Catálogo completo de recursos da suite de assinatura digital sgcSign — padrões de assinatura, provedores de chaves, perfis por país, validação, integração com EU Trust List e relatórios de validação ETSI para Delphi 7 ao Delphi 13 Florence, C++Builder e .NET.
ARQUITETURA
Três camadas, um motor
O sgcSign separa o gerenciamento de chaves, as operações de assinatura e os formatos de saída. Combine qualquer provedor de chaves com qualquer assinador; mude de PFX local para KMS na nuvem alterando um componente.
Provedores de chaves (IsgcKeyProvider)
Abstrai o acesso a certificados e chaves privadas por trás de uma única interface. Arquivos locais, Windows Certificate Store, tokens de hardware PKCS#11, Azure / AWS / Google Cloud KMS, HashiCorp Vault, Certum SimplySign e QTSPs remotos CSC v2.
Assinadores
Assinadores especializados para cada formato ETSI: TsgcXAdESSigner, TsgcPAdESSigner, TsgcCAdESSigner, TsgcAuthenticodeSigner. Mais TsgcDocumentSigner — uma API de alto nível unificada que seleciona e configura o assinador correto a partir de um perfil por país. TsgcSAFTPTSigner produz a assinatura de fatura da Portaria 363/2010 de Portugal.
Componentes de suporte
TsgcTSAClient (timestamps RFC 3161), TsgcOCSPClient (revogação), TsgcSignatureVerifier (validação), TsgcX509Certificate (decodificador de certificado + verificação de emissor), TsgcEUTrustList (LOTL/EUTL), TsgcASiCContainer (empacotamento ZIP ASiC-S/ASiC-E).
PADRÕES DE ASSINATURA
XAdES, PAdES, CAdES, ASiC e Authenticode
Cobertura completa dos formatos de assinatura ETSI em todos os quatro níveis AdES (B-B, B-T, B-LT, B-LTA), mais Microsoft Authenticode para assinatura de código.
XAdES — ETSI EN 319 132
XML Advanced Electronic Signatures. Enveloped, detached and enveloping modes. B-B / B-T / B-LT / B-LTA levels. SignatureParentElement for envelope formats that pin signature placement (KSeF /v2/auth/xades-signature). Polish, Spanish and German diacritics via WideString overloads on Delphi 7+.
PAdES — ETSI EN 319 142
PDF Advanced Electronic Signatures. Embedded signatures inside PDF; visible signature appearance with signer name, reason, location, contact info and configurable rectangle. Compatible with Adobe Acrobat. PAdES-T, -LT levels via TSA + OCSP.
CAdES — ETSI EN 319 122
CMS/PKCS#7 binary signatures over any file or data stream. Detached and attached forms. CAdES-BES, CAdES-T (timestamped), CAdES-XL (long-term with revocation values).
ASiC-S / ASiC-E — ETSI EN 319 162
Associated Signature Containers. ZIP-format archive bundling one or more documents with a XAdES or CAdES signature. Simple (apASiCS, single document) or Extended (apASiCE, manifest + multiple documents). The first ZIP entry is an uncompressed mimetype marker so verifiers detect the container in the first ~50 bytes.
Authenticode — Code Signing
Microsoft Authenticode for Windows PE files (.exe, .dll, .sys, .ocx, .cpl, .scr). SHA-1, SHA-256 (default), SHA-384 and SHA-512 hash algorithms. RFC 3161 timestamp tokens. Nested (dual) signatures for legacy + modern verifier compatibility. Available in sgcSign Server.
AdES Levels — B-B / B-T / B-LT / B-LTA
All four ETSI conformance levels supported per format: B-B (basic), B-T (timestamp), B-LT (long-term, with revocation values), B-LTA (archival, with archive timestamp). Promote a signature from B-B to B-LT by adding a TSA client and OCSP responder.
10 KEY PROVIDERS
Local, Hardware, Cloud & Remote QTSPs
Every provider implements IsgcKeyProvider. Switch between any of these key sources without changing your signing code.
Component
Type
Use Case
TsgcPFXKeyProvider
Local file (PKCS#12)
Password-protected PFX/.p12 files. Native Windows CNG support.
