Software Trust Manager

We added retry logic for backend and timestamp service calls to make the signing process more resilient to failures.

We enabled support for the duration parameter on the /api/v2/signatures endpoint, which allows for greater control over signing behavior.

We improved the validation process for release window to prevent signing failures when using the same keypair across multiple service users.

With this release, the system now allows overlapping release windows only when assigned users don't overlap, ensuring predictable signing behavior while preserving flexibility.

We fixed an issue where the Created By and CreatedByName fields in signing logs would show inconsistent values (such as GUIDs, usernames, or nicknames).

With this release, these fields behave consistently, improving reliability for automation, reporting, and reconciliation workflows.

We fixed an issue where the API key name was incorrectly displayed as the KeyLocker signer.

With this release, the signing logs and DigiCert ONE correctly display the signer’s name.

We fixed an issue where APPX simple signing would fail when packages contained non-PE files or filenames with spaces.

With this release, signing succeeds with the latest smctl version.

We fixed an issue where OVA files signed using simple signing would fail the verification process due to strict file ordering requirements.

With this release, OVA signing and verification now complete successfully.

We fixed an issue where the getTeamById API would incorrectly require an testaccount_id parameter, even when the API key was only associated with a single account.

With this release, the API call behaves as expected.

We resolved an issue where signing applications contained OpenSSL vulnerabilities.

With this release, the latest Click-to-Sign includes updated libraries with no known vulnerabilities.

In this release, we are introducing a GitHub Actions that brings secure, automated container signing to your CI/CD pipelines.

Using Software Trust with CoSign, Container signing with DigiCert® Software Trust Manager ensures containers are signed with protected, PKCS#11-backed keys without ever exposing private key material.

Review the following features:

This action makes it simple for teams to strengthen supply chain security, comply with signing requirements, and ship trusted containers across environments.

To learn more and get started, review the document in GitHub.

In our API system, users can now filter for the latest audit logs and signature logs using the duration parameter. This update provides more precise and efficient log retrieval.

We have added support for configuring custom Certificate Common Names (CN) and Object Identifiers (OIDs) for private code-signing certificates, which enables HAB4 Secure Boot use cases.

With this release, users can now:

Additionally, clear validation and error messaging ensure custom values are only used with supported templates.

In this release, inactive system scope keypair profiles are now hidden from the view of account scope users. This update reduces confusion and prevents irrelevant profiles from appearing in customer views.

We resolved an issue where a Null Pointer Exception triggered a 5xx error during signing.

In this release, the signing flow now properly validates the signature algorithm, adds null checks, and returns a clear error message when an unsupported or missing sig_alg is entered.

Code signing using DigiCert® Software Trust Manager with GitHub Actions is a streamlined, keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows, Linux, and Mac.

This action delivers a dramatically improved code signing experience, richer automation, and broader platform support.

Review the following features of this action:

To learn more, see Code signing with DigiCert Software Trust Manager in GitHub.

We resolved an issue where the SMCTL healthcheck command wouldn’t add an entry to the database when signing tools weren't present. For macOS, signing tools were never returned even when available.

With this release, the SMCTL healthcheck command now correctly logs database entries across all OSes, even when signing tools are absent.

We resolved an issue where the Create certificate profile section in DigiCert ONE would incorrectly display CAs that were in a pending state.

With this release, the corresponding dropdown only displays CAs that have been issued, preventing users from selecting CAs that are not yet active.

We resolved a linking and redirecting issue where DigiCert ONE users would be taken to the wrong DigiCert® Software Trust Manager REST API site.

We resolved an issue where CertCentral connector details could not be retrieved from migrated Software Trust accounts in production.

The DigiCert ONE Clients now supports DigiCert KeyLocker. This mean DigiCert KeyLocker, in addition to Software Trust Manager and Trust Lifecycle Manager users can use the app to download, automate configuration, and keep their client tools up-to-date.

This release contains various internal enhancements and improvements.

We updated our endpoint URL for Code signing with Software Trust Manager on GitHub marketplace from demo.one.digicert.com to one.digicert.com to ensure improvement in High Availability and monitoring by the DigiCert​​®​​ support team.

