Signotaur 1.0 Version History

v1.2.0.63

March 10th, 2026

Changes

New Features

  • Added scheduled database backups, configurable via a new Backup settings page.
  • Added --renew [DURATION] and --allow-validity-reduction options to the rotate-key command for API key renewal workflows. --renew extends the new API key's expiry instead of inheriting the old key's expiry, with an optional validity duration, while --allow-validity-reduction permits rotation even when the new key would have a shorter validity period than the original.
  • Added option to test web configuration post-installation from the installer.
  • Added post-expiry reminder interval for certificate expiration notifications. This is configurable via the Notifications settings page and replaces the previous fixed daily post-expiry notification, and defaults to 28 days.

Improvements

  • Settings and profile pages now warn before navigating away from unsaved changes.
  • Added log file retention policy, configurable via the Logging settings page.
  • Added Last Used column and auto-revoke date/time hover tooltip to the API Keys table.
  • Made some UI improvements on settings pages.

Bug Fixes

  • Fixed sorting issue on certificate tables with multiple pages.
  • Fixed over-zealous validation on the External Auth settings page.

v1.2.0.42

February 26th, 2026

Changes

Improvements

  • Added --if-expiring-within option to the rotate-key command to only rotate keys that are approaching expiry within a specified duration (e.g., 7d, 24h, 1w). Added --ignore-already-rotated-error option to suppress errors when a key has already been rotated. Both of these options are useful for CI/CD workflows.
  • The installer now provides backup options during upgrades, allowing users to choose to back up the database, configuration, and certificates before the upgrade proceeds.
  • When a signing request specifies an unsupported algorithm, the server now logs the list of supported algorithms alongside the error, making it easier to diagnose configuration issues.

Infrastructure

  • Updated third-party dependencies to the latest stable versions.

v1.2.0.31

February 11th, 2026

Changes

New Features

New Commands
  • Added new config command with subcommands (init, set, get, show, unset, path) to persist defaults in %USERPROFILE%\.signotaur\config.json. Supported settings include server URL, certificate selectors (thumbprint/label/subject), console theme, output encoding, and allowUntrusted. Command-line arguments override environment variables, which override config file values.
  • Added new rotate-key command to rotate API keys with a configurable overlap period (0–30 days). During overlap, both keys remain valid; the old key is automatically revoked at expiry. This enables planned credential rollover with minimal client disruption. A new ApiKeyRotator role controls who can perform rotations.
  • The rotate-key command supports direct output to CI systems like Continua CI server via the --emit-secret option. Alternatively, the --write-key-file or --write-env-file options can be used to update key files with the new API key atomically.
  • Added new auth set-key command which securely stores API keys to files with owner-only permissions. This supports reading keys from stdin or via environment variables. Optional server verification ensures the key is valid before storing. The key file can then be used as input to other commands.

Sign Command
  • Added new --api-key-file option that allows the API key to be provided via a file instead of the command line. Supports both plain-text files and dotenv format.
  • Added new --api-key-name option that specifies a custom environment variable name or key when reading from a dotenv file (default: SIGNOTAUR_API_KEY).
  • Added new --fai`l-if-expiring-within option that checks API key expiry before signing and fails if the key expires within the specified duration (e.g., 7d, 24h, 1w). Useful for CI/CD pipelines to catch expiring keys early.
  • The SIGNOTAUR_SERVER environment variable can now be used as a fallback for the server URL when --sign-server is not specified.
  • Added new --label option to select certificates by label. When multiple certificates share the same label, the one with the latest expiry is automatically selected, simplifying certificate renewal workflows.

Web UI
  • The certificate page in the Admin section has a new Edit Certificate dialog. This allows editing the certificate alias and also assigning a label to the certificate. The label provides a stable logical identifier as an alternative to thumbprints, so expiring certificates can be replaced without updating client configuration.
  • The Users table in the Admin section has a new Manage API Keys dialog. This allows administrators to select users' API keys to revoke. The server now tracks when API keys were created and last used, and these details are shown next to each key. Each user can now be assigned to the ApiKeyRotator role in the Edit User Dialog.
  • All revoked and expired API keys can now be cleaned up on the API Keys page in the user's Profile section of the Web UI.
  • Added name and avatar of current logged-in user to the header.
  • Page sizes for tables with paging can now be set in the configuration file.

