Software Trust Manager
2023 releases
December 19, 2023
DigiCert® ONE version: 1.6573.3 | Software Trust Manager: 1.700.0
New
Threat Detection Video
Software Trust Manager will make video content available in our UI regarding the benefits of undertaking Threat Detection so customers can learn more about the benefits of using Threat Detection to secure software supply-chains.
Enhancements
Display signature count for download archive logs
We have corrected the signature count related to archive logs to align with total signatures for the account. Previously, filters applied in the UI impacted the signature count value. Going forward, this will no longer be the case.
December 13, 2023
DigiCert® ONE version: 1.6573.2 | Software Trust Manager: 1.698.0
New
Threat Detection Advice
Software Trust Manager will now make our content regarding the benefits of undertaking Threat Detection on software available to all customers ahead of signing with this release.
If you are not presently licensing the Threat Detection feature, you will be given access to a tab where we explain the benefits of this feature. If you want to learn more or sign up for a free trial, you can express your interest. To learn more about this feature, see Threat detection.
Enhancements
Signature Log performance optimization
In this release, we optimized the signature log user interface (UI) pages, resulting in a much-improved load time for signature logs in the Software Trust Manager UI.
The load time of recent logs has been an issue for those with large log volumes. These larger volumes caused the request to the service to timeout, which in this release has been optimized and will no longer happen. Further changes are planned to optimize for other parts of the signature logs workflow, which will go live in future releases to continue improving this experience.
November 29, 2023
DigiCert® ONE version: 1.6392.5 | Software Trust Manager: 1.694.0
New
Enhanced options for keypair generation and storage
DigiCert® CA Manager now offers you the ability to generate and store your private keys for code signing certificates in DigiCert's shared key storage services, as well as in your dedicated key storage services that are integrated with your Software Trust Manager account. In CA Manager, you can enable multiple active key storage services, such as DigiCert's hosted HSMs and your cloud-based HSM service "Data Protection on Demand" (DPoD) from Thales. Software Trust Manager has enhanced the keypair generation workflow to enable you to choose where to generate new keys based on your use case in Software Trust Manager and in SMCTL, our command-line interface. You can access and sign with your keys regardless of whether your keys are stored in DigiCert's shared key storage services or in your dedicated key storage services, or HSMs.
Enhancements
Project error messages
We have improved our error messages for the Software Trust Manager Projects feature. Previously these error messages referenced resource IDs, however we will now display resource aliases instead to ensure that the resource is more easily identified by our users.
Release error messages
We have improved our error messages for the Software Trust Manager Release feature. Previously these error messages referenced keypair IDs, however we will now display keypair aliases instead to ensure that the keypair is more easily identified by our users.
Fixes
Contract term bug in Dashboard
We identified an issue with the end date shown in the contract term drop-down menu in the Software Trust Manager Dashboard. The end date displayed was always the original end date of the contract term, and did not account for contract terms that were extended before the contract expired. The end date for contract terms now take contract extensions into account and display correctly.
November 15, 2023
DigiCert® ONE version: 1.6392.4 | Software Trust Manager: 1.688.0
Enhancements
Exploitability of CVEs
We have added an Exploitability field to the FOSSA threat detection scan details page. The Exploitability field provides information about the likelihood that a given vulnerability will be exploited. This field helps users, administrators, and security professionals assess the urgency and priority of addressing Common Vulnerabilities and Exposures (CVE).
Fixes
Release compatibility
On November 2, 2023, we enhanced the release workflow, this change caused backward compatible issues with older versions of Signing Manager Controller (SMCTL). We have fixed the backward compatibility issue in this release. Older versions of SMCTL now works with the new release workflow enhancements.
November 8, 2023
DigiCert® ONE version: 1.6392.3 | Software Trust Manager: 1.687.0
Enhancements
Download FOSSA reports
We enhanced our threat detection integration with FOSSA. This enhancement allows you to download licensing, SBOM, vulnerability reports after completing a threat detection scan with FOSSA. In addition, you to customize the report format and metadata included in the report.
Fixes
Failure to delete threat detection scans
When attempting to delete a threat detection scan, the following error messages were returned: Scan not found for given identifier ID - <Scan ID>.
and Translation is missing
. We have resolved this issue and you should now be able to successfully delete scans in Software Trust Manager.
