diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c53d1d5ee..109b3ed2e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,8 +16,6 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        submodules: recursive
     - name: Install dependencies
       run: |
         brew update
@@ -79,7 +77,7 @@ jobs:
     container: fedora:${{ matrix.container }}
     strategy:
       matrix:
-        container: [39, 40]
+        container: [39, 40, 41]
     steps:
     - name: Install Deps
       run: |
@@ -93,8 +91,6 @@ jobs:
         sh cmake-3.28.1-linux-x86_64.sh --skip-license --prefix=/usr/local
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        submodules: recursive
     - name: Build
       run: |
         cmake -DCMAKE_INSTALL_SYSCONFDIR=/etc -B build -S .
@@ -111,7 +107,7 @@ jobs:
     container: ubuntu:${{ matrix.container }}
     strategy:
       matrix:
-        container: ['20.04', '22.04', '24.04']
+        container: ['20.04', '22.04', '24.04', '24.10']
     env:
       DEBIAN_FRONTEND: noninteractive
       DEBFULLNAME: github-actions
@@ -121,8 +117,6 @@ jobs:
       run: apt update -qq && apt install --no-install-recommends -y git lsb-release build-essential devscripts debhelper lintian pkg-config ${UBUNTU_DEPS} doxygen swig openjdk-11-jdk-headless libpython3-dev python3-setuptools libboost-test-dev
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        submodules: recursive
     - name: Setup changelog
       run: |
         export VERSION=$(grep project CMakeLists.txt | egrep -o "([0-9]{1,}\.)+[0-9]{1,}")
@@ -144,33 +138,28 @@ jobs:
     runs-on: ${{ matrix.image }}
     strategy:
       matrix:
-        toolset: [143, 142]
+        toolset: [143]
         platform: [x86, x64]
         include:
         - toolset: 143
           image: windows-2022
           vcvars: "C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise\\VC\\Auxiliary\\Build\\vcvarsall.bat"
-        - toolset: 142
-          image: windows-2019
-          vcvars: "C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Enterprise\\VC\\Auxiliary\\Build\\vcvarsall.bat"
     env:
       VER_SUFFIX: .VS${{ matrix.toolset }}
       CXXFLAGS: '/D_DISABLE_CONSTEXPR_MUTEX_CONSTRUCTOR' # https://github.com/actions/runner-images/issues/10004
-      VCPKG_INSTALLED_DIR: ${{ github.workspace }}/vcpkg_installed
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        submodules: recursive
     - name: Prepare vcpkg
       uses: lukka/run-vcpkg@v11
       with:
-        vcpkgGitCommitId: 511d74f695bd45959d12b50b00f1b68f69e8f0b0
+        vcpkgGitCommitId: e2edf52610d2c94d2038fe30b247ea5a26964e1b
         vcpkgJsonGlob: ./vcpkg.json
         runVcpkgInstall: true
         runVcpkgFormatString: "[`install`, `--recurse`, `--clean-after-build`, `--x-install-root`, `$[env.VCPKG_INSTALLED_DIR]`, `--triplet`, `$[env.VCPKG_DEFAULT_TRIPLET]`, `--x-feature`, `tests`]"
       env:
         VCPKG_DEFAULT_TRIPLET: ${{ matrix.platform }}-windows
+        VCPKG_INSTALLED_DIR: ${{ github.workspace }}/vcpkg_installed_${{ matrix.platform }}
     - name: Install dependencies
       run: choco install doxygen.install -y > $null
     - uses: actions/setup-python@v5
@@ -178,14 +167,9 @@ jobs:
       with:
         python-version: 3.12
         architecture: x86
-    - name: Install WiX
-      run: |
-        dotnet tool install -g wix --version 5.0.1
-        wix extension -g add WixToolset.UI.wixext/5.0.1
     - name: Build
       run: |
         & .\build.ps1 `
-          -vcpkg_installed ${{ env.VCPKG_INSTALLED_DIR }} `
           -vcvars "${{ matrix.vcvars }}" `
           -platform ${{ matrix.platform }} `
           -swig C:/ProgramData/chocolatey/bin/swig.exe `
@@ -199,14 +183,12 @@ jobs:
   pages:
     name: Deploy pages
     if: github.repository == 'open-eid/libdigidocpp' && contains(github.ref, 'master')
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: write
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        submodules: recursive
     - name: Install dependencies
       run: sudo apt update -qq && sudo apt install --no-install-recommends -y doxygen ${UBUNTU_DEPS}
     - name: Build docs
@@ -222,15 +204,13 @@ jobs:
   coverity:
     name: Run Coverity tests
     if: github.repository == 'open-eid/libdigidocpp' && contains(github.ref, 'coverity_scan')
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
       TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
       PROJECTNAME: ${{ github.repository }}
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        submodules: recursive
     - name: Install dependencies
       run: sudo apt update -qq && sudo apt install --no-install-recommends -y curl ca-certificates ${UBUNTU_DEPS}
     - name: Download Coverity Build Tool
@@ -257,14 +237,12 @@ jobs:
   codeql:
     name: Run CodeQL tests
     if: github.repository == 'open-eid/libdigidocpp'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       security-events: write
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-      with:
-        submodules: recursive
     - name: Install dependencies
       run: sudo apt update -qq && sudo apt install --no-install-recommends -y ${UBUNTU_DEPS}
     - name: Initialize CodeQL
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index 188b55761..000000000
--- a/.gitmodules
+++ /dev/null
@@ -1,3 +0,0 @@
-[submodule "cmake"]
-	path = cmake
-	url = ../cmake
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 53a7100d7..1b9f06e04 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,19 +1,22 @@
 cmake_minimum_required(VERSION 3.16)
-if(NOT EXISTS ${CMAKE_SOURCE_DIR}/cmake/modules/VersionInfo.cmake)
-    message(FATAL_ERROR "cmake submodule directory empty, did you 'git clone --recursive'?")
-endif()
-
 if(POLICY CMP0122)
     cmake_policy(SET CMP0122 NEW)
 endif()
 if(POLICY CMP0167)
     cmake_policy(SET CMP0167 NEW)
 endif()
-project(libdigidocpp VERSION 4.0.0)
+project(libdigidocpp VERSION 4.1.0)
 set(CMAKE_MODULE_PATH ${CMAKE_SOURCE_DIR}/cmake/modules)
 list(APPEND CMAKE_PREFIX_PATH ${CMAKE_INSTALL_PREFIX})
 