Improvements

  • Certificate selection by subject now chooses the certificate with the latest expiry when multiple certificates match, rather than returning an error.
  • Added short option aliases for all command-line options.
  • Certificate selection logging now shows which selector (thumbprint, label, or subject) was used when multiple were provided. Note selection precedence is: thumbprint → label → subject.
  • Added daily limit to configuration file for API key rotations.
  • Now intercepting more Windows error codes to log friendly error messages on client.
  • Client error output is now cleaner, with stack traces only shown in verbose mode.
  • Improvements to database connections and transactions in multiple threading scenarios.

Security Fixes

  • Fixed a vulnerability due to Windows services requiring service paths to be quoted.
  • Added signature verification for client update manifests to prevent tampering by man-in-the-middle attacks.

Bug Fixes

  • Fixed issue with certificate enabled state not being updated correctly without refreshing the page.
  • Fixed paging issue on admin users table.
  • Fixed issue where avatar was not displayed in admin users table.
  • Fixed issue where debug logging would be displayed in some cases when verbose mode was not enabled.
  • Fixed issue where Create User dialog was not cleared on close.

Infrastructure

  • Updated the .NET runtime to version 10.0.3.
  • Updated third-party dependencies to the latest stable versions.

v1.1.0.89

January 14th, 2025

Changes

New Features

  • The server now sends email notifications to API key owners when keys are approaching expiration or have expired. Notification timing is configurable in server settings.
  • Users can now control which types of email notifications they receive (API keys, code signing certificates, website certificates) from their profile settings.
  • The command-line client now displays warnings when an API key is approaching expiration, helping prevent authentication failures. Further enhancements are planned in a future update.
  • Added a new --theme option to customise console colours (light/dark/general), along with a --no-color option to disable coloured output for CI/CD compatibility.

Improvements

  • Improved robustness when working with PKCS#11 hardware security modules, including automatic recovery from session failures, library re-initialisation on errors, and improved thread safety.
  • Added new Windows error descriptions, making it easier to diagnose signing failures.

Bug Fixes

  • Corrected a problem that prevented notification settings from being saved correctly.
  • Fixed an issue where cancelled operations did not return the correct exit codes.

Infrastructure

  • Updated the .NET runtime to version 10.0.2.
  • Updated third-party dependencies to the latest stable versions.

v1.1.0.69

November 28th, 2025

Changes

New Features

  • Now built and running on .NET 10, delivering improved performance and broader platform compatibility.
  • Added new tabs to the Settings page for configuring logging levels (file, console, and Windows Event Log), event retention, and options such as update checking behaviour and maximum PIN failure limits.

Client Improvements

  • Enabled signature appending on Windows 10 with a warning indicating that this feature is only officially supported on Windows Server 2022, Windows 11, or later.
  • Added support for signing VSTO and ClickOnce applications using a flat folder structure.

Bug Fixes

  • Fixed an issue where notification warning days were being duplicated in the configuration file.

Infrastructure

  • Updated .NET SDK to 10.0.100.
  • Updated third-party dependencies.

v1.1.0.55

November 11th, 2025

Changes

Improvements

  • Added `--sha1|--add-sha1-signature` command line option to allow dual-signing with an additional SHA-1 signature for legacy Windows versions.
  • The alias for new certificate registrations is now defined uniquely using a combination of fields to allow for certificates with the same subject.

v1.1.0.48

November 4th, 2025

Changes

Client Improvements

  • VSTO signing now supports nested VSTO files.
  • Added support for exclude patterns (!) in file specifications for File and --filelist parameters.
  • Added content pattern filtering for dependency files in ClickOnce and VSTO applications using filepattern:contentpattern1:contentpattern2:contentpattern3 syntax for File and --filelist parameters.
  • Added --base-directory option to all commands for resolving relative file paths.
  • Extended the `--strict-lifetime` option to support timestamp-based manifest verification.
  • Enhanced logging messages for better diagnostics.