November 2, 2023
DigiCert® ONE version: 1.6392.2 | Software Trust Manager: 1.682.0
Enhancements
Scan then sign
Our new release feature allows you to set the purpose of your release, you can continue to use releases just to sign, or you can use our new workflow to use releases to perform threat detection scans, or to scan your software and if no threats are detected, allow your software to be signed as part of the release. You can set your preference in account settings.
Deployment risk levels
Our threat detection feature integrates with ReversingLabs to identify CVEs and deployment risks in your software. Initially, all P0 deployment risk scans would fail, but we've introduced a new enhancement that empowers you to select the P0 level in account settings which determines when the scan should fail. This way, you can focus on the highest deployment risks, enabling you to progressively refine your software while avoiding an overwhelming number of results with varying criticalities.
Threat detection scan version
We have added a Version column to the list of threat detection scans in Software Trust Manager, to make it easier for you to identify which version of the software was scanned.
Fixes
Rename DAST to SBA
ReversingLabs scans were initially listed in Software Trust Manager Scan type field as a DAST (Dynamic Application Security Testing), however after a thorough investigation we have renamed this scan type to SBA (Static Binary Analysis). SBA, also known as binary analysis or binary code analysis, more clearly describes that this scan type concentrates on analyzing the compiled binary code of an application or system without executing it. It aims to uncover vulnerabilities in the code itself, rather than its runtime behavior.
Licensing calculations clarification
We corrected the calculation in the Software Trust Manager dashboard. for Production signature units and HSM keypair units. Initially this calculation was based on the contract term selected within the dashboard. However this has been corrected to show that the signature units calculation is based on the contract term you have selected, whereas the HSM keypair units calculation is based on your account lifespan because these units do not expire.
Test keypair generation
We identified a bug in the test keypair generation workflow. When you creating a test keypair, the workflow allowed users to select online or offline as a keypair status. We have corrected this workflow to only restrict test keypairs to an online status.
November 1, 2023
New
Two-factor authentication (2FA) requirement
Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).
You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.
How to enable two-factor authentication in Account Manager.
注記
If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.
October 25, 2023
DigiCert® ONE version: 1.6201.5 | Software Trust Manager: 1.675.0
Enhancements
Desync all certificates associated with a keypair
The SMCTL desync command previously only desynced the expired
and revoked
certificates associated with a keypair from the local Windows store. We have improved the functionality of this command to allow you to additionally specify invalid
or all
as a parameter in the Windows desync command so that all certificates associated with the keypair would be desynced.
Simplified verify command
The SMCTL verify signature command has previously provided a lengthy output that made it difficult to identify if the verification of the signature was a success or failure. We have introduced a new parameter called --quiet
that can be added to the verify signature command to limit the output of the command to one sentence confirming if the verification of the signature is a success or failure.
Fixes
ReversingLabs configuration files
ReversingLabs' periodically updates their configuration files to improve the quality of scan responses and add new policies. DigiCert® Software Trust Manager is now relying on the latest available version of ReversingLabs configuration file to improve accuracy and consistency between DigiCert® Software Trust Manager and ReversingLabs' portal.
September 27, 2023
DigiCert® ONE version: 1.6074.8 | Software Trust Manager: 1.660.0
New
SBOM generation in SPDX format
With this release, DigiCert® Software Trust Manager Threat Detection customers now have the option to choose generation of SBOMs in SPDX or CycloneDX formats. SBOM format choice is now something users can select from the CLI (SMCTL). To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.
Threat Detection report generation
Software Trust Manager Threat Detection customers can now make choices on what reports to generate when requesting a scan on the CLI (SMCTL). Until this point all reports were generated by default. Now you can choose which reports to generate and those reports that will be pushed up to the Scan results in the Software Trust Manager UI. To leverage this capability, make sure download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.
Enhancements
Support non-zero response for Threat Detection Scan response in the CLI (SMCTL)
To better support threat detection software assurance CI/CD workflows, we have introduced support for a non-zero response flag when customers make a threat detection scan in our CLI (SMCTL). By including this new flag in the CLI request, any scans which fail will force the CI/CD pipeline to fail and exit so that customers can block and further activities they planned to do if the scan was a success. To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.
