Software Trust Manager

2023 releases

December 19, 2023

DigiCert® ONE version: 1.6573.3 | Software Trust Manager: 1.700.0

New

Threat Detection Video

Software Trust Manager will make video content about Threat Detection available in our UI so customers can learn more about the benefits of using Threat Detection to secure software supply chains.

Enhancements

Display signature count for download archive logs

We have corrected the signature count related to archive logs to align with total signatures for the account. Previously, filters applied in the UI impacted the signature count value. Going forward, this will no longer be the case.

December 13, 2023

DigiCert® ONE version: 1.6573.2 | Software Trust Manager: 1.698.0

New

Threat Detection Advice

With this release, Software Trust Manager makes our content on the benefits of undertaking Threat Detection on software ahead of signing available to all customers.

If you are not presently licensing the Threat Detection feature, you will be given access to a tab where we explain the benefits of this feature. If you want to learn more or sign up for a free trial, you can express your interest. To learn more about this feature, see Threat detection.

Enhancements

Signature Log performance optimization

In this release, we optimized the signature log user interface (UI) pages, resulting in a much-improved load time for signature logs in the Software Trust Manager UI.

The load time of recent logs has been an issue for those with large log volumes. These larger volumes caused the request to the service to time out. The request has been optimized in this release, and the timeout will no longer happen. Further changes are planned to optimize other parts of the signature logs workflow, which will go live in future releases to continue improving this experience.

November 29, 2023

DigiCert® ONE version: 1.6392.5 | Software Trust Manager: 1.694.0

New

Enhanced options for keypair generation and storage

DigiCert® CA Manager now offers you the ability to generate and store your private keys for code signing certificates in DigiCert's shared key storage services, as well as in your dedicated key storage services that are integrated with your Software Trust Manager account. In CA Manager, you can enable multiple active key storage services, such as DigiCert's hosted HSMs and your cloud-based HSM service "Data Protection on Demand" (DPoD) from Thales. Software Trust Manager has enhanced the keypair generation workflow to enable you to choose where to generate new keys based on your use case in Software Trust Manager and in SMCTL, our command-line interface. You can access and sign with your keys regardless of whether your keys are stored in DigiCert's shared key storage services or in your dedicated key storage services, or HSMs.

Enhancements

Project error messages

We have improved our error messages for the Software Trust Manager Projects feature. Previously, these error messages referenced resource IDs. We will now display resource aliases instead so that our users can identify the resource more easily.

Release error messages

We have improved our error messages for the Software Trust Manager Release feature. Previously, these error messages referenced keypair IDs. We will now display keypair aliases instead so that our users can identify the keypair more easily.

Fixes

Contract term bug in Dashboard

We identified an issue with the end date shown in the contract term drop-down menu in the Software Trust Manager Dashboard. The end date displayed was always the original end date of the contract term, and did not account for contract terms that were extended before the contract expired. The end date for contract terms now takes contract extensions into account and displays correctly.

November 15, 2023

DigiCert® ONE version: 1.6392.4 | Software Trust Manager: 1.688.0

Enhancements

Exploitability of CVEs

We have added an Exploitability field to the FOSSA threat detection scan details page. The Exploitability field provides information about the likelihood that a given vulnerability will be exploited. This field helps users, administrators, and security professionals assess the urgency and priority of addressing Common Vulnerabilities and Exposures (CVE).

Fixes

Release compatibility

On November 2, 2023, we enhanced the release workflow. This change caused backward compatibility issues with older versions of Signing Manager Controller (SMCTL). We have fixed the backward compatibility issue in this release. Older versions of SMCTL now work with the new release workflow enhancements.

November 8, 2023

DigiCert® ONE version: 1.6392.3 | Software Trust Manager: 1.687.0

Enhancements

Download FOSSA reports

We enhanced our threat detection integration with FOSSA. This enhancement allows you to download licensing, SBOM, and vulnerability reports after completing a threat detection scan with FOSSA. In addition, you can customize the report format and the metadata included in the report.

Fixes

Failure to delete threat detection scans

When attempting to delete a threat detection scan, the following error messages were returned: "Scan not found for given identifier ID - <Scan ID>." and "Translation is missing." We have resolved this issue and you should now be able to successfully delete scans in Software Trust Manager.

