Software Trust Manager

In the release creation workflow, we've updated the default setting to display only keypairs with associated certificates, enhancing user experience. Users retain the flexibility to view all keypairs by deselecting the filter box if needed, ensuring seamless navigation. This change aims to streamline selection processes while providing greater clarity and efficiency.

We have rectified an error in the import certificate workflow where the "Certificate alias" field was incorrectly labeled as "Keypair alias"; it now displays accurately. This fix ensures clarity and accuracy in the workflow for all users.

We updated translation files to enhance multilingual support across the platform, excluding Japanese. These updates ensure improved clarity and consistency for users worldwide. We remain committed to delivering a seamless experience for our diverse user base.

We became aware that user's were receiving the following error: "Attempt to create duplicate resource. Please check data provided." when attempting to create or update a user group in Software Trust Manager and the API. We have resolved this issue and users should be able to create and update user groups as expected.

Our client tool packages were updated with version 1.3.0.0 of ReversingLabs' scanning tool called rl-deploy to improve accuracy and consistency between Software Trust Manager and ReversingLabs' portal.

When teams are enabled, and a member of the team generated a keypair via SMCTL, the keypair was generated with open access instead of restricted to the team. This has been corrected and when teams are enabled and a user generates a keypair via SMCTL, the user will be required to provide the Team ID so that the keypair's use is restricted to that specific team.

We identified that the excel report generated after downloading via the Most recent 10,000 signature logs method did not include relevant metadata. We fixed this issue and relevant metadata should show in these reports.

When a user ran the smctl healthcheck command and no signing tools were found in their system, the log files listed the following error message: "Error Tools cannot be null." We updated the error message to: "Unable to detect compatible signing tools." to improve the clarity that the user needs to install third-party signing tools.

When a user runs the smctl windows certsync command without providing environment variables first, the log files listed a long string of information. We updated the error messages to be more concise: "Error occurred while trying to connect to service. No Host provided in request URL."

You may have been notified about an new version of Software Trust Manager client tools; however, if you have already downloaded version 1.44.0 of the Software Trust Manager tools, there is no need to update your client tools to the latest version as the changes made do not affect Software Trust Manager users.

As an ongoing effort, we have improved the scalability and reliability of Software Trust Manager. These updates ensures seamless operations even during peak usage and provides our users with a more efficient and robust user experience.

We have addressed the issue of slow downloading for signature logs via the latest 10,000 option as well as the archived signature logs workflows. This change optimizes the download speed and prevents timeout errors.

Previously when users downloaded an SBOM report, Software Trust Manager showed no indicator that the download was in progress. We have enhanced this workflow by disabling the "Download" button after it is clicked and display a spinner to assure users that the download is in progress. This enhancement also prevents users from unnecessarily clicking the download button multiple time and duplicating the SBOM reports.

Deleted certificates were still listed in Windows certificate store even after running the smctl windows certsync command. We have fixed this issue and deleted certificates should no longer display in the certificate store after running the smctl windows certsync command.

The 32-bit and 64-bit CSP library had an issue preventing users from using SHA1 digest signature algorithm. This has been resolved and users should now be abled to use SHA1 digest signature algorithm via the CSP library. This change was made on the server side and does not require you to upgrade to a newer version of the CSP library.

We have developed a 32-bit version of our PKCS11 library. This version allows users to utilize our PKCS11 tool on 32-bit Windows and Linux systems, enabling them to sign Java applications in a 32-bit environment. This new version is available for download from Software Trust Manager client tool repository.

It is mandatory to select a certificate profile when generating a certificate. Previously, users needed both Generate certificate and View certificate profile permissions to successfully generate a certificate. We have streamlined the workflow by removing the requirement for the View certificate profile permission when generating a certificate. Users can now generate certificates and select certificate profiles if they only have the Generate certificate permission, this change reduces errors for users with custom roles, seeing as it is not intuitive that the 'view certificate profile' permission was required for certificate generation.

