6.0

• Signing of APPX/MSIX packages has been implemented (thanks to Maciej Panek for the help)
• Signing of Microsoft Dynamics 365 extension packages has been implemented
• PIV cards are now supported with the new PIV storetype
• SafeNet eToken support has been improved with automatic PKCS#11 configuration using the new ETOKEN storetype
• The certificate chain in the file specified by the certfile parameter can now be in any order
• VBScript, JScript and PowerShell XML files without byte order marks are now parsed as Windows-1252 instead of ISO-8859-1
• The keystore parameter can now be specified with the OPENPGP storetype to distinguish between multiple connected devices
• The format detection based on the file extension is now case insensitive (contributed by Mathieu Delrocq)
• Only one call to the Google Cloud API is performed when the version of the key is specified in the alias parameter
• JVM arguments can now be passed using the JSIGN_OPTS environment variable
• API changes:
  • New net.jsign.jca.JsignJcaProvider JCA security provider to be used with other signing tools such as jarsigner
  • The signature can be removed by setting a null signature on the Signable object
  • Signable.computeDigest(MessageDigest) has been replaced by Signable.computeDigest(DigestAlgorithm)
  • The value of the http.agent system property is now appended to the User-Agent header when calling REST services
  • AuthenticodeSigner sets the security provider automatically if the keystore used is backed by a PKCS#11 token or a cloud service
  • AmazonSigningService now supports dynamic credentials
• Upgraded BouncyCastle to 1.77

5.0

• The AWS KMS signing service has been integrated (with contributions from Vincent Malmedy)
• Nitrokey support has been improved with automatic PKCS#11 configuration using the new NITROKEY storetype
• Smart cards are now supported with the new OPENSC storetype
• OpenPGP cards are now supported with the new OPENPGP storetype
• Google Cloud KMS via HashiCorp Vault is now supported with the new HASHICORPVAULT storetype (contributed by Maria Merkel)
• The Maven plugin can now use passwords defined in the Maven settings.xml file
• The "X.509 Certificate for PIV Authentication" on a Yubikey (slot 9a) is now automatically detected
• SHA-1 signing with Azure Key Vault is now possible (contributed by Andrij Abyzov)
• MSI signing has been improved:
  • MSI files with embedded sub storages (such as localized installers) are now supported
  • Signing a MSI file already signed with an extended signature is no longer rejected
  • An issue causing some MSI files to become corrupted once signed has been fixed
• A user friendly error message is now displayed when the private key and the certificate don't match
• Setting -Djava.security.debug=sunpkcs11 with the YUBIKEY storetype no longer triggers an error
• The cloud keystore name is no longer treated as a relative file by the Ant task and the Maven plugin
• The paths are resolved relatively to the Ant/Maven/Gradle subproject or module directory instead of the root directory
• Signing with SSL.com eSigner now also works when the malware scanning feature is enabled
• API changes:
  • The KeyStoreUtils class has been replaced by KeyStoreBuilder
• Upgraded BouncyCastle to 1.73

4.2

• Signing of Windows catalog files has been implemented
• The syntax to invoke the Gradle plugin with the Kotlin DSL has been simplified
• Several OutOfMemoryError caused by invalid input files have been fixed (thanks to OSS-Fuzz)
• API changes:
  • The Signable interface now extends Closeable and can be used in try-with-resources blocks
  • Files are no longer closed after signing
  • Most parsing errors are now rethrown as IOException
• Upgraded BouncyCastle to 1.71.1

4.1

• The SSL.com eSigner service has been integrated
• The Ant task can now sign multiple files by defining a fileset (contributed by Kyle Berezin)
• The type of the keystore is now automatically detected from the file header
• The storepass and keypass parameters can now be read from a file or from an environment variable
• The execution of the Maven plugin can now be skipped (with the <skip> configuration element, or the jsign.skip property)
• Fixed the "Map failed" OutOfMemoryError when signing large MSI files
• Certificates using an elliptic-curve key are now supported
• The default timestamping authority is now Sectigo instead of Comodo
• The signed file is now properly closed after attaching or detaching a signature (contributed by Mark Thomas)
• A detached signature added to a PE file whose length isn't a multiple of 8 is no longer invalid
• Fixed an error when signing with a Yubikey on Windows with a 32-bit JRE
• The PKCS#11 slot of the Yubikey is now automatically detected
• Upgraded BouncyCastle to 1.71