TsgcPEMKeyProvider
Local file (PEM)
PEM certificates with encrypted PKCS#8 keys. Native PBES2 / PBKDF2 / AES-CBC decryption — no OpenSSL DLL required.
TsgcWindowsCertStoreProvider
Windows store
Local-machine and current-user stores. Active Directory and Group Policy integration.
TsgcPKCS11Provider
Hardware token
Smart cards and HSMs via PKCS#11 driver — SafeNet, YubiKey, Nitrokey, Thales, Utimaco, etc.
Generic Cloud Signature Consortium v2 client — Universign, D-Trust sign-me, A-Trust, FNMT Cl@ve Firma, Evrotrust, Intesi Group and any QTSP exposing the CSC v2 API.
21 PRE-CONFIGURED COUNTRY PROFILES
European E-Invoicing & Employment-Contract Signing
Each profile pre-tunes hash algorithm, canonicalization, signature level, RFC 3161 timestamp policy and OCSP-revocation expectations to satisfy the target country's regulator. Switch jurisdiction with one line.
E-Invoicing Profiles (12)
Profile
Country
System
Format
Level
spVeriFactu
Spain
VeriFactu (AEAT)
XAdES-EPES
B-B
spTicketBAI
Spain (Basque)
TicketBAI
XAdES-EPES
B-B
spFacturaeB2B
Spain
Facturae 3.x / FACe
XAdES-EPES
B-T
spFatturaPA
Italy
FatturaPA (SDI)
XAdES-BES
B-B
spSAFTPT
Portugal
SAF-T PT
RSA-SHA256
B-B
spKSeF
Poland
KSeF (Krajowy System e-Faktur)
XAdES
B-T
spFacturX
France / Germany
Factur-X / ZUGFeRD
XAdES
B-B
spEFactura
Romania
e-Factura (ANAF)
XAdES
B-T
spNAVOnline
Hungary
NAV Online
XML-DSig
B-B
spFiskalizacija
Croatia
Fiskalizacija
XML-DSig
B-B
spPeppolBE
Belgium
Peppol UBL 2.0
XAdES
B-T
spPeppolBG
Bulgaria
Peppol UBL 2.1
XAdES
B-T
spMyDATA
Greece
myDATA (AADE)
XAdES
B-B
Portugal: além de assinar o próprio arquivo SAF-T (PT), o componente dedicado TsgcSAFTPTSigner produz a assinatura por fatura da Portaria 363/2010, a assinatura RSA-SHA1 cujos quatro caracteres nas posições 1, 11, 21 and 31 são impressos na fatura e incluídos no QR-code field Q.
TicketBAI: as variantes por província spTicketBAIAraba, spTicketBAIBizkaia e spTicketBAIGipuzkoa carregam, cada uma, o identificador oficial de política de assinatura e o digest SHA-256 da respectiva Hacienda provincial. spTicketBAI mapeia para o par Bizkaia para manter a compatibilidade com versões anteriores.
EU Employment-Contract Profiles (9)
eIDAS-compliant signatures for member-state labour-law requirements (e.g. § 126a BGB in Germany, FEQ in Italy). Pre-tuned per jurisdiction; loaded into TsgcXAdESSigner via Profile.LoadProfile(spEmploymentXX).
Profile
Country
Level
Hash
Timestamp
OCSP
Notes
spEmploymentDE
Germany
B-LT
SHA-256
Yes
Yes
QES required by § 126a BGB for written-form contracts.
spEmploymentIT
Italy
B-LT
SHA-256
Yes
Yes
FEQ qualified signature; INPS portals consume both XAdES and CAdES.
spEmploymentES
Spain
B-T
SHA-256
Yes
No
AdES sufficient. SEPE / TGSS portals require FNMT or DNIe.
spEmploymentFR
France
B-T
SHA-256
Yes
No
AdES OK; QES preferred for remote-signing under DSP2 / RGS.
spEmploymentAT
Austria
B-LT
SHA-256
Yes
Yes
QES via Handy-Signatur / ID Austria common.
spEmploymentBE
Belgium
B-LT
SHA-256
Yes
Yes
QES via eID card (BeID).
spEmploymentPT
Portugal
B-LT
SHA-256
Yes
Yes
QES via Cartão do Cidadão / Chave Móvel Digital.
spEmploymentNL
Netherlands
B-T
SHA-256
Yes
No
AdES generally accepted; QES for some HR portals (UWV).
spEmploymentPL
Poland
B-T
SHA-256
Yes
No
QES via Profil Zaufany or qualified cert when contract goes to ZUS / PUE.