Previously, SBOM signing commands only supported keypair IDs. Now, we've expanded support to include keypair aliases as well. Keypair aliases offer users a more intuitive and user-friendly option, making SBOM signing commands easier to remember and use.

Previously, users encountered errors when adding any characters other than letters, numbers, ., _, or - in Release names. This error blocked users from creating a release but did not advise which characters were allowed. In response, we have introduced a tooltip within the Create release workflow, providing users with guidance on the allowed characters and format.

We have resolved an issue where attempting to view keypairs assigned to your team during the Release creation process which resulted in an error. Now, users can seamlessly select keypairs associated with a team without encountering errors. This improvement ensures a smoother experience when creating Releases, with all relevant keypairs readily available for selection.

We identified an issue where users were unable to enable specific key algorithms in Account settings. This problem has been resolved, and the workflow should now function as expected. Users can once again seamlessly choose their preferred key algorithms in the Account settings.

We enhanced our keypair profile workflows to allow for selection of the quantum-safe algorithm, Machine Learning-based Digital Signature Algorithm (MLDSA). MLDSA is a cutting-edge approach to cryptographic security. It utilizes advanced machine learning techniques to continuously adapt and enhance security measures, providing adaptive protection against emerging threats.

We have addressed delays in loading on the archived signature logs page by removing the Total number of signature logs field as well as the Number of records column. Each report consistently contains 10,000 unfiltered signature events. However, the most recent report reflects the delta of events since the last archival, potentially deviating from the standard 10,000 events. This change ensures a smoother user experience while maintaining transparency and accuracy in reporting.

We identified an issue with the smctl windows ksp list command, which resulted in the output only showing the first letter of the storage providers. We have fixed this issue and the command output should display with the full names, as expected.

CertCentral now issues certificates off SHA-384 signature algorithm ICAs. While previously limited to SHA-256, this update enables users to utilize SHA-384 signatures based on their CA and ICA settings within CertCentral. Users can seamlessly leverage this feature to further strengthen their certificate management workflows.

We have identified that system scope keypair profiles that should be shown be visible in all Software Trust Manager accounts, were hidden. We have fixed this issue and should be accessible in all accounts.

During keypair generation, the security level associated with the keypair profile selected was hidden. We have resolved this issue and the security level should display as expected.

We identified an issue preventing the download of Software Trust Manager client tools via the no authentication API endpoint: /signingmanager/api-ui/v1/releases/noauth/{releaseName}/download and CI/CD plugins. We have fixed this issue and users should be able to successfully download our client tools using the endpoint referred to above and Software Trust Manager plugins.

We enhanced our keypair creation workflows to allow for the selection of the quantum-safe algorithms, Machine Learning-based Digital Signature Algorithm (MLDSA). MLDSA is a cutting-edge approach to cryptographic security. It utilizes advanced machine learning techniques to continuously adapt and enhance security measures, providing adaptive protection against emerging threats.

We enhanced our command line interface (CLI), Signing Manager Controller (SMCTL) to support CycloneDX and SPDX SBOM signing and verification using in-toto. SBOM signing enables users to securely sign their SBOMs, providing assurance of their authenticity and integrity throughout the software supply chain. Additionally, SBOM verification ensures that received SBOMs have not been tampered with, enhancing trust and mitigating the risk of supply chain attacks.

Building on existing binary signing workflows, we enhanced our command line interface (CLI), Signing Manager Controller (SMCTL) to support hash signing. Hash signing ensures data integrity by generating unique cryptographic signatures for files, offering an extra layer of security against tampering and unauthorized modifications throughout the software distribution process.

We identified and fixed two issues relating to our Projects feature. Previously, system users encountered difficulties loading the projects page; we have resolved this, and it should now load as expected. Additionally, the "Create project" button was displayed in the UI for users who did not have the required permissions assigned. We have rectified this by removing the button for users who do not have the necessary permissions to perform this action.