-include(VersionInfo)
+macro(SET_ENV NAME DEF)
+    if(DEFINED ENV{${NAME}})
+        set(${NAME} $ENV{${NAME}} ${ARGN})
+    else()
+        set(${NAME} ${DEF} ${ARGN})
+    endif()
+endmacro()
+
 include(GNUInstallDirs)
 
 set_env( TSL_URL "https://ec.europa.eu/tools/lotl/eu-lotl.xml" CACHE STRING "TSL trust list primary URL" )
@@ -32,6 +35,11 @@ set( BUILD_TOOLS YES CACHE BOOL "Build digidoc-tool" )
 set( BUILD_SHARED_LIBS YES CACHE BOOL "Build library as SHARED or STATIC" )
 set( SIGNCERT "" CACHE STRING "Common name of certificate to used sign binaries, empty skip signing" )
 set( CROSSSIGNCERT "" CACHE STRING "Common name of certificate to used cross sign binaries, empty skip signing" )
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED YES)
+set(CMAKE_C_VISIBILITY_PRESET hidden)
+set(CMAKE_CXX_VISIBILITY_PRESET hidden)
+set(CMAKE_VISIBILITY_INLINES_HIDDEN YES)
 set(CMAKE_DEBUG_POSTFIX "d" CACHE STRING "Adds a postfix for debug-built libraries.")
 set(CPACK_PACKAGE_VERSION ${VERSION})
 set(CPACK_GENERATOR RPM)
@@ -64,10 +72,7 @@ if(UNIX)
     endif()
 else()
     find_package(unofficial-xmlsec REQUIRED)
-    target_link_libraries(xmlsec INTERFACE
-        unofficial::xmlsec::xmlsec1
-        unofficial::xmlsec::xmlsec1-openssl
-    )
+    target_link_libraries(xmlsec INTERFACE unofficial::xmlsec::xmlsec1-openssl)
 endif()
 find_package(SWIG)
 if(SWIG_FOUND)
diff --git a/ID.ico b/ID.ico
new file mode 100644
index 000000000..40018f81a
Binary files /dev/null and b/ID.ico differ
diff --git a/README.md b/README.md
index e6585f10d..74c0c80a3 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@
         # Ubuntu
         sudo apt install cmake libxml2-dev libxmlsec1-dev zlib1g-dev
         # Fedora
-        sudo dnf install cmake gcc-c++ openssl-devel libxml2-devel xmlsec1-openssl-devel zlib-devel
+        sudo dnf install cmake gcc-c++ openssl-devel libxml2-devel xmlsec1-openssl-devel libtool-ltdl-devel zlib-devel
 
 	* doxygen - Optional, for API documentation
 	* libboost-test-dev - Optional, for unittests
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index edcccf020..c70450f17 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -1,4 +1,4 @@
-Libdigidocpp library [3.18.0](https://github.com/open-eid/libdigidocpp/releases/tag/v3.18.0) release notes
+Libdigidocpp library [4.0.0](https://github.com/open-eid/libdigidocpp/releases/tag/v4.0.0) release notes
 --------------------------------------
 - Major rewrite of library internals due upstream dependecy xalan-c and xml-security-c package has been retired.
   https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/3726671873/Santuario
@@ -6,11 +6,11 @@ Libdigidocpp library [3.18.0](https://github.com/open-eid/libdigidocpp/releases/
 - Update libraries and platform support
   (#572, #565, #571, #570, #574, #578, #581, #582, #583, #579, #587, #589, #590, #563, #592, #597, #605, #608, #616)
 - Improve signature and container compatibility
-  (#573, #585, #586, #588, #591, #584, #596, #593, #595, #603, #604, #607, #613, #609)
+  (#573, #585, #586, #588, #591, #584, #596, #593, #595, #603, #604, #607, #613, #609, #619)
 - Other fixes and optimizations
   (#564, #577, #580, #599, #606, #612, #614, #611, #610)
 
-[Full Changelog](https://github.com/open-eid/libdigidocpp/compare/v3.17.0...v3.18.0)
+[Full Changelog](https://github.com/open-eid/libdigidocpp/compare/v3.17.0...v4.0.0)
 
 Libdigidocpp library [3.17.1](https://github.com/open-eid/libdigidocpp/releases/tag/v3.17.1) release notes
 --------------------------------------
diff --git a/banner.bmp b/banner.bmp
new file mode 100644
index 000000000..565997aa3
Binary files /dev/null and b/banner.bmp differ
diff --git a/build.ps1 b/build.ps1
index 4a0e86c83..a8b71976e 100644
--- a/build.ps1
+++ b/build.ps1
@@ -1,19 +1,18 @@
 #powershell -ExecutionPolicy ByPass -File build.ps1
 param(
   [string]$libdigidocpp = $PSScriptRoot,
+  [string]$platform = "x64",
   [string]$git = "git.exe",
   [string]$vcpkg = "vcpkg\vcpkg.exe",
   [string]$vcpkg_dir = (split-path -parent $vcpkg),
   [string]$vcpkg_installed = $libdigidocpp,
   [string]$vcpkg_installed_platform = "$vcpkg_installed\vcpkg_installed_$platform",
   [string]$build_number = $(if ($null -eq $env:BUILD_NUMBER) {"0"} else {$env:BUILD_NUMBER}),
-  [string]$msiversion = "4.0.0.$build_number",
-  [string]$platform = "x64",
+  [string]$msiversion = "4.1.0.$build_number",
   [string]$msi_name = "libdigidocpp-$msiversion$env:VER_SUFFIX.$platform.msi",
   [string]$cmake = "cmake.exe",
   [string]$generator = "NMake Makefiles",
   [string]$vcvars = "vcvarsall",
-  [string]$wix = "wix.exe",
   [string]$swig = $null,
   [string]$doxygen = $null,
   [switch]$boost = $false,
@@ -21,17 +20,16 @@ param(
 )
 
