From bde29968f2e584e82f016771ba29646275caf6b3 Mon Sep 17 00:00:00 2001
From: Paul Savoie
Date: Wed, 11 Feb 2026 10:11:34 +0100
Subject: [PATCH 1/3] adds download links for CryptoProviders
---
docs/_data/changelog.yml | 16 ++++++++-
docs/_data/download_links.yml | 28 +++++++++++++++
.../download-cryptoproviders-panel.md | 33 +++++++++++++++++
docs/_sass/resources.scss | 11 +++++-
docs/changelog/index.md | 18 +++++++++-
docs/crypto-providers/cryptoki.md | 9 ++---
docs/crypto-providers/index.md | 23 ++++++------
docs/crypto-providers/windows.md | 36 ++++++++-----------
8 files changed, 134 insertions(+), 40 deletions(-)
create mode 100644 docs/_data/download_links.yml
create mode 100644 docs/_includes/download-cryptoproviders-panel.md
diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml
index 936d28a..35fdb03 100644
--- a/docs/_data/changelog.yml
+++ b/docs/_data/changelog.yml
@@ -1,3 +1,17 @@ +- date: '2026-02-12' + updates: + crypto_providers: + version: 6.0.1 + breaking_changes: + - text: | + The Windows CSP component for the deprecated [Windows CAPI](https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptographic-service-providers) (Crypto API) is not longer supported. + - text: | + The `Timeouts.HttpRequest`, `Timeouts.FirstRetryDelay` and `Timeouts.RetryCount` configuration settings have been removed. Instead, the `ServiceUnavailableTimeoutInSeconds` and `HttpRequestTimeoutInSeconds` values are available. See the [configuration section](/crypto-providers#crypto-provider-config-values) for details. + - text: | + The Cryptoki library for Windows is not provided as a separate download and not part of the Windows Installer any more (see [installation section](/crypto-providers#installation-and-usage)). + new_features: + - text: The Crypto Providers are now available via stable links on our download share. See the [installation section](/crypto-providers#installation-and-usage) for details. + issues: [SIGN-8265] - date: '2026-01-28' updates: powershell_module: @@ -915,7 +929,7 @@ - date: '2024-10-21' updates: macos_cryptotokenkit: - version: '2.0' + version: '2.0.0' breaking_changes: - text: 'Renamed the command-line parameters to align with the other client tools.' issues: [3] diff --git a/docs/_data/download_links.yml b/docs/_data/download_links.yml new file mode 100644 index 0000000..43861e4 --- /dev/null +++ b/docs/_data/download_links.yml 
@@ -0,0 +1,28 @@
+cryptoproviders:
+ v1:
+ - id: cryptoki
+ name: 'Cryptoki'
+ links:
+ - text: 'Linux x64 (.tgz)'
+ link: 'https://download.signpath.io/cryptoproviders/cryptoki/$VERSION/linux/x64/libSignPath.Cryptoki.tgz'
+ - text: 'Windows x64 (.zip)'
+ link: 'https://download.signpath.io/cryptoproviders/cryptoki/$VERSION/windows/x64/SignPath.Cryptoki.zip'
+ - id: windows_ksp
+ name: 'Windows KSP'
+ links:
+ - text: 'Installer (.msi)'
+ link: 'https://download.signpath.io/cryptoproviders/windows-ksp/$VERSION/x64/SignPath.Windows.KSP.msi'
+ - text: 'CycloneDX SBOM (.xml)'
+ link: 'https://download.signpath.io/cryptoproviders/windows-ksp/$VERSION/x64/SignPath.Windows.KSP.bom.xml'
+ - id: macos_cryptotokenkit
+ name: 'MacOs CryptoTokenKit'
+ links:
+ - text: 'Installer (.dmg)'
+ link: 'https://download.signpath.io/cryptoproviders/macos-cryptotokenkit/$VERSION/SignPathCryptoTokenKit.dmg'
+ - id: notation_plugin
+ name: 'Notation Plugin'
+ links:
+ - text: 'Linux x64 (.tgz)'
+ link: 'https://download.signpath.io/cryptoproviders/notation-plugin/$VERSION/linux/x64/notation-signpath.tgz'
+ - text: 'Windows x64 (.zip)'
+ link: 'https://download.signpath.io/cryptoproviders/notation-plugin/$VERSION/windows/x64/notation-signpath.zip'
diff --git a/docs/_includes/download-cryptoproviders-panel.md b/docs/_includes/download-cryptoproviders-panel.md
new file mode 100644
index 0000000..804d4da
--- /dev/null
+++ b/docs/_includes/download-cryptoproviders-panel.md
@@ -0,0 +1,33 @@
+{% comment %}
+Parameter `major` or `version` must be specified
+Parameter `components` must be specified
+Parameter `title_details` may be specified
+{% endcomment %}
+
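Review bot: None of the entries under `cryptoproviders.v1` in the new `docs/_data/download_links.yml` carries a checksum or detached-signature link, so a build script that fetches these `.msi`, `.dmg`, `.tgz` and `.zip` artifacts has nothing on this page to verify them against beyond TLS to `download.signpath.io`. Because these components sit in the code-signing path, I would add a digest entry per artifact (for example a `- text: 'SHA-256'` item whose `link:` points at a published hash file, if the download share provides one) or state next to the links how to check the publisher signature of the installers. The SBOM link is present only for `windows_ksp`; if SBOMs exist for the other components, listing them keeps the entries parallel. `notation_plugin` is defined here but none of the includes visible in this patch passes that id in `components`, so please confirm it is meant to ship with this change.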
+

Download Crypto Providers{%- if include.version != nil -%} {{ include.version }}{%- endif -%}{%- if include.title_details != nil -%} ({{ include.title_details }}){%- endif -%}

+{%- assign version = include.version -%} +{%- assign components_arr = include.components | split: "," -%} +{%- if include.version == nil -%} +

+These download links refer to the latest available {{ include.major }}.x version. This is recommended for automated downloads from build scripts. (SignPath Crypto Providers use semantic versioning.) + +Replace `{{include.major}}-latest` in the URL with the specific version number for stable downloads. + +

+{%- assign version = include.major | append: "-latest" -%} +{%- endif --%} + + {%- for cp in site.data.download_links.cryptoproviders.v1 -%} + {%- if components_arr contains cp.id -%} + + + + + {%- endif -%} + {%- endfor -%} +
{{ cp.name }} + {%- for link in cp.links -%} + {{ link.text }}{%- if forloop.last != true -%}  |  {%- endif -%} + {%- endfor -%} +
+
\ No newline at end of file diff --git a/docs/_sass/resources.scss b/docs/_sass/resources.scss index d0e7de0..f2b2ac7 100644 --- a/docs/_sass/resources.scss +++ b/docs/_sass/resources.scss @@ -205,7 +205,7 @@ main > section.resources-section { display: inline-block; } - &.info, &.warning, &.tip { + &.info, &.warning, &.tip, &.download { & > p:first-child::before, & > h6:first-child::before { font-family: "Line Awesome Free"; @@ -220,6 +220,15 @@ main > section.resources-section { content: "\f05a"; } } + + &.download { + background-color: $light-grey-background-color; + & > p:first-child::before, + & > h6:first-child::before { + content: "\f381"; + } + } + &.tip { background-color: $light-grey-background-color; & > p:first-child::before, diff --git a/docs/changelog/index.md b/docs/changelog/index.md index 511357e..ccbee98 100644 --- a/docs/changelog/index.md +++ b/docs/changelog/index.md @@ -75,6 +75,7 @@ redirect_from: {% comment %} extract component id (e.g. application, crypto_providers, etc.) and release {% endcomment %} {% assign componentid = update[0] %} {% assign release = update[1] %} + {% assign major_version = release.version | split: '.' | first | times: 1 %} {% assign component_change_type_class_list = 'component' %} {% for changes_per_type in release %} 
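Review bot: In the new `docs/_includes/download-cryptoproviders-panel.md`, the closing tag `{%- endif --%}` after the `-latest` assignment has a stray hyphen; write it as `{%- endif -%}` so the template does not depend on lenient Liquid parsing. The header comment says `major` or `version` must be specified, but nothing enforces it: with both unset, `include.major | append: "-latest"` evaluates to `-latest`, and the links would presumably be rendered with that as the version segment (the link markup is not visible in this view, so confirm). An early `{%- if include.major == nil and include.version == nil -%}` branch that renders nothing would surface the mistake instead of publishing broken download URLs. The panel text also recommends the moving `-latest` URL for automated build-script downloads; a sentence advising that release pipelines pin the exact version would keep builds reproducible and make an unexpected artifact change easier to notice.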
@@ -109,7 +110,22 @@ redirect_from: {% endif %} {% endfor %} - + {% assign include_cryptoproviders_download_panel = false %} + {%- if componentid == 'macos_cryptotokenkit' and major_version >= 2 -%} + {% assign include_cryptoproviders_download_panel = true %} + {%- endif -%} + {%- if componentid == 'crypto_providers' and major_version >= 6 -%} + {% assign include_cryptoproviders_download_panel = true %} + {%- endif -%} + {%- if include_cryptoproviders_download_panel -%} + {% if componentid == 'crypto_providers' %} + {% assign crypto_provider_components = "cryptoki,windows_ksp" %} + {% else %} + {% assign crypto_provider_components = "macos_cryptotokenkit" %} + {% endif %} + {% include download-cryptoproviders-panel.md version=release.version components=crypto_provider_components %} + {%- endif -%} + {% endfor %} {% else %}

No customer facing changes in this release.

diff --git a/docs/crypto-providers/cryptoki.md b/docs/crypto-providers/cryptoki.md index a096a2d..e90b371 100644 --- a/docs/crypto-providers/cryptoki.md +++ b/docs/crypto-providers/cryptoki.md @@ -34,6 +34,7 @@ This section provides general information about using the SignPath Cryptoki libr | RedHat | 8 (latest minor) | | RedHat | 9 (latest minor) | + {:.panel.info} > **Dependency on OpenSSL and `ca-certificates`** > @@ -58,15 +59,11 @@ This section provides general information about using the SignPath Cryptoki libr #### Windows -The Cryptoki library is installed to `%ProgramFiles%\SignPath\CryptoProviders\SignPath.Cryptoki.dll` by the [MSI installer](/crypto-providers/windows#installation). - -Alternatively, you can copy-deploy `Windows\SignPath.Cryptoki.dll` from the Crypto Providers ZIP archive to your target system. +You can copy-deploy `SignPath.Cryptoki.dll` from the Crypto Providers `.zip` archive to your target system. #### Linux -Copy-deploy the Cryptoki library `Linux/libSignPath.Cryptoki/$OpenSslVersion/libSignPath.Cryptoki.so` from the Crypto Providers ZIP archive to your target system. - -Check the output of `openssl version` on your target system to select the correct OpenSSL version. +Copy-deploy the Cryptoki library `libSignPath.Cryptoki.so` from the Crypto Providers `.tar.gz` archive to your target system. ### Configuration diff --git a/docs/crypto-providers/index.md b/docs/crypto-providers/index.md index 45937ff..5d93ecb 100644 --- a/docs/crypto-providers/index.md +++ b/docs/crypto-providers/index.md @@ -3,7 +3,7 @@ header: Crypto Providers layout: resources toc: true show_toc: 3 -description: SignPath Crypto Providers (Cryptoki, KSP, CSP, CryptoTokenKit) +description: SignPath Crypto Providers (Cryptoki, KSP, CryptoTokenKit) --- {% include editions.md feature="hash_based_signing.rest_api" %} 
@@ -12,7 +12,7 @@ description: SignPath Crypto Providers (Cryptoki, KSP, CSP, CryptoTokenKit) The SignPath Crypto Providers allow signing tools such as [SignTool.exe](/crypto-providers/windows#signtool), [OpenSSL](/crypto-providers/cryptoki#openssl) or [jarsigner](/crypto-providers/cryptoki#jarsigner) to sign files locally using keys or certificates stored and managed by SignPath. -Crypto Providers are generally used to provide a device-independent API for using secure key storage devices such as USB key tokens or Hardware Security Modules (HSMs). You may think of them as device drivers for crypto hardware. Most software tools used for code signing support one Crypto Provider technology, such as Microsoft KSP/CSP or PKCS #11 Cryptoki. +Crypto Providers are generally used to provide a device-independent API for using secure key storage devices such as USB key tokens or Hardware Security Modules (HSMs). You may think of them as device drivers for crypto hardware. Most software tools used for code signing support one Crypto Provider technology, such as Microsoft KSP or PKCS #11 Cryptoki. The SignPath Crypto Providers do not access the crypto hardware directly. Instead, they implement these interfaces to provide access to SignPath _Projects_ and _Signing Policies_. During the entire operation, the private key will remain on the HSM. 
@@ -29,7 +29,6 @@ The following Crypto Providers are available for SignPath: |-----------------------------------------------|-----------------------------------------------|---------------------|-------------- | **Cryptoki** (Cryptographic Token Interface) | [PKCS #11] version 2.40 | Windows, Linux | **KSP** (Key Storage Provider) | [CNG] (Cryptographic API: Next Generation) | Windows -| **CSP** (Cryptographic Service Provider) | [CAPI] (CryptoAPI) | Windows | This API is deprecated, most tools now use KSP/CNG | **CTK** (CryptoTokenKit) | [CTK extension] | macOS [PKCS #11]: https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html @@ -72,12 +71,17 @@ As always, the private key does not leave the boundaries of the HSM. Depending on the signing tool you're using, the corresponding Crypto Provider needs to be installed (on all build nodes). See the respective pages: -* [SignPath KSP and CSP](/crypto-providers/windows) for _SignTool.exe_ and most native Windows tools +* [SignPath KSP](/crypto-providers/windows) for _SignTool.exe_ and most native Windows tools * [SignPath Cryptoki](/crypto-providers/cryptoki) for _OpenSSL_, _jarsigner_, and many other Open Source tools * [GPG-based tools](/crypto-providers/gpg), such as _gpg_, _rpm_, or _dkpg-sig_ use the [SignPath Cryptoki Crypto Provider](/crypto-providers/cryptoki) but require additional configuration steps * [SignPath CryptoTokenKit](/crypto-providers/macos) for macOS _codesign_ * Instead of using a CryptoProvider, it is also possible to [sign hashes directly using the REST API](/crypto-providers/rest-api) + +{% include download-cryptoproviders-panel.md major="6" components="cryptoki,windows_ksp" %} + +{% include download-cryptoproviders-panel.md major="2" components="macos_cryptotokenkit" title_details="MacOS CryptoTokenKit" %} + ## Configuration {#crypto-provider-configuration} ### Values {#crypto-provider-config-values} 
@@ -129,11 +133,10 @@ Supported log levels: `none`, `fatal`, `error`, `warning`, `info`, `debug`, `ver #### Timeout settings -| JSON setting | Environment variable | Default Value | Description -|-----------------------------|---------------------------------------|-------------------|------------------------- -| `Timeouts.HttpRequest` | `SIGNPATH_TIMEOUTS_HTTP_REQUEST` | `30` | Timeout for HTTP calls in seconds per attempt -| `Timeouts.FirstRetryDelay` | `SIGNPATH_TIMEOUTS_FIRST_RETRY_DELAY` | `1.16` | Initial delay in seconds in case of failed API HTTP requests -| `Timeouts.RetryCount` | `SIGNPATH_TIMEOUTS_RETRY_COUNT` | `10` | Maximum number of retries in case of failed API HTTP requests +| JSON setting | Environment variable | Default Value | Description +|--------------------------------------|----------------------------------------------------|---------------|------------------------- +| `ServiceUnavailableTimeoutInSeconds` | `SIGNPATH_SERVICE_UNAVAILABLE_TIMEOUT_IN_SECONDS ` | `600` | Total time in seconds that the command will wait for a single service call to succeed (across several retries). +| `HttpRequestTimeoutInSeconds` | `SIGNPATH_HTTP_REQUEST_TIMEOUT_IN_SECONDS` | `30` | Timeout for HTTP calls in seconds per attempt {: .break-column-2} HTTP timeouts and 5xx server errors (e.g. 503 Service Unavailable errors) are treated as failed requests. 
@@ -224,7 +227,7 @@ In order to perform hash-based signing with the Crypto Providers, perform the fo ### Linux samples {#linux-docker-samples} -The Crypto Provider package contains Linux sample scripts that demonstrate the use of different signing tools, their configuration, and the required dependencies in the `Scenarios` directory. See the `README.md` for the full list. +The Cryptoki package for Linux contains sample scripts that demonstrate the use of different signing tools, their configuration, and the required dependencies in the `Scenarios` directory. See the `README.md` for the full list. For supported Linux distributions, you can execute the samples using the provided Docker container configurations. See the `Linux/Samples` directory in the Crypto Provider package. See `README.md` for further information and details how to use the `RunScenario.sh` and `RunScenario.ps1` entry point scripts to invoke samples. diff --git a/docs/crypto-providers/windows.md b/docs/crypto-providers/windows.md index d3cc3e7..a82bfc1 100644 --- a/docs/crypto-providers/windows.md +++ b/docs/crypto-providers/windows.md 
@@ -1,46 +1,43 @@ --- -header: Windows CSP and KSP +header: Windows KSP layout: resources toc: true show_toc: 3 -description: SignPath Windows CSP and KSP Crypto Providers +description: SignPath Windows KSP Crypto Provider --- ## Overview -Signing tools secifically designed for Windows typically use CNG KSP or CAPI CSP providers. Install and use the SignPath KSP and CSP providers to use this tools with SignPath. +Signing tools secifically designed for Windows typically use CNG KSP providers. Install and use the SignPath KSP provider to use these tools with SignPath. ## Setup ### Installation -To install the Windows CNG KSP and CAPI CSP providers, +To install the Windows CNG KSP provider, -1. Run the MSI installer file from the `Windows` subdirectory of the Crypto Providers ZIP archive. (See below for unattended options.) +1. Run the MSI installer file. (See below for unattended options.) 2. Continue with the [general Crypto Provider configuration](/crypto-providers#crypto-provider-configuration). {:.panel.info} > **Verification** > -> To verify the successful registration of the CSP and KSP, you can use the following command: +> To verify the successful registration of the KSP, you can use the following command: > > ~~~powershell > certutil -csplist > ~~~ > -> It should contain two entries: +> It should contain one entry: > -> * `Provider Name: SignPathCSP` > * `Provider Name: SignPathKSP` -CSPs [are deprecated by Microsoft](https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptographic-service-providers), so most up-to-date tools only require a KSP. You can deselect the "Windows CAPI CSP" in the "custom setup" installer step. - ### Unattended installation To install the MSI in an automated fashion, run the following command (in an elevated command prompt). 
~~~powershell -msiexec /i SignPathCryptoProviders-$Version.msi /qn /L* install.log +msiexec /i SignPath.Windows.KSP.msi /qn /L* install.log ~~~ See [`msiexec` documentation](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec). @@ -50,7 +47,7 @@ See [`msiexec` documentation](https://learn.microsoft.com/en-us/windows-server/a If you want `msiexec` to terminate only after the installation has completed, run the following command in a PowerShell session: ~~~powershell -msiexec /i SignPathCryptoProviders-$Version.msi /qn /L* install.log | Out-Host; if ($LASTEXITCODE -ne 0) { throw "msiexec exited with $LASTEXITCODE" } +msiexec /i SignPath.Windows.KSP.msi /qn /L* install.log | Out-Host; if ($LASTEXITCODE -ne 0) { throw "msiexec exited with $LASTEXITCODE" } ~~~ #### Selecting components @@ -58,15 +55,13 @@ msiexec /i SignPathCryptoProviders-$Version.msi /qn /L* install.log | Out-Host; To install only parts, use the `ADDLOCAL` msiexec parameter with the following options (delimited by commas): * `KSP` for the Windows CNG KSP installation and registration - * `CSP` for the Windows CAPI CNG installation and registration - * `Cryptoki` for the Cryptoki library installation * `SignPathConfigAndEnv` for the default `CryptoProvidersConfig.json` configuration file in `%ProgramFiles%\SignPath\CryptoProviders` and the system-wide `SIGNPATH_CONFIG_FILE` environment variable Example: install KSP and configuration file variable ~~~powershell -msiexec /i SignPathCryptoProviders-$Version.msi /qn /L* install.log ADDLOCAL=KSP,SignPathConfigAndEnv | Out-Host; if ($LASTEXITCODE -ne 0) { throw "msiexec exited with $LASTEXITCODE" } +msiexec /i SignPath.Windows.KSP.msi /qn /L* install.log ADDLOCAL=KSP,SignPathConfigAndEnv | Out-Host; if ($LASTEXITCODE -ne 0) { throw "msiexec exited with $LASTEXITCODE" } ~~~ ### Update to a new version 
@@ -82,7 +77,7 @@ Uninstall via Windows' "Apps & features" / "Installed apps" dialog. To uninstall in an automated fashion, run the following command (in an elevated PowerShell session). ~~~powershell -msiexec /x SignPathCryptoProviders-$Version.msi /qn /L* uninstall.log | Out-Host +msiexec /x SignPath.Windows.KSP.msi /qn /L* uninstall.log | Out-Host ~~~ ### Configuration @@ -104,7 +99,7 @@ _SignTool.exe_ requires the following parameters: | Parameter | Value | Description |--------------|-----------------------------------|---------------- -| `/csp` | `SignPathKSP` or `SignPathCSP` | SignPath KSP (preferred) or CSP +| `/csp` | `SignPathKSP` | SignPath KSP | `/kc` | `$ProjectSlug/$SigningPolicySlug` | Key container name: _Project_ and _Signing Policy_ slug, separated by a forward slash | `/fd` | `SHA256`, `SHA384` or `SHA512` | Digest (hashing) algorithm | `/f` | Path to the certificate file | Download the respective certificate file from SignPath 
@@ -133,25 +128,24 @@ In addition to the general [Crypto Provider configuration](/crypto-providers#cry | Parameter | Value | Description |-----------------------|--------------------------------------|--------------------------------------- -| Crypto Provider | `SignPathKSP` or `SignPathCSP` | SignPath KSP (preferred) or CSP +| Crypto Provider | `SignPathKSP` | SignPath KSP | Key container name | `$ProjectSlug/$SigningPolicySlug` | SignPath _Project_ and _Signing Policy_ slugs, separated by a forward slash | Certificate file | Path to the x.509 certificate file | Download the respective certificate file from SignPath {:.panel.info} > **Use _Project_ and _Signing Policy_ slugs to speficy a key** > -> Identify a specific _Signing Policy_ by specifying _Project_ and _Signing Policy_ slugs. The SignPath KSP/CSP will select that policy's certificate. +> Identify a specific _Signing Policy_ by specifying _Project_ and _Signing Policy_ slugs. The SignPath KSP will select that policy's certificate. ### Error handling The following table shows the KSP `HRESULT` result codes for different error situations when calling the SignPath REST API. -| Situation | error code (KSP result code or CSP `GetLastError()` code) +| Situation | error code (KSP result code) |----------------------------------------------------------------------------------------------------------|---------------------------------------------------------- | Transient errors like HTTP timeouts or 503 (Service Unavailable) which still occur after the last retry | `NTE_DEVICE_NOT_READY` ("The device that is required by this cryptographic provider is not ready for use.") for errors without an HTTP status code. Otherwise, HTTP status code as an HRESULT in the `FACILITY_ITF`, e.g. `0x800401F7` for HTTP 503 | Non-transient service errors (e.g. 500 Internal Server Error) | HTTP status code as an HRESULT in the `FACILITY_ITF`, e.g. 
`0x800401F4` for HTTP 500 | User errors detected by service (4xx returned) | HTTP status code as an HRESULT in the `FACILITY_ITF`, e.g. `0x80040190` for HTTP 400 | Other unspecified errors (fall back) | `NTE_FAIL` ("An internal error occurred.") -The CSP error code has to be retrieved via [`GetLastError()`](https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror). From 23fd106614f6a51f571e896ba322ff9a85f09945 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Wed, 11 Feb 2026 13:27:53 +0100 Subject: [PATCH 2/3] update download panel for changelog to have 2 cols --- .../download-cryptoproviders-panel.md | 26 +++++++++++++++---- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/docs/_includes/download-cryptoproviders-panel.md b/docs/_includes/download-cryptoproviders-panel.md index 804d4da..e55e105 100644 --- a/docs/_includes/download-cryptoproviders-panel.md +++ b/docs/_includes/download-cryptoproviders-panel.md @@ -4,8 +4,7 @@ Parameter `components` must be specified Parameter `title_details` may be specified {% endcomment %}
-

Download Crypto Providers{%- if include.version != nil -%} {{ include.version }}{%- endif -%}{%- if include.title_details != nil -%} ({{ include.title_details }}){%- endif -%}

-{%- assign version = include.version -%} +

Download Crypto Providers{%- if include.title_details != nil -%} ({{ include.title_details }}){%- endif -%}

{%- assign components_arr = include.components | split: "," -%} {%- if include.version == nil -%}

@@ -14,18 +13,35 @@ These download links refer to the latest available {{ include.major }}.x version Replace `{{include.major}}-latest` in the URL with the specific version number for stable downloads.

-{%- assign version = include.major | append: "-latest" -%} + {%- assign major_version = include.major -%} +{%- else -%} + {%- assign major_version = include.version | split: "." | first -%} {%- endif --%} +{%- assign latest_version = major_version | append: "-latest" -%} + {%- if include.version != nil -%} + + + + + + {%- endif -%} {%- for cp in site.data.download_links.cryptoproviders.v1 -%} {%- if components_arr contains cp.id -%} - + {%- if include.version != nil -%} + + {%- endif -%} {%- endif -%} {%- endfor -%} From 5faee2fd6a84db3cf624ca513df70d4be5128a73 Mon Sep 17 00:00:00 2001 From: Stefan Wenig Date: Wed, 11 Feb 2026 18:27:36 +0100 Subject: [PATCH 3/3] download edits --- docs/_data/changelog.yml | 10 +++++++--- docs/_data/download_links.yml | 4 ++-- docs/_data/menus/documentation.yml | 2 +- .../_includes/download-cryptoproviders-panel.md | 8 +++----- docs/crypto-providers/index.md | 17 +++++++++-------- 5 files changed, 22 insertions(+), 19 deletions(-) diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml index 35fdb03..b304d68 100644 --- a/docs/_data/changelog.yml +++ b/docs/_data/changelog.yml 
@@ -6,11 +6,15 @@ - text: | The Windows CSP component for the deprecated [Windows CAPI](https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptographic-service-providers) (Crypto API) is not longer supported. - text: | - The `Timeouts.HttpRequest`, `Timeouts.FirstRetryDelay` and `Timeouts.RetryCount` configuration settings have been removed. Instead, the `ServiceUnavailableTimeoutInSeconds` and `HttpRequestTimeoutInSeconds` values are available. See the [configuration section](/crypto-providers#crypto-provider-config-values) for details. + The following configuration settings have been removed: `Timeouts.HttpRequest`, `Timeouts.FirstRetryDelay` and `Timeouts.RetryCount`. + + Instead, use the new settings `ServiceUnavailableTimeoutInSeconds` and `HttpRequestTimeoutInSeconds`. + + See [timeout settings](/crypto-providers#timeout-settings) for details. - text: | - The Cryptoki library for Windows is not provided as a separate download and not part of the Windows Installer any more (see [installation section](/crypto-providers#installation-and-usage)). + The Cryptoki library for Windows is now provided as a separate download and not part of the Windows installer any more (see [download section](/crypto-providers#download)). new_features: - - text: The Crypto Providers are now available via stable links on our download share. See the [installation section](/crypto-providers#installation-and-usage) for details. + - text: The Crypto Providers are now available via stable links on our download share. See the [download section](/crypto-providers#download) for details. issues: [SIGN-8265] - date: '2026-01-28' updates: diff --git a/docs/_data/download_links.yml b/docs/_data/download_links.yml index 43861e4..85c446c 100644 --- a/docs/_data/download_links.yml +++ b/docs/_data/download_links.yml 
@@ -12,10 +12,10 @@ cryptoproviders: links: - text: 'Installer (.msi)' link: 'https://download.signpath.io/cryptoproviders/windows-ksp/$VERSION/x64/SignPath.Windows.KSP.msi' - - text: 'CycloneDX SBOM (.xml)' + - text: 'SBOM (CycloneDX .xml)' link: 'https://download.signpath.io/cryptoproviders/windows-ksp/$VERSION/x64/SignPath.Windows.KSP.bom.xml' - id: macos_cryptotokenkit - name: 'MacOs CryptoTokenKit' + name: 'macOS CryptoTokenKit' links: - text: 'Installer (.dmg)' link: 'https://download.signpath.io/cryptoproviders/macos-cryptotokenkit/$VERSION/SignPathCryptoTokenKit.dmg' diff --git a/docs/_data/menus/documentation.yml b/docs/_data/menus/documentation.yml index cee5d16..1a56f7e 100644 --- a/docs/_data/menus/documentation.yml +++ b/docs/_data/menus/documentation.yml @@ -77,7 +77,7 @@ - text: Crypto Providers path: crypto-providers items: - - text: Windows CSP and KSP + - text: Windows KSP path: windows - text: Cryptoki/PKCS#11 diff --git a/docs/_includes/download-cryptoproviders-panel.md b/docs/_includes/download-cryptoproviders-panel.md index e55e105..74bd1f8 100644 --- a/docs/_includes/download-cryptoproviders-panel.md +++ b/docs/_includes/download-cryptoproviders-panel.md @@ -4,13 +4,11 @@ Parameter `components` must be specified Parameter `title_details` may be specified {% endcomment %}
-

Download Crypto Providers{%- if include.title_details != nil -%} ({{ include.title_details }}){%- endif -%}

+

Download Crypto Providers {%- if include.title_details != nil %} ({{ include.title_details }}) {%- endif -%}

{%- assign components_arr = include.components | split: "," -%} {%- if include.version == nil -%}

-These download links refer to the latest available {{ include.major }}.x version. This is recommended for automated downloads from build scripts. (SignPath Crypto Providers use semantic versioning.) - -Replace `{{include.major}}-latest` in the URL with the specific version number for stable downloads. +These download links refer to the latest available {{ include.major }}.x version. This is recommended for automated downloads from build scripts. See Product changes for stable links to a specific version. SignPath Crypto Providers use semantic versioning.

{%- assign major_version = include.major -%} @@ -22,7 +20,7 @@ Replace `{{include.major}}-latest` in the URL with the specific version number f {%- if include.version != nil -%}
- + {%- endif -%} diff --git a/docs/crypto-providers/index.md b/docs/crypto-providers/index.md index 5d93ecb..e672747 100644 --- a/docs/crypto-providers/index.md +++ b/docs/crypto-providers/index.md @@ -19,7 +19,7 @@ The SignPath Crypto Providers do not access the crypto hardware directly. Instea {:.panel.info} > **Version info** > -> This documentation contains information about the latest version of the CryptoProviders. See the [CryptoProvider changelog](/changelog?component=crypto_providers) or the [macOS CryptoTokenKit changelog](/changelog?component=macos_cryptotokenkit) for updates. +> This documentation contains information about the latest version of the Crypto Providers. See the [Crypto Provider changelog](/changelog?component=crypto_providers) or the [macOS CryptoTokenKit changelog](/changelog?component=macos_cryptotokenkit) for updates. ### Crypto Providers 
@@ -67,21 +67,22 @@ With small platform-specific variations, the general flow of a signing operation As always, the private key does not leave the boundaries of the HSM. -## Installation and usage +## Download and installation {#download} -Depending on the signing tool you're using, the corresponding Crypto Provider needs to be installed (on all build nodes). See the respective pages: +Choose the correct package and install it on all build agents (): -* [SignPath KSP](/crypto-providers/windows) for _SignTool.exe_ and most native Windows tools -* [SignPath Cryptoki](/crypto-providers/cryptoki) for _OpenSSL_, _jarsigner_, and many other Open Source tools -* [GPG-based tools](/crypto-providers/gpg), such as _gpg_, _rpm_, or _dkpg-sig_ use the [SignPath Cryptoki Crypto Provider](/crypto-providers/cryptoki) but require additional configuration steps +* [SignPath Windows KSP](/crypto-providers/windows) for _SignTool.exe_ and most native Windows tools +* [SignPath Cryptoki library](/crypto-providers/cryptoki) for _OpenSSL_, _jarsigner_, and many other Open Source tools +* [GPG-based tools](/crypto-providers/gpg), such as _gpg_, _rpm_, or _dkpg-sig_ use the [SignPath Cryptoki library](/crypto-providers/cryptoki) but require additional configuration steps * [SignPath CryptoTokenKit](/crypto-providers/macos) for macOS _codesign_ -* Instead of using a CryptoProvider, it is also possible to [sign hashes directly using the REST API](/crypto-providers/rest-api) {% include download-cryptoproviders-panel.md major="6" components="cryptoki,windows_ksp" %} {% include download-cryptoproviders-panel.md major="2" components="macos_cryptotokenkit" title_details="MacOS CryptoTokenKit" %} +Instead of using a CryptoProvider, it is also possible to [sign hashes directly using the REST API](/crypto-providers/rest-api) + ## Configuration {#crypto-provider-configuration} ### Values {#crypto-provider-config-values} 
@@ -111,7 +112,7 @@ The [MSI installer](/crypto-providers/windows#installation) for Windows creates You will usually specifiy the Project and Signing Policy and let SignPath select the matching certificate. The following values -* should be provieded for other [PKCS #11/Cryptoki](cryptoki) signing tools that don't accept a _key ID_ parameter +* should be provided for other [PKCS #11/Cryptoki](cryptoki) signing tools that don't accept a _key ID_ parameter * are internally used for GPG signing via PKCS #11 (see [GPG](gpg#configure-gnupg)) * can be provided for macOS CryptoTokenKit as default values (see [macOS](macos#usage-project-signing-policy))
{{ latest_version}} (Recommended){{ include.version }}
{{ cp.name }} + {%- for link in cp.links -%} - {{ link.text }}{%- if forloop.last != true -%}  |  {%- endif -%} + {{ link.text }}{%- if forloop.last != true -%}  |  {%- endif -%} {%- endfor -%} + {%- for link in cp.links -%} + {{ link.text }}{%- if forloop.last != true -%}  |  {%- endif -%} + {%- endfor -%} +
{{ latest_version}} (Recommended){{ latest_version}} (recommended) {{ include.version }}