September 13, 2023
SignPath Application 1.148.2
New Features:
-
Added support for personal API tokens for interactive users. See authentication.
Improvements:
-
Renamed “CI user token” to “Api token” in the user interface and one pre-release API (RegenerateApiToken).
-
Renamed artifact configuration XML attributes productName and productVersion to product-name and product-version, respectively. (Existing spelling is still valid for the current schema version.)
-
The zip archive created when uploading multiple files for signing is now named bundle.zip. See ui-multifile-upload.
-
Renamed “Initial Login Email Address” of interactive users to “Account email address” in the user interface and InteractiveUser pre-release APIs.
Bug Fixes:
-
Fixed a bug that caused files to be submitted separately instead of being part of the bundle.zip when uploading multiple files for signing.
SignPath PowerShell Module 4.3.1
Improvements:
-
Renamed -CIUserToken parameter to -ApiToken. The old name is still valid for this major version (4.x).
Crypto Providers 4.0.0
Breaking Changes / Manual migration steps:
-
Replaced Timeouts.ServiceUnavailable (and SIGNPATH_TIMEOUTS_SERVICE_UNAVAILABLE) configuration value with Timeouts.FirstRetryDelay and Timeouts.RetryCount (see the “Setting configuration values” section in the CryptoProviders documentation for details).
Improvements:
-
Changed the HTTP call error retry strategy to use an exponential back-off mechanism.
-
Added warning logging for failed HTTP calls before retrying.
-
Improved error return value codes for KSP/CSP/Cryptoki functions for HTTP call errors to better express the underlying problem. (See the corresponding “Error return values” sections in the CryptoProviders documentation.)
-
Improved the debug logging output for Cryptoki function calls.
-
Improved the error message for HTTP(S) errors on Linux.
August 21, 2023
SignPath Application 1.147.0
Improvements:
-
Added a “My profile” link in the user menu.
Bug Fixes:
-
Fixed incorrect handling of special characters in artifact file path during malware scanning and during OPC deep signing processing.
Self-hosted Installations 1.147.0
Improvements:
-
Added confirmation prompts in the administration utility for all commands and a -y argument.
-
Added recommendation of master database SQL user creation to “Database logins and permissions” section in documentation.
August 07, 2023
SignPath Application 1.146.0
New Features:
-
Added possibility to upload multiple files in signing request web client UI.
-
Added “Multiple Office files with macros” default artifact configuration, which allows uploading multiple Office files in the user interface.
Improvements:
-
Improved resilience of system against temporary database outages.
Self-hosted Installations 1.146.0
Improvements:
-
Limited the maximum number of events per stored entity to avoid performance bottlenecks.
-
Added chartSettings.signingProcessorService.dotNetGCHeapHardLimit to reduce memory consumption of signingprocessorservice pods.
Bug Fixes:
-
Fixed possible timeouts for long running malware scanning runs via malwareScannerType: signPathMalwareScanningService.
July 13, 2023
SignPath Application 1.145.1
Improvements:
-
Improved /v1-pre/{organizationId}/AuditLog/SigningRequestEvents responses:
- Added originalSigningRequestId for resubmit events.
- Added file name and hash fields for various submission event types.
-
Improved the performance of the /v1-pre/{organizationId}/AuditLog/Events REST API.
Self-hosted Installations 1.145.1
Breaking Changes / Manual migration steps:
-
Changed the recommended Kubernetes version to 1.25 (note that 1.24 will go EOL on 2023-07-28) and the signpathio/kubectl image tag to 1.25.
-
Changed the Web Client authentication ticket lifetime from 14 days to 12 hours. This means that after 12 hours without any request, the Web Client will re-authenticate via OIDC.
Improvements:
-
Allowed using multi-line PEM certificates in chartSettings.trustedRootCertificates / .intermediateCertificates in all Helm Charts.
-
Dropped the supportOptions and signingRequestQueueThrottlingOptions sections (both not relevant for self-hosted installations) in signpath-application values.
-
Removed mandatory SMTP server username/password overrides in the signpath-application values.
-
Reduced the log noise in all web server based containers.
-
Added SigningRequestProcessing-IndividualSignature Application Insights events for hash signing requests.
July 11, 2023
SignPath Application 1.144.1
Improvements:
-
New REST API route: reinvite interactive users /v1-pre/{organizationId}/InteractiveUsers/{id}/Reinvite.
-
New REST API route: /v1-pre/{organizationId}/Projects/{slug}/SetDefaultArtifactConfiguration.
-
Improved performance of REST API and UI HTTP responses.
Self-hosted Installations 1.144.1
Improvements:
-
Improved performance and reduced memory consumption of the signPathMalwareScanningService malware scanning client.
Bug Fixes:
-
Fixed duplicate MalwareScannerOptions__MalwareScannerType config map entries.
June 26, 2023
SignPath Application 1.143.2
Breaking Changes / Manual migration steps:
-
Event Audit Log API (preview): The TrustedBuildSystem.Added event has been renamed to TrustedBuildSystem.CustomAdded.
Self-hosted Installations 1.143.2
Improvements:
-
Reduced memory consumption when signing jar files.
Bug Fixes:
-
Fixed aborted SignService deployments in cases using descheduler for Kubernetes with RemovePodsViolatingTopologySpreadConstraint.
June 14, 2023
Self-hosted Installations 1.142.1
New Features:
-
Added support for optionally moving contents to the Azure Blob store archive tier instead of deleting them.
Improvements:
-
Reduced amount of application logging for Azure Blob content store accesses.
Bug Fixes:
-
Fixed error when accessing Hangfire dashboard in special cases.
May 26, 2023
SignPath Application 1.141.1
Improvements:
-
Malformed hash values in hash signing are now gracefully reported to the API caller.
Bug Fixes:
-
Fixed a problem that caused some signing requests to be stuck in the Queued state.
-
Fixed a problem where some signing request reports were truncated.
Self-hosted Installations 1.141.1
New Features:
-
Added support for client-mediated HA Group Pairing for Luna Network HSMs.
Improvements:
-
Added the “Signing Request Accepted” event to the reported “custom events” in Application Insights.
-
Various performance fixes regarding signing request archive database access.
May 12, 2023
SignPath Application 1.140.3
New Features:
-
Added support for signing Cyclone DX SBOMs.
-
Added support for XML file signing based on the W3C XMLDSig standard.
Bug Fixes:
-
Fixed timeouts that occurred during the creation of signing request reports.
-
Fixed timeouts in the Audit Log API.
SignPath PowerShell Module 4.3.0
New Features:
-
Support for using mutual TLS client certificates specified by a Microsoft template ID.
Self-hosted Installations
Breaking Changes / Manual migration steps:
-
No change required: After the upgrade, the report model database will be automatically built up from scratch. This means that for a while (depending on the number of signing requests) the signing request list in the UI and the CSV report may be incomplete until the report model building has reached the latest signing requests.
April 25, 2023
SignPath Application 1.139.0
Bug Fixes:
-
Fixed a bug that allowed users to be created via the API even though the quota limit has been met.
-
Fixed timeouts in the signing request Audit Log API.
-
Fixed the alignment of the buttons in the artifact configuration panel on the project page.
April 18, 2023
SignPath Application 1.138.0
Improvements:
-
Improved performance in UI when showing long history lists.
Bug Fixes:
-
Fixed potential issue that allowed very long running background tasks to run in parallel.
March 30, 2023
SignPath Application 1.137.0
Improvements:
-
SignPath now explicitly drops any secrets exposed in the build settings by AppVeyor. All affected parties were informed.
Self-hosted Installations 1.137.0
Bug Fixes:
-
Fixed the issue that not all application logging entries reached Application Insights.
-
Fixed missing error reporting details for failed malware scanning service calls.
March 23, 2023
SignPath Application 1.136.3
Improvements:
-
New REST API route /v1-pre/{organizationId}/SigningRequests/{id}/ArtifactDescriptionXml allows retrieving the artifact description XML content for signing requests, including file details for all contained signed files.
-
Added a “Sign artifact” button in the artifact configuration list in the project page.
-
Added “Sign artifact” and “Show signing requests” buttons on the artifact configuration details page.
SignPath PowerShell Module 4.2.1
Improvements:
-
Improved error messages when a wrong URL is provided.
Crypto Providers 3.4.0
Improvements:
-
Cryptoki: Added Cryptoki.DoNotFailOnReadWriteSessions configuration flag to enable compatibility with Cryptoki / PKCS #11 clients which always open the session with the read/write option (e.g. pkcs11-tool in version lower than 0.23).
-
Added documentation for pkcs11-tool usage and Linux Docker container sample scenario.
Self-hosted Installations 1.136.3
Breaking Changes / Manual migration steps:
-
The following configuration values have been moved from appSettings to appSecrets:
- signpath-application value appSettings.shared.applicationInsights.connectionString
- signpath-signservice-<variant> value appSettings.signService.applicationInsights.connectionString
New Features:
-
Added support for automatic artifact deletion after a configurable retention time (disabled by default).
Improvements:
-
The operator user name stored alongside all operations triggered by the administration utility can now be set via an environment variable.
-
Various malware scanning script performance fixes.
March 02, 2023
SignPath Application 1.135.0
New Features:
-
Added support for ECDSA X.509 (key type ecdsa-x509) certificates for Docker Signing.
Improvements:
-
Added new REST API for listing all projects as well as modifying projects, signing policies, and artifact configurations.
-
Improved dashboard loading performance.
Crypto Providers 3.3.0
New Features:
-
Added support for using an HTTP web proxy (Linux and Windows).
Improvements:
-
Improved the error reporting for the sp-register-ksp command (Windows).
Self-hosted Installations 1.135.0
New Features:
-
For Luna and DPoD HSMs, it’s now possible to delete certificate keys on the HSM storage 60 days after the “Delete private key” action. (Note: By default, deleted keys are only recorded for manual deletion.)
Breaking Changes / Manual migration steps:
-
The configuration parameters for NGINX proxy settings in the signpath-application-ingress chart have a new location.
-
Custom malware scanning scripts must now be able to handle two new parameters: -OriginalFileName and -ExecutionTimeout.
Improvements:
-
Added support in the Ingress chart to configure additional annotations on the Ingress resource and to opt-out from the NGINX default annotations.
-
Changed recommended Kubernetes version from 1.23 to 1.24.
-
Updated the signpathio/kubectl container image to include kubectl 1.24.10 (the image is tagged with both 1.24 and 1.24.10).
-
Dropped NGINX session affinity annotations (Note: reverse proxy session affinity has not been a requirement since release 1.133.).
-
Improved signing request triggering latency.
-
Changed the default replica count for hangfireDashboard to 1.
-
Cleaned up the Ingress chart (removed the tests section).
-
Cleaned the SignService Kubernetes Helm Charts (dropped unused sections).
-
The commands in the administration utility were cleaned up.
February 02, 2023
SignPath Application 1.133.0
New Features:
-
Artifact configurations can now be deactivated.
Improvements:
-
New REST API /v1-pre/{organizationId}/Certificates allows listing all certificates.
-
Added REST APIs to modify, activate and deactivate CI Users.
-
HTTP requests where the TCP connection is dropped by the client are now automatically canceled.
Self-hosted Installations 1.133.0
Breaking Changes / Manual migration steps:
-
Added new mandatory database connection strings for the application: DataProtectionDatabase and DataProtectionDatabaseDdl.
- We recommend renaming the ReportModel database to ApplicationShared and using this database in the connection strings ReportModelDatabase, ReportModelDatabaseDdl and the two new connection strings.
- Alternatively, a new database named DataProtection can be created and used.
- See also the “Create databases” and “Data protection keys” sections in the installation guide.
Improvements:
-
Cleaned up and improved the default values in values.yaml in the Kubernetes Helm Charts.
-
Improved the log format for multi-line log messages.
-
Changed the Kubernetes topologySpreadConstraints.maxSkew to 1 to advise K8s to preferably spawn pod replicas on different nodes.
Bug Fixes:
-
Fixed a bug that set maximum number of certificates quota to zero when changing subscriptions in certain cases.
January 12, 2023
SignPath Application 1.132.0
Breaking Changes / Manual migration steps:
-
Within the AuditLog API (preview) response, the metadata.user property has been renamed to metadata.actor.
Improvements:
-
Changed web hooks to be triggered for all final signing request statuses, not only Complete.
-
Improved error reporting when deep-signing MSI files with missing external files.
Bug Fixes:
-
Fixed artifact configuration generation for file names containing special characters like square brackets.
-
Fixed an HTML (non-XSS) injection vulnerability in the UI.
Self-hosted Installations 1.132.0
Improvements:
-
Uploaded artifact files can now be exempt from Windows Defender realtime scanning on Kubernetes hosts.
Bug Fixes:
-
Temporary files during HTTP uploads are now stored in an emptyDir volume, which can improve performance and fix disk usage issues (Kubernetes).
December 13, 2022
SignPath Application 1.130.0
Breaking Changes / Manual migration steps:
-
The Audit Log REST API (preview) /v1-pre/{organizationId}/AuditLog/Events doesn’t include signing request events anymore; instead, they can be retrieved via the new /v1-pre/{organizationId}/AuditLog/SigningRequestEvents route.
New Features:
-
Added support for additional, organization-specific key stores.
Bug Fixes:
-
Signing requests with more than one signing policy are now properly returned in the REST API.
November 29, 2022
SignPath Application 1.129.0
New Features:
-
Enabled Swagger UI for the REST API at /Api/swagger.
Bug Fixes:
-
Fixed bug in elliptic curve certificate generation for the software key store.
Self-hosted Installations 1.129.0
Breaking Changes / Manual migration steps:
-
Renamed signServiceOptions to keyStoreOptions in the following places:
- appSecrets/appSettings.shared.signServiceOptions (also changed the structure)
- appSettings.deletionProcessorService
- appSettings.signingProcessorService
-
Configuration value appSettings.notificationsProcessorService.smtpServerOptions.useSsl has been renamed to .secureSocketMode, and the former false value now corresponds to 'None', while the former true value now corresponds to 'Ssl'.
New Features:
-
Added support for SMTP StartTLS protocol.
-
New AppInsights customEvents for individual signing operations.
November 15, 2022
SignPath Application 1.128.0
New Features:
-
Added possibility to disable malware scanning for individual signing policies.
Improvements:
-
Performance improvement for signing requests using the HSM key store.
-
New REST API routes (preview) to list all CI Users and regenerate CI User tokens.
SignPath PowerShell Module 4.2.0
New Features:
-
Artifact Retrieval: Instead of uploading the artifact file, an HTTPS retrieval link including authentication headers can now be passed to SignPath.
Crypto Providers 3.2.2
Improvements:
-
Linux: Added Debian package signing via dpkg-sig to signing scenarios.
-
Linux: Added Maven GPG signing Docker container sample scenario.
Self-hosted Installations 1.128.0
New Features:
-
New Administration Utility ChangeMultipleSubscriptions command to (partially) update multiple organizations with new subscription options.
-
Added support for including image files in custom notification email styling.
Improvements:
-
The versioning scheme of the Kubernetes Helm Charts has been changed to match the application version.
-
The signService.lunaHsmKeyStoreOptions.slotIndex configuration value is not necessary anymore and can be dropped.
October 13, 2022
SignPath Application 1.126.0
New Features:
-
Verifying that a signing request was submitted from a trusted build system (TBS) is now possible without requiring the TBS to provide origin information.
-
The certificate view now also lists the X509 Issuer, Serial Number, Thumbprint, Key Usage and Extended Key Usage flags for each certificate.
Improvements:
-
Changed the name of the initial artifact configuration when creating projects to “Initial version”.
Self-hosted Installations 1.126.0
Breaking Changes / Manual migration steps:
-
New mandatory chartSettings.malwareScanning.malwareScannerType configuration for signpath-application (Kubernetes only).
-
New mandatory signService.cspWatchdogOptions.keyId app setting for Luna HSM SignService.
New Features:
-
Possibility to configure a custom malware scanning service (via PowerShell adapter script).
-
Luna HSM watchdog key IDs can now be configured.
Bug Fixes:
-
Fixed a bug where multiple Luna HSM watchdog keys were created on first startup (only relevant for Kubernetes installations with multiple replicas).
September 29, 2022
SignPath Application 1.125.0
New Features:
-
Added support for MSIX (Windows app package) signing.
-
Added UI support for Re-submission of signing requests.
Improvements:
-
Added new API routes to change a user’s NotificationEmailAddress and Identity fields.
SignPath PowerShell Module 4.1.3
Improvements:
-
Added a proper return message when an operation is not allowed.
-
Cleaned up the documentation.
Self-hosted Installations 1.125.0
Breaking Changes / Manual migration steps:
-
To continue using the REST API to resubmit signing requests (preview), a feature toggle needs to be enabled for every organization.
September 20, 2022
SignPath Application 1.124.0
New Features:
-
Interactive users can now be created via the REST API.
Improvements:
-
Various small UI/UX improvements:
- Used “email” instead of “e-mail” consistently.
- Entity names are only truncated when there is no more space available on the UI.
- It’s not possible to send empty feedback messages any longer.
- When using the “Copy to clipboard” functionality, a confirmation message is shown.
- When submitting forms, a spinning icon was added to indicate that the request is being processed.
- On pages containing forms, the first input field is automatically focused on.
- The interactive user field “Display Identity” was renamed to “Initial Login Email Address”.
- The mouse cursor now indicates when an element can be interacted with.
- The date and time picker now does not open any more when the input field is focused, making it easier to enter a date using the keyboard.
Crypto Providers 3.2.1
Improvements:
-
Linux: Updated the statically linked dependencies to Boost 1.79.0, OpenSSL 1.1.1n/3.0.5, plog 1.1.8 and zlib 1.2.12
Bug Fixes:
-
Fixed a segmentation fault when using Cryptoki on Linux.
-
Fixed Cryptoki loading error on RedHat Linux v8.
-
Fixed missing CI User token redaction when passed on the command line instead of by configuration.
Self-hosted Installations 1.124.0
Improvements:
-
Improved pairing experience with nShield HSMs.
-
The “HashPassword” functionality doesn’t require a Windows container anymore.
Bug Fixes:
-
Fixed nShield HSM startup error in Kubernetes.
September 01, 2022
SignPath Application 1.123.0
Breaking Changes / Manual migration steps:
-
Compatibility with Internet Explorer 11 has been dropped.
New Features:
-
The artifact description in signing requests now contains the full path of files inside container artifacts.
-
The certificate’s key store ID is now also shown on the certificate details page (needs to be enabled per organization).
Improvements:
-
Modernization of the HTML UI framework including fixes of minor UI glitches.
-
Projects can now be configured to use multiple repository URLs for origin verification.
Bug Fixes:
-
Fixed broken signing request notifications for denied signing requests in special scenarios.
Crypto Providers 3.2.0
Bug Fixes:
-
Fixed Cryptoki loading errors on RedHat Linux 8.6.
August 11, 2022
Crypto Providers 3.1.0
New Features:
-
Collecting information about the invoking process (command line call and user account) is now also supported on Linux.
Bug Fixes:
-
Fixed missing support for libp11 (OpenSSL engine) version 0.4.12.
-
Fixed missing reporting of specific configuration errors (e.g. invalid CI user token registry location).
August 04, 2022
Crypto Providers 3.0.0
Breaking Changes / Manual migration steps:
-
The SIGNPATH_LOG_LEVEL configuration was split into SIGNPATH_LOG_CONSOLE_LEVEL and SIGNPATH_LOG_FILE_LEVEL.
-
The console logging was disabled by default (SIGNPATH_LOG_CONSOLE_LEVEL=none).
New Features:
-
Cryptoki: Added compatibility with gnupg-pkcs11-scd to support GnuPG PGP signing.
Self-hosted Installations 1.121.0
Improvements:
-
Improved error reporting for wrong configurations.
Bug Fixes:
-
Added missing error reporting in the Administration Utility.
July 29, 2022
SignPathDocker PowerShell Module 4.1.4
Bug Fixes:
-
Fixed interoperability problems with the Azure Container Registry.
July 25, 2022
SignPath Application 1.120.0
New Features:
-
Added support for Windows Script Signing.
Improvements:
-
Improved error handling for invalid archives.
Bug Fixes:
-
Fixed bug that prevented project configurators from setting the default artifact configuration.
SignPath PowerShell Module 4.1.1
Improvements:
-
Added references to the online documentation.
Self-hosted Installations 1.120.0
Improvements:
-
Improved the pairing process for Thales Luna and DPoD Cloud HSMs.
-
Added support for Azure Application Insights logging.
July 14, 2022
SignPath Application 1.119.0
New Features:
-
Added the possibility to provide a reason when denying a signing request.
Improvements:
-
Improved error messages when submitting invalid NuGet packages.
Bug Fixes:
-
Fixed a bug that allowed deleting an unsigned artifact that was still referenced by a resubmitted signing request.
Self-hosted Installations 1.119.0
Bug Fixes:
-
Fixed a bug that required self-hosted installations to configure a timestamping server URL for FreeTrial subscriptions.
June 08, 2022
SignPath Application 1.117.0
Bug Fixes:
-
Fixed a potential argument injection vulnerability in the jarsigner call.
-
Fixed a bug that prevented notification email changes from being shown in the history.
May 16, 2022
SignPath Application
Improvements:
-
New REST API route (preview): /v1-pre/{organizationId}/CIUsers/Me returns information about the authenticated CI user.
Self-hosted Installations 1.117.0
Improvements:
-
In Kubernetes installations, an improved migration mode ensures that all container images are ready before the new version starts, ensuring minimal downtime.
May 02, 2022
SignPath Application 1.115.0
Bug Fixes:
-
Fixed Content-Security-Policy rules that prevented some SVG icons from being loaded.
Self-hosted Installations 1.115.0
Breaking Changes / Manual migration steps:
-
A new ReportModel database needs to be created. See the installation guide for more details.
Improvements:
-
Administrators are now prevented from deploying to the wrong color.
-
Added a new /healthzd route to the API that checks the health of the SignServices.
April 14, 2022
Self-hosted Installations 1.114.0
Improvements:
-
Calling SetupDBs.ps1 now prints out a usage message when no parameters are supplied in the Docker Compose setup.
-
Improved default values in configuration files.
March 31, 2022
SignPath Application 1.113.0
Bug Fixes:
-
Fixed a bug that prevented Docker Signing from working when using the Azure Container Registry.
SignPath PowerShell Module 4.1.0
Improvements:
-
An error message is shown when an artifact is no longer available for download.
Self-hosted Installations 1.113.0
New Features:
-
Artifacts can now be deleted using the administration utility.
Improvements:
-
The database connection strings used in the initial setup and during the migration are now read from the configuration files.
March 21, 2022
SignPath Application 1.112.0
Improvements:
-
New REST API route (preview): /v1-pre/{organizationId}/Organization to query organization and quota information.
Crypto Providers 2.1.0
New Features:
-
Support for DPAPI-encrypted CI User tokens.
-
Dedicated support for signing of Microsoft Office macros.
Improvements:
-
Separate versions for 32- and 64-bit architectures.
Self-hosted Installations 1.112.0
Improvements:
-
NShield HSM keys are automatically retargeted to be used for Java signing.
Bug Fixes:
-
Fixed Malware Scanner warnings on startup on Windows Server machines using Docker Compose.
March 03, 2022
SignPath Application 1.111.0
Improvements:
-
Limited the maximum file size for artifact retrieval to 4GB in SaaS.
(SaaS only)
Crypto Providers 2.0.0
Breaking Changes / Manual migration steps:
-
Configuration and parameter names changed. All Crypto Providers now use a common naming schema. Environment variables have precedence over the configuration file. Command line parameters have precedence over environment variables.
Improvements:
-
All Crypto Providers can now gracefully handle application downtimes and will retry HTTP requests if the application is temporarily unavailable.
Self-hosted Installations 1.111.0
Improvements:
-
Introduced a configurable file size limit for the artifact retrieval feature (defaults to 4GB).
February 21, 2022
SignPath Application 1.110.0
New Features:
-
Introduced the option to re-download a Certificate Signing Request (CSR) and to re-upload certificates.
Improvements:
-
Updated Java Runtime to JDK 12.
Bug Fixes:
-
Fixed a bug that prevented the Audit Log API from handling Webhook.Deleted events.
Self-hosted Installations 1.110.0
New Features:
-
Introduced option to change the log4net configuration used in SignPath.
January 20, 2022
SignPath Application 1.108.0
New Features:
-
Audit Log REST API is now available in preview.
Bug Fixes:
-
Expiration emails for already expired certificates are no longer sent out.
Crypto Providers 1.1.0
New Features:
-
Windows only: Information about the invoking process (command line call and user account) is collected.
-
Windows only: Mutual TLS (mTLS) client certificates can be specified.
Self-hosted Installations 1.108.0
Breaking Changes / Manual migration steps:
-
Only for nShield HSMs: Move the kneti-hardserver file from the NShieldHardserverPath directory to a subdirectory hardserver in the NShieldPairingDataPath directory. (Note: The NShieldHardserverPath configuration value has been removed.)
January 11, 2022
SignPath Application 1.107.0
Improvements:
-
The API now returns concrete error messages in the body of HTTP 401 Unauthorized responses.
-
The signing request ID is now included in the HTTP response body of the submit API routes.
-
Extended the build system integration for Appveyor to allow private projects for non-OSS subscriptions.
December 09, 2021
SignPath Application 1.106.0
Improvements:
-
For Hash Signing, the metadata is now included in the signed artifact payload file.
Bug Fixes:
-
Fixed a bug that caused expiration notifications to be sent out even if a new certificate was re-imported.
SignPath PowerShell Module 4.0.0
Breaking Changes / Manual migration steps:
-
The Submit-SigningRequestResubmit command has been removed. Resubmit is now possible using the -Resubmit flag of the regular Submit-SigningRequest command.
Self-hosted Installations 1.106.0
Upgrade Information:
The Configuration.yml file does not contain settings for the connection strings any more. Connection strings are now handled as secrets by default. However, for migration purposes, the connection strings can still be added to the Configuration.yml and referencing secret files is still supported.
Improvements:
-
The secret handling has been unified between the Docker Compose and K8s deployment targets.
November 25, 2021
SignPath Application 1.105.0
New Features:
-
Signing request filters: The signing request list can be filtered by status and artifact configuration (when viewing signing requests for a specific project or signing policy).
-
User roles can also be configured for CI Users. Permissions will be applied to API calls accordingly.
Bug Fixes:
-
Fixed a bug that prevented artifact names of signing requests submitted via the artifact retrieval workflow from being included in the signing request report.
Self-hosted Installations 1.105.0
Bug Fixes:
-
Fixed a bug that hid an error message when the configuration file could not be properly read.
November 10, 2021
SignPath Application 1.104.0
Improvements:
-
The content of signing request lists has been cleaned up and only includes the artifact name once.
Bug Fixes:
-
Fixed a UI glitch in the webhook body editor.
-
The correct HTTP response code (403) is now returned for requesting unknown resources.
SignPath PowerShell Module 3.2.1
Bug Fixes:
-
Fixed a bug that prevented an error message from being shown when a parameter is missing.
Self-hosted Installations 1.104.0
Bug Fixes:
-
Special characters are now handled correctly during the creation of the ENV-file.
November 02, 2021
SignPath Application 1.103.0
New Features:
-
Added global reader and project reader roles.
-
Signing requests can now be resubmitted via the PowerShell module or via the API.
Improvements:
-
An additional certificate expiration notification is sent 10 days prior to the certificate expiration date.
Bug Fixes:
-
Errors that are caused by an unexpected timestamping algorithm are now handled properly again.
October 14, 2021
SignPath Application 1.102.0
New Features:
-
Support for Thales DPoD cloud HSMs is in pre-release status.
Improvements:
-
The signing request status values have been reduced. Multiple statuses are now combined as “In Progress”.
-
Artifact sizes are now displayed in a human readable format.
Bug Fixes:
-
Fixed a bug that prevented the artifact configuration XML from being downloaded if there were special characters in the configuration’s name.
Self-hosted Installations 1.102.0
Breaking Changes / Manual migration steps:
-
In the Docker.LunaPairingDataPath or Docker.NShieldPairingDataPath directory respectively, replace all characters in the filenames that do not fall in the following patterns with underscores (_): ^[-._a-zA-Z0-9]+$.
-
Dropped support for file-based content stores. Use content stores compatible with the Amazon S3 interface instead.
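A dry-run planner for the pairing data rename described in the 1.102.0 migration step, as an added example that is not part of SignPath's tooling; the function names and the sample file names are assumptions. It also covers a case the release note does not mention: two different file names that map to the same target after replacement.

```python
import os
import re
import tempfile

# Character class from the release note (^[-._a-zA-Z0-9]+$); anchoring is
# done with fullmatch() so a trailing newline cannot slip through.
ALLOWED_NAME = re.compile(r"[-._a-zA-Z0-9]+")
DISALLOWED_CHAR = re.compile(r"[^-._a-zA-Z0-9]")


def sanitize(name):
    """Replace every character outside the allowed set with an underscore."""
    return DISALLOWED_CHAR.sub("_", name)


def plan_renames(directory):
    """Return (renames, conflicts) for the regular files in `directory`.

    renames   -- {old_name: new_name} that can be applied safely
    conflicts -- {new_name: [old names]} where several files share one target
    """
    names = sorted(
        n for n in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, n))
    )
    targets = {}
    for name in names:
        targets.setdefault(sanitize(name), []).append(name)

    renames, conflicts = {}, {}
    for target, sources in targets.items():
        if len(sources) > 1:
            # e.g. "a b.key" and an existing "a_b.key": renaming would
            # overwrite or fail, so leave the decision to the operator.
            conflicts[target] = sources
        elif not ALLOWED_NAME.fullmatch(sources[0]):
            renames[sources[0]] = target
    return renames, conflicts


def apply_renames(directory, renames, conflicts):
    """Apply a plan; refuse to touch anything while conflicts remain."""
    if conflicts:
        raise ValueError(f"ambiguous targets, resolve manually: {conflicts}")
    for old, new in renames.items():
        dst = os.path.join(directory, new)
        if os.path.lexists(dst):  # e.g. a sub-directory already has the name
            raise FileExistsError(dst)
        os.rename(os.path.join(directory, old), dst)
    return sorted(os.listdir(directory))


def demo():
    """Run plan and apply against constructed sample names in a temp dir."""
    sample = ("partition one (prod).pem", "hsm#2@dc.cert", "already-ok_1.key")
    with tempfile.TemporaryDirectory() as d:
        for name in sample:
            open(os.path.join(d, name), "w").close()
        renames, conflicts = plan_renames(d)
        after = apply_renames(d, renames, conflicts)
        return renames, conflicts, after


if __name__ == "__main__":
    print(demo())
```

Run `plan_renames` against a copy of the pairing data directory first and review the plan before calling `apply_renames` on the real one.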
Improvements:
-
The pairing data files have been renamed to only contain a reduced set of characters (for the upcoming Kubernetes support).
-
Loosened the restrictions on the timestamping server protocol to allow the use of more timestamping servers.
September 30, 2021
SignPath Application 1.101.0
Bug Fixes:
-
Fixed a bug that caused exception stack traces during startup.
September 16, 2021
SignPath Application 1.100.0
New Features:
-
Project configurators: Configurator permissions can be granted to users that allow them to edit the artifact configurations and webhooks for specific projects only.
Improvements:
-
The signing request report now includes a link to the web page of the respective signing request.
Self-hosted Installations 1.100.0
New Features:
-
Support for the (AWS) S3 content store backend. (Note: The file-based content-store will be dropped in the next version.)
Bug Fixes:
-
The health check route of the Hangfire Dashboard works again.
September 02, 2021
SignPath Application 1.99.0
Improvements:
-
Hardened the content-security-policy settings.
Self-hosted Installations 1.99.0
Improvements:
-
Improved logging during the database setup phase.
-
Fixed order of elements in Configuration.yml for easier comparison between versions.
August 23, 2021
SignPath Application 1.98.0
New Features:
-
Notification Levels: Users can now select a notification level for each signing policy separately. By default, administrators will stop receiving notifications for signing requests unless they are configured as submitters or approvers.
Improvements:
-
Improved performance when processing artifacts.
Bug Fixes:
-
Removed the invalid required marker for Docker repositories on the create projects page.
-
Fixed a UI glitch: The “View documentation” links are right-aligned again.
Self-hosted Installations 1.98.0
Improvements:
-
Improved migration times.
-
Unified replaceme placeholders in configuration files.
-
Disabled free trial organizations by default.
Bug Fixes:
-
Patched version for Thales DPoD support.
July 08, 2021
SignPath Application 1.96.0
Improvements:
-
Better error reporting for archives that contain multiple files with the same name.
-
Performance improvements when loading signing request lists.
-
The “resubmit” functionality that allows a failed signing request to be executed again was renamed to “retry”.
SignPath PowerShell Module 3.1.3
Improvements:
-
Cleaned up the code.
Self-hosted Installations 1.96.0
Improvements:
-
Changed the default isolation mode from Hyper-V to Process.
-
Removed the necessity to explicitly set Multiple Active Result Sets (MARS) in the connection strings when upgrading.
June 24, 2021
SignPath Application 1.95.0
Improvements:
-
Improved performance for hash-signing operations.
Self-hosted Installations 1.95.0
Improvements:
-
Docker images are now pulled from DockerHub instead of being included in the installation package.
May 27, 2021
SignPath Application 1.94.0
Improvements:
-
The default key size was increased to 4096 bits when creating keys via the user interface. This change was necessary to meet the new baseline requirements for code signing certificates as published by the CA/Browser Forum. Existing certificates are not affected by this change.
-
Authenticode signatures may contain a description field that is displayed by Windows User Account Control (UAC) and possibly other mechanisms. If present, SignPath will now use the FileDescription value of the PE file VERSIONINFO resource (VER_FILEDESCRIPTION_STR). Otherwise the file name will be used as before.
-
The malware scanning step is now displayed as a separate entry in the processing log of each new signing request.
May 17, 2021
Self-hosted Installations 1.92.0
Improvements:
-
Improved migration performance by reducing the number of events.
Bug Fixes:
-
Fixed wrong metadata type entry in content store for signed/unsigned artifacts.
April 29, 2021
SignPath Application 1.91.0
Improvements:
-
Various small UX improvements:
- Renamed “Build information” to “Build data”.
- Improved the display of the file name of artifacts submitted using the artifact retrieval functionality.
-
In the SaaS deployment, the login process has been improved and handles correlation errors more gracefully.
(SaaS only)
Bug Fixes:
-
Fixed a bug where certain directory structures in ClickOnce application bundles resulted in unusable artifact configurations when created from a sample upload.
SignPath PowerShell Module 3.1.0
New Features:
-
Added support for user-defined parameters.
Self-hosted Installations 1.91.0
Breaking Changes / Manual migration steps:
-
Move all configuration values from the .env file to the respective section in the Configuration.yml file.
New Features:
-
Added the possibility to configure an external malware scanner.
Improvements:
-
Switched to a YAML-based hierarchical configuration system.
-
The performance of the Administration Utility has been improved.
April 15, 2021
SignPath Application 1.90.0
Improvements:
-
Changed webhook URLs to only allow HTTPS.
-
Group memberships are also shown for user groups.
-
The repository URL is also shown on the signing policy detail page (if origin verification is enabled).
SignPath PowerShell Module 3.0.2
Improvements:
-
Added more explicit error messages when a Trusted Build System Link is missing in the Project configuration.
Self-hosted Installations 1.90.0
Breaking Changes / Manual migration steps:
-
Move all secrets from the .env file to the respective secret files.
New Features:
-
Switched to using Docker-Compose secrets.
Improvements:
-
SQL connection strings for the SignService databases are also encrypted by default.
-
Improved error messages in case of missing configuration values.
-
Cleaned up the Docker images.
April 01, 2021
SignPath Application 1.89.0
Improvements:
-
Signing request reports now also include the user IDs of all submitters and approvers.
SignPath PowerShell Module 3.0.1
Improvements:
-
Added -Verbose flag for better debugging experience.
-
The -ClientCertificate parameter is now also supported in the Get-SignedArtifact command.
Bug Fixes:
-
File handles are now closed correctly even if an error occurs.
Self-hosted Installations 1.89.0
New Features:
-
Reverse proxies are now supported, recommended and enabled by default.
March 17, 2021
SignPath Application 1.88.0
New Features:
-
Artifact configurations now support user-defined parameters.
Bug Fixes:
-
Fixed a bug that did not show the organization name on the invitation page.