SignServer 5.1 Release Notes
The PrimeKey SignServer team is proud to announce the release of SignServer 5.1.0.
Highlights
Improved Client Certificate Authorization
Previously the client certificate authorization rules had to match on the certificate serial number causing a maintenance burden when renewing the certificates and all the rules had to be updated.
With this release we introduce the possibility of matching on other fields from the certificate, such as RDN:s from Subject DN like Common Name (CN), Organization Unit (OU), and User ID (UID), etc.
See Configure Client Certificate Authentication and Authorization for step-by-step instructions on how to start using this feature.
PGP Signing Support
In addition to supporting all X.509 based signers, we have now added support for PGP/GPG signing of software release packages and repositories, or for general signing.
The new OpenPGP Signer can produce both detached and clear-text signatures. For step-by-step instructions on configuring and using this new signer, see Setting up OpenPGP Signer.
Additionally, SignClient now supports PGP signing in client-side hashing mode (Enterprise only). For more information, see Client-Side Hashing.
Debian Package Signing Support
While the added PGP signing support allows signing Debian software repositories, this new signer also lets you sign individual Debian packages. For more information, see the new Debian Dpkg-sig Signer.
We also added support to SignClient for signing this format in client-side hashing mode (Enterprise only), see Client-Side Hashing.
Upgrade Information
No database changes are required for this release.
Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in SignServer 5.1.0, refer to our JIRA Issue Tracker.
New Features
DSS-976 - Create OpenPGP key management support and signer
DSS-1756 - PKCS#11 support for authentication key in SignClient
DSS-1822 - Create OpenPGP Plain Signer
DSS-1823 - SignClient client-side hashing support for OpenPGP detached signatures
DSS-1824 - SignClient client-side hashing support for OpenPGP clear-text signatures
DSS-1826 - SignClient client-side hashing support for Debian dpkg-sig signatures
DSS-1976 - Option to disable key generation operation
Tasks
DSS-1821 - Merge OpenPGP PoC implementation
DSS-1961 - Cleanup PGP PoC code
DSS-1962 - PGP algorithms support
DSS-1963 - PGP revocation certificate support
DSS-1964 - PGP Support for soft keystore (not just PKCS11CryptoToken)
DSS-1965 - Compliance tests with GPG
DSS-1967 - Create sample-config template for PGP signing
DSS-1968 - OpenPGP signer should not be active if the key does not exist
DSS-1969 - Create worker property for choosing detached signature
DSS-1970 - Add an option to specify if ASCII armoring or binary format should be used for output
DSS-1971 - Document OpenPGPSigner
DSS-1972 - Support in OpenPGPSigner for clear-text signatures
DSS-1973 - Create DebianDpkgSigSigner
DSS-1974 - Read input from stream in OpenPGPSigner
DSS-1975 - Signing systemtests with HSM for OpenPGPSigner
DSS-1977 - Create skeleton DebianDpkgSigSigner
DSS-1978 - Create method for building a Debian package metadata file
DSS-1980 - Compliance tests with dpkg-sig
DSS-1982 - Add AR parsing to Debian signer
DSS-1983 - Refactor signing logic in DebianDpkgSigSigner
DSS-1991 - Test AdminWeb invoked with IPv6 address
DSS-1992 - Test AdminGUI with IPv6 address
DSS-1993 - Test SignClient with IPv6
DSS-1998 - Test TimeMonitor with IPv6 address for the NTP server