November 2, 2023

DigiCert® ONE version: 1.6392.2 | Software Trust Manager: 1.682.0

Enhancements

Scan then sign

Our new release feature allows you to set the purpose of your release. You can continue to use releases just to sign, or you can use our new workflow to use releases to perform threat detection scans, or to scan your software and, if no threats are detected, allow your software to be signed as part of the release. You can set your preference in account settings.

Deployment risk levels

Our threat detection feature integrates with ReversingLabs to identify CVEs and deployment risks in your software. Initially, all P0 deployment risk scans would fail, but we've introduced a new enhancement that empowers you to select the P0 level in account settings which determines when the scan should fail. This way, you can focus on the highest deployment risks, enabling you to progressively refine your software while avoiding an overwhelming number of results with varying criticalities.

Threat detection scan version

We have added a Version column to the list of threat detection scans in Software Trust Manager, to make it easier for you to identify which version of the software was scanned.

Fixes

Rename DAST to SBA

ReversingLabs scans were initially listed in the Software Trust Manager Scan type field as DAST (Dynamic Application Security Testing). After a thorough investigation, we have renamed this scan type to SBA (Static Binary Analysis). SBA, also known as binary analysis or binary code analysis, more clearly describes that this scan type concentrates on analyzing the compiled binary code of an application or system without executing it. It aims to uncover vulnerabilities in the code itself, rather than its runtime behavior.

Licensing calculations clarification

We corrected the calculation in the Software Trust Manager dashboard for Production signature units and HSM keypair units. Initially, this calculation was based on the contract term selected within the dashboard. This has been corrected to show that the signature units calculation is based on the contract term you have selected, whereas the HSM keypair units calculation is based on your account lifespan because these units do not expire.

Test keypair generation

We identified a bug in the test keypair generation workflow. When creating a test keypair, the workflow allowed users to select online or offline as a keypair status. We have corrected this workflow to restrict test keypairs to an online status only.

November 1, 2023

New

Two-factor authentication (2FA) requirement

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.

Note

If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.

October 25, 2023

DigiCert® ONE version: 1.6201.5 | Software Trust Manager: 1.675.0

Enhancements

Desync all certificates associated with a keypair

The SMCTL desync command previously only desynced the expired and revoked certificates associated with a keypair from the local Windows store. We have improved the functionality of this command to allow you to additionally specify invalid or all as a parameter in the Windows desync command so that all certificates associated with the keypair are desynced.

Simplified verify command

The SMCTL verify signature command previously provided a lengthy output that made it difficult to identify whether the verification of the signature was a success or failure. We have introduced a new parameter called --quiet that can be added to the verify signature command to limit the output of the command to one sentence confirming whether the verification of the signature is a success or failure.

Fixes

ReversingLabs configuration files

ReversingLabs periodically updates its configuration files to improve the quality of scan responses and add new policies. DigiCert® Software Trust Manager now relies on the latest available version of the ReversingLabs configuration file to improve accuracy and consistency between DigiCert® Software Trust Manager and the ReversingLabs portal.

September 27, 2023

DigiCert® ONE version: 1.6074.8 | Software Trust Manager: 1.660.0

New

SBOM generation in SPDX format

With this release, DigiCert® Software Trust Manager Threat Detection customers now have the option to choose generation of SBOMs in SPDX or CycloneDX formats. SBOM format choice is now something users can select from the CLI (SMCTL). To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

Threat Detection report generation

Software Trust Manager Threat Detection customers can now make choices on what reports to generate when requesting a scan on the CLI (SMCTL). Until this point all reports were generated by default. Now you can choose which reports to generate and those reports that will be pushed up to the Scan results in the Software Trust Manager UI. To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

Enhancements

Support non-zero response for Threat Detection Scan response in the CLI (SMCTL)

To better support threat detection software assurance CI/CD workflows, we have introduced support for a non-zero response flag when customers make a threat detection scan in our CLI (SMCTL). By including this new flag in the CLI request, any scans which fail will force the CI/CD pipeline to fail and exit so that customers can block any further activities they planned to do if the scan was a success. To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

Fixes

UI fixes for Software Project

After release, a few UI enhancements were identified to make the Software Projects workflows consistent with the rest of Software Trust Manager. Changes included UI content alignment, changes to button position and function, as well as the ability to pause projects and change the project alias.