Server Improvements

  • Added certificate expiration monitoring. Administrators now receive warning notifications before certificate expiration.
  • Added Notifications tab to Settings page for configuration of certificate expiration notification timings.
  • Added Password Policy tab to Settings page for easier configuration of user password restrictions
  • Improved change detection on Settings pages and added Reset button
  • Added key type and bit size information to certificate tables.
  • Website SSL certificates now loaded directly from file to prevent machine keystore permission errors.
  • Further improvements to website SSL certificate validation.
  • Enhanced PKCS#11 session login with improved error handling and access protection.

Infrastructure

  • Updated .NET SDK to 9.0.306.
  • Converted some synchronous methods to asynchronous for improved performance.
  • Updated third-party dependencies.

v1.1.0.14

October 14th, 2025

Changes

New Features

  • ClickOnce and VSTO application signing and verification support.
  • Client tool auto-update functionality with new update command and sign command parameter for auto-updating before signing (will be functional in subsequent releases).

Server Improvements

  • Enhanced website SSL certificate validation with new RevocationCheckMode and AllowUntrustedRoot configuration options.
  • Added configurable PIN attempt limit (MaxAllowedPKCS11PinFailures) to protect PKCS#11 hardware tokens from permanent lockout (default: 2 attempts).
  • Configurable logging levels for Kestrel web service.

Bug Fixes

  • Fixed website SSL certificate validation when specified by subject.

Client Improvements

  • Better error messages with detailed descriptions for signing failures.
  • Warning messages now appear for unrecognised command-line arguments.

Infrastructure

  • Updated .NET SDK to 9.0.305.
  • Updated third-party dependencies.

v1.0.0.507

August 1st, 2025

Changes

Server

  • Fix: A regression bug introduced in v1.0.0.502 caused a database migration to be omitted, resulting in an error after upgrading from a version earlier than v1.0.0.444.

v1.0.0.505

August 1st, 2025

Changes

Server

  • Fix: Auto refresh toggle button was not shown on first load of the Events page.
  • Fix: Default store location when loading website SSL certificate by subject was CurrentUser and did not match text in installer selection which was LocalMachine.
  • Update: Added StoreLocation to config file to enable loading of SSL certificate from a different store location.

Core

  • Updates to third party packages.

 

v1.0.0.502

July 24th, 2025

Changes

Server

  • Feature: New Events page providing administrators with visibility into signing activity, certificate usage, authentication attempts, warnings, and errors.
  • Feature: Added a Service Details button to the website footer. Clicking this provides information about the server operating system, server user account, .NET framework and runtime. This is only visible when logged in as an administrator.
  • Fix: The log file was not rolling over to a new file when the file size limit was reached.

Client

  • Update: Added --verify-cert-chain option to SignotaurTool sign command. This used to turn on certificate chain verification. The existing options --ignore-untrusted-root and --revocation-mode are only relevant to signing when this option is enabled.
  • Update: Added --revocation-mode option to SignotaurTool verify command. The verify command will now check the certificate chain by default unless --revocation-mode is set to 'NoCheck'.
  • Update: Added --strict-lifetime option to SignotaurTool verify command. This can be used to strictly enforce signature validity to the certificate’s validity period when a timestamp is present.

Installer

  • Fix: If the SSL website certificate was defined by subject in the installer, the subject was lost when upgrading with the option to keep existing settings.

Core

  • Updated to .NET SDK version to 9.0.302
  • Updates to third party packages.

 

v1.0.0.459

May 14th, 2025

Changes

  • Update: The Library tab on the Add Certificate dialog has been renamed to Hardware, and the description has been updated to clarify that this is for PKCS#11-compatible hardware tokens.

