Complete feature catalog for the sgcSign digital signature suite — signature standards, key providers, country profiles, validation, EU Trust List integration and ETSI validation reports for Delphi 7 through Delphi 13, C++Builder and .NET.
sgcSign separates key management, signing operations and output formats. Mix any key provider with any signer; switch between local PFX and cloud KMS by changing one component.
Abstract certificate and private-key access behind a single interface. Local files, Windows Certificate Store, PKCS#11 hardware tokens, Azure / AWS / Google Cloud KMS, HashiCorp Vault, Certum SimplySign and CSC v2 remote QTSPs.
Specialised signers for each ETSI format: TsgcXAdESSigner, TsgcPAdESSigner, TsgcCAdESSigner, TsgcAuthenticodeSigner. Plus TsgcDocumentSigner — a unified high-level API that selects and configures the right signer from a country profile.
TsgcTSAClient (RFC 3161 timestamps), TsgcOCSPClient (revocation), TsgcSignatureVerifier (validation), TsgcEUTrustList (LOTL/EUTL), TsgcASiCContainer (ASiC-S/ASiC-E ZIP packaging).
Full ETSI signature-format coverage at all four AdES levels (B-B, B-T, B-LT, B-LTA), plus Microsoft Authenticode for code signing.
XML Advanced Electronic Signatures. Enveloped, detached and enveloping modes. B-B / B-T / B-LT / B-LTA levels. SignatureParentElement for envelope formats that pin signature placement (KSeF /v2/auth/xades-signature). Polish, Spanish and German diacritics via WideString overloads on Delphi 7+.
PDF Advanced Electronic Signatures. Embedded signatures inside PDF; visible signature appearance with signer name, reason, location, contact info and configurable rectangle. Compatible with Adobe Acrobat. PAdES-T, -LT levels via TSA + OCSP.
CMS/PKCS#7 binary signatures over any file or data stream. Detached and attached forms. CAdES-BES, CAdES-T (timestamped), CAdES-XL (long-term with revocation values).
Associated Signature Containers. ZIP-format archive bundling one or more documents with a XAdES or CAdES signature. Simple (apASiCS, single document) or Extended (apASiCE, manifest + multiple documents). The first ZIP entry is an uncompressed mimetype marker so verifiers detect the container in the first ~50 bytes.
Microsoft Authenticode for Windows PE files (.exe, .dll, .sys, .ocx, .cpl, .scr). SHA-1, SHA-256 (default), SHA-384 and SHA-512 hash algorithms. RFC 3161 timestamp tokens. Nested (dual) signatures for legacy + modern verifier compatibility. Available in sgcSign Server.
All four ETSI conformance levels supported per format: B-B (basic), B-T (timestamp), B-LT (long-term, with revocation values), B-LTA (archival, with archive timestamp). Promote a signature from B-B to B-LT by adding a TSA client and OCSP responder.
Every provider implements IsgcKeyProvider. Switch between any of these key sources without changing your signing code.
| Component | Type | Use Case |
|---|---|---|
TsgcPFXKeyProvider |
Local file (PKCS#12) | Password-protected PFX/.p12 files. Native Windows CNG support. |
TsgcPEMKeyProvider |
Local file (PEM) | PEM certificates with encrypted PKCS#8 keys. Native PBES2 / PBKDF2 / AES-CBC decryption — no OpenSSL DLL required. |
TsgcWindowsCertStoreProvider |
Windows store | Local-machine and current-user stores. Active Directory and Group Policy integration. |
TsgcPKCS11Provider |
Hardware token | Smart cards and HSMs via PKCS#11 driver — SafeNet, YubiKey, Nitrokey, Thales, Utimaco, etc. |
TsgcAzureTrustedSigningProvider |
Cloud (Microsoft) | Azure Trusted Signing — Microsoft's qualified signing service. OAuth2 client credentials. Distinct from Azure Key Vault. |
TsgcAWSKMSKeyProvider |
Cloud (AWS) | AWS Key Management Service. Keys stay in AWS; only document hashes leave the network. |
TsgcGCloudKMSKeyProvider |
Cloud (Google) | Google Cloud Key Management. Service-account authentication. |
TsgcHashiCorpVaultKeyProvider |
Cloud (self-hosted) | HashiCorp Vault transit signing engine. Keys never leave the Vault cluster. |
TsgcCertumSimplySignProvider |
Remote QTSP | Certum SimplySign — qualified Polish e-signature provider. KSeF, ZUS, PUE compatible. |
TsgcCSCKeyProvider |
Remote QTSP (CSC v2) | Generic Cloud Signature Consortium v2 client — Universign, D-Trust sign-me, A-Trust, FNMT Cl@ve Firma, Evrotrust, Intesi Group and any QTSP exposing the CSC v2 API. |
Each profile pre-tunes hash algorithm, canonicalization, signature level, RFC 3161 timestamp policy and OCSP-revocation expectations to satisfy the target country's regulator. Switch jurisdiction with one line.