User mapping to GPG Keys

There was a bug with respect to default user mapping at the time of GPG keypair generation. It is now resolved.

September 13, 2023

DigiCert® ONE version: 1.6074.4 | Software Trust Manager: 1.661.0

Fixes

Changes to feature flags affected unrelated settings

When system users enabled Software Trust Manager feature flags in DigiCert® Account Manager, unrelated settings appeared to be affected in Software Trust Manager account settings. This has been fixed. When system users update Software Trust Manager related feature flags in DigiCert® Account Manager, only the specified flag gets updated while unrelated existing flags remain unaffected.

September 6, 2023

DigiCert® ONE version: 1.6074.1 | Software Trust Manager: 1.658.0

New

FOSSA integration for Threat detection

Software Trust Manager has partnered with FOSSA, a Software Composition Analysis (SCA) tool, to extend our Threat detection ability to scan your source code repository via role-based access control (RBAC) from Signing Manager Controller (SMCTL). This feature allows all scan results to be shared to your Software Trust Manager cloud account and includes controls and analytics to help you use Software Trust Manager to secure your software supply chain.

Oracle Cloud Infrastructure (OCI) script integration with PKCS11

Integrate Software Trust Manager with Oracle Cloud Infrastructure (OCI) using our new script integration and our PKCS11 library for secure cryptographic operations and signing within your CI/CD pipeline.

Fixes

Removed critical flag for GPG to support strict requirements from RPM sign

On Fedora 36 and above, the requirement to import GPG keys into the RPM repository became more strict, which caused the key import function to fail if there were critical flags. We have removed the GPG logic for critical flags on key flags and primary user ID. This change resolved the issue with importing RPM keys.

August 30, 2023

DigiCert® ONE version: 1.5874.12 | Software Trust Manager: 1.656.0

Fixes

Remove expired users from Team workflows

Expired users were inappropriately showing as Approvers for any Teams-related action. Also, when Teams were enabled, expired users were shown in a list of users with sign permission when creating or editing a release. Expired users have now been removed from these workflows.

UI bug not displaying customers' CertCentral integration

We recently made changes to consolidate our integrations based on the connector model. In doing so, we introduced a UI bug which meant some customers could not see their CertCentral integration on the connectors list page. This has been fixed, and all customers can now view CertCentral integration on the connectors page.

August 25, 2023

DigiCert® ONE version: 1.5874.9 | Software Trust Manager: 1.653.0

Fixes

Failed to list CertCentral connectors API

CertCentral connector failed to load when CertCentral integration was only enabled in Software Trust Manager account settings and not in Account Manager. This has been fixed. CertCentral connector now loads correctly when CertCentral integration is enabled in Software Trust Manager account settings and/or in Account Manager.

August 23, 2023

DigiCert® ONE version: 1.5874.8 | Software Trust Manager: 1.652.0

New

Use Connectors to integrate with CertCentral and Threat detection services

Software Trust Manager's new Connectors feature provides you and your teams with a new space to manage your integrations. You can integrate your Software Trust Manager account with CertCentral global or Europe to order and manage publicly trusted certificates. You can also integrate with ReversingLabs to enable Threat detection on your account.

Enhancements

Projects feature is backward compatible to MariaDB 10.3.x

Last week Software Trust Manager released a new feature called Projects. However, the feature was inaccessible to users relying on MariaDB version 10.3.x. The Projects feature is now backward compatible to MariaDB 10.3.x.

Fixes

Certificate profiles for team not loading

When Allow team mapping for keypairs and certificates profiles is enabled for teams in Software Trust Manager Account settings, the team's certificate profiles did not populate in the certificate profile list during certificate generation for an existing keypair. This has been fixed. If Allow team mapping for keypairs and certificates profiles is enabled for teams, and you generate a new keypair with a default certificate, you will be able to select a certificate profile associated with your team from the drop-down menu.

August 16, 2023

DigiCert® ONE version: 1.5874.6 | Software Trust Manager: 1.648.0

Enhancements

Support plans

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

  • Standard support (free)

  • Business support (mid-level)

  • Premium support (highest-level)

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

  • Platinum support plans are upgraded to Premium support for the duration of the contract.

  • Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.

  • Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.

