EV Code Signing extremely slow
Problem description
Since February, GlobalSign only issues EV Code Signing certificates. This means that code signing has to be done with a hardware token (Safenet USB eTokens).
Since I had to switch to EV Code Signing, I noticed a huge time increase while signing my application. From a few minutes with a regular java keystore, to over 40 minutes with the eToken.
According to the GlobalSign site, I should sign my jars as follows:
jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.config -storepass mypass myapp.jar myalias
I contacted GlobalSign support, but they were unable to help me further as the signing actually works... just very slow.
Things I tried:
- An alternative TSA
- Signing without a TSA
- Putting the project on the same disk and partition as the jarsigner location
- Using the command line instead of a Maven profile (configured in my IDE)
Nothing had an impact on the slow signing. Does anyone have other ideas, or has anyone had the same issue?
Recommended answer
I was in contact with GlobalSign several times.
The answer is:
- a performance of signing a single jar with about 1900 class files inside ==> taking nearly 3 minutes is normal for a USB hardware security token.
In comparison:
- using a local pfx file with the certificate and private key took 5 seconds.
Why is it so slow?
Answer by GlobalSign: For each class file, the certificate will be retrieved from the token and OCSP will be checked to see whether the certificate was revoked.
Used hardware security token: Gemalto SafeNet 5110.
GlobalSign told me I can try to use another token, if it's faster.
I wonder if https://www.yubico.com/products/yubihsm/ may be faster? Does someone have experience with this? How do others do code signing in Java?
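An added example, not part of the original question or answer: a signed JAR's manifest carries one digest section per file, which is where the entry count (about 1900 class files in the answer) enters the signing work. This Python sketch lists those sections for a jar and times the hashing in software; the sample jar and its `com/example/C*.class` names are constructed, and manifest line wrapping at 72 bytes is left out.

```python
import base64
import hashlib
import io
import re
import time
import zipfile

# Signature-related files in META-INF are not digested as jar entries.
_SIG_FILE = re.compile(
    r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)

def manifest_sections(jar_bytes):
    """Return one (entry name, base64 SHA-256) pair per file in the jar."""
    sections = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or _SIG_FILE.match(info.filename):
                continue
            digest = hashlib.sha256(jar.read(info)).digest()
            sections.append(
                (info.filename, base64.b64encode(digest).decode("ascii")))
    return sections

def render_manifest(sections):
    """Render the per-entry sections in MANIFEST.MF syntax (no line wrapping)."""
    out = ["Manifest-Version: 1.0\r\n\r\n"]
    for name, digest in sections:
        out.append(f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n")
    return "".join(out)

def build_sample_jar(n_classes):
    """Constructed sample: in-memory jar with n_classes dummy .class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/OLD.SF", "Signature-Version: 1.0\r\n\r\n")
        for i in range(n_classes):
            body = b"\xca\xfe\xba\xbe" + i.to_bytes(4, "big")
            jar.writestr(f"com/example/C{i}.class", body)
    return buf.getvalue()

if __name__ == "__main__":
    jar = build_sample_jar(1900)
    start = time.perf_counter()
    sections = manifest_sections(jar)
    elapsed = time.perf_counter() - start
    print(f"{len(sections)} entries digested in software in {elapsed:.3f}s")
    print(render_manifest(sections[:1]))
```

Running it against a real jar (pass the file's bytes to `manifest_sections`) gives the number of entries that need a digest before the single signature is made.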