To view these release notes in GitHub, see Releases / v1.1.1.

On September 12, 2025, at 10:00 MDT (16:00 UTC), DigiCert will add new IP addresses for inbound requests using the Client authentication endpoint (clientauth.one.digicert.com).

To ensure proper connectivity for your client tools, you or your customers need to add the following IP addresses to applicable allowlists and firewall rules:

We resolved an issue that prevented users from importing ECDSA P521 certificates using the Import certificate option in DigiCert ONE.

We resolved an issue that prevented system users from enabling or disabling certificate profiles.

We resolved an issues that prevented users from importing ECDSA P521 GPG secring files.

We resolved an issue where a CertCentral UNPROCESSABLE_ENTITY return status would cause Software Trust to throw an exception and roll back the saved order data.

With this release, Software Trust maintains the CertCentral order data, even when processing is delayed, ensuring better traceability and customer onboarding continuity.

In a previous release, we updated the keypairs/{keypair_id} REST API; however, that update resulted in missing fields.

With this release, the previously missing fields have been restored, helping users to validate certificate status and expiration as part of their signing workflows.

In the Software Trust section of DigiCert ONE, we have made significant style updates to the platform to improve the user experience, including:

We will continue making additional design and styles changes in future releases.

For Releases, in the Consolidated view section, we resolved an issue where the Fetch scan and update view action would fail.

This issue has been resolved, ensuring the correct workflow to manually sync data in the Consolidated view page.

We have added two flags that allow users to sign without the need of third-party tools or libraries:

--simple

--unsigned

To learn more, see Sign binary commands.

We have improved how Software Trust detects and alerts on newly introduced risks in your tracked software dependencies. In this release, we have made the following improvements:

DigiCert must perform maintenance affecting DigiCert® Software Trust Manager, DigiCert® Document Trust Manager, and the PrimoSign signing service in our DigiCert® ONE USA location during scheduled maintenance on July 12, 2025, 22:00 – 24:00 MDT (July 13, 04:00 – 06:00 UTC). For more details, refer to the DigiCert Global 2025 maintenance schedule.

During this time, the Software Trust Manager and Document Trust Manager will be down for approximately 10 minutes, and the PrimoSign signing service will be down for approximately 30 minutes.

Services will be restored as soon as we complete our maintenance.

How does this affect me?

Affected services

What can I do?

Plan accordingly:

We apologize for any inconvenience. If you have questions or concerns, please contact your account manager or PKI Support | DigiCert.

After July 9, 2025, we will be deprecating the new_max_signatures parameter relating to Release windows APIs. With this deprecation, only the max_signatures parameter will be supported to update signature limits.

As a result of this deprecation, if your integration currently uses new_max_signatures, then you must update your integration to use max_signatures to ensure continued functionality.

With this release, the finalized version of the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) selected by the National Institute of Standards and Technology (NIST) is now supported.

DigiCert must perform maintenance affecting DigiCert® Software Trust Manager, DigiCert® Document Trust Manager, and the PrimoSign signing service in our DigiCert® ONE USA location during scheduled maintenance on July 12, 2025, 22:00 – 24:00 MDT (July 13, 04:00 – 06:00 UTC). For more details, refer to the DigiCert Global 2025 maintenance schedule.

During this time, the Software Trust Manager and Document Trust Manager will be down for approximately 10 minutes, and the PrimoSign signing service will be down for approximately 30 minutes.

Services will be restored as soon as we complete our maintenance.

How does this affect me?

Affected services

What can I do?

Plan accordingly:

We apologize for any inconvenience. If you have questions or concerns, please contact your account manager or PKI Support | DigiCert.

After July 9, 2025, we will be deprecating the new_max_signatures parameter relating to Release windows APIs. With this deprecation, only the max_signatures parameter will be supported to update signature limits.

As a result of this deprecation, if your integration currently uses new_max_signatures, then you must update your integration to use max_signatures to ensure continued functionality.

We have made various minor improvements to the DigiCert ONE platform.

In CertCentral, ECDSA P-521 key curves are not supported. As a result, with this release CertCentral profiles will not display when users select the ECDSA P-521 key curve.

