SignServer 7.4 Release Notes
OCTOBER 2025
The SignServer team is pleased to announce the release of SignServer 7.4.0.
This release of SignServer brings new integrations for signing macOS and iOS binaries through the new Mac Agent, support for signing RPM packages, and extended support for PQ HSMs. The release also adds support for OAuth for Administration Web access.
The SignServer 7.4 release is available only for container-based deployments. For available deployment types and associated versions, refer to Supported Versions.
Highlights
Mac Agent Integration for macOS and iOS Binary Signing
This release adds a new integration with our Signum product. This integration allows you to configure the signum-util agent to use SignServer as the backend. The new feature also supports using the Signum Mac Agent with any SignServer deployment type. This enables the use of macOS platform signing tools like codesign and productsign using SignServer Enterprise. See macOS Agent.
Support for Red Hat Package Manager (RPM) Packages
This release adds support for RPM signing with our OpenPGP Signer. The standard RPM tool is used to request signing by using the SignWrapper-GPG and SignClient. See Code Signing with RPM Signatures.
Enables HSM-backed PQ Signing
This release continues to expand the product's support for PQ signing. SignServer 7.4.0 supports Thales and Utimaco HSMs in production environments. For the full list of supported HSMs, see Interoperability.
Adds Support for OAuth
This release adds support for OAuth to configure and access the Administration Web of your deployment. A new login page has been added for choosing OAuth to access the Administration Web. See Set up OpenID Connect (OIDC) using Auth0.
Announcements
New Login Page
This release introduces support for OAuth authentication for accessing the Administration Web, while retaining the option to use Client Certificate authentication. A new login page has been added and is available across all deployments. See Login and Logout.
Upgrade Information
Review the SignServer Upgrade Notes for important information about this release.
Change Log: Resolved Issues
The following lists implemented features and fixed issues in SignServer 7.4.0.
Issues Resolved in 7.4.0
Released October 2025
New Features
DSS-3036 Add OIDC support in SignServer container
DSS-3230 Remove requirement for Crypto Workers to have a default key to be active
DSS-3234 Option to remove cmsAlgorithmProtect in ExtendedCMSSigner
DSS-3266 SignClient option for reading input from stdin (working with rpmsign)
DSS-3267 Support for RPM signing using SignWrapper-GPG
DSS-3279 Implement REST endpoints for listing workers/certificates supporting Signum MacOS Agent use case
DSS-3280 Add property to choose to use CRL or OCSP as priority in AdESSigner
Improvements
DSS-1814 PlainSigner should not require certificate
DSS-3025 Disable client certificate-based authorization in Admin web when OIDC is enabled (by adding the oidc.properties file)
DSS-3026 Error handling - oidc.properties file
DSS-3107 Add tests for OIDC implementation
DSS-3114 Remove EU repository cefdigital not needed anymore from pom.xml
DSS-3123 Issue with different provider rules
DSS-3124 Add visibility of authentication type in UI and style login/logout pages
DSS-3125 Add login/logout for client cert auth
DSS-3126 Add login/logout for OAuth
DSS-3147 Add validation of audience and configuration of it in oidc.properties
DSS-3160 Add support for Client side hashing for CAdES signer
DSS-3176 Add examples to OpenAPI and document the form-data fields
DSS-3202 Improve REST documentation
DSS-3224 Move hard coded callerGroupsClaim to oidc.properties
DSS-3226 Support Fortanix RSA with pre computed hash
DSS-3236 Allow caller to customize what's checked in healthcheck
DSS-3264 Change OpenPGPSigners to use RSA_GENERAL instead of RSA_SIGN or make it configurable
DSS-3265 Make OpenPGPSigner generated certificates with ECDSA work for RPM signing
DSS-3274 Change default signature algorithms in PlainSigner when client-side hashing is used
DSS-3294 Upgrade commons-lang3 to 3.18 or later due to CVE
DSS-3316 Change naming of managed key to be supported by AKV
DSS-3374 Upgrade commons-lang3 to 3.18 or later due to CVE
DSS-3392 OIDC callback servlet should not process callbacks when already logged in
DSS-3397 Improve list cert Ids test to not assume a specific order is returned
DSS-3400 Improve oidc.properties.sample
DSS-3402 Security hardening of legacy WS redirects
Bugs
DSS-3088 Documentation for enabling OpenAPI endpoint not working with WildFly 32/35 and EAP 8
DSS-3134 Incorrect "-" instead of "_" in INTERNALLY-DETACHED/INTERNALLY_DETACHED in template and docs
DSS-3146 cspPolicies cause to OIDC logout doesn't work properly in Chrome
DSS-3250 Admin web changes in the OIDC epic introduced new test failures
DSS-3255 Test keystore dss10_signer1.p12 certificate expired Sun Jun 01 16:04:41 CEST 2025
DSS-3276 Authorization rule only imported for one worker when adding multiple using AdminCLI setproperties command
DSS-3345 Regression: Signing with PlainSigner always throws NullPointerException when NOCERTIFICATES=true and debug logging enabled
DSS-3361 PlainSigner set with NOCERTIFICATES=true with a Non existing DEFAULTKEY has Active status but throws an error when signing
DSS-3389 Regression: Status of worker is shown as OFFLINE if NOCERTIFICATES is used but key usage counter is not disabled and the key did not exist when the worker was loaded
DSS-3391 Regression: User name missing in top-right area in AdminWeb when client cert is used
DSS-3403 Regression: x509-common-util pom file breaks container build / pipeline that does not use JFrog repository
DSS-3410 Regression: Worker status reports error about missing key even when key has not been specified