We have improved our API for system users. As of this release, it is mandatory for system users to provide an account ID when retrieving signature logs. This change ensures that users can access logs for a specified account rather than receiving data for all accessible accounts. This enhancement allows for more efficient workflow management.

We have enhanced the drop-down menus in existing workflows to include a search functionality to speed up the selection process. The search functionality has been applied to the following workflows:

We made changes to how keypair profiles are organized. Previously, when you created a new keypair profile, it appeared at the bottom of the list, potentially causing inconvenience. Now, to streamline your experience, newly created keypair profiles will automatically populate at the top of the list for easier access and better visibility.

We enhanced input validation for hashes provided at time of signing related to keypairs stored on disk via Software Trust Manager Rest API.

We have enhanced the user interface (UI) pages for archived signature logs in Software Trust Manager, significantly improving their load time.

Previously, users with large log volumes experienced timeouts when accessing archived logs. This release should eliminate timeouts. Additional optimizations are in progress to enhance other aspects of the signature logs workflow to further enhance user experience.

Software Trust Manager will make video content available in our UI regarding the benefits of undertaking Threat Detection so customers can learn more about the benefits of using Threat Detection to secure software supply-chains.

We have corrected the signature count related to archive logs to align with total signatures for the account. Previously, filters applied in the UI impacted the signature count value. Going forward, this will no longer be the case.

Software Trust Manager will now make our content regarding the benefits of undertaking Threat Detection on software available to all customers ahead of signing with this release.

If you are not presently licensing the Threat Detection feature, you will be given access to a tab where we explain the benefits of this feature. If you want to learn more or sign up for a free trial, you can express your interest. To learn more about this feature, see Threat detection.

In this release, we optimized the signature log user interface (UI) pages, resulting in a much-improved load time for signature logs in the Software Trust Manager UI.

The load time of recent logs has been an issue for those with large log volumes. These larger volumes caused the request to the service to timeout, which in this release has been optimized and will no longer happen. Further changes are planned to optimize for other parts of the signature logs workflow, which will go live in future releases to continue improving this experience.

DigiCert® CA Manager now offers you the ability to generate and store your private keys for code signing certificates in DigiCert's shared key storage services, as well as in your dedicated key storage services that are integrated with your Software Trust Manager account. In CA Manager, you can enable multiple active key storage services, such as DigiCert's hosted HSMs and your cloud-based HSM service "Data Protection on Demand" (DPoD) from Thales. Software Trust Manager has enhanced the keypair generation workflow to enable you to choose where to generate new keys based on your use case in Software Trust Manager and in SMCTL, our command-line interface. You can access and sign with your keys regardless of whether your keys are stored in DigiCert's shared key storage services or in your dedicated key storage services, or HSMs.

We have improved our error messages for the Software Trust Manager Projects feature. Previously these error messages referenced resource IDs, however we will now display resource aliases instead to ensure that the resource is more easily identified by our users.

We have improved our error messages for the Software Trust Manager Release feature. Previously these error messages referenced keypair IDs, however we will now display keypair aliases instead to ensure that the keypair is more easily identified by our users.

We identified an issue with the end date shown in the contract term drop-down menu in the Software Trust Manager Dashboard. The end date displayed was always the original end date of the contract term, and did not account for contract terms that were extended before the contract expired. The end date for contract terms now take contract extensions into account and display correctly.

We have added an Exploitability field to the FOSSA threat detection scan details page. The Exploitability field provides information about the likelihood that a given vulnerability will be exploited. This field helps users, administrators, and security professionals assess the urgency and priority of addressing Common Vulnerabilities and Exposures (CVE).

On November 2, 2023, we enhanced the release workflow, this change caused backward compatible issues with older versions of Signing Manager Controller (SMCTL). We have fixed the backward compatibility issue in this release. Older versions of SMCTL now works with the new release workflow enhancements.

We enhanced our threat detection integration with FOSSA. This enhancement allows you to download licensing, SBOM, vulnerability reports after completing a threat detection scan with FOSSA. In addition, you to customize the report format and metadata included in the report.