This update improves the user experience by avoiding unsupported configuration paths.

After July 9, 2025, we will be deprecating the new_max_signatures parameter relating to Release windows APIs. With this deprecation, only the max_signatures parameter will be supported to update signature limits.

As a result of this deprecation, if your integration currently uses new_max_signatures, then you must update your integration to use max_signatures to ensure continued functionality.

We have added new flags for SMCTL that allow users to define the application name in User Account Control (UAC) prompts.

This enhancement also enforces UTF-8 encoding to prevent character display issues, particularly on systems using Japanese language settings.

We have added the following flags:

In DigiCert ONE, the Client tool repository page has been updated to indicate that DigiCert Click-to-sign now supports Windows 11, in addition to Windows 10.

We have added support for the ECDSA P-521 key curve in Software Trust Manager’s Account settings.

This enhancement aligns Software Trust with Trust Lifecycle Manager and IoT Trust Manager, ensuring consistent curve availability across DigiCert managers.

We fixed an issue where the Signature used graph displayed incorrect projections.

With this release, usage calculations now reflect accurate average monthly consumption to support reliable forecasting.

We resolved an issue where updating a certificate profile for CertCentral profiles caused previously entered values to be removed.

Additionally, we have adjusted the behavior of skip approvals and production / test options, as these features only apply when creating a profile, not when updating a profile.

We resolved an issue that prevented users from updating an existing keypair profile using the ECDSA algorithm.

With this update, users can now update keypair profiles with all supported ECDSA key curve combinations.

In this release, we have addressed the following issues:

To view these release notes in GitHub, see Releases / v1.0.1.

We resolved an issue where certificate profiles using the CertCentral enrollment method could not be opened, nor edited.

With this release, CertCentral profiles can now be accessed as expected.

We resolved an issue where certificate profiles created via the API could not be edited in DigiCert ONE, specifically when values were passed as strings instead of arrays.

With this release, certificate profiles can now be successfully edited, regardless of how the values are formatted.

We resolved an issue where the Dashboard page displayed an incorrect number of production signature units when the Contract term start time was set to 12:00AM instead of 00:00AM.

With this release, signature usage data is now accurately displayed when changing Contract term start times.

We resolved an issue where the Requester filter on the Project details page was not updating the filtered output correctly.

We resolved an issue that prevented keypair profiles with a Disabled status from appearing in the GET API response and in DigiCert ONE.

We resolved an issue where audit logs for downloaded reports were not displaying in the Audit logs page.

We resolved an issue where creating a service user resulted in duplicate entries in the user table with different authentication types.

We resolved an issue where the list of approvers was incorrectly cached and failed to update when switching between keypairs for deletion.

We resolved an issue where the Open option under Access was disabled specifically during the GPG master key creation process.

We resolved an issue where the smksp_cert_sync.exe process was failing during execution.

We resolved an issue affecting PKCS#11 client tool commands, specifically the following commands: p11cat, p11ls, p11more, and p11od.

For the recently launched AI Assist chatbot, we have updated a link that takes users to the DigiCert product docs, which explains how to best engage with the chatbot.

To learn more, see Ask AI Assist for help.

AI Assist is a new AI-powered chatbot designed to help DigiCert​​®​​ Software Trust Manager administrators. It provides answers to product usage, onboarding, configuration, installation, and API integration queries by sourcing relevant information from our documentation websites: DigiCert product documentation, DigiCert developer portal, and DigiCert ONE.

Features of the AI chatbot:

Where can I find the AI chatbot?

You can access AI Assist by selecting the question mark in the top-right corner of the DigiCert​​®​​ Software Trust Manager administration screen. The chatbot will open on the same screen.

Who can use the AI chatbot?

AI Assist is available to all DigiCert​​®​​ Software Trust Manager users with Account Admin access.

Can I chat with live customer support?

No, AI Assist does not support live chat with customer support. For assistance, contact support via email, phone, or a support ticket.

To learn more, see Ask AI Assist for help.

We have added the ability to filter for deleted scans in the Threat detection page.

With this release, deleted scans are now viewable using a new filter (Deleted); however, deleted scans remain excluded from the default view scans.

