Software Trust Manager

We have introduced support for RSAPSS with SHA-256 for HSM signing.

With this enhanced cryptographic signature scheme, users will benefit from stronger security and improved protection against signature forgery.

Note: Software Trust Manager supports NoneWithRSAPSS on Disk, but not on HSM.

We resolved an issue where users who attempted to extend an expired GPG keypair would receive an error message (“GPG Keypair is in status EXPIRED and cannot be updated”).

This issue has been resolved, ensuring the correct workflow to extended expired GPG keypairs.

As part of a larger effort to update the rekey workflow, in this release, we are introducing automated workflows for GPG keypair expiry management.

To enhance security and efficiency in key manager, this update includes:

To learn more, see GPG keys.

The updated SMCTL supports the creation and editing of GPG keypairs with expiry flags.

The following new fields have been added:

We resolved an issue relating to updating GPG keypairs via SMCTL. While there was no issue when updating via DigiCert ONE, in SMCTL users would receive a 400 error.

This issue has been resolved, ensuring the correct workflow to update a GPG keypair via SMCTL.

We have implemented a new integration method for DigiCert single login users. This method will automatically pull your CertCentral API key, provided that your CertCentral account is already linked to your single login account. This method is easier than existing methods that require you to provide your username and password or API key for your CertCentral account.

We resolved an issue affecting users with multiple accounts.

Previously, if a user was on the Keypair list page, then switched accounts, and then selected the Create keypair button, the user would receive an error message.

This issue has been fixed, ensuring the accurate workflow to create a keypair when switching accounts.

We resolved an issue affecting users with multiple accounts.

Previously, if a user was on the Account settings page, and then switched accounts, the page would display a fixed set of settings, which would throw an error if a user attempted to edit the page.

This issue has been fixed, ensuring the accurate workflow to view and edit data when switching accounts.

We resolved an issue relating to creating a release for threat detection purposes.

Previously, if a user was creating a release and teams were disabled, then the Create button would be faded out and unclickable.

This issue has been fixed, ensuring the accurate workflow to create a release, despite having teams disabled.

We have identified and corrected an issue affecting keypair generation via DigiCert ONE when teams are disabled and a user has the Create keypair permission, but not the Manage keypair permission. Previously, keypairs created in this scenario were automatically restricted to the user who created them.

With this update, keypairs generated under these conditions will now be categorized as Open, making them accessible to all users within the account. To restrict access, users can utilize the --restricted flag during keypair creation.

We have identified and corrected an issue affecting keypair access via DigiCert ONE.

Previously, when creating a keypair, if a user selected a team first, followed by selecting Open access, then the keypair would be restricted to the team.

This issue has been fixed, ensuring the accurate workflow to create an open keypair.

We have identified and corrected an issue affecting keypair creation via DigiCert ONE.

Previously, if a user enabled Teams and Keypair profiles, then created a keypair using the keypair profile, and then selected Open access, the Team dropdown would still display, but the Create keypair button would be disabled, forcing the user to create a restricted keypair.

This issue has been fixed, ensuring the accurate workflow to create open keypairs.

We have identified and corrected an issue relating to the description of restricted keypairs.

Previously, there were discrepancies in the information displayed relating to teams, users, and user groups in the Keypairs detailed page, specifically the Access section. In this section, users and user groups (which were mapped from disabled teams) were inaccurately displayed in the Keypairs detailed page.

With this update, only the team associated with the keypair will display in the Keypair detailed page.

We enhanced our delete keypair workflow. This enhancement enables you to delete keypairs from the keypair details page, in addition to the keypair list page.

We enhanced our keypair profile and create keypair workflows to allow for the selection of an alternative quantum-safe algorithm, Secure Lightweight Hash-based Digital Signature Algorithm (SLHDSA). SLHDSA is an innovative approach to cryptographic security, designed to offer robust protection with minimal computational overhead. It leverages lightweight hash-based techniques to ensure security while optimizing performance, making it ideal for resource-constrained environments. With SLHDSA, you can achieve efficient and secure digital signatures that are resistant to both classical and quantum attacks.

We resolved an issue where keypair actions for deleted standard and GPG keypairs were still accessible to users. Previously, various keypair actions remained visible and clickable for deleted keys, leading to backend errors. With this release, keypair-related actions are removed for deleted GPG and standard keypairs.

