July 2026
The SignServer team is pleased to announce the release of SignServer 7.8.
This release of SignServer brings additional PGP signing capability, new signing guides, and an automatic reload option for clustering.
For available deployment types and associated versions, refer to Supported Versions.
Highlights
HSM Improvements and Additional Support
Additional HSM Support for PGP Signing
SignServer now supports PGP signing for certain HSMs, such as AWS CloudHSM, that do not store PKCS#11 certificate objects.
Since these HSMs cannot store PKCS#11 certificate objects, PGP signing and CSR generation cannot rely on certificate metadata from the HSM to determine the key creation date. To be able to create keys for PGP signing, a creation date is required, which can be set with KEY_START_DATE.keyalias=YYYYMMDD Worker property. For more information, see P11NG Crypto Token.
Extending Support when Renewing Internal Key Binding Keys during Certificate Renewal
When a peer connection between SignServer and EJBCA is set up with an HSM that does not store PKCS#11 certificate objects, renewing internal key binding keys alongside the renewal of a certificate expects an existing certificate to be present in order to generate the new certificate and key pair. With no available certificate reference in the HSM (such as with AWS Cloud HSMs), this request failed.
Support for renewing keys alongside certificate objects for these types of HSMs was added by deriving the new certificate and key pair structure based on the specification of the existing key pair in question (if not explicitly requested by the user or configured in the Worker). See Peer Systems.
Signing Guides for Git Commits & Debsigs
This release adds guides for signing Git commits and for signing debsigs.
Signing Git commits has security and integration benefits, bolstering infrastructure integrity or setting up secure automation for poicies in developmental pipelines. See Sign Git Commits.
Signing debsigs, the process signatures in .deb packages, cryptographically secures their integrity and authenticates their origin. See Sign with Debsigs.
Automatic Reload for Shared Database (Clustering)
This release improves deploying SignServer in a clustered environment. SignServer now has improved clustering SignServer with one shared database. By default, configuration changes made on one node are not automatically applied to other nodes. A new automatic reload feature allows for a more scalable environment and reduced operational overhead. You can set automatic configuration reload through the ha.reloadconfig.enabled property in the deploy-time configuration.
See Multiple SignServer Nodes Sharing the Same Database.
Upgrade Information
Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.
Change Log: Resolved Issues
The following lists implemented features and fixed issues in SignServer 7.8.
Issues Resolved in 7.8
Released July 2026
New Features
DSS-3702 Add reload of cluster nodes to the admin interfaces
DSS-3774 Support for PGP signing with AWS Cloud HSM
DSS-3784 Introduce clustering mode where configuration is reloaded periodically
DSS-3785 Improve clustering mode to only reload changed configurations
DSS-3803 Add support to Renew Internal Key Binding Key During Certificate Renewal with AWS Cloud HSM
DSS-3834 Support for Git and Debian debsigs signing with SignWrapper GPG
Improvements
DSS-3657 Container: Set mandatory properties in the container in a default property file so they will not be mandatory in the user's deploy properties
Bug Fixes
DSS-3744 Hibernate error when using MS SQL Server and starting up SignServer with a non-empty database