 Try {
-  & $wix > $null
+  & wix > $null
 }
 Catch {
-  & dotnet tool install --global --version 5.0.1 wix
-  & $wix extension add -g WixToolset.UI.wixext/5.0.1
+  & dotnet tool install -g --version 5.0.2 wix
+  & wix extension add -g WixToolset.UI.wixext/5.0.2
 }
 
 if(!(Test-Path -Path $vcpkg)) {
   & $git clone https://github.com/microsoft/vcpkg $vcpkg_dir
   & $vcpkg_dir\bootstrap-vcpkg.bat
-  & $vcpkg install --clean-after-build --triplet x64-windows --x-feature=tests --x-install-root=$vcpkg_installed_platform
 }
 
 $cmakeext = @()
@@ -69,12 +67,11 @@ if($sign) {
     $vcpkg_installed_platform/$platform-windows/debug/bin/*.dll
 }
 
-& $vcvars $platform "&&" $wix build -nologo -arch $platform -out $msi_name $wixext `
+& $vcvars $platform "&&" wix build -nologo -arch $platform -out $msi_name $wixext `
   -ext WixToolset.UI.wixext `
-  -bv "WixUIBannerBmp=$libdigidocpp/cmake/modules/banner.bmp" `
-  -bv "WixUIDialogBmp=$libdigidocpp/cmake/modules/dlgbmp.bmp" `
-  -d "ICON=$libdigidocpp/cmake/modules/ID.ico" `
-  -d "MSI_VERSION=$msiversion" `
+  -bv "WixUIBannerBmp=$libdigidocpp/banner.bmp" `
+  -bv "WixUIDialogBmp=$libdigidocpp/dlgbmp.bmp" `
+  -d "ICON=$libdigidocpp/ID.ico" `
   -d "vcpkg=$vcpkg_installed_platform/$platform-windows" `
   -d "libdigidocpp=$(Get-Location)/$platform" `
   $libdigidocpp\libdigidocpp.wxs
diff --git a/cmake b/cmake
deleted file mode 160000
index 8ce75e605..000000000
--- a/cmake
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 8ce75e6057067ca51d7c619d34d88422bad201e5
diff --git a/cmake/modules/FindPKCS11.cmake b/cmake/modules/FindPKCS11.cmake
new file mode 100644
index 000000000..dab04793b
--- /dev/null
+++ b/cmake/modules/FindPKCS11.cmake
@@ -0,0 +1,21 @@
+# - Find pkcs11
+# Find the PKCS11 module
+#
+# PKCS11_MODULE - pkcs11 module path and name
+# PKCS11_FOUND  - True if pkcs11 module found.
+
+if(APPLE)
+    find_library(PKCS11_MODULE NAMES opensc-pkcs11.so HINTS /Library/OpenSC/lib)
+elseif(WIN32)
+    if(NOT PKCS11_MODULE)
+        set(PKCS11_MODULE opensc-pkcs11.dll)
+    endif()
+else()
+    if(NOT PKCS11_MODULE)
+        set(PKCS11_MODULE opensc-pkcs11.so)
+    endif()
+endif()
+
+include(FindPackageHandleStandardArgs)
+FIND_PACKAGE_HANDLE_STANDARD_ARGS(PKCS11 DEFAULT_MSG PKCS11_MODULE)
+MARK_AS_ADVANCED(PKCS11)
diff --git a/dlgbmp.bmp b/dlgbmp.bmp
new file mode 100644
index 000000000..e7b9c26be
Binary files /dev/null and b/dlgbmp.bmp differ
diff --git a/etc/Doxyfile.in b/etc/Doxyfile.in
index f31ec290f..3737d8041 100644
--- a/etc/Doxyfile.in
+++ b/etc/Doxyfile.in
@@ -61,7 +61,7 @@ PROJECT_BRIEF          =
 # pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
 # the logo to the output directory.
 
-PROJECT_LOGO           = @CMAKE_MODULE_PATH@/ID.ico
+PROJECT_LOGO           = @CMAKE_SOURCE_DIR@/ID.ico
 
 # With the PROJECT_ICON tag one can specify an icon that is included in the tabs
 # when the HTML document is shown. Doxygen will copy the logo to the output
diff --git a/libdigidocpp.wxs b/libdigidocpp.wxs
index 7ee740bdd..4155212c6 100644
--- a/libdigidocpp.wxs
+++ b/libdigidocpp.wxs
@@ -18,7 +18,7 @@
 <Wix xmlns="http://wixtoolset.org/schemas/v4/wxs"
      xmlns:ui="http://wixtoolset.org/schemas/v4/wxs/ui">
   <Package Name="Libdigidocpp $(sys.BUILDARCH)" UpgradeCode="$(var.UpgradeCode)"
-      Language="1033" Version="$(var.MSI_VERSION)" Manufacturer="RIA" InstallerVersion="500">
+      Language="1033" Version="!(bind.FileVersion.digidocpp)" Manufacturer="RIA" InstallerVersion="500">
     <MediaTemplate EmbedCab="yes" CompressionLevel="high" />
     <Icon Id="ID.ico" SourceFile="$(var.ICON)" />
     <Property Id="ARPPRODUCTICON" Value="ID.ico" />
@@ -54,7 +54,7 @@
     </ComponentGroup>
 