When attempting to delete a threat detection scan, the following error messages were returned: Scan not found for given identifier ID - <Scan ID>. and Translation is missing. We have resolved this issue and you should now be able to successfully delete scans in Software Trust Manager.

Our new release feature allows you to set the purpose of your release, you can continue to use releases just to sign, or you can use our new workflow to use releases to perform threat detection scans, or to scan your software and if no threats are detected, allow your software to be signed as part of the release. You can set your preference in account settings.

Our threat detection feature integrates with ReversingLabs to identify CVEs and deployment risks in your software. Initially, all P0 deployment risk scans would fail, but we've introduced a new enhancement that empowers you to select the P0 level in account settings which determines when the scan should fail. This way, you can focus on the highest deployment risks, enabling you to progressively refine your software while avoiding an overwhelming number of results with varying criticalities.

We have added a Version column to the list of threat detection scans in Software Trust Manager, to make it easier for you to identify which version of the software was scanned.

ReversingLabs scans were initially listed in Software Trust Manager Scan type field as a DAST (Dynamic Application Security Testing), however after a thorough investigation we have renamed this scan type to SBA (Static Binary Analysis). SBA, also known as binary analysis or binary code analysis, more clearly describes that this scan type concentrates on analyzing the compiled binary code of an application or system without executing it. It aims to uncover vulnerabilities in the code itself, rather than its runtime behavior.

We corrected the calculation in the Software Trust Manager dashboard. for Production signature units and HSM keypair units. Initially this calculation was based on the contract term selected within the dashboard. However this has been corrected to show that the signature units calculation is based on the contract term you have selected, whereas the HSM keypair units calculation is based on your account lifespan because these units do not expire.

We identified a bug in the test keypair generation workflow. When you creating a test keypair, the workflow allowed users to select online or offline as a keypair status. We have corrected this workflow to only restrict test keypairs to an online status.

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.

The SMCTL desync command previously only desynced the expired and revoked certificates associated with a keypair from the local Windows store. We have improved the functionality of this command to allow you to additionally specify invalid or all as a parameter in the Windows desync command so that all certificates associated with the keypair would be desynced.Windows

The SMCTL verify signature command has previously provided a lengthy output that made it difficult to identify if the verification of the signature was a success or failure. We have introduced a new parameter called --quiet that can be added to the verify signature command to limit the output of the command to one sentence confirming if the verification of the signature is a success or failure.

ReversingLabs' periodically updates their configuration files to improve the quality of scan responses and add new policies. DigiCert​​®​​ Software Trust Manager is now relying on the latest available version of ReversingLabs configuration file to improve accuracy and consistency between DigiCert​​®​​ Software Trust Manager and ReversingLabs' portal.

With this release, DigiCert​​®​​ Software Trust Manager Threat Detection customers now have the option to choose generation of SBOMs in SPDX or CycloneDX formats. SBOM format choice is now something users can select from the CLI (SMCTL). To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

Software Trust Manager Threat Detection customers can now make choices on what reports to generate when requesting a scan on the CLI (SMCTL). Until this point all reports were generated by default. Now you can choose which reports to generate and those reports that will be pushed up to the Scan results in the Software Trust Manager UI. To leverage this capability, make sure download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

To better support threat detection software assurance CI/CD workflows, we have introduced support for a non-zero response flag when customers make a threat detection scan in our CLI (SMCTL). By including this new flag in the CLI request, any scans which fail will force the CI/CD pipeline to fail and exit so that customers can block and further activities they planned to do if the scan was a success. To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

After release, there were a few UI enhancements identified to make the Software Projects workflows consistent with the rest of Software Trust Manager . Changes included UI content alignment, changes to button position and function as well as the ability to pause projects and change the project alias.

There was a bug with respect to default user mapping at the time of GPG keypair generation. It is now resolved.