August 15, 2023

DigiCert® ONE version: 1.5874.5 | Software Trust Manager: 1.648.0

New

Organize your software with Projects

Software Trust Manager's new feature Projects provides you and your teams with a structured and collaborative environment to manage threat detection scans and releases for a specific software development project. Create a project to store all your related software scans and releases for different versions of the same software. You can refer to each software project by a descriptive name and an alias to allow for easy reference in SMCTL commands.

Fixes

Failure to generate certificate and refresh dynamic keypair

When the Address 2 field for the organization's address was "NULL" in DigiCert® Account Manager, certificate generation and dynamic keypair refresh failed. This issue has been fixed and should allow you to generate a certificate and refresh your dynamic keypair regardless of whether the optional Address 2 field has been completed or not.

June 28, 2023

DigiCert® ONE version: 1.5428.8 | Software Trust Manager: 1.633.0

New

Code signing with Jenkins plugin

Code signing with the Jenkins plugin is a streamlined keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux with standard keypairs. This plugin accelerates the installation and configuration of clients and signature tools to help developers become signing-ready for Jenkins pipeline.

GPG signing with Jenkins plugin

GPG signing with the Jenkins plugin is a streamlined keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux with GPG keys. This plugin accelerates the installation and configuration of clients and signature tools to help developers become signing-ready for Jenkins pipeline.

Fixes

Offline release approval issue resolved

Users with the "Approve release window" permission were redirected to "Page not found" when attempting to approve an offline release. Users that have the "Approve release window" permission assigned are now able to access the approve release page when attempting to approve an offline release.

Redirect to dashboard issue resolved

When a user with insufficient permissions attempted to access a page, they were redirected to the dashboard. This issue has been resolved and users are shown "Page not found" when attempting to access a page with insufficient permissions.

No data provided issue resolved

When your data was previously filtered using a filter that no longer exists, no results were displayed. When you view your list pages now, any archived filters that were applied will be removed, and you can select to filter your data by existing filters.

June 21, 2023

DigiCert® ONE version: 1.5428.7 | Software Trust Manager: 1.630.0

New

Filter by deployment risk and common vulnerability priority

Added capability to filter by dropdown selections of Severity and Status filters in threat detection results so customers can limit view to priority risks.

Enhancements

Remove license page in Software Trust Manager account settings

Deprecating the license page in account settings as we better cater for this in the dashboard, as well as providing overall consumption rates in the customer's account section of DigiCert ONE.

Fixes

Resolve issues with keypair list page filters

Fixed an issue where, once you applied filters related to keypairs on the keypairs list page, then visited another page and came back to the keypair list page, the filter was persisted but the results were not filtered correctly. We have resolved this now for all keypair algorithm types.

Customer CertCentral certificate field issue

Custom CertCentral fields were not showing up in Generate Certificate page for existing keypairs. We are now delivering parity for new and existing keypairs when generating a new certificate in this release.

June 14, 2023

DigiCert® ONE version: 1.5428.5 | Software Trust Manager: 1.623.0

Enhancements

Threat detection sorting

Previously, deployment risks and common vulnerabilities and exposures (CVE) were sorted by ID number rather than priority in the threat detection results pages. Now, both deployment risks and CVE data will be sorted in descending order to show critical risks and vulnerabilities first.

For example, a severity 9 CVE will be higher on the page than a severity 7 CVE and a P0 deployment risk will be higher than a P1, etc.

June 8, 2023

DigiCert® ONE version: 1.5428.2 | Software Trust Manager: 1.617.0

New

New dashboard, better insights

Software Trust Manager released a new and improved dashboard that allows you to filter your data by your contract term, team, or a specific user. You can use this feature to get an overview of:

  • Actions awaiting your approval in the account.

  • News section which alerts you to release notes, new product features, bug fixes, enhancements, and industry changes that may affect you.

  • Most and least used resources.

  • Consumption recommendations to ensure that you do not exceed your licensed units, which are specific to your contracted service term end date.

  • Filters for service term, teams and users.

Enhancements

Software Scanner becomes Threat Detection

Software Trust Manager released some enhancements relating to the Threat detection feature following our integration with ReversingLabs. We now support a new and expanded JSON schema that permits more information to be provided based on the data retrieved following the binary decomposition analysis. We also added a new logo in the UI and changed the name from Software Scanner to Threat Detection. Further, we give credit to National Vulnerability Database (NVD) relating to the Common vulnerabilities and exposures (CVE) details.