| Profile | Country | System | Format | Level |
|---|---|---|---|---|
spVeriFactu | Spain | VeriFactu (AEAT) | XAdES-EPES | B-B |
spTicketBAI | Spain (Basque) | TicketBAI | XAdES-EPES | B-B |
spFacturaeB2B | Spain | Facturae 3.x / FACe | XAdES-EPES | B-T |
spFatturaPA | Italy | FatturaPA (SDI) | XAdES-BES | B-B |
spSAFTPT | Portugal | SAF-T PT | RSA-SHA256 | B-B |
spKSeF | Poland | KSeF (Krajowy System e-Faktur) | XAdES | B-T |
spFacturX | France / Germany | Factur-X / ZUGFeRD | XAdES | B-B |
spEFactura | Romania | e-Factura (ANAF) | XAdES | B-T |
spNAVOnline | Hungary | NAV Online | XML-DSig | B-B |
spFiskalizacija | Croatia | Fiskalizacija | XML-DSig | B-B |
spPeppolBE | Belgium | Peppol UBL 2.0 | XAdES | B-T |
spPeppolBG | Bulgaria | Peppol UBL 2.1 | XAdES | B-T |
spMyDATA | Greece | myDATA (AADE) | XAdES | B-B |
eIDAS-compliant signatures for member-state labour-law requirements (e.g. § 126a BGB in Germany, FEQ in Italy). Pre-tuned per jurisdiction; loaded into TsgcXAdESSigner via Profile.LoadProfile(spEmploymentXX).
| Profile | Country | Level | Hash | Timestamp | OCSP | Notes |
|---|---|---|---|---|---|---|
spEmploymentDE | Germany | B-LT | SHA-256 | Yes | Yes | QES required by § 126a BGB for written-form contracts. |
spEmploymentIT | Italy | B-LT | SHA-256 | Yes | Yes | FEQ qualified signature; INPS portals consume both XAdES and CAdES. |
spEmploymentES | Spain | B-T | SHA-256 | Yes | No | AdES sufficient. SEPE / TGSS portals require FNMT or DNIe. |
spEmploymentFR | France | B-T | SHA-256 | Yes | No | AdES OK; QES preferred for remote-signing under DSP2 / RGS. |
spEmploymentAT | Austria | B-LT | SHA-256 | Yes | Yes | QES via Handy-Signatur / ID Austria common. |
spEmploymentBE | Belgium | B-LT | SHA-256 | Yes | Yes | QES via eID card (BeID). |
spEmploymentPT | Portugal | B-LT | SHA-256 | Yes | Yes | QES via Cartão do Cidadão / Chave Móvel Digital. |
spEmploymentNL | Netherlands | B-T | SHA-256 | Yes | No | AdES generally accepted; QES for some HR portals (UWV). |
spEmploymentPL | Poland | B-T | SHA-256 | Yes | No | QES via Profil Zaufany or qualified cert when contract goes to ZUS / PUE. |
Full validation pipeline plus EU Trust List integration and the standardised ETSI TS 119 102-2 XML Validation Report — legal proof of signature validity accepted by EU labour courts and public-administration verifiers.
TsgcSignatureVerifier covers the full pipeline: digest checks, RSA / ECDSA signature verification, certificate-chain validation, OCSP revocation checking, embedded RevocationValues for Long-Term Validation, and Id-based fragment lookup for SignedProperties.
TsgcEUTrustList parses the ETSI TS 119 612 List of Trusted Lists and ~31 per-Member-State Trusted Lists. Classify any X.509 certificate as eIDAS-qualified by looking it up against the live EU registry. Offline-mode caching for air-gapped deployments.