When system users enabled Software Trust Manager feature flags in DigiCert® Account Manager, unrelated settings showed being affected in Software Trust Manager account settings. This has been fixed. When system users update Software Trust Manager related feature flags in DigiCert® Account Manager, only the specified flag gets updated while unrelated existing flags remain unaffected.

Software Trust Manager has partnered with FOSSA, a Software Composition Analysis (SCA) tool to extend our Threat detection ability to scan your source code repository via role-based access control (RBAC) from Signing Manger Controller (SMCTL). This feature allows all scan results to be shared to your Software Trust Manager cloud account and includes controls and analytics to help you use Software Trust Manager to secure your software supply chain.

Integrate Software Trust Manager with Oracle Cloud Infrastructure (OCI) using our new script integration and our PKCS11 library for secure cryptographic operations and signing within your CI/CD pipeline.

On Fedora 36 and above, the requirement to import GPG keys into the RPM repository became more strict, which caused the key import function to fail if there were critical flags. We have removed the GPG logic for critical flags on key flags and primary user ID. This change resolved the issue with importing RPM keys.

Expired users were inappropriately showing as Approvers for any Teams-related action. Also, when Teams were enabled, expired users were shown in a list of users with sign permission when creating or editing a release. Expired users have now been removed from these workflows.

We recently made changes to consolidate our integrations based on the connector model. In doing so, we introduced a UI bug which meant some customers could not see their CertCentral integration on the connectors list page. This has been fixed, and all customers can now view CertCentral integration on the connectors page.

CertCentral connector failed to load when CertCentral integration was only enabled in Software Trust Manager account settings and not in Account Manager. This has been fixed, CertCentral connector now loads correctly when CertCentral integration is enabled in Software Trust Manager account settings and, or in Account Manager.

Software Trust Manager's new Connectors feature provides you and your teams with a new space to manage your integrations. You can integrate your Software Trust Manager account with CertCentral global or Europe to order and manage publicly trusted certificates. You can also integrate with ReversingLabs to enable Threat detection on your account.

Last week Software Trust Manager released a new feature called Projects, however the feature was inaccessible to users relying on MariaDB  version 10.3.x. The Projects feature is now backward compatible to MariaDB 10.3.x.

The Learn more link on the projects page in Software Trust Manager received a "Page not found" error. The link has been updated to link correctly to the Projects page.

When Allow team mapping for keypairs and certificates profiles is enabled for teams in Software Trust Manager Account settings, the team's certificate profiles did not populate in the certificate profile list during certificate generation for an existing keypair. This has been fixed. If Allow team mapping for keypairs and certificates profiles is enabled for teams, and you generate a new keypair with a default certificate, you will be able to select a certificate profile associated with your team from the drop-down menu.

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

Software Trust Manager's new feature Projects provides you and your teams with a structured and collaborative environment to manage threat detection scans and releases for a specific software development project. Create a project to store all your related software scans and releases for different versions of the same software. You can refer to each software project by a descriptive name and an alias to allow for easy reference in SMCTL commands.

When the Address 2 field for the organization's address was "NULL" in DigiCert® Account Manager, certificate generation and dynamic keypair refresh failed. This issue has been fixed and should allows you to generate a certificate and refresh your dynamic keypair regardless of whether the optional Address 2 field has been completed or not.

Code signing with the Jenkins plugin is a streamlined keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux with standard keypairs. This plugin accelerates the installation and configuration of clients and signature tools to help developers become signing-ready for Jenkins pipeline.

GPG signing with the Jenkins plugin is a streamlined keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux with GPG keys. This plugin accelerates the installation and configuration of clients and signature tools to help developers become signing-ready for Jenkins pipeline.

Users with the "Approve release window" permission were redirected to "Page not found" when attempting to approve an offline release. Users that have the "Approve release window" permission assigned are now able to access the approve release page when attempting to approve an offline release.

When a user with insufficient permissions attempted to access a page, they were redirected to the dashboard. This issue has been resolved and users are shown "Page not found" when attempting to access a page with insufficient permissions.

