SignPath


 December 16, 2024

GitHub Connector 1.1.0

New Features:

  • Policy checks for branch rulesets, build and build runner are supported. See the documentation.

Bug Fixes:

  • Fixed a bug that prevented signing requests from being submitted when the “re-run failed jobs” feature of workflows was used for workflows with multiple jobs.

  • Fixed an integer overflow bug caused by large artifact IDs.

 December 10, 2024

Application 1.177.0

New Features:

  • Added GPG key management:

    • GPG keys can now be created directly in the SignPath UI.
    • They can currently be used for hash signing and create-raw-signature.

Improvements:

  • REST API additions and improvements regarding certificates and signing policies:

    • New route to retrieve signing policy details:
      • GET /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}
    • New route to retrieve certificate metadata and to directly download an X.509 certificate or GPG public key file for a signing policy:
      • GET /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}/Certificate
      • GET /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}/Certificate/X509Certificate
      • GET /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}/Certificate/GpgPublicKey
    • The following routes now return the X.509 certificate specific data in the x509CertificateData property instead of x509Certificate:
      • GET /v1/{organizationId}/Certificates
      • GET /v1/{organizationId}/Certificates/{slug}
      • Note that the x509Certificate property is still returned for backwards compatibility, but marked as “deprecated”.
    • For details see API definition.
  • Improved error reporting for projects with manual approval enabled (not available for hash-signing) for SignPath Crypto Providers.

Bug Fixes:

  • Fixed a concurrency issue which potentially caused signing request processing to stop for the affected organization.

    (SaaS only)

Application (self-hosted only) 1.177.0

Breaking Changes / Manual migration steps:

  • JAR signing is now disabled by default because it requires dedicated service instances. To enable it, you need to deploy the new javasigningmethodservice component via the chartSettings.javaSigningMethodService.replicaCount value and set up authentication configuration.

Improvements:

  • Improved basic authentication configuration (basicAuthenticationOptions sections):

    • Password hash and salt (server-side) have been combined into a single configuration value (passwordHash value).
    • Updated the Generate-Secret tool to generate the new format (see “Generate basic authentication passwords and hashes” in the installation guide).
    • Added an optional new previousPasswordHash value to allow zero-downtime rotation.

    This change is backwards-compatible. The legacy passwordSalt can still be used.

Crypto Providers 5.1.0

New Features:

  • Added support for using GPG keys generated by SignPath certificate management:

    • It is no longer required to locally generate GPG keys based on backing X.509 certificates. You can create GPG keys directly in the SignPath UI.
    • Requires SignPath version 1.177 or higher.
    • Adapted and simplified the Linux container samples for GPG hash signing.

Improvements:

  • Linux PKCS#11 CryptoProvider: Added support for Debian 12 “bookworm” and Ubuntu 24.04 distros.

 November 21, 2024

Application 1.176.0

Improvements:

  • JAR signing: Added a workaround for Java code signing using recent GlobalSign code signing certificates. (The default root certificate is not in the Java root trust list, so a special cross-signed certificate must be applied.)

  • Improved display of validation errors in the user invitation UI.

Application (self-hosted only) 1.176.0

New Features:

  • Azure Blob Storage and SQL Server connections: added support for Azure Workload Identity authentication. See “Azure Workload Identity” in the installation guide for details.

Improvements:

  • Reduced image size of the signpathio/signservice-setup-db container image and startup time of the SignService migration jobs.

 November 11, 2024

Application 1.175.1

Improvements:

  • Improved performance of event audit log REST API (GET /v1-pre/{organizationId}/AuditLog/Events) for organizations with high signing request volume.

  • Improved error handling for invalid paths in archive files.

Application (self-hosted only) 1.175.1

Breaking Changes / Manual migration steps:

  • In the signpath-application chart, the appSettings/appSecrets.shared.fastSigningRequestProcessorServiceClientOptions configuration section has been renamed to fastSigningServiceClientOptions (value unchanged).

 November 06, 2024

GitHub Connector 1.0.1

Bug Fixes:

  • Fixed a bug that prevented signing of artifacts from GitHub.com. (GitHub’s global ID values crossed the max-int threshold on Nov. 5, 2024.)

 October 24, 2024

Application 1.174.1

Improvements:

  • Improved certificate list UI: added new “type” and key store information columns, dropped “valid from” column.

 October 22, 2024

Jenkins Plugin 2.1.0

New Features:

Improvements:

  • The API Token Credential can now be stored either in the System or a Global (recommended) scope.

  • Improved error messages.

 October 21, 2024

macOS CryptoTokenKit 2.0

Breaking Changes / Manual migration steps:

  • Renamed the command-line parameters to align with the other client tools.

New Features:

  • Added support for sha1 signatures required for productsign.

  • Added support for HTTP timeout and retry configuration.

Improvements:

  • Improved logging and logging configuration.

Bug Fixes:

  • Fixed a bug that prevented multiple certificates from being loaded at once.

  • Fixed a bug where the application failed when provided with an invalid configuration file.

 October 08, 2024

Application 1.173.0

Breaking Changes / Manual migration steps:

  • Renamed the X.509 certificate creation/upload REST API routes:

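    • POST /v1/{organizationId}/Certificates/CreateSelfSigned is now POST /v1/{organizationId}/Certificates/CreateSelfSignedX509
    • POST /v1/{organizationId}/Certificates/CreateCsrBased is now POST /v1/{organizationId}/Certificates/CreateCsrBasedX509
    • POST /v1/{organizationId}/Certificates/{slug}/UploadCertificate is now POST /v1/{organizationId}/Certificates/{slug}/UploadX509Certificate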

    Old routes are still available but deprecated. No changes in request bodies.

  • Breaking change in v1 response properties.

    Affected routes:

    • GET /v1/{organizationId}/Certificates
    • GET /v1/{organizationId}/Certificates/{slug}

    Changes:

    • Existing property type (top-level) now represents the certificate type (currently only X509).
    • Previous value of type is now in x509Certificate.creationMethod (SelfSigned, Csr, PfxImport, ImportedWithExistingKeyPair).

    (Rationale: we expect no external dependencies on the current value of type.)

New Features:

Improvements:

  • Signing request details page now shows HTTP response status code for failed artifact retrievals.

Bug Fixes:

  • Fixed broken base URL in Swagger UI (affected version 1.172).

 September 24, 2024

Application 1.172.0

Improvements:

  • Added origin information to the signing request list (verified origin or trusted build system name).

  • Improved quota display on the organization page.

    (SaaS only)
  • Artifact configuration visualization: multiple signing directives now displayed separately.

  • Signing request processing history now displayed indefinitely (was not displayed for “archived” signing requests, i.e. 31 days after completion in SaaS).

Bug Fixes:

  • Fixed disabled “Resubmit with current settings” button for archived signing requests (completion older than 31 days).

  • Fixed interactive user invitation flow for newly registered users.

    (SaaS only)

Application (self-hosted only) 1.172.0

Breaking Changes / Manual migration steps:

  • Changed recommended Kubernetes version to 1.29 and signpathio/kubectl image tag to 1.29.

Improvements:

  • Graceful container shutdown: termination of Pods is now delayed (default of 30 secs). This allows for request drain-out and safe shutdown (e.g. flushing Application Insights data).

 August 29, 2024

Application 1.171.0

Bug Fixes:

  • Fixed missing response models and response status codes in the API definition for the following REST API routes:

    • /v1/{organizationId}/CIUsers/{id}/RegenerateApiToken
    • /v1/{organizationId}/InteractiveUsers/{id}/RegenerateApiToken
    • /v1/{organizationId}/TrustedBuildSystems/{slug}/RegenerateTrustedBuildSystemToken
    • /v1/{organizationId}/SigningRequests/Resubmit (only status code was wrong)

Application (self-hosted only) 1.171.0

Bug Fixes:

  • All signpath-application Pods now correctly report application_Version to Application Insights (if enabled).

 August 16, 2024

GitHub Connector 1.0

New Features:

 August 13, 2024

Application 1.170.2

New Features:

  • All v1-pre REST API routes except audit log routes are now available as JSON APIs in v1.

    Changes in v1:

    • Changed from PATCH to POST:
      • /v1/{organizationId}/InteractiveUsers/{id}/Edit
      • /v1/{organizationId}/InteractiveUsers/{id}/SetDirectorySynchronized
      • /v1/{organizationId}/CIUsers/{id}/Edit
      • /v1/{organizationId}/UserGroups/{id}/Edit
      • /v1/{organizationId}/UserGroups/{id}/SetDirectorySynchronized
      • /v1/{organizationId}/Certificates/{slug}/Edit
      • /v1/{organizationId}/Projects/{slug}/Edit
      • /v1/{organizationId}/Projects/{projectSlug}/ArtifactConfigurations/{artifactConfigurationSlug}/Edit
      • /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}/Edit
      • /v1/{organizationId}/TrustedBuildSystems/{slug}/Edit
    • url response properties have been renamed to link:
      • GET /v1/{organizationId}/InteractiveUsers
      • GET /v1/{organizationId}/CIUsers
      • GET /v1/{organizationId}/UserGroups
      • GET /v1/{organizationId}/Projects/{slug} (artifactConfigurationXmlUrl and certificateUrl)
    • These remaining routes support JSON request bodies now:
      • POST /v1/{organizationId}/Projects
      • POST /v1/{organizationId}/Projects/{projectSlug}/ArtifactConfigurations
    • The name, slug and description properties are now in the request or response root object.
      • The "metadata" object has been dropped in all JSON requests and responses.
      • The metadata. prefix has been dropped in all multipart/form-data requests.

    See the API definition for more details.

    The v1-pre routes are unchanged but deprecated. They are no longer included in the API definition and will be removed in a future version.

    Note that these routes still use multipart/form-data:

    • POST /v1/{organizationId}/Certificates/{slug}/UploadCertificate
    • POST /v1/{organizationId}/SigningRequests
    • POST /v1/{organizationId}/SigningRequests/SubmitWithArtifactRetrievalLink

    For all other v1 APIs, multipart/form-data is no longer available.

  • Authenticode signing now supports the following optional attributes:

    • description and description-url
    • hash-algorithm

Bug Fixes:

  • Fixed failed JAR signing operations for JAR files with >20,000 items.

  • Fixed error during rendering of old failed signing requests with specific errors (e.g. artifact retrieval).

  • Added missing response body definition for GET /v1/{organizationId}/Projects/{projectSlug}/TrustedBuildSystemLink in the API definition.

Application (self-hosted only) 1.170.2

Improvements:

  • Improve error reporting for authentication errors in Operator Client.

Bug Fixes:

  • Fixed missing error detection in pairing restore startup script in HSM SignService.

 August 01, 2024

Application 1.169.0

Improvements:

  • Added support for JSON request bodies in the REST API.

    • Supported in all API routes except those with file inputs, like signing request submission or certificate upload.
    • Backwards-compatible: Content type multipart/form-data is still accepted in all changed APIs (but not exposed to the API definition).
    • See the API definition for more details.

Application (self-hosted only) 1.169.0

Breaking Changes / Manual migration steps:

  • Internal SignService API breaking change: when upgrading from a version below 1.165, follow the SignService breaking changes steps in the installation guide, section “Version compatibility”.

    Details: All file-based signing operations have been removed from the SignService API. Since version 1.165, all file-based signing operations have been executed by signing-processor-service.

 July 23, 2024

Crypto Providers 5.0.11

Improvements:

  • Improved warning and error logging for HTTP call errors: log message now includes details about the error incl. HTTP status and response body if available.

Bug Fixes:

  • Fixed unnecessary retries for non-recoverable errors like authentication errors or invalid artifact configurations (anything but hash-signing) in the SignPath project.

 July 22, 2024

Application 1.168.1

New Features:

Improvements:

  • Improved approval notification emails: added project, signing policy and artifact file name to email body.

Bug Fixes:

  • Fixed a display error if browser’s language is configured to Chinese (zh-CHS).

Application (self-hosted only) 1.168.1

Improvements:

  • Auto-restart detection mechanism extended to include a specific Luna Client startup error in signpath-signservice-lunahsm.

 July 08, 2024

Application 1.167.3

Improvements:

  • Added to organization page the number of “applied individual signatures” of the current month.

    (SaaS only)

Application (self-hosted only) 1.167.3

Improvements:

  • Reduced memory overhead in all Pods deployed by the signpath-signservice-<type> charts by switching the entry point from PowerShell to CMD.

PowerShell Module 4.4.1

Improvements:

  • Signing requests are now automatically cancelled after WaitForCompletionTimeoutInSeconds. This can be overridden with the new -CancellationTimeoutInSeconds parameter.

 June 10, 2024

Application 1.166.2

Improvements:

  • Added an optional cancellationTimeoutInSeconds parameter to the signing request submission REST APIs to automatically cancel signing requests after the provided timeout.

Application (self-hosted only) 1.166.2

Improvements:

  • Reduced memory overhead in all Pods deployed by the signpath-application chart by switching the entry point from PowerShell to CMD.

 July 04, 2024

Crypto Providers 5.0.7

Breaking Changes / Manual migration steps:

  • Changed default logging behavior:

    • File logging (with info level) is now enabled by default
      • The target directory on Windows is %TEMP%\SignPathLogs, on Linux /tmp/SignPathLogs.
      • Use SIGNPATH_LOG_CONSOLE_LEVEL=none to opt-out from file logging.
    • Console logging (if enabled) now logs to stderr instead of stdout by default.
      • Use the new SIGNPATH_LOG_CONSOLE_OUTPUT_STREAM configuration to switch back to stdout.
    • See Crypto Provider configuration for details.

New Features:

  • The Windows Crypto Providers (incl. KSP, CSP and Cryptoki library) now are delivered with a Windows MSI installer.

    • See install/uninstall docs. This also includes unattended installation options.
    • To upgrade from a previous manual installation/registration or from an InstallCspKsp.ps1 installation:
      • Install using the new MSI
      • In case you used a SIGNPATH_CONFIG_FILE JSON file: copy its content to %ProgramFiles%\SignPath\CryptoProviders\CryptoProvidersConfig.json
      • Delete the old installation target directory (including the old configuration file)

Improvements:

  • Linux container samples improvements:

    • Added a Bash port for the entry point script (run_scenario.sh) next to the existing PowerShell version (RunScenario.ps1).
    • The GenerateGpgKey scenario now allows specifying all key parameters like full name, email or expiration directly to the entry point script.
    • The GPG scenarios (e.g. SignRpm) now allow specifying the key’s ID (email) directly to the entry point script.
  • The CryptoProvider package now includes SBOM files.

Bug Fixes:

  • Linux container samples: fixed incompatibility with recent RedHat 8 and 9 repository changes concerning openssl and gnupg-pkcs11-scd.

 June 10, 2024

Application 1.165.2

Improvements:

  • Allow import of certificates that exceed RFC length limits in Distinguished Name components such as Common Name. Applies to Certificate Signing Request (CSR) certificate upload and PFX import.

  • Improve error reporting for PFX files with missing common name field in the contained certificate.

Bug Fixes:

  • Fixed error handling for invalid ClickOnce files with missing “deployment manifest” files.

 May 27, 2024

Application 1.164.3

New Features:

  • Added ECDSA certificate support for Authenticode.

Bug Fixes:

  • Fixed minor UI glitch for edit signing policy (approval deactivated when removing all approvers).

Application (self-hosted only) 1.164.3

Breaking Changes / Manual migration steps:

  • Changed the recommended Kubernetes version to 1.28 and the signpathio/kubectl image tag to 1.28.

Improvements:

  • Reduced the compressed signing-processor-service image size by 350 MB.

Bug Fixes:

  • Fixed false-positive exceptions for hash/fast signing operations when the client aborts the HTTP call.

  • Fixed failing hash/fast signing operations when malware scanning is disabled in the corresponding signing policy.

  • Fixed issue which can cause occasional failing signing requests under very high load. (Introduced in 1.154)

 May 13, 2024

Application 1.163.0

New Features:

  • Authenticode files can now be signature validated with the new <authenticode-verify /> artifact configuration directive. Use it to ensure that third-party components are properly signed in deep signing configurations.

  • Office macro signing now supports ECDSA certificates.

Improvements:

  • Improved error reporting when a macro-enabled Office file contains no macros instead of generic “processing error”.

Bug Fixes:

  • Malformed hash signing requests now result in a specific 400 validation error (invalid hash encoding or length, was a 500 response since version 1.160).

  • Fixed a rare concurrency issue on high Office macro signing load.

Application (self-hosted only) 1.163.0

Improvements:

  • Replaced the “readiness probes” in all K8s deployments with startup + liveness probes to improve startup perf and stability.

 April 25, 2024

Application 1.162.2

Improvements:

  • Improved history UI: table column alignment, use of screen real estate.

  • Improved performance of ModifyMembers, ChangeMembers user group REST APIs.

Application (self-hosted only) 1.162.2

New Features:

  • HSM SignServices now provides “readonly” mode for operational/maintenance purposes, which disables key management while still allowing signing operations.

Improvements:

  • K8s readiness probe for signingprocessorservice switched from “readyfile” command probe to HTTP “healthz” probe to improve stability.

 April 11, 2024

Application (self-hosted only) 1.161.1

New Features:

  • When applying changes via helm upgrade, now all signpath-application deployments restart automatically (via rollout restart).

Improvements:

  • Added a safeguard mechanism for signpath-application pods which prevents startup on inactive colors due to deployment or configuration errors.

 March 28, 2024

Application 1.160.1

Improvements:

  • Artifact configuration: <create-raw-signature> supports input filename substitution via ${file.name}.

  • “Resubmit with current settings” now also works for signing requests which fail due to an artifact retrieval error.

Application (self-hosted only) 1.160.1

Breaking Changes / Manual migration steps:

  • Hash signing operations are now performed by signingprocessorservice.

    You need to configure basic authentication configuration:

    • signingprocessorservice: signingProcessorService.basicAuthenticationOptions
    • signpath-application: fastSigningRequestProcessorServiceClientOptions.basicAuthenticationPassword

    See “Generate basic authentication passwords and hashes” in the installation guide for more information.

Improvements:

  • The HSM SignServices watchdog doesn’t require a TSA URL anymore. The previously mandatory SignService values config entry appSettings.signService.cspWatchdogOptions.timestampingServerUrl can be removed.

 March 18, 2024

macOS CryptoTokenKit 1.0

New Features:

  • Initial release

 March 14, 2024

Application 1.159.0

Breaking Changes / Manual migration steps:

  • Provided dedicated REST APIs for modifying group memberships:

    • /ChangeMembers sets a new list of members
    • /ModifyMembers allows adding/removing members

    See the API definition for more details.

Improvements:

  • Added a new API route GET /v1-pre/<org-id>/SigningRequests that allows listing Signing Requests. See the API definition for more details.

  • Improved the reliability of processing signing requests in case of temporary network errors.

Application (self-hosted only) 1.159.0

Improvements:

  • Added additional custom dimensions to AppInsights events.

  • The AdministrationUtility tool can now also log to AppInsights.

  • Added an additional safeguard mechanism that prevents the inactive color deployment from processing signing requests.

Bug Fixes:

  • Fixed the mechanism that restarts the SignService components when the connection to a Luna/Thales DPoD HSM becomes corrupt.

  • Added missing ActivityId entries to the log output to ensure a consistent logging experience.

Crypto Providers 4.4.1

Bug Fixes:

  • Fixed a bug that prevented the underlying error messages from being shown.

  • Fixed a bug that prevented retries from being executed properly in certain situations.

  • Fixed a bug in the Linux container samples for GPG signing.

 February 29, 2024

Application (self-hosted only) 1.158.0

New Features:

  • New “Operator REST API” (part of the Operator Client deployment) including organization list queries and organization creation APIs. Can be activated via appSettings.shared.globalFeatureToggleOptions.isOperatorApiEnabled configuration.

Improvements:

  • Added Generate-Secret tool to simplify secure encryption key, basic authentication secret and API token generation.

 February 15, 2024

Application 1.157.0

Improvements:

  • For failed signing requests, the “Retry with current settings” feature was replaced with “Resubmit with current settings”. This feature creates a new signing request (linking back to the “original signing request”) instead of retrying the same signing request.

  • Stricter validation of email address input.

  • Introduced file size limits for XML files (2 MB) and OPC files (40 MB) to improve operational stability.

Bug Fixes:

  • Fixed path validation issue for encoded paths in OPC, MSIX and APPX files.

Application (self-hosted only) 1.157.0

Breaking Changes / Manual migration steps:

  • Renamed the Hangfire dashboard application component K8s Deployment to “Operator Client”:

    • Renamed signpathio/hangfire-dashboard Docker image to signpathio/operator-client (you may need to update your Docker image mirroring)
    • Replaced the appSettings/appSecrets.hangfireDashboard values section with appSettings/appSecrets.operatorClient
    • Replaced chartSettings.hangfireDashboard section with chartSettings.operatorClient
    • Changed operatorClient authentication settings from basic auth to API token-based (see operatorClientOptions.operatorUsers section)

Improvements:

  • Added the possibility to expose the Operator Client via the Ingress (see “Enable Operator Client Ingress” installation guide).

  • Application Insights: greatly reduced the amount of “pulled empty batch” events in the CustomEvents telemetry to reduce log volume.

  • Increased default signingProcessorService.dotNetGCHeapHardLimit from 450 to 700 MB to avoid out of memory situations for XML and OPC signing.

Bug Fixes:

  • Fixed a migration job issue which left the old color Application Pods running in case of a Kubernetes API server outage.

 February 01, 2024

Application 1.156.0

New Features:

  • REST API: Added new routes for creating, querying and modifying Trusted Build Systems.

Improvements:

  • Improved error reporting of internal errors during Authenticode signing operations.

Bug Fixes:

  • Fixed a bug where changing the certificate before approving a signing request caused a processing error in certain situations.

  • Fixed a bug that hid the detailed error message in the user interface when an artifact fails to be scanned for malware.

Application (self-hosted only) 1.156.0

Breaking Changes / Manual migration steps:

  • Changed the recommended Kubernetes version to 1.27 and the signpathio/kubectl image tag to 1.27.

Improvements:

  • Application Insights: The custom dimension name has been renamed from LoggerName to CategoryName to comply with Microsoft standards.

  • Application Insights: Now the Trace (application logs) and Request (Incoming HTTP requests) telemetry types aren’t sampled anymore on high load (i.e. Application Insights receives a gapless log stream) by default. The default configuration can be overridden in signpath-application or Sign Service values in the additionalApplicationInsightsOptions section.

  • Container/Application Insights logs: Removed specific high volume, but unimportant log emitters to reduce log volume.

PowerShell Module 4.3.4

Bug Fixes:

  • Fixed a bug that prevented read-only files from being submitted for signing.

 January 22, 2024

Application 1.155.0

New Features:

  • REST API: Added new routes for (de)activating certificates, projects, signing policies and artifact configurations, and a new route for the “delete private key” certificate operation.

  • REST API: Added GET /v1-pre/{organizationId}/InteractiveUsers/Me route.

Improvements:

  • REST API: Added the ID of the created entity to the response body in various POST routes.

  • Improved the title line on the signing request detail page for long project/signing policy names.

Application (self-hosted only) 1.155.0

Breaking Changes / Manual migration steps:

  • In signpath-application values chartSettings section: removed malwareScanning.timeout configuration value, and instead introduced scanner-type specific values:

    • malwareScanning.signPathMalwareScanningService.scanningTimeout and .httpRequestTimeout
    • malwareScanning.customMalwareScanningScript.scriptTimeout

Improvements:

  • Added logging of the “User Agent” header to Application Insights requests.

  • Removed the signpathmalwarescanningservice config map resource (unused since 1.144).

Bug Fixes:

  • Fixed broken Application Insights sampling configuration for signservice Pods.


 December 20, 2023

Application 1.153.1

Bug Fixes:

  • Trusted build systems: Fixed validation error for Git repository SSH URLs.

 December 13, 2023

Crypto Providers 4.3.0

Improvements:

  • Improved GPG initialization and shadow key fetching in Linux container sample scripts (which also fixed a compatibility issue with GnuPG 2.3+).

  • Linux PKCS#11 CryptoProvider: Added support for Debian 11 and RedHat 9 distros incl. updated Linux container samples.

  • Added CryptoProvider version info to the user agent header for backend REST calls.

Bug Fixes:

  • KSP CryptoProvider: Fixed a compatibility issue with ECDSA certificates.

 December 11, 2023

Application 1.153.0

New Features:

  • Added support for creating raw detached signature files.

Application (self-hosted only) 1.153.0

Improvements:

  • Added additionalApplicationInsightsOptions section to signpath-application values, which allows configuring Application Insights sampling options.

 December 10, 2023

Jenkins Plugin 2.0.0

Breaking Changes / Manual migration steps:

  • Renamed CIUserToken to ApiToken.

Improvements:

  • Added configurable timeouts for HTTP requests and signing request processing.

  • Improved error messages.

 November 28, 2023

Application 1.152.1

Bug Fixes:

  • Restricted user role assignment for OSS subscriptions.

 November 23, 2023

Application 1.152.0

New Features:

  • Granular read-access authorization for signing requests. (Work in progress, available on request.)

Improvements:

  • Signing requests with artifact retrieval links: added support for HTTP content compression.

  • Improved reliability of HSM key store (additional retry conditions).

    (SaaS only)
  • Improved performance of ClickOnce signing operations.

  • Improved error messages for Office files without macros.

Bug Fixes:

  • Fixed PFX certificate import into certain HSM key stores (including SaaS HSM).

  • Fixed a bug that prevented signing with Crypto Providers using the new API token feature for interactive users.

Application (self-hosted only) 1.152.0

Breaking Changes / Manual migration steps:

  • Changed the recommended Kubernetes version to 1.26 and the signpathio/kubectl image tag to 1.26.

Improvements:

  • Added a Helm chart check which fails the installation in case the pod disruption budget’s minAvailable count is larger than or equal to replicaCount.

 November 16, 2023

Crypto Providers 4.2.0

Improvements:

  • Renamed the CIUserToken configuration file property to ApiToken (and the SIGNPATH_CI_USER_TOKEN environment variable to SIGNPATH_API_TOKEN). Please adapt your configurations (you can use the same value for ApiToken). Note that the old names are still accepted, but will be removed in a future version.

  • Added documentation and Linux integration tests for the osslsigncode tool.

  • Implemented the Windows KSP EnumKeys function, which enables hash based Mage / ClickOnce signing.

 November 02, 2023

Application 1.151.1

New Features:

  • New REST API route: download the X509 certificate of a signing request GET /v1-pre/{organizationId}/SigningRequests/{id}/X509Certificate.

Improvements:

  • Improved error messages for AppX and MSIX files when the publisher name does not match the certificate subject.

  • Timestamping now falls back to alternative timestamping servers when primary server is unavailable.

    (SaaS only)
  • Project administrators can now configure Docker repositories.

  • User page shows date and time when an API token was generated.

Bug Fixes:

  • Fixed a bug that prevented importing PFX files generated by Microsoft CNG.

  • Fixed a bug that prevented adding CI users to the project configurators of a project.

Application (self-hosted only) 1.151.0

Improvements:

  • Dropped the JCE key “retargeting” when creating certificates on nShield HSMs (previously required for JAR signing).

Bug Fixes:

  • Fixed a problem that caused the sandbox.vhdx files of the Docker Mirantis runtime to grow continuously in Docker Compose installations.

 October 12, 2023

Application 1.150.2

Improvements:

  • Renamed certificate field “Thumbprint” to “SHA-1 Thumbprint” in the user interface and pre-release API.

  • Added improved error messages for analyzing SSO-related configuration issues.

Application (self-hosted only) 1.150.2

Improvements:

  • Improved logging of login/logout errors by providing more details on OIDC related errors.

Bug Fixes:

  • Fixed an unnecessary delay of 23 days in automatic artifact deletion or archiving in the content store (affected versions 1.148 and 1.149).

  • Fixed incorrect logging of PathBase in HTTP request logging.

 October 02, 2023

Application 1.149.2

New Features:

  • Added limited administrator roles: User Administrator, Project Administrator and Certificate Administrator. For more details, see the user roles documentation.

  • Select multiple files is now generally available.

  • Added support for deep signing of APPX and MSIX files. Read more about deep signing.

Bug Fixes:

  • Fixed incorrect display of malware scanning status for old signing requests.

    (SaaS only)
  • Fixed a race condition that caused multiple signing requests to be created when uploading multiple files instead of bundling them correctly into a single artifact.

  • Fixed a bug that led to failed signing requests for artifact configurations with a <zip-file> containing a path attribute as a root file element.

  • Fixed a bug that prevented signing with the Crypto Providers for interactive users and users that were added as submitters through group membership.

Application (self-hosted only) 1.149.2

Breaking Changes / Manual migration steps:

  • Configuration setting appSettings.shared.signingOptions.timestampingServerUrl has been renamed to timestampingServerUrlTemplate in signpath-application values.

  • The SignPath.Application.AdministrationUtility.exe tool in the Administration Utility pod has been renamed to SignPath.Application.Clients.AdministrationUtility.exe.

PowerShell Module 4.3.2

Improvements:

  • Improved the inline documentation.

 September 27, 2023

Crypto Providers 4.1.0

Improvements:

  • Added installation/uninstallation PowerShell script for Windows CSP and KSP. Note that the old installation method (involving System32 file copying, sp-register-ksp, regsvr32) still works, but it’s recommended to switch to the installation script. For details and usage see the “CSP/KSP installation (Windows)” section in the CryptoProviders documentation.

 September 13, 2023

Application 1.148.2

New Features:

  • Added support for personal API tokens for interactive users. See authentication.

Improvements:

  • Renamed “CI user token” to “Api token” in the user interface and one pre-release API (RegenerateApiToken).

  • Renamed artifact configuration XML attributes productName and productVersion to product-name and product-version, respectively. (Existing spelling is still valid for the current schema version.)

  • The zip archive created when uploading multiple files for signing is now named bundle.zip. See ui-multifile-upload.

  • Renamed “Initial Login Email Address” of interactive users to “Account email address” in the user interface and InteractiveUser pre-release APIs.

Application (self-hosted only) 1.148.2

New Features:

  • Added support for “nginx.org” Ingress Controller distribution (see ingressAnnotations.nginx.ingressControllerDistribution configuration value).

Improvements:

  • Improved memory consumption of the Signing Processor Service pod (see signingProcessorService.dotNetGCHeapHardLimit configuration value).

  • Updated the default Ingress controller annotations to support 4 GB file uploads.

  • Removed unnecessary values in signpath-application-ingress.

  • Reduced logging noise in webclient and api containers.

Bug Fixes:

  • Fixed disk space leak which affected signpath-application containers with large logging volume.

PowerShell Module 4.3.1

Improvements:

  • Renamed -CIUserToken parameter to -ApiToken. The old name is still valid for this major version (4.x).

Crypto Providers 4.0.1

Breaking Changes / Manual migration steps:

  • Replaced Timeouts.ServiceUnavailable (and SIGNPATH_TIMEOUTS_SERVICE_UNAVAILABLE) configuration value with Timeouts.FirstRetryDelay and Timeouts.RetryCount (See “Setting configuration values” section in the CryptoProviders documentation for details).

Improvements:

  • Changed the HTTP call error retry strategy to use an exponential back-off mechanism.

  • Added warning logging for failed HTTP calls before retrying.

  • Improved error return value codes for KSP/CSP/Cryptoki functions for HTTP call errors to better express the underlying problem. (See the corresponding “Error return values” sections in the CryptoProviders documentation.)

  • Improved the debug logging output for Cryptoki function calls.

  • Improved the error message for HTTP(S) errors on Linux.

 August 21, 2023

Application 1.147.0

Improvements:

  • Added a “My profile” link in the user menu.

Bug Fixes:

  • Fixed incorrect handling of special characters in artifact file path during malware scanning and during OPC deep signing processing.

Application (self-hosted only) 1.147.0

Improvements:

  • Added confirmation prompts in the administration utility for all commands and a -y argument.

  • Added a recommendation on master database SQL user creation to the “Database logins and permissions” section of the documentation.

 August 07, 2023

Application 1.146.0

New Features:

  • Added ui-multifile-upload feature to upload multiple files in signing request web client UI (preview).

  • Added “Multiple Office files with macros” default artifact configuration which allows uploading multiple Office files in the user interface.

Improvements:

  • Improved resilience of system against temporary database outages.

Application (self-hosted only) 1.146.0

Improvements:

  • Limited the maximum number of events per stored entity to avoid performance bottlenecks.

  • Added chartSettings.signingProcessorService.dotNetGCHeapHardLimit to reduce memory consumption of signingprocessorservice pods.

Bug Fixes:

  • Fixed possible timeouts for long running malware scanning runs via malwareScannerType: signPathMalwareScanningService.

 July 13, 2023

Application 1.145.1

Improvements:

  • Improved /v1-pre/{organizationId}/AuditLog/SigningRequestEvents responses:

    • Added originalSigningRequestId for resubmit events.
    • Added file name and hash fields for various submission event types.
  • Improved the performance of the /v1-pre/{organizationId}/AuditLog/Events REST API.

Application (self-hosted only) 1.145.1

Breaking Changes / Manual migration steps:

  • Changed the recommended Kubernetes version to 1.25 (note that 1.24 will go EOL on 2023-07-28) and the signpathio/kubectl image tag to 1.25.

  • Changed the Web Client authentication ticket lifetime from 14 days to 12 hours. This means that after 12 hours without any request, the Web Client will re-authenticate via OIDC.

Improvements:

  • Allowed using multi-line PEM certificates in chartSettings.trustedRootCertificates/.intermediateCertificates in all Helm Charts.

  • Dropped the supportOptions and signingRequestQueueThrottlingOptions sections (both not relevant for self-hosted installations) in signpath-application values.

  • Removed mandatory SMTP server username/password overrides in the signpath-application values.

  • Reduced the log noise in all web server based containers.

  • Added SigningRequestProcessing-IndividualSignature Application Insights events for hash signing requests.

 July 11, 2023

Application 1.144.1

Improvements:

  • New REST API route: reinvite interactive users /v1-pre/{organizationId}/InteractiveUsers/{id}/Reinvite.

  • New REST API route: /v1-pre/{organizationId}/Projects/{slug}/SetDefaultArtifactConfiguration.

  • Improved performance of REST API and UI HTTP responses.

Application (self-hosted only) 1.144.1

Improvements:

  • Improved performance and reduced memory consumption of the signPathMalwareScanningService malware scanning client.

Bug Fixes:

  • Fixed duplicate MalwareScannerOptions__MalwareScannerType config map entries.

 June 26, 2023

Application 1.143.2

Breaking Changes / Manual migration steps:

  • Event Audit Log API (preview): The TrustedBuildSystem.Added event has been renamed to TrustedBuildSystem.CustomAdded.

Application (self-hosted only) 1.143.2

Improvements:

  • Reduced memory consumption when signing JAR files.

Bug Fixes:

  • Fixed aborted SignService deployments in cases using descheduler for Kubernetes with RemovePodsViolatingTopologySpreadConstraint.

 June 14, 2023

Application (self-hosted only) 1.142.1

New Features:

  • Added support for optionally moving contents to the Azure Blob store archive tier instead of deleting them.

Improvements:

  • Reduced amount of application logging for Azure Blob content store accesses.

Bug Fixes:

  • Fixed error when accessing Hangfire dashboard in special cases.

 May 26, 2023

Application 1.141.1

Improvements:

  • Malformed hash values in hash signing are now gracefully reported to the API caller.

Bug Fixes:

  • Fixed a problem that caused some signing requests to be stuck in the Queued state.

  • Fixed a problem where some signing request reports were truncated.

Application (self-hosted only) 1.141.1

Improvements:

  • Added the “Signing Request Accepted” event to the reported “custom events” in Application Insights.

  • Various performance fixes regarding signing request archive database access.

 May 12, 2023

Application 1.140.3

New Features:

  • Added support for signing CycloneDX SBOMs.

  • Added support for XML file signing based on the W3C XMLDSig standard.

Bug Fixes:

  • Fixed timeouts that occurred during the creation of signing request reports.

  • Fixed timeouts in the Audit Log API.

PowerShell Module 4.3.0

New Features:

  • Support for using mutual TLS client certificates specified by a Microsoft template ID.

Application (self-hosted only)

Breaking Changes / Manual migration steps:

  • No change required: After the upgrade, the report model database will be automatically built up from scratch. This means that for a while (depending on the number of signing requests) the signing request list in the UI and the CSV report may be incomplete until the report model build has reached the latest signing requests.

 April 25, 2023

Application 1.139.0

Bug Fixes:

  • Fixed a bug that allowed users to be created via the API even though the quota limit has been met.

  • Fixed timeouts in the signing request Audit Log API.

  • Fixed the alignment of the buttons in the artifact configuration panel on the project page.

 April 18, 2023

Application 1.138.0

Improvements:

  • Improved performance in UI when showing long history lists.

Bug Fixes:

  • Fixed a potential issue that allowed very long running background tasks to run in parallel.

 March 30, 2023

Application 1.137.0

Improvements:

  • SignPath now explicitly drops any secrets exposed in the build settings by AppVeyor. All affected parties were informed.

Application (self-hosted only) 1.137.0

Bug Fixes:

  • Fixed the issue that not all application logging entries reached Application Insights.

  • Fixed missing error reporting details for failed malware scanning service calls.

 March 23, 2023

Application 1.136.3

Improvements:

  • New REST API route /v1-pre/{organizationId}/SigningRequests/{id}/ArtifactDescriptionXml allows retrieving the artifact description XML content for signing requests, including file details for all contained signed files.

  • Added a “Sign artifact” button in the artifact configuration list in the project page.

  • Added “Sign artifact” and “Show signing requests” buttons on the artifact configuration details page.

PowerShell Module 4.2.1

Improvements:

  • Improved error messages when a wrong URL is provided.

Crypto Providers 3.4.0

Improvements:

  • Cryptoki: Added Cryptoki.DoNotFailOnReadWriteSessions configuration flag to enable compatibility with Cryptoki / PKCS #11 clients which always open the session with the read/write option (e.g. pkcs11-tool in versions lower than 0.23).

  • Added documentation for pkcs11-tool usage and Linux Docker container sample scenario.

Application (self-hosted only) 1.136.3

Breaking Changes / Manual migration steps:

  • The following configuration values have been moved from appSettings to appSecrets:

    • signpath-application value appSettings.shared.applicationInsights.connectionString
    • signpath-signservice-<variant> value appSettings.signService.applicationInsights.connectionString

New Features:

  • Added support for automatic artifact deletion after a configurable retention time (disabled by default).

Improvements:

  • The operator user name stored alongside all operations triggered by the administration utility can now be set via an environment variable.

  • Various malware scanning script performance fixes.

 March 02, 2023

Application 1.135.0

New Features:

  • Added support for ECDSA X.509 (key type ecdsa-x509) certificates for Docker Signing.

Improvements:

  • Added new REST API for listing all projects as well as modifying projects, signing policies, and artifact configurations.

  • Improved dashboard loading performance.

Crypto Providers 3.3.0

New Features:

  • Added support for using an HTTP web proxy (Linux and Windows).

Improvements:

  • Improved the error reporting for the sp-register-ksp command (Windows).

Application (self-hosted only) 1.135.0

New Features:

  • For Luna and DPoD HSMs it’s now possible to delete certificate keys on the HSM storage 60 days after the “Delete private key” action (Note: By default, deleted keys are only recorded for manual deletion.)

Breaking Changes / Manual migration steps:

  • The configuration parameters for NGINX proxy settings in the signpath-application-ingress chart have a new location.

  • Custom malware scanning scripts must now be able to handle two new parameters: -OriginalFileName and -ExecutionTimeout.

Improvements:

  • Added support in the Ingress chart to configure additional annotations on the Ingress resource and to opt-out from the NGINX default annotations.

  • Changed recommended Kubernetes version from 1.23 to 1.24.

  • Updated the signpathio/kubectl container image to include kubectl 1.24.10 (the image is tagged with both 1.24 and 1.24.10).

  • Dropped NGINX session affinity annotations (Note: reverse proxy session affinity has not been a requirement since release 1.133.).

  • Improved signing request triggering latency.

  • Changed the default replica count for hangfireDashboard to 1.

  • Cleaned up the Ingress chart (removed the tests section).

  • Cleaned the SignService Kubernetes Helm Charts (dropped unused sections).

  • The commands in the administration utility were cleaned up.

 February 02, 2023

Application 1.133.0

New Features:

  • Artifact configurations can now be deactivated.

Improvements:

  • New REST API /v1-pre/{organizationId}/Certificates allows listing all certificates.

  • Added REST APIs to modify, activate and deactivate CI Users.

  • HTTP requests where the TCP connection is dropped by the client are now automatically canceled.

Application (self-hosted only) 1.133.0

Breaking Changes / Manual migration steps:

  • Added new mandatory database connection strings for the application: DataProtectionDatabase and DataProtectionDatabaseDdl.

    • We recommend renaming the ReportModel database to ApplicationShared and using this database in the connection strings ReportModelDatabase, ReportModelDatabaseDdl and the two new connection strings.
    • Alternatively, a new database named DataProtection can be created and used.
    • See also the “Create databases” and “Data protection keys” sections in the installation guide.

Improvements:

  • Cleaned up and improved the default values in values.yaml in the Kubernetes Helm Charts.

  • Improved the log format for multi-line log messages.

  • Changed the Kubernetes topologySpreadConstraints.maxSkew to 1 to advise K8s to preferably spawn pod replicas on different nodes.

Bug Fixes:

  • Fixed a bug that set the maximum number of certificates quota to zero when changing subscriptions in certain cases.

 January 30, 2023

Jenkins Plugin 1.1.0

Improvements:

  • Removed PowerShell dependency.

Bug Fixes:

  • Fixed a bug that allowed a potential attacker to submit files other than the build artifacts.

 January 12, 2023

Application 1.132.0

Breaking Changes / Manual migration steps:

  • Within the AuditLog API (preview) response, the metadata.user property has been renamed to metadata.actor.

Improvements:

  • Changed web hooks to be triggered for all final signing request statuses, not only Complete.

  • Improved error reporting when deep-signing MSI files with missing external files.

Bug Fixes:

  • Fixed artifact configuration generation for file names containing special characters like square brackets.

  • Fixed an HTML (non-XSS) injection vulnerability in the UI.

Application (self-hosted only) 1.132.0

Improvements:

  • Uploaded artifact files can now be exempt from Windows Defender realtime scanning on Kubernetes hosts.

Bug Fixes:

  • Temporary files during HTTP uploads are now stored in an emptyDir volume, which can improve performance and fix disk usage issues (Kubernetes).

 December 13, 2022

Application 1.130.0

Breaking Changes / Manual migration steps:

  • The Audit Log REST API (preview) /v1-pre/{organizationId}/AuditLog/Events doesn’t include signing request events anymore; instead, they can be retrieved via the new /v1-pre/{organizationId}/AuditLog/SigningRequestEvents route.

New Features:

  • Added support for additional, organization-specific key stores.

Bug Fixes:

  • Signing requests with more than one signing policy are now properly returned in the REST API.

 November 29, 2022

Application 1.129.0

New Features:

  • Enabled Swagger UI for the REST API at /Api/swagger.

Bug Fixes:

  • Fixed a bug in elliptic curve certificate generation for the software key store.

Application (self-hosted only) 1.129.0

Breaking Changes / Manual migration steps:

  • Renamed signServiceOptions to keyStoreOptions in the following places:

    • appSecrets/appSettings.shared.signServiceOptions (also changed the structure)
    • appSettings.deletionProcessorService
    • appSettings.signingProcessorService
  • Configuration value appSettings.notificationsProcessorService.smtpServerOptions.useSsl has been renamed to .secureSocketMode. Change false to 'None' and true to 'Ssl'.

New Features:

  • Added support for SMTP StartTLS protocol.

  • New AppInsights customEvents for individual signing operations.

 November 15, 2022

Application 1.128.0

New Features:

  • Added possibility to disable malware scanning for individual signing policies.

Improvements:

  • Performance improvement for signing requests using the HSM key store.

  • New REST API routes (preview) to list all CI Users and regenerate CI User tokens.

PowerShell Module 4.2.0

New Features:

  • Artifact Retrieval: Instead of uploading the artifact file, an HTTPS retrieval link including authentication headers can now be passed to SignPath.

Crypto Providers 3.2.2

Improvements:

  • Linux: Added Debian package signing via dpkg-sig to signing scenarios.

  • Linux: Added Maven GPG signing Docker container sample scenario.

Application (self-hosted only) 1.128.0

New Features:

  • New Administration Utility ChangeMultipleSubscriptions command to (partially) update multiple organizations with new subscription options.

  • Added support for including image files in custom notification email styling.

Improvements:

  • The versioning scheme of the Kubernetes Helm Charts has been changed to match the application version.

  • The signService.lunaHsmKeyStoreOptions.slotIndex configuration value is not necessary anymore and can be dropped.

 October 13, 2022

Application 1.126.0

New Features:

  • Verifying that a signing request was submitted from a trusted build system (TBS) is now possible without requiring the TBS to provide origin information.

  • The certificate view now also lists the X509 Issuer, Serial Number, Thumbprint, Key Usage and Extended Key Usage flags for each certificate.

Improvements:

  • Changed the name of the initial artifact configuration when creating projects to “Initial version”.

Application (self-hosted only) 1.126.0

Breaking Changes / Manual migration steps:

  • New mandatory chartSettings.malwareScanning.malwareScannerType configuration for signpath-application (Kubernetes only).

  • New mandatory signService.cspWatchdogOptions.keyId app setting for Luna HSM SignService.

New Features:

  • Possibility to configure a custom malware scanning service (via PowerShell adapter script).

  • Luna HSM watchdog key IDs can now be configured.

Bug Fixes:

  • Fixed a bug where multiple Luna HSM watchdog keys were created on first startup (only relevant for Kubernetes installations with multiple replicas).

 September 29, 2022

Application 1.125.0

New Features:

  • Added support for MSIX (Windows app package) signing.

  • Added UI support for re-submission of signing requests.

Improvements:

  • Added new API routes to change a user’s NotificationEmailAddress and Identity fields.

PowerShell Module 4.1.3

Improvements:

  • Added a proper return message when an operation is not allowed.

  • Cleaned up the documentation.

Application (self-hosted only) 1.125.0

Breaking Changes / Manual migration steps:

  • To continue using the REST API to resubmit signing requests (preview), a feature toggle needs to be enabled for every organization.

 September 20, 2022

Application 1.124.0

New Features:

  • Interactive users can now be created via the REST API.

Improvements:

  • Various small UI/UX improvements:

    • Used “email” instead of “e-mail” consistently.
    • Entity names are only truncated when there is no more space available on the UI.
    • It’s not possible to send empty feedback messages any longer.
    • When using the “Copy to clipboard” functionality, a confirmation message is shown.
    • When submitting forms, a spinning icon was added to indicate that the request is being processed.
    • On pages containing forms, the first input field is automatically focused on.
    • The interactive user field “Display Identity” was renamed to “Initial Login Email Address”.
    • The mouse cursor now indicates when an element can be interacted with.
    • The date and time picker now does not open any more when the input field is focused, making it easier to enter a date using the keyboard.

Crypto Providers 3.2.1

Improvements:

  • Linux: Updated the statically linked dependencies to Boost 1.79.0, OpenSSL 1.1.1n/3.0.5, plog 1.1.8 and zlib 1.2.12.

Bug Fixes:

  • Fixed a segmentation fault when using Cryptoki on Linux.

  • Fixed Cryptoki loading error on RedHat Linux v8.

  • Fixed missing CI User token redaction when passed on the command line instead of by configuration.

Application (self-hosted only) 1.124.0

Improvements:

  • Improved pairing experience with nShield HSMs.

  • The “HashPassword” functionality doesn’t require a Windows container anymore.

Bug Fixes:

  • Fixed nShield HSM startup error in Kubernetes.

 September 01, 2022

Application 1.123.0

Breaking Changes / Manual migration steps:

  • Compatibility with Internet Explorer 11 has been dropped.

New Features:

  • The artifact description in signing requests now contains the full path of files inside container artifacts.

  • The certificate’s key store ID is now also shown on the certificate details page (needs to be enabled per organization).

Improvements:

  • Modernization of the HTML UI framework including fixes of minor UI glitches.

  • Projects can now be configured to use multiple repository URLs for origin verification.

Bug Fixes:

  • Fixed broken signing request notifications for denied signing requests in special scenarios.

Crypto Providers 3.2.0

Bug Fixes:

  • Fixed Cryptoki loading errors on RedHat Linux 8.6.

 August 11, 2022

Crypto Providers 3.1.0

New Features:

  • Collecting information about the invoking process (command line call and user account) is now also supported on Linux.

Bug Fixes:

  • Fixed missing support for libp11 (OpenSSL engine) version 0.4.12.

  • Fixed missing reporting of specific configuration errors (e.g. invalid CI user token registry location).

 August 04, 2022

Crypto Providers 3.0.0

Breaking Changes / Manual migration steps:

  • The SIGNPATH_LOG_LEVEL configuration was split into SIGNPATH_LOG_CONSOLE_LEVEL and SIGNPATH_LOG_FILE_LEVEL.

  • The console logging was disabled by default (SIGNPATH_LOG_CONSOLE_LEVEL=none).

New Features:

  • Cryptoki: Added compatibility with gnupg-pkcs11-scd to support GnuPG PGP signing.

Application (self-hosted only) 1.121.0

Improvements:

  • Improved error reporting for wrong configurations.

Bug Fixes:

  • Added missing error reporting in the Administration Utility.

 July 29, 2022

Docker PowerShell Module 4.1.4

Bug Fixes:

  • Fixed interoperability problems with the Azure Container Registry.

 July 25, 2022

Application 1.120.0

New Features:

  • Added support for Windows Script Signing.

Improvements:

  • Improved error handling for invalid archives.

Bug Fixes:

  • Fixed a bug that prevented project configurators from setting the default artifact configuration.

PowerShell Module 4.1.1

Improvements:

  • Added references to the online documentation.

Application (self-hosted only) 1.120.0

Improvements:

  • Improved the pairing process for Thales Luna and DPoD Cloud HSMs.

  • Added support for Azure Application Insights logging.

 July 14, 2022

Application 1.119.0

New Features:

  • Added the possibility to provide a reason when denying a signing request.

Improvements:

  • Improved error messages when submitting invalid NuGet packages.

Bug Fixes:

  • Fixed a bug that allowed deleting an unsigned artifact that was still referenced by a resubmitted signing request.

Application (self-hosted only) 1.119.0

Bug Fixes:

  • Fixed a bug that required self-hosted installations to configure a timestamping server URL for FreeTrial subscriptions.

 June 08, 2022

Application 1.117.0

Bug Fixes:

  • Fixed a potential argument injection vulnerability in the jarsigner call.

  • Fixed a bug that prevented notification email changes from being shown in the history.

 May 16, 2022

Application

Improvements:

  • New REST API route (preview): /v1-pre/{organizationId}/CIUsers/Me returns information about the authenticated CI user.

Application (self-hosted only) 1.117.0

Improvements:

  • In Kubernetes installations, an improved migration mode ensures that all container images are ready before the new version starts, ensuring minimal downtime.

 May 02, 2022

Application 1.115.0

Bug Fixes:

  • Fixed Content-Security-Policy rules that prevented some SVG icons from being loaded.

Application (self-hosted only) 1.115.0

Breaking Changes / Manual migration steps:

  • A new ReportModel database needs to be created. See the installation guide for more details.

Improvements:

  • Administrators are now prevented from deploying to the wrong color.

  • Added a new /healthzd route to the API that checks the health of the SignServices.

 April 14, 2022

Application (self-hosted only) 1.114.0

Improvements:

  • Calling SetupDBs.ps1 now prints out a usage message when no parameters are supplied in the Docker Compose setup.

  • Improved default values in configuration files.

 March 31, 2022

Application 1.113.0

Bug Fixes:

  • Fixed a bug that prevented Docker Signing from working when using the Azure Container Registry.

PowerShell Module 4.1.0

Improvements:

  • An error message is shown when an artifact is no longer available for download.

Application (self-hosted only) 1.113.0

New Features:

  • Artifacts can now be deleted using the administration utility.

Improvements:

  • The database connection strings used in the initial setup and during the migration are now read from the configuration files.

 March 21, 2022

Application 1.112.0

Improvements:

  • New REST API route (preview): /v1-pre/{organizationId}/Organization to query organization and quota information.

Crypto Providers 2.1.0

New Features:

  • Support for DPAPI-encrypted CI User tokens.

  • Dedicated support for signing of Microsoft Office macros.

Improvements:

  • Separate versions for 32- and 64-bit architectures.

Application (self-hosted only) 1.112.0

Improvements:

  • NShield HSM keys are automatically retargeted to be used for Java signing.

Bug Fixes:

  • Fixed Malware Scanner warnings on startup on Windows Server machines using Docker Compose.

 March 03, 2022

Application 1.111.0

Improvements:

  • Limited the maximum file size for artifact retrieval to 4GB in SaaS.

    (SaaS only)

Crypto Providers 2.0.0

Breaking Changes / Manual migration steps:

  • Configuration and parameter names changed. All Crypto Providers now use a common naming schema. Environment variables have precedence over the configuration file. Command line parameters have precedence over environment variables.

Improvements:

  • All Crypto Providers can now gracefully handle application downtimes and will retry HTTP requests if the application is temporarily unavailable.

Application (self-hosted only) 1.111.0

Improvements:

  • Introduced a configurable file size limit for the artifact retrieval feature (defaults to 4GB).

 February 21, 2022

Application 1.110.0

New Features:

  • Introduced the option to re-download a Certificate Signing Request (CSR) and to re-upload certificates.

Improvements:

  • Updated Java Runtime to JDK 12.

Bug Fixes:

  • Fixed a bug that prevented the Audit Log API from handling Webhook.Deleted events.

Application (self-hosted only) 1.110.0

New Features:

  • Introduced option to change the log4net configuration used in SignPath.

 January 20, 2022

Application 1.108.0

New Features:

  • Audit Log REST API is now available in preview.

Bug Fixes:

  • Expiration emails for already expired certificates are no longer sent out.

Crypto Providers 1.1.0

New Features:

  • Windows only: Information about the invoking process (command line call and user account) is collected.

  • Windows only: Mutual TLS (mTLS) client certificates can be specified.

Application (self-hosted only) 1.108.0

Breaking Changes / Manual migration steps:

  • Only for nShield HSMs: Move the kneti-hardserver file from the NShieldHardserverPath directory to a subdirectory hardserver in the NShieldPairingDataPath directory. (Note: The NShieldHardserverPath configuration value has been removed.)

 January 11, 2022

Application 1.107.0

Improvements:

  • The API now returns concrete error messages in the body of HTTP 401 Unauthorized responses.

  • The signing request ID is now included in the HTTP response body of the submit API routes.

  • Extended the build system integration for AppVeyor to allow private projects for non-OSS subscriptions.

 December 09, 2021

Application 1.106.0

Improvements:

  • For Hash Signing, the metadata is now included in the signed artifact payload file.

Bug Fixes:

  • Fixed a bug that caused expiration notifications to be sent out even if a new certificate was re-imported.

PowerShell Module 4.0.0

Breaking Changes / Manual migration steps:

  • The Submit-SigningRequestResubmit command has been removed. Resubmit is now possible using the -Resubmit flag of the regular Submit-SigningRequest command.

Application (self-hosted only) 1.106.0

Upgrade Information:

The Configuration.yml file does not contain settings for the connection strings any more. Connection strings are now handled as secrets by default. However, for migration purposes, the connection strings can still be added to the Configuration.yml and referencing secret files is still supported.

Improvements:

  • The secret handling has been unified between the Docker Compose and K8s deployment targets.

 November 25, 2021

Application 1.105.0

New Features:

  • Signing request filters: The signing request list can be filtered by status and artifact configuration (when viewing signing requests for a specific project or signing policy).

  • User roles can also be configured for CI Users. Permissions will be applied to API calls accordingly.

Bug Fixes:

  • Fixed a bug that prevented artifact names of signing requests submitted via the artifact retrieval workflow from being included in the signing request report.

Application (self-hosted only) 1.105.0

Bug Fixes:

  • Fixed a bug that hid an error message when the configuration file could not be properly read.

 November 19, 2021

Jenkins Plugin 1.0.6

Improvements:

  • Security-hardened handling of tokens and artifacts within the plugin.

Bug Fixes:

  • Fixed a bug that caused Jenkins to run into timeouts when uploading large artifacts for signing.

 November 10, 2021

Application 1.104.0

Improvements:

  • The content of signing request lists has been cleaned up and only includes the artifact name once.

Bug Fixes:

  • Fixed a UI glitch in the webhook body editor.

  • The correct HTTP response code (403) is now returned for requesting unknown resources.

PowerShell Module 3.2.1

Bug Fixes:

  • Fixed a bug that prevented an error message from being shown when a parameter is missing.

Application (self-hosted only) 1.104.0

Bug Fixes:

  • Special characters are now handled correctly during the creation of the ENV-file.

 November 02, 2021

Application 1.103.0

New Features:

  • Added global reader and project reader roles.

  • Signing requests can now be resubmitted via the PowerShell module or via the API.

Improvements:

  • An additional certificate expiration notification is sent 10 days prior to the certificate expiration date.

Bug Fixes:

  • Errors that are caused by an unexpected timestamping algorithm are now handled properly again.

 October 14, 2021

Application 1.102.0

New Features:

  • Support for Thales DPoD cloud HSMs is in pre-release status.

Improvements:

  • The signing request status values have been reduced. Multiple statuses are now combined as “In Progress”.

  • Artifact sizes are now displayed in a human-readable format.

Bug Fixes:

  • Fixed a bug that prevented the artifact configuration XML from being downloaded if there were special characters in the configuration’s name.

Application (self-hosted only) 1.102.0

Breaking Changes / Manual migration steps:

  • In the Docker.LunaPairingDataPath or Docker.NShieldPairingDataPath directory respectively, rename the files so that every filename matches the pattern ^[-._a-zA-Z0-9]+$: replace each character that the pattern does not allow with an underscore (_).

  • Dropped support for file-based content stores. Use content stores compatible with the Amazon S3 interface instead.
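
The filename migration step above can be scripted. The following is an added example, not part of SignPath's tooling: the function names and the directory path are hypothetical, and it assumes the pairing files sit directly in the configured directory (no subfolders). It skips any file whose sanitized name would collide with an existing one, so nothing is overwritten.

```powershell
# Added example (not SignPath code). Function names and the path are placeholders.
function Get-SanitizedPairingFileName {
    param([Parameter(Mandatory)][string] $Name)
    # Replace every character outside [-._a-zA-Z0-9] with an underscore.
    # -creplace is case-sensitive, so only plain ASCII letters are kept.
    return ($Name -creplace '[^-._a-zA-Z0-9]', '_')
}

function Rename-PairingDataFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string] $Path)

    $allowed = '^[-._a-zA-Z0-9]+$'
    $files = Get-ChildItem -LiteralPath $Path -File

    # Track names already in use (case-insensitive, as on NTFS) to detect collisions.
    $taken = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($f in $files) {
        if ($f.Name -cmatch $allowed) { [void]$taken.Add($f.Name) }
    }

    foreach ($f in $files) {
        if ($f.Name -cmatch $allowed) { continue }   # already compliant
        $newName = Get-SanitizedPairingFileName -Name $f.Name
        if (-not $taken.Add($newName)) {
            # e.g. "slot 1.cfg" and "slot_1.cfg" would both become "slot_1.cfg"
            Write-Warning "Skipping '$($f.Name)': '$newName' already exists. Resolve manually."
            continue
        }
        if ($PSCmdlet.ShouldProcess($f.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $f.FullName -NewName $newName
        }
    }
}

# Preview the renames first, then repeat without -WhatIf:
# Rename-PairingDataFiles -Path 'C:\placeholder\pairing-data' -WhatIf
```

Take a backup of the pairing data directory before running the rename, and run it once for whichever of the two directories applies to the HSM in use.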

Improvements:

  • The pairing data files have been renamed to only contain a reduced set of characters (for the upcoming Kubernetes support).

  • Loosened the restrictions on the timestamping server protocol to allow the use of more timestamping servers.

 September 30, 2021

Application 1.101.0

Bug Fixes:

  • Fixed a bug that caused exception stack traces during startup.

 September 16, 2021

Application 1.100.0

New Features:

  • Project configurators: Configurator permissions can be granted to users that allow them to edit the artifact configurations and webhooks for specific projects only.

Improvements:

  • The signing request report now includes a link to the web page of the respective signing request.

Application (self-hosted only) 1.100.0

New Features:

  • Support for the (AWS) S3 content store backend. (Note: The file-based content-store will be dropped in the next version.)

Bug Fixes:

  • The health check route of the Hangfire Dashboard works again.

 September 02, 2021

Application 1.99.0

Improvements:

  • Hardened the content-security-policy settings.

Application (self-hosted only) 1.99.0

Improvements:

  • Improved logging during the database setup phase.

  • Fixed order of elements in Configuration.yml for easier comparison between versions.

 August 23, 2021

Application 1.98.0

New Features:

  • Notification Levels: Users can now select a notification level for each signing policy separately. By default, administrators will stop receiving notifications for signing requests unless they are configured as submitters or approvers.

Improvements:

  • Improved performance when processing artifacts.

Bug Fixes:

  • Removed the invalid required marker for Docker repositories on the create projects page.

  • Fixed a UI glitch: The “View documentation” links are right-aligned again.

Application (self-hosted only) 1.98.0

Improvements:

  • Improved migration times.

  • Unified replaceme placeholders in configuration files.

  • Disabled free trial organizations by default.

Bug Fixes:

  • Patched version for Thales DPoD support.

 July 08, 2021

Application 1.96.0

Improvements:

  • Better error reporting for archives that contain multiple files with the same name.

  • Performance improvements when loading signing request lists.

  • The “resubmit” functionality that allows a failed signing request to be executed again was renamed to “retry”.

PowerShell Module 3.1.3

Improvements:

  • Cleaned up the code.

Application (self-hosted only) 1.96.0

Improvements:

  • Changed the default isolation mode from Hyper-V to Process.

  • Removed the necessity to set Multiple Active Result Set (MARS) in the connection strings explicitly when upgrading.

 June 24, 2021

Application 1.95.0

Improvements:

  • Improved performance for hash-signing operations.

Application (self-hosted only) 1.95.0

Improvements:

  • Docker images are now pulled from DockerHub instead of being included in the installation package.

 May 27, 2021

Application 1.94.0

Improvements:

  • The default key size was increased to 4096 bits when creating keys via the user interface. This change was necessary to meet the new baseline requirements for code signing certificates as published by the CA/Browser Forum. Existing certificates are not affected by this change.

  • Authenticode signatures may contain a description field that is displayed by Windows User Account Control (UAC) and possibly other mechanisms. If present, SignPath will now use the FileDescription value of the PE file VERSIONINFO resource (VER_FILEDESCRIPTION_STR). Otherwise the file name will be used as before.

  • The malware scanning step is now displayed as a separate entry in the processing log of each new signing request.

 May 17, 2021

Application (self-hosted only) 1.92.0

Improvements:

  • Improved migration performance by reducing the number of events.

Bug Fixes:

  • Fixed wrong metadata type entry in content store for signed/unsigned artifacts.

 April 29, 2021

Application 1.91.0

Improvements:

  • Various small UX improvements:

    • Renamed “Build information” to “Build data”.
    • Improved the display of the file name of artifacts submitted using the artifact retrieval functionality.

  • In the SaaS deployment, the login process has been improved and handles correlation errors more gracefully.

Bug Fixes:

  • Fixed a bug where certain directory structures in ClickOnce application bundles resulted in unusable artifact configurations when created from a sample upload.

PowerShell Module 3.1.0

New Features:

  • Added support for user-defined parameters.

Application (self-hosted only) 1.91.0

Breaking Changes / Manual migration steps:

  • Move all configuration values from the .env file to the respective section in the Configuration.yml file.

New Features:

  • Added possibility to configure an external malware scanner.

Improvements:

  • Switched to a YAML-based hierarchical configuration system.

  • The performance of the Administration Utility has been improved.

 April 15, 2021

Application 1.90.0

Improvements:

  • Changed webhook URLs to only allow HTTPS.

  • Group memberships are also shown for user groups.

  • The repository URL is also shown on the signing policy detail page (if origin verification is enabled).

PowerShell Module 3.0.2

Improvements:

  • Added more explicit error messages when a Trusted Build System Link is missing in the Project configuration.

Application (self-hosted only) 1.90.0

Breaking Changes / Manual migration steps:

  • Move all secrets from the .env file to the respective secret files.

New Features:

  • Switched to using Docker-Compose secrets.

Improvements:

  • SQL connection strings for the SignService databases are also encrypted by default.

  • Improved error messages in case of missing configuration values.

  • Cleaned up the Docker images.

 April 01, 2021

Application 1.89.0

Improvements:

  • Signing request reports now also include the user IDs of all submitters and approvers.

PowerShell Module 3.0.1

Improvements:

  • Added -Verbose flag for better debugging experience.

  • The -ClientCertificate parameter is now also supported in the Get-SignedArtifact command.

Bug Fixes:

  • File handles are now closed correctly even if an error occurs.

Application (self-hosted only) 1.89.0

New Features:

  • Reverse proxies are now supported, recommended and enabled by default.

 March 17, 2021

Application 1.88.0

New Features:

  • Artifact configurations now support user-defined parameters.

Bug Fixes:

  • Fixed a bug that did not show the organization name on the invitation page.
