EV Code Signing extremely slow

Submitted by 烈酒焚心 on 2019-12-05 20:57:42

Question


Since February, GlobalSign only issues EV Code Signing certificates. This means that code signing has to be done with a hardware token (Safenet USB eTokens).

Since I had to switch to EV Code Signing, I noticed a huge time increase while signing my application. From a few minutes with a regular java keystore, to over 40 minutes with the eToken.

According to the GlobalSign site, I should sign my jars as follows:

jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.config -storepass mypass myapp.jar myalias

I contacted GlobalSign support, but they were unable to help me further as the signing actually works... just very slow.

Things I tried:

  • Alternative TSA
  • Signing without a TSA
  • Putting the project on the same disk and partition as the jarsigner's location
  • Using the command line instead of maven profile (configured in my IDE)

Nothing had any impact on the slow signing. Does anyone have other ideas or has had the same issue?


Answer 1:


I was in contact with GlobalSign several times.

The answer was:

  • signing a single jar with about 1900 class files inside takes nearly 3 minutes, which is normal for a USB hardware security token.

In comparison:

  • using a local pfx file with certificate and private key took 5 seconds.

Why is it so slow?

Answer by GlobalSign: for each class file, the certificate is retrieved from the token and OCSP is checked to see whether the certificate was revoked.

Used hardware security token: Gemalto SafeNet 5110.

GlobalSign told me I can try to use another token, if it's faster.

I wonder if https://www.yubico.com/products/yubihsm/ may be faster. Does anyone have experience with this? How do others do code signing in Java?




Answer 2:


Try adding -sigalg SHA512withRSA to your jarsigner options.

The problem seems to be that PKCS11 is actually using the token to compute the hash (as noted in this comment on "Java : PKCS11 SafeNet eToken 5110 : Slow" and in "How to code for EBICS signature mechanism A006?").

The Gemalto SafeNet 5110 hardware only supports SHA256, so setting SHA512 forces software computation of the hash, which speeds things up a lot.
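As an added example, not code from the question, the answers or GlobalSign: a POSIX shell script that signs one jar twice, once with jarsigner's default signature algorithm and once with -sigalg SHA512withRSA, and reports the wall-clock time of each run so the difference can be measured on your own token. The driver path, jar name, alias and the STOREPASS environment variable are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the original question or answers): time jarsigner on
# one jar with the default signature algorithm and with an explicit -sigalg,
# to check on your own token whether forcing software hashing helps.
# Assumptions, all placeholders to adjust: the PKCS#11 driver path, the jar,
# the key alias, and the token PIN passed via the STOREPASS environment variable.
set -eu

PKCS11_LIB="${PKCS11_LIB:-/usr/lib/libeToken.so}"   # placeholder driver path
JAR="${JAR:-myapp.jar}"                              # placeholder, as in the question
ALIAS="${ALIAS:-myalias}"                            # placeholder, as in the question
TSA="http://timestamp.globalsign.com/scripts/timestamp.dll"
CONF="eToken.config"

# Write the SunPKCS11 provider config referenced by -providerArg.
write_config() {
    printf 'name = eToken\nlibrary = %s\n' "$PKCS11_LIB" > "$CONF"
}

# Print the jarsigner options one per line; $1 is the signature algorithm,
# empty for jarsigner's default. The jar and alias are appended by the caller.
jarsigner_args() {
    printf '%s\n' -keystore NONE -storetype PKCS11 \
        -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$CONF" \
        -tsa "$TSA"
    if [ -n "${1:-}" ]; then
        printf '%s\n' -sigalg "$1"
    fi
}

# Sign a copy of the jar with the given algorithm and report wall-clock seconds.
sign_jar() {
    label="${1:-default}"
    cp "$JAR" "$JAR.$label"
    start=$(date +%s)
    # Unquoted substitution on purpose: word-split the option list (no spaces in paths).
    jarsigner -storepass:env STOREPASS $(jarsigner_args "${1:-}") "$JAR.$label" "$ALIAS"
    echo "sigalg=$label took $(( $(date +%s) - start )) s"
}

if command -v jarsigner >/dev/null 2>&1 && [ -r "$PKCS11_LIB" ] && [ -r "$JAR" ]; then
    write_config
    sign_jar ""              # token computes SHA-256 itself (slow on the SafeNet 5110)
    sign_jar SHA512withRSA   # token lacks SHA-512, so the host hashes and the token only does RSA
else
    echo "jarsigner, token driver or jar not found; nothing signed" >&2
fi
```

Run with the token plugged in and STOREPASS exported; the second line of output should be markedly shorter if the token is the bottleneck described above.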



Source: https://stackoverflow.com/questions/44003975/ev-code-signing-extremely-slow
