SignPath · stefan-wenig · Dec 3, 2025 · Dec 1, 2025 · Dec 1, 2025 · Dec 1, 2025
diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml
@@ -1,3 +1,21 @@
+- date: '2025-12-02'
+  updates:
+    application:
+      version: 1.201.4
+      new_features:
+        - text: |-
+            Added support for the "DSSE (Dead Simple Signing Envelope)" signing format via [`<dsse-sign>`](/artifact-configuration/reference#dsse-sign).
+          issues: [SIGN-8132]
+      bug_fixes:
+        - text: |-
+            Fixed in UI: Error handling for "resubmit" action when the new signing policy doesn't allow the original signing requests' branch name.
+          issues: [SIGN-7955]
+    self_hosted_installations:
+      version: 1.201.4
+      improvements:
+        - text: |-
+            Improved SignService reliability on temporary database outages.
+          issues: [SIGN-8164]
 - date: '2025-11-27'
   updates:
     crypto_providers:

diff --git a/docs/_data/editions.yml b/docs/_data/editions.yml
@@ -27,6 +27,7 @@
     xml: false
     docker: false
     sbom: false
+    dsse: false
     cms: false
     gpg: false
     raw: false
@@ -95,6 +96,7 @@
     xml: false
     docker: false
     sbom: false
+    dsse: false
     cms: false
     gpg: false
     raw: false
@@ -158,6 +160,7 @@
     xml: true
     docker: true
     sbom: true
+    dsse: true
     cms: true
     gpg: true
     raw: true
@@ -278,6 +281,7 @@
     xml: false
     docker: true
     sbom: false
+    dsse: false
     cms: false
     gpg: false
     raw: false