4.0

• MS Cabinet signing has been implemented (contributed by Joseph Lee)
• Signatures can be detached and re-attached to make the builds reproducible without access to the private key
• The new YUBIKEY storetype can be specified to sign with a YubiKey (the SunPKCS11 provider is automatically configured)
• The Azure Key Vault, DigiCert ONE and Google Cloud KMS cloud key management systems have been integrated
• The Maven plugin can now sign multiple files by defining a fileset (contributed by Bernhard Stiftner).
• The command line tool can now sign multiple files
• The alias parameter is now optional if the keystore contains only one entry (contributed by Michele Locati)
• The keystore aliases are now listed in the error message if the alias specified is incorrect
• The storetype parameter is no longer required for JCEKS keystores
• Fixed the update of the PE checksum (contributed by Markus Kilås)
• The CMSAlgorithmProtection attribute is no longer added to the signature (contributed by Yegor Yarko)
• The signature algorithm is identified as RSA instead of sha*RSA when using SHA-2 digests (contributed by Yegor Yarko)
• Upgraded BouncyCastle to 1.69

3.1

• Certificate files can now be used with a PKCS11 token to support OpenPGP cards unable to hold a whole certificate chain (contributed by Erwin Tratar)
• Fixed an IllegalArgumentException when parsing large entries of MSI files

3.0

• Jsign now requires Java 8 or higher
• MSI signing has been implemented
• Script signing has been implemented: PowerShell (contributed by Björn Kautler), VBScript, JScript and WSF
• The Maven plugin now uses the proxy defined in the Maven settings for the timestamping (contributed by Denny Bayer)
• The Maven plugin now accepts passwords encrypted using the Maven security settings (contributed by Denny Bayer)
• The Maven plugin is now bound by default to the package phase
• The timestamping is no longer enabled by default with the Maven plugin
• Renamed the command line tool from pesign to jsign
• Renamed the Ant task and the Gradle extension method from signexe to jsign
• SOCKS proxies are now supported
• Fixed the invalid SHA-512 signatures (contributed by Markus Kilås)
• The non-timestamped signatures are now reproducible (the signingTime attribute has been removed)
• Upgraded BouncyCastle to 1.64

2.1

• Fixed the loading of SunPKCS11 configuration files with Java 9
• SunPKCS11 configuration files can be loaded from any directory
• Maven plugin settings can now be passed on the command line (contributed by Nicolas Roduit)
• The first timestamping authority specified is no longer skipped (contributed by Thomas Atzmueller)
• Fixed the typo on the withTimestampingAuthority() methods in PESigner (contributed by Bjørn Madsen)
• Upgraded BouncyCastle to 1.60

2.0

• Jsign now requires Java 7 or higher
• Multiple signatures are now supported. New signatures can replace or be added to the previous ones.
• PKCS#11 hardware tokens are now supported.
• The signature algorithm can now be specified independently of the digest algorithm (contributed by Markus Kilås)
• Timestamping is attempted 3 times by default with a 10 seconds pause if an exception occurs (contributed by Erwin Tratar)
• Timestamping can now fail over to other services
• Private keys in PEM format are now supported (PKCS#1 and PKCS#8, encrypted or not)
• Upgraded BouncyCastle to 1.54 (contributed by Markus Kilås)
• Fixed the Accept header for RFC 3161 requests (contributed by Markus Kilås)
• Internal refactoring to share the code between the Ant task and the CLI tool (contributed by Michael Peterson)
• The code has been split into distinct modules (core, ant, cli).
• Jsign is now available as a plugin for Maven (net.jsign:jsign-maven-plugin) and Gradle
• The API can be used to sign in-memory files using a SeekableByteChannel

1.3

• The command line tool now supports HTTP proxies (contributed by Michael Szediwy)
• RFC 3161 timestamping services are now supported (contributed by Florent Daigniere)
• The digest algorithm now defaults to SHA-256
• The shaded dependencies are now relocated to avoid conflicts
• Added SHA-384 and SHA-512 checksums support
• SHA-2 is accepted as an alias for SHA-256