  • Fix: The Update Certificate Password dialog now closes after successfully updating the password.
  • Fix: Fixed rare error about referencing a delegate that has been garbage collected by native code and possible memory leak.
  • Fix: The password reset process now allows sending the email even if the email address is not confirmed.
  • Fix: The email address is now automatically confirmed when resetting the password from a password reset link.
  • Fix: The email settings are now still marked as configured when the username and password is blank.
  • Fix: The platform not supported error is now handled better when the append signature option is used on Windows 10 or earlier.

  • Updates to some third party packages.

 

v1.0.0.444

April 8th, 2025

Changes

  • Fix: We were not checking whether a user was locked out, disabled or password was expired when logging in
  • Fix: Temporary password status was not reset after password change, resulting in redirection to change password page
  • Fix: Issue where a user cannot be deleted if it has been assign certificate access
  • Fix: Installer now ensures all parent directories are created to prevent error when copying server SSL certificate
  • Fix: Issues with certificate access dialog boxes on users and certificate administration pages not being populated on first open and refreshing after save and reopen
  • Fix: User enabled/disabled status was not updated in database when editing user details

  • Update: Expiration times for temporary passwords, email verification, password reset links, remember me and 2FA remember code can now be specified in the server configuration file. The defaults are 30 minutes for password reset, 12 hours for email verification, one hour for temporary passwords, 14 days for remember me and 30 days for 2FA remember code.
  • Update: Now displaying an icon on the users administration page to indicate if a user has been locked out or disabled.
  • Update: Added --revocation-mode option to client, for specifying how to check for certificate revocation when building the certificate chain. This can be 'Online' to perform live checks (default); 'Offline' to skip online checks using cached data. This can significantly improve signing speed when firewall or network issues block CRL/OCSP requests; or 'NoCheck' to disable all revocation validation, increasing the risk of accepting revoked certificates.
  • Update: Installation is now aborted on unsupported operation systems. Signotaur currently supports Windows 10 / Server 2016 and above.

  • Updates to some third party packages.

 

v1.0.0.423

March 11th, 2025

Changes

  • Feature: Added support to client tool for an enhanced file list format with descriptions and URLs for each file. Each line in the file list now follows the format: FilePath|Description|URL. See --file-list option in (sign command documentation for further details.

  • Update: Email settings now allow configuration of a server without authentication, e.g. with blank username and password.
  • Update: Added secure sockets mode selection to email settings for specifying the type of the SSL and/or TLS encryption that should be used when connecting.
  • Update: Removed "Use HTTPS" option from installers. HTTPS is required.
  • Update: Added --encoding option to all command lines. This can be set to one of UTF8, UTF16, OEMCodePage or CodePage### where ### is the number of the code page to use. The default is UTF8. Note: This is a change to the previous command output which was set to Unicode/UTF16.
  • Update: Added minor hints and information to client tool command line.

  • Fix: Validation errors were not displayed when sending a test email message. This has now been corrected.

  • Updates to some third party packages.

 

v1.0.0.360

December 19th, 2024

Changes

  • Update: Added timestamp command to client tool.
  • Update: Added verify command to client tool.
  • Update: Added fallback timestamp server and verify options to sign command in client tool.
  • Update: Added ability to update the registered token password/pin for PKCS11 library certificates.
  • Update: Added eye to all password fields.
  • Update: Improved the port available check in the installer and added "I know what I'm doing" checkbox to bypass port validation.
  • Update: Improvements to session locking and cache handling when signing using PKCS11 libraries.
  • Update: Error handling improvements.
  • Update: Some minor UI improvements.
  • Updates to some third party packages.

 

v1.0.0.329

December 4th, 2024

Initial Release

Note that if you had the RC or earlier beta build installed, you will need to uninstall and re-install to fix an installer issue - contact support before doing this (we are contacting beta testers and RC customers).

 

v1.0.0.319 Beta

November 18th, 2024

RC 1