     <ComponentGroup Id="Libraries" Source="$(var.libdigidocpp)\bin">
-      <File Name="digidocpp.dll" />
+      <File Id="digidocpp" Name="digidocpp.dll" />
       <File Name="digidoc-tool.exe" />
       <File Source="$(var.libdigidocpp)\etc\digidocpp\digidocpp.conf" />
 <?ifdef var.swig ?>
diff --git a/prepare_osx_build_environment.sh b/prepare_osx_build_environment.sh
index d3c4a175e..1f6426a83 100755
--- a/prepare_osx_build_environment.sh
+++ b/prepare_osx_build_environment.sh
@@ -3,7 +3,7 @@ set -e
 
 OPENSSL_DIR=openssl-3.0.15
 LIBXML2_DIR=libxml2-2.12.9
-XMLSEC_DIR=xmlsec1-1.3.5
+XMLSEC_DIR=xmlsec1-1.3.6
 ANDROID_NDK=android-ndk-r26d
 FREETYPE_DIR=freetype-2.10.1
 FONTCONFIG_DIR=fontconfig-2.13.1
diff --git a/src/ASiC_E.cpp b/src/ASiC_E.cpp
index 5c69f5f03..18622b065 100644
--- a/src/ASiC_E.cpp
+++ b/src/ASiC_E.cpp
@@ -35,16 +35,19 @@ using namespace digidoc;
 using namespace digidoc::util;
 using namespace std;
 
-const string_view ASiC_E::ASIC_TM_PROFILE = "time-mark";
-const string_view ASiC_E::ASIC_TS_PROFILE = "time-stamp";
-const string_view ASiC_E::ASIC_TSA_PROFILE = "time-stamp-archive";
-const string_view ASiC_E::ASIC_TMA_PROFILE = "time-mark-archive";
 constexpr string_view MANIFEST_NS {"urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"};
 
 class ASiC_E::Private
 {
 public:
+    string unique_name() const
+    {
+        string file;
+        for(unsigned int i = 0; signatures.count(file = Log::format("META-INF/signatures%u.xml", i++)); );
+        return file;
+    }
     vector<DataFile*> metadata;
+    map<string,Signatures*> signatures;
 };
 
 /**
@@ -57,7 +60,7 @@ ASiC_E::ASiC_E()
 }
 
 /**
- * Opens BDOC container from a file
+ * Opens ASiC container from a file
  */
 ASiC_E::ASiC_E(const string &path)
     : ASiContainer(MIMETYPE_ASIC_E)
@@ -101,24 +104,28 @@ void ASiC_E::save(const string &path)
     s.addFile("mimetype", mimetype, zproperty("mimetype"), false);
 
     stringstream manifest;
-    createManifest(manifest);
+    if(!createManifest().save(manifest))
+        THROW("Failed to create manifest XML");
     s.addFile("META-INF/manifest.xml", manifest, zproperty("META-INF/manifest.xml"));
 
     for(const DataFile *file: dataFiles())
         s.addFile(file->fileName(), *(static_cast<const DataFilePrivate*>(file)->m_is), zproperty(file->fileName()));
 
     std::set<Signatures*> saved;
-    unsigned int i = 0;
     for(Signature *iter: signatures())
     {
-        string file = Log::format("META-INF/signatures%u.xml", i++);
-        auto *signature = static_cast<SignatureXAdES_B*>(iter);
-        if(!saved.insert(signature->signatures.get()).second)
+        auto *signatures = static_cast<SignatureXAdES_B*>(iter)->signatures.get();
+        if(!saved.insert(signatures).second)
             continue;
+        auto name = find_if(d->signatures.cbegin(), d->signatures.cend(), [signatures](const auto &k){
+            return k.second == signatures;
+        });
+        if(name == d->signatures.cend())
+            THROW("Unkown signature object");
         stringstream ofs;
-        if(!signature->signatures->save(ofs))
+        if(!signatures->save(ofs))
             THROW("Failed to create signature XML file.");
-        s.addFile(file, ofs, zproperty(file));
+        s.addFile(name->first, ofs, zproperty(name->first));
     }
 }
 
@@ -142,12 +149,9 @@ void ASiC_E::addAdESSignature(istream &data)
         THROW("No documents in container, can not add signature.");
     if(mediaType() != MIMETYPE_ASIC_E)
         THROW("'%s' format is not supported", mediaType().c_str());
-
     try
     {
-        auto signatures = make_shared<Signatures>(data, this);
-        for(auto s = signatures->signature(); s; s++)
-            addSignature(make_unique<SignatureXAdES_LTA>(signatures, s, this));
+        loadSignatures(data, d->unique_name());
     }
     catch(const Exception &e)
     {
@@ -164,14 +168,10 @@ unique_ptr<Container> ASiC_E::openInternal(const string &path)
 /**
  * Creates BDoc container manifest file and returns its path.
  *
- * Note: If non-ascii characters are present in XML data, we depend on the LANG variable to be set properly
- * (see iconv --list for the list of supported encoding values for libiconv).
- *
- *
  * @return returns created manifest file path.
  * @throws Exception exception is thrown if manifest file creation failed.
  */
-void ASiC_E::createManifest(ostream &os)
+XMLDocument ASiC_E::createManifest() const
 {
     DEBUG("ASiC_E::createManifest()");
     auto doc = XMLDocument::create("manifest", MANIFEST_NS, "manifest");
@@ -184,8 +184,15 @@ void ASiC_E::createManifest(ostream &os)
     add("/", mediaType());
     for(const DataFile *file: dataFiles())
         add(file->fileName(), file->mediaType());
-    if(!doc.save(os))
-        THROW("Failed to create manifest XML");
+    return doc;
+}
+
+void ASiC_E::loadSignatures(istream &data, const string &file)
+{
+    auto signatures = make_shared<Signatures>(data, mediaType());
+    d->signatures.emplace(file, signatures.get());
+    for(auto s = signatures->signature(); s; s++)
+        addSignature(make_unique<SignatureXAdES_LTA>(signatures, s, this));
 }
 
