Digital Rose has reviewed and confirmed that the eSign App is not vulnerable to the Log4j security issue (CVE-2021-44228). The implicated Log4j library is not included in any client-side or server-side components.
It is now possible to create Invites on transition within the Jira workflow via the new Invite Users post-function. This can be combined with the workflow validators to enforce that defined users have signed the issue.
Tip: Enable the No Pending Signatures option in the Signature Validator to enforce that all Invites (Pending Signatures) have been completed.
As an extension to the custom field configuration introduced in November, single- and multi-user picker custom fields, as well as the Service Management fields Customer Organizations and Request Participants, can now be displayed on the PDF Signature Archive.
A Refresh button has been added to the eSign Content panel to quickly show updated Signature changes from other users or workflow functions without reloading the entire issue.
Notifications of recent eSign updates are displayed to users in the eSign content panel on their first use after an update.
Minor cosmetic changes to the eSign User Settings page to make Pin Reset more visible plus information on the Atlassian Account ID.
Resolved an issue where eSign was blocked from creating comments for some JSM projects.
Nov 2021 Update
#1 Cloud Security Program
As a reflection of our ongoing commitment to security, eSign for Jira is now enrolled in the Atlassian Cloud Security program. In this program we invite trained security researchers to investigate apps for security vulnerabilities. Researchers who find issues are rewarded with a bounty and then retest after the vendor corrects the issue.
With this update the Advanced Security option has been enhanced to support fine-grained permissions. Execute, Invite and Finalize functions each have their own individually grantable permissions; this will allow more flexibility for teams that require more control over eSign.
Note that the legacy Execute permission has been renamed to eSign Manage and continues to allow access to all 3 core functions. This means that projects already using Advanced Security can continue with their current configuration with no changes.
#3 PDF Signature Archive - Custom Field Configuration
It is now possible to configure the list of and sequence for custom fields displayed on the PDF Signature archive for each Project via eSign Project Settings.
Only the selected custom fields will be included on the Signature Archive for this project. Field labels will be shown even if these fields are empty.
The default behavior is unchanged: all non-empty custom fields set on the issue are displayed.
Tip: If a transition requires signatures from multiple groups, the signature validator can be added multiple times to the transition.
#5 Void Signatures in Reset Post Function
The Reset Workflow Post Function has been expanded to allow the choice to “Void” signatures instead of clearing all signature data. Signatures Voided by this workflow are visible in the eSign Signature panel’s Show Void menu item.
For consistency, Administrative reset of signatures for the current status will now also Void those signatures.
Oct 2021 Update
#1 Workflow Automation
Enhanced options for Jira workflow automation have been introduced to eSign with this update. These tools can be used for additional process control within Jira projects.
User is a Signee (validator) - This new validator will verify that the user transitioning the issue has already signed the issue.
Required Signatures (validator) - Configure this existing validator to require a minimum number of signatures on the issue, and to enforce whether pending signatures (invites) are permitted before transition.
Finalize Signatures (post-function) - Add this new post-function to any workflow transition to automatically finalize signatures. This function will also generate the PDF Signature archive if enabled for the project.
Reopen Signatures (post-function) - This new post-function will reopen Signatures previously finalized (either manually or via the auto-finalize post-function).
Reset (Clear) Signatures (post-function) - This existing post-function removes all signatures for an issue; this is typically used to restart the signature process workflow if the material being reviewed has changed.
This update includes a significant update to security features supporting the personal Signature Pin.
Note that the Signature Pin is a supplementary identifier in addition to the Atlassian Cloud security controls for the Atlassian account. To apply a signature users must first authenticate with their Atlassian account, and then enter their Signature Pin.
In addition to some internal security improvements, users will notice the following:
Existing users will be prompted to reset their current Pin before they can execute any new signatures.
The minimum length has been extended to 6 characters.
Pins for first-time users must be generated via e-mail.
#3 Additional Items
Additional common issue fields (e.g. Components, Labels, Created/Updated Date, etc) added to the PDF Signature Archive.
#4 Security Patches
Nov 4, 2021 - incremental security patch applied.
Aug 2021 Update
#1 Bulk Signature Execution
A customer-requested feature, this eSign enhancement allows users to apply their signature to multiple issues in a single operation. This feature will facilitate mass signature events such as releases and other high issue volume processing. A complement to the Bulk Invites function introduced in July, users can now sign up to 50 issues at one time via Advanced Search.
