eSeGeCe — Enterprise Communication Components for Delphi & .NET
FEATURED · sgcSign

Sign documents. Sign code. Prove it.

XAdES for XML, PAdES for PDF, CAdES for CMS and ASiC containers for the whole bundle. Authenticode, ClickOnce, NuGet and VSIX for what you ship. From a native Delphi, C++Builder or .NET component, or from sgcSign Server over REST, with the same signing engine behind both.

  • ETSI levels B-B to B-LTA
  • 10 key providers
  • 21 country profiles
  • RFC 3161 timestamping
sgcSign

The digital signature suite for Delphi 7 to RAD Studio 13, C++Builder and .NET. Documents, code, and a self-hosted signing server, with full source and royalty-free deployment.

Product overview See pricing →

Documents on One Side, Code on the Other

The same key providers, the same timestamp client and the same validation pipeline sign a Spanish invoice and a Windows installer. Learn the API once, apply it everywhere.

The four ETSI signature families

Every format supports all four AdES conformance levels, so you can start at B-B and promote to B-LTA when the archive rules demand it.

XAdES

ETSI EN 319 132. XML signatures in enveloped, detached and enveloping modes. The format behind e-invoicing and EU employment contracts.

PAdES

ETSI EN 319 142. Signatures embedded in the PDF itself, with a visible appearance carrying signer name, reason, location and contact. Compatible with Adobe Acrobat.

CAdES

ETSI EN 319 122. CMS / PKCS#7 binary signatures over any file or stream, detached or attached.

ASiC-S / ASiC-E

ETSI EN 319 162. A ZIP container bundling the documents with their XAdES or CAdES signature. Simple for one document, Extended for a manifest plus many.

Baseline levels
B-B basic B-T timestamp B-LT long-term B-LTA archival

Everything you ship to a customer

Code signing runs through sgcSign Server, so the private key lives in one place and your build agents never touch it.

Authenticode

Windows PE files: .exe, .dll, .sys, .ocx, .cpl and .scr. SHA-256 by default, plus SHA-1, SHA-384 and SHA-512. Nested dual signatures keep legacy verifiers happy.

ClickOnce

Sign .application and .manifest files so Windows clients install your app without a trust prompt.

NuGet

Sign .nupkg packages so the NuGet client can validate publisher identity. Author and repository signatures are both supported.

VSIX

Sign Visual Studio extension packages so the Marketplace and the IDE accept them as trusted.

Applied to every artifact
SHA-256 default RFC 3161 timestamp Dual signing Hash-only mode

Local Files, Hardware Tokens, Cloud KMS

Every provider implements the same IsgcKeyProvider interface, so a signer works with any key source without modification. Moving from a PFX file to AWS KMS means changing one component.

PFX / PKCS#12

TsgcPFXKeyProvider

Local password-protected key files. Native Windows CNG, no OpenSSL DLL required.

PEM Files

TsgcPEMKeyProvider

PEM certificates and encrypted PKCS#8 keys, with native PBES2 / PBKDF2 / AES-CBC decryption.

Windows Certificate Store

TsgcWindowsCertStoreProvider

Local machine and current user stores, straight into your Windows PKI and Active Directory setup.

PKCS#11 Hardware Tokens

TsgcPKCS11Provider

Smart cards and HSMs over the standard PKCS#11 interface, including SafeNet, YubiKey and Nitrokey.

Azure Trusted Signing

TsgcAzureTrustedSigningProvider

Microsoft's qualified signing service with OAuth2 client credentials. Private keys never leave Azure.

AWS KMS

TsgcAWSKMSKeyProvider

Keys stay in AWS Key Management Service. The document hash goes out, the raw signature comes back.

Google Cloud KMS

TsgcGCloudKMSKeyProvider

Service-account authentication against keys hosted in Google Cloud Key Management.

HashiCorp Vault

TsgcHashiCorpVaultKeyProvider

The Vault transit signing engine. Hashes travel over an authenticated REST API, keys stay inside Vault.

Certum SimplySign

TsgcCertumSimplySignProvider

Qualified Polish e-signature provider. Cloud remote signing for KSeF, ZUS and other public portals.

CSC v2

TsgcCSCKeyProvider

Generic Cloud Signature Consortium v2 client for remote QTSPs, including Universign, D-Trust sign-me, A-Trust, FNMT Cl@ve Firma, Evrotrust and Intesi Group.

Swap the provider, keep the signer. All ten providers in detail →

21 Pre-Configured Country Profiles

Each profile pre-tunes hash algorithm, canonicalization, signature level, timestamp and OCSP revocation policy to match the target jurisdiction. Switching country is a one-line change.

E-invoicing profiles (12)

Spain VeriFactu (AEAT) Spain, Basque TicketBAI Spain Facturae 3.x / FACe Italy FatturaPA (SDI) Portugal SAF-T PT Poland KSeF France / Germany Factur-X / ZUGFeRD Romania e-Factura (ANAF) Hungary NAV Online Croatia Fiskalizacija Belgium & Bulgaria Peppol UBL Greece myDATA (AADE)

EU employment-contract profiles (9)

Germany B-LT Italy B-LT Spain B-T France B-T Austria B-LT Belgium B-LT Portugal B-LT Netherlands B-T Poland B-T

Formats aligned with eIDAS

The profiles target the AdES or QES level each member state expects, with the hash, canonicalization, timestamp and revocation policy already set. Germany asks for a qualified signature under § 126a BGB, Spain accepts AdES for SEPE and TGSS, Poland routes through Profil Zaufany or a qualified certificate for ZUS. The profile encodes those differences, your code does not.