We fixed an issue where the GPG smart card daemon (SCD) showed version 1.3 in Software Trust Manager, but users were downloading version 1.4. The Client tool repository now correctly displays version 1.4.

We have enhanced the team management functionality to allow users to see and modify how projects are associated with teams. Teams can now be mapped to one or multiple projects, provided the projects have a status of In progress or Paused. You can change project-team associations via Software Trust Manager or the API via Create and Edit team workflows provided that you have the Manage all teams or Manage my team permission.

We released version 1.50.0 of SMCTL. This version of SMCTL contains enhancements for handling the new team to project management workflows mentioned above.

Users can now download the GPG keyring associated with a subkey that is used for signing and is assigned to their team, even when the master key is not assigned to their team

We identified issue where attempting to download the Software Trust Manager AIX Clients (portable tar.gz) resulted in an error: File wasn't available and Release smtools-aix-ppc64.tar.gz not found. We resolved this issue by releasing version 1.50.0 of Software Trust Manager AIX Clients (portable tar.gz).

Multi-Factor Authentication (MFA) is no longer required to access the GET Teams APIs. This change ensures easier access to these endpoints while maintaining security protocols. The affected endpoints are:

We identified an issue where Disk option was showing undefined while creating a keypair with keypair profile. This issue has been fixed and works as expected.

We identified an issue where users were blocked from changing the keypair storage method when updating keypair profiles. This issue has been fixed and works as expected.

Account users with Manage keypair permission can now delete standard and GPG keypairs stored on HSM devices. Deleting a keypair frees up an HSM slot, allowing you to store a new keypair in its place.

We have released version 1.49.0 of SMCTL. This version of SMCTL contains enhancements for handling special characters in sign commands, but it still does not support all characters. To avoid errors, remove unsupported characters from file paths before attempting to sign:

We fixed an issue where clicking on any page number in the Trust Anchors list page, redirected users backto Page 1. Pagination now works correctly, allowing you to navigate through all pages as expected.

We have fixed an issue where the expiry information for dynamic keypairs was not preserved when these keys were refreshed via API or manually refreshed. Expiry information is now maintained correctly after refreshing dynamic keypairs.

You now have the option to perform ECDSA signatures without ASN1 decoration. From SMCTL version 1.48.0 onward, the smctl sign sign-hash command will support a new flag --non-decorate-signature. Previously, all ECDSA signatures included ASN1 decoration. This enhancement is crucial for supporting COSE signatures in the SCITT framework and other platforms and can be used. This change marks the first step towards fully enabling signatures tailored for SCITT.

We identified a bug that was introduced when keypair expiry was released earlier this year. The bug occurred when a dynamic test keypair was updated, this action resulted in the following error: Expiry type NO_EXPIRY is not allowed for test keypairs. This issue has been resolved.

We added a new feature to allow users with Manage all teams permission to delete any team in the account. When deleting a team, users and any resources such as keypairs, keypair profiles, projects, releases, and threat detection scans associated with the team will be disassociated with the team and become available to assign to an existing team.

We identified an issue where when teams were enabled on the account, users with Manage all teams and Generate keypair permission were able to generate keypairs and assign it to any team in the account. This issue has been resolved and only users with Manage all teams and Manage keypair permission can generate keypairs for any team within the account.

We identified an issue where GPG test key generation was incorrectly throwing an expiry error, preventing the creation of test keypairs. This has been resolved, and test keypairs can now be generated without encountering expiry restrictions.

We identified an issue where users who were assigned to a user group, and then deleted in Account Manager were still displaying in the user group. We have fixed this issue, and the deleted users will no longer be displayed in user groups that they previously belonged to.

We have improved our email notification system. Now, only the users who need to know will receive specific updates about keypairs and certificates. Review the changes below:

Keypair expiry email notifications will be sent to the following recipients:

Certificate expiry email notifications will be sent to the following recipients:

Certificate auto-renewal email notifications will be sent to the following recipients:

Certificate auto-renewal blocked email notifications will be sent to the following recipients:

We identified an issue where users were incorrectly shown the Close release option in Software Trust Manager, which resulted in an error: <User ID> does not have permission to close release. This issue has been fixed:

We fixed an issue where users with the Developer user role, or with Create keypair permission but without Manage keypair permission were directed to a Page not found error after creating a keypair. Now, these users will be correctly returned to the keypair list page.