Fixes
UI fixes for Software Project
After release, there were a few UI enhancements identified to make the Software Projects workflows consistent with the rest of Software Trust Manager . Changes included UI content alignment, changes to button position and function as well as the ability to pause projects and change the project alias.
User mapping to GPG Keys
There was a bug with respect to default user mapping at the time of GPG keypair generation. It is now resolved.
September 13, 2023
DigiCert® ONE version: 1.6074.4 | Software Trust Manager: 1.661.0
Fixes
September 6, 2023
DigiCert® ONE version: 1.6074.1 | Software Trust Manager: 1.658.0
New
FOSSA integration for Threat detection
Software Trust Manager has partnered with FOSSA, a Software Composition Analysis (SCA) tool to extend our Threat detection ability to scan your source code repository via role-based access control (RBAC) from Signing Manger Controller (SMCTL). This feature allows all scan results to be shared to your Software Trust Manager cloud account and includes controls and analytics to help you use Software Trust Manager to secure your software supply chain.
Oracle Cloud Infrastructure (OCI) script integration with PKCS11
Integrate Software Trust Manager with Oracle Cloud Infrastructure (OCI) using our new script integration and our PKCS11 library for secure cryptographic operations and signing within your CI/CD pipeline.
Fixes
Removed critical flag for GPG to support strict requirements from RPM sign
On Fedora 36 and above, the requirement to import GPG keys into the RPM repository became more strict, which caused the key import function to fail if there were critical flags. We have removed the GPG logic for critical flags on key flags and primary user ID. This change resolved the issue with importing RPM keys.
August 30, 2023
August 30, 2023
DigiCert® ONE version: 1.5874.12 | Software Trust Manager: 1.656.0
Fixes
Remove expired users from Team workflows
Expired users were inappropriately showing as Approvers for any Teams-related action. Also, when Teams were enabled, expired users were shown in a list of users with sign permission when creating or editing a release. Expired users have now been removed from these workflows.
UI bug not displaying customers' CertCentral integration
We recently made changes to consolidate our integrations based on the connector model. In doing so, we introduced a UI bug which meant some customers could not see their CertCentral integration on the connectors list page. This has been fixed, and all customers can now view CertCentral integration on the connectors page.
August 25, 2023
DigiCert® ONE version: 1.5874.9 | Software Trust Manager: 1.653.0
Fixes
Failed to list CertCentral connectors API
CertCentral connector failed to load when CertCentral integration was only enabled in Software Trust Manager account settings and not in Account Manager. This has been fixed, CertCentral connector now loads correctly when CertCentral integration is enabled in Software Trust Manager account settings and, or in Account Manager.
August 23, 2023
DigiCert® ONE version: 1.5874.8 | Software Trust Manager: 1.652.0
New
Use Connectors to integrate with CertCentral and Threat detection services
Software Trust Manager's new Connectors feature provides you and your teams with a new space to manage your integrations. You can integrate your Software Trust Manager account with CertCentral global or Europe to order and manage publicly trusted certificates. You can also integrate with ReversingLabs to enable Threat detection on your account.
Enhancements
Projects feature is backward compatible to MariaDB 10.3.x
Last week Software Trust Manager released a new feature called Projects, however the feature was inaccessible to users relying on MariaDB version 10.3.x. The Projects feature is now backward compatible to MariaDB 10.3.x.
Fixes
Broken link on Projects page
The Learn more link on the projects page in Software Trust Manager received a "Page not found" error. The link has been updated to link correctly to the Projects page.
Certificate profiles for team not loading
When Allow team mapping for keypairs and certificates profiles is enabled for teams in Software Trust Manager Account settings, the team's certificate profiles did not populate in the certificate profile list during certificate generation for an existing keypair. This has been fixed. If Allow team mapping for keypairs and certificates profiles is enabled for teams, and you generate a new keypair with a default certificate, you will be able to select a certificate profile associated with your team from the drop-down menu.
August 16, 2023
DigiCert® ONE version: 1.5874.6 | Software Trust Manager: 1.648.0
Enhancements
Support plans
On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.
New plans:
Standard support (free)
Business support (mid-level)
Premium support (highest-level)
For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.
How does this affect me?
To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.
How the limited-time upgrade works:
Platinum support plans are upgraded to Premium support for the duration of the contract.
Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.
Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.
