From df7204ca1228096cdd61d587fddb2a0f60efb71d Mon Sep 17 00:00:00 2001 From: Ulrich Buchgraber Date: Fri, 12 Dec 2025 14:04:06 +0100 Subject: [PATCH 1/5] Add change logs for 1.202 and add RPM signing docs --- docs/_data/changelog.yml | 21 ++++++++++++ docs/_data/editions.yml | 4 +++ docs/_data/tables/artifact-configuration.yml | 5 +++ docs/artifact-configuration/reference.md | 34 ++++++++++++++++++++ 4 files changed, 64 insertions(+) diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml index 13caba9..b2f63f7 100644 --- a/docs/_data/changelog.yml +++ b/docs/_data/changelog.yml @@ -1,3 +1,24 @@ +- date: '2025-12-16' + updates: + application: + version: 1.202.0 + new_features: + - text: |- + Added support for file-based RPM Package Manager (`.rpm`) signing via [``](/artifact-configuration/reference#rpm-sign). + issues: [SIGN-8134, SIGN-8162] + improvements: + - text: | + ??? + issues: [SIGN-8171] + - text: | + Improved the history view on the organization details page (added a few missing fields). + issues: [SIGN-8172] + self_hosted_installations: + version: 1.202.0 + upgrade_information: + - text: |- + All Windows containers switched from Windows Server 2019 to 2022 base images. Before starting the upgrade, ensure that your Kubernetes cluster has ready Windows Server 2022 worker nodes available. + issues: [SIGN-8113] - date: '2025-12-02' updates: application: diff --git a/docs/_data/editions.yml b/docs/_data/editions.yml index ccfd059..cd72477 100644 --- a/docs/_data/editions.yml +++ b/docs/_data/editions.yml @@ -23,6 +23,7 @@ nuget: true android: true java: false + rpm: false office_macros: false xml: false docker: false @@ -92,6 +93,7 @@ nuget: true android: true java: true + rpm: false office_macros: false xml: false docker: false @@ -156,6 +158,7 @@ nuget: true android: true java: true + rpm: true office_macros: true xml: true docker: true @@ -277,6 +280,7 @@ nuget: true android: true java: true + rpm: true office_macros: false xml: false docker: true 
diff --git a/docs/_data/tables/artifact-configuration.yml b/docs/_data/tables/artifact-configuration.yml index cb0a3f3..be82c7b 100644 --- a/docs/_data/tables/artifact-configuration.yml +++ b/docs/_data/tables/artifact-configuration.yml @@ -70,6 +70,11 @@ signing-file-elements: directive: "[``](#jar-sign)" extensions: ".jar, .war, .ear, .apk, .aab" description: "Java archives and Android apps. (Not available for Code Signing Starter.)" + - element: "``" + isComposite: "Yes" + directive: "[``](#rpm-sign)" + extensions: ".rpm" + description: "RPM Package Manager files (available for Advanced Code Signing)" - element: "[``](syntax#zip-file-element)" isComposite: "Yes" directive: "[``](#jar-sign)" diff --git a/docs/artifact-configuration/reference.md b/docs/artifact-configuration/reference.md index 0c59f2b..4e3cda2 100644 --- a/docs/artifact-configuration/reference.md +++ b/docs/artifact-configuration/reference.md @@ -46,6 +46,7 @@ Since the file's format does not change, the unsigned files are not needed anymo * [``: Microsoft Office VBA macros](#office-macro-sign) * [``: Open Packaging Convention](#opc-sign) * [``: Java Archives](#jar-sign) +* [``: RPM Package Manager](#rpm-sign) * [``: XML Digital Signature](#xml-sign) The general syntax for embedded signing methods is: `<`_format_`-sign />` 
@@ -192,6 +193,39 @@ jarsigner -verify -strict .zip Add the `-verbose` option to see the certificate. + +#### ``: RPM Package Manager {#rpm-sign} + +{% include editions.md feature="file_based_signing.rpm" %} + +{%- include_relative render-ac-directive-table.inc directive="rpm-sign" -%} + +RPM is a versatile package management format used in many Linux distributions like Fedora, RedHat, or openSUSE. RPM files embed GPG signatures and therefore is only available for [signing policies](/projects#signing-policies) with a [GPG key](/managing-certificates#certificate-types) certificate. + +##### Example + +~~~ xml + + + + + + +~~~ + +##### Verification {#rpm-sign-verification} + +RPM package verification usually happens "under the hood" via package managers like [`dnf`](https://dnf.readthedocs.io/). + +To manually verify `.rpm` files, use the following commands. + +~~~ bash +rpm --import my_key.asc # Import, i.e. trust, the GPG public key + +rpm --verbose --checksig my_package.rpm +~~~ + + #### ``: XML Digital Signature {#xml-sign} {% include editions.md feature="file_based_signing.xml" %} From 11c6211458b07d82109b8c7d6ab9ea9ca736a34e Mon Sep 17 00:00:00 2001 From: Ulrich Buchgraber Date: Tue, 23 Dec 2025 13:57:41 +0100 Subject: [PATCH 2/5] Add renaming of "verify origin policy" --- docs/_data/changelog.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml index b2f63f7..c7ecb95 100644 --- a/docs/_data/changelog.yml +++ b/docs/_data/changelog.yml 
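Review bot: The manual verification block under `##### Verification` imports `my_key.asc` without first checking that the key is the expected one, and it does not say what a passing `rpm --checksig` result looks like. `rpm --checksig` also succeeds for a package that carries no signature at all (it then reports only digests), so a reader following these two commands can end up accepting an unsigned package. I would add a step before the import, e.g. `gpg --show-keys my_key.asc  # compare the fingerprint with the GPG key of your signing policy`, and a sentence after the second command along the lines of `The verbose output must contain a signature line ending in "OK" for the expected key ID; "digests OK" alone means the package is not signed.` The exact output wording differs between rpm versions, so that sentence should be checked against the versions the docs target. The two commands are left unchanged by the later `@@ -214,9 +214,9 @@` hunk of patch 5, so the same applies there.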
@@ -2,6 +2,12 @@ updates: application: version: 1.202.0 + breaking_changes: + - text: | + Improved naming of "verify origin policy" on signing policy objects, including changing the property `verifyOrigin` to `verifyOriginPolicy` and `originVerification` to `originPolicyVerification` in the following APIs: + * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies` + * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}` + issues: [SIGN-8033] new_features: - text: |- Added support for file-based RPM Package Manager (`.rpm`) signing via [``](/artifact-configuration/reference#rpm-sign). From 310d6ea5e8e1d9bcec438d9d38a3f0b7d4f35f95 Mon Sep 17 00:00:00 2001 From: Ulrich Buchgraber Date: Fri, 9 Jan 2026 14:45:41 +0100 Subject: [PATCH 3/5] Add change logs for 1.203 --- docs/_data/changelog.yml | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml index c7ecb95..594869d 100644 --- a/docs/_data/changelog.yml +++ b/docs/_data/changelog.yml 
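Review bot: The new `breaking_changes` entry for SIGN-8033 renames `verifyOrigin` and `originVerification` in the two `POST …/SigningPolicies` routes but does not say what happens to a request that still sends the old names. If the API ignores unknown properties (not visible from this page), a client that has not been updated could create or update a signing policy without the origin verification settings and still get a success response. I would add one sentence to the entry, e.g. `Requests that still use the old property names are <REJECTED_OR_IGNORED — fill in actual behavior>; update API clients before upgrading.` The later revisions of this entry in patch 3 (`@@ -1,13 +1,31 @@`) and patch 5 (`@@ -18,11 +18,11 @@`) leave the same gap.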
@@ -1,13 +1,31 @@ +- date: '2026-01-13' + updates: + application: + version: 1.203.0 + improvements: + - text: |- + Deep signing with long file paths (> 260 characters) is now supported. + issues: [SIGN-8248] + self_hosted_installations: + version: 1.203.0 + breaking_changes: + - text: | + SignService charts: Moved App Insights connection string from `appSecrets.signService.applicationInsights.connectionString` to `appSecrets.shared.applicationInsights.connectionString`. + issues: [SIGN-7578] - date: '2025-12-16' updates: application: version: 1.202.0 breaking_changes: - text: | - Improved naming of "verify origin policy" on signing policy objects, including changing the property `verifyOrigin` to `verifyOriginPolicy` and `originVerification` to `originPolicyVerification` in the following APIs: - * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies` - * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}` - issues: [SIGN-8033] + Improved naming of "verify origin policy" on signing policy objects. + * Changed in REST API the property `verifyOrigin` to `verifyOriginPolicy` and `originVerification` to `originPolicyVerification` in the following routes: + * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies` + * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}` + * Changed in REST API the property `verifiesOrigin` to `verifiesOriginPolicy` in the following routes: + * `GET /v1/{organizationId}/Projects/{slug}` + * `GET /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}` + issues: [SIGN-8033, SIGN-8259] new_features: - text: |- Added support for file-based RPM Package Manager (`.rpm`) signing via [``](/artifact-configuration/reference#rpm-sign). From 7ddda5a5e7549fcb6dfa4fec7f3d58b6909c8748 Mon Sep 17 00:00:00 2001 
From: Ulrich Buchgraber Date: Fri, 9 Jan 2026 14:50:15 +0100 Subject: [PATCH 4/5] Improve wording --- docs/_data/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml index 594869d..f18db32 100644 --- a/docs/_data/changelog.yml +++ b/docs/_data/changelog.yml @@ -10,7 +10,7 @@ version: 1.203.0 breaking_changes: - text: | - SignService charts: Moved App Insights connection string from `appSecrets.signService.applicationInsights.connectionString` to `appSecrets.shared.applicationInsights.connectionString`. + SignService charts: Moved Application Insights connection string from `appSecrets.signService.applicationInsights.connectionString` to `appSecrets.shared.applicationInsights.connectionString`. issues: [SIGN-7578] - date: '2025-12-16' updates: From bb8d62cb797286abcdd7389390bb0f0cc16e977a Mon Sep 17 00:00:00 2001 From: Stefan Wenig Date: Mon, 12 Jan 2026 17:29:29 +0100 Subject: [PATCH 5/5] PR edited --- docs/_data/changelog.yml | 18 +++++++++--------- docs/artifact-configuration/reference.md | 7 +++---- docs/users.md | 2 +- 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml index f18db32..2e8031f 100644 --- a/docs/_data/changelog.yml +++ b/docs/_data/changelog.yml @@ -10,7 +10,7 @@ version: 1.203.0 breaking_changes: - text: | - SignService charts: Moved Application Insights connection string from `appSecrets.signService.applicationInsights.connectionString` to `appSecrets.shared.applicationInsights.connectionString`. + SignService charts: moved Application Insights connection string from `appSecrets.signService.applicationInsights.connectionString` to `appSecrets.shared.applicationInsights.connectionString`. issues: [SIGN-7578] - date: '2025-12-16' updates: 
@@ -18,11 +18,11 @@ version: 1.202.0 breaking_changes: - text: | - Improved naming of "verify origin policy" on signing policy objects. - * Changed in REST API the property `verifyOrigin` to `verifyOriginPolicy` and `originVerification` to `originPolicyVerification` in the following routes: + REST API: improved naming of "verify origin policy" on signing policy objects. + * Changed the property `verifyOrigin` to `verifyOriginPolicy` and `originVerification` to `originPolicyVerification` in the following API routes: * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies` * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}` - * Changed in REST API the property `verifiesOrigin` to `verifiesOriginPolicy` in the following routes: + * Changed the property `verifiesOrigin` to `verifiesOriginPolicy` in the following API routes: * `GET /v1/{organizationId}/Projects/{slug}` * `GET /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}` issues: [SIGN-8033, SIGN-8259] 
@@ -32,16 +32,16 @@ issues: [SIGN-8134, SIGN-8162] improvements: - text: | - ??? + Artifact download permissions based on global roles: only some global roles are now eligible (used to be all explicit global roles). See [documentation](/users#permissions). issues: [SIGN-8171] - text: | - Improved the history view on the organization details page (added a few missing fields). + Improved the history view on the organization details page (missing fields added). issues: [SIGN-8172] self_hosted_installations: version: 1.202.0 upgrade_information: - text: |- - All Windows containers switched from Windows Server 2019 to 2022 base images. Before starting the upgrade, ensure that your Kubernetes cluster has ready Windows Server 2022 worker nodes available. + All Windows containers switched from Windows Server 2019 to Server 2022 base images. Before starting the upgrade, ensure that your Kubernetes cluster has Windows Server 2022 worker nodes available and ready. issues: [SIGN-8113] - date: '2025-12-02' updates: @@ -49,7 +49,7 @@ version: 1.201.4 new_features: - text: |- - Added support for the "DSSE (Dead Simple Signing Envelope)" signing format via [``](/artifact-configuration/reference#dsse-sign). + Added support for [DSSE (Dead Simple Signing Envelope) signatures][``](/artifact-configuration/reference#dsse-sign). issues: [SIGN-8132] bug_fixes: - text: |- @@ -59,7 +59,7 @@ version: 1.201.4 improvements: - text: |- - Improved SignService reliability on temporary database outages. + Improved SignService reliability during temporary database outages. issues: [SIGN-8164] - date: '2025-11-27' updates: diff --git a/docs/artifact-configuration/reference.md b/docs/artifact-configuration/reference.md index 4e3cda2..623ba7d 100644 --- a/docs/artifact-configuration/reference.md +++ b/docs/artifact-configuration/reference.md 
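Review bot: The rewritten SIGN-8171 entry under `improvements` describes a change to who may download artifacts, but it names neither the global roles that stay eligible nor those that lose access, and it is filed as an improvement rather than under `breaking_changes` or `upgrade_information`. Operators reviewing access before an upgrade have to compare the linked page themselves; the `@@ -154,7 +154,7 @@` hunk in `docs/users.md` lists four roles but also does not state that other global roles no longer qualify. I would name the roles in the entry, e.g. `only *Global Administrator*, *Project Administrator*, *Global Reader* and *Support User* grant artifact download via a global role`, assuming the list in users.md is the complete set.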
@@ -200,12 +200,11 @@ Add the `-verbose` option to see the certificate. {%- include_relative render-ac-directive-table.inc directive="rpm-sign" -%} -RPM is a versatile package management format used in many Linux distributions like Fedora, RedHat, or openSUSE. RPM files embed GPG signatures and therefore is only available for [signing policies](/projects#signing-policies) with a [GPG key](/managing-certificates#certificate-types) certificate. +RPM is the package manager format for many Linux distributions including Fedora, RedHat, and openSUSE. RPM is based on GPG signatures and requires [signing policies](/projects#signing-policies) with a [GPG key](/managing-certificates#certificate-types) certificate. ##### Example ~~~ xml - @@ -215,9 +214,9 @@ RPM is a versatile package management format used in many Linux distributions li ##### Verification {#rpm-sign-verification} -RPM package verification usually happens "under the hood" via package managers like [`dnf`](https://dnf.readthedocs.io/). +Package verification is typically performed automatically by package management tools like yum and DNF. -To manually verify `.rpm` files, use the following commands. +To manually verify `.rpm` files, use the following commands: ~~~ bash rpm --import my_key.asc # Import, i.e. trust, the GPG public key diff --git a/docs/users.md b/docs/users.md index 99b9410..18387cc 100644 --- a/docs/users.md +++ b/docs/users.md @@ -154,7 +154,7 @@ Read permissions: * All users can view configuration information and metadata * Access to artifacts is restricted to users with read permissions for the signing request * Users have read permissions for a Signing Request if they have - * an appropriate global role: *Administrator*, *Global Reader* + * an appropriate global role: *Global Administrator*, *Project Administrator*, *Global Reader*, *Support User* * a role for the Project: *Reader*, *Configurator* * a role for the Signing Policy: *Submitter*, *Approver*
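Review bot: The new sentence in the `@@ -214,9 +214,9 @@` hunk, "Package verification is typically performed automatically by package management tools like yum and DNF", overstates what readers get by default for the file-based case this section documents. Whether those tools check signatures depends on their configuration: `gpgcheck` for repositories, and `localpkg_gpgcheck` for a `.rpm` installed from a local path, which DNF's documented defaults leave disabled. I would qualify the sentence, e.g. `Package managers like yum and DNF verify signatures only when gpgcheck (for local files: localpkg_gpgcheck) is enabled and the public key has been imported.`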