Standardised XML Validation Report (v1.2.1) produced for every verification — the format accepted by EU labour courts and public-administration verifiers as legal proof of signature validity.
TsgcTSAClient connects to any RFC 3161 timestamp authority. Promotes signatures from B-B to B-T, B-LT and B-LTA — verifiable long after the signing certificate has expired.
TsgcOCSPClient performs RFC 6960 Online Certificate Status Protocol checks. Real-time revocation, with the OCSP response embedded in B-LT signatures so the document remains verifiable when the responder is later offline.
Inclusive C14N (xml-c14n11) and Exclusive C14N (xml-exc-c14n) for consistent XML signature processing. Each country profile selects the canonicalization expected by its regulator.
Windows CNG / BCrypt cryptography throughout — no OpenSSL DLL required. Native PBES2 / PBKDF2 / AES-CBC for encrypted PKCS#8 PEM. WinHTTP for network operations.
Supports every Delphi compiler from Delphi 7 to RAD Studio 13, plus C++Builder. Modern units guarded for legacy compatibility (e.g. TsgcASiCContainer requires D2010+ generics; gracefully compiles as empty unit on D7).
Mirror C# port for .NET Framework 2.0–4.8, .NET Core, .NET 5–9 and .NET Standard. Same Tsgc* class names; same API surface as the Delphi library.
Complete source included with every license. Inspect, customise, audit and extend. Component class names registered for design-time IDE integration.
All X.509 / CRL / OCSP / TSA timestamps stored as UTC TDateTime values, matching RFC 5280, RFC 3161 and RFC 6960. Local-time conversion via *Local properties on each component.
Free binary redistribution. Sign as many documents as you like with no per-document fees and no per-deployment licenses.
spFatturaPA for Italy, spKSeF for Poland
// Sign Spanish VeriFactu invoice
var
vKeyProvider: TsgcPFXKeyProvider;
vSigner: TsgcDocumentSigner;
begin
vKeyProvider := TsgcPFXKeyProvider.Create(nil);
try
vKeyProvider.FileName := 'certificate.pfx';
vKeyProvider.Password := 'secret';
vKeyProvider.LoadFromFile;
vSigner := TsgcDocumentSigner.Create(nil);
try
vSigner.KeyProvider := vKeyProvider;
vSigner.Profile := spVeriFactu;
memoSigned.Text := vSigner.SignXML(memoXML.Text);
finally
vSigner.Free;
end;
finally
vKeyProvider.Free;
end;
end;// Authenticode-sign with Azure Trusted Signing
var
vKeyProvider: TsgcAzureTrustedSigningProvider;
vSigner: TsgcAuthenticodeSigner;
begin
vKeyProvider := TsgcAzureTrustedSigningProvider.Create(nil);
vSigner := TsgcAuthenticodeSigner.Create(nil);
try
vKeyProvider.AccountName := 'my-trusted-signing-account';
vKeyProvider.CertificateProfileName := 'public-trust';
vKeyProvider.Endpoint := 'https://eus.codesigning.azure.net';
vSigner.KeyProvider := vKeyProvider;
vSigner.SignFile('myapp.exe', 'myapp-signed.exe');
finally
vSigner.Free;
vKeyProvider.Free;
end;
end;// PAdES-T with visible signature appearance
var
vKeyProvider: TsgcWindowsCertStoreProvider;
vSigner: TsgcPAdESSigner;
vTSA: TsgcTSAClient;
begin
vKeyProvider := TsgcWindowsCertStoreProvider.Create(nil);
vSigner := TsgcPAdESSigner.Create(nil);
vTSA := TsgcTSAClient.Create(nil);
try
vKeyProvider.SubjectName := 'CN=Acme Corp';
vKeyProvider.LoadFromStore;
vTSA.URL := 'https://freetsa.org/tsr';
vSigner.KeyProvider := vKeyProvider;
vSigner.TSAClient := vTSA;
vSigner.Reason := 'Approved';
vSigner.Location := 'Madrid, Spain';
vSigner.VisibleSignature.Enabled := True;
vSigner.SignPDF('contract.pdf', 'contract-signed.pdf');
finally
vTSA.Free;
vSigner.Free;
vKeyProvider.Free;
end;
end;