Digital Signature Service - DSS

⚠️ Important Notice – Trusted List v6 (TLv6) Migration

In line with the updated ETSI TS 119 612 v2.3.1 specifications, the new Trusted List v6 (TLv6) format will soon be enforced.

All stakeholders and system integrators are strongly advised to ensure that their systems are compatible with TLv6.

Failure to upgrade may impact the ability to access or validate Trusted Lists correctly.

➡️ For more information, please click here.

Latest version

Access and download DSS 6.2

Here, you can access and download the latest version of the Digital Signature Services open-source library released in February 2025. You can read more about DSS and how it can help you below.

Access to Bitbucket source code

Access to Github source code

Download the DSS Demonstration WebApp

Source code is available in zip and tar.gz

What is DSS?

Purpose of the service

DSS (Digital Signature Services) is an open-source software library for electronic signature creation and validation. DSS supports the creation and verification of interoperable and secure electronic signatures in line with European legislation. In particular, DSS aims to follow the eIDAS Regulation and related standards closely.

DSS can be re-used in an IT solution for electronic signatures to ensure that signatures are created and verified in line with European legislation and standards. DSS allows re-use in a variety of different ways: in an applet, in a stand-alone application or in a server application. DSS can also be used as a reference implementation for IT solutions which do not directly re-use it. Demos are also available to assist the use of DSS as a reference implementation. DSS was developed by Nowina Solutions and is maintained up-to-date via new releases.

Users of the service

The Digital Europe eSignature DSS service is intended for Service Providers active in the implementation of e-signature solutions.

Benefits of the service

Digital Europe eSignature's DSS open-source library delivers the following benefits to its users:

Open-source software under LGPL 2.1, a non-viral open source license;
Written in Java, guaranteeing portability on numerous platforms;
Interoperability of the e-signatures;
Supports both e-signatures and e-seals;
Validation of countersignatures and multiple signatures;
A flexible library, that can be:
- Reused in different topologies: in an applet, as a stand-alone application, server-based, or any combination;
- Used in its entirety or on a module-by-module basis;
- Adapted to numerous usages via configuration files or extension points;
Alignment with the eIDAS Regulation and related standards;
Supports EU standards on:
- Signature formats and packaging methods;
- Signature validation procedures;
Validation relying on Member States' trusted lists:
- Status of trust service providers/trust service, compensation of information, path validation.

How can it be used?

The library, realised in Java, is open-source, available to all Member States, businesses and citizens for re-use in electronic signature solutions. It is continuously updated and maintained to anticipate and follow developments in regulations and standards.

Anyone can integrate it and redistribute it under the terms of the Lesser General Public License (LGPL 2.1).

In accordance with ETSI standards, DSS supports various document and signature formats including PAdES, XAdES, CAdES and ASiC and is compliant with Implementing Decision 2015/1506/EU. A “cook-book” is also provided with documentation targeting implementers/developers and aiming at facilitating the integration and use of DSS in their applications.

Validation of qualified and advanced signatures and seals

In anticipation of the ETSI standard, TS 119 172-4, which is currently being drafted with the aim of standardising a “signature validation policy for European qualified electronic signatures/seals using trusted lists”, eSignature Building Block’s provides its interpretation of the eIDAS Regulation's requirements for the validation of qualified and advanced signatures and seals.

This algorithm has been designed following discussions and meetings with experts involved in the field, in the context of the Digital Europe eSignature Building Block. This algorithm is to be considered as guidelines for implementers, or parties interested in understanding how QES validation is implemented in DSS.

The algorithm (available below) focuses on determining 3 sub-conclusions:

- Whether the certificate is qualified

- What is the type of this certificate

- Whether the corresponding private key is protected by a QSCD.

Qualified electronic signature (QES) validation algorithm.pdf

Demonstration tool

Demos of DSS for electronic signature creation, extension and validation

The Digital Europe eSignature building block maintains a demonstration tool that allows everybody interested in the DSS functionalities to try them out.

The demo tool is a web application that, among others, allows users to:

upload and sign a document
upload and sign multiple documents
access REST / SOAP webservices
extend an electronic signature
validate an electronic signature

The DSS demonstration tool is accessible from here

Releases and Bitbucket

DSS releases are part of the eSignature service offering.

The Digital Europe eSignature building block collects all issues, bugs, or requests for change in the DSS project's JIRA. More information on how to use JIRA can be found here.

Source code is also made available on the DSS Bitbucket repository.