 /**
@@ -251,9 +258,7 @@ void ASiC_E::parseManifestAndLoadFiles(const ZipSerialize &z)
                 try
                 {
                     auto data = z.extract<stringstream>(file);
-                    auto signatures = make_shared<Signatures>(data, this);
-                    for(auto s = signatures->signature(); s; s++)
-                        addSignature(make_unique<SignatureXAdES_LTA>(signatures, s, this));
+                    loadSignatures(data, file);
                 }
                 catch(const Exception &e)
                 {
@@ -286,7 +291,9 @@ Signature* ASiC_E::prepareSignature(Signer *signer)
         THROW("No documents in container, can not sign container.");
     if(!signer)
         THROW("Null pointer in ASiC_E::sign");
-    return addSignature(make_unique<SignatureXAdES_LTA>(newSignatureId(), this, signer));
+    auto signatures = make_shared<Signatures>();
+    d->signatures.emplace(d->unique_name(), signatures.get());
+    return addSignature(make_unique<SignatureXAdES_LTA>(signatures, newSignatureId(), this, signer));
 }
 
 Signature *ASiC_E::sign(Signer* signer)
diff --git a/src/ASiC_E.h b/src/ASiC_E.h
index 0a61ba87f..c7887d9fb 100644
--- a/src/ASiC_E.h
+++ b/src/ASiC_E.h
@@ -23,6 +23,8 @@
 
 namespace digidoc
 {
+    struct XMLDocument;
+
     /**
      * Implements the BDOC specification of the signed digital document container.
      * Container can contain several files and all these files can be signed using
@@ -34,10 +36,10 @@ namespace digidoc
     class ASiC_E final : public ASiContainer
     {
       public:
-          static const std::string_view ASIC_TM_PROFILE;
-          static const std::string_view ASIC_TS_PROFILE;
-          static const std::string_view ASIC_TMA_PROFILE;
-          static const std::string_view ASIC_TSA_PROFILE;
+          static constexpr std::string_view ASIC_TM_PROFILE = "time-mark";
+          static constexpr std::string_view ASIC_TS_PROFILE = "time-stamp";
+          static constexpr std::string_view ASIC_TMA_PROFILE = "time-mark-archive";
+          static constexpr std::string_view ASIC_TSA_PROFILE = "time-stamp-archive";
 
           ~ASiC_E() final;
           void save(const std::string &path = {}) final;
@@ -54,7 +56,8 @@ namespace digidoc
           ASiC_E();
           ASiC_E(const std::string &path);
           DISABLE_COPY(ASiC_E);
-          void createManifest(std::ostream &os);
+          XMLDocument createManifest() const;
+          void loadSignatures(std::istream &data, const std::string &file);
           void parseManifestAndLoadFiles(const ZipSerialize &z);
 
           class Private;
diff --git a/src/ASiC_S.cpp b/src/ASiC_S.cpp
index 78fa9b51e..6cd83fc4a 100644
--- a/src/ASiC_S.cpp
+++ b/src/ASiC_S.cpp
@@ -61,7 +61,7 @@ ASiC_S::ASiC_S(const string &path): ASiContainer(MIMETYPE_ASIC_S)
                 if(!signatures().empty())
                     THROW("Can not add signature to ASiC-S container which already contains a signature.");
                 auto data = z.extract<stringstream>(file);
-                auto signatures = make_shared<Signatures>(data, this);
+                auto signatures = make_shared<Signatures>(data, mediaType());
                 for(auto s = signatures->signature(); s; s++)
                     addSignature(make_unique<SignatureXAdES_LTA>(signatures, s, this));
             }
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 01317a3d8..d457b3431 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -9,6 +9,22 @@ else()
     target_link_libraries(minizip ZLIB::ZLIB)
 endif()
 
+if($ENV{BUILD_NUMBER})
+    set(BUILD_VER $ENV{BUILD_NUMBER})
+elseif(PROJECT_VERSION_TWEAK)
+    set(BUILD_VER ${PROJECT_VERSION_TWEAK})
+else()
+    set(BUILD_VER 0)
+endif()
+
+add_definitions(
+    -DMAJOR_VER=${PROJECT_VERSION_MAJOR}
+    -DMINOR_VER=${PROJECT_VERSION_MINOR}
+    -DRELEASE_VER=${PROJECT_VERSION_PATCH}
+    -DBUILD_VER=${BUILD_VER}
+)
+set(VERSION ${PROJECT_VERSION}.${BUILD_VER})
+
 configure_file( libdigidocpp.pc.cmake libdigidocpp.pc @ONLY )
 configure_file( ${CMAKE_SOURCE_DIR}/etc/digidocpp.conf.cmake digidocpp.conf )
 
@@ -130,6 +146,8 @@ set_target_properties(digidocpp PROPERTIES
     FRAMEWORK_VERSION 1
     FRAMEWORK "${FRAMEWORK}"
     MACOSX_FRAMEWORK_IDENTIFIER "ee.ria.digidocpp"
+    MACOSX_FRAMEWORK_SHORT_VERSION_STRING ${PROJECT_VERSION}
+    MACOSX_FRAMEWORK_BUNDLE_VERSION ${BUILD_VER}
     MACOSX_RPATH YES
     COMPILE_DEFINITIONS TARGET_NAME="$<TARGET_NAME:digidocpp>"
     POSITION_INDEPENDENT_CODE YES
diff --git a/src/SignatureXAdES_B.cpp b/src/SignatureXAdES_B.cpp
index aca9988c2..24d396b60 100644
--- a/src/SignatureXAdES_B.cpp
+++ b/src/SignatureXAdES_B.cpp
@@ -190,7 +190,7 @@ int initXmlSecCallback()
             return is;
         },
         [](void *ctx, char *buf, int len) -> int {
-            auto *is = static_cast<std::istream*>(ctx);
+            auto *is = static_cast<istream*>(ctx);
             is->read(buf, len);
             return int(is->gcount());
         },
@@ -207,7 +207,7 @@ Signatures::Signatures()
     addNS(XADES_NS, "xades");
 }
 
