SignPath · paulsavoie · Feb 11, 2026 · Feb 11, 2026 · Feb 11, 2026
diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml
@@ -1,3 +1,21 @@
+- date: '2026-02-12'
+  updates:
+    crypto_providers: 
+      version: 6.0.1
+      breaking_changes:
+        - text: |
+            The Windows CSP component for the deprecated [Windows CAPI](https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptographic-service-providers) (Crypto API) is not longer supported.
+        - text: |
+            The following configuration settings have been removed: `Timeouts.HttpRequest`, `Timeouts.FirstRetryDelay` and `Timeouts.RetryCount`. 
+
+            Instead, use the new settings `ServiceUnavailableTimeoutInSeconds` and `HttpRequestTimeoutInSeconds`. 
+
+            See [timeout settings](/crypto-providers#timeout-settings) for details.
+        - text: |
+            The Cryptoki library for Windows is now provided as a separate download and not part of the Windows installer any more (see [download section](/crypto-providers#download)).
+      new_features:
+        - text: The Crypto Providers are now available via stable links on our download share. See the [download section](/crypto-providers#download) for details.
+          issues: [SIGN-8265]
 - date: '2026-01-28'
   updates:
     powershell_module:
@@ -915,7 +933,7 @@
 - date: '2024-10-21'
   updates:
     macos_cryptotokenkit:
-      version: '2.0'
+      version: '2.0.0'
       breaking_changes:
         - text: 'Renamed the command-line parameters to align with the other client tools.'
           issues: [3]

diff --git a/docs/_data/download_links.yml b/docs/_data/download_links.yml
@@ -0,0 +1,28 @@
+cryptoproviders:
+  v1:
+  - id: cryptoki
+    name: 'Cryptoki'
+    links:
+      - text: 'Linux x64 (.tgz)'
+        link: 'https://download.signpath.io/cryptoproviders/cryptoki/$VERSION/linux/x64/libSignPath.Cryptoki.tgz'
+      - text: 'Windows x64 (.zip)'
+        link: 'https://download.signpath.io/cryptoproviders/cryptoki/$VERSION/windows/x64/SignPath.Cryptoki.zip'
+  - id: windows_ksp
+    name: 'Windows KSP'
+    links:
+      - text: 'Installer (.msi)'
+        link: 'https://download.signpath.io/cryptoproviders/windows-ksp/$VERSION/x64/SignPath.Windows.KSP.msi'
+      - text: 'SBOM (CycloneDX .xml)'
+        link: 'https://download.signpath.io/cryptoproviders/windows-ksp/$VERSION/x64/SignPath.Windows.KSP.bom.xml'
+  - id: macos_cryptotokenkit
+    name: 'macOS CryptoTokenKit'
+    links:
+      - text: 'Installer (.dmg)'
+        link: 'https://download.signpath.io/cryptoproviders/macos-cryptotokenkit/$VERSION/SignPathCryptoTokenKit.dmg'
+  - id: notation_plugin
+    name: 'Notation Plugin'
+    links:
+      - text: 'Linux x64 (.tgz)'
+        link: 'https://download.signpath.io/cryptoproviders/notation-plugin/$VERSION/linux/x64/notation-signpath.tgz'
+      - text: 'Windows x64 (.zip)'
+        link: 'https://download.signpath.io/cryptoproviders/notation-plugin/$VERSION/windows/x64/notation-signpath.zip'
diff --git a/docs/_data/menus/documentation.yml b/docs/_data/menus/documentation.yml
@@ -77,7 +77,7 @@
 - text: Crypto Providers
   path: crypto-providers
   items:
-    - text: Windows CSP and KSP
+    - text: Windows KSP
       path: windows
 