Documentation

Documentation is available in HTML, PDF and Javadoc.

Releases

Summary of current version

Version

Release date

Features

6.2

February 2025

Main new features / improvements :

Trusted List v6 support (ETSI TS 119 612 v2.3.1);
Support of trust anchors with sunset date (ETSI EN 319 102-1);
PdfBox 3 upgrade;
Memory configuration on PAdES creation (large files signing);
Recognition of PAdES Extended Profiles (ETSI EN 319 142-2);
'AnyValidationData' (XAdES) and 'anyValData' (JAdES) unsigned properties support;
ECDSA with SHA3 support for XAdES signatures;
Configurable validation of ats-hash-index(-v3) attribute for CAdES archive-time-stamp-v3;
Transitive validation of ASiCArchiveManifest references;
Automatic RSA encoding on signing with SignatureTokenConnection;
Support of 'noRevAvail' (OID: 2.5.29.56) certificate extension;
CertificateVerifier checks can be skipped (signing, augmentation);
Cryptographic constraints update;
Added validation time property on signature validation with REST/SOAP webServices;
Dependencies update (BouncyCastle, xmlsec, FOP, HttpClient5, json-sKema, etc.);
Java 23 support.

Bug fixes / issues :

Encapsulation of timestamp validation data within CertificateValues/RevocationValues unsigned properties;
Encapsulation of signature validation data within TimeStampValidationData unsigned property;
XAdESPath contain imports from jaxb related modules;
crlSign key usage check enforced on augmentation for online CRLs;
PAdES ByteRange is not checked when exceeding PDF's size;
Slow XAdES validation with large amount of datafiles;
XAdES DataObjectFormat misses reference to KeyInfo element;
Failed validation of detached CMS signature when using not id-data content type;
Inconsistent ats-hash-index-v3 building for non Baseline or invalid CAdES structures;
Invalid ASiC-S with CAdES creation, when CMS is provided as input;
Deadlock in TLValidationJob on TL URL change when CacheCleaner is not used;
DiagnosticData misses certificate references when custom TokeIdentifierProvider is used;
CXF OpenAPI generates wrong JSON schema (webApplication);
dss-crl-parser-stream invalidates some CRLs signed by RSASSA-PSS;
XAdES validation fails in case of tempered `ds:KeyInfo` certificate;
AlertOnNoRevocationAfterBestSignatureTime returns NextUpdate before current time.