Validation and long-term proof

TsgcEUTrustList parses the ETSI TS 119 612 List of Trusted Lists and the per-member-state Trusted Lists, so any X.509 certificate can be classified against the live EU registry. TsgcTSAClient adds RFC 3161 timestamps that promote a signature to B-T, B-LT and B-LTA, and every verification emits a standardised ETSI TS 119 102-2 XML validation report.

Browse all 21 profiles →

Centralised Signing for Your Build Farm

A self-hosted signing daemon with a REST API, a Bootstrap web admin and a Windows-service installer. Build agents ask for a signature, the key provider does the signing, and the key material never lands on a runner.

  1. Build

    Your pipeline compiles the artifact on any agent, Windows or Linux.

  2. Request a signature

    The agent calls POST /api/v1/sign over TLS with a bearer API key and an X-Project header.

  3. HSM or KMS signs

    The server reaches the configured key provider. Private keys stay in the HSM, in Azure, AWS, Google Cloud or Vault.

  4. Signed artifact returns

    The signed binary streams straight back to the agent, with signer subject and duration in the response headers.

  5. Timestamped and audited

    An RFC 3161 timestamp is applied and the operation lands in a SHA-256 hash-chained audit log, with Prometheus metrics and HMAC-signed webhooks.

GitHub Actions Azure DevOps Jenkins Docker Helm chart Windows service Multi-tenant projects Two-step approval

Authenticode, ClickOnce, NuGet, VSIX, XAdES, PAdES and CAdES all share the same endpoint shape. sgcSign Server overview →

Sign a PDF, In Process or Over REST

The same PAdES signature, produced three ways. Pick the component when the app signs, pick the server when the pipeline signs.

// PAdES with a visible signature and an RFC 3161 timestamp
var
  vKeyProvider: TsgcPFXKeyProvider;
  vSigner: TsgcPAdESSigner;
  vTSA: TsgcTSAClient;
begin
  vKeyProvider := TsgcPFXKeyProvider.Create(nil);
  vSigner := TsgcPAdESSigner.Create(nil);
  vTSA := TsgcTSAClient.Create(nil);
  try
    vKeyProvider.FileName := 'certificate.pfx';
    vKeyProvider.Password := 'secret';
    vKeyProvider.LoadFromFile;

    vTSA.URL := 'https://freetsa.org/tsr';

    vSigner.KeyProvider := vKeyProvider;
    vSigner.TSAClient := vTSA;
    vSigner.Reason := 'Approved';
    vSigner.Location := 'Madrid, Spain';
    vSigner.VisibleSignature.Enabled := True;
    vSigner.SignPDF('contract.pdf', 'contract-signed.pdf');
  finally
    vTSA.Free;
    vSigner.Free;
    vKeyProvider.Free;
  end;
end;
# PAdES-sign contract.pdf through sgcSign Server
curl -X POST https://sign.example.com/api/v1/sign/pades \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Project: production" \
  -F "file=@./contract.pdf" \
  -o contract-signed.pdf

# Headers returned by the server
# X-Sgcsign-Signer-Subject: CN=ACME Corp, O=ACME, C=US
# X-Sgcsign-Duration-Ms: 312
name: Sign Release
on: [push]

jobs:
  sign:
    runs-on: windows-latest
    steps:
      - uses: esegece/sgcsign-action@v1
        with:
          server: https://sign.acme.local
          project: acme-release
          file: myapp.exe
          format: authenticode

Same engine, same key providers, same country profiles. Quick start →

Six Libraries, One Toolbox

sgcSign is one of six eSeGeCe component libraries for Delphi, C++Builder and .NET. They share conventions, they ship with full source, and they deploy royalty-free.

sgcSign

XAdES, PAdES, CAdES and ASiC for documents, Authenticode, ClickOnce, NuGet and VSIX for code. Ten key providers, 21 country profiles, plus sgcSign Server.

Learn more →

sgcWebSockets

WebSocket, HTTP/2, HTTP/3, MQTT, AMQP, WebRTC, AI and 30+ API integrations. Sign WebSocket and MQTT payloads with the same signing engine.

Learn more →

sgcHTML

Server-side HTML and UI components built on Bootstrap 5 and htmx. Give a signing workflow a web front end without a JavaScript stack to maintain.

Learn more →

sgcOpenAPI

OpenAPI 3.x parser, Pascal SDK generator and OpenAPI server, plus 1,195+ pre-built SDKs for AWS, Azure, Google Cloud and Microsoft Graph.

Learn more →

sgcBiometrics

Windows Hello, fingerprint sensors and the Windows Biometric Framework. Unlock a signing key with a fingerprint before the signer runs.

Learn more →

sgcIndy

Updated Indy TCP/IP components with modern TLS, IPv6 and HTTP/2 for Delphi 7 through 13. Trusted transport to TSAs, OCSP responders and EU verifiers.

Learn more →

One subscription covers the whole set. View pricing or grab the sgcWebSockets free trial.

What Developers Say

Trusted by Delphi, C++ Builder, Lazarus and .NET developers around the world.

Thanks so much for your help and support — I love your components.
Mark Steinfeld CTO
sgcWebSockets is amazing and your support is the best!
Christian Meyer Founder & CTO
Your sgcWebSockets library is very useful and easy to setup. Keep up the good work!
Simone Moretti Delphi Developer

You are seeing the Sign & Comply view of eSeGeCe.

Show me another angle →
30-Day Money-Back GuaranteeNot satisfied? Request a full refund within 30 days of purchase. See refund policy

Ship eIDAS-Compliant Signatures Today

Add XAdES, PAdES, CAdES and ASiC signing to your Delphi, C++Builder or .NET application, or stand up a centralised signing service for your build farm.