SignServer 5.1 Release Notes

The PrimeKey SignServer team is proud to announce the release of SignServer 5.1.0.

Highlights

Improved Client Certificate Authorization

Previously the client certificate authorization rules had to match on the certificate serial number causing a maintenance burden when renewing the certificates and all the rules had to be updated.

With this release we introduce the possibility of matching on other fields from the certificate, such as RDN:s from Subject DN like Common Name (CN), Organization Unit (OU), and User ID (UID), etc.

See Configure Client Certificate Authentication and Authorization for step-by-step instructions on how to start using this feature.

PGP Signing Support

In addition to supporting all X.509 based signers, we have now added support for PGP/GPG signing of software release packages and repositories, or for general signing.

The new OpenPGP Signer can produce both detached and clear-text signatures. For step-by-step instructions on configuring and using this new signer, see Setting up OpenPGP Signer.

Additionally, SignClient now supports PGP signing in client-side hashing mode (Enterprise only). For more information, see Client-Side Hashing.

Debian Package Signing Support

While the added PGP signing support allows signing Debian software repositories, this new signer also lets you sign individual Debian packages. For more information, see the new Debian Dpkg-sig Signer.

We also added support to SignClient for signing this format in client-side hashing mode (Enterprise only), see Client-Side Hashing.

Upgrade Information

No database changes are required for this release.

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.1.0, refer to our JIRA Issue Tracker.

Issues Resolved in 5.1.0

Released on 12 July 2019

New Features

DSS-976 - Create OpenPGP key management support and signer

DSS-1756 - PKCS#11 support for authentication key in SignClient

DSS-1822 - Create OpenPGP Plain Signer

DSS-1823 - SignClient client-side hashing support for OpenPGP detached signatures

DSS-1824 - SignClient client-side hashing support for OpenPGP clear-text signatures

DSS-1826 - SignClient client-side hashing support for Debian dpkg-sig signatures

DSS-1976 - Option to disable key generation operation

Tasks

DSS-1821 - Merge OpenPGP PoC implementation

DSS-1961 - Cleanup PGP PoC code

DSS-1962 - PGP algorithms support

DSS-1963 - PGP revocation certificate support

DSS-1964 - PGP Support for soft keystore (not just PKCS11CryptoToken)

DSS-1965 - Compliance tests with GPG

DSS-1967 - Create sample-config template for PGP signing

DSS-1968 - OpenPGP signer should not be active if the key does not exist

DSS-1969 - Create worker property for choosing detached signature

DSS-1970 - Add an option to specify if ASCII armoring or binary format should be used for output

DSS-1971 - Document OpenPGPSigner

DSS-1972 - Support in OpenPGPSigner for clear-text signatures

DSS-1973 - Create DebianDpkgSigSigner

DSS-1974 - Read input from stream in OpenPGPSigner

DSS-1975 - Signing systemtests with HSM for OpenPGPSigner

DSS-1977 - Create skeleton DebianDpkgSigSigner

DSS-1978 - Create method for building a Debian package metadata file

DSS-1980 - Compliance tests with dpkg-sig

DSS-1982 - Add AR parsing to Debian signer

DSS-1983 - Refactor signing logic in DebianDpkgSigSigner

DSS-1991 - Test AdminWeb invoked with IPv6 address

DSS-1992 - Test AdminGUI with IPv6 address

DSS-1993 - Test SignClient with IPv6

DSS-1998 - Test TimeMonitor with IPv6 address for the NTP server

Improvements

DSS-1955 - Use 'command' instead of 'which' in the scripts

DSS-2000 - Automatic test for key alias prompt

DSS-2005 - Add IPv6 localhost in demo TLS server cert

Bug Fixes

DSS-1840 - Authenticode signatures with SHA-512 not recognized by Windows (PE files)

DSS-1986 - Generate CSR for PGP key always uses key from PGPPUBLICKEY property if set

DSS-2003 - Link to admin web is broken with IPv6

DSS-2007 - Password prompt not working under Cygwin