When your data was previously filtered using a filter that no longer exists, no results were displayed. When you view your list pages now, any archived filters that were applied will be removed, and you can select to filter your data by existing filters.

Added capability to filter by dropdown selections of Severity and Status filters in threat detection results so customers can limit view to priority risks.

Deprecating the license page in account settings as we better cater for this in the dashboard, as well as providing overall consumption rates in the customer's account section of DigiCert ONE.

Fixed an issue where, once you applied filters related to keypairs on the keypairs list page, then visited another page and came back to the keypair list page, the filter was persisted but the results were not filtered correctly. We have resolved this now for all keypair algorithm types.

Custom CertCentral fields were not showing up in Generate Certificate page for existing keypairs. We are now delivering parity for new and existing keypairs when generating a new certificate in this release.

With this release, DigiCert​​®​​ Software Trust Manager Threat Detection customers now have the option to choose generation of SBOMs in SPDX or CycloneDX formats. SBOM format choice is now something users can select from the CLI (SMCTL). To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

Software Trust Manager Threat Detection customers can now make choices on what reports to generate when requesting a scan on the CLI (SMCTL). Until this point all reports were generated by default. Now you can choose which reports to generate and those reports that will be pushed up to the Scan results in the Software Trust Manager UI. To leverage this capability, make sure download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

To better support threat detection software assurance CI/CD workflows, we have introduced support for a non-zero response flag when customers make a threat detection scan in our CLI (SMCTL). By including this new flag in the CLI request, any scans which fail will force the CI/CD pipeline to fail and exit so that customers can block and further activities they planned to do if the scan was a success. To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

After release, there were a few UI enhancements identified to make the Software Projects workflows consistent with the rest of Software Trust Manager . Changes included UI content alignment, changes to button position and function as well as the ability to pause projects and change the project alias.

There was a bug with respect to default user mapping at the time of GPG keypair generation. It is now resolved.

Previously, deployment risks and common vulnerabilities and exposures (CVE) were sorted by ID number rather than priority in the threat detection results pages. Now, both deployment risks and CVE data will be sorted in descending order to show critical risks and vulnerabilities first.

For example, a severity 9 CVE will be higher on the page than a severity 7 CVE and a P0 deployment risk will be higher than a P1, etc.

Software Trust Manager released a new and improved dashboard that allows you to filter your data by your contract term, team, or a specific user. You can use this feature to identify an overview of:

Software Trust Manager released some enhancements relating to the Threat detection feature following our integration with ReversingLabs. We now support a new and expanded JSON schema that permits more information to be provided based on the data retrieved following the binary decomposition analysis. We also added a new logo in the UI and changed the name from Software Scanner to Threat Detection. Further, we give credit to National Vulnerability Database (NVD) relating to the Common vulnerabilities and exposures (CVE) details.

If a user had Certificate Revoke permission but not Certificate Profile permission, certificate revoke was not possible. This is now resolved.

The release dropdown list was blank when selecting releases to compare, which is now resolved.

For Account scope users, the dashboard now shows an accurate count for keypairs and certificates.

The client tools repo for System users showed Keylocker client tools in addition to STM client tools. The appropriate client tools are now only visible.

CertCentral recently introduced a custom field for certificate orders which supports user choosing a dropdown option. Software Trust Manager will now also support dropdowns for custom fields in our UI for parity purposes.

We are updating Software Trust Manager’s server-side log validation errors to capture validation errors, record more comprehensive logs, remove duplicate logging, and classify logs correctly.

Published 1.7.0 Azure devops extension to fix the broken client tools download link (tested with test extension version 1.5.0).

Fixed an issue where service users were not being mapped to GPG keys correctly. This is now corrected and service users can sign and manage GPG keys as per the service design.

Fixed issues with SMCTL Windows commands certsync and desync. These should now perform normally.