Fixes

Permission issue relating to revoke

If a user had Certificate Revoke permission but not Certificate Profile permission, certificate revoke was not possible. This is now resolved.

Compare releases bug

The release dropdown list was blank when selecting releases to compare, which is now resolved.

May 31, 2023

DigiCert® ONE version: 1.5118.11 | Software Trust Manager: 1.604.0

Fixes

Account scope users see correct values on dashboard

For Account scope users, the dashboard now shows an accurate count for keypairs and certificates.

Client tools repo for System users displays KeyLocker client tools

The client tools repo for System users showed KeyLocker client tools in addition to STM client tools. Only the appropriate client tools are now visible.

May 30, 2023

DigiCert® version: 1.5118.10 | Software Trust Manager: 1.602.0

New

Support for CertCentral custom field with dropdown

CertCentral recently introduced a custom field for certificate orders that lets users choose a dropdown option. Software Trust Manager will now also support dropdowns for custom fields in our UI for parity purposes.

Enhancements

Optimize error logs

We are updating Software Trust Manager’s server-side log validation errors to capture validation errors, record more comprehensive logs, remove duplicate logging, and classify logs correctly.

Known issues

Azure plugin update to fix tool download error

Published 1.7.0 Azure DevOps extension to fix the broken client tools download link (tested with test extension version 1.5.0).

May 10, 2023

DigiCert® version: 1.5118.3 | Software Trust Manager: 1.586.0

Fixes

GPG key service user mappings

Fixed an issue where service users were not being mapped to GPG keys correctly. This is now corrected and service users can sign and manage GPG keys as per the service design.

April 26, 2023

DigiCert® version: 1.4957.4 | Software Trust Manager: 1.584.0

Fix

SMCTL Windows certsync and desync commands

Fixed issues with SMCTL Windows commands certsync and desync. These should now perform normally.

April 19, 2023

DigiCert® version: 1.4957.3 | Software Trust Manager: 1.582.0

New

SMCTL integration for Apple notarization

Software Trust Manager command-line interface (SMCTL) has enabled users to incorporate notarization workflows for Apple apps and binaries. Developers can not only sign their Apple files but also get them notarized and staple the results to the binary to give end users confidence around the quality of the software being installed on their Apple devices.

Enhancements

Debugging support for click-to-sign client

Click-to-sign client now lets customers enable DEBUG logging to help identify configuration and setup errors detected when using the client.

GPG subkey selection at time of signing

Allows users to specify a GPG subkey for signing so that users can opt to use an older subkey.

Platform logging enhancements for better troubleshooting support

Software Trust Manager has introduced MDC (Mapped Diagnostic Context) approach to enrich server-side log messages. These messages provide information to better track service execution.

Fixes

SMCTL support user assignment at time of key generation

Fixed an issue that was not assigning the creator of a new keypair as the default user.

Server-side logs

We identified some missing server-side log scenarios relating to some events. We are now capturing create and modify for GPG master and subkeys, update Account Settings, and client tools download.

Incorrect error message for access denied during signing

Implemented a fix to alert users who do not have access to a key and try to sign with it. Such users now see a proper error message.

April 5, 2023

DigiCert® version: 1.xxxx.x | Software Trust Manager: 1.xxx.x

Enhancements

Debugging support for click-to-sign client

Click-to-sign client now lets customers enable DEBUG logging to help identify configuration and setup errors detected when using the client.

GPG subkey selection at time of signing

Allow users to specify a GPG subkey for signing so that users can opt to use a subkey which is not the most recently generated key in the GPG keyring.

Fixes

SMCTL support user assignment at time of key generation

Fixed an issue that was not assigning the creator of a new keypair as the default user.

Server-side logs

We identified some missing server-side log scenarios relating to some events. We are now capturing create and modify for GPG master and subkeys, update Account Settings, and client tools download.

Incorrect error message for access denied during signing

Implemented a fix to alert users who do not have access to a key and try to sign with it. Such users now see a proper error message.

March 9, 2023

DigiCert® version: 1.4803.0 | Software Trust Manager: 1.572.0

New

Support for CLI (SMCTL) signing workflows for Apple

Signing Apple binaries with Apple certificates can be complicated. We simplified the process by extending the scope of the STM CLI (SMCTL) to identify Apple binary types and build signing commands for Apple's codesign and productsign tools, so the user only has to identify the keypair they wish to use and where the binaries reside.