We have added a fallback mechanism for OCSP requests to ensure that users can import ICA certificates in the Trust anchor tab in Software Trust Manager. Now we will check the certificate status with SHA256 and if it fails, our system will retry using SHA1 to ensure compatibility with OCSP services that still use SHA1. This update helps maintain secure certificate validation and ensures smooth importing of Root and Intermediate certificates.

We identified an issue where users who were assigned to a user group, and then deleted in Account Manager were still displaying in the user group. We have fixed this issue, and the deleted users will no longer be displayed in user groups that they previously belonged to.

On February 7, 2024, we enhanced our keypair creation workflows to support quantum-safe Machine Learning-based Digital Signature Algorithm (MLDSA), however generating a code signing certificate with an MLDSA keypair was not possible. As of this release, MLDSA certificates can now be generated.

We have enabled expiry for standard keypairs to enhance crypto agility and improve security. Standard keypairs can now be set to expire on a specific date, upon certificate expiration, or remain non-expiring as before. Setting expiry dates help maintain security, ensures compliance with industry standards, and preserves trust in your code's integrity. This update provides more flexibility in managing keypair lifecycles.

The initial implementation of the smctl sign command was designed to support signing multiple files from an input folder. At that time, we chose not to make the command fail immediately if signing one of the files failed, anticipating this requirement in future updates. We have now introduced three flags to improve the bulk signing procedure, these flags are: --exit-non-zero-on-fail and --fail-fast.

Previously, team names in drop-down menus were listed in order of creation. As of this release, team names will be listed alphabetically to enhance the user experience.

We resolved an issue affecting users with multiple accounts.

We resolved an issue affecting users with multiple accounts.

We resolved an issue relating to creating a release for threat detection purposes.

We have identified and corrected an issue affecting keypair generation via DigiCert ONE when teams are disabled and a user has the Create keypair permission, but not the Manage keypair permission. Previously, keypairs created in this scenario were automatically restricted to the user who created them.

We fixed an issue where dynamic keypairs were incorrectly expiring after 30 days. Dynamic keypairs are periodically refreshed and should not expire. This issue has now been resolved for all active dynamic keypairs. However, previously expired dynamic keypairs cannot be restored.

We fixed an issue where keypairs not associated with a team were still appearing in the team field when updating key rotations. Now, you will only see and be able to select keypairs that are associated with the team to which the key rotation belongs.

We have identified and corrected an issue affecting keypair access via DigiCert ONE.

We have identified and corrected an issue affecting keypair creation via DigiCert ONE.

We have identified and corrected an issue relating to the description of restricted keypairs.

Previously system users had limited visibility into account information. To better assist the accounts they support, we have extended their permissions to allow them to view:

For simplified resource management and ease of reference, the following user flows have been implemented based on whether teams are enabled or not.

When teams are disabled on the account, users with:

When teams are enabled on the account, users with:

We have updated keypair download format to conform to RFC 7468 standards.

Previous format:

-----BEGIN EC PUBLIC KEY-----
<content>
-----END EC PUBLIC KEY-----

New format:

-----BEGIN PUBLIC KEY-----
<content>
-----END PUBLIC KEY-----

We identified that the PKCS11 library was unintentionally excluded in version 1.46.0 of the Windows Clients Installer. We have rectified this issue without altering the version number. If you've already installed this version, download it again to ensure you have access to all required client tools.

We added a JCE library to our Client tool repository. JCE is part of the Java Development Kit (JDK) that facilitates digital signing of Java Archive (JAR) files and related artifacts. Using JCE for signing is preferred over PKCS11 and KSP library options due to its compatibility with various operating systems (Windows, Linux, macOS, Solaris, and AIX) and Java architectures, including 64-bit, 32-bit, and ARM processors.

Our client tool packages were updated with the latest version of ReversingLabs' scanning tool called rl-deploy to improve accuracy and consistency between Software Trust Manager and ReversingLabs' portal.

In the release creation workflow, we've updated the default setting to display only keypairs with associated certificates, enhancing user experience. Users retain the flexibility to view all keypairs by deselecting the filter box if needed, ensuring seamless navigation. This change aims to streamline selection processes while providing greater clarity and efficiency.