-Signatures::Signatures(istream &data, ASiContainer *container)
+Signatures::Signatures(istream &data, string_view mediaType)
     : XMLDocument(openStream(data))
 {
     /* http://www.etsi.org/deliver/etsi_ts/102900_102999/102918/01.03.01_60/ts_102918v010301p.pdf
@@ -219,7 +219,7 @@ Signatures::Signatures(istream &data, ASiContainer *container)
      * Case container is ADoc 1.0 then handle document-signatures root element
      */
     try {
-        if(container->mediaType() == ASiC_E::MIMETYPE_ADOC && name() == "document-signatures" && ns() == OPENDOCUMENT_NS)
+        if(mediaType == ASiC_E::MIMETYPE_ADOC && name() == "document-signatures" && ns() == OPENDOCUMENT_NS)
             validateSchema(File::path(Conf::instance()->xsdPath(), "OpenDocument_dsig.xsd"));
         else
             validateSchema(File::path(Conf::instance()->xsdPath(), "en_31916201v010101.xsd"));
@@ -234,8 +234,8 @@ Signatures::Signatures(istream &data, ASiContainer *container)
 /**
  * Creates an empty BDOC-BES signature with mandatory XML nodes.
  */
-SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *container, Signer *signer)
-    : signatures(make_shared<Signatures>())
+SignatureXAdES_B::SignatureXAdES_B(const shared_ptr<Signatures> &signatures, unsigned int id, ASiContainer *container, Signer *signer)
+    : signatures(signatures)
     , bdoc(container)
 {
     X509Cert c = signer->cert();
@@ -295,7 +295,7 @@ SignatureXAdES_B::SignatureXAdES_B(unsigned int id, ASiContainer *container, Sig
  * @param bdoc BDOC container
  * @throws SignatureException
  */
-SignatureXAdES_B::SignatureXAdES_B(const std::shared_ptr<Signatures> &signatures, XMLNode s, ASiContainer *container)
+SignatureXAdES_B::SignatureXAdES_B(const shared_ptr<Signatures> &signatures, XMLNode s, ASiContainer *container)
     : signatures(signatures)
     , signature(s)
     , bdoc(container)
diff --git a/src/SignatureXAdES_B.h b/src/SignatureXAdES_B.h
index ee84bea9e..67605d1a0 100644
--- a/src/SignatureXAdES_B.h
+++ b/src/SignatureXAdES_B.h
@@ -43,7 +43,7 @@ namespace digidoc
     {
     public:
         explicit Signatures();
-        Signatures(std::istream &data, ASiContainer *container);
+        Signatures(std::istream &data, std::string_view mediaType);
 
         constexpr XMLNode signature() const noexcept
         {
@@ -55,7 +55,7 @@ namespace digidoc
     {
 
       public:
-          SignatureXAdES_B(unsigned int id, ASiContainer *bdoc, Signer *signer);
+          SignatureXAdES_B(const std::shared_ptr<Signatures> &signatures, unsigned int id, ASiContainer *bdoc, Signer *signer);
           SignatureXAdES_B(const std::shared_ptr<Signatures> &signatures, XMLNode s, ASiContainer *container);
           ~SignatureXAdES_B();
 
diff --git a/src/SignatureXAdES_LT.cpp b/src/SignatureXAdES_LT.cpp
index e4ad59603..a69940d67 100644
--- a/src/SignatureXAdES_LT.cpp
+++ b/src/SignatureXAdES_LT.cpp
@@ -35,11 +35,11 @@
 using namespace digidoc;
 using namespace std;
 
-SignatureXAdES_LT::SignatureXAdES_LT(unsigned int id, ASiContainer *bdoc, Signer *signer)
-: SignatureXAdES_T(id, bdoc, signer)
+SignatureXAdES_LT::SignatureXAdES_LT(const shared_ptr<Signatures> &signatures, unsigned int id, ASiContainer *bdoc, Signer *signer)
+: SignatureXAdES_T(signatures, id, bdoc, signer)
 {}
 
-SignatureXAdES_LT::SignatureXAdES_LT(const std::shared_ptr<Signatures> &signatures, XMLNode s, ASiContainer *container)
+SignatureXAdES_LT::SignatureXAdES_LT(const shared_ptr<Signatures> &signatures, XMLNode s, ASiContainer *container)
     : SignatureXAdES_T(signatures, s, container)
 {
     try {
diff --git a/src/SignatureXAdES_LT.h b/src/SignatureXAdES_LT.h
index 1cab1a7c3..47b345061 100644
--- a/src/SignatureXAdES_LT.h
+++ b/src/SignatureXAdES_LT.h
@@ -29,7 +29,7 @@ class OCSP;
 class SignatureXAdES_LT: public SignatureXAdES_T
 {
 public:
-    SignatureXAdES_LT(unsigned int id, ASiContainer *bdoc, Signer *signer);
+    SignatureXAdES_LT(const std::shared_ptr<Signatures> &signatures, unsigned int id, ASiContainer *bdoc, Signer *signer);
     SignatureXAdES_LT(const std::shared_ptr<Signatures> &signatures, XMLNode s, ASiContainer *container);
 