August 15, 2023
DigiCert® ONE version: 1.5874.5 | Software Trust Manager: 1.648.0
New
Organize your software with Projects
Software Trust Manager's new feature Projects provides you and your teams with a structured and collaborative environment to manage threat detection scans and releases for a specific software development project. Create a project to store all your related software scans and releases for different versions of the same software. You can refer to each software project by a descriptive name and an alias to allow for easy reference in SMCTL commands.
Fixes
Failure to generate certificate and refresh dynamic keypair
When the Address 2 field for the organization's address was "NULL" in DigiCert® Account Manager, certificate generation and dynamic keypair refresh failed. This issue has been fixed and should allows you to generate a certificate and refresh your dynamic keypair regardless of whether the optional Address 2 field has been completed or not.
June 28, 2023
DigiCert® ONE version: 1.5428.8 | Software Trust Manager: 1.633.0
New
Code signing with Jenkins plugin
Code signing with the Jenkins plugin is a streamlined keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux with standard keypairs. This plugin accelerates the installation and configuration of clients and signature tools to help developers become signing-ready for Jenkins pipeline.
GPG signing with Jenkins plugin
GPG signing with the Jenkins plugin is a streamlined keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux with GPG keys. This plugin accelerates the installation and configuration of clients and signature tools to help developers become signing-ready for Jenkins pipeline.
Fixes
Offline release approval issue resolved
Users with the "Approve release window" permission were redirected to "Page not found" when attempting to approve an offline release. Users that have the "Approve release window" permission assigned are now able to access the approve release page when attempting to approve an offline release.
Redirect to dashboard issue resolved
When a user with insufficient permissions attempted to access a page, they were redirected to the dashboard. This issue has been resolved and users are shown "Page not found" when attempting to access a page with insufficient permissions.
No data provided issue resolved
When your data was previously filtered using a filter that no longer exists, no results were displayed. When you view your list pages now, any archived filters that were applied will be removed, and you can select to filter your data by existing filters.
June 21, 2023
DigiCert® ONE version: 1.5428.7 | Software Trust Manager: 1.630.0
New
Filter by deployment risk and common vulnerability priority
Added capability to filter by dropdown selections of Severity and Status filters in threat detection results so customers can limit view to priority risks.
Enhancements
Remove license page in Software Trust Manager account settings
Deprecating the license page in account settings as we better cater for this in the dashboard, as well as providing overall consumption rates in the customer's account section of DigiCert ONE.
Fixes
Resolve issues with keypair list page filters
Fixed an issue where, once you applied filters related to keypairs on the keypairs list page, then visited another page and came back to the keypair list page, the filter was persisted but the results were not filtered correctly. We have resolved this now for all keypair algorithm types.
Customer CertCentral certificate field issue
Custom CertCentral fields were not showing up in Generate Certificate page for existing keypairs. We are now delivering parity for new and existing keypairs when generating a new certificate in this release.
June 14, 2023
DigiCert® ONE version: 1.5428.5 | Software Trust Manager: 1.623.0
Enhancements
Threat detection sorting
Previously, deployment risks and common vulnerabilities and exposures (CVE) were sorted by ID number rather than priority in the threat detection results pages. Now, both deployment risks and CVE data will be sorted in descending order to show critical risks and vulnerabilities first.
For example, a severity 9 CVE will be higher on the page than a severity 7 CVE and a P0 deployment risk will be higher than a P1, etc.
June 8, 2023
DigiCert® ONE version: 1.5428.2 | Software Trust Manager Manager: 1.617.0
New
New dashboard, better insights
Software Trust Manager released a new and improved dashboard that allows you to filter your data by your contract term, team, or a specific user. You can use this feature to identify an overview of:
Actions awaiting your approval in the account.
News section which alerts you to release notes, new product features, bug fixes, enhancements, and industry changes that may affect you.
Most and least used resources.
Consumption recommendations to ensure that you do not exceed your licensed units, which are specific to your contracted service term end date.
Filters for service term, teams and users.
Enhancements
Software Scanner becomes Threat Detection
Software Trust Manager released some enhancements relating to the Threat detection feature following our integration with ReversingLabs. We now support a new and expanded JSON schema that permits more information to be provided based on the data retrieved following the binary decomposition analysis. We also added a new logo in the UI and changed the name from Software Scanner to Threat Detection. Further, we give credit to National Vulnerability Database (NVD) relating to the Common vulnerabilities and exposures (CVE) details.
