SignServer 7.8 Release Notes

July 2026

The SignServer team is pleased to announce the release of SignServer 7.8.

This release of SignServer brings additional PGP signing capability, new signing guides, and an automatic reload option for clustering.

For available deployment types and associated versions, refer to Supported Versions.

Highlights

HSM Improvements and Additional Support

Additional HSM Support for PGP Signing

SignServer now supports PGP signing for certain HSMs, such as AWS CloudHSM, that do not store PKCS#11 certificate objects.

Since these HSMs cannot store PKCS#11 certificate objects, PGP signing and CSR generation cannot rely on certificate metadata from the HSM to determine the key creation date. To be able to create keys for PGP signing, a creation date is required, which can be set with KEY_START_DATE.keyalias=YYYYMMDD Worker property. For more information, see P11NG Crypto Token.

Extending Support when Renewing Internal Key Binding Keys during Certificate Renewal

When a peer connection between SignServer and EJBCA is set up with an HSM that does not store PKCS#11 certificate objects, renewing internal key binding keys alongside the renewal of a certificate expects an existing certificate to be present in order to generate the new certificate and key pair. With no available certificate reference in the HSM (such as with AWS Cloud HSMs), this request failed.

Support for renewing keys alongside certificate objects for these types of HSMs was added by deriving the new certificate and key pair structure based on the specification of the existing key pair in question (if not explicitly requested by the user or configured in the Worker). See Peer Systems.

Signing Guides for Git Commits & Debsigs

This release adds guides for signing Git commits and for signing debsigs.

Signing Git commits has security and integration benefits, bolstering infrastructure integrity or setting up secure automation for poicies in developmental pipelines. See Sign Git Commits.

Signing debsigs, the process signatures in .deb packages, cryptographically secures their integrity and authenticates their origin. See Sign with Debsigs.

Automatic Reload for Shared Database (Clustering)

This release improves deploying SignServer in a clustered environment. SignServer now has improved clustering SignServer with one shared database. By default, configuration changes made on one node are not automatically applied to other nodes. A new automatic reload feature allows for a more scalable environment and reduced operational overhead. You can set automatic configuration reload through the ha.reloadconfig.enabled property in the deploy-time configuration.

See Multiple SignServer Nodes Sharing the Same Database.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in SignServer 7.8.

Issues Resolved in 7.8

Released July 2026

New Features

DSS-3702 Add reload of cluster nodes to the admin interfaces

DSS-3774 Support for PGP signing with AWS Cloud HSM

DSS-3784 Introduce clustering mode where configuration is reloaded periodically

DSS-3785 Improve clustering mode to only reload changed configurations

DSS-3803 Add support to Renew Internal Key Binding Key During Certificate Renewal with AWS Cloud HSM

DSS-3834 Support for Git and Debian debsigs signing with SignWrapper GPG

Improvements

DSS-3657 Container: Set mandatory properties in the container in a default property file so they will not be mandatory in the user's deploy properties

Bug Fixes

DSS-3744 Hibernate error when using MS SQL Server and starting up SignServer with a non-empty database