     - text: Cryptoki/PKCS#11

diff --git a/docs/_includes/download-cryptoproviders-panel.md b/docs/_includes/download-cryptoproviders-panel.md
@@ -0,0 +1,47 @@
+{% comment %}
+Parameter `major` or `version` must be specified
+Parameter `components` must be specified
+Parameter `title_details` may be specified
+{% endcomment %}
+<blockquote class="panel download">
+<p><strong>Download Crypto Providers {%- if include.title_details != nil %} ({{ include.title_details }}) {%- endif -%}</strong></p>
+{%- assign components_arr = include.components | split: "," -%}
+{%- if include.version == nil -%}
+<p>
+These download links refer to the latest available {{ include.major }}.x version. This is recommended for automated downloads from build scripts. See <a href="/changelog/">Product changes</a> for stable links to a specific version. SignPath Crypto Providers use <a href="https://semver.org/">semantic versioning</a>.
+
+</p>
+   {%- assign major_version = include.major -%}
+{%- else -%}
+   {%- assign major_version = include.version | split: "." | first -%}
+{%- endif --%}
+{%- assign latest_version = major_version | append: "-latest" -%}
+<table>
+   {%- if include.version != nil -%}
+     <tr>
+       <th></th>
+       <th>{{ latest_version}} (recommended)</th>
+       <th>{{ include.version }}</th>
+     </tr>
+   {%- endif -%}
+   {%- for cp in site.data.download_links.cryptoproviders.v1 -%}
+     {%- if components_arr contains cp.id -%}
+        <tr>
+          <td data-label="Type">{{ cp.name }}</td>
+          <td data-label="{{ latest_version }}">
+             {%- for link in cp.links -%}
+             <a href="{{ link.link | replace: '$VERSION', latest_version }}">{{ link.text }}</a>{%- if forloop.last != true -%}&nbsp;&nbsp;|&nbsp;&nbsp;{%- endif -%} 
+             {%- endfor -%}
+          </td>
+          {%- if include.version != nil -%}
+            <td data-label="{{ include.version }}">
+               {%- for link in cp.links -%}
+             <a href="{{ link.link | replace: '$VERSION', include.version }}">{{ link.text }}</a>{%- if forloop.last != true -%}&nbsp;&nbsp;|&nbsp;&nbsp;{%- endif -%} 
+             {%- endfor -%}
+            </td>
+          {%- endif -%}
+        </tr>
+      {%- endif -%}
+    {%- endfor -%}
+</table>
+</blockquote>
diff --git a/docs/_sass/resources.scss b/docs/_sass/resources.scss
@@ -205,7 +205,7 @@ main > section.resources-section {
 				display: inline-block;
 			}
 
-			&.info, &.warning, &.tip {
+			&.info, &.warning, &.tip, &.download {
 				& > p:first-child::before,
 				& > h6:first-child::before {
 					font-family: "Line Awesome Free";
@@ -220,6 +220,15 @@ main > section.resources-section {
 					content: "\f05a";
 				}
 			}
+
+			&.download {
+				background-color: $light-grey-background-color;
+				& > p:first-child::before,
+				& > h6:first-child::before {
+					content: "\f381";
+				}
+			}
+
 			&.tip {
 				background-color: $light-grey-background-color;
 				& > p:first-child::before,

diff --git a/docs/changelog/index.md b/docs/changelog/index.md
@@ -75,6 +75,7 @@ redirect_from:
 				{% comment %} extract component id (e.g. application, crypto_providers, etc.) and release {% endcomment %}
 				{% assign componentid = update[0] %}
 				{% assign release = update[1] %}
+				{% assign major_version = release.version | split: '.' | first | times: 1 %}
 
 				{% assign component_change_type_class_list = 'component' %}
 				{% for changes_per_type in release %}
@@ -109,7 +110,22 @@ redirect_from:
 							</div> <!-- change_type -->
 						{% endif %}
 					{% endfor %}
-				</div>
+					{% assign include_cryptoproviders_download_panel = false %}
+					{%- if componentid == 'macos_cryptotokenkit' and major_version >= 2 -%}
+						{% assign include_cryptoproviders_download_panel = true %}
+					{%- endif -%}
+					{%- if componentid == 'crypto_providers' and major_version >= 6 -%}
+					  {% assign include_cryptoproviders_download_panel = true %}
+					{%- endif -%}
+					{%- if include_cryptoproviders_download_panel -%}
+						{% if componentid == 'crypto_providers' %}
+						  {% assign crypto_provider_components = "cryptoki,windows_ksp" %}
+						{% else %}
+						  {% assign crypto_provider_components = "macos_cryptotokenkit" %}
+						{% endif %}
+						{% include download-cryptoproviders-panel.md version=release.version components=crypto_provider_components %}
+					{%- endif -%}
+				</div> <!-- component -->
 			{% endfor %}
 		{% else %}
 			<p class='no-updates'>No customer facing changes in this release.</p>

diff --git a/docs/crypto-providers/cryptoki.md b/docs/crypto-providers/cryptoki.md
@@ -34,6 +34,7 @@ This section provides general information about using the SignPath Cryptoki libr
 | RedHat       | 8 (latest minor)   |
 | RedHat       | 9 (latest minor)   |
 
+<!-- TODO: this panel (and the next?) is not needed any more - right -->
 {:.panel.info}
 > **Dependency on OpenSSL and `ca-certificates`**
 >
@@ -58,15 +59,11 @@ This section provides general information about using the SignPath Cryptoki libr
 
 #### Windows
 
-The Cryptoki library is installed to `%ProgramFiles%\SignPath\CryptoProviders\SignPath.Cryptoki.dll` by the [MSI installer](/crypto-providers/windows#installation).
-
-Alternatively, you can copy-deploy `Windows\SignPath.Cryptoki.dll` from the Crypto Providers ZIP archive to your target system.
+You can copy-deploy `SignPath.Cryptoki.dll` from the Crypto Providers `.zip` archive to your target system.
 
