SignServer 7.7 Release Notes

MAY 2026

The SignServer team is pleased to announce the release of SignServer 7.7.0.

This release of SignServer brings new features for the JWT Authorizer, External μ for post-quantum signing, a new Signer for Windows files, new REST endpoints, and improvements to the Helm Chart.

For available deployment types and associated versions, refer to Supported Versions.

Highlights

Key URL Support in JWT Authorizer

The JWT Authorizer now supports dynamically fetching trusted public keys from a JWKS endpoint. This is useful when the IdP, such as Microsoft Entra ID, rotates its public keys. The JWT Authorizer can be configured with the trusted URL where the authorization server’s public keys can be found. In addition, a JWKS cache has been introduced to cache the keys per issuer.

For more information, see JWT Authorizer.
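The following sketch is an added example, not SignServer code: it shows one way a per-issuer JWKS cache can follow IdP key rotation while only ever fetching from the configured trusted URL. The class name, the `ttl` and `min_refresh` settings, and the sample issuer and key IDs are assumptions made for illustration.

```python
import time


class JwksCache:
    """Caches JWKS keys per issuer; each issuer maps to one configured URL."""

    def __init__(self, trusted_urls, fetch, ttl=3600, min_refresh=60,
                 clock=time.monotonic):
        self.trusted_urls = trusted_urls  # issuer -> JWKS URL from configuration
        self.fetch = fetch                # callable(url) -> parsed JWKS dict
        self.ttl = ttl                    # hypothetical: max age of an entry (s)
        self.min_refresh = min_refresh    # hypothetical: min gap between refetches
        self.clock = clock
        self.entries = {}                 # issuer -> (fetched_at, {kid: jwk})

    def _refresh(self, issuer):
        jwks = self.fetch(self.trusted_urls[issuer])
        keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self.entries[issuer] = (self.clock(), keys)
        return keys

    def get_key(self, issuer, kid):
        # The URL is looked up from configuration, never taken from the token.
        if issuer not in self.trusted_urls:
            raise KeyError(f"untrusted issuer: {issuer}")
        now = self.clock()
        fetched_at, keys = self.entries.get(issuer, (None, {}))
        if fetched_at is None or now - fetched_at > self.ttl:
            keys = self._refresh(issuer)
        elif kid not in keys and now - fetched_at >= self.min_refresh:
            # Unknown kid may mean the IdP rotated keys: refetch, rate-limited
            # so tokens with random kids cannot force a fetch per request.
            keys = self._refresh(issuer)
        if kid not in keys:
            raise KeyError(f"no key {kid!r} for issuer {issuer}")
        return keys[kid]


# Constructed sample: one issuer whose key set is later rotated.
ISSUER = "https://idp.example/tenant"
JWKS_URL = ISSUER + "/keys"
OLD_SET = {"keys": [{"kid": "2026-04", "kty": "RSA"}]}
NEW_SET = {"keys": OLD_SET["keys"] + [{"kid": "2026-05", "kty": "RSA"}]}

if __name__ == "__main__":
    cache = JwksCache({ISSUER: JWKS_URL}, lambda url: NEW_SET)
    print(cache.get_key(ISSUER, "2026-05"))
```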

External μ Support with ML-DSA and Composites

SignServer introduces initial support for post-quantum client-side hashing. When using ML-DSA keys, the data or file is structured together with a provided public key in base64 encoding to calculate an External μ value, which is then signed on the server-side.

ML-DSA External μ can be used explicitly or implicitly, similar to client-side hashing, where the signature algorithm should be set to ML-DSA-EXTERNAL-MU alongside the other required parameters for performing the signing request.

Support has been added for ML-DSA, as well as for composite algorithms, using the Plain Signer and the Keystore Crypto Token. Support will be expanded to the P11NG Crypto Token in a future release.

For an example of signing with ML-DSA External μ, see Code Signing with Client-side Hashing.
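As an added illustration (not SignServer or SignClient code), the sketch below computes μ for pure ML-DSA as FIPS 204 defines it: tr = SHAKE256(pk, 64) and μ = SHAKE256(tr || 0x00 || len(ctx) || ctx || M, 64). It assumes the base64 value decodes to the raw FIPS 204 public-key encoding (a key wrapped in SubjectPublicKeyInfo would need unwrapping first) and an empty context by default; the function name and sample values are constructed for the example.

```python
import base64
import hashlib

MU_LEN = 64  # FIPS 204: tr and mu are both 64-byte SHAKE256 outputs


def external_mu(public_key_b64, chunks, ctx=b""):
    """Return mu = SHAKE256(tr || M', 64) for pure ML-DSA.

    public_key_b64: base64 of the raw FIPS 204 public-key encoding (assumed).
    chunks: iterable of bytes, so a large file never has to fit in memory.
    """
    if len(ctx) > 255:
        raise ValueError("ML-DSA context string is limited to 255 bytes")
    public_key = base64.b64decode(public_key_b64, validate=True)
    # tr = SHAKE256(pk, 64) binds mu to exactly one public key.
    tr = hashlib.shake_256(public_key).digest(MU_LEN)
    h = hashlib.shake_256(tr)
    # M' = 0x00 || len(ctx) || ctx || M; the leading 0x00 marks pure ML-DSA.
    h.update(bytes([0, len(ctx)]) + ctx)
    for chunk in chunks:
        h.update(chunk)
    return h.digest(MU_LEN)


# Constructed stand-in with the ML-DSA-65 public-key length (1952 bytes).
# It is not a real key; mu only needs the encoded bytes.
SAMPLE_PK_B64 = base64.b64encode(bytes(i % 251 for i in range(1952))).decode()
SAMPLE_FILE = [b"constructed release artifact, part 1\n", b"part 2\n"]

if __name__ == "__main__":
    mu = external_mu(SAMPLE_PK_B64, SAMPLE_FILE)
    print(len(mu), "bytes sent for signing:", mu.hex())
```

Because tr is derived from the public key, a μ computed against the wrong key yields a signature that fails verification under the intended one, so the client must use the public key of the exact signing key.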

New MS Signer

This release introduces a new experimental signer, MS Signer, which signs Windows files in Microsoft Authenticode format. It supports all existing file types handled by the MS Authenticode Signer and APPX Signer.

MS Signer is under active development. Some file formats and configurations may not behave as expected in the current release. Support for more file types, as well as client-side hashing, will be added in a future release.

For more information, see MS Signer.

New REST Endpoints

SignServer extends the supported REST endpoints with endpoints providing the public key as well as authorized certificates.

For more information, see Client REST Interface.

Added Support for SAN Values in CSR

Certain signing tools, such as cosign, require that the certificate include a Subject Alternative Name (SAN). SignServer has added support for providing an email address as a SAN value during CSR generation. The support has been added for the REST, Admin CLI, and Admin Web interfaces.

For Admin Web information, see Workers CSR Page.

Improved Support for RPM Signing

Improvements have been made to RPM signing. SignServer now supports large files and client-side hashing for RPM signing.

For large file support, see SignClient signdocument command.

For client-side hashing, see Code Signing with RPM Signatures and Code Signing with Client-side Hashing.

Improvements to Helm Chart

This release includes improved guides for deploying Thales Luna, Utimaco, and Entrust nShield Connect HSMs, as well as the possibility to define custom deploy properties and secrets in the values.yaml file.

See SignServer Container Set documentation.

Recommended: NGINX Reverse Proxy. Kubernetes has announced the retirement of Ingress NGINX. The NGINX reverse proxy as a sidecar container is the recommended replacement for Ingress NGINX. For setup, see Configure a Reverse Proxy in SignServer.

Announcements

Bouncy Castle Upgrade

Bouncy Castle has been upgraded to version 1.84. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in SignServer 7.7.0.

Issues Resolved in 7.7.0

May 2026

New Features

DSS-3192 Add support for using a key URL to the JWT Authorizer

DSS-3320 Support for handling large input with the new -stdin flag

DSS-3387 Support for “-clientside” flag in SignClient in combination with the new “-stdin” flag

DSS-3475 Support for clientside hashing with PlainSigner and ML-DSA-EXTERNAL-MU

DSS-3535 Support for Composite signature in PlainSigner

DSS-3550 Support Generating SAN values in CSR

DSS-3579 Add support for NGINX as reverse proxy in SignServer Helm Chart

DSS-3633 Delete composite key

DSS-3689 Add get public key endpoint

DSS-3692 Add new Authenticode Signer using Jsign for all formats

Improvements

DSS-3243 OIDC environment variables for container

DSS-3310 Remove bundled selenium from SignServer

DSS-3383 Upgrade JJWT library

DSS-3668 Change loggings in CompositeHelper on each usage of a non-composite key to DEBUG

DSS-3688 Client-side hashing support for composites

DSS-3725 Update base image in container build for 7.7.0 release

DSS-3740 Upgrade log4j libs to version 2.25.4

Bug Fixes

DSS-3644 Can’t set composite key as a default key in CryptoToken.

DSS-3727 Regression: Container: 1G of memory not enough to deploy in WildFly