We have rectified an error in the import certificate workflow where the "Certificate alias" field was incorrectly labeled as "Keypair alias"; it now displays accurately. This fix ensures clarity and accuracy in the workflow for all users.

We updated translation files to enhance multilingual support across the platform, excluding Japanese. These updates ensure improved clarity and consistency for users worldwide. We remain committed to delivering a seamless experience for our diverse user base.

We became aware that user's were receiving the following error: "Attempt to create duplicate resource. Please check data provided." when attempting to create or update a user group in Software Trust Manager and the API. We have resolved this issue and users should be able to create and update user groups as expected.

Our client tool packages were updated with version 1.3.0.0 of ReversingLabs' scanning tool called rl-deploy to improve accuracy and consistency between Software Trust Manager and ReversingLabs' portal.

When teams are enabled, and a member of the team generated a keypair via SMCTL, the keypair was generated with open access instead of restricted to the team. This has been corrected and when teams are enabled and a user generates a keypair via SMCTL, the user will be required to provide the Team ID so that the keypair's use is restricted to that specific team.

We identified that the excel report generated after downloading via the Most recent 10,000 signature logs method did not include relevant metadata. We fixed this issue and relevant metadata should show in these reports.

When a user ran the smctl healthcheck command and no signing tools were found in their system, the log files listed the following error message: "Error Tools cannot be null." We updated the error message to: "Unable to detect compatible signing tools." to improve the clarity that the user needs to install third-party signing tools.

When a user runs the smctl windows certsync command without providing environment variables first, the log files listed a long string of information. We updated the error messages to be more concise: "Error occurred while trying to connect to service. No Host provided in request URL."

You may have been notified about an new version of Software Trust Manager client tools; however, if you have already downloaded version 1.44.0 of the Software Trust Manager tools, there is no need to update your client tools to the latest version as the changes made do not affect Software Trust Manager users.

As an ongoing effort, we have improved the scalability and reliability of Software Trust Manager. These updates ensures seamless operations even during peak usage and provides our users with a more efficient and robust user experience.

We have addressed the issue of slow downloading for signature logs via the latest 10,000 option as well as the archived signature logs workflows. This change optimizes the download speed and prevents timeout errors.

Previously when users downloaded an SBOM report, Software Trust Manager showed no indicator that the download was in progress. We have enhanced this workflow by disabling the "Download" button after it is clicked and display a spinner to assure users that the download is in progress. This enhancement also prevents users from unnecessarily clicking the download button multiple time and duplicating the SBOM reports.

Deleted certificates were still listed in Windows certificate store even after running the smctl windows certsync command. We have fixed this issue and deleted certificates should no longer display in the certificate store after running the smctl windows certsync command.

The 32-bit and 64-bit CSP library had an issue preventing users from using SHA1 digest signature algorithm. This has been resolved and users should now be abled to use SHA1 digest signature algorithm via the CSP library. This change was made on the server side and does not require you to upgrade to a newer version of the CSP library.

We have developed a 32-bit version of our PKCS11 library. This version allows users to utilize our PKCS11 tool on 32-bit Windows and Linux systems, enabling them to sign Java applications in a 32-bit environment. This new version is available for download from Software Trust Manager client tool repository.

It is mandatory to select a certificate profile when generating a certificate. Previously, users needed both Generate certificate and View certificate profile permissions to successfully generate a certificate. We have streamlined the workflow by removing the requirement for the View certificate profile permission when generating a certificate. Users can now generate certificates and select certificate profiles if they only have the Generate certificate permission, this change reduces errors for users with custom roles, seeing as it is not intuitive that the 'view certificate profile' permission was required for certificate generation.

Previously, SBOM signing commands only supported keypair IDs. Now, we've expanded support to include keypair aliases as well. Keypair aliases offer users a more intuitive and user-friendly option, making SBOM signing commands easier to remember and use.

Previously, users encountered errors when adding any characters other than letters, numbers, ., _, or - in Release names. This error blocked users from creating a release but did not advise which characters were allowed. In response, we have introduced a tooltip within the Create release workflow, providing users with guidance on the allowed characters and format.

We have resolved an issue where attempting to view keypairs assigned to your team during the Release creation process which resulted in an error. Now, users can seamlessly select keypairs associated with a team without encountering errors. This improvement ensures a smoother experience when creating Releases, with all relevant keypairs readily available for selection.