VALIDATION & TRUST
Verify the Way the EU Verifies
Full validation pipeline plus EU Trust List integration and the standardised ETSI TS 119 102-2 XML Validation Report — legal proof of signature validity accepted by EU labour courts and public-administration verifiers.
Signature Verification with LTV
TsgcSignatureVerifier covers the full pipeline: digest checks, RSA / ECDSA signature verification, certificate-chain validation, OCSP revocation checking, embedded RevocationValues for Long-Term Validation, and Id-based fragment lookup for SignedProperties.
EU Trust List (LOTL / EUTL)
TsgcEUTrustList parses the ETSI TS 119 612 List of Trusted Lists and ~31 per-Member-State Trusted Lists. Classify any X.509 certificate as eIDAS-qualified by looking it up against the live EU registry. Offline-mode caching for air-gapped deployments.
ETSI TS 119 102-2 Validation Report
Standardised XML Validation Report (v1.2.1) produced for every verification — the format accepted by EU labour courts and public-administration verifiers as legal proof of signature validity.
RFC 3161 Timestamping
TsgcTSAClient connects to any RFC 3161 timestamp authority. Promotes signatures from B-B to B-T, B-LT and B-LTA — verifiable long after the signing certificate has expired.
OCSP Revocation
TsgcOCSPClient performs RFC 6960 Online Certificate Status Protocol checks. Real-time revocation, with the OCSP response embedded in B-LT signatures so the document remains verifiable when the responder is later offline.
Decodificador de certificado X.509 & verificação do emissor
TsgcX509Certificate expõe todos os campos que um decodificador online exibe: tamanho da chave, nomes de algoritmos, número de série (com dois-pontos e decimal), nomes distintos RFC 2253 / LDAP, políticas de certificado, identificadores de chave, impressões digitais SHA-1 / SHA-256 / MD5 e o pin SubjectPublicKeyInfo SHA-256. Verifica criptograficamente a assinatura do emissor (RSA e ECDSA), resolve a CA a partir da URL AIA caIssuers e executa uma verificação OCSP automática via CheckCertificateAuto.
XML Canonicalization (C14N)
Inclusive C14N (xml-c14n11) and Exclusive C14N (xml-exc-c14n) for consistent XML signature processing. Each country profile selects the canonicalization expected by its regulator.
FOUNDATION
Native, Self-Contained, Cross-Version
Zero External DLLs
Windows CNG / BCrypt cryptography throughout — no OpenSSL DLL required. Native PBES2 / PBKDF2 / AES-CBC for encrypted PKCS#8 PEM. WinHTTP for network operations.
Delphi 7 through Delphi 13 Florence
Supports every Delphi compiler from Delphi 7 to RAD Studio 13, plus C++Builder. Modern units guarded for legacy compatibility (e.g. TsgcASiCContainer requires D2010+ generics; gracefully compiles as empty unit on D7).
.NET Implementation
Mirror C# port for .NET Framework 2.0–4.8, .NET Core, .NET 5–9 and .NET Standard. Same Tsgc* class names; same API surface as the Delphi library.
Full Source Code
Complete source included with every license. Inspect, customise, audit and extend. Component class names registered for design-time IDE integration.
UTC Timestamps Throughout
All X.509 / CRL / OCSP / TSA timestamps stored as UTC TDateTime values, matching RFC 5280, RFC 3161 and RFC 6960. Local-time conversion via *Local properties on each component.
Zero Runtime Royalties
Free binary redistribution. Sign as many documents as you like with no per-document fees and no per-deployment licenses.