
Try Out Post-Quantum Cryptography for Code Signing With SignServer Community 5.9.1

The newly released SignServer Community 5.9.1 demonstrates Keyfactor’s commitment to the open-source community and features quantum-safe code signing. Read on to learn more.

What's new in SignServer Community 5.9.1?

Today, we are happy to announce the release of SignServer Community 5.9.1 featuring code signing based on post-quantum cryptography (PQC) and more.

Thanks to each and every SignServer Contributor for their work in getting us here! With the new Keyfactor Community program, we wish to give back, learn more, and collaborate more closely with the open-source community. As one way to give back, SignServer Community will be released more often from now on.

Here we’ll take a look at the key features of this new release.

More frequent releases of SignServer Community

Starting with this release, SignServer Community releases will follow the release schedule for the Enterprise Edition, including all major and feature releases. Security updates and minor releases will be handled on a best-effort basis. As a result, SignServer Community will be released at least twice as often. The details of each Community release are specified in the release notes.

Code signing with post-quantum cryptography

As practical quantum computing gets closer, Keyfactor now offers try-it-out post-quantum cryptography (PQC) support for code signing in the latest SignServer Community release.

CMS Signer and Keystore Crypto Token now support the SPHINCS+ algorithm, so you can now experiment with creating post-quantum keys and signatures. This experimental support is suited for proof-of-concept implementations. The generated keys are associated with self-signed post-quantum certificates, also based on the SPHINCS+ post-quantum algorithm.

By leveraging post-quantum signing in SignServer together with the SPHINCS+ algorithm in Bouncy Castle, it is possible to build an end-to-end system for creating and verifying signatures, thereby bringing use cases such as IoT code signing to a stage of post-quantum readiness through crypto agility.

Learn more about what’s going on with post-quantum cryptography, as well as how to prepare for PQC, with certificate issuance, digital signatures, and crypto agility, in our documentation about Post-Quantum Readiness.

Azure Key Vault support

Azure Key Vault is now supported for cloud deployments. A new Crypto Token has been implemented in SignServer Community 5.9.1 that allows you to store and use the signing keys in Azure Key Vault. This Azure Key Vault Crypto Token can thus be used as an alternative to using standard Hardware Security Modules (HSM) or a software keystore.

For more information, see AzureKeyVaultCryptoToken.

DNSSEC support

DNS Security Extensions (DNSSEC) is a useful tool for enhancing trust and integrity by adding security on top of the Domain Name System (DNS).

When DNS, the system for translating human-friendly domain names to IP addresses, was designed in the 1980s, security was not a primary consideration, and DNS has remained an insecure and unauthenticated protocol. The DNS Security Extensions (DNSSEC) add cryptographic signatures to existing DNS records. The signatures are stored in DNS name servers and are used to ensure that the requested DNS record comes from the right source and that it is not altered during transmission.

SignServer Community now supports signing DNS zone files according to the DNSSEC standard using the new signers ZoneFileServerSideSigner, ZoneZipFileServerSideSigner, and ZoneHashSigner.

Get started with SignServer Community

To deploy the latest version of SignServer Community, you can download it from GitHub or SourceForge or run it as containers from DockerHub.

SignServer is available as a free 30-day trial on Azure and AWS marketplaces for those who want to test the additional features of SignServer Enterprise.

See the deployment options on download SignServer.

Follow Keyfactor Community

Do you want to be the first to hear about new developments in the world of open-source software like EJBCA, SignServer, or Bouncy Castle?

Find out more and sign up for the Newsletter:
