Software Trust Manager

Release notes

June 26, 2024

DigiCert® ONE version: 1.7645.5 | Software Trust Manager: 1.787.0

New

Undecorated ECDSA signature in SMCTL

You now have the option to perform ECDSA signatures without ASN.1 decoration. From SMCTL version 1.48.0 onward, the smctl sign sign-hash command supports a new flag, --non-decorate-signature. Previously, all ECDSA signatures included ASN.1 decoration. This enhancement is crucial for supporting COSE signatures in the SCITT framework and other platforms. This change marks the first step towards fully enabling signatures tailored for SCITT.
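The difference between the two encodings, as an added example (not DigiCert code): a standard-library Python converter between the ASN.1 DER ECDSA-Sig-Value and the fixed-width r || s form that COSE (RFC 9053) requires. It assumes the undecorated output of --non-decorate-signature is that r || s concatenation; the function names and the sample values are constructed for illustration.

```python
"""ECDSA signature encodings: ASN.1 DER SEQUENCE{r, s} <-> fixed-width r || s."""

# Coordinate size in bytes per curve; COSE fixes r and s to exactly this width.
COORD_LEN = {"P-256": 32, "P-384": 48, "P-521": 66}


def _read_len(buf, pos):
    """Parse a DER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 2 or pos + n > len(buf):
        raise ValueError("unsupported or truncated length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if length < 0x80 or (n == 2 and length < 0x100):
        raise ValueError("non-minimal DER length")
    return length, pos + n


def _read_int(buf, pos):
    """Parse a DER INTEGER at buf[pos]; return (non-negative value, next_pos)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), pos + length


def der_to_raw(der, curve="P-256"):
    """Strictly parse a DER ECDSA signature and return fixed-width r || s."""
    size = COORD_LEN[curve]
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_len(der, 1)
    if pos + length != len(der):
        raise ValueError("trailing or missing bytes")
    r, pos = _read_int(der, pos)
    s, pos = _read_int(der, pos)
    if pos != len(der):
        raise ValueError("extra data in SEQUENCE")
    if r == 0 or s == 0 or max(r, s).bit_length() > size * 8:
        raise ValueError("r or s out of range for curve")
    # Left-pad with zeros: the raw form never changes length.
    return r.to_bytes(size, "big") + s.to_bytes(size, "big")


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """Encode a non-negative int as a minimal DER INTEGER (0x00 pad if top bit set)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def raw_to_der(raw, curve="P-256"):
    """Wrap fixed-width r || s in the ASN.1 SEQUENCE that X.509-style verifiers expect."""
    size = COORD_LEN[curve]
    if len(raw) != 2 * size:
        raise ValueError("raw signature must be 2 * coordinate size")
    r = int.from_bytes(raw[:size], "big")
    s = int.from_bytes(raw[size:], "big")
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body


# Constructed sample (not a real signature): r has its top bit set, so DER adds
# a 0x00 pad byte; s has a leading zero byte, which DER strips.
SAMPLE_RAW = bytes([0x80]) + bytes(range(1, 32)) + b"\x00" + bytes(range(0x20, 0x3F))
SAMPLE_DER = raw_to_der(SAMPLE_RAW)

if __name__ == "__main__":
    print("DER (%d bytes): %s" % (len(SAMPLE_DER), SAMPLE_DER.hex()))
    print("raw (%d bytes): %s" % (len(SAMPLE_RAW), der_to_raw(SAMPLE_DER).hex()))
```

A verifier that expects one encoding rejects the other, so pipelines that consume both kinds of signature should record which form was requested rather than guess from the length.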

Fixes

Error while updating dynamic test keys

We identified a bug that was introduced when keypair expiry was released earlier this year. When a dynamic test keypair was updated, the action resulted in the following error: Expiry type NO_EXPIRY is not allowed for test keypairs. This issue has been resolved.

June 19, 2024

DigiCert® ONE version: 1.7645.2 | Software Trust Manager: 1.782.0

Enhancements

Delete team

We added a new feature to allow users with Manage all teams permission to delete any team in the account. When deleting a team, users and any resources such as keypairs, keypair profiles, projects, releases, and threat detection scans associated with the team will be disassociated from the team and become available to assign to an existing team.

Fixes

Team selection during keypair generation

We identified an issue where, when teams were enabled on the account, users with Manage all teams and Generate keypair permission were able to generate keypairs and assign them to any team in the account. This issue has been resolved, and only users with Manage all teams and Manage keypair permission can generate keypairs for any team within the account.

Expiry error for GPG test keys

We identified an issue where GPG test key generation was incorrectly throwing an expiry error, preventing the creation of test keypairs. This has been resolved, and test keypairs can now be generated without encountering expiry restrictions.

Deleted users that are part of user groups

We identified an issue where users who were assigned to a user group and then deleted in Account Manager were still displayed in the user group. We have fixed this issue, and the deleted users will no longer be displayed in user groups that they previously belonged to.

Note

When a user is deleted in Account Manager, they will be removed from their user groups at the next scheduled update, which happens at 1 AM UTC every day.

June 12, 2024

DigiCert® ONE version: 1.7645.1 | Software Trust Manager: 1.777.0

Enhancements

Notification recipients

We have improved our email notification system. Now, only the users who need to know will receive specific updates about keypairs and certificates. Review the changes below:

Keypair expiry email notifications will be sent to the following recipients:

  • Teams disabled

    Users with Manage keypair permission receive the email notification when any restricted or open keypair in the account is about to expire.

  • Teams enabled

    • Users with Manage keypair permission receive the email notification when any keypair that is restricted to a team they are part of is about to expire.

    • Users with Manage keypair and Manage all teams permission receive the email notification when any restricted and open keypair in the account is about to expire.

Certificate expiry email notifications will be sent to the following recipients:

  • Teams disabled

    Users with Manage keypair permission receive the email notification when the default certificate of any restricted or open keypair in the account is about to expire.

  • Teams enabled

    • Users with Manage keypair permission receive the email notification when the default certificate for any keypair that is restricted to a team that they are part of is about to expire.

    • Users with Manage keypair and Manage all teams permission receive the email notification when the default certificate for any restricted or open keypair in the account is about to expire.

Certificate auto-renewal email notifications will be sent to the following recipients:

  • Teams disabled

    Users with Manage keypair permission receive the email notification when a certificate associated with a restricted or open keypair in the account is about to be renewed.

  • Teams enabled

    • Users with Manage keypair permission receive the email notification when a certificate associated with a keypair that is restricted to a team that the user is part of is about to be renewed.

    • Users with Manage keypair and Manage all teams permission receive the email notification when certificates associated with restricted or open keypairs in the account are about to be renewed.

Certificate auto-renewal blocked email notifications will be sent to the following recipients:

  • Teams disabled

    Users with Manage keypair permission receive the email notification when certificates associated with restricted or open keypairs in the account are blocked from being auto-renewed.

  • Teams enabled

    • Users with Manage keypair permission receive the email notification when certificates associated with keypairs that are restricted to a team that the user is part of are blocked from being auto-renewed.

    • Users with Manage keypair and Manage all teams permission receive the email notification when certificates associated with restricted or open keypairs in the account are blocked from being auto-renewed.

Tip

Which user roles have these permissions?

  • Lead

    This user role has both Manage all teams and Manage keypair permissions.

  • Team lead

    This user role has Manage keypair permission.

Fixes

Insufficient privileges to close release

We identified an issue where users were incorrectly shown the Close release option in Software Trust Manager, which resulted in an error: <User ID> does not have permission to close release. This issue has been fixed:

  • Teams disabled

    • Users with Request release permission can close releases that they created.

    • Users with Approve release permission can close any release within the account.

  • Teams enabled

    • Users with Request release or Approve release permission can close releases assigned to a team that they are part of, provided that they created the release, or are part of the release.

    • Users with Manage all teams and Approve release permission can close any release within the account.

    • Users with Manage all teams and Request release permission can close any release in the account, provided that they created the release.

    • Users with Manage my teams and Approve release permission can close releases assigned to a team that they are part of.

    • Users with Manage my teams and Request release permission can close releases assigned to a team that they are part of, provided that they created the release.

Page not found after keypair creation

We fixed an issue where users with the Developer user role, or with Create keypair permission but without Manage keypair permission, were directed to a Page not found error after creating a keypair. Now, these users will be correctly returned to the keypair list page.

Unable to import ICA certificates

We have added a fallback mechanism for OCSP requests to ensure that users can import ICA certificates in the Trust anchor tab in Software Trust Manager. Now we will check the certificate status with SHA256 and if it fails, our system will retry using SHA1 to ensure compatibility with OCSP services that still use SHA1. This update helps maintain secure certificate validation and ensures smooth importing of Root and Intermediate certificates.

Deleted users that are part of user groups

We identified an issue where users who were assigned to a user group and then deleted in Account Manager were still displayed in the user group. We have fixed this issue, and the deleted users will no longer be displayed in user groups that they previously belonged to.

Note

When a user is deleted in Account Manager, they will be removed from their user groups at the next scheduled update, which happens at 1 AM (UTC) every day.

May 22, 2024

DigiCert® ONE version: 1.7460.3 | Software Trust Manager: 1.775.0

Enhancements

Quantum-safe certificates

On February 7, 2024, we enhanced our keypair creation workflows to support quantum-safe Machine Learning-based Digital Signature Algorithm (MLDSA); however, generating a code signing certificate with an MLDSA keypair was not possible. As of this release, MLDSA certificates can be generated.

Keypair expiry enhancement

We have enabled expiry for standard keypairs to enhance crypto agility and improve security. Standard keypairs can now be set to expire on a specific date, upon certificate expiration, or remain non-expiring as before. Setting expiry dates helps maintain security, ensures compliance with industry standards, and preserves trust in your code's integrity. This update provides more flexibility in managing keypair lifecycles.

Bulk signing enhancements

The initial implementation of the smctl sign command was designed to support signing multiple files from an input folder. At that time, we chose not to make the command fail immediately if signing one of the files failed, anticipating this requirement in future updates. We have now introduced three flags to improve the bulk signing procedure. These flags are: --exit-non-zero-on-fail and --fail-fast.

Team names listed in alphabetical order

Previously, team names in drop-down menus were listed in order of creation. As of this release, team names will be listed alphabetically to enhance the user experience.

Fixes

Client tool filtering by operating system

We fixed an issue in the Client tools repository where tools were not being filtered correctly by operating system. This functionality now works as expected.

Key rotation and dynamic keypair error

We identified that users received errors when attempting to rotate keys or refresh dynamic keypairs if the key or key rotation did not belong to their primary account. These errors should no longer occur as long as you are assigned to the keypair, regardless of its association with the primary account.

GPG alias incorrectly displayed in signature logs

We identified and fixed an issue where downloaded signature logs displayed the UUID (Universally Unique Identifier) instead of the GPG alias.

Signatures not associated with the release

We fixed an issue where signatures were not correctly associated with a release when teams were enabled, and the release was assigned to a user group. Now, when a user from the assigned group signs with the keypair associated with the release, their signatures will be correctly associated with the release.

Expired dynamic keypairs

We fixed an issue where dynamic keypairs were incorrectly expiring after 30 days. Dynamic keypairs are periodically refreshed and should not expire. This issue has now been resolved for all active dynamic keypairs. However, previously expired dynamic keypairs cannot be restored.

Keypair selection in key rotations

We fixed an issue where keypairs not associated with a team were still appearing in the team field when updating key rotations. Now, you will only see and be able to select keypairs that are associated with the team to which the key rotation belongs.

CertCentral custom fields in Certificate profiles

We identified an issue in the Create Certificate profile workflow where CertCentral custom fields with 'anything' as the data type were not displayed. This has been fixed and should display correctly.

Correction to visible GPG actions

We identified an issue where users without the manage keypair permission were incorrectly able to see the options to edit, suspend, and unsuspend a GPG master key and subkey; however, selecting one of these options resulted in an error. We have fixed this issue, and these options will only show if the user has the manage keypair permission.

Keypairs associated with teams

We fixed two issues related to keypair behavior in team assignments. Standard and GPG keypairs were incorrectly behaving like "Open" keypairs when assigned to teams from the Teams page. GPG keys that were changed to "Open" status from the Keypairs page were still incorrectly listed as associated with the team in the team details. Both issues have now been corrected.

May 15, 2024

DigiCert® ONE version: 1.7460.2 | Software Trust Manager: 1.771.0

Enhancements

Enhanced visibility for system users

Previously, system users had limited visibility into account information. To better assist the accounts they support, we have extended their permissions to allow them to view:

  • Certificates

  • Certificate profiles

  • Certificate templates

  • CertCentral orders

  • Keypairs

  • Keypair profiles

  • Keypair rotation

  • GPG keys

  • Releases

  • Teams

  • Audit logs

  • Signature logs

Changes to user workflows and permission requirements

For simplified resource management and ease of reference, the following user flows have been implemented based on whether teams are enabled or not.

When teams are disabled on the account, users with:

  • Manage resource permission can view all related resources within the account.

  • View resource permission can view related resources assigned to them or a user group that they are part of.

Tip

Learn more about permissions when teams are disabled.

When teams are enabled on the account, users with:

  • Manage all teams and View resource permission can view all related resources within the account.

  • View resource permission can view related resources assigned to a team that they are part of.

Tip

Learn more about permissions when teams are enabled.

Change to public key download format

We have updated the keypair download format to conform to RFC 7468.

Previous format:

-----BEGIN EC PUBLIC KEY-----
<content>
-----END EC PUBLIC KEY-----

New format:

-----BEGIN PUBLIC KEY-----
<content>
-----END PUBLIC KEY-----

Fixes

PKCS11 library added to version 1.46.0 of Windows Clients Installer

We identified that the PKCS11 library was unintentionally excluded in version 1.46.0 of the Windows Clients Installer. We have rectified this issue without altering the version number. If you've already installed this version, download it again to ensure you have access to all required client tools.

May 8, 2024

DigiCert® ONE version: 1.7460.1 | Software Trust Manager: 1.770.0

New

Java Cryptography Extension (JCE) library

We added a JCE library to our Client tool repository. JCE is part of the Java Development Kit (JDK) that facilitates digital signing of Java Archive (JAR) files and related artifacts. Using JCE for signing is preferred over PKCS11 and KSP library options due to its compatibility with various operating systems (Windows, Linux, macOS, Solaris, and AIX) and Java architectures, including 64-bit, 32-bit, and ARM processors.

Enhancements

Latest version of rl-deploy

Our client tool packages were updated with the latest version of ReversingLabs' scanning tool called rl-deploy to improve accuracy and consistency between Software Trust Manager and ReversingLabs' portal.

Important

To avoid failed threat detection scans, download version 1.46.0 of Software Trust Manager client tools.

April 3, 2024

DigiCert® ONE version: 1.7277.0 | Software Trust Manager: 1.765.0

Enhancements

Release creation improvement

In the release creation workflow, we've updated the default setting to display only keypairs with associated certificates, enhancing user experience. Users retain the flexibility to view all keypairs by deselecting the filter box if needed, ensuring seamless navigation. This change aims to streamline selection processes while providing greater clarity and efficiency.

Fixes

Incorrect label in import certificate workflow

We have rectified an error in the import certificate workflow where the "Certificate alias" field was incorrectly labeled as "Keypair alias"; it now displays accurately. This fix ensures clarity and accuracy in the workflow for all users.

March 27, 2024

DigiCert® ONE version: 1.7083.5 | Software Trust Manager: 1.761.0

Enhancements

Translation files updated

We updated translation files to enhance multilingual support across the platform, excluding Japanese. These updates ensure improved clarity and consistency for users worldwide. We remain committed to delivering a seamless experience for our diverse user base.

Fixes

User group creation and editing error

We became aware that users were receiving the following error: "Attempt to create duplicate resource. Please check data provided." when attempting to create or update a user group in Software Trust Manager and the API. We have resolved this issue, and users should be able to create and update user groups as expected.

March 20, 2024

DigiCert® ONE version: 1.7083.4 | Software Trust Manager: 1.756.0

Enhancements

Latest version of rl-deploy

Our client tool packages were updated with version 1.3.0.0 of ReversingLabs' scanning tool called rl-deploy to improve accuracy and consistency between Software Trust Manager and ReversingLabs' portal.

Fixes

Keypair restriction for teams

When teams are enabled, and a member of the team generated a keypair via SMCTL, the keypair was generated with open access instead of restricted to the team. This has been corrected and when teams are enabled and a user generates a keypair via SMCTL, the user will be required to provide the Team ID so that the keypair's use is restricted to that specific team.

Metadata added for most recent 10,000 Signature logs

We identified that the Excel report generated after downloading via the Most recent 10,000 signature logs method did not include relevant metadata. We fixed this issue, and relevant metadata should show in these reports.

Healthcheck error updated

When a user ran the smctl healthcheck command and no signing tools were found in their system, the log files listed the following error message: "Error Tools cannot be null." We updated the error message to: "Unable to detect compatible signing tools." to make it clearer that the user needs to install third-party signing tools.

Windows certsync error updated

When a user ran the smctl windows certsync command without providing environment variables first, the log files listed a long string of information. We updated the error messages to be more concise: "Error occurred while trying to connect to service. No Host provided in request URL."

March 19, 2024

DigiCert® ONE version: 1.7083.3 | Software Trust Manager: 1.753.0

Enhancements

Version number change for client tools

You may have been notified about a new version of Software Trust Manager client tools; however, if you have already downloaded version 1.44.0 of the Software Trust Manager tools, there is no need to update your client tools to the latest version, as the changes made do not affect Software Trust Manager users.

March 13, 2024

DigiCert® ONE version: 1.7083.2 | Software Trust Manager: 1.751.0

Fixes

Improved scalability and reliability

As an ongoing effort, we have improved the scalability and reliability of Software Trust Manager. These updates ensure seamless operations even during peak usage and provide our users with a more efficient and robust user experience.

March 6, 2024

DigiCert® ONE version: 1.7083.0 | Software Trust Manager: 1.748.0

Enhancements

Optimized download of signature logs

We have addressed the issue of slow downloading for signature logs via the latest 10,000 option as well as the archived signature logs workflows. This change optimizes the download speed and prevents timeout errors.

Optimized SBOM report download

Previously, when users downloaded an SBOM report, Software Trust Manager showed no indicator that the download was in progress. We have enhanced this workflow by disabling the "Download" button after it is clicked and displaying a spinner to assure users that the download is in progress. This enhancement also prevents users from unnecessarily clicking the download button multiple times and duplicating the SBOM reports.

Fixes

Deleted certificates no longer display in certificate store

Deleted certificates were still listed in Windows certificate store even after running the smctl windows certsync command. We have fixed this issue and deleted certificates should no longer display in the certificate store after running the smctl windows certsync command.

CSP library now supports SHA1 digest signature algorithm

The 32-bit and 64-bit CSP library had an issue preventing users from using the SHA1 digest signature algorithm. This has been resolved, and users should now be able to use the SHA1 digest signature algorithm via the CSP library. This change was made on the server side and does not require you to upgrade to a newer version of the CSP library.

February 29, 2024

DigiCert® ONE version: 1.6887.5 | Software Trust Manager: 1.742.0

New

32-bit version of PKCS11 library

We have developed a 32-bit version of our PKCS11 library. This version allows users to utilize our PKCS11 tool on 32-bit Windows and Linux systems, enabling them to sign Java applications in a 32-bit environment. This new version is available for download from Software Trust Manager client tool repository.

Enhancements

Certificate generation permissions

It is mandatory to select a certificate profile when generating a certificate. Previously, users needed both Generate certificate and View certificate profile permissions to successfully generate a certificate. We have streamlined the workflow by removing the requirement for the View certificate profile permission when generating a certificate. Users can now generate certificates and select certificate profiles if they only have the Generate certificate permission. This change reduces errors for users with custom roles, as it was not intuitive that the 'view certificate profile' permission was required for certificate generation.

SBOM signing commands support keypair IDs

Previously, SBOM signing commands only supported keypair IDs. Now, we've expanded support to include keypair aliases as well. Keypair aliases offer users a more intuitive and user-friendly option, making SBOM signing commands easier to remember and use.

Invalid characters in release names

Previously, users encountered errors when adding any characters other than letters, numbers, ., _, or - in Release names. This error blocked users from creating a release but did not advise which characters were allowed. In response, we have introduced a tooltip within the Create release workflow, providing users with guidance on the allowed characters and format.

Fixes

Keypairs assigned to team in Release workflows

We have resolved an issue where attempting to view keypairs assigned to your team during the Release creation process resulted in an error. Now, users can seamlessly select keypairs associated with a team without encountering errors. This improvement ensures a smoother experience when creating Releases, with all relevant keypairs readily available for selection.

Key algorithms selection in Account settings

We identified an issue where users were unable to enable specific key algorithms in Account settings. This problem has been resolved, and the workflow should now function as expected. Users can once again seamlessly choose their preferred key algorithms in the Account settings.

February 21, 2024

DigiCert® ONE version: 1.6887.3 | Software Trust Manager: 1.735.0

Enhancements

Quantum-safe algorithms

We enhanced our keypair profile workflows to allow for selection of the quantum-safe algorithm, Machine Learning-based Digital Signature Algorithm (MLDSA). MLDSA is a cutting-edge approach to cryptographic security. It utilizes advanced machine learning techniques to continuously adapt and enhance security measures, providing adaptive protection against emerging threats.

Archived signature logs

We have addressed delays in loading on the archived signature logs page by removing the Total number of signature logs field as well as the Number of records column. Each report consistently contains 10,000 unfiltered signature events. However, the most recent report reflects the delta of events since the last archival, potentially deviating from the standard 10,000 events. This change ensures a smoother user experience while maintaining transparency and accuracy in reporting.

Fixes

KSP list command for SMCTL

We identified an issue with the smctl windows ksp list command, which resulted in the output only showing the first letter of the storage providers. We have fixed this issue and the command output should display with the full names, as expected.

February 14, 2024

DigiCert® ONE version: 1.6887.2 | Software Trust Manager: 1.731.0

New

SHA-384 signature algorithm ICAs

CertCentral now issues certificates off SHA-384 signature algorithm ICAs. While previously limited to SHA-256, this update enables users to utilize SHA-384 signatures based on their CA and ICA settings within CertCentral. Users can seamlessly leverage this feature to further strengthen their certificate management workflows.

Fixes

Hidden keypair profiles

We have identified that system scope keypair profiles, which should be visible in all Software Trust Manager accounts, were hidden. We have fixed this issue, and they should be accessible in all accounts.

Hidden security level for keypair profiles

During keypair generation, the security level associated with the keypair profile selected was hidden. We have resolved this issue and the security level should display as expected.

February 8, 2024

DigiCert® ONE version: 1.6887.1 | Software Trust Manager: 1.724.0

Fixes

Client tool download via API and plugins

We identified an issue preventing the download of Software Trust Manager client tools via the no authentication API endpoint: /signingmanager/api-ui/v1/releases/noauth/{releaseName}/download and CI/CD plugins. We have fixed this issue and users should be able to successfully download our client tools using the endpoint referred to above and Software Trust Manager plugins.

February 7, 2024

DigiCert® ONE version: 1.6887.0 | Software Trust Manager: 1.723.0

Enhancements

Quantum-safe algorithms

We enhanced our keypair creation workflows to allow for the selection of the quantum-safe algorithm, Machine Learning-based Digital Signature Algorithm (MLDSA). MLDSA is a cutting-edge approach to cryptographic security. It utilizes advanced machine learning techniques to continuously adapt and enhance security measures, providing adaptive protection against emerging threats.

SBOM signing

We enhanced our command line interface (CLI), Signing Manager Controller (SMCTL) to support CycloneDX and SPDX SBOM signing and verification using in-toto. SBOM signing enables users to securely sign their SBOMs, providing assurance of their authenticity and integrity throughout the software supply chain. Additionally, SBOM verification ensures that received SBOMs have not been tampered with, enhancing trust and mitigating the risk of supply chain attacks.

Hash signing

Building on existing binary signing workflows, we enhanced our command line interface (CLI), Signing Manager Controller (SMCTL) to support hash signing. Hash signing ensures data integrity by generating unique cryptographic signatures for files, offering an extra layer of security against tampering and unauthorized modifications throughout the software distribution process.

Fixes

Projects

We identified and fixed two issues relating to our Projects feature. Previously, system users encountered difficulties loading the projects page; we have resolved this, and it should now load as expected. Additionally, the "Create project" button was displayed in the UI for users who did not have the required permissions assigned. We have rectified this by removing the button for users who do not have the necessary permissions to perform this action.

February 1, 2024

DigiCert® ONE version: 1.6665.7 | Software Trust Manager: 1.717.0

Enhancements

API changes for system users requesting signature logs

We have improved our API for system users. As of this release, it is mandatory for system users to provide an account ID when retrieving signature logs. This change ensures that users can access logs for a specified account rather than receiving data for all accessible accounts. This enhancement allows for more efficient workflow management.

Search functionality in drop-down menus

We have enhanced the drop-down menus in existing workflows to include a search functionality to speed up the selection process. The search functionality has been applied to the following workflows:

  • Generate a certificate

  • Create a certificate profile

  • Create a release

  • Create a GPG subkey

January 24, 2024

DigiCert® ONE version: 1.6665.5 | Software Trust Manager: 1.714.0

Enhancements

Keypair profile

We made changes to how keypair profiles are organized. Previously, when you created a new keypair profile, it appeared at the bottom of the list, potentially causing inconvenience. Now, to streamline your experience, newly created keypair profiles will automatically populate at the top of the list for easier access and better visibility.

January 10, 2024

DigiCert® ONE version: 1.6665.2 | Software Trust Manager: 1.709.0

Enhancements

API validation of hashes

We enhanced input validation for hashes provided at time of signing related to keypairs stored on disk via the Software Trust Manager REST API.

January 3, 2024

DigiCert® ONE version: 1.6665.1 | Software Trust Manager: 1.705.0

Enhancements

Archived signature log performance optimization

We have enhanced the user interface (UI) pages for archived signature logs in Software Trust Manager, significantly improving their load time.

Previously, users with large log volumes experienced timeouts when accessing archived logs. This release should eliminate timeouts. Additional optimizations are in progress to enhance other aspects of the signature logs workflow to further enhance user experience.

December 19, 2023

DigiCert® ONE version: 1.6573.3 | Software Trust Manager: 1.700.0

New

Threat Detection Video

Software Trust Manager will make video content available in our UI regarding the benefits of undertaking Threat Detection so customers can learn more about the benefits of using Threat Detection to secure software supply-chains.

Enhancements

Display signature count for download archive logs

We have corrected the signature count related to archive logs to align with total signatures for the account. Previously, filters applied in the UI impacted the signature count value. Going forward, this will no longer be the case.

December 13, 2023

DigiCert® ONE version: 1.6573.2 | Software Trust Manager: 1.698.0

New

Threat Detection Advice

Software Trust Manager will now make our content regarding the benefits of undertaking Threat Detection on software available to all customers ahead of signing with this release.

If you are not presently licensing the Threat Detection feature, you will be given access to a tab where we explain the benefits of this feature. If you want to learn more or sign up for a free trial, you can express your interest. To learn more about this feature, see Threat detection.

Enhancements

Signature Log performance optimization

In this release, we optimized the signature log user interface (UI) pages, resulting in a much-improved load time for signature logs in the Software Trust Manager UI.

The load time of recent logs has been an issue for those with large log volumes. These larger volumes caused the request to the service to time out, which in this release has been optimized and will no longer happen. Further changes are planned to optimize other parts of the signature logs workflow, which will go live in future releases to continue improving this experience.

November 29, 2023

DigiCert® ONE version: 1.6392.5 | Software Trust Manager: 1.694.0

New

Enhanced options for keypair generation and storage

DigiCert® CA Manager now offers you the ability to generate and store your private keys for code signing certificates in DigiCert's shared key storage services, as well as in your dedicated key storage services that are integrated with your Software Trust Manager account. In CA Manager, you can enable multiple active key storage services, such as DigiCert's hosted HSMs and your cloud-based HSM service "Data Protection on Demand" (DPoD) from Thales. Software Trust Manager has enhanced the keypair generation workflow to enable you to choose where to generate new keys based on your use case in Software Trust Manager and in SMCTL, our command-line interface. You can access and sign with your keys regardless of whether your keys are stored in DigiCert's shared key storage services or in your dedicated key storage services, or HSMs.

Enhancements

Project error messages

We have improved our error messages for the Software Trust Manager Projects feature. Previously, these error messages referenced resource IDs. We now display resource aliases instead so that users can identify the resource more easily.

Release error messages

We have improved our error messages for the Software Trust Manager Release feature. Previously, these error messages referenced keypair IDs. We now display keypair aliases instead so that users can identify the keypair more easily.

Fixes

Contract term bug in Dashboard

We identified an issue with the end date shown in the contract term drop-down menu in the Software Trust Manager Dashboard. The end date displayed was always the original end date of the contract term, and did not account for contract terms that were extended before the contract expired. The end date for contract terms now takes contract extensions into account and displays correctly.

November 15, 2023

DigiCert® ONE version: 1.6392.4 | Software Trust Manager: 1.688.0

Enhancements

Exploitability of CVEs

We have added an Exploitability field to the FOSSA threat detection scan details page. The Exploitability field provides information about the likelihood that a given vulnerability will be exploited. This field helps users, administrators, and security professionals assess the urgency and priority of addressing Common Vulnerabilities and Exposures (CVE).

Fixes

Release compatibility

On November 2, 2023, we enhanced the release workflow. This change caused backward compatibility issues with older versions of Signing Manager Controller (SMCTL). We have fixed the backward compatibility issue in this release. Older versions of SMCTL now work with the new release workflow enhancements.

November 8, 2023

DigiCert® ONE version: 1.6392.3 | Software Trust Manager: 1.687.0

Enhancements

Download FOSSA reports

We enhanced our threat detection integration with FOSSA. This enhancement allows you to download licensing, SBOM, and vulnerability reports after completing a threat detection scan with FOSSA. In addition, you can customize the report format and the metadata included in the report.

Fixes

Failure to delete threat detection scans

When attempting to delete a threat detection scan, the following error messages were returned: Scan not found for given identifier ID - <Scan ID>. and Translation is missing. We have resolved this issue and you should now be able to successfully delete scans in Software Trust Manager.

November 2, 2023

DigiCert® ONE version: 1.6392.2 | Software Trust Manager: 1.682.0

Enhancements

Scan then sign

Our new release feature allows you to set the purpose of your release. You can continue to use releases just to sign, use our new workflow to perform threat detection scans with releases, or scan your software and, if no threats are detected, allow it to be signed as part of the release. You can set your preference in account settings.

Deployment risk levels

Our threat detection feature integrates with ReversingLabs to identify CVEs and deployment risks in your software. Initially, all P0 deployment risk scans would fail, but we've introduced a new enhancement that empowers you to select the P0 level in account settings which determines when the scan should fail. This way, you can focus on the highest deployment risks, enabling you to progressively refine your software while avoiding an overwhelming number of results with varying criticalities.

Threat detection scan version

We have added a Version column to the list of threat detection scans in Software Trust Manager, to make it easier for you to identify which version of the software was scanned.

Fixes

Rename DAST to SBA

ReversingLabs scans were initially listed in the Software Trust Manager Scan type field as DAST (Dynamic Application Security Testing). After a thorough investigation, we have renamed this scan type to SBA (Static Binary Analysis). SBA, also known as binary analysis or binary code analysis, more clearly describes that this scan type concentrates on analyzing the compiled binary code of an application or system without executing it. It aims to uncover vulnerabilities in the code itself, rather than its runtime behavior.

Licensing calculations clarification

We corrected the calculation in the Software Trust Manager dashboard for Production signature units and HSM keypair units. Initially, this calculation was based on the contract term selected within the dashboard. This has been corrected so that the signature units calculation is based on the contract term you have selected, whereas the HSM keypair units calculation is based on your account lifespan because these units do not expire.

Test keypair generation

We identified a bug in the test keypair generation workflow. When you created a test keypair, the workflow allowed users to select online or offline as a keypair status. We have corrected this workflow to restrict test keypairs to an online status only.

November 1, 2023

New

Two-factor authentication (2FA) requirement

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.

Note

If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.

October 25, 2023

DigiCert® ONE version: 1.6201.5 | Software Trust Manager: 1.675.0

Enhancements

Desync all certificates associated with a keypair

The SMCTL desync command previously only desynced the expired and revoked certificates associated with a keypair from the local Windows store. We have improved the functionality of this command to allow you to additionally specify invalid or all as a parameter in the Windows desync command so that all certificates associated with the keypair are desynced.

Simplified verify command

The SMCTL verify signature command has previously provided a lengthy output that made it difficult to identify if the verification of the signature was a success or failure. We have introduced a new parameter called --quiet that can be added to the verify signature command to limit the output of the command to one sentence confirming if the verification of the signature is a success or failure.

Fixes

ReversingLabs configuration files

ReversingLabs periodically updates its configuration files to improve the quality of scan responses and add new policies. DigiCert® Software Trust Manager now relies on the latest available version of the ReversingLabs configuration file to improve accuracy and consistency between DigiCert® Software Trust Manager and the ReversingLabs portal.

September 27, 2023

DigiCert® ONE version: 1.6074.8 | Software Trust Manager: 1.660.0

New

SBOM generation in SPDX format

With this release, DigiCert® Software Trust Manager Threat Detection customers now have the option to choose generation of SBOMs in SPDX or CycloneDX formats. SBOM format choice is now something users can select from the CLI (SMCTL). To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

Threat Detection report generation

Software Trust Manager Threat Detection customers can now make choices on what reports to generate when requesting a scan on the CLI (SMCTL). Until this point all reports were generated by default. Now you can choose which reports to generate and those reports that will be pushed up to the Scan results in the Software Trust Manager UI. To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

Enhancements

Support non-zero response for Threat Detection Scan response in the CLI (SMCTL)

To better support threat detection software assurance CI/CD workflows, we have introduced support for a non-zero response flag when customers run a threat detection scan in our CLI (SMCTL). When this new flag is included in the CLI request, any scan that fails will force the CI/CD pipeline to fail and exit, so that customers can block any further activities they planned to do if the scan was a success. To leverage this capability, make sure to download the latest version of the CLI (SMCTL) from Software Trust Manager Client Tools Repository.

Fixes

UI fixes for Software Project

After release, a few UI enhancements were identified to make the Software Projects workflows consistent with the rest of Software Trust Manager. Changes included UI content alignment, changes to button position and function, as well as the ability to pause projects and change the project alias.

User mapping to GPG Keys

There was a bug with respect to default user mapping at the time of GPG keypair generation. It is now resolved.

September 13, 2023

DigiCert® ONE version: 1.6074.4 | Software Trust Manager: 1.661.0

Fixes

Changes to feature flags affected unrelated settings

When system users enabled Software Trust Manager feature flags in DigiCert® Account Manager, unrelated settings showed as affected in Software Trust Manager account settings. This has been fixed. When system users update Software Trust Manager related feature flags in DigiCert® Account Manager, only the specified flag gets updated while unrelated existing flags remain unaffected.

September 6, 2023

DigiCert® ONE version: 1.6074.1 | Software Trust Manager: 1.658.0

New

FOSSA integration for Threat detection

Software Trust Manager has partnered with FOSSA, a Software Composition Analysis (SCA) tool, to extend our Threat detection ability to scan your source code repository via role-based access control (RBAC) from Signing Manager Controller (SMCTL). This feature allows all scan results to be shared to your Software Trust Manager cloud account and includes controls and analytics to help you use Software Trust Manager to secure your software supply chain.

Oracle Cloud Infrastructure (OCI) script integration with PKCS11

Integrate Software Trust Manager with Oracle Cloud Infrastructure (OCI) using our new script integration and our PKCS11 library for secure cryptographic operations and signing within your CI/CD pipeline.

Fixes

Removed critical flag for GPG to support strict requirements from RPM sign

On Fedora 36 and above, the requirement to import GPG keys into the RPM repository became more strict, which caused the key import function to fail if there were critical flags. We have removed the GPG logic for critical flags on key flags and primary user ID. This change resolved the issue with importing RPM keys.

August 30, 2023

DigiCert® ONE version: 1.5874.12 | Software Trust Manager: 1.656.0

Fixes

Remove expired users from Team workflows

Expired users were inappropriately showing as Approvers for any Teams-related action. Also, when Teams were enabled, expired users were shown in a list of users with sign permission when creating or editing a release. Expired users have now been removed from these workflows.

UI bug not displaying customers' CertCentral integration

We recently made changes to consolidate our integrations based on the connector model. In doing so, we introduced a UI bug which meant some customers could not see their CertCentral integration on the connectors list page. This has been fixed, and all customers can now view CertCentral integration on the connectors page.

August 25, 2023

DigiCert® ONE version: 1.5874.9 | Software Trust Manager: 1.653.0

Fixes

Failed to list CertCentral connectors API

The CertCentral connector failed to load when CertCentral integration was only enabled in Software Trust Manager account settings and not in Account Manager. This has been fixed. The CertCentral connector now loads correctly when CertCentral integration is enabled in Software Trust Manager account settings, in Account Manager, or in both.

August 23, 2023

DigiCert® ONE version: 1.5874.8 | Software Trust Manager: 1.652.0

New

Use Connectors to integrate with CertCentral and Threat detection services

Software Trust Manager's new Connectors feature provides you and your teams with a new space to manage your integrations. You can integrate your Software Trust Manager account with CertCentral global or Europe to order and manage publicly trusted certificates. You can also integrate with ReversingLabs to enable Threat detection on your account.

Enhancements

Projects feature is backward compatible to MariaDB 10.3.x

Last week, Software Trust Manager released a new feature called Projects. However, the feature was inaccessible to users relying on MariaDB version 10.3.x. The Projects feature is now backward compatible to MariaDB 10.3.x.

Fixes

Certificate profiles for team not loading

When Allow team mapping for keypairs and certificates profiles is enabled for teams in Software Trust Manager Account settings, the team's certificate profiles did not populate in the certificate profile list during certificate generation for an existing keypair. This has been fixed. If Allow team mapping for keypairs and certificates profiles is enabled for teams, and you generate a new keypair with a default certificate, you will be able to select a certificate profile associated with your team from the drop-down menu.

August 16, 2023

DigiCert® ONE version: 1.5874.6 | Software Trust Manager: 1.648.0

Enhancements

Support plans

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

  • Standard support (free)

  • Business support (mid-level)

  • Premium support (highest-level)

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

  • Platinum support plans are upgraded to Premium support for the duration of the contract.

  • Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.

  • Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.

August 15, 2023

DigiCert® ONE version: 1.5874.5 | Software Trust Manager: 1.648.0

New

Organize your software with Projects

Software Trust Manager's new feature Projects provides you and your teams with a structured and collaborative environment to manage threat detection scans and releases for a specific software development project. Create a project to store all your related software scans and releases for different versions of the same software. You can refer to each software project by a descriptive name and an alias to allow for easy reference in SMCTL commands.

Fixes

Failure to generate certificate and refresh dynamic keypair

When the Address 2 field for the organization's address was "NULL" in DigiCert® Account Manager, certificate generation and dynamic keypair refresh failed. This issue has been fixed and should allow you to generate a certificate and refresh your dynamic keypair regardless of whether the optional Address 2 field has been completed or not.

June 28, 2023

DigiCert® ONE version: 1.5428.8 | Software Trust Manager: 1.633.0

New

Code signing with Jenkins plugin

Code signing with the Jenkins plugin is a streamlined keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux with standard keypairs. This plugin accelerates the installation and configuration of clients and signature tools to help developers become signing-ready for Jenkins pipeline.

GPG signing with Jenkins plugin

GPG signing with the Jenkins plugin is a streamlined keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux with GPG keys. This plugin accelerates the installation and configuration of clients and signature tools to help developers become signing-ready for Jenkins pipeline.

Fixes

Offline release approval issue resolved

Users with the "Approve release window" permission were redirected to "Page not found" when attempting to approve an offline release. Users that have the "Approve release window" permission assigned are now able to access the approve release page when attempting to approve an offline release.

Redirect to dashboard issue resolved

When a user with insufficient permissions attempted to access a page, they were redirected to the dashboard. This issue has been resolved and users are shown "Page not found" when attempting to access a page with insufficient permissions.

No data provided issue resolved

When your data was previously filtered using a filter that no longer exists, no results were displayed. When you view your list pages now, any archived filters that were applied will be removed, and you can select to filter your data by existing filters.

June 21, 2023

DigiCert® ONE version: 1.5428.7 | Software Trust Manager: 1.630.0

New

Filter by deployment risk and common vulnerability priority

Added the capability to filter threat detection results by dropdown selections of the Severity and Status filters so customers can limit the view to priority risks.

Enhancements

Remove license page in Software Trust Manager account settings

Deprecating the license page in account settings as we better cater for this in the dashboard, as well as providing overall consumption rates in the customer's account section of DigiCert ONE.

Fixes

Resolve issues with keypair list page filters

Fixed an issue where, once you applied filters related to keypairs on the keypairs list page, then visited another page and came back to the keypair list page, the filter was persisted but the results were not filtered correctly. We have resolved this now for all keypair algorithm types.

Customer CertCentral certificate field issue

Custom CertCentral fields were not showing up in Generate Certificate page for existing keypairs. We are now delivering parity for new and existing keypairs when generating a new certificate in this release.

June 14, 2023

DigiCert® ONE version: 1.5428.5 | Software Trust Manager: 1.623.0

Enhancements

Threat detection sorting

Previously, deployment risks and common vulnerabilities and exposures (CVE) were sorted by ID number rather than priority in the threat detection results pages. Now, both deployment risks and CVE data will be sorted in descending order to show critical risks and vulnerabilities first.

For example, a severity 9 CVE will be higher on the page than a severity 7 CVE and a P0 deployment risk will be higher than a P1, etc.

June 8, 2023

DigiCert® ONE version: 1.5428.2 | Software Trust Manager: 1.617.0

New

New dashboard, better insights

Software Trust Manager released a new and improved dashboard that allows you to filter your data by your contract term, team, or a specific user. You can use this feature to get an overview of:

  • Actions awaiting your approval in the account.

  • News section which alerts you to release notes, new product features, bug fixes, enhancements, and industry changes that may affect you.

  • Most and least used resources.

  • Consumption recommendations to ensure that you do not exceed your licensed units, which are specific to your contracted service term end date.

  • Filters for service term, teams and users.

Enhancements

Software Scanner becomes Threat Detection

Software Trust Manager released some enhancements relating to the Threat detection feature following our integration with ReversingLabs. We now support a new and expanded JSON schema that permits more information to be provided based on the data retrieved following the binary decomposition analysis. We also added a new logo in the UI and changed the name from Software Scanner to Threat Detection. Further, we credit the National Vulnerability Database (NVD) for the Common Vulnerabilities and Exposures (CVE) details.

Fixes

Permission issue relating to revoke

If a user had Certificate Revoke permission but not Certificate Profile permission, certificate revoke was not possible. This is now resolved.

Compare releases bug

The release dropdown list was blank when selecting releases to compare, which is now resolved.

May 31, 2023

DigiCert® ONE version: 1.5118.11 | Software Trust Manager: 1.604.0

Fixes

Account scope users see correct values on dashboard

For Account scope users, the dashboard now shows an accurate count for keypairs and certificates.

Client tools repo for System users displays KeyLocker client tools

The client tools repo for System users showed KeyLocker client tools in addition to STM client tools. Only the appropriate client tools are now visible.

May 30, 2023

DigiCert® version: 1.5118.10 | Software Trust Manager: 1.602.0

New

Support for CertCentral custom field with dropdown

CertCentral recently introduced a custom field for certificate orders that lets users choose an option from a dropdown. Software Trust Manager will now also support dropdowns for custom fields in our UI for parity purposes.

Enhancements

Optimize error logs

We are updating Software Trust Manager’s server-side log validation errors to capture validation errors, record more comprehensive logs, remove duplicate logging, and classify logs correctly.

Known issues

Azure plugin update to fix tool download error

Published the 1.7.0 Azure DevOps extension to fix the broken client tools download link (tested with test extension version 1.5.0).

May 10, 2023

DigiCert® version: 1.5118.3 | Software Trust Manager: 1.586.0

Fixes

GPG key service user mappings

Fixed an issue where service users were not being mapped to GPG keys correctly. This is now corrected and service users can sign and manage GPG keys as per the service design.

April 26, 2023

DigiCert® version: 1.4957.4 | Software Trust Manager: 1.584.0

Fix

SMCTL Windows certsync and desync commands

Fixed issues with SMCTL Windows commands certsync and desync. These should now perform normally.

April 19, 2023

DigiCert® version: 1.4957.3 | Software Trust Manager: 1.582.0

New

SMCTL integration for Apple notarization

Software Trust Manager command-line interface (SMCTL) has enabled users to incorporate notarization workflows for Apple apps and binaries. Developers can not only sign their Apple files but also get them notarized and staple the results to the binary to give end users confidence around the quality of the software being installed on their Apple devices.

Enhancements

Debugging support for click-to-sign client

The click-to-sign client now lets customers enable DEBUG logging to help identify configuration and setup errors detected when using the client.

GPG subkey selection at time of signing

Allows users to specify a GPG subkey for signing so that users can opt to use an older subkey.

Platform logging enhancements for better troubleshooting support

Software Trust Manager has introduced the MDC (Mapped Diagnostic Context) approach to enrich server-side log messages. These messages provide information to better track service execution.

Fixes

SMCTL support user assignment at time of key generation

Fixed an issue that was not assigning the creator of a new keypair as the default user.

Server-side logs

We identified some missing server-side log scenarios relating to some events. We are now capturing create and modify for GPG master and subkeys, update Account Settings, and client tools download.

Incorrect error message for access denied during signing

Implemented a fix to alert users who do not have access to a key and try to sign with it. Such users now see a proper error message.

March 9, 2023

DigiCert® version: 1.4803.0 | Software Trust Manager: 1.572.0

New

Support for CLI (SMCTL) signing workflows for Apple

Signing Apple binaries with Apple certificates can be complicated. We simplified the process by extending the scope of the STM CLI (SMCTL) to identify Apple binary types and build signing commands for Apple's codesign and productsign tools, so the user only has to identify the keypair they wish to use and where the binaries reside.

Support for ECDSA p192 keys

Legacy connected devices are often constrained by key algorithm as well as keysize/curve and do not have the ability to support newer or more robust keys. Software Trust Manager is adding support for ECDSA keypairs with p192 curve to support customers with legacy product lines constrained to this key type. The generation and import of these keys is limited to STM disk storage. Signing is supported in conjunction with the STM PKCS11 library and optimized for OpenSSL and PKCS 11 tool signing tools.

Fixes

Default certificate bug

Fixed a bug where for some keypairs, the default certificate checkbox was enabled and for some it was disabled. All keypairs can now have default certificate set if required.

Account settings content correction with trial accounts

Fixed an error in the account settings content relative to trial account being enabled.

Apple error for SMCTL environment when connecting via SSH

Fixed an error for customers who connect remotely via SSH who were not able to see their environment variables from the STM CLI (SMCTL).

Known issues

Consistency relating to keypair import workflows

Keytool import was importing the key as online by default, which conflicted with how the STM CLI (SMCTL) performs keypair import. Now all keypair import operations will set the key as offline for users to bring online afterwards if they choose.

Access policy APIs end of life

Software Trust Manager launched the Teams feature in 2022. This feature enables the management of users, keys, and profiles by grouping these resources under a team. It also introduces multi-person approval workflows and signing limits to account admins—all local and specific to each team of users. With the Teams feature fully established, we will sunset the older APIs which supported profiles to user mappings and instead invite customers to use the Teams APIs to map profiles to users instead.

February 9, 2023

New

Rebrand of Click-to-Sign client

Rebranding our click-to-sign client with the product name Software Trust Manager. This is a cosmetic change of logos and branding and does not introduce any breaking changes.

Rebrand CI/CD plugins

Rebranding our Azure DevOps and GitHub custom action plugins to the product name Software Trust Manager. This is a cosmetic change of logos and branding and does not introduce any breaking changes.

Fixes

Multiple fixes relating to GPG keypair workflows

Fixed bugs relating to GPG keypairs which were identified post-release.

Click-to-Sign client stability

Fixed a bug which caused the click-to-sign client to crash.

February 8, 2023

New

Integration with Thales DPOD for key storage at account level

Software Trust Manager now lets hosted account customers have a dedicated account integration for secure key generation in a Thales DPOD service. Our workflows support key generation and signing with keys hosted on the Thales DPOD service, which meets the minimum requirements for public trust code signing private key storage. Customers benefit from the dedicated storage provided by Thales, which means the customer will always retain the keys.

Software Trust Manager rebranding

We are rebranding the product from Secure Software Manager to Software Trust Manager. The new name aligns with the vision for the product as we grow the capabilities to deliver a broader range of software trust features which help customers secure their software supply chain at a time when ensuring digital trust is now one of the most pressing issues for the modern enterprise.

Enhancements

GPG keypair signing controls in release workflows

Users can now sign and modify GPG keypairs from the CLI, bringing parity to keypair activities which are already in place for standard keys on the CLI.

GPG keypair management with CLI

Users can now create and modify GPG Keypairs from the CLI, bringing parity to keypair activities which are already in place for standard keys on the CLI.

Adjust auto-renewal of private certificates to within 6 hours of expiry

The certificate auto-renewal process was running too far ahead of the certificate expiry date. We fixed this by checking for certificate expiry every 4 hours and replacing certificates that are enabled for auto-renewal when less than 6 hours remain in the certificate's validity.

Fixes

Certificate auto-renewal process creating multiple certificates and long alias

The certificate auto-renewal process was creating duplicates of renewed certificates and was also causing the certificate alias to become exponentially long. We fixed the duplication issue and adjusted how we rename legacy certificates so that the alias no longer grows exponentially each time the certificate expires.

Support for certificate import when teams feature is enabled

The introduction of the teams feature caused an unexpected issue when importing a certificate while the teams feature was enabled. Users can now import certificates whether the teams feature is enabled or disabled.

Signature or signatures to release mapping issues resolved

Signatures from users who are not part of a release should not count toward the release signature limit, and a user who is not part of a release should not be able to sign with a key when the key is in offline status. This applies to both standard keys and GPG keys.

January 18, 2023

Fixes

Status spinner hangs in account settings

Fixed an issue where uncaught exceptions in the account settings UI caused the status spinner to spin indefinitely.

Issue with release window controls

Fixed an issue where changes made to account settings were not being inherited in release windows.

January 17, 2023

New

GPG Keypair workflows enhancements

To support customers who sign with GPG keyrings, DigiCert® Software Trust Manager (STM) now supports importing GPG secrings into an STM account. This lets you continue signing with assets that are known to your customers and partners. The new workflows capture all signatures to the DigiCert® Software Trust Manager log for improved signing visibility, and support export functionality for customers with multi-person approval structures.

Fixes

Enable private key export for open access keypairs

Private key export was limited to restricted access keys stored on disk. This fix enables all secure disk-stored keys to be exported via the export workflow.

Improve user experience for log export

We have included a UI spinner to show activity when the user makes a request to export logs, a process which can take some time depending on the size of the log.

Known issues

Validation of changes for account settings API

Includes more stringent validation of changes to customers' account settings made via the API.

January 11, 2023

New

Support for instant issuance for public trust code signing certificates from CertCentral

CertCentral introduced support for instant issuance of public trust code signing certificates, CS and EV CS, in late 2022. DigiCert® Software Trust Manager integration now supports auto-issuance of public trust code signing certs. This applies only to organizations which are pre-approved in your CertCentral account when CertCentral is enabled to bypass manual approval, or when the request is made by a verified CertCentral organization contact.

Set up preapproval in CertCentral advanced settings so you can auto-issue public trust code signing certificates via DigiCert® Software Trust Manager.

Integration with Espressif for Secure Boot signing with keys stored in Software Trust Manager

The DigiCert® Software Trust Manager PKCS11 library is now optimized to integrate with the Espressif tool suite to support the Secure Boot (v2) process on the ESP32.

This means customers can create, sign with and manage signing keys stored in DigiCert® Software Trust Manager to ensure the organization's second stage bootloader and binary are both signed and can be verified as trustworthy before being installed on the device.

Software Trust Manager CLI (SMCTL) optimized to support OsslSign on Linux and Mac

The STM command-line interface (CLI) tool can now write sign commands for Authenticode file types using the osslsigncode signing tool. This will help customers who wish to simplify the signing process for Authenticode files and capture metadata relating to signatures on Linux and Mac OS.

The default signing tool for Authenticode file signing using the STM CLI on Linux is Jsign. To select Osslsign, users will need to provide --tool osslsigncode as part of the signing command.

Enhancements

Software Trust Manager CLI (SMCTL) support for teams multi-person approval for offline release windows

The STM command-line interface (CLI) tool now allows customers to request and approve offline release windows for keys which are part of an STM Team which is enforcing multi-person approval. Multi-person approval of offline release windows was released for APIs and UI in December, and we are bringing parity to the CLI in this month's release.

Upgrade of UI to align with most recent platform common components library release

The STM user interface will see many minor enhancements related to the latest and greatest DigiCert ONE UI common component library. This will make the user experience more consistent and provide easier access to common tasks on list pages such as modifying, deleting, and revoking resources such as keys, certs, teams, releases, and profiles.

API documentation on STM portal

The DigiCert® Software Trust Manager API documentation team introduces a revamped version of STM Swagger for APIs to provide more context and content and support a simpler integration experience. The new Swagger API page is available to view under the Resources section of the STM UI.

Fixes

UI spinner fix for audit and signature log export

Fixed the UI experience relating to loading the audit logs and the signature log export page.

Bug fixes for Click-to-sign client

Fixed NuGet signing issues identified after the initial release so as to support NuGet signing in full via the Click-to-sign client.

Minor content changes relating to client tools repository module in the UI.

Minor content changes relating to online documentation.

Known issues

Failed import of public trust code signing certificates from CertCentral

CertCentral introduced support for instant issuance of public trust code signing certificates, CS and EV CS, in late 2022, which caused some certificate imports to fail via the DigiCert® Software Trust Manager integration. DigiCert® Software Trust Manager has now introduced support for all CertCentral issuance workflows regardless of whether CertCentral administrator approval is required. All issued certificates which were not imported will be imported as a result of this fix to resolve any remaining customer issues.