Past releases

Version	Release date	Features
6.2.RC1	December 2024	-
6.1.1	March 2025	Main new features / improvements : Trusted List v6 support (ETSI TS 119 612 v2.3.1); Updated dependencies (BouncyCastle, VeraPdf, FOP, logback); Fixed expired unit tests.
6.1	September 2024	Main new features / improvements : ASN.1 Evidence Records (RFC 4998) support; Document digest generator for Evidence Record creation; ETSI EN 319 102-1 v1.4.1 implementation; ETSI TS 119 182-1 implementation (support of 'iat' header, relaxed 'crit' header processing, etc.); Support of ISO 32001 and ISO 32002; Upgraded default cryptographic algorithms (default SHA-512, RSASSA-PSS, deprecated MaskGenerationFunction, etc.); Refactoring of jaxb dependencies (optional for signature creation/augmentation); .sha2 file support on Trusted Lists loading; Configurable revocation skip constraints; Configurable reference validation from XML Manifest; Possibility to add an LT signature within an LTA document; PDF Annotation modification detection; Customizable timestamp validation in SignatureValidationContext; JAdES : added base64url encoding REST/SOAP API endpoints; Dependencies update; Java 22 support. Bug fixes / issues : LTA timestamp does not impact best-signature-time; Expired OCSP responder impacts signing-certificate validation; QCForLegalPerson qualifier is not processed correctly; Possible memory leak in XAdESSignature on Santuario signature creation; Unable to sign large files with ASiC; Visual modification detection depends on order of signature creation; NPE on certain evidence records processing; PdfByteRangeDocument cannot be used on signature validation; Inconsistent signature page handling when signing in existing signature fields; Unable to create xades signature with empty namespace prefix; DSS returns XAdES-BASELINE-* for a signature without signing-certificate in KeyInfo; Cannot compile Transformer for Simple Report PDF when using Saxon-HE 12.4; Validation fails when SigningCertificateDigestAlgorithm constraint level is higher than failed Cryptographic level; Evidence record validation fixes; CertificateValues/RevocationValues have invalid format in ETSI Validation Report; JAXBPKILoader : invalid behavior for multiple cross certificates; Dockerfile fix.
6.1.RC1	July 2024	-
6.0.1	March 2025	Main new features / improvements : Trusted List v6 support (ETSI TS 119 612 v2.3.1); Updated dependencies (BouncyCastle, VeraPdf, FOP, logback); Fixed expired unit tests. Bug fixes / issues : Possible memory leak during XAdES signature creation; CertificateValues/RevocationValues incorrect format in ETSI Validation Report.
6.0	December 2023	Main new features / improvements : Transition from javax.* to jakarta.* namespaces; Demos : webapp migrated from Spring to Spring-Boot 3; Demos : removed sscd-mocca-adapter module. Bug fixes / issues : KeyEntityTSPSource : add null safe processing. + All the changes included in DSS 5.13. NOTE: This version uses jakarta.* namespaces. Use DSS 5.13 for javax.* support.
5.13.1	March 2025	Main new features / improvements : Trusted List v6 support (ETSI TS 119 612 v2.3.1); Updated dependencies (BouncyCastle, VeraPdf, FOP, logback); Fixed expired unit tests. Bug fixes / issues : Possible memory leak during XAdES signature creation; CertificateValues/RevocationValues incorrect format in ETSI Validation Report.
5.13	December 2023	Main new features / improvements : RFC 6283 XML Evidence Records (XMLERS) validation support; Offline PKI Factory; Support of new standard versions TS 119 102-2 v1.4.1 and TS 119 615 v1.2.1; Validation of detached time-stamps considers POEs from other time-stamps; XAdES : added support of EdDSA algorithm; XAdES : support of a custom DataObjectFormat element; JAdES : added support of "x5u" header; Added support for OCSP responders without nonce; Added qualification information messages to simple certificate report; Added optional validation constraint for enforced time-stamp presence and validity verification; Added Dockerfile to run DSS Demo WebApp; Dependencies update (BouncyCastle, Apache Santuario, PdfBox, OpenPdf, etc.); Documentation improvements; Java 21 support. Bug fixes / issues : XAdES : fixed signing of XML documents with comments / non UTF-8 encoding; XAdES : fixed signature creation with custom DSSReference definition; PAdES : improved LT-level determination algorithm; ASiC : fixed false negative validation result on ASiC-S container validation with a manifest; Adjusted OCSP nonce generation to required 32 octets; Fixed multi-threading issue within ZipUtils; Fixed NullPointerException in DiagnosticData when validating with a custom trusted list certificate source; Demo WebApp : fixed custom validation time input field on a certificate validation webpage; Demo WebApp : added a customizable property to skip RSA keys validation (fixes issue with long application launching); Other minor fixes and improvements.
5.13.RC1	November 2023	-
5.12.1	June 2023	Main new features / improvements: Improved Trust Service validation and qualification status reporting; Improved MRA processing; Dependencies update; Demonstrations : improved eSig validation tests. Bug fixes / issues: Fixed Diagnostic Data unmarshalling on certificate validation; Fixed NullPointerException on unknown Digest Algorithm; WebApp : fixed OCSP load with disabled JDBC source.