Software Trust Manager command-line interface (SMCTL) has enabled users to incorporate notarization workflows for Apple apps and binaries. Developers can not only sign their Apple files but also get them notarized and staple the results to the binary to give end users confidence around the quality of the software being installed on their Apple devices.

Click-to-sign client now supports customers to enable DEBUG logging so as to help identify configuration and setup errors detected when using the client.

Allows users to specify a GPG subkey for signing so that users can opt to use an older subkey.

Software Trust Manager has introduced MDC (Mapped Diagnostic Context) approach to enrich server-side log messages. These messages provide information to better track service execution.

Fixed an issue that was not assigning the creator of a new keypair as the default user.

We identified some missing server-side log scenarios relating to some events. We are now capturing create and modify for GPG master and subkeys, update Account Settings, and client tools download.

Implemented a fix to alert users who do not have access to a key and try to sign with it. Such users now see a proper error message.

Signing Apple binaries with Apple certificates can be complicated. We simplified the process by extending the scope of the STM CLI (SMCTL) to identify Apple binary types and build signing commands for Apple's codesign and productsign tools, so the user only has to identify the keypair they wish to use and where the binaries reside.

Legacy connected devices are often constrained by key algorithm as well as keysize/curve and do not have the ability to support newer or more robust keys. Software Trust Manager is adding support for ECDSA keypairs with p192 curve to support customers with legacy product lines constrained to this key type. The generation and import of these keys is limited to STM disk storage. Signing is supported in conjunction with the STM PKCS11 library and optimized for OpenSSL and PKCS 11 tool signing tools.

Fixed a bug where for some keypairs, the default certificate checkbox was enabled and for some it was disabled. All keypairs can now have default certificate set if required.

Fixed an error in the account settings content relative to trial account being enabled.

Fixed an error for customers who connect remotely via SSH who were not able to see their environment variables from the STM CLI (SMCTL).

Keytool import was importing the key as online by default, which conflicted with how the STM CLI (SMCTL) performs keypair import. Now all keypair import operations will set the key as offline for users to bring online afterwards if they choose.

Software Trust Manager launched the Teams feature in 2022. This feature enables the management of users, keys, and profiles by grouping these resources under a team. It also introduces multi-person approval workflows and signing limits to account admins—all local and specific to each team of users. With the Teams feature fully established, we will sunset the older APIs which supported profiles to user mappings and instead invite customers to use the Teams APIs to map profiles to users instead.

Rebranding our click-to-sign client with the product name Software Trust Manager. This is a cosmetic change of logos and branding and does not introduce any breaking changes.

Rebranding our Azure DevOps and GitHub custom action plugins to the product name Software Trust Manager. This is a cosmetic change of logos and branding and does not introduce any breaking changes.

Fixed bugs relating to GPG keypairs which were identified post-release.

Fixed a bug which caused the click-to-sign client to crash.

Software Trust Manager now supports hosted account customers to have a dedicated account integration for secure key generation in a Thales DPOD service. Our workflows support key generation and support signing with keys hosted on the Thales DPOD service, which meets the minimum requirements for public trust code signing private key storage. Customers benefit from the dedicate storage provided by Thales, and means the customer will always retain the keys.

We are rebranding the product from Secure Software Manager to Software Trust Manager. The new name aligns with the vision for the product as we grow the capabilities to deliver a broader range of software trust features which help customers secure their software supply chain at a time when ensuring digital trust is now one of the most pressing issues for the modern enterprise.

Users can now sign and modify GPG keypairs from the CLI, bringing parity to keypair activities which are already in place for standard keys on the CLI.

Users can now create and modify GPG Keypairs from the CLI, bringing parity to keypair activities which are already in place for standard keys on the CLI.

Certificate auto-renewal process was happening too far away from the certificate expiry date. We fixed this by checking for certificate expiry every 4 hours and replacing certs which were enabled for auto-renewal when they are less than 6 hours left with the certs validity.

