SP 1.202 and 1.203 change logs

docs/_data/changelog.yml

@@ -1,3 +1,48 @@
+- date: '2026-01-13'
+  updates:
+    application:
+      version: 1.203.0
+      improvements:
+        - text: |-
+            Deep signing with long file paths (> 260 characters) is now supported.
+          issues: [SIGN-8248]
+    self_hosted_installations:
+      version: 1.203.0
+      breaking_changes:
+        - text: |
+            SignService charts: Moved Application Insights connection string from `appSecrets.signService.applicationInsights.connectionString` to `appSecrets.shared.applicationInsights.connectionString`.
+          issues: [SIGN-7578]
+- date: '2025-12-16'
+  updates:
+    application:
+      version: 1.202.0
+      breaking_changes:
+        - text: |
+            Improved naming of "verify origin policy" on signing policy objects.
+            * Changed in REST API the property `verifyOrigin` to `verifyOriginPolicy` and `originVerification` to `originPolicyVerification` in the following routes:
+              * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies`
+              * `POST /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}`
+            * Changed in REST API the property `verifiesOrigin` to `verifiesOriginPolicy` in the following routes:
+              * `GET /v1/{organizationId}/Projects/{slug}`
+              * `GET /v1/{organizationId}/Projects/{projectSlug}/SigningPolicies/{signingPolicySlug}`
+          issues: [SIGN-8033, SIGN-8259]
+      new_features:
+        - text: |-
+            Added support for file-based RPM Package Manager (`.rpm`) signing via [`<rpm-sign>`](/artifact-configuration/reference#rpm-sign).
+          issues: [SIGN-8134, SIGN-8162]
+      improvements:
+        - text: |
+            ???
+          issues: [SIGN-8171]
+        - text: |
+            Improved the history view on the organization details page (added a few missing fields).
+          issues: [SIGN-8172]
+    self_hosted_installations:
+      version: 1.202.0
+      upgrade_information:
+        - text: |-
+            All Windows containers switched from Windows Server 2019 to 2022 base images. Before starting the upgrade, ensure that your Kubernetes cluster has ready Windows Server 2022 worker nodes available.
+          issues: [SIGN-8113]
 - date: '2025-12-02'
   updates:
     application:

docs/_data/editions.yml

@@ -23,6 +23,7 @@
     nuget: true
     android: true
     java: false
+    rpm: false
     office_macros: false
     xml: false
     docker: false
@@ -92,6 +93,7 @@
     nuget: true
     android: true
     java: true
+    rpm: false
     office_macros: false
     xml: false
     docker: false
@@ -156,6 +158,7 @@
     nuget: true
     android: true
     java: true
+    rpm: true
     office_macros: true
     xml: true
     docker: true
@@ -277,6 +280,7 @@
     nuget: true
     android: true
     java: true
+    rpm: true
     office_macros: false
     xml: false
     docker: true

docs/_data/tables/artifact-configuration.yml

@@ -70,6 +70,11 @@ signing-file-elements:
       directive: "[`<jar-sign>`](#jar-sign)"
       extensions: ".jar, .war, .ear, .apk, .aab"
       description: "Java archives and Android apps. (Not available for Code Signing Starter.)"
+    - element: "`<rpm-file>`"
+      isComposite: "Yes"
+      directive: "[`<rpm-sign>`](#rpm-sign)"
+      extensions: ".rpm"
+      description: "RPM Package Manager files (available for Advanced Code Signing)"
     - element: "[`<zip-file>`](syntax#zip-file-element)"
       isComposite: "Yes"
       directive: "[`<jar-sign>`](#jar-sign)"

docs/artifact-configuration/reference.md

@@ -46,6 +46,7 @@ Since the file's format does not change, the unsigned files are not needed anymo
 * [`<office-macro-sign>`: Microsoft Office VBA macros](#office-macro-sign)
 * [`<opc-sign>`: Open Packaging Convention](#opc-sign)
 * [`<jar-sign>`: Java Archives](#jar-sign)
+* [`<rpm-sign>`: RPM Package Manager](#rpm-sign)
 * [`<xml-sign>`: XML Digital Signature](#xml-sign)
 
 The general syntax for embedded signing methods is: `<`_format_`-sign />`
@@ -192,6 +193,39 @@ jarsigner -verify -strict <file>.zip
 
 Add the `-verbose` option to see the certificate.
 
+
+#### `<rpm-sign>`: RPM Package Manager {#rpm-sign}
+
+{% include editions.md feature="file_based_signing.rpm" %}
+
+{%- include_relative render-ac-directive-table.inc directive="rpm-sign" -%}
+
+RPM is a versatile package management format used in many Linux distributions like Fedora, RedHat, or openSUSE. RPM files embed GPG signatures and therefore is only available for [signing policies](/projects#signing-policies) with a [GPG key](/managing-certificates#certificate-types) certificate.
+
+##### Example
+
+~~~ xml
+<?xml version="1.0" encoding="utf-8" ?>
+<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
+  <rpm-file>
+    <rpm-sign />
+  </rpm-file>
+</artifact-configuration>
+~~~
+
+##### Verification {#rpm-sign-verification}
+
+RPM package verification usually happens "under the hood" via package managers like [`dnf`](https://dnf.readthedocs.io/).
+
+To manually verify `.rpm` files, use the following commands.
+
+~~~ bash
+rpm --import my_key.asc # Import, i.e. trust, the GPG public key
+
+rpm --verbose --checksig my_package.rpm
+~~~
+
+
 #### `<xml-sign>`: XML Digital Signature {#xml-sign}
 
 {% include editions.md feature="file_based_signing.xml" %}