2.10 (2025.06.23)

• added JavaScript signing
• added PKCS#11 provider support (requires OpenSSL 3.0+)
• added support for providers without specifying "-pkcs11module" option
  (OpenSSL 3.0+, e.g., for the upcoming CNG provider)
• added compatibility with the CNG engine version 1.1 or later
• added the "-engineCtrl" option to control hardware and CNG engines
• added the '-blobFile' option to specify a file containing the blob content
• improved unauthenticated blob support (thanks to Asger Hautop Drewsen)
• improved UTF-8 handling for certificate subjects and issuers
• fixed support for multiple signerInfo contentType OIDs (CTL and Authenticode)
• fixed tests for python-cryptography >= 43.0.0

2.9 (2024.06.29)

• added a 64 bit long pseudo-random NONCE in the TSA request
• missing NID_pkcs9_signingTime is no longer an error
• added support for PEM-encoded CRLs
• fixed the APPX central directory sorting order
• added a special "-" file name to read the passphrase from stdin
  (by Steve McIntyre)
• used native HTTP client with OpenSSL 3.x, removing libcurl dependency
• added '-login' option to force a login to PKCS11 engines
  (by Brad Hughes)
• added the "-ignore-crl" option to disable fetching and verifying
  CRL Distribution Points
• changed error output to stderr instead of stdout
• various testing framework improvements
• various memory corruption fixes

2.8 (2024.03.03)

• Microsoft PowerShell signing sponsored by Cisco Systems, Inc.
• fixed setting unauthenticated attributes (Countersignature, Unauthenticated
  Data Blob) in a nested signature
• added the "-index" option to verify a specific signature or modify its
  unauthenticated attributes
• added CAT file verification
• added listing the contents of a CAT file with the "-verbose" option
• added the new "extract-data" command to extract a PKCS#7 data content to be
  signed with "sign" and attached with "attach-signature"
• added PKCS9_SEQUENCE_NUMBER authenticated attribute support
• added the "-ignore-cdp" option to disable CRL Distribution Points (CDP)
  online verification
• unsuccessful CRL retrieval and verification changed into a critical error
• the "-p" option modified to also use to configured proxy to connect CRL
  Distribution Points
• added implicit allowlisting of the Microsoft Root Authority serial number
  00C1008B3C3C8811D13EF663ECDF40
• added listing of certificate chain retrieved from the signature in case of
  verification failure

2.7 (2023.09.19)

• fixed signing CAB files (by Michael Brown)
• fixed handling of unsupported commands (by Maxim Bagryantsev)
• fixed writing DIFAT sectors
• added APPX support (by Maciej Panek and Małgorzata Olszówka)
• added a built-in TSA response generation (-TSA-certs, -TSA-key
  and -TSA-time options)

2.6 (2023.05.29)

• modular architecture implemented to simplify adding file formats
• added verification of CRLs specified in the signing certificate
• added MSI DIFAT sectors support (by Max Bagryantsev)
• added legacy provider support for OpenSSL 3.0.0 and later
• fixed numerous bugs

2.5 (2022.08.12)

• fixed the Unix executable install path
• fixed the hardcoded "pkcs11" engine id
• fixed building with MinGW
• fixed testing with the python3 distributed with Ubuntu 18.04

2.4 (2022.08.02)

• migrated the build system from GNU Autoconf to CMake
• added the "-h" option to set the cryptographic hash function for the "attach -signature" and "add" commands
• set the default hash function to "sha256"
• added the "attach-signature" option to compute and compare the leaf certificate hash for the "add" command
• renamed the "-st" option "-time" (the old name is accepted for compatibility)
• updated the "-time" option to also set explicit verification time
• added the "-ignore-timestamp" option to disable timestamp server signature verification
• removed the "-timestamp-expiration" option
• fixed several bugs
• updated the included documentation
• enabled additional compiler/linker hardening options
• added CI based on GitHub Actions

2.3 (2022.03.06)

CRITICAL SECURITY VULNERABILITIES

This release fixes several critical memory corruption vulnerabilities.
A malicious attacker could create a file, which, when processed with
osslsigncode, triggers arbitrary code execution. Any previous version
of osslsigncode should be immediately upgraded if the tool is used for
processing of untrusted files.

• fixed several memory safety issues
• fixed non-interactive PVK (MSBLOB) key decryption
• added a bash completion script
• added CA bundle path auto-detection

2.2 (2021.08.15)

• CAT files support (thanks to James McKenzie)
• MSI support rewritten without libgsf dependency, which allows
  for handling of all the needed MSI metadata, such as dates
• "-untrusted" option renamed to "-TSA-CAfile"
• "-CRLuntrusted" option renamed to "-TSA-CRLfile"
• numerous bug fixes and improvements

2.1 (2020-10-11)

• certificate chain verification support
• timestamp verification support
• CRL verification support ("-CRLfile" option)
• improved CAB signature support
• nested signatures support
• user-specified signing time ("-st" option) by vszakats
• added more tests
• fixed numerous bugs
• dropped OpenSSL 1.1.0 support