Support for ECDSA p192 keys

Legacy connected devices are often constrained by key algorithm as well as keysize/curve and do not have the ability to support newer or more robust keys. Software Trust Manager is adding support for ECDSA keypairs with p192 curve to support customers with legacy product lines constrained to this key type. The generation and import of these keys is limited to STM disk storage. Signing is supported in conjunction with the STM PKCS11 library and optimized for OpenSSL and PKCS 11 tool signing tools.

Fixes

Default certificate bug

Fixed a bug where for some keypairs, the default certificate checkbox was enabled and for some it was disabled. All keypairs can now have default certificate set if required.

Account settings content correction with trial accounts

Fixed an error in the account settings content relative to trial account being enabled.

Apple error for SMCTL environment when connecting via SSH

Fixed an error for customers who connect remotely via SSH who were not able to see their environment variables from the STM CLI (SMCTL).

Known issues

Consistency relating to keypair import workflows

Keytool import was importing the key as online by default, which conflicted with how the STM CLI (SMCTL) performs keypair import. Now all keypair import operations will set the key as offline for users to bring online afterwards if they choose.

Access policy APIs end of life

Software Trust Manager launched the Teams feature in 2022. This feature enables the management of users, keys, and profiles by grouping these resources under a team. It also introduces multi-person approval workflows and signing limits to account admins—all local and specific to each team of users. With the Teams feature fully established, we will sunset the older APIs which supported profiles to user mappings and instead invite customers to use the Teams APIs to map profiles to users instead.

February 9, 2023

New

Rebrand of Click-to-Sign client

Rebranding our click-to-sign client with the product name Software Trust Manager. This is a cosmetic change of logos and branding and does not introduce any breaking changes.

Rebrand CI/CD plugins

Rebranding our Azure DevOps and GitHub custom action plugins to the product name Software Trust Manager. This is a cosmetic change of logos and branding and does not introduce any breaking changes.

Fixes

Multiple fixes relating to GPG keypair workflows

Fixed bugs relating to GPG keypairs which were identified post-release.

Click-to-Sign client stability

Fixed a bug which caused the click-to-sign client to crash.

February 8, 2023

New

Integration with Thales DPOD for key storage at account level

Software Trust Manager now supports hosted account customers to have a dedicated account integration for secure key generation in a Thales DPOD service. Our workflows support key generation and support signing with keys hosted on the Thales DPOD service, which meets the minimum requirements for public trust code signing private key storage. Customers benefit from the dedicated storage provided by Thales, which means the customer will always retain the keys.

Software Trust Manager rebranding

We are rebranding the product from Secure Software Manager to Software Trust Manager. The new name aligns with the vision for the product as we grow the capabilities to deliver a broader range of software trust features which help customers secure their software supply chain at a time when ensuring digital trust is now one of the most pressing issues for the modern enterprise.

Enhancements

GPG keypair signing controls in release workflows

Users can now sign and modify GPG keypairs from the CLI, bringing parity to keypair activities which are already in place for standard keys on the CLI.

GPG keypair management with CLI

Users can now create and modify GPG Keypairs from the CLI, bringing parity to keypair activities which are already in place for standard keys on the CLI.

Adjust auto-renewal of private certificates to within 6 hours of expiry

The certificate auto-renewal process was happening too far away from the certificate expiry date. We fixed this by checking for certificate expiry every 4 hours and replacing certs which are enabled for auto-renewal when less than 6 hours of the cert's validity remain.

Fixes

Certificate auto-renewal process creating multiple certificates and long alias

The certificate auto-renewal process was causing duplication of renewed certs and was also causing the alias of the certificate to become exponentially long. We fixed the duplication issue and made adjustments to how we rename legacy certificates so the alias does not grow exponentially each time the cert expires.

Support for certificate import when teams feature is enabled

The introduction of the teams feature caused an unexpected issue when trying to import a certificate while the teams feature was enabled. Users can now import certs whether the teams feature is enabled or disabled.

Signature or signatures to release mapping issues resolved

Users who are not part of a release should not have their signatures count towards the release signature limit, and a user who is not part of a release should not be able to sign with a key that is in offline status. This applies to both standard keys and GPG keys.