We resolved an issue where users could create a keypair using a keypair profile from a different team if the profile was selected before selecting the team.

With this release, the keypair profile list now correctly filters based on the selected team.

We resolved an issue where details for keypair profiles would remain visible, even after the profile was unselected.

We resolved an issue where valid user groups were not displaying in various keypair-related pages.

We have made several updates to the SBOM merge workflow to improve the overall user experience, including:

We resolved an issue where the Threat detection video would briefly appear before the page fully loaded.

With this update, the video no longer flashes as the page refreshes.

We resolved an issue where selecting the Create keypair button would incorrectly take users to the Email Support page.

This issue has been resolved, ensuring the correct workflow when selecting the Create keypair button.

We have updated the alert on the Client tools repository page to clearly indicate that the displayed version refers to DigiCert ONE Clients.

This clarification helps avoid confusion with other DigiCert client versions.

We resolved an issue where users who were removed from a team would encounter undefined errors on the Team details page.

The platform now redirects these users to the Teams list page.

When updating a team, we have added a loader icon to clearly indicate that the platform is actively saving changes.

Previously, users would select the Save button multiple times without knowing if the changes were being saved.

When creating a release, we resolved an issue where the dropdown would display users who didn’t have the correct permissions.

With this update, the dropdown only displays users with the correct permissions.

In DigiCert ONE, we moved the cards for DigiCert ONE Clients to the top of the Client tool repository page for increased visibility.

With this release, users in a pending state can be added to a team, allowing configurations before a user is fully activated.

Note: Pending users are not included in validation workflows, such as release approvals or keypair exports.

If a user’s view cannot be identified based on the user agent, then the unidentified user agent will default to the describe view.

For ReversingLabs-related threat detection scanning, there was an issue with displaying data in the Files impacted section.

This issue has been resolved, ensuring that the Files impacted section correctly displays data related to threat risks, deployment risks, and CVEs.

We increased the volume limit when mapping and displaying user groups and keypairs.

Previously, we only supported mapping keypairs to 20 of the most recent user groups.

With this release, users can now map all user groups to keypairs.

We have launched a new type of release notes specific to the DigiCert ONE Platform.

This new page will include information about features that apply to many or all parts of the DigiCert ONE Platform.

To learn more, see DigiCert ONE Platform.

We have released the DigiCert ONE​​ Clients app for Windows and Mac users.

In the DigiCert ONE Platform, the Client tool repository page has been updated with two new installers:

The DigiCert ONE​​ Clients application provides a streamlined approach to manage all Software Trust clients and libraries, including:

To learn more, see DigiCert ONE Clients.

In a previous release, we introduced the ability to create a consolidated view of multiple threat detection scans.

With this release, we have made several enhancements and improvements:

We resolved an issue where users were unable to add a scan to a release window if the scan was previously mapped to another project.

With this update, users can now successfully add scans across projects while maintaining mapping integrity.

In the Client tool repository page, we have updated the cards so that only the card header is a clickable link.

Previously, the entire card was a clickable link.

We have made critical fixes to our Jenkins plugins to enhance stability and improve error handling when running on remote agents.

For the GPG Sign plugin, we:

For the Code Sign plugin, we:

We have resolved an issue that prevented users from signing .jar files using the JCE method with Java 8.

Previously, attempts to sign using the documented jarsigner command failed, despite JCE method support for Java 8.

With this update, we have ensured compatibility of the JCE signing method with Java 8.

Notes:

With this release, users can now create a consolidated view of various threat detection scans.

A consolidated view combines results from multiple scans across different projects to provide a clear and unified view of vulnerabilities and licensing issues in your software.

To learn more, see Create a consolidated view of threat detection scans.

To address detected vulnerabilities, we have updated rl-deploy to the latest version for Windows and Linux.

For Windows and Linux, rl-deploy has been updated to version 2.2.8.0.

In the Import trust anchor certificate page, we resolved an issue where the Upload function was displaying incorrectly.

This issue has been resolved, ensuring that Upload displays correctly.

In the Keypair profiles detail page, we resolved an issue where the data point Type would display twice in the status bar.

This issue has been resoled, ensuring that Type only displays once.