 #### Linux
 
-Copy-deploy the Cryptoki library `Linux/libSignPath.Cryptoki/$OpenSslVersion/libSignPath.Cryptoki.so` from the Crypto Providers ZIP archive to your target system.
-
-Check the output of `openssl version` on your target system to select the correct OpenSSL version.
+Copy-deploy the Cryptoki library `libSignPath.Cryptoki.so` from the Crypto Providers `.tar.gz` archive to your target system.
 
 ### Configuration
 

diff --git a/docs/crypto-providers/index.md b/docs/crypto-providers/index.md
@@ -3,7 +3,7 @@ header: Crypto Providers
 layout: resources
 toc: true
 show_toc: 3
-description: SignPath Crypto Providers (Cryptoki, KSP, CSP, CryptoTokenKit)
+description: SignPath Crypto Providers (Cryptoki, KSP, CryptoTokenKit)
 ---
 
 {% include editions.md feature="hash_based_signing.rest_api" %}
@@ -12,14 +12,14 @@ description: SignPath Crypto Providers (Cryptoki, KSP, CSP, CryptoTokenKit)
 
 The SignPath Crypto Providers allow signing tools such as [SignTool.exe](/crypto-providers/windows#signtool), [OpenSSL](/crypto-providers/cryptoki#openssl) or [jarsigner](/crypto-providers/cryptoki#jarsigner) to sign files locally using keys or certificates stored and managed by SignPath. 
 
-Crypto Providers are generally used to provide a device-independent API for using secure key storage devices such as USB key tokens or Hardware Security Modules (HSMs). You may think of them as device drivers for crypto hardware. Most software tools used for code signing support one Crypto Provider technology, such as Microsoft KSP/CSP or PKCS #11 Cryptoki.
+Crypto Providers are generally used to provide a device-independent API for using secure key storage devices such as USB key tokens or Hardware Security Modules (HSMs). You may think of them as device drivers for crypto hardware. Most software tools used for code signing support one Crypto Provider technology, such as Microsoft KSP or PKCS #11 Cryptoki.
 
 The SignPath Crypto Providers do not access the crypto hardware directly. Instead, they implement these interfaces to provide access to SignPath _Projects_ and _Signing Policies_. During the entire operation, the private key will remain on the HSM.
 
 {:.panel.info}
 > **Version info**
 >
-> This documentation contains information about the latest version of the CryptoProviders. See the [CryptoProvider changelog](/changelog?component=crypto_providers) or the [macOS CryptoTokenKit changelog](/changelog?component=macos_cryptotokenkit) for updates.
+> This documentation contains information about the latest version of the Crypto Providers. See the [Crypto Provider changelog](/changelog?component=crypto_providers) or the [macOS CryptoTokenKit changelog](/changelog?component=macos_cryptotokenkit) for updates.
 
 ### Crypto Providers
 
@@ -29,7 +29,6 @@ The following Crypto Providers are available for SignPath:
 |-----------------------------------------------|-----------------------------------------------|---------------------|--------------
 | **Cryptoki** (Cryptographic Token Interface)  | [PKCS #11] version 2.40                       | Windows, Linux
 | **KSP** (Key Storage Provider)                | [CNG] (Cryptographic API: Next Generation)    | Windows
-| **CSP** (Cryptographic Service Provider)      | [CAPI] (CryptoAPI)                            | Windows             | This API is deprecated, most tools now use KSP/CNG
 | **CTK** (CryptoTokenKit)                      | [CTK extension]                               | macOS
 
 [PKCS #11]: https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
@@ -68,15 +67,21 @@ With small platform-specific variations, the general flow of a signing operation
 
 As always, the private key does not leave the boundaries of the HSM.
 
