
SignServer 7.3 Release Notes

JUNE 2025

The SignServer team is pleased to announce the release of SignServer 7.3.2.

This release of SignServer brings several new enhancements with expanded REST options, migration options, and production-ready PQC support. Several CVEs and bugs have also been addressed.

These release notes cover new features and improvements implemented in SignServer 7.3.0, SignServer 7.3.1, and SignServer 7.3.2 (SignServer 7.3.0 and SignServer 7.3.1 were internal releases, not generally available for customers).

For available deployment options and associated versions, refer to Supported Versions.

Highlights

NIST Approved Quantum-Safe Algorithm Support on Fortanix

This is the first release of SignServer to include end-to-end testing with an HSM provider using the recently standardized quantum-safe algorithms, ML-DSA and SLH-DSA. Customers using the Fortanix CryptoToken implementation in SignServer can use these new algorithms today. As 2025 progresses and P11 standards are completed, more providers will be added.

Soft Migration to P11NG Crypto Token

SignServer 7.3.2 includes an option for customers to experiment with switching from the legacy PKCS#11 provider to the newer P11NG implementation in SignServer, which has been the recommended P11 implementation in SignServer for the last several years. This new Migration feature makes it easy to test using P11NG without committing to the full migration.

We encourage customers to take advantage of this tool as the older PKCS#11 provider will eventually be deprecated in a future release.

For more information, see Soft Migration to P11NG Crypto Token.

REST API Extensions

This release of SignServer includes an enhancement to the REST API that allows users to pass files directly to be signed. This makes it very easy to integrate signing into CI/CD pipeline scenarios where it may not be convenient to install signclient.

For more information, see REST Interface.

WildFly 35 Support

SignServer now includes support for the WildFly 35 application server.

Announcements

Security Issues

SignServer 7.3.2 resolves a security issue affecting file enumeration

Keyfactor rates the issue as having a severity level of low with a CVSS score of 2.4. Once 7.3.2 has been generally available across all platforms for at least two weeks, a CVE with the identifier CVE-2025-47220 will be published.

SignServer 7.3.2 resolves a security issue affecting file writing

Keyfactor rates the severity as medium with a CVSS score of 6.1. Once 7.3.2 has been generally available across all platforms for at least two weeks, a CVE with the identifier CVE-2025-47221 will be published.

SignServer 7.3.2 resolves a security issue affecting class name enumeration

Keyfactor rates the severity as low with a CVSS score of 2.4. Once 7.3.2 has been generally available across all platforms for at least two weeks, a CVE with the identifier CVE-2025-47222 will be published.

Customers can learn more at Keyfactor Support.

Bouncy Castle Upgrade

Bouncy Castle has been upgraded to version 1.80. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in SignServer 7.3.

Issues Resolved in 7.3.2

Released June 2025

Improvement

DSS-3076 Container: KFC - Add OIDC support extension in WildFly

Bug Fixes

DSS-3227 Duplicate error message when PDFSigner custom image path is misconfigured

DSS-3249 Regression: PDFSigner fails signing if visible signature is configured using file path

Issues Resolved in 7.3.1

Released Internally June 2025

Patched found vulnerabilities

Issues Resolved in 7.3.0

Released Internally May 2025

New Features

DSS-2803 Add Support for Thales DPOD for SignServer container

DSS-3014 Support for NONEwithRSAandMGF1 in SignumSigner

DSS-3069 Add support for WildFly 35.0.1.Final

DSS-3094 Contribution: Transaction support for signing and timed service (#111)

DSS-3117 Add support for running SignServer with all existing PKCS11 CryptoTokens instead backed by P11NG

Improvements

DSS-2798 Add support to REST for signing uploaded files

DSS-3077 Upgrade to BC 1.80 + KFC libraries

DSS-3104 Switch container base image to main keyfactor-commons/wildfly (using WF 35)

DSS-3105 Add support for AWS CloudHSM in container

DSS-3135 Implement KFC CryptoToken changes in SignServer for ML-DSA support in Fortanix

DSS-3155 Update container to use upgraded base image for SignServer 7.3.0

DSS-3178 Update documentation link on public web to http://docs.keyfactor.com

Bug Fixes

DSS-2879 Can not sign (time-stamp) using Ed25519 with SoftHSM

DSS-3047 Regression: "Issue singing certificate" from EJBCA with peers/keybinding fails with only dummy cert in token

DSS-3119 OneTimeEJBCACAConnector and RenewalWorker etc., relying on EjbcaWS/mTLS unsupported with P11NG

DSS-3120 OneTimeCryptoToken not working with P11NG

DSS-3139 OCSP required by AdESSigner even if signer certificate only has CRL, when level >= LT

DSS-3152 Make SunPKCS11 wrapper available from unnamed module for SignServer-DatabaseCLI to work with Java 17+