Fixes
Permission issue relating to revoke
If a user had Certificate Revoke permission but not Certificate Profile permission, certificate revoke was not possible. This is now resolved.
Compare releases bug
The release dropdown list was blank when selecting releases to compare, which is now resolved.
May 31, 2023
DigiCert® ONE version: 1.5118.11 | Software Trust Manager: 1.604.0
Fixes
Account scope users see correct values on dashboard
For Account scope users, the dashboard now shows an accurate count for keypairs and certificates.
Client tools repo for System users displays KeyLocker client tools
The client tools repo for System users showed Keylocker client tools in addition to STM client tools. The appropriate client tools are now only visible.
May 30, 2023
DigiCert® version: 1.5118.10 | Software Trust Manager: 1.602.0
New
Support for CertCentral custom field with dropdown
CertCentral recently introduced a custom field for certificate orders which supports user choosing a dropdown option. Software Trust Manager will now also support dropdowns for custom fields in our UI for parity purposes.
Enhancements
Optimize error logs
We are updating Software Trust Manager’s server-side log validation errors to capture validation errors, record more comprehensive logs, remove duplicate logging, and classify logs correctly.
Known issues
Azure plugin update to fix tool download error
Published 1.7.0 Azure devops extension to fix the broken client tools download link (tested with test extension version 1.5.0).
May 10, 2023
DigiCert® version: 1.5118.3 | Software Trust Manager: 1.586.0
Fixes
GPG key service user mappings
Fixed an issue where service users were not being mapped to GPG keys correctly. This is now corrected and service users can sign and manage GPG keys as per the service design.
April 26, 2023
DigiCert® version: 1.4957.4 | Software Trust Manager: 1.584.0
Fix
SMCTL Windows certsync and desync commands
Fixed issues with SMCTL Windows commands certsync and desync. These should now perform normally.
April 19, 2023
DigiCert® version: 1.4957.3 | Software Trust Manager: 1.582.0
New
SMCTL integration for Apple notarization
Software Trust Manager command-line interface (SMCTL) has enabled users to incorporate notarization workflows for Apple apps and binaries. Developers can not only sign their Apple files but also get them notarized and staple the results to the binary to give end users confidence around the quality of the software being installed on their Apple devices.
Enhancements
Debugging support for click-to-sign client
Click-to-sign client now supports customers to enable DEBUG logging so as to help identify configuration and setup errors detected when using the client.
GPG subkey selection at time of signing
Allows users to specify a GPG subkey for signing so that users can opt to use an older subkey.
Platform logging enhancements for better troubleshooting support
Software Trust Manager has introduced MDC (Mapped Diagnostic Context) approach to enrich server-side log messages. These messages provide information to better track service execution.
Fixes
SMCTL support user assignment at time of key generation
Fixed an issue that was not assigning the creator of a new keypair as the default user.
Server-side logs
We identified some missing server-side log scenarios relating to some events. We are now capturing create and modify for GPG master and subkeys, update Account Settings, and client tools download.
Incorrect error message for access denied during signing
Implemented a fix to alert users who do not have access to a key and try to sign with it. Such users now see a proper error message.
April 5, 2023
DigiCert® version: 1.xxxx.x | Software Trust Manager: 1.xxx.x
Enhancements
Debugging support for click-to-sign client
Click-to-sign client now supports customers to enable DEBUG logging so as to help identify configuration and setup errors detected when using the client.
GPG subkey selection at time of signing
Allow users to specify a GPG subkey for signing so that users can opt to use a subkey which is not the most recently generated key in the GPG keyring.
Fixes
SMCTL support user assignment at time of key generation
Fixed an issue that was not assigning the creator of a new keypair as the default user.
Server-side logs
We identified some missing server-side log scenarios relating to some events. We are now capturing create and modify for GPG master and subkeys, update Account Settings, and client tools download.
Incorrect error message for access denied during signing
Implemented a fix to alert users who do not have access to a key and try to sign with it. Such users now see a proper error message.
Known issues
Description of issue
Text about issue
March 9, 2023
DigiCert® version: 1.4803.0 | Software Trust Manager: 1.572.0
New
Support for CLI (SMCTL) signing workflows for Apple
Signing Apple binaries with Apple certificates can be complicated. We simplified the process by extending the scope of the STM CLI (SMCTL) to identify Apple binary types and build signing commands for Apple's codesign and productsign tools, so the user only has to identify the keypair they wish to use and where the binaries reside.
