Since February, GlobalSign only issues EV Code Signing certificates. This means that code signing has to be done with a hardware token (Safenet USB eTokens).
Since I had to switch to EV Code Signing, I noticed a huge time increase while signing my application. From a few minutes with a regular java keystore, to over 40 minutes with the eToken.
According to the GlobalSign site, I should sign my jars as follows:
jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.config -storepass mypass myapp.jar myalias
I contacted GlobalSign support, but they were unable to help me further as the signing actually works... just very slow.
Things I tried:
- Alternative TSA
- Signing without a TSA
- Put the project on the same disk and partition as the jarsigner's location
- Using the command line instead of maven profile (configured in my IDE)
Nothing had impact on the slow signing. Does anyone have other ideas or has had the same issue?
I was in contact with GlobalSign several times.
The answer was:
- Signing a single jar with about 1900 class files inside taking nearly 3 minutes is normal for a USB hardware security token.
In comparison:
- using a local pfx file with certificate and private key took 5 seconds.
Why is it so slow?
Answer by GlobalSign: For each class file the certificate will be retrieved from the token and OCSP will be checked to see if the certificate was revoked.
Used hardware security token: Gemalto SafeNet 5110.
GlobalSign told me I can try to use another token, if it's faster.
I wonder if https://www.yubico.com/products/yubihsm/ may be faster? Does someone have experience with this? How do others do code signing in Java?
Try adding -sigalg SHA512withRSA to your jarsigner options.
The problem seems to be that PKCS11 is actually using the token to compute the hash (as noted in this comment: Java : PKCS11 SafeNet eToken 5110 : Slow; and How to code for EBICS signature mechanism A006?).
The Gemalto SafeNet 5110 hardware only supports SHA256, so setting SHA512 forces software computation of the hash, which speeds up things a lot.
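To see the effect of the signature algorithm choice directly, here is an added timing harness that is not part of this answer: it signs a batch of constructed blobs through the same SunPKCS11 provider jarsigner uses, once with SHA256withRSA (token-side hashing) and once with SHA512withRSA (software hashing, token only does the RSA operation). It assumes the config file is named eToken.config, the key alias is myalias, and the token PIN is in the TOKEN_PIN environment variable.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Random;

public class Pkcs11SigTiming {
    public static void main(String[] args) throws Exception {
        // Java 9+ provider loading; on Java 8 use: new sun.security.pkcs11.SunPKCS11("eToken.config")
        // eToken.config, "myalias" and TOKEN_PIN are assumptions, not values from the page.
        Provider p11 = Security.getProvider("SunPKCS11").configure("eToken.config");
        Security.addProvider(p11);
        char[] pin = System.getenv("TOKEN_PIN").toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        PrivateKey key = (PrivateKey) ks.getKey("myalias", pin);
        Certificate cert = ks.getCertificate("myalias");

        // Constructed stand-in for the per-entry data jarsigner hashes:
        // 200 pseudo-random 4 KiB blobs, roughly a jar of small class files.
        byte[][] blobs = new byte[200][4096];
        Random rnd = new Random(42);
        for (byte[] b : blobs) rnd.nextBytes(b);

        for (String alg : new String[] {"SHA256withRSA", "SHA512withRSA"}) {
            long start = System.nanoTime();
            for (byte[] b : blobs) {
                Signature s = Signature.getInstance(alg, p11);
                s.initSign(key);
                s.update(b);
                byte[] sig = s.sign();
                // Verify with the certificate's public key (default software provider)
                // so a software-hashed signature is shown to validate like a token-hashed one.
                Signature v = Signature.getInstance(alg);
                v.initVerify(cert.getPublicKey());
                v.update(b);
                if (!v.verify(sig)) throw new IllegalStateException(alg + " did not verify");
            }
            long ms = (System.nanoTime() - start) / 1_000_000;
            System.out.printf("%-14s %d signatures in %d ms (%.1f ms each)%n",
                    alg, blobs.length, ms, (double) ms / blobs.length);
        }
    }
}
```

On a token that only implements SHA-256 in hardware, the SHA512withRSA run should be markedly faster per signature; the verification step confirms the result is a standard PKCS#1 signature either way.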
Source: https://stackoverflow.com/questions/44003975/ev-code-signing-extremely-slow