diff --git a/docs/_data/editions.yml b/docs/_data/editions.yml index eee4fd8c..4d9645e2 100644 --- a/docs/_data/editions.yml +++ b/docs/_data/editions.yml 
@@ -1,294 +1,299 @@ -- name: Code Signing Starter - title: Code Signing Starter - quotas: - certificates: '1 EV' - certificates-hint: 'Includes a single Extended Validation (EV) certificate' - projects: 'up to 3' - projects-hint: quota-hint - users: 'up to 2' - users-hint: quota-hint - signign_requests_release: 'up to 60' - signign_requests_release-hint: quota-hint - signign_requests_test: 'up to 300' - signign_requests_test-hint: quota-hint - ci_pipelines: '1' - file_based_signing: - authenticode: true - powershell: true - windows_scripting_host: false - clickonce: true - device_drivers: false - office_add_ins: true - opc: true - nuget: true - android: true - java: false - office_macros: false - xml: false - docker: false - sbom: false - raw: false - hash_based_signing: none - artifact_configuration: - deep_signing: true - multiple_configurations_per_project: false - metadata_constraints: false - user_defined_parameters: false - policy_enforcement: - manual_approval: false - quorum_approval: false - signing_policies_per_project: 'test & release' - signing_policies_per_project-hint: 'Each project has predefined policies for test- and release-siging.' - policies_for_certs: false - resubmit: false - disable_malware_scanning: false - pipeline_integrity: - trusted_build_systems: false - origin_verification: false - origin_policies: false - build_validation: false - user_management: - sso: false - scim: false - groups: false - admin_delegation: false - other: - malware_detection: true - hsm_key_storage: true - available_on_premises: false - cert_enrollment: false - support: 'email' - code_signing_consulting: false - link_type: 'pricing_page' - -- name: Code Signing Basic - title: Code Signing Basic - quotas: - certificates: '1 EV' - certificates-hint: 'Includes a single Extended Validation (EV) certificate' - projects: 'up to 10' - projects-hint: 'You may use several artifact configurations per project, e.g. for different components. 
Click "buy now" and add projects to adjust quota.' - users: 'up to 15' - users-hint: quota-hint - signign_requests_release: 'up to 500' - signign_requests_release-hint: quota-hint - signign_requests_test: 'up to 2500' - signign_requests_test-hint: quota-hint - ci_pipelines: '1 per project' - file_based_signing: - authenticode: true - powershell: true - windows_scripting_host: false - clickonce: true - device_drivers: true - office_add_ins: true - opc: true - nuget: true - android: true - java: true - office_macros: false - xml: false - docker: false - sbom: false - raw: false - hash_based_signing: none - artifact_configuration: - deep_signing: true - multiple_configurations_per_project: true - metadata_constraints: false - user_defined_parameters: false - policy_enforcement: - manual_approval: true - quorum_approval: false - signing_policies_per_project: 'test & release' - signing_policies_per_project-hint: 'Each project has predefined policies for test- and release-siging.' - policies_for_certs: false - resubmit: false - disable_malware_scanning: false - pipeline_integrity: - trusted_build_systems: false - origin_verification: false - origin_policies: false - build_validation: false - user_management: - sso: false - scim: false - groups: false - admin_delegation: false - other: - malware_detection: true - hsm_key_storage: true - available_on_premises: false - cert_enrollment: false - support: 'email' - code_signing_consulting: false - link_type: 'pricing_page' - -- name: Advanced Code Signing - title: Advanced Code Signing - quotas: - certificates: 'unlimited' - projects: 'unlimited' - users: 'unlimited' - signign_requests_release: 'unlimited' - signign_requests_test: 'unlimited' - ci_pipelines: 'unlimited' - file_based_signing: - authenticode: true - powershell: true - windows_scripting_host: true - clickonce: true - device_drivers: true - office_add_ins: true - opc: true - nuget: true - android: true - java: true - office_macros: true - xml: true - docker: true 
- sbom: true - raw: true - hash_based_signing: none - artifact_configuration: - deep_signing: true - multiple_configurations_per_project: true - metadata_constraints: true - user_defined_parameters: true - policy_enforcement: - manual_approval: true - quorum_approval: true - signing_policies_per_project: 'unlimited' - policies_for_certs: true - resubmit: true - disable_malware_scanning: true - pipeline_integrity: - trusted_build_systems: Optional - origin_verification: Optional - origin_policies: true - build_validation: true - user_management: - sso: true - scim: true - groups: true - admin_delegation: true - other: - malware_detection: true - hsm_key_storage: true - available_on_premises: true - cert_enrollment: true - support: 'priority' - support-hint: 'Priority support using email, phone and screen sharing' - code_signing_consulting: 'available' - link_type: 'sales_email' - -- name: Code Signing Gateway - title: Code Signing Gateway - quotas: - certificates: 'unlimited' - projects: 'n/a' - users: 'unlimited' - signign_requests_release: 'unlimited' - signign_requests_test: 'unlimited' - ci_pipelines: 'unlimited' - file_based_signing: none - hash_based_signing: - windows_providers: true - cryptoki_library: true - crypto_token_kit: true - rest_api: true - artifact_configuration: - deep_signing: false - multiple_configurations_per_project: true - multiple_configurations_per_project-hint: Not supported by crypto providers - metadata_constraints: false - user_defined_parameters: true - user_defined_parameters-hint: Not supported by crypto providers - policy_enforcement: - manual_approval: true - manual_approval-hint: Not supported by crypto providers - quorum_approval: true - signing_policies_per_project: 'unlimited' - policies_for_certs: true - resubmit: false - disable_malware_scanning: 'n/a' - pipeline_integrity: - trusted_build_systems: Optional - origin_verification: Optional - origin_verification-hint: Not supported by crypto providers - origin_policies: true 
- build_validation: true - user_management: - sso: true - scim: true - groups: true - admin_delegation: true - other: - malware_detection: false - hsm_key_storage: true - available_on_premises: true - cert_enrollment: true - support: 'priority' - support-hint: 'Priority support using email, phone and screen sharing' - code_signing_consulting: 'available' - link_type: 'sales_email' - -- name: Open Source Code Signing - title: Open Source Code Signing - quotas: - certificates: '1 standard' - certificates-hint: 'Includes one standard (OV) code signing certificate issued to SignPath Foundation' - projects: 'unlimited' - projects-hint: 'OSS teams must apply for each project individually.' - users: 'unlimited' - signign_requests_release: 'fair use' - signign_requests_test: 'fair use' - ci_pipelines: '1 per project' - file_based_signing: - authenticode: true - powershell: true - windows_scripting_host: true - clickonce: true - device_drivers: false - device_drivers-hint: Due to changes in Microsoft's policies, device driver signing now requires EV certificates and attestation signing. Currently we cannot provide EV certificates to OSS projects. 
- office_add_ins: true - opc: true - nuget: true - android: true - java: true - office_macros: false - xml: false - docker: true - sbom: false - raw: false - hash_based_signing: none - artifact_configuration: - deep_signing: true - multiple_configurations_per_project: true - metadata_constraints: 'required' - user_defined_parameters: true - policy_enforcement: - manual_approval: 'required' - quorum_approval: true - signing_policies_per_project: 'unlimited' - policies_for_certs: 'required' - resubmit: true - pipeline_integrity: - trusted_build_systems: 'required' - origin_verification: 'required' - origin_policies: 'required' - build_validation: 'required' - disable_malware_scanning: false - user_management: - sso: false - scim: false - groups: true - admin_delegation: true - other: - malware_detection: true - hsm_key_storage: true - available_on_premises: false - cert_enrollment: false - support: 'email' - code_signing_consulting: false - link_type: 'support_email' +- name: Code Signing Starter + title: Code Signing Starter + quotas: + certificates: '1 EV' + certificates-hint: 'Includes a single Extended Validation (EV) certificate' + projects: 'up to 3' + projects-hint: quota-hint + users: 'up to 2' + users-hint: quota-hint + signign_requests_release: 'up to 60' + signign_requests_release-hint: quota-hint + signign_requests_test: 'up to 300' + signign_requests_test-hint: quota-hint + ci_pipelines: '1' + file_based_signing: + authenticode: true + powershell: true + windows_scripting_host: false + clickonce: true + device_drivers: false + office_add_ins: true + opc: true + nuget: true + android: true + java: false + office_macros: false + xml: false + docker: false + sbom: false + raw: false + hash_based_signing: none + artifact_configuration: + deep_signing: true + multiple_configurations_per_project: false + metadata_constraints: false + user_defined_parameters: false + policy_enforcement: + manual_approval: false + quorum_approval: false + 
signing_policies_per_project: 'test & release' + signing_policies_per_project-hint: 'Each project has predefined policies for test- and release-siging.' + policies_for_certs: false + resubmit: false + disable_malware_scanning: false + pipeline_integrity: + trusted_build_systems: false + origin_verification: false + origin_policies: false + build_validation: false + user_management: + sso: false + scim: false + groups: false + admin_delegation: false + other: + malware_detection: true + hsm_key_storage: true + select_key_algorithm: false + available_on_premises: false + cert_enrollment: false + support: 'email' + code_signing_consulting: false + link_type: 'pricing_page' + +- name: Code Signing Basic + title: Code Signing Basic + quotas: + certificates: '1 EV' + certificates-hint: 'Includes a single Extended Validation (EV) certificate' + projects: 'up to 10' + projects-hint: 'You may use several artifact configurations per project, e.g. for different components. Click "buy now" and add projects to adjust quota.' + users: 'up to 15' + users-hint: quota-hint + signign_requests_release: 'up to 500' + signign_requests_release-hint: quota-hint + signign_requests_test: 'up to 2500' + signign_requests_test-hint: quota-hint + ci_pipelines: '1 per project' + file_based_signing: + authenticode: true + powershell: true + windows_scripting_host: false + clickonce: true + device_drivers: true + office_add_ins: true + opc: true + nuget: true + android: true + java: true + office_macros: false + xml: false + docker: false + sbom: false + raw: false + hash_based_signing: none + artifact_configuration: + deep_signing: true + multiple_configurations_per_project: true + metadata_constraints: false + user_defined_parameters: false + policy_enforcement: + manual_approval: true + quorum_approval: false + signing_policies_per_project: 'test & release' + signing_policies_per_project-hint: 'Each project has predefined policies for test- and release-siging.' 
+ policies_for_certs: false + resubmit: false + disable_malware_scanning: false + pipeline_integrity: + trusted_build_systems: false + origin_verification: false + origin_policies: false + build_validation: false + user_management: + sso: false + scim: false + groups: false + admin_delegation: false + other: + malware_detection: true + hsm_key_storage: true + select_key_algorithm: false + available_on_premises: false + cert_enrollment: false + support: 'email' + code_signing_consulting: false + link_type: 'pricing_page' + +- name: Advanced Code Signing + title: Advanced Code Signing + quotas: + certificates: 'unlimited' + projects: 'unlimited' + users: 'unlimited' + signign_requests_release: 'unlimited' + signign_requests_test: 'unlimited' + ci_pipelines: 'unlimited' + file_based_signing: + authenticode: true + powershell: true + windows_scripting_host: true + clickonce: true + device_drivers: true + office_add_ins: true + opc: true + nuget: true + android: true + java: true + office_macros: true + xml: true + docker: true + sbom: true + raw: true + hash_based_signing: none + artifact_configuration: + deep_signing: true + multiple_configurations_per_project: true + metadata_constraints: true + user_defined_parameters: true + policy_enforcement: + manual_approval: true + quorum_approval: true + signing_policies_per_project: 'unlimited' + policies_for_certs: true + resubmit: true + disable_malware_scanning: true + pipeline_integrity: + trusted_build_systems: Optional + origin_verification: Optional + origin_policies: true + build_validation: true + user_management: + sso: true + scim: true + groups: true + admin_delegation: true + other: + malware_detection: true + hsm_key_storage: true + select_key_algorithm: true + available_on_premises: true + cert_enrollment: true + support: 'priority' + support-hint: 'Priority support using email, phone and screen sharing' + code_signing_consulting: 'available' + link_type: 'sales_email' + +- name: Code Signing Gateway + title: 
Code Signing Gateway + quotas: + certificates: 'unlimited' + projects: 'n/a' + users: 'unlimited' + signign_requests_release: 'unlimited' + signign_requests_test: 'unlimited' + ci_pipelines: 'unlimited' + file_based_signing: none + hash_based_signing: + windows_providers: true + cryptoki_library: true + crypto_token_kit: true + rest_api: true + artifact_configuration: + deep_signing: false + multiple_configurations_per_project: true + multiple_configurations_per_project-hint: Not supported by crypto providers + metadata_constraints: false + user_defined_parameters: true + user_defined_parameters-hint: Not supported by crypto providers + policy_enforcement: + manual_approval: true + manual_approval-hint: Not supported by crypto providers + quorum_approval: true + signing_policies_per_project: 'unlimited' + policies_for_certs: true + resubmit: false + disable_malware_scanning: 'n/a' + pipeline_integrity: + trusted_build_systems: Optional + origin_verification: Optional + origin_verification-hint: Not supported by crypto providers + origin_policies: true + build_validation: true + user_management: + sso: true + scim: true + groups: true + admin_delegation: true + other: + malware_detection: false + hsm_key_storage: true + select_key_algorithm: true + available_on_premises: true + cert_enrollment: true + support: 'priority' + support-hint: 'Priority support using email, phone and screen sharing' + code_signing_consulting: 'available' + link_type: 'sales_email' + +- name: Open Source Code Signing + title: Open Source Code Signing + quotas: + certificates: '1 standard' + certificates-hint: 'Includes one standard (OV) code signing certificate issued to SignPath Foundation' + projects: 'unlimited' + projects-hint: 'OSS teams must apply for each project individually.' 
+ users: 'unlimited' + signign_requests_release: 'fair use' + signign_requests_test: 'fair use' + ci_pipelines: '1 per project' + file_based_signing: + authenticode: true + powershell: true + windows_scripting_host: true + clickonce: true + device_drivers: false + device_drivers-hint: Due to changes in Microsoft's policies, device driver signing now requires EV certificates and attestation signing. Currently we cannot provide EV certificates to OSS projects. + office_add_ins: true + opc: true + nuget: true + android: true + java: true + office_macros: false + xml: false + docker: true + sbom: false + raw: false + hash_based_signing: none + artifact_configuration: + deep_signing: true + multiple_configurations_per_project: true + metadata_constraints: 'required' + user_defined_parameters: true + policy_enforcement: + manual_approval: 'required' + quorum_approval: true + signing_policies_per_project: 'unlimited' + policies_for_certs: 'required' + resubmit: true + pipeline_integrity: + trusted_build_systems: 'required' + origin_verification: 'required' + origin_policies: 'required' + build_validation: 'required' + disable_malware_scanning: false + user_management: + sso: false + scim: false + groups: true + admin_delegation: true + other: + malware_detection: true + hsm_key_storage: true + select_key_algorithm: false + available_on_premises: false + cert_enrollment: false + support: 'email' + code_signing_consulting: false + link_type: 'support_email' diff --git a/docs/_data/featuregroups.yml b/docs/_data/featuregroups.yml index 7afa071f..844b6cce 100644 --- a/docs/_data/featuregroups.yml +++ b/docs/_data/featuregroups.yml 
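Review bot: Every line of docs/_data/editions.yml is removed and re-added here, so the one substantive change — the new `select_key_algorithm` key under `other` for each edition (`false` for Starter, Basic and Open Source, `true` for Advanced and Gateway) — is buried in a whole-file rewrite and will be invisible to `git blame`; the featuregroups.yml and managing-certificates.md hunks in this commit show the same pattern. A full-file churn with identical content usually points to a line-ending or trailing-whitespace normalization; if that is the case here, committing the normalization separately (or at least confirming with `git diff -w` that nothing else changed) would make the actual feature addition reviewable. The new key is added without a companion `select_key_algorithm-hint`, while the Gateway edition annotates several of its `true` entries with `Not supported by crypto providers`; if algorithm selection has the same limitation for KSP/CSP, Cryptoki or CTK clients, a `select_key_algorithm-hint: Not supported by crypto providers` line would keep that column consistent — I cannot tell from this file whether it applies.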
@@ -1,211 +1,215 @@ -- name: quotas - title: 'Quotas' - features: - - name: certificates - title: 'Code signing certificates' - hint: 'Number and type of code signing certificates included with each subscription.' - href: '/product/editions-explained#code-signing-certificates' - - name: projects - title: 'Projects' - hint: 'Projects availabe for each subscription. Projects define artifacts and policies, and assign certificates and permissions.' - href: '/product/editions-explained#projects' - - name: users - title: 'Users' - hint: 'Named users that interact with SignPath. No licenses required for CI user accounts or build agents.' - href: '/product/editions-explained#users' - - name: signing_requests - title: 'Signing requests' - hint: 'Signing requests (think software packages or releases) per year. Each signing request may contain multiple files.' - href: '/product/editions-explained#signing-requests' - - name: signign_requests_release - title: 'release-signing' - hint: 'Signing requests using your EV certificate' - class: f sub - - name: signign_requests_test - title: 'test-signing' - hint: 'Signing request using a test certificate that must be installed on target machines. Used for testing the signing configuration, signing internal builds, release candidates etc.' - class: f sub - - name: ci_pipelines - title: 'CI pipelines' - hint: 'Limits the number of parallel signing requests.' - href: '/product/editions-explained#ci-pipelines' - -- name: file_based_signing - title: 'Signing methods and file types' - href: '/product/editions-explained#file-based-signing' - features: - - name: authenticode - title: 'Windows Authenticode' - hint: 'Windows programs, installers, packages and components. This includes the file types EXE and DLL files, MSI and MSIX installers, AppX packages and bundles, cabinet (CAB) and catalog (CAT) files, and a few other formats.' - sub: '.exe .msi
.appx ...' - - name: powershell - title: 'PowerShell scripts' - sub: '.ps1 .psm1 ...' - - name: windows_scripting_host - title: 'Windows Scripting' - hint: 'VBScript and JScript files for Windows Scripting Host' - sub: '.wsh .vbs .js' - - name: clickonce - title: 'ClickOnce applications' - sub: '.manifest' - - name: device_drivers - title: 'Windows device drivers' - hint: 'EV signing (attestation and HLK) and cross-signing' - sub: '.drv .sys
.hlkx ...' - - name: nuget - title: 'NuGet packages' - sub: '.nupkg' - - name: office_add_ins - title: 'Office add-ins' - sub: '.manifest' - - name: opc - title: 'Visual Studio extensions' - sub: '.vsix' - - name: android - title: 'Android apps' - hint: 'APK signing scheme v1' - sub: '.apk' - - name: java - title: 'Java archives' - sub: '.jar .war .ear' - - name: office_macros - title: 'Microsoft Office Macros' - hint: 'Sign VBA macros in Microsoft Office files: Excel, Word, Powerpoint, Visio, Project, Publisher' - sub: '.xlsm .xlst
.docm ...' - href: '/product/editions-explained#office-macros' - - name: xml - title: 'XML files' - hint: 'XMLDSIG signatures' - sub: '.xml' - href: '/product/editions-explained#xml-signing' - - name: docker - title: 'Container images' - sub: 'cosign, DCT/Notary' - href: '/product/editions-explained#container-signing' - - name: sbom - title: 'SBOMs' - hint: 'Software/SaaS/Hardware/... Bills of Material' - sub: 'CycloneDX XML' - href: '/product/editions-explained#sbom-signing' - - name: raw - title: 'Raw signatures' - hint: 'Create detached raw signatures (signature blocks)' - -- name: hash_based_signing - title: 'Crypto providers and hash signing' - href: '/product/editions-explained#hash-based-signing' - features: - - name: windows_providers - title: 'Windows KSP/CSP' - hint: 'Sign files using various Windows tools with SignPath KSP (CNG) and CSP (CAPI)' - - name: cryptoki_library - title: 'Cryptoki/PKCS #11' - hint: 'Sign files using various PKCS# 11 compliant tools with SignPath Cryptoki library for Windows and Linux' - - name: crypto_token_kit - title: 'Apple CryptoTokenKit' - hint: 'Sign files for macOS, iOS etc. using macOS signing tools with SignPath CTK library' - - name: rest_api - title: 'REST API' - hint: 'Use the SignPath REST API for custom integration and advanced scenarios not supported by crypto providers' - -- name: artifact_configuration - title: 'Artifact configuration' - features: - - name: deep_signing - title: 'Deep signing' - hint: 'Sign files contained in installers, packages, add-ins etc.' - href: '/product/editions-explained#deep-signing' - - name: multiple_configurations_per_project - title: 'Multiple versions' - hint: 'Projects can have multiple named artifact configurations (e.g. for versioning).' - href: '/product/editions-explained#multiple-versions' - - name: metadata_constraints - title: 'Metadata constraints' - hint: 'Verify that artifacts comply with specified metadata.' 
- href: '/product/editions-explained#metadata-constraints' - - name: user_defined_parameters - title: 'User-defined parameters' - hint: 'Pass user-defined parameters to signing requests.' - href: '/product/editions-explained#user-defined-parameters' - -- name: policy_enforcement - title: 'Policy enforcement' - features: - - name: manual_approval - title: 'Manual approval' - hint: 'Require manual approval for certain signing policies.' - href: '/product/editions-explained#manual-approval' - - name: quorum_approval - title: 'Quorum approval' - hint: 'Require a certain number of approvals from a list of possible approvers (a.k.a. k-out-of-n approval).' - class: f sub - - name: signing_policies_per_project - title: 'Signing policies per project' - hint: 'For each project, signing policies define signing permissions and policies for a specific certificate.' - href: '/product/editions-explained#signing-policies-per-project' - - name: resubmit - title: 'Resubmit' - hint: 'Resubmit signing requests for signing using different policies and/or certificates, e.g. for final signing of release candidates' - href: '/product/editions-explained#resubmit' - - name: policies_for_certs - title: 'Certificate policies' - hint: 'Specify minimum requirements e.g. for release certificates.' - href: '/product/editions-explained#certificate-policies' - -- name: pipeline_integrity - title: 'Pipeline Integrity' - features: - - name: trusted_build_systems - title: 'Trusted Build Systems' - hint: 'Verify that signing requests originate from a trusted build system.' - - name: origin_verification - title: 'Origin verification' - hint: 'Source code repository and build metadata are automatically collected and verified.' - href: '/product/editions-explained#origin-verification' - - name: origin_policies - title: 'Origin-based policies' - hint: 'Base approval decisions and policy automation on origin metadata.' 
- class: f sub - - name: build_validation - title: 'Build validation' - hint: 'Automatically checks build configurations for security weaknesses.' - class: f sub - -- name: user_management - title: 'User management' - features: - - name: sso - title: 'Single sign-on' - hint: 'Connect to your authentication provider using SAML or OpenID Connect.' - - name: scim - title: 'Entra ID/Azure AD sync' - hint: > - Synchronize users and groups from your organization´s Entra ID/Azure Active Directory using SCIM. - - name: groups - title: 'User groups' - hint: 'Arrange your users into groups for easier assignment of permissions in signing policies.' - - name: admin_delegation - title: 'Delegation of administration' - hint: 'Administration of projects can be delegated to project configurators' - -- name: other - title: 'Other' - features: - - name: malware_detection - title: 'Malware detection' - hint: 'Artifacts are scanned for viruses and other threats before signing.' - - name: hsm_key_storage - title: 'HSM key storage' - hint: 'Private keys are created and stored on a Hardware Security Module (HSM). Signatures are created by the HSM, private keys cannot be exported.' - - name: available_on_premises - title: 'Self-hosted option' - hint: 'Deploy SignPath in your own organization on-premises or in a Private Cloud for full control, unlimited processing and reduced bandwith consumption.' - - name: cert_enrollment - title: 'Automatic certificate enrollment' - hint: 'Integrate with your Certificate Authority via EST (Enrollment over Secure Transport, RFC 7030)' - - name: support - title: 'Support' - - name: code_signing_consulting - title: 'Professional services' - hint: 'Training and consulting for SignPath, CI integration, code signing technologies and security.' - +- name: quotas + title: 'Quotas' + features: + - name: certificates + title: 'Code signing certificates' + hint: 'Number and type of code signing certificates included with each subscription.' 
+ href: '/product/editions-explained#code-signing-certificates' + - name: projects + title: 'Projects' + hint: 'Projects availabe for each subscription. Projects define artifacts and policies, and assign certificates and permissions.' + href: '/product/editions-explained#projects' + - name: users + title: 'Users' + hint: 'Named users that interact with SignPath. No licenses required for CI user accounts or build agents.' + href: '/product/editions-explained#users' + - name: signing_requests + title: 'Signing requests' + hint: 'Signing requests (think software packages or releases) per year. Each signing request may contain multiple files.' + href: '/product/editions-explained#signing-requests' + - name: signign_requests_release + title: 'release-signing' + hint: 'Signing requests using your EV certificate' + class: f sub + - name: signign_requests_test + title: 'test-signing' + hint: 'Signing request using a test certificate that must be installed on target machines. Used for testing the signing configuration, signing internal builds, release candidates etc.' + class: f sub + - name: ci_pipelines + title: 'CI pipelines' + hint: 'Limits the number of parallel signing requests.' + href: '/product/editions-explained#ci-pipelines' + +- name: file_based_signing + title: 'Signing methods and file types' + href: '/product/editions-explained#file-based-signing' + features: + - name: authenticode + title: 'Windows Authenticode' + hint: 'Windows programs, installers, packages and components. This includes the file types EXE and DLL files, MSI and MSIX installers, AppX packages and bundles, cabinet (CAB) and catalog (CAT) files, and a few other formats.' + sub: '.exe .msi
.appx ...' + - name: powershell + title: 'PowerShell scripts' + sub: '.ps1 .psm1 ...' + - name: windows_scripting_host + title: 'Windows Scripting' + hint: 'VBScript and JScript files for Windows Scripting Host' + sub: '.wsh .vbs .js' + - name: clickonce + title: 'ClickOnce applications' + sub: '.manifest' + - name: device_drivers + title: 'Windows device drivers' + hint: 'EV signing (attestation and HLK) and cross-signing' + sub: '.drv .sys
.hlkx ...' + - name: nuget + title: 'NuGet packages' + sub: '.nupkg' + - name: office_add_ins + title: 'Office add-ins' + sub: '.manifest' + - name: opc + title: 'Visual Studio extensions' + sub: '.vsix' + - name: android + title: 'Android apps' + hint: 'APK signing scheme v1' + sub: '.apk' + - name: java + title: 'Java archives' + sub: '.jar .war .ear' + - name: office_macros + title: 'Microsoft Office Macros' + hint: 'Sign VBA macros in Microsoft Office files: Excel, Word, Powerpoint, Visio, Project, Publisher' + sub: '.xlsm .xlst
.docm ...' + href: '/product/editions-explained#office-macros' + - name: xml + title: 'XML files' + hint: 'XMLDSIG signatures' + sub: '.xml' + href: '/product/editions-explained#xml-signing' + - name: docker + title: 'Container images' + sub: 'cosign, DCT/Notary' + href: '/product/editions-explained#container-signing' + - name: sbom + title: 'SBOMs' + hint: 'Software/SaaS/Hardware/... Bills of Material' + sub: 'CycloneDX XML' + href: '/product/editions-explained#sbom-signing' + - name: raw + title: 'Raw signatures' + hint: 'Create detached raw signatures (signature blocks)' + +- name: hash_based_signing + title: 'Crypto providers and hash signing' + href: '/product/editions-explained#hash-based-signing' + features: + - name: windows_providers + title: 'Windows KSP/CSP' + hint: 'Sign files using various Windows tools with SignPath KSP (CNG) and CSP (CAPI)' + - name: cryptoki_library + title: 'Cryptoki/PKCS #11' + hint: 'Sign files using various PKCS# 11 compliant tools with SignPath Cryptoki library for Windows and Linux' + - name: crypto_token_kit + title: 'Apple CryptoTokenKit' + hint: 'Sign files for macOS, iOS etc. using macOS signing tools with SignPath CTK library' + - name: rest_api + title: 'REST API' + hint: 'Use the SignPath REST API for custom integration and advanced scenarios not supported by crypto providers' + +- name: artifact_configuration + title: 'Artifact configuration' + features: + - name: deep_signing + title: 'Deep signing' + hint: 'Sign files contained in installers, packages, add-ins etc.' + href: '/product/editions-explained#deep-signing' + - name: multiple_configurations_per_project + title: 'Multiple versions' + hint: 'Projects can have multiple named artifact configurations (e.g. for versioning).' + href: '/product/editions-explained#multiple-versions' + - name: metadata_constraints + title: 'Metadata constraints' + hint: 'Verify that artifacts comply with specified metadata.' 
+ href: '/product/editions-explained#metadata-constraints' + - name: user_defined_parameters + title: 'User-defined parameters' + hint: 'Pass user-defined parameters to signing requests.' + href: '/product/editions-explained#user-defined-parameters' + +- name: policy_enforcement + title: 'Policy enforcement' + features: + - name: manual_approval + title: 'Manual approval' + hint: 'Require manual approval for certain signing policies.' + href: '/product/editions-explained#manual-approval' + - name: quorum_approval + title: 'Quorum approval' + hint: 'Require a certain number of approvals from a list of possible approvers (a.k.a. k-out-of-n approval).' + class: f sub + - name: signing_policies_per_project + title: 'Signing policies per project' + hint: 'For each project, signing policies define signing permissions and policies for a specific certificate.' + href: '/product/editions-explained#signing-policies-per-project' + - name: resubmit + title: 'Resubmit' + hint: 'Resubmit signing requests for signing using different policies and/or certificates, e.g. for final signing of release candidates' + href: '/product/editions-explained#resubmit' + - name: policies_for_certs + title: 'Certificate policies' + hint: 'Specify minimum requirements e.g. for release certificates.' + href: '/product/editions-explained#certificate-policies' + +- name: pipeline_integrity + title: 'Pipeline Integrity' + features: + - name: trusted_build_systems + title: 'Trusted Build Systems' + hint: 'Verify that signing requests originate from a trusted build system.' + - name: origin_verification + title: 'Origin verification' + hint: 'Source code repository and build metadata are automatically collected and verified.' + href: '/product/editions-explained#origin-verification' + - name: origin_policies + title: 'Origin-based policies' + hint: 'Base approval decisions and policy automation on origin metadata.' 
+ class: f sub + - name: build_validation + title: 'Build validation' + hint: 'Automatically checks build configurations for security weaknesses.' + class: f sub + +- name: user_management + title: 'User management' + features: + - name: sso + title: 'Single sign-on' + hint: 'Connect to your authentication provider using SAML or OpenID Connect.' + - name: scim + title: 'Entra ID/Azure AD sync' + hint: > + Synchronize users and groups from your organization´s Entra ID/Azure Active Directory using SCIM. + - name: groups + title: 'User groups' + hint: 'Arrange your users into groups for easier assignment of permissions in signing policies.' + - name: admin_delegation + title: 'Delegation of administration' + hint: 'Administration of projects can be delegated to project configurators' + +- name: other + title: 'Other' + features: + - name: malware_detection + title: 'Malware detection' + hint: 'Artifacts are scanned for viruses and other threats before signing.' + - name: hsm_key_storage + title: 'HSM key storage' + hint: 'Private keys are created and stored on a Hardware Security Module (HSM). Signatures are created by the HSM, private keys cannot be exported.' + - name: select_key_algorithm + title: 'Key algorithm options' + href: '/documentation/managing-certificates#key-algorithms-and-lengths' + hint: 'All editions support RSA 4096.' + - name: available_on_premises + title: 'Self-hosted option' + hint: 'Deploy SignPath in your own organization on-premises or in a Private Cloud for full control, unlimited processing and reduced bandwith consumption.' + - name: cert_enrollment + title: 'Automatic certificate enrollment' + hint: 'Integrate with your Certificate Authority via EST (Enrollment over Secure Transport, RFC 7030)' + - name: support + title: 'Support' + - name: code_signing_consulting + title: 'Professional services' + hint: 'Training and consulting for SignPath, CI integration, code signing technologies and security.' + 
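Review bot: The new `select_key_algorithm` entry under the `other` group places `href` before `hint`, whereas every other entry in this file that has both keys lists `hint` first (for example `certificates`, `deep_signing`, `manual_approval`); swapping the two lines keeps the file's ordering convention. The hint `'All editions support RSA 4096.'` states only the common baseline and not what the feature itself controls, so a reader of the comparison table cannot tell what `true` buys them; something like `hint: 'All editions support RSA 4096; see the linked page for the algorithms and key lengths available in each edition.'` would at least point to the answer. The `href` anchor `/documentation/managing-certificates#key-algorithms-and-lengths` must match a heading introduced in this commit's managing-certificates.md hunk, which is cut off in this view, so that the link does not resolve to the top of the page should be verified before merge.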
diff --git a/docs/documentation/managing-certificates.md b/docs/documentation/managing-certificates.md index 4c8f6517..b8415a41 100644 --- a/docs/documentation/managing-certificates.md +++ b/docs/documentation/managing-certificates.md 
@@ -1,28 +1,44 @@
----
-main_header: Documentation
-sub_header: Managing Certificates
-layout: resources
-toc: true
-description: How to manage code signing certificates in SignPath
----
-
-## Overview
-
-SignPath helps you control access to your code signing certificates. You have to decide how many code signing certificates you need in your organization. Depending on your business model, you might want to use one certificate across your entire organizations or have separate certificates for each project or customer.
-
-## Test and Release certificates
-
-* Use **test certificates** during the development process. You can test your release process and sign every build. Test certificates are not created by a commercial CA and are therefore not trusted by operating systems or browsers. Artifacts that were mistakenly or even maliciously signed by a test certificate cannot affect your users and customers. You can read more about how to roll out and manage test certificates in your infrastructure in the [knowledge base](/code-signing/test-certificates).
-* Use dedicated **release certificates** for each published version of your software. SignPath allows you to enforce stricter policies for release certificates.
-
-## Certificate types
-
-With SignPath, you have three options for creating or importing a certificate:
-
-* **Self-signed certificates** are not signed by any certificate authority and therefore not trusted. You can use them for testing your release process.
-* **Certificate signing requests (CSRs)** can be created using SignPath. You can use the CSR to purchase a certificate from a trusted certificate authority (CA). By creating a CSR, you ensure that the private key is created directly on our hardware security module (HSM) and cannot be compromised. This is the recommended way for securing your code signing process.
-* **PFX files** can be imported into SignPath. If you already own a certificate, you can simply upload it. However, as your private key may have already been exposed, we recommend to use PFX imports only as a temporary solution. (Only available for RSA keys.)
-
-## Restrictions
-
-SignPath allows you to configure restrictions for certificates. You can, for instance, specify that all signing requests that are using the certificate must be manually approved.
+---
+main_header: Documentation
+sub_header: Managing Certificates
+layout: resources
+toc: true
+description: How to manage code signing certificates in SignPath
+---
+
+## Overview
+
+SignPath helps you control access to your code signing certificates. You have to decide how many code signing certificates you need in your organization. Depending on your business model, you might want to use one certificate across your entire organizations or have separate certificates for each project or customer.
+
+## Test and Release certificates
+
+* Use **test certificates** during the development process. You can test your release process and sign every build. Test certificates are not created by a commercial CA and are therefore not trusted by operating systems or browsers. Artifacts that were mistakenly or even maliciously signed by a test certificate cannot affect your users and customers. You can read more about how to roll out and manage test certificates in your infrastructure in the [knowledge base](/code-signing/test-certificates).
+* Use dedicated **release certificates** for each published version of your software. SignPath allows you to enforce stricter policies for release certificates.
+
+## Certificate types
+
+With SignPath, you have three options for creating or importing a certificate:
+
+* **Self-signed certificates** are not signed by any certificate authority and therefore not trusted. You can use them for testing your release process.
+* **Certificate signing requests (CSRs)** can be created using SignPath. You can use the CSR to purchase a certificate from a trusted certificate authority (CA). By creating a CSR, you ensure that the private key is created directly on our hardware security module (HSM) and cannot be compromised. This is the recommended way for securing your code signing process.
+* **PFX files** can be imported into SignPath. If you already own a certificate, you can simply upload it. However, as your private key may have already been exposed, we recommend to use PFX imports only as a temporary solution. (Only available for RSA keys.)
+
+## Key algorithms and lengths
+
+All editions support the default key format RSA 4096.
+
+{% include editions.md feature="other.select_key_algorithm" %}
+
+In supported editions, the following key algorithms and lengths are available:
+
+* RSA: 2048, 3072, 4096, 8192 bits
+* ECDSA NIST: P256, P384, P521
+* ECDSA Brainpool: P256r1, P384r1, P512r1
+
+The availability of keys may be limited for certain key stores/HSMs.
+
+Note that not all signing methods support all key algorithms and lenghts. SignPath shows known incompatibilities when selecting a key algorithm.
+
+## Restrictions
+
+SignPath allows you to configure restrictions for certificates. You can, for instance, specify that all signing requests that are using the certificate must be manually approved.