sgcSign

Enterprise-grade digital signature suite for Delphi, C++Builder and .NET. Produces XAdES, PAdES, CAdES and ASiC signatures from 10 key providers and 21 pre-configured country profiles — available as an in-process component library or as a self-hosted remote signing daemon for build farms.

XAdES / PAdES / CAdES / ASiC
10 Key Providers
21 Country Profiles
EU eIDAS Compliant

Library or Server — Same Signing Core

sgcSign ships in two complementary form factors that share the same signing engine, key providers and country profiles. Pick the embedded library, the centralised server, or use both together.

sgcSign Component Library

Drop-in Delphi / C++Builder / .NET components that produce XAdES, PAdES, CAdES and ASiC signatures directly inside your application. Native CNG/BCrypt cryptography, no external DLLs, full source code included.

sgcSign Server

Self-hosted remote signing daemon — REST API, Bootstrap web admin, Windows-service installer. Adds Authenticode, ClickOnce, NuGet and VSIX signing on top of document formats. Ready-made GitHub Actions, Azure DevOps, Jenkins, Docker and Helm pipelines.

Every ETSI Format, B-B Through B-LTA

Full coverage of the four ETSI signature families plus Microsoft Authenticode for PE binaries. All four AdES levels supported.

XAdES

ETSI EN 319 132 — XML Advanced Electronic Signatures

Enveloped, detached and enveloping signatures over XML. Levels B-B / B-T / B-LT / B-LTA. Polish, Spanish and German diacritics round-trip losslessly via WideString overloads on Delphi 7+.

PAdES

ETSI EN 319 142 — PDF Advanced Electronic Signatures

Embed digital signatures into PDF documents. Visible signature appearance with signer name, reason, location, contact info and configurable rectangle. Compatible with Adobe Acrobat.

CAdES

ETSI EN 319 122 — CMS/PKCS#7 Advanced Electronic Signatures

CMS/PKCS#7 binary signatures over any file or data stream. Detached and attached forms. BES, T and XL conformance levels.

ASiC-S / ASiC-E

ETSI EN 319 162 — Associated Signature Containers

Bundle one or more documents and the associated XAdES or CAdES signature into a single ZIP archive. Simple (one document) or Extended (manifest + multiple documents).
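A structural check for the container layout described above, as an added example that is not sgcSign code. It uses the ASiC media types and META-INF file naming from ETSI EN 319 162; the function names and sample file names are assumptions, and it inspects layout only, without validating any signature.

```python
import io
import zipfile

ASIC_TYPES = {
    "application/vnd.etsi.asic-s+zip": "ASiC-S",
    "application/vnd.etsi.asic-e+zip": "ASiC-E",
}

def inspect_asic(data: bytes) -> dict:
    """Classify an ASiC container and list the structural problems found."""
    problems, kind = [], None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        names = [i.filename for i in infos]
        if "mimetype" not in names:
            problems.append("no mimetype entry")
        else:
            # When present, mimetype is expected first and stored uncompressed
            if names[0] != "mimetype":
                problems.append("mimetype is not the first entry")
            elif infos[0].compress_type != zipfile.ZIP_STORED:
                problems.append("mimetype entry is compressed")
            kind = ASIC_TYPES.get(zf.read("mimetype").decode("ascii", "replace"))
            if kind is None:
                problems.append("mimetype is not an ASiC media type")
    meta = [n for n in names if n.startswith("META-INF/")]
    payload = [n for n in names if n != "mimetype" and n not in meta]
    # XAdES lives in META-INF/*signatures*.xml, CAdES in META-INF/*.p7s
    if any("signatures" in n and n.endswith(".xml") for n in meta):
        sig = "XAdES"
    elif any(n.endswith(".p7s") for n in meta):
        sig = "CAdES"
    else:
        sig = None
        problems.append("no signature file under META-INF/")
    if kind == "ASiC-S" and len(payload) != 1:
        problems.append("ASiC-S must carry exactly one data file")
    return {"type": kind, "signature": sig, "data_files": payload,
            "problems": problems}

def build_sample(mimetype: str, files: dict) -> bytes:
    """Constructed in-memory container; file contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", mimetype, compress_type=zipfile.ZIP_STORED)
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()
```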

Authenticode + ClickOnce + NuGet + VSIX

Code signing — sgcSign Server

Sign Windows PE files (.exe, .dll, .sys, .ocx), ClickOnce manifests, NuGet packages and VSIX bundles. SHA-256 (default), SHA-384, SHA-512 and dual-signing for legacy compatibility.

Local Files, Hardware Tokens, Cloud KMS

Every provider implements the same IsgcKeyProvider interface, so signers work with any key source without modification. Switch from a PFX file to AWS KMS by changing one component.

PFX / PKCS#12

TsgcPFXKeyProvider

Local password-protected PFX files. Native Windows CNG support; no OpenSSL DLL required.

PEM Files

TsgcPEMKeyProvider

PEM-encoded certificates and encrypted PKCS#8 private keys. Native PBES2 / PBKDF2 / AES-CBC decryption — no external library required.

Windows Certificate Store

TsgcWindowsCertStoreProvider

Local machine and current user certificate stores. Seamless integration with Windows PKI and Active Directory.

PKCS#11 Hardware Tokens

TsgcPKCS11Provider

Smart cards and HSMs over the standard PKCS#11 interface — SafeNet, YubiKey, Nitrokey and any vendor with a PKCS#11 driver.

Azure Trusted Signing

TsgcAzureTrustedSigningProvider

Microsoft's qualified signing service. OAuth2 client credentials, private keys never leave Azure. Distinct from Azure Key Vault.

AWS KMS

TsgcAWSKMSKeyProvider

AWS Key Management Service. Sign with keys held in AWS; the document hash is sent, the raw signature returns.

Google Cloud KMS

TsgcGCloudKMSKeyProvider

Google Cloud Key Management. Service-account authentication with keys hosted in Google Cloud.

HashiCorp Vault

TsgcHashiCorpVaultKeyProvider

Vault transit signing engine. Keys stay inside Vault; document hashes are sent over an authenticated REST API.

Certum SimplySign

TsgcCertumSimplySignProvider

Qualified Polish e-signature provider. Cloud-based remote signing for KSeF, ZUS and other Polish public-administration portals.

CSC v2 (Cloud Signature Consortium)

TsgcCSCKeyProvider

Generic CSC v2 client for remote QTSPs — Universign, D-Trust sign-me, A-Trust, FNMT Cl@ve Firma, Evrotrust, Intesi Group and more.

European E-Invoicing & Employment Contracts

Each profile pre-tunes hash algorithm, canonicalization, signature level, timestamp and OCSP-revocation policy to match the target country's regulator. Switch jurisdiction with a one-line change.

E-Invoicing Profiles (12)

| Profile | Country | System | Format | Level |
|---|---|---|---|---|
| spVeriFactu | Spain | VeriFactu (AEAT) | XAdES-EPES | B-B |
| spTicketBAI | Spain (Basque) | TicketBAI | XAdES-EPES | B-B |
| spFacturaeB2B | Spain | Facturae 3.x / FACe | XAdES-EPES | B-T |
| spFatturaPA | Italy | FatturaPA (SDI) | XAdES-BES | B-B |
| spSAFTPT | Portugal | SAF-T PT | RSA-SHA256 | B-B |
| spKSeF | Poland | KSeF (Krajowy System e-Faktur) | XAdES | B-T |
| spFacturX | France / Germany | Factur-X / ZUGFeRD | XAdES | B-B |
| spEFactura | Romania | e-Factura (ANAF) | XAdES | B-T |
| spNAVOnline | Hungary | NAV Online | XML-DSig | B-B |
| spFiskalizacija | Croatia | Fiskalizacija | XML-DSig | B-B |
| spPeppolBE / spPeppolBG | EU (Belgium, Bulgaria) | Peppol UBL 2.x | XAdES | B-T |
| spMyDATA | Greece | myDATA (AADE) | XAdES | B-B |

EU Employment-Contract Profiles (9)

eIDAS-compliant signatures for member-state labour-law requirements on employment contracts. Pre-tuned to the AdES / QES level, hash, canonicalization, timestamp and OCSP-revocation policy of each jurisdiction. Accepted by labour-administration verifiers.

Germany — spEmploymentDE

Level B-LT, QES required by § 126a BGB for written-form contracts (e.g. fixed-term > 24 months, post-contract non-compete).

Italy — spEmploymentIT

Level B-LT, FEQ qualified signature. CAdES (.p7m) widely used; XAdES accepted. INPS portals consume both.

Spain — spEmploymentES

Level B-T, AdES sufficient. SEPE / TGSS portals require FNMT or DNIe certificate; CRL via FNMT trust list.

France — spEmploymentFR

Level B-T, AdES OK. QES preferred for remote-signing flows under DSP2 / RGS.

Austria — spEmploymentAT

Level B-LT. QES via Handy-Signatur / ID Austria common.

Belgium — spEmploymentBE

Level B-LT. QES via eID card (BeID).

Portugal — spEmploymentPT

Level B-LT. QES via Cartão do Cidadão / Chave Móvel Digital.

Netherlands — spEmploymentNL

Level B-T. AdES generally accepted; QES for some HR portals (UWV).

Poland — spEmploymentPL

Level B-T. QES via Profil Zaufany or qualified certificate when contract goes to ZUS / PUE.

EU Trust List, ETSI Validation Reports & LTV

sgcSign verifies signatures the same way the EU verifies them — against the live LOTL, with a standardised XML report that labour courts and public administrations accept as legal proof.

Signature Verification with LTV

Full validation pipeline — digest checks, RSA/ECDSA signature verification, certificate-chain validation, OCSP revocation checking, embedded RevocationValues for Long-Term Validation, Id-based fragment lookup for SignedProperties.

EU Trust List (LOTL / EUTL)

TsgcEUTrustList parses the ETSI TS 119 612 List of Trusted Lists and ~31 per-Member-State Trusted Lists. Classify any X.509 certificate as eIDAS-qualified by looking up its issuing TSP service against the live EU registry.

ETSI TS 119 102-2 Validation Report

Standardised XML Validation Report (v1.2.1) produced for every verification — accepted by EU labour courts and public-administration verifiers as legal proof of signature validity.

RFC 3161 Timestamping

Built-in TsgcTSAClient for any RFC 3161 timestamp authority. Promotes signatures to XAdES-T, XAdES-LT and XAdES-LTA — verifiable long after the signing certificate has expired.

From Local PFX to Cloud KMS — the Same API

Sign a VeriFactu Invoice with a Local PFX

  • Load certificate from PFX with password
  • VeriFactu profile auto-applied
  • One method call returns signed XML
SignVeriFactu.pas
// Sign Spanish VeriFactu invoice
var
  vKeyProvider: TsgcPFXKeyProvider;
  vSigner: TsgcDocumentSigner;
begin
  vKeyProvider := TsgcPFXKeyProvider.Create(nil);
  try
    vKeyProvider.FileName := 'certificate.pfx';
    // Placeholder password: read it from a secret store or prompt, never hard-code it
    vKeyProvider.Password := 'secret';
    vKeyProvider.LoadFromFile;

    vSigner := TsgcDocumentSigner.Create(nil);
    try
      vSigner.KeyProvider := vKeyProvider;
      vSigner.Profile := spVeriFactu;
      memoSigned.Text := vSigner.SignXML(memoXML.Text);
    finally
      vSigner.Free;
    end;
  finally
    vKeyProvider.Free;
  end;
end;

Authenticode-Sign an EXE with Azure Trusted Signing

  • No local PFX, no USB token
  • Private key stays in Azure
  • Microsoft-issued public-trust cert
SignWithAzure.pas
// Authenticode-sign with Azure Trusted Signing
var
  vKeyProvider: TsgcAzureTrustedSigningProvider;
  vSigner: TsgcAuthenticodeSigner;
begin
  // nil-init so the finally block is safe if the second Create raises
  vSigner := nil;
  vKeyProvider := TsgcAzureTrustedSigningProvider.Create(nil);
  try
    vSigner := TsgcAuthenticodeSigner.Create(nil);
    vKeyProvider.AccountName := 'my-trusted-signing-account';
    vKeyProvider.CertificateProfileName := 'public-trust';
    vKeyProvider.Endpoint := 'https://eus.codesigning.azure.net';

    vSigner.KeyProvider := vKeyProvider;
    vSigner.SignFile('myapp.exe', 'myapp-signed.exe');
  finally
    vSigner.Free;
    vKeyProvider.Free;
  end;
end;

PAdES-LT — Visible Signature with Timestamp

  • Certificate from Windows store
  • RFC 3161 TSA promotes to PAdES-T
  • Visible signature with reason & location
SignPDFVisible.pas
// PAdES-T with visible signature appearance
var
  vKeyProvider: TsgcWindowsCertStoreProvider;
  vSigner: TsgcPAdESSigner;
  vTSA: TsgcTSAClient;
begin
  // nil-init so the finally block is safe if a later Create raises
  vSigner := nil;
  vTSA := nil;
  vKeyProvider := TsgcWindowsCertStoreProvider.Create(nil);
  try
    vSigner := TsgcPAdESSigner.Create(nil);
    vTSA := TsgcTSAClient.Create(nil);
    vKeyProvider.SubjectName := 'CN=Acme Corp';
    vKeyProvider.LoadFromStore;

    vTSA.URL := 'https://freetsa.org/tsr';

    vSigner.KeyProvider := vKeyProvider;
    vSigner.TSAClient := vTSA;
    vSigner.Reason := 'Approved';
    vSigner.Location := 'Madrid, Spain';
    vSigner.VisibleSignature.Enabled := True;
    vSigner.SignPDF('contract.pdf', 'contract-signed.pdf');
  finally
    vTSA.Free;
    vSigner.Free;
    vKeyProvider.Free;
  end;
end;

Centralised Signing for Your Build Farm

Need centralised signing for your build pipeline? sgcSign Server wraps the same engine behind a REST API and Bootstrap web admin — Windows-service installer, ready-made GitHub Actions / Azure DevOps / Jenkins / Docker / Helm pipelines, multi-tenant project model, two-step approval workflow, SHA-256 hash-chained audit log, Prometheus metrics and HMAC-signed webhooks.

  • Authenticode, ClickOnce, NuGet, VSIX signing
  • REST API, web admin, Windows service installer
  • All features included by default
github-actions.yml
name: Sign Release
on: [push]

jobs:
  sign:
    runs-on: windows-latest
    steps:
      - uses: esegece/sgcsign-action@v1
        with:
          server: https://sign.acme.local
          project: acme-release
          file: myapp.exe
          format: authenticode
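
What a SHA-256 hash-chained audit log gives a reviewer, as an added example that is not sgcSign Server's code or log format: the entry layout, field names, sample records and all-zero genesis value are assumptions. It also shows that dropping entries from the tail goes unnoticed unless the latest hash is kept somewhere outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log: list, record: dict) -> None:
    """Link a new record to the hash of the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})

def verify(log: list, expected_head=None) -> list:
    """Return (index, reason) findings; an empty list means the chain holds."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            findings.append((i, "prev link does not match preceding entry"))
        if entry_hash(entry["prev"], entry["record"]) != entry["hash"]:
            findings.append((i, "record does not match stored hash"))
        prev = entry["hash"]
    # Only an externally stored head reveals entries removed from the tail
    if expected_head is not None and prev != expected_head:
        findings.append((len(log), "head differs from externally stored head"))
    return findings

def sample_log() -> list:
    """Constructed sample records, not real server output."""
    log = []
    for rec in [
        {"seq": 1, "user": "ci-bot", "action": "sign", "file": "myapp.exe"},
        {"seq": 2, "user": "alice", "action": "approve", "file": "myapp.exe"},
        {"seq": 3, "user": "ci-bot", "action": "sign", "file": "setup.exe"},
    ]:
        append(log, rec)
    return log
```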

Ship eIDAS-Compliant Signatures Today

Add XAdES, PAdES, CAdES and ASiC signing to your Delphi, C++Builder or .NET application — or stand up a centralised signing service for your build farm.