January 18, 2023

Fixes

Status spinner hangs in account settings

Fixed an issue where uncaught exceptions in the account settings UI caused the status spinner to spin indefinitely.

Issue with release window controls

Fixed an issue where changes made to account settings were not being inherited in release windows.

January 17, 2023

New

GPG Keypair workflows enhancements

To support customers who sign with GPG keyrings, DigiCert® Software Trust Manager (STM) now supports importing GPG secrings into an STM account. This lets you continue signing with assets that are known to your customers and partners. The new workflows capture all signatures to the DigiCert® Software Trust Manager log for improved signing visibility, and support export functionality for customers with multi-person approval structures.

Fixes

Enable private key export for open access keypairs

Private key export was limited to restricted access keys stored on disk. This fix enables all keys stored on secure disk to be exported via the export workflow.

Improve user experience for log export

We have included a UI spinner to show activity when the user makes a request to export logs, a process which can take some time depending on the size of the log.

Known issues

Validation of changes for account settings API

Includes more stringent validation of changes to customers' account settings made via the API.

January 11, 2023

New

Support for instant issuance for public trust code signing certificates from CertCentral

CertCentral introduced support for instant issuance of public trust code signing certificates, CS and EV CS, in late 2022. DigiCert® Software Trust Manager integration now supports auto-issuance of public trust code signing certs. This applies only to organizations which are pre-approved in your CertCentral account when CertCentral is enabled to bypass manual approval, or when the request is made by a verified CertCentral organization contact.

Set up preapproval in CertCentral advanced settings so you can auto-issue public trust code signing certificates via DigiCert® Software Trust Manager.

Integration with Espressif for Secure Boot signing with keys stored in Software Trust Manager

The DigiCert® Software Trust Manager PKCS11 library is now optimized to integrate with the Espressif tool suite to support the Secure Boot (v2) process on the ESP32.

This means customers can create, sign with, and manage signing keys stored in DigiCert® Software Trust Manager to ensure the organization's second stage bootloader and binary are both signed and can be verified as trustworthy before being installed on the device.

Software Trust Manager CLI (SMCTL) optimized to support OsslSign on Linux and Mac

The STM command-line interface (CLI) tool can now write sign commands for Authenticode file types using the osslsigncode signing tool. This will help customers who wish to simplify the signing process for Authenticode files and capture metadata relating to signatures on Linux and Mac OS.

The default signing tool for Authenticode file signing using the STM CLI on Linux is Jsign. To select Osslsign, users will need to provide --tool osslsigncode as part of the signing command.

Enhancements

Software Trust Manager CLI (SMCTL) support for teams multi-person approval for offline release windows

The STM command-line interface (CLI) tool now allows customers to request and approve offline release windows for keys which are part of an STM Team which is enforcing multi-person approval. Multi-person approval of offline release windows was released for APIs and UI in December, and we are bringing parity to the CLI in this month's release.

Upgrade of UI to align with most recent platform common components library release

The STM user interface will see many minor enhancements related to the latest and greatest DigiCert ONE UI common component library. This will make the user experience more consistent and provide easier access to common tasks on list pages such as modifying, deleting, and revoking resources such as keys, certs, teams, releases, and profiles.

API documentation on STM portal

The DigiCert® Software Trust Manager API documentation team introduces a revamped version of STM Swagger for APIs to provide more context and content and support a simpler integration experience. The new Swagger API page is available to view under the Resources section of the STM UI.

Fixes

UI spinner fix for audit and signature log export

Fixed the UI experience relating to the loading of audit logs and the signature log export page.

Bug fixes for Click-to-sign client

Fixed NuGet signing issues identified after the initial release so as to support NuGet signing in full via the Click-to-sign client.

Minor content changes relating to client tools repository module in the UI.

Minor content changes relating to online documentation.

Known issues

Failed import of public trust code signing certificates from CertCentral

CertCentral introduced support for instant issuance of public trust code signing certificates, CS and EV CS, in late 2022, which caused some certificate imports to fail via the DigiCert® Software Trust Manager integration. DigiCert® Software Trust Manager has now introduced support for all CertCentral issuance workflows regardless of whether CertCentral administrator approval is required. All issued certificates which were not imported will be imported as a result of this fix to resolve any remaining customer issues.