#2 Signature PDF Archiving
eSign now supports integrated PDF Signature Archiving of a point in time snapshot of the complete “Signed” issue. The PDF archives include comprehensive issue data, description, attachments, comments and all custom fields, and eSign Signatures and Signature Verification.
Once enabled for a project, Archives are automatically generated and stored as attachments on the Jira issue when Signatures are finalized. Users can view/download these archives on demand as needed for reference, audits, etc.
PDF Archiving is disabled by default for projects. Enable PDF archiving in the eSign Project Settings page. Once enabled, the PDF Archive option will be checked by default on the Finalize Signatures page. A preview link is available to view the content (in html) of the PDF archive.
#3 Finalize Signatures
The new Finalizing Signatures feature allows users and teams to indicate that signatures are final for a specific issue. This function “locks down” signatures for the issue to make it clear that no further signatures are required. Neither Signature execution nor invites are permitted on finalized issues.
The Final status is displayed in the Signature table footer and is visually clear, as the toolbar buttons are also hidden. Signature Verification reports are still available from the … (more) menu.
Note: There is also a new custom issue date/time field, “Signatures Finalized”, which can be displayed and searched within Jira to find finalized or not-yet-finalized issues.
Signature Administration includes a new option to Reopen Signatures for a finalized issue.
#4 Additional Items
Pin Reset is now available from the eSign User Settings page (in addition to the Execute Signature dialog).
Signature Verification badges were updated for clarity in the Signature Verification report and the (new) PDF Archive. Note that PDF Archives are excluded from the Signature checksum (i.e. PDF Archive(s) attached to the Jira Issue will not invalidate Signatures the way any other Attachment changes will).
Cosmetic Changes - Issue Signatures Panel
Signatures Open/Final state and summary counts are now displayed in the table footer with the Recent Changes and Help toolbar.
The Table heading now lists Signature Status. The (Issue) Status at time of Signature has been renamed Workflow.
Signature table height has been constrained to a maximum height. Jira issues with many Signatures now display in a scrolling panel.
Jul 2021 Update
#1 Bulk Signature Invites
This update introduces new Bulk Operations functionality for Bulk Invites and Bulk Verification. With this enhancement, users can operate on multiple issues at the same time leveraging the Jira Advanced Search capabilities.
Start with any Jira advanced search query or filter, then select a list of Issues that require signatures and send invites for all of them in one operation.
Invited users receive a new consolidated Invite e-mail.
Stay tuned! Bulk Signature Execution is currently in development!
#2 Signature Invite Improvements
Signature Invite notifications are now sent directly from the eSign app servers. This not only allows us to send consolidated emails for bulk invites, but also allows us to include quick search buttons in the email to allow the participants to quickly find issues waiting on signatures for themselves and the current project.
Optionally, users or administrators can choose to save these quick searches as Jira filters and add them to a dashboard and/or set up periodic subscriptions to help manage Signature completion.
#3 Bulk Verification Report
Similar to the above, the bulk operations also allow generation of a bulk verification report for a search-based or hand-selected list of issues.
Every signature on every issue is individually verified and the results collected into a single report.
The report is delivered to a web page but can be saved as PDF and stored.
#4 Additional Items
[SECURITY] Apply signed app install security enhancements required by Atlassian.
[USER EXPERIENCE] Extend CDN caching for certain libraries and static resources for improved performance.
May 2021 Update
This update is focused on security and technical infrastructure improvements. There will be minimal changes visible to most users.
Additional security enabled on Atlassian session tokens
Personal Signing Pins will now lock out after repeated invalid attempts. Use Pin Reset if this occurs.
Improved XSS protection.
API rate limiting applied to prevent high volume users from impacting service availability.
#2 User Experience
Hide the Invite summary totals if there are no invites for an issue, and simplify the format to X/Y ( signed invitations / total invitations ).
The background color of the Invited lozenge was changed to Blue to align with Atlassian Jira “In Progress” convention and provide visual distinction from the Imported tag.
Improved clarity of User Pin errors to show if Pin is not set, does not match, or is locked out.
