Skip to main content
Skip table of contents

SignServer 7.6 Release Notes

FEBRUARY 2026

The SignServer team is pleased to announce the release of SignServer 7.6.0.

This release of SignServer adds support for composite certificates, addresses some security issues, brings improvements for CloudHSM migrations, and adds support for WildFly 39.

For available deployment types and associated versions, refer to Supported Versions.

Highlights

Composite Certificates

SignServer 7.6.0 adds support for creating composite keys. A composite consists of both a classical-cryptography key (RSA, ECDSA, or EdDSA) and a post-quantum key (ML-DSA-44, ML-DSA-65, or ML-DSA-87). For more information, see SignServer Composite Certificates.

Improved CloudHSM support

SignServer now supports deploying with a CloudHSM with existing keys in the HSM. For configuring existing CloudHSM keys to be available in SignServer, see P11NG Crypto Token.

Worker Configurations

SignServer 7.6.0 adds the option to configure a worker as read-only through the remote interfaces. Additionally, there is an option to specify the starting number for auto-generated worker IDs. For property configuration instructions, see Worker ID configuration in Deploy-time Configuration.

Announcements

Bouncy Castle Upgrade

Bouncy Castle has been upgraded to version 1.83. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.

Security Issues

SignServer 7.6.0 resolves a security issue affecting file writing

Keyfactor rates the severity as medium with a CVSS score of CVSS 6.9. Once 7.6.0 has been generally available across all platforms for at least two weeks, a CVE with the identifier CVE-2026-25825 will be published.

SignServer 7.6.0 resolves a security issue affecting information disclosure

Keyfactor rates the severity as medium with a CVSS score of CVSS 4.6. Once 7.6.0 has been generally available across all platforms for at least two weeks, a CVE with the identifier CVE-2026-25826 will be published.

SignServer 7.6.0 resolves a security issue affecting file enumeration

Keyfactor rates the severity as medium with a CVSS score of CVSS 5.1. Once 7.6.0 has been generally available across all platforms for at least two weeks, a CVE with the identifier CVE-2026-25827 will be published.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

Support for WildFly 39

SignServer 7.6.0 introduces support for WildFly 39.0.1. For more information on software requirements, see Installation Prerequisites.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in SignServer 7.6.0.

Issues Resolved in 7.6.0

February 2026

New Features

DSS-3350 Introduce new role for managed API calls by deploy-time configuration

DSS-3351 Support for read-only workers by deploy-time configuration

DSS-3352 Option to disallow the 'allow-any admin' setting by deploy-time configuration

DSS-3353 Support for making generated worker IDs start at a higher value by deploy-time configuration

DSS-3536 Sign with Extended CMSSigner and composite key

DSS-3635 Add support for the remaining composite algorithms supported by EJBCA and create test suite for all supported composite algorithms

Improvements

DSS-3500 Fix different base image being used for Ant download & Introduce ARG in Dockerfile to use the same everywhere

DSS-3522 Upgrade to BC 1.83

DSS-3526 Upgrade to P11NG 0.27.0

DSS-3559 Update copyright year for 2026

DSS-3565 Managed REST module should not startup if Managed roles are configured incorrectly

DSS-3571 Expose startup probe configuration in values.yaml for the SignServer Helm

DSS-3609 Support WildFly 39.0.1.Final and upgrade container to use it

DSS-3632 Update CloudHSM Docs to demonstrate how to set IDs of existing keys

Bug Fixes

DSS-3317 Make the SignServer Container runnable by other UID than 0 and 10001

DSS-3495 Regression: SoftHSM Clenkins job now broken with older SoftHSM version after fix supporting newer versions

DSS-3507 Regression: Failing timed services can cause excessive log output and increasing heap space usage

DSS-3610 Worker Name property is case sensitive when updating using different interfaces and allows duplicated worker names

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close