Support for ECDSA p192 keys
Legacy connected devices are often constrained by key algorithm as well as keysize/curve and do not have the ability to support newer or more robust keys. Software Trust Manager is adding support for ECDSA keypairs with p192 curve to support customers with legacy product lines constrained to this key type. The generation and import of these keys is limited to STM disk storage. Signing is supported in conjunction with the STM PKCS11 library and optimized for OpenSSL and PKCS 11 tool signing tools.
Fixes
Default certificate bug
Fixed a bug where for some keypairs, the default certificate checkbox was enabled and for some it was disabled. All keypairs can now have default certificate set if required.
Account settings content correction with trial accounts
Fixed an error in the account settings content relative to trial account being enabled.
Apple error for SMCTL environment when connecting via SSH
Fixed an error for customers who connect remotely via SSH who were not able to see their environment variables from the STM CLI (SMCTL).
Known issues
Consistency relating to keypair import workflows
Keytool import was importing the key as online by default, which conflicted with how the STM CLI (SMCTL) performs keypair import. Now all keypair import operations will set the key as offline for users to bring online afterwards if they choose.
Access policy APIs end of life
Software Trust Manager launched the Teams feature in 2022. This feature enables the management of users, keys, and profiles by grouping these resources under a team. It also introduces multi-person approval workflows and signing limits to account admins—all local and specific to each team of users. With the Teams feature fully established, we will sunset the older APIs which supported profiles to user mappings and instead invite customers to use the Teams APIs to map profiles to users instead.
February 9, 2023
New
Rebrand of Click-to-Sign client
Rebranding our click-to-sign client with the product name Software Trust Manager. This is a cosmetic change of logos and branding and does not introduce any breaking changes.
Rebrand CI/CD plugins
Rebranding our Azure DevOps and GitHub custom action plugins to the product name Software Trust Manager. This is a cosmetic change of logos and branding and does not introduce any breaking changes.
Fixes
Multiple fixes relating to GPG keypair workflows
Fixed bugs relating to GPG keypairs which were identified post-release.
Click-to-Sign client stability
Fixed a bug which caused the click-to-sign client to crash.
February 8, 2023
New
Integration with Thales DPOD for key storage at account level
Software Trust Manager now supports hosted account customers to have a dedicated account integration for secure key generation in a Thales DPOD service. Our workflows support key generation and support signing with keys hosted on the Thales DPOD service, which meets the minimum requirements for public trust code signing private key storage. Customers benefit from the dedicate storage provided by Thales, and means the customer will always retain the keys.
Software Trust Manager rebranding
We are rebranding the product from Secure Software Manager to Software Trust Manager. The new name aligns with the vision for the product as we grow the capabilities to deliver a broader range of software trust features which help customers secure their software supply chain at a time when ensuring digital trust is now one of the most pressing issues for the modern enterprise.
Enhancements
GPG keypair signing controls in release workflows
Users can now sign and modify GPG keypairs from the CLI, bringing parity to keypair activities which are already in place for standard keys on the CLI.
GPG keypair management with CLI
Users can now create and modify GPG Keypairs from the CLI, bringing parity to keypair activities which are already in place for standard keys on the CLI.
Adjust auto-renewal of private certificates to within 6 hours of expiry
Certificate auto-renewal process was happening too far away from the certificate expiry date. We fixed this by checking for certificate expiry every 4 hours and replacing certs which were enabled for auto-renewal when they are less than 6 hours left with the certs validity.
Fixes
Certificate auto-renewal process creating multiple certificates and long alias
Certificate auto-renewal process was causing duplication of renewed certs and and also was causing the alias of the certificate to become exponentially long. We fixed the duplication issue and made adjustments to how we rename legacy certificates so the alias is not growing exponentially each time the cert expires.
Support for certificate import when teams feature is enabled
The introduction of teams feature caused an unexpected issue when trying to import a certificate when the teams feature was enabled. Users can now import certs when teams feature is enabled or disabled.
Signature or signatures to release mapping issues resolved
Users not part of release should not have signatures count towards release signature limit and user should not be able to sign with key if not part of release when the key is in offline status. Applies to both standard keys and GPG keys.