Users can execute and review signatures from within the native apps on their smartphones and tablets.
To support this new feature and the variety of screen sizes, the following user experience changes were made:
Signature Content display has been optimized for smaller screens through responsive design. Wider screens and landscape orientation will show more signature data; narrower screens will dynamically hide detail.
Execute Signature dialog updated to reflow to fit on vertical screens.
Pin Reset upgraded to function within the Execute Signature dialog so it is available on mobile.
Note: Advanced functions such as Signature Administration and Certificate Reports are not available on mobile.
#2 Legacy Signature Migration and Import
eSign now allows bulk import of pre-existing Signatures from external systems including legacy Jira Server plugins. With a flexible CSV style import format and optional fields and formats, customers will now be able to migrate signatures into eSign within Jira Cloud.
Look for the following new items:
New Signature Import administrative tool that will interactively parse, preview, and bulk load hundreds of signatures into Jira cloud.
New Import API created to support migration.
Signature Content and Certificate views updated to display imported signatures.
The Signature verification algorithms have been updated to identify and exclude imported signatures.
The Signature Admin functions (e.g. Reset Signatures) have been restricted to Project Admins on the current project only. Previously the permission check required that the user was a project admin on at least one project, but not necessarily the current project. (Note: Released early March 23, 2021.)
4.2 User Experience
Pin Reset updated to complete the reset process within the Execute Dialog and the success message now includes the email address (masked) the reset was sent to.
Invited status lozenge color changed from yellow to “In Progress” blue to align with Jira conventions and distinguish from the new [Imported] signature possible state.
The eSign Feature Summary has been added to the user documentation to assist with electronic signature app review and comparison.
Sample screen captures of Mobile App and Signature Import added to the User Guide.
Mar 2021 Update
Update 1 released March 14, 2021
#1 eSign is now faster with Global CDN
eSign static resources are now distributed through the AWS CloudFront Content Delivery Network (CDN). This will improve Signature display performance and reduce latency for eSign users as the CDN will cache shared resources globally.
#2 Service Management customer signature enhancements
eSign has supported customer signatures in Jira Service Management (aka Service Desk) since August 2020. The Service Management Portal has now been updated to use client-side rendering for faster display of customer signatures.
Also, customer (non-user) accounts may now optionally enter their Title as part of their signature. As with internal users, the Title is saved and may be reused for subsequent signatures.
#3 Other Changes
A "New Recent Updates" flag will display in the signature panel when a recent eSign update is detected. The flag will clear after 7 days.
Minor changes to the table headings and help menu in the Signature display panel.
Minor cosmetic changes to the eSign Project and User Settings pages.
Feb 2021 Update
#1 Faster Signature Rendering
With this update eSign now utilizes client-side rendering to load and display existing signature content within the customer’s Jira instance. This change will significantly reduce user wait time to display the signature panel within issues, especially for international users not in close proximity to Eastern US eSign servers.
Note: There is no change to the layout of the signature data or the signature process and workflow. The new display is visually identical to the previous display technology and compatible with all pre-existing signatures.
#2 Improve Pin Reset Usability
The Pin Reset process within the Execute Signature dialog now includes a confirmation step for improved usability.
Pin Reset emails are now directly sent to users from the eSign servers (@esign-app.com). This change will allow the reset messages to be delivered immediately, instead of waiting for the Jira Issue Notifications service.
#3 Flexible Signature Administration
The Signature Administration panel (previously Signature Reset) now supports a new option for removal of Signatures for the current issue status only. This can be useful for multi-stage approvals where existing signatures on early states need to be preserved.
#4 Feature: eSign for Confluence
The eSign for Confluence app was released earlier this month. Now the eSign technology is available to electronically sign any Confluence content with the same robust, secure and compliant electronic signature capability as eSign for Jira. See eSign for Confluence in the Atlassian Marketplace for more information.
#5 Additional Changes
eSign hosting domain has changed to esign-app.com from esign.digitalrose.dev to align with the new direct email service.
The Execute, Invite and Reset dialog windows now support the quick close 'X' in the top right corner.
Signature Reset dialog was renamed to Signature Admin as the page allows removal of Pending Invites in addition to Reset.
The Show Void function in the Signature Panel was moved to the More (...) menu to conserve screen space as this option is rarely used.