SignServer 7.1 Release Notes
NOVEMBER 2024
The SignServer team is pleased to announce the release of SignServer 7.1.1.
SignServer 7.1 includes support for NIST-approved quantum-safe algorithms ML-DSA and SLH-DSA, the first completed standards from NIST’s post-quantum cryptography (PQC) standardization project. The release also expands Microsoft AppX bundle signing support and addresses a potential security issue.
These release notes cover new features and improvements implemented in SignServer 7.1.0 and SignServer 7.1.1 (SignServer 7.1.0 was an internal release, not generally available for customers).
SignServer 7 introduced support for an upgraded technology stack, requiring WildFly 32 or JBoss EAP 8 as the application server and Java 17 as the runtime environment. For more information, see the SignServer 7.0 Release Notes.
For available deployment options and associated versions, refer to Supported Versions.
Highlights
NIST Approved Quantum-Safe Algorithms ML-DSA and SLH-DSA
As of SignServer 7.1, NIST-approved implementations of both the ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) algorithms have been added. These will replace the quantum-safe candidate algorithms Dilithium and SPHINCS+ that existed previously.
Added AppX bundle signing support
It is now possible to sign Microsoft AppX bundle formats, such as MSIX, directly with the AppX Signer and AppX CMS Signer in SignServer, eliminating the need for extra processing outside of the application.
Announcements
Security Issues
The SignServer team would like to thank an external reporter for notifying us about a potential disclosure of non-confidential information through the REST API: the existence of workers could be revealed, which goes against OWASP best practices. This has been corrected as of SignServer 7.1.
Upgrade Information
Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.
Change Log: Resolved Issues
The following lists implemented features and fixed issues in SignServer 7.1.0 and SignServer 7.1.1.
Issues Resolved in 7.1.1
Released November 2024
Bug Fixes
DSS-2961 PlainSigner produces incorrect signatures for data larger than 4096 bytes when using AzureKeyVaultCryptoToken
DSS-2963 AKV: Signing of large files broken with PlainSigner using AzureKeyVault as the crypto token puts all data in memory before hashing
Issues Resolved in 7.1.0
Released November 2024
New Features
DSS-2858 Replace ML-DSA to SignServer
DSS-2866 Replace SLH-DSA to SignServer
Improvements
DSS-2790 Extend Support of the AppX Signer to support bundle signing
DSS-2855 Implement BC Beta 1.79
DSS-2856 Remove All Experimental PQ from SignServer
DSS-2857 Implement final BC PQC Production version ~1.79
DSS-2890 Upgrade commons-io:commons-io to 2.14.0 or later
DSS-2893 Refactor checks on top of all REST API methods
DSS-2895 Upgrade BC Beta version for 7.1 Beta release (BC release October 25th, 2024)
DSS-2901 Add tests and documentation for APPX bundle signing
DSS-2934 Add default signature algorithm for SLH-DSA and ML-DSA when signing