EV Code Signing extremely slow

Perneel:

Since February, GlobalSign only issues EV Code Signing certificates. This means that code signing has to be done with a hardware token (Safenet USB eTokens).

Since I had to switch to EV Code Signing, I noticed a huge time increase while signing my application. From a few minutes with a regular java keystore, to over 40 minutes with the eToken.

According to the GlobalSign site, I should sign my jars as follows:

jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.config -storepass mypass myapp.jar myalias

I contacted GlobalSign support, but they were unable to help me further as the signing actually works... just very slow.

Things I tried:

  • Alternative TSA
  • Signing without a TSA
  • Putting the project on the same disk and partition as the jarsigner location
  • Using the command line instead of a Maven profile (configured in my IDE)

Nothing had any impact on the slow signing. Does anyone have other ideas, or has anyone had the same issue?

Markus:

I was in contact with GlobalSign several times.

The answer was:

  • signing a single jar with about 1900 class files inside takes nearly 3 minutes, which is normal for a USB hardware security token.

In comparison:

  • using a local pfx file with certificate and private key took 5 seconds.

Why is it so slow?

Answer by GlobalSign: for each class file the certificate will be retrieved from the token, and OCSP will be checked to see whether the certificate was revoked.

Used hardware security token: Gemalto SafeNet 5110.

GlobalSign told me I can try another token, if it's faster.

I wonder if https://www.yubico.com/products/yubihsm/ may be faster? Does anyone have experience with this? How do others do code signing in Java?
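Both posts compare the eToken against a software keystore but only at the level of a whole jarsigner run, which also includes entry digesting, timestamping and any revocation traffic. The program below is an added example, not code from either poster or from GlobalSign: it times raw SHA256withRSA signatures through the same SunPKCS11 provider that jarsigner loads, so the token's per-signature cost can be separated from everything else jarsigner does. Run with no arguments it times a freshly generated in-memory RSA key instead, which is the software baseline the thread refers to. The config file path, key alias and PIN are assumed command-line inputs, and Provider.configure() assumes Java 9 or later (on Java 8 the provider is constructed with new sun.security.pkcs11.SunPKCS11(configPath)).

```java
// Added diagnostic, not part of the original thread. Measures the average
// wall-clock cost of one RSA signature either on a PKCS#11 token (via the
// SunPKCS11 provider jarsigner uses) or with a software key as a baseline.
//
// Usage (assumed arguments, hypothetical values):
//   java TokenSignTiming eToken.config myalias mypin   -> times the token
//   java TokenSignTiming                               -> times a software key
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Enumeration;

public class TokenSignTiming {
    static final int ITERATIONS = 20;

    public static void main(String[] args) throws Exception {
        // Constructed sample payload; jarsigner signs a digest of the
        // manifest, so a short input is representative of the signing step.
        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        if (args.length == 3) {
            // args = <SunPKCS11 config file> <key alias> <token PIN>
            Provider p = Security.getProvider("SunPKCS11").configure(args[0]);
            Security.addProvider(p);
            char[] pin = args[2].toCharArray();

            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);

            // Listing the aliases helps when the alias in the signing
            // command does not match what the token actually exposes.
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                System.out.println("token alias: " + e.nextElement());
            }

            PrivateKey key = (PrivateKey) ks.getKey(args[1], pin);
            if (key == null) {
                throw new IllegalArgumentException("alias not found on token: " + args[1]);
            }
            System.out.printf("token: %.1f ms per signature%n", timeSignatures(key, p, data));
        } else {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            PrivateKey key = kpg.generateKeyPair().getPrivate();
            System.out.printf("software: %.1f ms per signature%n", timeSignatures(key, null, data));
        }
    }

    /**
     * Returns the average milliseconds per SHA256withRSA signature over
     * ITERATIONS runs. When p is null the default (software) provider is used;
     * otherwise the signature is performed by the given PKCS#11 provider, so
     * the private key never leaves the token.
     */
    static double timeSignatures(PrivateKey key, Provider p, byte[] data) throws Exception {
        Signature sig = (p == null)
                ? Signature.getInstance("SHA256withRSA")
                : Signature.getInstance("SHA256withRSA", p);
        long start = System.nanoTime();
        for (int i = 0; i < ITERATIONS; i++) {
            sig.initSign(key);
            sig.update(data);
            sig.sign();
        }
        return (System.nanoTime() - start) / 1e6 / ITERATIONS;
    }
}
```

If the token reports a per-signature time in the tens or low hundreds of milliseconds while a full jarsigner run still takes minutes, the remaining time is being spent outside the signing operation itself (entry hashing, timestamp and revocation requests, or the provider's session handling), which narrows down where to look next.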