     std::string trustedSigningTime() const override;
diff --git a/src/XmlConf.cpp b/src/XmlConf.cpp
index d38446401..0dbd930a7 100644
--- a/src/XmlConf.cpp
+++ b/src/XmlConf.cpp
@@ -164,7 +164,7 @@ void XmlConf::Private::init(const string& path, bool global)
         optional<bool> lock;
         if(auto val = elem["lock"]; !val.empty())
             lock = val == "true";
-        auto setValue = [&](auto &param) {
+        auto setValue = [&](auto &param) constexpr {
             if(paramName != param.name)
                 return false;
             if(global && lock.has_value()) param.locked = lock.value();
@@ -384,9 +384,12 @@ GET1(string, proxyUser)
 GET1(string, proxyPass)
 GET1(bool, proxyForceSSL)
 GET1(bool, proxyTunnelSSL)
+DIGIDOCPP_WARNING_PUSH
+DIGIDOCPP_WARNING_DISABLE_GCC("-Wdeprecated-declarations")
 GET1EX(string, PKCS12Cert, Conf::PKCS12Cert())
-GET1EX(string, PKCS12Pass, Conf::PKCS12Cert())
+GET1EX(string, PKCS12Pass, Conf::PKCS12Pass())
 GET1EX(bool, PKCS12Disable, Conf::PKCS12Disable())
+DIGIDOCPP_WARNING_POP
 GET1(string, TSUrl)
 GET1(bool, TSLAutoUpdate)
 GET1(string, TSLCache)
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 5f96be6ee..e5849555c 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -1,4 +1,3 @@
-set_env(RUN_TESTS "" CACHE STRING "Run tests on build")
 set_env(TEST_FORMAT XML CACHE STRING "Test result format (XML/JUNIT)")
 set( CMAKE_SKIP_RPATH OFF )
 add_definitions(
diff --git a/vcpkg-ports/xmlsec/CMakeLists.txt b/vcpkg-ports/xmlsec/CMakeLists.txt
index 2d580ce55..bbd9ea9d2 100644
--- a/vcpkg-ports/xmlsec/CMakeLists.txt
+++ b/vcpkg-ports/xmlsec/CMakeLists.txt
@@ -60,12 +60,13 @@ set(CMAKE_STATIC_LIBRARY_PREFIX "lib")
 add_library(xmlsec1 ${SOURCESXMLSEC})
 add_library(xmlsec1-openssl ${SOURCESXMLSECOPENSSL})
 
-include_directories(${CMAKE_CURRENT_BINARY_DIR}/include include)
-
-target_link_libraries(xmlsec1 PRIVATE LibXml2::LibXml2)
-target_link_libraries(xmlsec1-openssl PRIVATE
-    LibXml2::LibXml2 OpenSSL::Crypto xmlsec1
+target_include_directories(xmlsec1 PUBLIC
+    $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}/include>
+    $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
+    $<INSTALL_INTERFACE:include>
 )
+target_link_libraries(xmlsec1 PUBLIC LibXml2::LibXml2)
+target_link_libraries(xmlsec1-openssl PUBLIC xmlsec1 OpenSSL::Crypto)
 
 add_compile_definitions(inline=__inline)
 add_compile_definitions(PACKAGE="xmlsec1")
@@ -76,8 +77,6 @@ add_compile_definitions(HAVE_CTYPE_H)
 add_compile_definitions(HAVE_MALLOC_H)
 add_compile_definitions(HAVE_MEMORY_H)
 add_compile_definitions(XMLSEC_DEFAULT_CRYPTO="openssl")
-add_compile_definitions(XMLSEC_NO_GOST)
-add_compile_definitions(XMLSEC_NO_GOST2012)
 add_compile_definitions(UNICODE)
 add_compile_definitions(_UNICODE)
 add_compile_definitions(_MBCS)
@@ -85,29 +84,27 @@ add_compile_definitions(_REENTRANT)
 
 set_target_properties(xmlsec1 xmlsec1-openssl PROPERTIES VERSION ${XMLSEC_VERSION_MAJOR}.${XMLSEC_VERSION_MINOR})
 
+set(XMLSEC_CORE_CFLAGS "")
 if(NOT BUILD_SHARED_LIBS)
-    set(XMLSEC_CORE_CFLAGS "-DLIBXML_STATIC -DLIBXSLT_STATIC -DXMLSEC_STATIC -DXMLSEC_NO_CRYPTO_DYNAMIC_LOADING")
-    set(XMLSEC_OPENSSL_CFLAGS ${XMLSEC_CORE_CFLAGS})
-else()
-    set(XMLSEC_CORE_CFLAGS "-DXMLSEC_DL_WIN32")
-    set(XMLSEC_OPENSSL_CFLAGS ${XMLSEC_CORE_CFLAGS})
+    set(XMLSEC_CORE_CFLAGS "-DLIBXML_STATIC -DXMLSEC_STATIC -DXMLSEC_NO_CRYPTO_DYNAMIC_LOADING")
+    target_compile_definitions(xmlsec1 PUBLIC XMLSEC_STATIC XMLSEC_NO_CRYPTO_DYNAMIC_LOADING)
 endif()
+set(XMLSEC_OPENSSL_CFLAGS ${XMLSEC_CORE_CFLAGS})
 
 target_compile_definitions(xmlsec1
-    PRIVATE ${XMLSEC_CORE_CFLAGS}
+    PRIVATE $<$<PLATFORM_ID:Windows>:XMLSEC_DL_WIN32>
     PUBLIC XMLSEC_NO_XSLT XMLSEC_CRYPTO_OPENSSL
 )
-target_compile_definitions(xmlsec1-openssl PRIVATE ${XMLSEC_OPENSSL_CFLAGS})
+target_compile_definitions(xmlsec1-openssl PUBLIC XMLSEC_NO_GOST XMLSEC_NO_GOST2012)
 
 install(TARGETS xmlsec1 xmlsec1-openssl
-    EXPORT xmlsecExport
+    EXPORT unofficial-xmlsec-targets
     RUNTIME DESTINATION bin
     LIBRARY DESTINATION lib
     ARCHIVE DESTINATION lib
 )
 
-install(EXPORT xmlsecExport
-    FILE unofficial-xmlsec-config.cmake
+install(EXPORT unofficial-xmlsec-targets
     NAMESPACE unofficial::xmlsec::
     DESTINATION share/unofficial-xmlsec
 )
@@ -116,7 +113,7 @@ if(INSTALL_HEADERS_TOOLS)
 	file(GLOB PUBLIC_HEADERS
 		include/xmlsec/*.h
 		include/xmlsec/openssl/*.h)
-    list(FILTER PUBLIC_HEADERS EXCLUDE REGEX "exports\\.h$")
+	list(FILTER PUBLIC_HEADERS EXCLUDE REGEX "exports\\.h$")
 
 	foreach(file IN LISTS PUBLIC_HEADERS)
 		get_filename_component(dir ${file} DIRECTORY)
@@ -137,16 +134,13 @@ if(INSTALL_HEADERS_TOOLS)
 		target_link_libraries(xmlsec PRIVATE crypt32.lib)
 	endif()
 