January 18, 2023
Fixes
Status spinner hangs in account settings
Fixed an issue where uncaught exceptions in the account settings UI caused the status spinner to spin indefinitely.
Issue with release window controls
Fixed an issue where changes made to account settings were not being inherited in release windows.
January 17, 2023
New
GPG Keypair workflows enhancements
To support customers who sign with GPG keyrings, DigiCert® Software Trust Manager (STM) now supports importing GPG secrings into a STM account. This lets you continue signing with assets that are known to your customers and partners. The new workflows capture all signatures to the DigiCert® Software Trust Manager log for improved signing visibility, and supports export functionality for customers with multi-person approval structures.
Fixes
Enable private key export for open access keypairs
Private key export was limited to only restricted access keys stored in disk. This fix enables all secure disk stored keys to be exported via the export workflow.
Improve user experience for log export
We have included a UI spinner to show activity when the user makes a request to export logs, a process which can take some time depending on the size of the log.
Known issues
Validation of changes for account settings API
Includes more stringent validation of changes to customers' account settings made via the API.
January 11, 2023
New
Support for instance issuance for public trust code signing certificates from CertCentral
CertCentral introduced support for instant issuance of public trust code signing certificates, CS and EV CS, in late 2022. DigiCert® Software Trust Manager integration now supports auto-issuance of public trust code signing certs. This applies only to organizations which are pre-approved in your CertCentral account when CertCentral is enabled to bypass manual approval, or when the request is made by a verified CertCentral organization contact.
Set up preapproval in CertCentral advanced settings so you can auto-issue public trust code signing certificates via DigiCert® Software Trust Manager.
Integration with Espressif for Secure Boot signing with keys stored in Software Trust Manager
DigiCert® Software Trust Manager PKCS11 library is now optimized to support integrating with Espressif tool suite to support Secure Boot (v2) process on the ESP32.
This means customers can create, sign with and manage signing keys stored in DigiCert® Software Trust Manager to ensure the organization's second stage bootloader and binary are both signed and can be verified as trustworthy before being installed on the device.
Software Trust Manager CLI (SMCTL) optimized to support OsslSign on Linux and Mac
The STM command-line interface (CLI) tool can now write sign commands for Authenticode files types using the osslcodesign signing tool. This will help customers who wish to simplify the signing process for Authenticode files and capture metadata relating to signatures on Linux and Mac OS.
The default signing tool for Authenticode file signing using the STM CLI on Linux is Jsign. To select Osslsign, users will need to provide --tool osslsigncode as part of the signing command.
Enhancements
Software Trust Manager CLI (SMCTL) support for teams multi-person approval for offline release windows
The STM command-line interface (CLI) tool now allows customers to request and approve offline release windows for keys which are part of an STM Team which is enforcing multi-person approval. Multi-person approval of offline release windows was released for APIs and UI in December, and we are bringing parity to the CLI in this month's release.
Upgrade of UI to align with most recent platform common components library release
The STM user interface will see many minor enhancements related to the latest and greatest DigiCert ONE UI common component library. This will make the user experience more consistent and provide easier access to common tasks on list pages such as modifying, deleting, and revoking resources such as keys, certs, teams, releases, and profiles.
API documentation on STM portal
The DigiCert® Software Trust Manager API documentation team introduces a revamped version of STM Swagger for APIs to provide more context and content and support a simpler integration experience. The new Swagger API page is available to view under the Resources section of the STM UI.
Fixes
UI spinner fix for audit and signature log export
Fix UI experience relating to load of audit logs and signature log export page.
Bug fixes for Click-to-sign client
Fix Nuget signing issues identified after initial release so as to support Nuget signing in full via Click-to-sign client.
Minor content changes relating to client tools repository module in the UI.
Minor content changes relating to online documentation.
Known issues
Failed import of public trust code signing certificates from CertCentral
CertCentral introduced support for instant issuance of public trust code signing certificates, CS and EV CS, in late 2022 which caused some certificate imports to fail via the DigiCert® Software Trust Manager integration. DigiCert® Software Trust Manager has now introduced support for all CertCentral issuance workflows regardless of whether CertCentral administrator approval is required. All issued certificates which were not imported will be imported as a result of this fix to resolve any remaining customer issues.