diff --git a/docs/_data/tables/artifact-configuration.yml b/docs/_data/tables/artifact-configuration.yml
@@ -1,46 +1,46 @@
 signing-file-elements:
   headers:
     element: Element
-    isContainer: "[Container format](#containers)"
-    directive: Signing directive
+    isComposite: "[Container format](#containers)"
+    directive: Signing directives
     extensions: Extensions
     description: Description
     _attributes:
       element: {style: "width: 9em;"}
       directive: {style: "width: 10em;"}
   body:
     - element: "`<pe-file>`"
-      isContainer: "No"
+      isComposite: "No"
       directive: "[`<authenticode-sign>`](#authenticode-sign)"
       extensions: ".exe, .dll, .acm, .ax, .cpl, .drv, .efi, .mui, .ocx, .scr, .sys, .tsp"
       description: "Portable Executable (PE) files: EXE, DLL, and other executable files"
     - element: "`<powershell-file>`"
-      isContainer: "No"
+      isComposite: "No"
       directive: "[`<authenticode-sign>`](#authenticode-sign)"
       extensions: ".ps1, .psm1, psd1, .psdc1, .ps1xml"
       description: "PowerShell scripts and modules"
     - element: "`<windows-script-file>`"
-      isContainer: "No"
+      isComposite: "No"
       directive: "[`<authenticode-sign>`](#authenticode-sign)"
       extensions: ".wsf, ,vbs, .js"
       description: "Windows scripts for Windows Scripting Host, typically VBScript and JScript[^jscript]. (Not available for Code Signing Starter.)"
     - element: "`<msi-file>`"
-      isContainer: "Yes"
+      isComposite: "Yes"
       directive: "[`<authenticode-sign>`](#authenticode-sign)"
       extensions: ".msi, .msm, .msp"
       description: "Microsoft installer files"
     - element: "`<cab-file>`"
-      isContainer: "Yes"
+      isComposite: "Yes"
       directive: "[`<authenticode-sign>`](#authenticode-sign)"
       extensions: ".cab"
       description: "Windows cabinet files"
     - element: "`<catalog-file>`"
-      isContainer: "No"
+      isComposite: "No"
       directive: "[`<authenticode-sign>`](#authenticode-sign)"
       extensions: ".cat"
       description: "Windows catalog files"
     - element: "`<appx-file>`"
-      isContainer: "Yes"
+      isComposite: "Yes"
       directive: "[`<authenticode-sign>`](#authenticode-sign)"
       extensions: ".appx, .appxbundle"
       description: |
@@ -49,59 +49,98 @@ signing-file-elements:
         {:.p.info}
         The Common Name of the code signing certificate must match the `PublisherDisplayName` in the `AppxManifest.xml` file.
     - element: "`<msix-file>`"
-      isContainer: "Yes"
+      isComposite: "Yes"
       directive: "[`<authenticode-sign>`](#authenticode-sign)"
       extensions: ".msix, .msixbundle"
       description: "MSIX installer app packages for Microsoft Windows"
     - element: "`<opc-file>`"
-      isContainer: "Yes"
+      isComposite: "Yes"
       directive: "[`<opc-sign>`](#opc-sign)"
       extensions: ".vsix, .xps, hlkx, ..."
       description: >-
         Open Packaging Conventions (OPC) files including Visual Studio Extensions (VSIX) and Hardware Lab Kit driver signing packages. 
         (Driver signing not available for Code Signing Starter.) File size limit: 40 MB.
     - element: "`<nupkg-file>`"
-      isContainer: "Yes"
+      isComposite: "Yes"
       directive: "[`<nuget-sign>`](#nuget-sign)"
       extensions: ".nupkg"
       description: "NuGet packages"
     - element: "`<jar-file>`"
-      isContainer: "Yes"
+      isComposite: "Yes"
       directive: "[`<jar-sign>`](#jar-sign)"
       extensions: ".jar, .war, .ear, .apk, .aab"
       description: "Java archives and Android apps. (Not available for Code Signing Starter.)"
     - element: "[`<zip-file>`](syntax#zip-file-element)"
-      isContainer: "Yes"
+      isComposite: "Yes"
       directive: "[`<jar-sign>`](#jar-sign)"
       extensions: ".zip"
       description: "Use ZIP archives to sign multiple files at once. (ZIP archives can also be signed and verified using the [JAR format](#jar-sign).)"
     - element: "`<office-oxml-file>`"
-      isContainer: "No"
+      isComposite: "No"
       directive: "[`<office-macro-sign>`](#office-macro-sign)"
       extensions: ".xlsm, .xltm, .docm, .dotm, .pptm, .potm, .vsdm, vstm, ... "
       description: "Sign VBA macros in Microsoft Office Open XML files and templates: Excel, Word, PowerPoint and Visio (available for Advanced Code Signing)"
     - element: "`<office-binary-file>`"
-      isContainer: "No"
+      isComposite: "No"
       directive: "[`<office-macro-sign>`](#office-macro-sign)"
       extensions: ".xls, .xlt, .doc, .dot, .pot, .ppa, .pps, .ppt, .mpp, .mpt, .pub, .vsd, .vst, ... "
       description: "Sign VBA macros in binary Microsoft Office files and templates: Project, Publisher, and legacy Excel, Word, PowerPoint and Visio (available for Advanced Code Signing)"
     - element: "`<xml-file>`"
-      isContainer: "No"
+      isComposite: "No"
       directive: "[`<xml-sign>`](#xml-sign)"
       extensions: ".xml"
       description: "Use this directive to sign XML files using [XMLDSIG](https://www.w3.org/TR/xmldsig-core1/) (available for Advanced Code Signing). File size limit: 2 MB."
     - element: "[`<directory>`](syntax#directory-element)"
-      isContainer: "Yes"
+      isComposite: "Yes"
       directive: "[`<clickonce-sign>`](#clickonce-sign)"
       description: "Directories within container files. This directive is primarily used to structure further elements within containers, e.g. ZIP, MSI, or other directories. It can also be used to sign ClickOnce files and VSTO add-ins."
     - element: "`<file>`"
-      isContainer: "No"
+      isComposite: "No"
       directive: |
+        [`<dsse-sign>`](#dsse-sign),
         [`<create-cms-signature>`](#create-cms-signature),
         [`<create-gpg-signature>`](#create-gpg-signature),
         [`<create-raw-signature>`](#create-raw-signature)
       extensions: "*"
-      description: "Arbitrary files. Create detached [CMS/PKCS #7](#create-cms-signature), [GPG/OpenPGP](#create-gpg-signature) or [raw](#create-raw-signature) signatures (available for Advanced Code Signing)."
+      description: |
+        Create enveloped signatures ([DSSE](#dsse-sign))
+        and detached signatures ([CMS/PKCS #7](#create-cms-signature), [GPG/OpenPGP](#create-gpg-signature), [raw](#create-raw-signature))
+         for arbitrary files (available for Advanced Code Signing).
+
+signing-method-categories:
+  headers:
+    category: Category
+    description: How it works
+    original: Original file
+    available: Available methods
+    _attributes:
+      directive: {style: "font-weight: bold;"}
+  body:
+    - category: "[Embedded](#embedded-signing-methods)"
+      description: Adds a signature to an existing file.
+      original: Replaced by signed file
+      available: |
+        [`<authenticode-sign>`](#authenticode-sign),
+        [`<opc-sign>`](#opc-sign),
+        [`<nuget-sign>`](#nuget-sign),
+        [`<jar-sign>`](#jar-sign),
+        [`<office-macro-sign>`](#office-macro-sign),
+        [`<xml-sign>`](#xml-sign)
+    - category: "[Enveloped](#enveloped-signing-methods)"
+      description: Adds a new file that contains the unsigned file _and_ the signature.
+      original: Preserved
+      available: |
+        [`<dsse-sign>`](#dsse-sign)
+    - category: "[Detached](#detached-signing-methods)"
+      description: Adds a new file that contains only the signature.
+      original: Preserved
+      available: |
+        [`<create-cms-signature>`](#create-cms-signature),
+        [`<create-gpg-signature>`](#create-gpg-signature),
+        [`<create-raw-signature>`](#create-raw-signature)
+    - category: "[Other](#other-signing-methods)"
+      available: |
+        [`<clickonce-sign>`](#clickonce-sign)
 
