edwards-curve Digital Signature Algorithm (EdDSA) is gaining increased traction and enables a high level of security and performance even on resource-constrained devices. SignServer 5.10 introduces support for generating EdDSA signatures and the algorithms Ed25519 and Ed448 are now supported in the Plain signer, CMS signer, and Time Stamp signer. Use of the EdDSA algorithms requires utilizing the P11NG crypto token as well as HSM support for the selected algorithm.
Key Wrapping Support for Elliptic Curves
The SignServer key wrapping feature was previously limited to RSA keys. As of SignServer 5.10, key wrapping is supported also for EC keys. Use of the key wrapping feature requires utilizing the P11NG crypto token. For more information, see Key Wrapping.
Post-quantum Signing with upgraded SPHINCS+ Algorithm and new Bouncy Castle version
SignServer enables you to prepare for quantum-safe signing by using the NIST Post-Quantum Cryptography (PQC) candidate algorithm SPHINCS+ through Bouncy Castle. Using the CMS Signer and the Keystore Crypto Token together with the SPHINCS+ algorithm allows you to experiment with creating post-quantum keys and signatures. For more information, see the Post-quantum Code Signing How-to.
SignServer 5.10 has upgraded the Bouncy Castle version to 1.71.1 which includes support for the SPHINCS+ v3.1 algorithm.
Upgrade Information
Review the SignServer Upgrade Notes for important upgrade information. For upgrade instructions, see Upgrade SignServer.
SignServer 5.10.0 is included in SignServer Hardware Appliance 3.9.7, SignServer Software Appliance 2.2.2, and SignServer Cloud 1.12.0.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in SignServer 5.10.0, refer to our Jira Issue Tracker.
Issues Resolved in 5.10.0
Released September 2022
New Features
DSS-2341 - Support for other character encodings for signing PowerShell scripts
DSS-2376 - Support for EdDSA with P11NG
DSS-2387 - EC support with P11NG - Support for ECDSA in P11NG tool
DSS-2388 - EC support with P11NG - Support for keywrapping with EC
DSS-2395 - Support for NONEwithECDSA in P11NG
DSS-2479 - Make JArchive Signer available in SignServer CE
Improvements
DSS-1574 - Implement support for SLOTLABEL support in JackNJI11 crypto token implementations
DSS-2366 - Merge improvements with P11NG from EJBCA (7.8.1+)
DSS-2470 - Merge Update README.md (GitHub PR #3)
DSS-2486 - Upgrade BC to 1.71.1
DSS-2487 - Upgrade internal library
Bug Fixes
DSS-2420 - JAR digest calculation for longer entries differs compared to jarsigner
DSS-2421 - Directory entries not kept in signed JAR if marked as compressed
DSS-2430 - JAR signing fails when MANIFEST.MF is not deflated
DSS-2447 - Regression: Error message "Key with ID or label onetime-signer00003-null already exists" using one-time crypto worker
DSS-2468 - Regression: NONEwithRSAandMGF1 broken with P11NG
DSS-2477 - Certain documents with shared objects/streams gets the visible signature page blank after signing
DSS-2480 - Regression: P11NG-tool dependency on EJBException
DSS-2484 - Regression: Unwrapped key generation with P11NG Tool fails after last P11NG merge
DSS-2485 - Regression: P11NG Provider closes sessions in case of error even for 'static session private keys'