SP 1.202 and 1.203 change logs

docs/_data/changelog.yml

@@ -1,10 +1,55 @@
+- date: '2026-01-13'
+  updates:
+    application:
+      version: 1.203.0
+      improvements:
+        - text: |-
+            Deep signing with long file paths (> 260 characters) is now supported.
+          issues: [SIGN-8248]
+    self_hosted_installations:
+      version: 1.203.0
+      breaking_changes:
+        - text: |
+            SignService charts: moved Application Insights connection string from `appSecrets.signService.applicationInsights.connectionString` to `appSecrets.shared.applicationInsights.connectionString`.
+          issues: [SIGN-7578]
+- date: '2025-12-16'
+  updates:
+    application:
+      version: 1.202.0
+      breaking_changes:
+        - text: |
+            REST API: improved naming of "verify origin policy" on signing policy objects.
+            * Changed the property `verifyOrigin` to `verifyOriginPolicy` and `originVerification` to `originPolicyVerification` in the following API routes:
+              * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies`
+              * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}`
+            * Changed the property `verifiesOrigin` to `verifiesOriginPolicy` in the following API routes:
+              * `GET /v1/{organizationId}/Projects/{slug}`
+              * `GET /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}`
+          issues: [SIGN-8033, SIGN-8259]
+      new_features:
+        - text: |-
+            Added support for file-based RPM Package Manager (`.rpm`) signing via [`<rpm-sign>`](/artifact-configuration/reference#rpm-sign).
+          issues: [SIGN-8134, SIGN-8162]
+      improvements:
+        - text: |
+            Artifact download permissions based on global roles: only some global roles are now eligible (used to be all explicit global roles). See [documentation](/users#permissions).
+          issues: [SIGN-8171]
+        - text: |
+            Improved the history view on the organization details page (missing fields added).
+          issues: [SIGN-8172]
+    self_hosted_installations:
+      version: 1.202.0
+      upgrade_information:
+        - text: |-
+            All Windows containers switched from Windows Server 2019 to Server 2022 base images. Before starting the upgrade, ensure that your Kubernetes cluster has Windows Server 2022 worker nodes available and ready.
+          issues: [SIGN-8113]
 - date: '2025-12-02'
   updates:
     application:
       version: 1.201.4
       new_features:
         - text: |-
-            Added support for the "DSSE (Dead Simple Signing Envelope)" signing format via [`<dsse-sign>`](/artifact-configuration/reference#dsse-sign).
+            Added support for [DSSE (Dead Simple Signing Envelope) signatures][`<dsse-sign>`](/artifact-configuration/reference#dsse-sign).
           issues: [SIGN-8132]
       bug_fixes:
         - text: |-
@@ -14,7 +59,7 @@
       version: 1.201.4
       improvements:
         - text: |-
-            Improved SignService reliability on temporary database outages.
+            Improved SignService reliability during temporary database outages.
           issues: [SIGN-8164]
 - date: '2025-11-27'
   updates:

docs/_data/editions.yml

@@ -23,6 +23,7 @@
     nuget: true
     android: true
     java: false
+    rpm: false
     office_macros: false
     xml: false
     docker: false
@@ -92,6 +93,7 @@
     nuget: true
     android: true
     java: true
+    rpm: false
     office_macros: false
     xml: false
     docker: false
@@ -156,6 +158,7 @@
     nuget: true
     android: true
     java: true
+    rpm: true
     office_macros: true
     xml: true
     docker: true
@@ -277,6 +280,7 @@
     nuget: true
     android: true
     java: true
+    rpm: true
     office_macros: false
     xml: false
     docker: true

docs/_data/tables/artifact-configuration.yml

@@ -70,6 +70,11 @@ signing-file-elements:
       directive: "[`<jar-sign>`](#jar-sign)"
       extensions: ".jar, .war, .ear, .apk, .aab"
       description: "Java archives and Android apps. (Not available for Code Signing Starter.)"
+    - element: "`<rpm-file>`"
+      isComposite: "Yes"
+      directive: "[`<rpm-sign>`](#rpm-sign)"
+      extensions: ".rpm"
+      description: "RPM Package Manager files (available for Advanced Code Signing)"
     - element: "[`<zip-file>`](syntax#zip-file-element)"
       isComposite: "Yes"
       directive: "[`<jar-sign>`](#jar-sign)"

docs/artifact-configuration/reference.md

@@ -46,6 +46,7 @@ Since the file's format does not change, the unsigned files are not needed anymo
 * [`<office-macro-sign>`: Microsoft Office VBA macros](#office-macro-sign)
 * [`<opc-sign>`: Open Packaging Convention](#opc-sign)
 * [`<jar-sign>`: Java Archives](#jar-sign)
+* [`<rpm-sign>`: RPM Package Manager](#rpm-sign)
 * [`<xml-sign>`: XML Digital Signature](#xml-sign)
 
 The general syntax for embedded signing methods is: `<`_format_`-sign />`
@@ -192,6 +193,38 @@ jarsigner -verify -strict <file>.zip
 
 Add the `-verbose` option to see the certificate.
 
+
+#### `<rpm-sign>`: RPM Package Manager {#rpm-sign}
+
+{% include editions.md feature="file_based_signing.rpm" %}
+
+{%- include_relative render-ac-directive-table.inc directive="rpm-sign" -%}
+
+RPM is the package manager format for many Linux distributions including Fedora, RedHat, and openSUSE. RPM is based on GPG signatures and requires [signing policies](/projects#signing-policies) with a [GPG key](/managing-certificates#certificate-types) certificate.
+
+##### Example
+
+~~~ xml
+<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
+  <rpm-file>
+    <rpm-sign />
+  </rpm-file>
+</artifact-configuration>
+~~~
+
+##### Verification {#rpm-sign-verification}
+
+Package verification is typically performed automatically by package management tools like yum and DNF.
+
+To manually verify `.rpm` files, use the following commands:
+
+~~~ bash
+rpm --import my_key.asc # Import, i.e. trust, the GPG public key
+
+rpm --verbose --checksig my_package.rpm
+~~~
+
+
 #### `<xml-sign>`: XML Digital Signature {#xml-sign}
 
 {% include editions.md feature="file_based_signing.xml" %}

docs/users.md

@@ -154,7 +154,7 @@ Read permissions:
 * All users can view configuration information and metadata
 * Access to artifacts is restricted to users with read permissions for the signing request
 * Users have read permissions for a Signing Request if they have
-  * an appropriate global role: *Administrator*, *Global Reader*
+  * an appropriate global role: *Global Administrator*, *Project Administrator*, *Global Reader*, *Support User*
   * a role for the Project: *Reader*, *Configurator*
   * a role for the Signing Policy: *Submitter*, *Approver*