5.12	April 2023	Main new features / improvements : PAdES : signature creation with external CMS provider; PAdES : added PDF/A validation support; PAdES : spoofing attack detection; PAdES : improved performance and memory consumption on signature validation; PAdES : VRI dictionary made optional; XAdES : less memory consuming message-imprint computation; JAdES : added support of EdDSA algorithms; Validation : improved RFC 5280 conformance; Validation : return INDETERMINATE/CERTIFICATE_CHAIN_GENERAL_FAILURE if no acceptable revocation found; Validation policy : improved handling of expired cryptographic algorithms; DataLoader : removed default SSL-protocol definition; DataLoader : added an option of pre-emptive basic authentication; SignatureTokenConnection : possibility to filter keys; REST/SOAP services : added a setter of default validation policy; REST/SOAP services : added a signing method with a provided SignatureAlgorithm; Simple report : added information about trust anchors; Add support for SAML metadata XSD; Removed redundant xml-apis and commons-codec dependencies declaration; DSS Standalone : signing of multiple document; DSS Standalone : extension of signed documents; DSS Standalone : validation of documents; WebApp : add a property to define a custom trusted certificate source; Dependencies update (BouncyCastle, HttpClient5, Apache Santuario, PdfBox, etc.); Documentation improvement (F.A.Q. section, offline support, etc.); Java 19 support. Bug fixes / issues : PAdES : unable to extend a document with /DSS dictionary before a timestamp; PAdES : improved code to preserve PDF/A documents validity; PAdES : fixed text auto-fitting function in certain configurations; PAdES : ensure DocMDP is created as a direct object; CAdES : OCSP responses incorporation for CAdES-BASELINE-LT profile; XAdES : improved handling of custom DSSReference configurations; XAdES : fixed rare issue with inability to create ENVELOPED signature; Fixed extension of not AdES signatures with a revoked certificate; TLValidationJob : fixed unexpected exception and thread stuck during the refresh; NativeHTTPDataLoader : threads can get stuck; JdbcCacheConnector : improved code to allow some database implementations; SubjectAlternativeName certificate extension extraction; Skipping ProspectiveCertificateChain always results to PASSED; Unknown MRA equivalence URI caused an error.
5.12.RC1	February 2023	-
v5.11.1	November 2022	Main new features / improvements : • Maven Central release; • Update vulnerable dependencies. Bug fixes : • Fixed URN OID extraction from an XML Trusted List.
v5.11	October 2022	Main new features / improvements : PAdES : improved PDF-signing performance (add caching of the temporary revision); PAdES : introduce temporary document processing factory (e.g. in-file or in-memory); PAdES : simplified configuration of modification detection modules; PAdES : added signing app name for signature; ASiC : introduce ASiC Merger; ASiC : improved ASiC in-file processing (avoid loading document into memory); XAdES : add support of a custom CommitmentType qualifier; CAdES : improved signature file extension naming; TL-validation : Trust Service equivalence scheme and Mutual Recognition Agreement support; Other : dependencies update (Apache Santuario, PdfBox, OpenPdf, httpclient5, etc.); Demo : eSignature Validation Test Cases automated validation module; Demo : added ASiC Merger webpage; Standalone app : add TL signing function; Standalone app : add XMLManifest signing function; Java 18 support. Bug fixes : Qualification determination : Improved algorithm to comply with TS 119 615 + fixed issues; JAdES : signature can be created with ECDSA algorithm using a wrong elliptic curve; LTA signature is indeterminate because no revocations lists found; Exception when a not supported encryption algorithm is provided; Validation for ASiC without mimetype returns FORMAT_FAILURE; Skipped AcceptableRevocationDataFound constraint may lead to false positive validation result; ASiC : unable to proceed validation of CEN-header invalid files; SimpleReport : fix valid signatures counter; Demo : fix proxy configuration conversion.
v5.11.RC1	August 2022	-
v5.10.2	October 2022	Main new features / improvements : Maven Central release; Update vulnerable dependencies. Bug fixes : Fixed validation of signatures with invalid cryptographic algorithm OID; Fixed URN OID extraction from an XML Trusted List.
v5.10.1	April 2022	Main new features / improvements : Cookbook update; PAdES : object modification detection; PAdES : visual signature preview; PAdES : avoid repeated creation of OCSP/CRL tokens; PAdES : enforce signature creation/validation against ISO 32 000 restrictions (DocMDP, Lock, etc.); XAdES and CAdES : added support of extended profiles on validation; ASiC services refactoring (various improvements); WebService to sign a Trusted List; Apple KeyStore as a signature token connection; ED448 signature algorithm support; Demo : new viewer for XML reports; Dependencies upgrade (HttpClient5, BouncyCastle, Santuario, logback, etc.); Java 17 support. Bug fixes : PAdES : erroneously triggered visual signature difference warning; PAdES : wrong LT-/LTA-level determination for documents with multiple signatures; PAdES : original documents extraction does not work against carriage return; XAdES : NPE on validation of XAdES v.1.1.1, 1.2.2; JAdES : wrong payload computation for 'sigD' with ObjectIdByURI mechanism; ASiC : MimeType is lost on re-signature; Signature policy caching issue; Revocation freshness checks use different values across the code; Demo : jumping rows on collapse of TL-validation table; Demo : inability to sign when encryption algorithm of the token is different from the one used in signature; Demo : wrong encoding on uploaded filenames containing non-ASCII characters.
v5.10	March 2022	New features: Add an Apple signature token Add 'user notice' to signature policy PAdES : detect prohibited changes SimpleReport : add timestamp signature scopes Invalid signatures can be made with Revoked and Suspended certificates on level B and T SAV : verify if used digest algorithm for signing-certificate reference is reliable at validation time PAdES : check if a visual signature field is within page size PAdES : alert on restricted signature creation SVC : return possible extension time on failed signature augmentation Add support for SHA-3 with PLAIN-ECDSA and ED448 signature algorithms PAdES : visual signature pre-visualization Bugs: Add a content timestamp checkbox ignored when signing a digest DSS demo : improve exception escalating on content timestamp creation