 authenticode-attributes:
   headers:

diff --git a/docs/_sass/main.scss b/docs/_sass/main.scss
@@ -67,6 +67,9 @@ header > div, main > section > div
 
 h1, h2, h3, h4, h5 {
 	font-weight: 400;
+	code {
+		font-style: normal;
+	}
 }
 
 p.center {

diff --git a/docs/artifact-configuration/examples.md b/docs/artifact-configuration/examples.md
@@ -37,7 +37,7 @@ This configuration works for all PE files.
 
 ## Signing multiple files
 
-### Signing multiple artifacts in a ZIP container
+### Signing multiple artifacts in a ZIP archive
 
 You can sign multiple unrelated artifacts by packing them into a single ZIP file.
 
@@ -56,7 +56,7 @@ You can sign multiple unrelated artifacts by packing them into a single ZIP file
 
 ### Deep-signing an MSI installer {#msi-sample}
 
-This will sign the PE files `libs/common.dll` and `main.exe`, then re-package their MSI container and sign it too. It also restricts the name of the MSI container file.
+This will sign the PE files `libs/common.dll` and `main.exe`, then re-package their MSI file and sign it too. It also restricts the name of the MSI file.
 
 ~~~ xml
 <artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">

diff --git a/docs/artifact-configuration/index.md b/docs/artifact-configuration/index.md
@@ -51,7 +51,7 @@ You can easily sign multiple files by creating a ZIP archive. Use wildcards, ind
 
 ## Deep signing of nested files
 
-Sometimes you need to sign both the container and its contents. For instance, an MSI installer package needs to be signed, but you also want the files it installs to be signed. SignPath can sign both the container and its contents in a single pass if you specify an appropriate artifact configuration. See [here](examples#msi-sample) for an example.
+Sometimes you need to sign both a composite file and its contents. For instance, an MSI installer package needs to be signed, but you also want the files it installs to be signed. SignPath can sign both the composite file and its contents in a single pass if you specify an appropriate artifact configuration. See [here](examples#msi-sample) for an example.
 
 ## Further reading