-	target_link_libraries(xmlsec PRIVATE
-		${LIBXML2_LIBRARIES} OpenSSL::Crypto xmlsec1 xmlsec1-openssl
-	)
+	target_link_libraries(xmlsec PRIVATE xmlsec1-openssl)
 
 	if(BUILD_SHARED_LIBS)
 		target_compile_definitions(xmlsec PRIVATE -DXMLSEC_CRYPTO_DYNAMIC_LOADING)
 	else()
-        find_package(Threads REQUIRED)
-		target_compile_definitions(xmlsec PRIVATE -DLIBXML_STATIC -DLIBXSLT_STATIC -DXMLSEC_STATIC)
-        target_link_libraries(xmlsec PUBLIC Threads::Threads)
+		find_package(Threads REQUIRED)
+		target_link_libraries(xmlsec PUBLIC Threads::Threads)
 	endif()
 	install(TARGETS xmlsec DESTINATION tools/xmlsec)
 endif()
@@ -159,7 +153,7 @@ set(libdir ${prefix}/${CMAKE_INSTALL_LIBDIR})
 set(includedir ${prefix}/${CMAKE_INSTALL_INCLUDEDIR})
 set(VERSION ${XMLSEC_VERSION})
 set(LIBXML_MIN_VERSION ${LIBXML2_VERSION_STRING})
-set(OPENSSL_LIBS "-lssl -lcrypto")
+set(OPENSSL_LIBS "-lcrypto")
 set(XMLSEC_CORE_CFLAGS "${XMLSEC_CORE_CFLAGS} -DXMLSEC_DL_LIBLTDL=1 -I\${includedir}/xmlsec1 -DXMLSEC_CRYPTO_OPENSSL=1")
 set(XMLSEC_CORE_LIBS "-lxmlsec1 -lltdl")
 set(XMLSEC_OPENSSL_CFLAGS "${XMLSEC_OPENSSL_CFLAGS} -I\${includedir}/xmlsec1")
diff --git a/vcpkg-ports/xmlsec/portfile.cmake b/vcpkg-ports/xmlsec/portfile.cmake
index 0fa84067d..47b0d6577 100644
--- a/vcpkg-ports/xmlsec/portfile.cmake
+++ b/vcpkg-ports/xmlsec/portfile.cmake
@@ -5,7 +5,7 @@ vcpkg_from_github(
     OUT_SOURCE_PATH SOURCE_PATH
     REPO lsh123/xmlsec
     REF "${release_tag}"
-    SHA512 8574eca37c0be55126e50a76322f96171c9d82dbdd793fdbc26430526488e69db8b41351f136f77bd36f8a3ea238c350bc62dd99214b8348b65dd8055a1c6148
+    SHA512 6e41c35042e5a74e135cfb7468aa5c09b3c9ba684ab2431ecedce950f7c99c92fc8765c1c8c2ddfd87718bd00f4a287028227da1e987f2ef17ce2594356e81af
     HEAD_REF master
     PATCHES 
         pkgconfig_fixes.patch
@@ -28,5 +28,6 @@ vcpkg_copy_pdbs()
 # unofficial legacy usage
 file(INSTALL "${CMAKE_CURRENT_LIST_DIR}/xmlsec-config.cmake" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}")
 
+file(INSTALL "${CMAKE_CURRENT_LIST_DIR}/unofficial-xmlsec-config.cmake" DESTINATION "${CURRENT_PACKAGES_DIR}/share/unofficial-xmlsec")
 file(INSTALL "${CMAKE_CURRENT_LIST_DIR}/usage" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}")
 file(INSTALL "${SOURCE_PATH}/Copyright" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}" RENAME copyright)
diff --git a/vcpkg-ports/xmlsec/unofficial-xmlsec-config.cmake b/vcpkg-ports/xmlsec/unofficial-xmlsec-config.cmake
new file mode 100644
index 000000000..3a2b0c952
--- /dev/null
+++ b/vcpkg-ports/xmlsec/unofficial-xmlsec-config.cmake
@@ -0,0 +1,4 @@
+include(CMakeFindDependencyMacro)
+find_dependency(LibXml2)
+find_dependency(OpenSSL)
+include("${CMAKE_CURRENT_LIST_DIR}/unofficial-xmlsec-targets.cmake")
diff --git a/vcpkg-ports/xmlsec/vcpkg.json b/vcpkg-ports/xmlsec/vcpkg.json
index 8525d1249..c504e7733 100644
--- a/vcpkg-ports/xmlsec/vcpkg.json
+++ b/vcpkg-ports/xmlsec/vcpkg.json
@@ -1,6 +1,6 @@
 {
   "name": "xmlsec",
-  "version": "1.3.5",
+  "version": "1.3.6",
   "description": "XML Security Library is a C library based on LibXML2. The library supports major XML security standards.",
   "homepage": "https://www.aleksey.com/xmlsec/",
   "license": "X11 AND MPL-1.1",
diff --git a/vcpkg.json b/vcpkg.json
index de815d66d..2d8f1954a 100644
--- a/vcpkg.json
+++ b/vcpkg.json
@@ -1,6 +1,6 @@
 {
     "name": "libdigidocpp",
-    "version": "4.0.0",
+    "version": "4.1.0",
     "dependencies": [
       {
         "name": "libxml2",
@@ -12,7 +12,7 @@
     "features": {
       "tests": { "description": "Build tests", "dependencies": ["boost-test"] }
     },
-    "builtin-baseline": "0f8b6ddf49fa8ae66a7826234e9ba3fda5f46d3c",
+    "builtin-baseline": "e2edf52610d2c94d2038fe30b247ea5a26964e1b",
     "vcpkg-configuration": {
         "overlay-ports": [
           "vcpkg-ports/openssl",