v5.10.RC1	January 2022	-
v5.9	September 2021	Many improvements in the validation reports AIASource introduction : more customizations Customization of revocation collection strategy (OCSP/CRL first) DocumentBuilderFactory securities ECDSA / ECDSA-PLAIN support JAdES (JSON AdES) consolidations PAdES visual signature refactorings / improvements : Image scaling : STRETCH / ZOOM_AND_CENTER / CENTER Text wrapping : BOX_FILL / FILL_BOX_AND_LINEBREAK / FONT_BASIC Dependency upgrades (Santuario, BouncyCastle, PDFBox,…) Java 16 support Bug fixes : Short term OCSP response On hold certificate Qualification conflict (issuance time / best signing time) ASiC-S can’t be timestamped twice PAdES revision extraction PAdES wrong level detection (files with multiple signatures/timestamps) ETSI Validation report : multiple files / references
v5.9.RC1	July 2021	-
v5.8	February 2021	JAdES implementation (ETSI TS 119 182 v0.0.6) : signature creation, extension and validation (advanced electronic signatures based on JWS) PDF Shadow attacks : prevention and detection Counter Signature creation (CAdES, XAdES, JAdES and ASiC containers) Support of the unsigned attribute SignaturePolicyStore (CAdES, XAdES, JAdES and ASiC containers) Support of the QCLimitValue attribute Support of Java 8 up to 15
v5.8.RC1	December 2020	-
v5.7	August 2020	CertificatePool removal and performance ameliorations QWAC validator New design of PDF reports Support of PSD2 attributes Support of EdDSA Signature representation with a timeline Visual signature creation with REST/SOAP webservices
v5.7.RC1	June 2020	-
v5.6	March 2020	Complete rewriting of the TL/LOTL loading with: online / offline refresh 3 caches (download / parse / validate) multiple LOTL support multiple TL support (not linked to a LOTL) Pivot LOTL support Synchronization strategy (eg : expired TL/LOTL are rejected/accepted) multi-lingual support (trust service matching) alerting (eg : LOTL/OJ location desynchronization,...) complete reporting (summary of download / parsing / validation) Independant timestamp creation and validation (not linked to a signature, with ASiC and PDF) Timestamp qualification Internationalization of the validation reports Multiple Trusted Sources support XAdES support of different prefixes / versions
v5.6.RC1	January 2020	-
v5.5	October 2019	The implementation of the ETSI Validation Report The support of Java 12 (multi-release jars) Webservice which allows to validate certificates.
v5.5.RC1	August 2019	-
v5.4.3	August 2019	-
v5.4	January 2019	Augmentation of signatures with invalid time-stamps, archive-time-stamps and revoked certificates Upgrade to Java 8 or 9 Certify documents Add support of KeyHash in OCSP Responses
v5.4.RC1	October 2018	-
v5.3.2	October 2018	Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3
v5.3.1	July 2018	Certificate validation content-timestamps generation SHA-3 support non-EU trusted list(s) support integration of the last version of MOCCA
v5.3	May 2018	Certificate validation content-timestamps generation SHA-3 support non-EU trusted list(s) support integration of the last version of MOCCA
v5.3.RC1	April 2018	-
v5.2.1	October 2018	Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3
v5.2	December 2017	Qualification matrix guidelines and documentation Improvements regarding visual representation of a signature Alternative packaging: Image docker / spring-boot CRL streaming, the demo won’t use the X509CRL java object by default (it can be changed). With some signatures, we had large CRLs (+60Mo in Estonia) and that could cause memory issues. RSASSA-PSS support, I received some requests to support these algorithms : SHA1withRSAandMGF1 SHA224withRSAandMGF1 SHA256withRSAandMGF1 SHA384withRSAandMGF1 SHA512withRSAandMGF1
v5.2.RC2	December 2017	-
v5.2.RC1	September 2017	-
v5.1	September 2017	-
v5.1.RC1	June 2017	-
v5.0	April 2017	Refactoring of ASiC format handling, following the ETSI ASiC Plugtest Signature of multiple files (ASiC and XAdES) Integration of the Qualification matrix as described in draft ETSI 119 172-4, for supporting signatures before and after 01/07/2016 (eIDAS entry into force) Migration to PDFBox 2 for handling PDFs Complete refactoring of the ASiC part (creation, extension and validation) Compliance to eIDAS regulation.
v5.0.RC1	January 2017	-
v4.7	October 2016	A XAdES PlugTest is planned in October / November 2015. Remaining changes resulting from this PlugTest and not included in v4.6 may be included in this release. An eSignature Validation PlugTest is planned in April 2016. Depending on the actual timeframe, impacts from this PlugTest may be included in this release, and the release of DSS 4.7 will be postponed accordingly. Other potential improvements and features: Extension of signature validation policy support CAdES attribute certificates CRL in multiple parts Distributed timestamps method Support of cross-certification in path building
v4.7.RC2	September 2016	-
v.4.7.RC1	June 2016	-
v4.6 *	08.03.2016	Based on standards: Signature formats when creating a signature: baseline profiles ETSI TS 103 171, 103 172, 103 173, and 103 174 Signature formats when validating a signature: baseline profiles, and core specs ETSI TS 101 903, 101 733, 102 778 and 102 918 Signature validation process ETSI TS 102 853 Improvements in packaging and core functionalities: CAdES optimisation, CAdES multiple Signer Information. A CAdES PlugTest is occurring in June and July 2015. Changes resulting from this PlugTest will be included in this release. CAdES countersignature will not be supported. Impacts from XAdES PlugTest of October 2015 Processing of large files Further refactoring of demo applet (size, validation policy editor) SOAP and REST Web Services Standalone demo application
v4.6.RC2	18.01.2016	-
v4.6.RC1	02.11.2016	-
v4.5.0	25.09.2015	-
v4.5.0.RC2	18.08.2015	-
v4.5.0.RC1	01.07.2015	-
v4.4.0	25.06.2015	-
v4.4.RC2	20.04.2015	-
v4.4.RC1	05.03.2015	-
...