We resolved an issue where the Client tools page failed to load for system users, preventing access to the downloads section. The system was incorrectly requiring an account ID, resulting in an Account not found error.

With this update, system and account scope users can access client tools as expected.

Users in DCONE Global with OneLogin can now choose from a list of mapped CertCentral accounts in OneLogin to create a CertCentral connector in Software Trust Manager, instead of being restricted to the default or primary account.

This update ensures that users can select the appropriate CertCentral account to obtain public trust certificates from accounts mapped to their OneLogin.

We have enhanced the JWT authentication workflow to include friendly_name as part of the user object in the security context.

Previously, for users with a first and last name, this information was used for logging, user identification, and health check details. However, for service users without a first or last name, tracking was limited because friendly_name was not utilized.

With this update, when a user's first and last name are not available, the system will now use friendly_name for tracking.

This update ensures consistent and accurate logging, user identification, and health check data for both regular users and service users.

We resolved an issue where users were unable to add Intermediate Certificate Authority (ICA) certificates in the Trust anchor certificates page.

This issue has been resolved, ensuring the correct workflow to add ICA certificates.

Customers using Luna HSMs can now map keys to the Keypair listing page, enabling secure signing workflows while also displaying details about the keypair.

To learn more, see Discover keys on HSMs.

On the Account settings and Certificate details pages, the edit button has been updated.

With this release, the edit button is separated from the title of the page and is positioned on the right side. This update ensures consistency across other Software Trust Manager pages.

Previously, clicking the edit button would collapse the entire section.

We resolved an issue in the macOS SMCTL for code signing where the --deep flag was being utilized, even when the flag was explicitly set to false.

With this update, the --deep flag is used by default, but follows the correct workflow when set to false.

With this update, you can assign (map) existing threat detection scans to a release.

Assigning scan a to a release ensures that scan data is managed based on the security policies and rules configured within the release window.

To learn more, see Assign a threat detection scan to a release.

We have introduced support for the following RSA PSS algorithms for certificate templates:

With this release, the /signingmanager/api/v1/keypair-profiles/<Keypair-Profile-ID> endpoint now strictly validates account_id to ensure accurate keypair profile access.

To complement this update, review the following changes:

This update addresses a detected bug and improves overall security with accessing keypair profiles

We fixed an issue that users encountered when creating a release after interacting with GPG keypairs. Specifically, if a user selected a GPG keypair for a release, removed it, and then attempted to add another GPG keypair, the certificate selection would incorrectly become enabled. This issue led to errors during the release creation process.

With this update, removing a GPG keypair from a release no longer enables certificate selection, ensuring the correct workflow for managing GPG keypairs.

We resolved an issue in the Create certificate profile page where if users selected a certificate template that generated a backend error, the page would become unresponsive.

With this update, the page automatically refreshes and returns users to the Create certificate profile page.

To provide clarity for users creating test keypairs, we added the following text below the Test option in the Create keypair page: Test keypairs expires after 30 days.

We resolved an issue where users who added columns to the Certificates page were unable to horizontally scroll and view the newly added columns.

With this update, users can horizontally scroll to view additional columns.

We resolved an issue where users who had a certificate profile with auto-renewal were unable to update the rekey setting from yes to no.

This update ensures the correct workflow to update the rekey setting.

We resolved an issue where assigning a keypair to a team using the update --team-id command in SMCTL would not update the access status of the keypair. The keypair would remain open, even after being restricted to a team.

With this update, users can use the update --team-id command to assign keypairs to teams and enforce desired access restrictions.

We have updated the Jenkins plugin for code signing to address critical issues relating to non-master Jenkins nodes (slave agents).

With this update, we have:

Additionally:

Users running Jenkins versions 2.414.x and 2.426.x on setups with dynamic agent environments should upgrade to version 15.v57c7ff9398ea for improved stability and compatibility.

The Azure DevOps plugins for Software Trust Manager have been updated to address warnings related to the use of an end-of-life Node.js version 10.

With this update, we have:

We resolved an issue where the health check functionality would fail after the account id field was made mandatory in certain API requests.

This issue has been resolved. The health check API (api/v1/health/extensive) now works correctly without requiring an account id.