Certificate auto-renewal process was causing duplication of renewed certs and and also was causing the alias of the certificate to become exponentially long. We fixed the duplication issue and made adjustments to how we rename legacy certificates so the alias is not growing exponentially each time the cert expires.

The introduction of teams feature caused an unexpected issue when trying to import a certificate when the teams feature was enabled. Users can now import certs when teams feature is enabled or disabled.

Users not part of release should not have signatures count towards release signature limit and user should not be able to sign with key if not part of release when the key is in offline status. Applies to both standard keys and GPG keys.

Fixed an issue where uncaught exceptions in the account settings UI caused the status spinner to spin indefinitely.

Fixed an issue where changes made to account settings were not being inherited in release windows.

To support customers who sign with GPG keyrings, DigiCert​​®​​ Software Trust Manager (STM) now supports importing GPG secrings into a STM account. This lets you continue signing with assets that are known to your customers and partners. The new workflows capture all signatures to the DigiCert​​®​​ Software Trust Manager log for improved signing visibility, and supports export functionality for customers with multi-person approval structures.

Private key export was limited to only restricted access keys stored in disk. This fix enables all secure disk stored keys to be exported via the export workflow.

We have included a UI spinner to show activity when the user makes a request to export logs, a process which can take some time depending on the size of the log.

Includes more stringent validation of changes to customers' account settings made via the API.

CertCentral introduced support for instant issuance of public trust code signing certificates, CS and EV CS, in late 2022. DigiCert​​®​​ Software Trust Manager integration now supports auto-issuance of public trust code signing certs. This applies only to organizations which are pre-approved in your CertCentral account when CertCentral is enabled to bypass manual approval, or when the request is made by a verified CertCentral organization contact.

Set up preapproval in CertCentral advanced settings so you can auto-issue public trust code signing certificates via DigiCert​​®​​ Software Trust Manager.

DigiCert​​®​​ Software Trust Manager PKCS11 library is now optimized to support integrating with Espressif tool suite to support Secure Boot (v2) process on the ESP32.

This means customers can create, sign with and manage signing keys stored in DigiCert​​®​​ Software Trust Manager to ensure the organization's second stage bootloader and binary are both signed and can be verified as trustworthy before being installed on the device.

The STM command-line interface (CLI) tool can now write sign commands for Authenticode files types using the osslcodesign signing tool. This will help customers who wish to simplify the signing process for Authenticode files and capture metadata relating to signatures on Linux and Mac OS.

The default signing tool for Authenticode file signing using the STM CLI on Linux is Jsign. To select Osslsign, users will need to provide --tool osslsigncode as part of the signing command.

The STM command-line interface (CLI) tool now allows customers to request and approve offline release windows for keys which are part of an STM Team which is enforcing multi-person approval. Multi-person approval of offline release windows was released for APIs and UI in December, and we are bringing parity to the CLI in this month's release.

The STM user interface will see many minor enhancements related to the latest and greatest DigiCert ONE UI common component library. This will make the user experience more consistent and provide easier access to common tasks on list pages such as modifying, deleting, and revoking resources such as keys, certs, teams, releases, and profiles.

The DigiCert​​®​​ Software Trust Manager API documentation team introduces a revamped version of STM Swagger for APIs to provide more context and content and support a simpler integration experience. The new Swagger API page is available to view under the Resources section of the STM UI.

Fix UI experience relating to load of audit logs and signature log export page.

Fix Nuget signing issues identified after initial release so as to support Nuget signing in full via Click-to-sign client.

Minor content changes relating to client tools repository module in the UI.

Minor content changes relating to online documentation.

CertCentral introduced support for instant issuance of public trust code signing certificates, CS and EV CS, in late 2022 which caused some certificate imports to fail via the DigiCert​​®​​ Software Trust Manager integration. DigiCert​​®​​ Software Trust Manager has now introduced support for all CertCentral issuance workflows regardless of whether CertCentral administrator approval is required. All issued certificates which were not imported will be imported as a result of this fix to resolve any remaining customer issues.