* October 2015: Implementing Acts Art. 27 & 37 (eSig formats)

The main purpose of this milestone is to align DSS on the Implementing Acts of Art. 27, 37 of eIDAS published in September 2015.

Please note that, as these Implementing Acts published in September 2015 will first designate the “former standards” (baseline profiles ETSI TS 103 171, 103 172, 103 173, and 103 174) and not the upcoming ETSI EN 319 1x2, it was decided to rename this release as DSS 4.6 and not DSS 5.0. The major version DSS 5.0 will be used when these Implementing Acts will be modified in 2016 to point to ETSI EN 319 1x2.

Trusted List v6 Support

Following a publication of the new standard ETSI TS 119 612 v2.3.1 "Trusted Lists", in order to help with the transition of applications to a new version of Trusted Lists v6, we provide patches for the following versions of DSS:

6.1 → 6.1.1
6.0 → 6.0.1
5.13 → 5.13.1

All main versions starting with DSS 6.2 already include support of Trusted Lists v6.

Please consider that use of older versions should be discouraged.

If your installation uses the EU LOTL or EU MS Trusted Lists in any process, we strongly encourage you to upgrade your DSS version.

More information about the migration procedure can be found at each version's webpage.

Security information

Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

5.2 → 5.2.1
5.3.0 / 5.3.1 → 5.3.2

Please consider that use of older versions should be discouraged.

XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validations against different kinds of attack: XML Signature Wrapping (XSW), XPath injections, Server Side Request Forgeries (SSRF) and XML External Entities (XEE).

While upgrading, be sure that your integration :

- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK7u40+, JDK8 or higher)

PAdES

If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a fix of PdfBox to patch vulnerabilities.

Contribute

If you would like to speak to us about suggested improvement for Digital Europe eSignature, we would love to hear from you. Please contact us by clicking on the button below.

Click here to see the DSS Jira project's current issue list.

Thanks for downloading DSS

We would greatly appreciate if you could also help us enhance the user experience of this website and fill in this survey to tell us who you are:

Sector required

Private

Public

Company or organisation: required

Email address required

In compliance with our record and privacy statement, I accept that CEF uses the information I have provided for:

Update required

registering and receiving important notifications (e.g. security updates) regarding DSS)

Marketing

marketing activities e.g. the organisation of events, live webinars etc.

On-boarding

on-boarding activities such as contacting relevant stakeholders and explaining the building blocks etc.

Download date

I don't wish to participate

Page tree