
SignServer 7.5 Release Notes

DECEMBER 2025

The SignServer team is pleased to announce the release of SignServer 7.5.0.

This release of SignServer brings new features for the CMS Signer as well as the Authenticode Signer. The release also includes some technology upgrades with the added support of Java 21 and WildFly 38. SignServer 7.5 also extends PQ HSM support with the addition of Entrust nShield 5c.

For available deployment types and associated versions, refer to Supported Versions.

Highlights

New CMS Signing features

Configurable Signature Algorithm

The Extended CMS Signer now supports explicitly setting the signature algorithm to rsaEncryption. This is controlled with the USE_LEGACY_RSA_ENCRYPTION_OID property in the worker configuration.

Optional Exclusion of NULL Parameters in Message Digest

A new option allows the message digest algorithm parameters to be encoded as <ABSENT> rather than NULL during client-side hashing. This behavior is enabled by setting EXCLUDE_NULL_PARAMETERS_FROM_MESSAGE_DIGEST to true.

For more information, see Extended CMS Signer.
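The two encodings this option chooses between, as an added example that is not SignServer code: it builds the DER AlgorithmIdentifier for the SHA-2 digests with NULL and with absent parameters, and classifies an encoded one so the output of a signing run can be checked. All function names are hypothetical.

```python
# Added example: the SHA-2 AlgorithmIdentifier with NULL vs. absent parameters.
SHA2_OIDS = {"SHA-256": "2.16.840.1.101.3.4.2.1",
             "SHA-384": "2.16.840.1.101.3.4.2.2",
             "SHA-512": "2.16.840.1.101.3.4.2.3"}

def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_algorithm_identifier(dotted, null_params):
    """SEQUENCE { OID, NULL } when null_params is true, else SEQUENCE { OID }."""
    body = encode_oid(dotted) + (b"\x05\x00" if null_params else b"")
    return bytes([0x30, len(body)]) + body

def read_tlv(data, offset=0):
    """Return (tag, value, next_offset); short-form lengths only."""
    if offset + 2 > len(data) or data[offset + 1] & 0x80:
        raise ValueError("truncated or long-form length")
    end = offset + 2 + data[offset + 1]
    if end > len(data):
        raise ValueError("value runs past end of input")
    return data[offset], data[offset + 2:end], end

def decode_oid(body):
    """Turn DER OID content bytes back into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def classify_parameters(der):
    """Return (dotted_oid, 'NULL' | 'ABSENT' | 'OTHER') for a DER AlgorithmIdentifier."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid, pos = read_tlv(seq)
    if tag != 0x06 or not oid:
        raise ValueError("expected an algorithm OID")
    rest = seq[pos:]
    return decode_oid(oid), "ABSENT" if not rest else "NULL" if rest == b"\x05\x00" else "OTHER"
```

The encodings differ only in the trailing `05 00` and the SEQUENCE length byte, so a consumer that compares AlgorithmIdentifier bytes instead of parsing them will treat the two forms as different algorithms.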

New Authenticode Signing feature

Authenticode Signers now use a default implementation based on JSign to embed signatures into MSI and MSIX files. To revert to the legacy embedding method, set the USE_LEGACY_MSAUTHCODE property to true in the configuration.

For more information, see Client-Side Hashing | Authenticode Signing.

Technology upgrades

SignServer 7.5.0 now supports running on Java 21, in addition to Java 17. It also adds compatibility with WildFly 38, alongside existing support for WildFly 32 and WildFly 35.

Certain limitations have been identified when using Legacy XAdES or PKCS11CryptoToken under Java 21. Review your configuration and test thoroughly before deploying in production.

Announcements

Bouncy Castle Upgrade

Bouncy Castle has been upgraded to version 1.82. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.

Post-quantum Cryptography Support with Entrust nShield 5c

SignServer 7.5.0 extends post-quantum cryptography support for HSMs by adding support for ML-DSA algorithms with the Entrust nShield 5c HSM. See Interoperability.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

In SignServer 7.4.0, databaseprotection.properties using P11NG or SunPKCS11 failed during startup with an error about a missing property. This issue is resolved in SignServer 7.5.0 and does not affect earlier versions.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in SignServer 7.5.0.

Issues Resolved in 7.5.0

December 2025

New Features

DSS-2130 Option in CMS Signer for specifying signature algorithm as rsaEncryption

DSS-3293 Option in CMS Signer to not add NULL for SHA-2

Improvements

DSS-3195 Add option to switch between using own implementation or Jsign for MSI in SignClient with client-side hashing + upgrading POI

DSS-3298 Merge epic branch for official java 21 support

DSS-3314 Community: Remove unused method with known race condition

DSS-3347 Support latest WildFly 37 version and upgrade base container image with it for November milestone

DSS-3348 Upgrade JNA to 5.12.1

DSS-3355 Upgrade to container base image with Java 21

DSS-3362 Upgrade to BC 1.82 + KFC libraries

DSS-3429 Fix ClientCertAuthorizerRdnTest failures introduced when running Java 21

DSS-3451 Support latest WildFly 38 version and upgrade base container image with it for November milestone

DSS-3476 Do not include SpcSpOpusInfo object in Authenticode signatures if both program name and URL are empty

Bugs

DSS-3158 Fix community/customer build failures due to service-manifest-builder

DSS-3412 Our legacy webtests needs updating to work after the introduction of login page and session

DSS-3430 SignServer Container having double JRE installations and pulls in additional dependencies

DSS-3453 Jenkins jobs P11NG_with_DB_Protection and SunP11_with_DB_Protection are using soft keys

DSS-3454 Regression: Database protection using P11NG or SunPKCS11 gives configuration error and stops deployment

DSS-3492 Regression: SignServer requires the OIDC extension in the application server even if OIDC is not going to be used
