
Software Trust Manager

Release notes

October 29, 2024

DigiCert® ONE version: 1.8480.11 | Software Trust Manager: 1.880.0

Enhancements

SBOM management and integration

This release includes enhanced SBOM management features to help users monitor and address software vulnerabilities and license issues, including:

  • SBOM integration

    • Seamless integration with FOSSA for SBOM tracking

  • Risk-based insights

    • Clear visibility into dependency risks and necessary actions

  • SBOM upload

    • Upload and manage SBOMs directly within Software Trust Manager

To learn more, see Upload and analyze an SBOM file.

Keypair lifecycle management – Rekey automation

We’ve added support for keypair rekey automation to streamline certificate replacement workflows and enhance crypto-agility for users.

This update includes:

  • Rekey automation

    • New option to automate rekeying in certificate profiles

  • Algorithm customization

    • Users can select compliant algorithms for rekeying. When using PQC algorithms, if the previous keypair was stored on HSM, then the new keypair will be stored on Disk since HSMs do not currently support PQC algorithms.

  • Compliance

    • Non-compliant options (RSA 2048 or lower) are restricted for public certificate profiles

  • Alias management

    • New keys have unique aliases until the old certificate expires

  • Team controls

    • Team leads can manage rekey permissions within their teams

Audit logging for automatic certificate renewal failures

We’ve introduced audit logging for automatic certificate renewal failures in CertCentral.

Automatic cert renewal failures will now be recorded in the audit log, including the reason for the failure. This information will help users to quickly identify and troubleshoot issues without needing to contact DigiCert Support.

October 23, 2024

DigiCert® ONE version: 1.8480.8 | Software Trust Manager: 1.873.0

Enhancements

Update to certificate template for code signing

We have updated the certificate template for private code signing certificates by adding a new field. The "include": "no" field has been added to the Extended Key Usage (EKU) section. Adding this field ensures that certificates issued from a private trust can exclude the Extended Key Usage field.

The Key Usage field now retains only the Digital Signature (80) value; all other Key Usage values have been removed, so certificates issued from this template carry a more streamlined Key Usage.

This update allows code signing certificates to be issued without the Extended key usage field.

Fixes

Fix for List team resources API

The List team resources API endpoint has been updated to only list resource types that are associated with teams.

Previously, this endpoint would display all resource types, regardless if those resources were associated with teams. This issue would cause inconsistencies with the List available resources endpoint.

This issue has been resolved, ensuring the correct workflow to display only resources associated with a specified team.

Fix for invalid_input_field error in List available resources API

We resolved an issue in the List available resources API endpoint where users would encounter an invalid_input_field error for RELEASE_WINDOW, KEY_ROTATION, and USER resource types.

This issue has been resolved, ensuring the correct workflow to manage these resource types in the API.

Issues with group restrictions

We resolved an issue regarding key pair restrictions. Previously, users in a specified group could neither view nor use keypairs, even if the keypair was correctly restricted to that group.

This issue has been resolved, ensuring the correct workflow to restrict and use keypairs.

October 16, 2024

DigiCert® ONE version: 1.8480.4 | Software Trust Manager: 1.869.0

Enhancements

Updated team-based permission management

We are introducing enhanced control over user / member capabilities for teams, allowing team and account leads to better manage user / member permissions.

This change provides finer-grained access control, ensuring that users / members only perform specific critical operations based on their configured roles and team settings.

This release contains the following high-level updates:

  • New permission controls

    • Team and account leads can now limit user / member capabilities for their teams.

      • These controls are applied locally to each team and can be adjusted per user / member within a team.

  • Critical operations management

    • We have introduced new critical operations relating to:

      • Management permissions (keypairs, certificates, teams)

      • Approval permissions (keypair deletion, certificate revocation, keypair export, offline releases)

  • Permission adjustments

    • By default, users / members can perform critical operations based on their roles and permissions.

    • Team leads can remove or restore critical operation permissions for a user / member within their team.

  • Role-based restrictions

To learn more, see:

Fixes

Issue with adding users to keypair rotations

We resolved an issue involving adding users to a keypair rotation.

This issue has been resolved, ensuring the correct workflow to add users to a keypair rotation.

Issues with selecting an expiry date

We resolved an issue involving selecting an expire date while creating or updating a keypair, a GPG keypair, or a team.

This issue has been resolved, ensuring the correct workflow to select an expiry date.

October 9, 2024

DigiCert® ONE version: 1.8480.2 | Software Trust Manager: 1.865.0

Enhancements

Changes to team management and user groups

In an upcoming release, we will be updating the team management process by focusing solely on individual user assignments.

To support this update, we will be making the following changes in this release:

  • Removing user groups

    • We will be removing the concept of User Groups, only in relation to Teams.

    • User groups will no longer be supported in team creation or updates.

    • If any user groups were previously mapped to teams, they will be automatically removed during updates.

    • APIs and dropdowns will only handle user-to-team mappings, disregarding any existing group mappings.

      • For example, during a keypair generation, dropdowns will only show teams where the user is directly mapped, without considering user groups.

    • Note: This update will not impact users who are mapped directly to teams.

  • Additional changes

    • The release window will no longer allow you to select user groups.

    • Multi-person approval flows will only consider individual users as approvers.

    • Notification emails will only be sent to users directly mapped to the team as approvers.

Fixes

Available patch to support Apple public certificate upload

A manual database patch is now available to support the upload of an Apple public certificate to replace a keypair.

This update allows users to map and replace an existing keypair certificate with a newly uploaded Apple public cert by manually inserting the certificate into the database.

Updated checks for digital signature key usage

For setting up private trust anchors, we have removed the requirement for CA and ICA certificates to have the Digital Signature key usage.

This update allows for more flexibility in certificate hierarchies, particularly for users who use the IMX8 NXP hierarchy.

This update resolves an issue where users were blocked from importing CA and ICA certificates that do not include "Digital Signature" in their private trust hierarchy.

Note: For public trust hierarchy setups, this requirement does not change.

October 3, 2024

DigiCert® ONE version: 1.8480.1 | Software Trust Manager: 1.862.0

Enhancements

Upgraded DigiCert One elements

We have made several minor DigiCert One enhancements to improve the overall user experience across all DigiCert products.

Upgraded client tools and software

To address reported vulnerabilities, we have upgraded certain client tools and software.

Fixes

Issues with displaying Ed25519 size / curve

We resolved an issue involving incorrect sizes / curves being displayed.

In the Account settings page, under Keypairs, the Ed25519 size / curve would incorrectly display even though EdDSA was not listed as a selected algorithm.

This issue has been resolved, ensuring the correct workflow to display valid sizes / curves for selected algorithms.

Issues with test certificates and expiries

We resolved an issue regarding unnecessary pop-up messages.

When creating a test keypair without generating a certificate, a pop-up message would display describing expiry dates. For test keypairs, there is no corresponding expiry flow, rendering the pop-up message as unnecessary.

This issue has been resolved, ensuring the correct workflow to create test keypairs.

Issues with notifications on blocked renewals

We resolved an issue regarding notifications not being sent for revoked API keys.

Without receiving these notifications, users attempting to fetch authorizations would encounter a 403 error in Software Trust Manager logs.

This issue has been resolved, ensuring the correct workflow to receive notifications on blocked renewals.

Issues with deleted keypairs

We resolved an issue where deleted keypairs would inaccurately display in error messages and logs. Instead of displaying the deleted keypairs' alias, the error message and log would display the keypair ID.

This issue has been resolved, ensuring the correct information is displayed in error messages and logs.

September 18, 2024

DigiCert® ONE version: 1.8279.3 | Software Trust Manager: 1.848.0

New

New service tiers for threat detection

We have introduced different service tiers that enable users to select the tier that best meets their threat detection needs.

Currently, there are two types of service tiers, a free service (named Software Assurance Service) and a paid service (named Supply Chain Compromise Risk Assessment Service).

To learn more, see Software binary analysis (SBA) features.

Enhancements

Client tools update to 1.53.0

Version 1.53.0 of SMCTL introduces support for both the Software Assurance Service and the Supply Chain Compromise Risk Assessment Service tiers. This version of SMCTL provides a new --threat-summary flag for the smctl scan rl-scan command.

  • For Supply Chain Compromise Risk Assessment Service, the flag provides detailed scan results, including CVE-IDs and deployment risks.

  • For Software Assurance Service, whether the flag is included or not, only the number of threats will be displayed.

Note

As a result of these enhancements to SMCTL, the following tools have also been updated to version 1.53.0. It is not necessary to update the tools below, as they do not contain additional enhancements:

  • Windows Clients Installer

  • Windows Clients (Portable zip)

  • Windows Clients (Portable tar.gz)

  • Linux Clients (Portable zip)

  • Linux Clients (Portable tar.gz)

  • AIX Clients (Portable zip)

  • AIX Clients (Portable tar.gz)

  • PKCS11 library (32 and 64-bit)

  • KSP library (32 and 64-bit)

  • CSP library (32 and 64-bit)

September 11, 2024

DigiCert® ONE version: 1.8279.2 | Software Trust Manager: 1.843.0

Fixes

Issues with test keypairs and HSM storage

We resolved an issue involving the creation of test keypairs with HSM storage. In this scenario, users were able to select HSM as the key storage for test keypair types. This was an issue because test keypairs should only be stored on disk, not on HSM storage.

This issue has been resolved, ensuring the correct workflow to create test keypairs.

Issues with deleting keypairs

We resolved an issue involving deleting keypairs assigned to a team. In this scenario, after a keypair was deleted, the keypair would still be associated with the team.

This issue has been resolved, ensuring the correct workflow to delete a keypair assigned to a team.

August 28, 2024

DigiCert® ONE version: 1.8094.6 | Software Trust Manager: 1.839.0

Enhancements

RSAPSS SHA256 support for HSM signing

We have introduced support for RSAPSS with SHA-256 for HSM signing.

With this enhanced cryptographic signature scheme, users will benefit from stronger security and improved protection against signature forgery.

Note: Software Trust Manager supports NoneWithRSAPSS on Disk, but not on HSM.

Fixes

Issues with expired GPG keypairs

We resolved an issue where users who attempted to extend an expired GPG keypair would receive an error message (“GPG Keypair is in status EXPIRED and cannot be updated”).

This issue has been resolved, ensuring the correct workflow to extend expired GPG keypairs.

August 21, 2024

DigiCert® ONE version: 1.8094.5 | Software Trust Manager: 1.834.0

Enhancements

Automated GPG keypair management

As part of a larger effort to update the rekey workflow, in this release, we are introducing automated workflows for GPG keypair expiry management.

To enhance security and efficiency in key manager, this update includes:

  • Keypair expiry automation

    • GPG keypairs can now be created with specific expiration dates or no expiry.

  • Automated notifications

    • Users will receive automated notifications 14 days and 7 days before keypair expiry.

  • Automated key expiry

    • GPG keypairs will automatically expire on their configured expiry date, and users will be notified.

To learn more, see GPG keypairs.

Client tools update to 1.52.0

The updated SMCTL supports the creation and editing of GPG keypairs with expiry flags.

The following new fields have been added:

  • --expire-on string

    • Provide the expiry date for the GPG keypair in the format DD-MONTH-YYYY (e.g., 10-May-2024).

    • The keypair will expire at midnight (UTC) on the date selected.

    • Requires: --expiry-type ON_SPECIFIC_DATE

  • --expiry-type string

    • Provide one of the following expiry types (production keypairs only): NO_EXPIRY | ON_SPECIFIC_DATE

Fixes

Issues with updating GPG keypairs

We resolved an issue relating to updating GPG keypairs via SMCTL. While there was no issue when updating via DigiCert ONE, in SMCTL users would receive a 400 error.

This issue has been resolved, ensuring the correct workflow to update a GPG keypair via SMCTL.

August 14, 2024

DigiCert® ONE version: 1.8094.4 | Software Trust Manager: 1.831.01

Enhancements

New CertCentral integration method

We have implemented a new integration method for DigiCert single login users. This method will automatically pull your CertCentral API key, provided that your CertCentral account is already linked to your single login account. This method is easier than existing methods that require you to provide your username and password or API key for your CertCentral account.

Fixes

Issues with switching accounts in the Keypairs page

We resolved an issue affecting users with multiple accounts.

Previously, if a user was on the Keypair list page, then switched accounts, and then selected the Create keypair button, the user would receive an error message.

This issue has been fixed, ensuring the accurate workflow to create a keypair when switching accounts.

Issues with switching accounts in the Account settings page

We resolved an issue affecting users with multiple accounts.

Previously, if a user was on the Account settings page, and then switched accounts, the page would display a fixed set of settings, which would throw an error if a user attempted to edit the page.

This issue has been fixed, ensuring the accurate workflow to view and edit data when switching accounts.

Issues with creating a release

We resolved an issue relating to creating a release for threat detection purposes.

Previously, if a user was creating a release and teams were disabled, then the Create button would be faded out and unclickable.

This issue has been fixed, ensuring the accurate workflow to create a release, despite having teams disabled.

Keypair access adjustment in DigiCert ONE

We have identified and corrected an issue affecting keypair generation via DigiCert ONE when teams are disabled and a user has the Create keypair permission, but not the Manage keypair permission. Previously, keypairs created in this scenario were automatically restricted to the user who created them.

With this update, keypairs generated under these conditions will now be categorized as Open, making them accessible to all users within the account. To restrict access, users can utilize the --restricted flag during keypair creation.

Keypair access with teams

We have identified and corrected an issue affecting keypair access via DigiCert ONE.

Previously, when creating a keypair, if a user selected a team first, followed by selecting Open access, then the keypair would be restricted to the team.

This issue has been fixed, ensuring the accurate workflow to create an open keypair.

Issues with creating open keypairs

We have identified and corrected an issue affecting keypair creation via DigiCert ONE.

Previously, if a user enabled Teams and Keypair profiles, then created a keypair using the keypair profile, and then selected Open access, the Team dropdown would still display, but the Create keypair button would be disabled, forcing the user to create a restricted keypair.

This issue has been fixed, ensuring the accurate workflow to create open keypairs.

Issues with restricted keypair descriptions

We have identified and corrected an issue relating to the description of restricted keypairs.

Previously, there were discrepancies in the information displayed relating to teams, users, and user groups in the Keypairs detailed page, specifically the Access section. In this section, users and user groups (which were mapped from disabled teams) were inaccurately displayed in the Keypairs detailed page.

With this update, only the team associated with the keypair will display in the Keypair detailed page.

July 31, 2024

DigiCert® ONE version: 1.7827.6 | Software Trust Manager: 1.815.0

Enhancements

Delete keypairs from keypair details page

We enhanced our delete keypair workflow. This enhancement enables you to delete keypairs from the keypair details page, in addition to the keypair list page.

Support for SLHDSA algorithm

We enhanced our keypair profile and create keypair workflows to allow for the selection of an alternative quantum-safe algorithm, Secure Lightweight Hash-based Digital Signature Algorithm (SLHDSA). SLHDSA is an innovative approach to cryptographic security, designed to offer robust protection with minimal computational overhead. It leverages lightweight hash-based techniques to ensure security while optimizing performance, making it ideal for resource-constrained environments. With SLHDSA, you can achieve efficient and secure digital signatures that are resistant to both classical and quantum attacks.

SMCTL optimized for performance

We released version 1.51.0 of SMCTL. This version of SMCTL contains optimizations that significantly reduce latency, resulting in faster and smoother signing experiences.

Note

As a result of these enhancements to SMCTL, the following tools have also been updated to version 1.51.0. It is not necessary to update the tools below, as they do not contain additional enhancements:

  • Windows Clients Installer

  • Windows Clients (Portable zip)

  • Windows Clients (Portable tar.gz)

  • Linux Clients (Portable zip)

  • Linux Clients (Portable tar.gz)

  • AIX Clients (Portable zip)

  • AIX Clients (Portable tar.gz)

  • PKCS11 library (32 and 64-bit)

  • KSP library (32 and 64-bit)

  • CSP library (32 and 64-bit)

Fixes

Actions removed for deleted standard and GPG keys

We resolved an issue where keypair actions for deleted standard and GPG keypairs were still accessible to users. Previously, various keypair actions remained visible and clickable for deleted keys, leading to backend errors. With this release, keypair-related actions are removed for deleted GPG and standard keypairs.

July 24, 2024

DigiCert® ONE version: 1.7827.5 | Software Trust Manager: 1.810.0

Fixes

GPG smart card daemon (SCD) updated to version 1.4

We fixed an issue where the GPG smart card daemon (SCD) showed version 1.3 in Software Trust Manager, but users were downloading version 1.4. The Client tool repository now correctly displays version 1.4.

July 18, 2024

DigiCert® ONE version: 1.7827.3 | Software Trust Manager: 1.805.0

Enhancements

Team to project management

We have enhanced the team management functionality to allow users to see and modify how projects are associated with teams. Teams can now be mapped to one or multiple projects, provided the projects have a status of In progress or Paused. You can change project-team associations through the Create and Edit team workflows, either in Software Trust Manager or via the API, provided that you have the Manage all teams or Manage my team permission.

SMCTL supports team to project management

We released version 1.50.0 of SMCTL. This version of SMCTL contains enhancements for handling the new team to project management workflows mentioned above.

Download GPG keyring if subkey is assigned to your team

Users can now download the GPG keyring associated with a subkey that is used for signing and is assigned to their team, even when the master key is not assigned to their team.

Fixes

Failed to download AIX clients (portable tar.gz)

We identified an issue where attempting to download the Software Trust Manager AIX Clients (portable tar.gz) resulted in an error: File wasn't available and Release smtools-aix-ppc64.tar.gz not found. We resolved this issue by releasing version 1.50.0 of Software Trust Manager AIX Clients (portable tar.gz).

Note

As a result of this change, the 64-bit PKCS11 library (for macOS) has also been updated to version 1.50.0. However, updating this tool is not necessary if you are using the previous version.

MFA is not required to access GET teams APIs

Multi-Factor Authentication (MFA) is no longer required to access the GET Teams APIs. This change ensures easier access to these endpoints while maintaining security protocols. The affected endpoints are:

  • <env>/signingmanager/api/v1/teams

  • <env>/signingmanager/api/v1/teams/available-resources

Disk selection in keypair profiles

We identified an issue where the Disk option was shown as undefined when creating a keypair from a keypair profile. This issue has been fixed and the option now works as expected.

Update to storage method in keypair profiles

We identified an issue where users were blocked from changing the keypair storage method when updating keypair profiles. This issue has been fixed and works as expected.

July 3, 2024

DigiCert® ONE version: 1.7827.1 | Software Trust Manager: 1.794.0

New

Delete keypairs from HSM

Account users with Manage keypair permission can now delete standard and GPG keypairs stored on HSM devices. Deleting a keypair frees up an HSM slot, allowing you to store a new keypair in its place.

Enhancements

Special characters in SMCTL sign commands

We have released version 1.49.0 of SMCTL. This version of SMCTL contains enhancements for handling special characters in sign commands, but it still does not support all characters. To avoid errors, remove unsupported characters from file paths before attempting to sign:

  • Supported characters: @ % ( ) - _ = [ ] { } ;

  • Unsupported characters: | ` $ > < # ! ' & + ^

Fixes

Pagination fix in Trust anchors list

We fixed an issue where clicking on any page number in the Trust Anchors list page redirected users back to Page 1. Pagination now works correctly, allowing you to navigate through all pages as expected.

Key expiry alignment for dynamic keypairs

We have fixed an issue where the expiry information for dynamic keypairs was not preserved when these keys were refreshed via API or manually refreshed. Expiry information is now maintained correctly after refreshing dynamic keypairs.

June 26, 2024

DigiCert® ONE version: 1.7645.5 | Software Trust Manager: 1.787.0

New

Undecorated ECDSA signature in SMCTL

You now have the option to perform ECDSA signatures without ASN.1 decoration. From SMCTL version 1.48.0 onward, the smctl sign sign-hash command supports a new flag, --non-decorate-signature. Previously, all ECDSA signatures included ASN.1 decoration. This enhancement is crucial for supporting COSE signatures in the SCITT framework and on other platforms. This change marks the first step towards fully enabling signatures tailored for SCITT.
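The difference between the two signature forms, as an added example that is not SMCTL or DigiCert code: the ASN.1/DER encoding (SEQUENCE of two INTEGERs) is converted to the fixed-width r || s form that COSE expects, and back. The P-256 sample signature is constructed to hit the two cases that naive header stripping gets wrong (a 0x00 sign byte on r, and a short s that must be left-padded).

```python
# Added example (not SMCTL or DigiCert code): converting between the ASN.1/DER
# ECDSA signature and the "undecorated" fixed-width r || s form used by COSE
# (and therefore SCITT). The sample signature below is constructed, not real.

def _read_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: one byte
        return first, pos
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 2 or pos + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def _read_integer(buf: bytes, pos: int):
    """Decode a DER INTEGER and reject the encodings DER forbids."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, pos = _read_length(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid r or s")
    if length > 1 and body[0] == 0x00 and body[1] < 0x80:
        raise ValueError("non-minimal INTEGER encoding (not DER)")
    return int.from_bytes(body, "big"), pos + length

def der_to_raw(der: bytes, coord_len: int) -> bytes:
    """DER SEQUENCE { INTEGER r, INTEGER s } -> r || s, each coord_len bytes."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    seq_len, pos = _read_length(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match input size")
    r, pos = _read_integer(der, pos)
    s, pos = _read_integer(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    for name, value in (("r", r), ("s", s)):
        if value == 0 or value.bit_length() > coord_len * 8:
            raise ValueError(f"{name} is zero or wider than the curve coordinate")
    return r.to_bytes(coord_len, "big") + s.to_bytes(coord_len, "big")

def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _encode_integer(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                     # keep the two's-complement value positive
        body = b"\x00" + body
    return b"\x02" + _encode_length(len(body)) + body

def raw_to_der(raw: bytes) -> bytes:
    """r || s -> DER, the inverse of der_to_raw (for verifiers that expect DER)."""
    if not raw or len(raw) % 2:
        raise ValueError("raw signature must be r || s of equal width")
    half = len(raw) // 2
    r = int.from_bytes(raw[:half], "big")
    s = int.from_bytes(raw[half:], "big")
    if r == 0 or s == 0:
        raise ValueError("r and s must be non-zero")
    body = _encode_integer(r) + _encode_integer(s)
    return b"\x30" + _encode_length(len(body)) + body

# Constructed P-256 sample: r has its top bit set (DER prefixes a 0x00 byte, so
# the INTEGER is 33 bytes) and s is 1 (DER stores a single byte, the raw form
# left-pads it to 32 bytes).
COORD_LEN = 32
R_SAMPLE = (1 << 255) | 1
S_SAMPLE = 1
SAMPLE_DER = bytes.fromhex("3026" "0221" "00" "80" + "00" * 30 + "01" + "020101")
SAMPLE_RAW = R_SAMPLE.to_bytes(COORD_LEN, "big") + S_SAMPLE.to_bytes(COORD_LEN, "big")

if __name__ == "__main__":
    assert der_to_raw(SAMPLE_DER, COORD_LEN) == SAMPLE_RAW
    assert raw_to_der(SAMPLE_RAW) == SAMPLE_DER
    print("raw r||s:", der_to_raw(SAMPLE_DER, COORD_LEN).hex())
```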

Fixes

Error while updating dynamic test keys

We identified a bug that was introduced when keypair expiry was released earlier this year. When a dynamic test keypair was updated, the update failed with the following error: Expiry type NO_EXPIRY is not allowed for test keypairs. This issue has been resolved.

June 19, 2024

DigiCert® ONE version: 1.7645.2 | Software Trust Manager: 1.782.0

Enhancements

Delete team

We added a new feature to allow users with Manage all teams permission to delete any team in the account. When deleting a team, users and any resources such as keypairs, keypair profiles, projects, releases, and threat detection scans associated with the team will be disassociated with the team and become available to assign to an existing team.

Fixes

Team selection during keypair generation

We identified an issue where, when teams were enabled on the account, users with Manage all teams and Generate keypair permission were able to generate keypairs and assign them to any team in the account. This issue has been resolved, and only users with Manage all teams and Manage keypair permission can generate keypairs for any team within the account.

Expiry error for GPG test keys

We identified an issue where GPG test key generation was incorrectly throwing an expiry error, preventing the creation of test keypairs. This has been resolved, and test keypairs can now be generated without encountering expiry restrictions.

Deleted users that are part of user groups

We identified an issue where users who were assigned to a user group, and then deleted in Account Manager were still displaying in the user group. We have fixed this issue, and the deleted users will no longer be displayed in user groups that they previously belonged to.

Note

When a user is deleted in Account Manager, they will be removed from their user groups at the next scheduled update, which happens at 1 AM UTC every day.

June 12, 2024

DigiCert® ONE version: 1.7645.1 | Software Trust Manager: 1.777.0

Enhancements

Notification recipients

We have improved our email notification system. Now, only the users who need to know will receive specific updates about keypairs and certificates. Review the changes below:

Keypair expiry email notifications will be sent to the following recipients:

  • Teams disabled

    • Users with Manage keypair permission receive the email notification when any restricted or open keypair in the account is about to expire.

  • Teams enabled

    • Users with Manage keypair permission receive the email notification when any keypair that is restricted to a team they are part of is about to expire.

    • Users with Manage keypair and Manage all teams permission receive the email notification when any restricted or open keypair in the account is about to expire.

Certificate expiry email notifications will be sent to the following recipients:

  • Teams disabled

    • Users with Manage keypair permission receive the email notification when the default certificate of any restricted or open keypair in the account is about to expire.

  • Teams enabled

    • Users with Manage keypair permission receive the email notification when the default certificate for any keypair that is restricted to a team they are part of is about to expire.

    • Users with Manage keypair and Manage all teams permission receive the email notification when the default certificate for any restricted or open keypair in the account is about to expire.

Certificate auto-renewal email notifications will be sent to the following recipients:

  • Teams disabled

    • Users with Manage keypair permission receive the email notification when a certificate associated with a restricted or open keypair in the account is about to be renewed.

  • Teams enabled

    • Users with Manage keypair permission receive the email notification when a certificate associated with a keypair that is restricted to a team they are part of is about to be renewed.

    • Users with Manage keypair and Manage all teams permission receive the email notification when certificates associated with restricted or open keypairs in the account are about to be renewed.

Certificate auto-renewal blocked email notifications will be sent to the following recipients:

  • Teams disabled

    • Users with Manage keypair permission receive the email notification when certificates associated with restricted or open keypairs in the account are blocked from being auto-renewed.

  • Teams enabled

    • Users with Manage keypair permission receive the email notification when certificates associated with keypairs that are restricted to a team they are part of are blocked from being auto-renewed.

    • Users with Manage keypair and Manage all teams permission receive the email notification when certificates associated with restricted or open keypairs in the account are blocked from being auto-renewed.

Tip

Which user roles have these permissions?

  • Lead

    This user role has both Manage all teams and Manage keypair permissions.

  • Team lead

    This user role has Manage keypair permission.

Fixes

Insufficient privileges to close release

We identified an issue where users were incorrectly shown the Close release option in Software Trust Manager, which resulted in an error: <User ID> does not have permission to close release. This issue has been fixed:

  • Teams disabled

    • Users with Request release permission can close releases that they created.

    • Users with Approve release permission can close any release within the account.

  • Teams enabled

    • Users with Request release or Approve release permission can close releases assigned to a team that they are part of, provided that they created the release, or are part of the release.

    • Users with Manage all teams and Approve release permission can close any release within the account.

    • Users with Manage all teams and Request release permission can close any release in the account, provided that they created the release.

    • Users with Manage my teams and Approve release permission can close releases assigned to a team that they are part of.

    • Users with Manage my teams and Request release permission can close releases assigned to a team that they are part of, provided that they created the release.
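The close-release rules listed above, encoded as one authorization decision so an account lead can check who should see a working Close release action. This is an added example, not DigiCert code: the permission names are the ones on this page, while "part of the release" is modelled as an explicit participants set and all user ids, team names and release ids are constructed.

```python
# Added example (not DigiCert code): the close-release rules as an authorization
# decision. "Part of the release" is an assumption modelled as a participants set;
# user ids, team names and release ids are constructed sample data.
from dataclasses import dataclass

MANAGE_ALL_TEAMS = "Manage all teams"
MANAGE_MY_TEAMS = "Manage my teams"
REQUEST_RELEASE = "Request release"
APPROVE_RELEASE = "Approve release"

@dataclass(frozen=True)
class User:
    user_id: str
    permissions: frozenset
    teams: frozenset = frozenset()         # teams the user is part of

@dataclass(frozen=True)
class Release:
    release_id: str
    created_by: str
    team: str = ""                         # team the release is assigned to ("" when teams are disabled)
    participants: frozenset = frozenset()  # users who are "part of the release" (assumption)

def can_close_release(user: User, release: Release, teams_enabled: bool) -> bool:
    perms = user.permissions
    creator = release.created_by == user.user_id
    has_request = REQUEST_RELEASE in perms
    has_approve = APPROVE_RELEASE in perms

    if not teams_enabled:
        # Approve release closes any release; Request release closes only own releases.
        return has_approve or (has_request and creator)

    in_team = release.team in user.teams
    if MANAGE_ALL_TEAMS in perms:
        # Account-wide: Approve closes any release, Request closes own releases anywhere.
        if has_approve or (has_request and creator):
            return True
    if MANAGE_MY_TEAMS in perms and in_team:
        # Team lead: Approve closes any release in their team, Request only their own.
        if has_approve or (has_request and creator):
            return True
    if in_team and (has_request or has_approve):
        # Ordinary team member: only releases they created or are part of.
        return creator or user.user_id in release.participants
    return False

# Constructed sample account: one release in the "payments" team.
RELEASE = Release("rel-1", created_by="alice", team="payments",
                  participants=frozenset({"bob"}))
ALICE = User("alice", frozenset({REQUEST_RELEASE}), frozenset({"payments"}))  # creator
BOB = User("bob", frozenset({APPROVE_RELEASE}), frozenset({"payments"}))      # participant
CAROL = User("carol", frozenset({APPROVE_RELEASE}), frozenset({"payments"}))  # in team, not part of release
DAVE = User("dave", frozenset({MANAGE_MY_TEAMS, APPROVE_RELEASE}), frozenset({"payments"}))
ERIN = User("erin", frozenset({MANAGE_ALL_TEAMS, REQUEST_RELEASE}))           # did not create it

def decision_matrix(teams_enabled: bool) -> dict:
    """Who may close RELEASE under the given teams setting."""
    return {u.user_id: can_close_release(u, RELEASE, teams_enabled)
            for u in (ALICE, BOB, CAROL, DAVE, ERIN)}

if __name__ == "__main__":
    print("teams enabled: ", decision_matrix(True))
    print("teams disabled:", decision_matrix(False))
```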

Page not found after keypair creation

We fixed an issue where users with the Developer user role, or with Create keypair permission but without Manage keypair permission were directed to a Page not found error after creating a keypair. Now, these users will be correctly returned to the keypair list page.

Unable to import ICA certificates

We have added a fallback mechanism for OCSP requests to ensure that users can import ICA certificates in the Trust anchor tab in Software Trust Manager. Now we will check the certificate status with SHA256 and if it fails, our system will retry using SHA1 to ensure compatibility with OCSP services that still use SHA1. This update helps maintain secure certificate validation and ensures smooth importing of Root and Intermediate certificates.

Deleted users that are part of user groups

We identified an issue where users who were assigned to a user group, and then deleted in Account Manager were still displaying in the user group. We have fixed this issue, and the deleted users will no longer be displayed in user groups that they previously belonged to.

Note

When a user is deleted in Account Manager, they will be removed from their user groups at the next scheduled update, which happens at 1 AM (UTC) every day.

May 22, 2024

DigiCert® ONE version: 1.7460.3 | Software Trust Manager: 1.775.0

Enhancements

Quantum-safe certificates

On February 7, 2024, we enhanced our keypair creation workflows to support the quantum-safe Machine Learning-based Digital Signature Algorithm (MLDSA); however, generating a code signing certificate with an MLDSA keypair was not possible. As of this release, MLDSA certificates can be generated.

Keypair expiry enhancement

We have enabled expiry for standard keypairs to enhance crypto agility and improve security. Standard keypairs can now be set to expire on a specific date, upon certificate expiration, or remain non-expiring as before. Setting expiry dates helps maintain security, ensures compliance with industry standards, and preserves trust in your code's integrity. This update provides more flexibility in managing keypair lifecycles.

Bulk signing enhancements

The initial implementation of the smctl sign command was designed to support signing multiple files from an input folder. At that time, we chose not to make the command fail immediately if signing one of the files failed, anticipating this requirement in future updates. We have now introduced three flags to improve the bulk signing procedure. These flags are: --exit-non-zero-on-fail and --fail-fast.

Team names listed in alphabetical order

Previously, team names in drop-down menus were listed in order of creation. As of this release, team names will be listed alphabetically to enhance the user experience.

Fixes

Issues with switching accounts in the Keypairs page

We resolved an issue affecting users with multiple accounts.

Issues with switching accounts in the Account settings page

We resolved an issue affecting users with multiple accounts.

Issues with creating a release

We resolved an issue relating to creating a release for threat detection purposes.

Keypair access adjustment in DigiCert ONE

We have identified and corrected an issue affecting keypair generation via DigiCert ONE when teams are disabled and a user has the Create keypair permission, but not the Manage keypair permission. Previously, keypairs created in this scenario were automatically restricted to the user who created them.

Expired dynamic keypairs

We fixed an issue where dynamic keypairs were incorrectly expiring after 30 days. Dynamic keypairs are periodically refreshed and should not expire. This issue has now been resolved for all active dynamic keypairs. However, previously expired dynamic keypairs cannot be restored.

Keypair selection in key rotations

We fixed an issue where keypairs not associated with a team were still appearing in the team field when updating key rotations. Now, you will only see and be able to select keypairs that are associated with the team to which the key rotation belongs.

Keypair access with teams

We have identified and corrected an issue affecting keypair access via DigiCert ONE.

Issues with creating open keypairs

We have identified and corrected an issue affecting keypair creation via DigiCert ONE.

Issues with restricted keypair descriptions

We have identified and corrected an issue relating to the description of restricted keypairs.

May 15, 2024

DigiCert® ONE version: 1.7460.2 | Software Trust Manager: 1.771.0

Enhancements

Enhanced visibility for system users

Previously, system users had limited visibility into account information. To better assist the accounts they support, we have extended their permissions to allow them to view:

  • Certificates

  • Certificate profiles

  • Certificate templates

  • CertCentral orders

  • Keypairs

  • Keypair profiles

  • Keypair rotation

  • GPG keys

  • Releases

  • Teams

  • Audit logs

  • Signature logs

Changes to user workflows and permission requirements

For simplified resource management and ease of reference, the following user flows have been implemented based on whether teams are enabled or not.

When teams are disabled on the account, users with:

  • Manage resource permission can view all related resources within the account.

  • View resource permission can view related resources assigned to them or a user group that they are part of.

Tip

Learn more about permissions when teams are disabled.

When teams are enabled on the account, users with:

  • Manage all teams and View resource permission can view all related resources within the account.

  • View resource permission can view related resources assigned to a team that they are part of.

Tip

Learn more about permissions when teams are enabled.

Change to public key download format

We have updated the public key download format for keypairs to conform to RFC 7468.

Previous format:

-----BEGIN EC PUBLIC KEY-----
<content>
-----END EC PUBLIC KEY-----

New format:

-----BEGIN PUBLIC KEY-----
<content>
-----END PUBLIC KEY-----
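The change above is a label change only: in both forms the base64 body is the same DER SubjectPublicKeyInfo structure (RFC 5280), but any script that matches on the literal `EC PUBLIC KEY` label will stop recognising downloaded keys. The following Python is an added example, not code from these release notes or from DigiCert's tools. It builds a constructed sample key (the curve point coordinates are placeholder bytes, not a real P-256 point), writes it in both the previous and the RFC 7468 form, and parses it with a small stdlib-only DER walker that accepts the standard label and, only when explicitly allowed, the legacy one.

```python
import base64
import re

# OIDs used by the constructed sample key (RFC 5480: ecPublicKey on P-256).
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_PRIME256V1 = "1.2.840.10045.3.1.7"

def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag + DER length (short form below 128, long form above) + content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def pem_encode(label: str, der: bytes) -> str:
    """RFC 7468 textual encoding: 64-column base64 between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"

def sample_spki_der() -> bytes:
    """Constructed SubjectPublicKeyInfo; the point bytes are placeholders, not a real curve point."""
    alg = der_tlv(0x30, der_oid(OID_EC_PUBLIC_KEY) + der_oid(OID_PRIME256V1))
    point = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + point))

NEW_FORMAT_PEM = pem_encode("PUBLIC KEY", sample_spki_der())       # label the product now emits
LEGACY_FORMAT_PEM = pem_encode("EC PUBLIC KEY", sample_spki_der())  # previous, non-standard label

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)

def parse_public_key_pem(pem: str, allow_legacy_label: bool = False) -> dict:
    """Validate the PEM label, then walk the SubjectPublicKeyInfo structure."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    begin, body, end = m.groups()
    if begin != end:
        raise ValueError(f"label mismatch: BEGIN {begin} / END {end}")
    if begin != "PUBLIC KEY" and not (begin == "EC PUBLIC KEY" and allow_legacy_label):
        raise ValueError(f"unexpected PEM label {begin!r}")
    der = base64.b64decode("".join(body.split()), validate=True)
    tag, spki, stop = read_tlv(der, 0)
    if tag != 0x30 or stop != len(der):
        raise ValueError("expected exactly one SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)           # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, alg_oid, p = read_tlv(alg, 0)      # algorithm OBJECT IDENTIFIER
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier must begin with an OID")
    params = None                               # optional parameters (namedCurve OID for EC)
    if p < len(alg):
        ptag, param, _ = read_tlv(alg, p)
        params = decode_oid(param) if ptag == 0x06 else None
    tag, bits, _ = read_tlv(spki, pos)          # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    return {"label": begin, "algorithm": decode_oid(alg_oid),
            "parameters": params, "public_key": bits[1:]}

def rejects(pem: str, **kwargs) -> bool:
    """True when the parser refuses the input; used by the checks that follow."""
    try:
        parse_public_key_pem(pem, **kwargs)
    except ValueError:
        return True
    return False
```

The `allow_legacy_label` switch lets a consumer keep reading keys saved under the old label during a migration while still rejecting any other unexpected label outright. The DER walk also checks that the base64 body is exactly one SubjectPublicKeyInfo and that the BIT STRING has zero unused bits, so truncated or trailing data fails closed rather than being silently accepted.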

Fixes

PKCS11 library added to version 1.46.0 of Windows Clients Installer

We identified that the PKCS11 library was unintentionally excluded in version 1.46.0 of the Windows Clients Installer. We have rectified this issue without altering the version number. If you've already installed this version, download it again to ensure you have access to all required client tools.

May 8, 2024

DigiCert® ONE version: 1.7460.1 | Software Trust Manager: 1.770.0

New

Java Cryptography Extension (JCE) library

We added a JCE library to our Client tool repository. JCE is part of the Java Development Kit (JDK) that facilitates digital signing of Java Archive (JAR) files and related artifacts. Using JCE for signing is preferred over PKCS11 and KSP library options due to its compatibility with various operating systems (Windows, Linux, macOS, Solaris, and AIX) and Java architectures, including 64-bit, 32-bit, and ARM processors.

Enhancements

Latest version of rl-deploy

Our client tool packages were updated with the latest version of ReversingLabs' scanning tool called rl-deploy to improve accuracy and consistency between Software Trust Manager and ReversingLabs' portal.

Important

To avoid failed threat detection scans, download version 1.46.0 of Software Trust Manager client tools.

April 3, 2024

DigiCert® ONE version: 1.7277.0 | Software Trust Manager: 1.765.0

Enhancements

Release creation improvement

In the release creation workflow, we've updated the default setting to display only keypairs with associated certificates, enhancing user experience. Users retain the flexibility to view all keypairs by deselecting the filter box if needed, ensuring seamless navigation. This change aims to streamline selection processes while providing greater clarity and efficiency.

Fixes

Incorrect label in import certificate workflow

We have rectified an error in the import certificate workflow where the "Certificate alias" field was incorrectly labeled as "Keypair alias"; it now displays accurately. This fix ensures clarity and accuracy in the workflow for all users.

March 27, 2024

DigiCert® ONE version: 1.7083.5 | Software Trust Manager: 1.761.0

Enhancements

Translation files updated

We updated translation files to enhance multilingual support across the platform, excluding Japanese. These updates ensure improved clarity and consistency for users worldwide. We remain committed to delivering a seamless experience for our diverse user base.

Fixes

User group creation and editing error

We became aware that users were receiving the following error: "Attempt to create duplicate resource. Please check data provided." when attempting to create or update a user group in Software Trust Manager and the API. We have resolved this issue, and users should be able to create and update user groups as expected.

March 20, 2024

DigiCert® ONE version: 1.7083.4 | Software Trust Manager: 1.756.0

Enhancements

Latest version of rl-deploy

Our client tool packages were updated with version 1.3.0.0 of ReversingLabs' scanning tool called rl-deploy to improve accuracy and consistency between Software Trust Manager and ReversingLabs' portal.

Fixes

Keypair restriction for teams

When teams were enabled and a member of a team generated a keypair via SMCTL, the keypair was generated with open access instead of being restricted to the team. This has been corrected: when teams are enabled and a user generates a keypair via SMCTL, the user is required to provide the Team ID so that the keypair's use is restricted to that specific team.

Metadata added for most recent 10,000 Signature logs

We identified that the Excel report generated after downloading via the Most recent 10,000 signature logs method did not include relevant metadata. We fixed this issue, and relevant metadata should now show in these reports.

Healthcheck error updated

When a user ran the smctl healthcheck command and no signing tools were found on their system, the log files listed the following error message: "Error Tools cannot be null." We updated the error message to: "Unable to detect compatible signing tools." to make it clear that the user needs to install third-party signing tools.

Windows certsync error updated

When a user runs the smctl windows certsync command without providing environment variables first, the log files listed a long string of information. We updated the error messages to be more concise: "Error occurred while trying to connect to service. No Host provided in request URL."

March 19, 2024

DigiCert® ONE version: 1.7083.3 | Software Trust Manager: 1.753.0

Enhancements

Version number change for client tools

You may have been notified about a new version of Software Trust Manager client tools; however, if you have already downloaded version 1.44.0 of the Software Trust Manager tools, there is no need to update your client tools to the latest version, as the changes made do not affect Software Trust Manager users.

March 13, 2024

DigiCert® ONE version: 1.7083.2 | Software Trust Manager: 1.751.0

Fixes

Improved scalability and reliability

As an ongoing effort, we have improved the scalability and reliability of Software Trust Manager. These updates ensure seamless operations even during peak usage and provide our users with a more efficient and robust user experience.

March 6, 2024

DigiCert® ONE version: 1.7083.0 | Software Trust Manager: 1.748.0

Enhancements

Optimized download of signature logs

We have addressed the issue of slow downloading for signature logs via the latest 10,000 option as well as the archived signature logs workflows. This change optimizes the download speed and prevents timeout errors.

Optimized SBOM report download

Previously, when users downloaded an SBOM report, Software Trust Manager showed no indicator that the download was in progress. We have enhanced this workflow by disabling the "Download" button after it is clicked and displaying a spinner to assure users that the download is in progress. This enhancement also prevents users from unnecessarily clicking the download button multiple times and duplicating the SBOM reports.

Fixes

Deleted certificates no longer display in certificate store

Deleted certificates were still listed in the Windows certificate store even after running the smctl windows certsync command. We have fixed this issue, and deleted certificates should no longer display in the certificate store after running the smctl windows certsync command.

CSP library now supports SHA1 digest signature algorithm

The 32-bit and 64-bit CSP library had an issue preventing users from using the SHA1 digest signature algorithm. This has been resolved, and users should now be able to use the SHA1 digest signature algorithm via the CSP library. This change was made on the server side and does not require you to upgrade to a newer version of the CSP library.

February 29, 2024

DigiCert® ONE version: 1.6887.5 | Software Trust Manager: 1.742.0

New

32-bit version of PKCS11 library

We have developed a 32-bit version of our PKCS11 library. This version allows users to utilize our PKCS11 tool on 32-bit Windows and Linux systems, enabling them to sign Java applications in a 32-bit environment. This new version is available for download from Software Trust Manager client tool repository.

Enhancements

Certificate generation permissions

It is mandatory to select a certificate profile when generating a certificate. Previously, users needed both Generate certificate and View certificate profile permissions to successfully generate a certificate. We have streamlined the workflow by removing the requirement for the View certificate profile permission when generating a certificate. Users can now generate certificates and select certificate profiles if they only have the Generate certificate permission. This change reduces errors for users with custom roles, since it was not intuitive that the View certificate profile permission was required for certificate generation.

SBOM signing commands support keypair aliases

Previously, SBOM signing commands only supported keypair IDs. Now, we've expanded support to include keypair aliases as well. Keypair aliases offer users a more intuitive and user-friendly option, making SBOM signing commands easier to remember and use.

Invalid characters in release names

Previously, users encountered errors when adding any characters other than letters, numbers, ., _, or - in Release names. This error blocked users from creating a release but did not advise which characters were allowed. In response, we have introduced a tooltip within the Create release workflow, providing users with guidance on the allowed characters and format.

Fixes

Keypairs assigned to team in Release workflows

We have resolved an issue where attempting to view keypairs assigned to your team during the Release creation process resulted in an error. Now, users can seamlessly select keypairs associated with a team without encountering errors. This improvement ensures a smoother experience when creating Releases, with all relevant keypairs readily available for selection.

Key algorithms selection in Account settings

We identified an issue where users were unable to enable specific key algorithms in Account settings. This problem has been resolved, and the workflow should now function as expected. Users can once again seamlessly choose their preferred key algorithms in the Account settings.

February 21, 2024

DigiCert® ONE version: 1.6887.3 | Software Trust Manager: 1.735.0

Enhancements

Quantum-safe algorithms

We enhanced our keypair profile workflows to allow for selection of the quantum-safe algorithm, Machine Learning-based Digital Signature Algorithm (MLDSA). MLDSA is a cutting-edge approach to cryptographic security. It utilizes advanced machine learning techniques to continuously adapt and enhance security measures, providing adaptive protection against emerging threats.

Archived signature logs

We have addressed delays in loading on the archived signature logs page by removing the Total number of signature logs field as well as the Number of records column. Each report consistently contains 10,000 unfiltered signature events. However, the most recent report reflects the delta of events since the last archival, potentially deviating from the standard 10,000 events. This change ensures a smoother user experience while maintaining transparency and accuracy in reporting.

Fixes

KSP list command for SMCTL

We identified an issue with the smctl windows ksp list command, which resulted in the output only showing the first letter of the storage providers. We have fixed this issue and the command output should display with the full names, as expected.

February 14, 2024

DigiCert® ONE version: 1.6887.2 | Software Trust Manager: 1.731.0

New

SHA-384 signature algorithm ICAs

CertCentral now issues certificates off SHA-384 signature algorithm ICAs. While previously limited to SHA-256, this update enables users to utilize SHA-384 signatures based on their CA and ICA settings within CertCentral. Users can seamlessly leverage this feature to further strengthen their certificate management workflows.

Fixes

Hidden keypair profiles

We identified that system-scope keypair profiles, which should be visible in all Software Trust Manager accounts, were hidden. We have fixed this issue, and they should now be accessible in all accounts.

Hidden security level for keypair profiles

During keypair generation, the security level associated with the keypair profile selected was hidden. We have resolved this issue and the security level should display as expected.

February 8, 2024

DigiCert® ONE version: 1.6887.1 | Software Trust Manager: 1.724.0

Fixes

Client tool download via API and plugins

We identified an issue preventing the download of Software Trust Manager client tools via the no authentication API endpoint: /signingmanager/api-ui/v1/releases/noauth/{releaseName}/download and CI/CD plugins. We have fixed this issue and users should be able to successfully download our client tools using the endpoint referred to above and Software Trust Manager plugins.

February 7, 2024

DigiCert® ONE version: 1.6887.0 | Software Trust Manager: 1.723.0

Enhancements

Quantum-safe algorithms

We enhanced our keypair creation workflows to allow for the selection of the quantum-safe algorithm, Machine Learning-based Digital Signature Algorithm (MLDSA). MLDSA is a cutting-edge approach to cryptographic security. It utilizes advanced machine learning techniques to continuously adapt and enhance security measures, providing adaptive protection against emerging threats.

SBOM signing

We enhanced our command line interface (CLI), Signing Manager Controller (SMCTL) to support CycloneDX and SPDX SBOM signing and verification using in-toto. SBOM signing enables users to securely sign their SBOMs, providing assurance of their authenticity and integrity throughout the software supply chain. Additionally, SBOM verification ensures that received SBOMs have not been tampered with, enhancing trust and mitigating the risk of supply chain attacks.

Hash signing

Building on existing binary signing workflows, we enhanced our command line interface (CLI), Signing Manager Controller (SMCTL) to support hash signing. Hash signing ensures data integrity by generating unique cryptographic signatures for files, offering an extra layer of security against tampering and unauthorized modifications throughout the software distribution process.

Fixes

Projects

We identified and fixed two issues relating to our Projects feature. Previously, system users encountered difficulties loading the projects page; we have resolved this, and it should now load as expected. Additionally, the "Create project" button was displayed in the UI for users who did not have the required permissions assigned. We have rectified this by removing the button for users who do not have the necessary permissions to perform this action.

February 1, 2024

DigiCert® ONE version: 1.6665.7 | Software Trust Manager: 1.717.0

Enhancements

API changes for system users requesting signature logs

We have improved our API for system users. As of this release, it is mandatory for system users to provide an account ID when retrieving signature logs. This change ensures that users can access logs for a specified account rather than receiving data for all accessible accounts. This enhancement allows for more efficient workflow management.

Search functionality in drop-down menus

We have enhanced the drop-down menus in existing workflows to include a search functionality to speed up the selection process. The search functionality has been applied to the following workflows:

  • Generate a certificate

  • Create a certificate profile

  • Create a release

  • Create a GPG subkey

January 24, 2024

DigiCert® ONE version: 1.6665.5 | Software Trust Manager: 1.714.0

Enhancements

Keypair profile

We made changes to how keypair profiles are organized. Previously, when you created a new keypair profile, it appeared at the bottom of the list, potentially causing inconvenience. Now, to streamline your experience, newly created keypair profiles will automatically populate at the top of the list for easier access and better visibility.

January 10, 2024

DigiCert® ONE version: 1.6665.2 | Software Trust Manager: 1.709.0

Enhancements

API validation of hashes

We enhanced input validation for hashes provided at the time of signing with keypairs stored on disk via the Software Trust Manager REST API.

January 3, 2024

DigiCert® ONE version: 1.6665.1 | Software Trust Manager: 1.705.0

Enhancements

Archived signature log performance optimization

We have enhanced the user interface (UI) pages for archived signature logs in Software Trust Manager, significantly improving their load time.

Previously, users with large log volumes experienced timeouts when accessing archived logs. This release should eliminate those timeouts. Additional optimizations of other aspects of the signature logs workflow are in progress to further improve the user experience.