We identified an issue where users were unable to enable specific key algorithms in Account settings. This problem has been resolved, and the workflow should now function as expected. Users can once again seamlessly choose their preferred key algorithms in the Account settings.

We enhanced our keypair profile workflows to allow for selection of the quantum-safe algorithm, Machine Learning-based Digital Signature Algorithm (MLDSA). MLDSA is a cutting-edge approach to cryptographic security. It utilizes advanced machine learning techniques to continuously adapt and enhance security measures, providing adaptive protection against emerging threats.

We have addressed delays in loading on the archived signature logs page by removing the Total number of signature logs field as well as the Number of records column. Each report consistently contains 10,000 unfiltered signature events. However, the most recent report reflects the delta of events since the last archival, potentially deviating from the standard 10,000 events. This change ensures a smoother user experience while maintaining transparency and accuracy in reporting.

We identified an issue with the smctl windows ksp list command, which resulted in the output only showing the first letter of the storage providers. We have fixed this issue and the command output should display with the full names, as expected.

CertCentral now issues certificates off SHA-384 signature algorithm ICAs. While previously limited to SHA-256, this update enables users to utilize SHA-384 signatures based on their CA and ICA settings within CertCentral. Users can seamlessly leverage this feature to further strengthen their certificate management workflows.

We have identified that system scope keypair profiles that should be shown be visible in all Software Trust Manager accounts, were hidden. We have fixed this issue and should be accessible in all accounts.

During keypair generation, the security level associated with the keypair profile selected was hidden. We have resolved this issue and the security level should display as expected.

We identified an issue preventing the download of Software Trust Manager client tools via the no authentication API endpoint: /signingmanager/api-ui/v1/releases/noauth/{releaseName}/download and CI/CD plugins. We have fixed this issue and users should be able to successfully download our client tools using the endpoint referred to above and Software Trust Manager plugins.

We enhanced our keypair creation workflows to allow for the selection of the quantum-safe algorithms, Machine Learning-based Digital Signature Algorithm (MLDSA). MLDSA is a cutting-edge approach to cryptographic security. It utilizes advanced machine learning techniques to continuously adapt and enhance security measures, providing adaptive protection against emerging threats.

We enhanced our command line interface (CLI), Signing Manager Controller (SMCTL) to support CycloneDX and SPDX SBOM signing and verification using in-toto. SBOM signing enables users to securely sign their SBOMs, providing assurance of their authenticity and integrity throughout the software supply chain. Additionally, SBOM verification ensures that received SBOMs have not been tampered with, enhancing trust and mitigating the risk of supply chain attacks.

Building on existing binary signing workflows, we enhanced our command line interface (CLI), Signing Manager Controller (SMCTL) to support hash signing. Hash signing ensures data integrity by generating unique cryptographic signatures for files, offering an extra layer of security against tampering and unauthorized modifications throughout the software distribution process.

We identified and fixed two issues relating to our Projects feature. Previously, system users encountered difficulties loading the projects page; we have resolved this, and it should now load as expected. Additionally, the "Create project" button was displayed in the UI for users who did not have the required permissions assigned. We have rectified this by removing the button for users who do not have the necessary permissions to perform this action.

We have improved our API for system users. As of this release, it is mandatory for system users to provide an account ID when retrieving signature logs. This change ensures that users can access logs for a specified account rather than receiving data for all accessible accounts. This enhancement allows for more efficient workflow management.

We have enhanced the drop-down menus in existing workflows to include a search functionality to speed up the selection process. The search functionality has been applied to the following workflows:

We made changes to how keypair profiles are organized. Previously, when you created a new keypair profile, it appeared at the bottom of the list, potentially causing inconvenience. Now, to streamline your experience, newly created keypair profiles will automatically populate at the top of the list for easier access and better visibility.

We enhanced input validation for hashes provided at time of signing related to keypairs stored on disk via Software Trust Manager Rest API.

We have enhanced the user interface (UI) pages for archived signature logs in Software Trust Manager, significantly improving their load time.

Previously, users with large log volumes experienced timeouts when accessing archived logs. This release should eliminate timeouts. Additional optimizations are in progress to enhance other aspects of the signature logs workflow to further enhance user experience.