-## Installation and usage
+## Download and installation {#download}
 
-Depending on the signing tool you're using, the corresponding Crypto Provider needs to be installed (on all build nodes). See the respective pages:
+Choose the correct package and install it on all build agents ():
 
-* [SignPath KSP and CSP](/crypto-providers/windows) for _SignTool.exe_ and most native Windows tools
-* [SignPath Cryptoki](/crypto-providers/cryptoki) for _OpenSSL_, _jarsigner_, and many other Open Source tools
-* [GPG-based tools](/crypto-providers/gpg), such as _gpg_, _rpm_, or _dkpg-sig_ use the [SignPath Cryptoki Crypto Provider](/crypto-providers/cryptoki) but require additional configuration steps
+* [SignPath Windows KSP](/crypto-providers/windows) for _SignTool.exe_ and most native Windows tools
+* [SignPath Cryptoki library](/crypto-providers/cryptoki) for _OpenSSL_, _jarsigner_, and many other Open Source tools
+* [GPG-based tools](/crypto-providers/gpg), such as _gpg_, _rpm_, or _dkpg-sig_ use the [SignPath Cryptoki library](/crypto-providers/cryptoki) but require additional configuration steps
 * [SignPath CryptoTokenKit](/crypto-providers/macos) for macOS _codesign_
-* Instead of using a CryptoProvider, it is also possible to [sign hashes directly using the REST API](/crypto-providers/rest-api)
+
+<!-- should really include notation_plugin here also and merge other PR -->
+{% include download-cryptoproviders-panel.md major="6" components="cryptoki,windows_ksp" %}
+
+{% include download-cryptoproviders-panel.md major="2" components="macos_cryptotokenkit" title_details="MacOS CryptoTokenKit" %}
+
+Instead of using a CryptoProvider, it is also possible to [sign hashes directly using the REST API](/crypto-providers/rest-api)
 
 ## Configuration {#crypto-provider-configuration}
 
@@ -107,7 +112,7 @@ The [MSI installer](/crypto-providers/windows#installation) for Windows creates
 You will usually specifiy the Project and Signing Policy and let SignPath select the matching certificate.
 
 The following values
-* should be provieded for other [PKCS #11/Cryptoki](cryptoki) signing tools that don't accept a _key ID_ parameter
+* should be provided for other [PKCS #11/Cryptoki](cryptoki) signing tools that don't accept a _key ID_ parameter
 * are internally used for GPG signing via PKCS #11 (see [GPG](gpg#configure-gnupg))
 * can be provided for macOS CryptoTokenKit as default values (see [macOS](macos#usage-project-signing-policy))
 
@@ -129,11 +134,10 @@ Supported log levels: `none`, `fatal`, `error`, `warning`, `info`, `debug`, `ver
 
 #### Timeout settings
 
-| JSON setting                | Environment variable                  | Default Value     | Description
-|-----------------------------|---------------------------------------|-------------------|-------------------------
-| `Timeouts.HttpRequest`      | `SIGNPATH_TIMEOUTS_HTTP_REQUEST`      | `30`              | Timeout for HTTP calls in seconds per attempt
-| `Timeouts.FirstRetryDelay`  | `SIGNPATH_TIMEOUTS_FIRST_RETRY_DELAY` | `1.16`            | Initial delay in seconds in case of failed API HTTP requests
-| `Timeouts.RetryCount`       | `SIGNPATH_TIMEOUTS_RETRY_COUNT`       | `10`              | Maximum number of retries in case of failed API HTTP requests
+| JSON setting                         | Environment variable                               | Default Value | Description
+|--------------------------------------|----------------------------------------------------|---------------|-------------------------
+| `ServiceUnavailableTimeoutInSeconds` | `SIGNPATH_SERVICE_UNAVAILABLE_TIMEOUT_IN_SECONDS ` | `600`         | Total time in seconds that the command will wait for a single service call to succeed (across several retries).
+| `HttpRequestTimeoutInSeconds`        | `SIGNPATH_HTTP_REQUEST_TIMEOUT_IN_SECONDS`         | `30`          | Timeout for HTTP calls in seconds per attempt
 {: .break-column-2}
 
 HTTP timeouts and 5xx server errors (e.g. 503 Service Unavailable errors) are treated as failed requests.
@@ -224,7 +228,7 @@ In order to perform hash-based signing with the Crypto Providers, perform the fo
 
 ### Linux samples {#linux-docker-samples}
 
-The Crypto Provider package contains Linux sample scripts that demonstrate the use of different signing tools, their configuration, and the required dependencies in the `Scenarios` directory. See the `README.md` for the full list. 
+The Cryptoki package for Linux contains sample scripts that demonstrate the use of different signing tools, their configuration, and the required dependencies in the `Scenarios` directory. See the `README.md` for the full list. 
 
 For supported Linux distributions, you can execute the samples using the provided Docker container configurations. See the `Linux/Samples` directory in the Crypto Provider package. See `README.md` for further information and details how to use the `RunScenario.sh` and `RunScenario.ps1` entry point scripts to invoke samples.