EV代码签名非常慢 [英] EV Code Signing extremely slow

问题描述

自2月以来，GlobalSign仅颁发EV代码签名证书.这意味着必须使用硬件令牌(Safenet USB eToken)进行代码签名.

Since February, GlobalSign only issues EV Code Signing certificates. This means that code signing has to be done with a hardware token (Safenet USB eTokens).

由于我不得不切换到EV代码签名，因此我发现对我的应用程序进行签名的时间大大增加了.从使用常规Java密钥库的几分钟到使用eToken的40多分钟.

Since I had to switch to EV Code Signing, I noticed a huge time increase while signing my application. From a few minutes with a regular java keystore, to over 40 minutes with the eToken.

根据GlobalSign网站，我应该按照以下步骤签名我的jar:

According to the GlobalSign site, I should sign my jars as following:

jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.config -storepass mypass myapp.jar myalias

我联系了GlobalSign支持，但由于签名确实有效，他们无法进一步帮助我.

I contacted GlobalSign support, but they were unable to help me further as the signing actually works... just very slow.

我尝试过的事情:

• 替代性TSA
• 在没有TSA的情况下签名
• 将项目放在jarsigner位置的同一磁盘和分区上
• 使用命令行而不是maven配置文件(在我的IDE中配置)

对缓慢的签名没有任何影响.是否有人有其他想法或遇到过相同的问题?

Nothing had impact on the slow signing. Does anyone have other ideas or has had the same issue?

推荐答案

我多次与GlobalSign联系.

I was in contact with GlobalSign several times.

答案是:

• 对单个jar进行签名的性能，其中包含大约1900个类文件 对于= strong> usb硬件安全令牌，==>花费将近3分钟是正常的.

• a performance of signing a single jar with about 1900 class files inside ==> taking about nearly 3 minutes is normal for a usb hardware security token.

相比之下

• 使用带有证书和私钥的本地pfx 文件花费了 5秒 .

为什么这么慢?

Globalsign的答案:对于每个类文件，将从令牌中检索证书，并检查是否撤销了OCSP.

Answer by Globalsign: For each class file the certificate will be retrieved from the token and the OCSP will be checked if the certificate was revoked.

使用的硬件安全令牌:Gemalto SafeNet 5110.

Used hardware security token: Gemalto SafeNet 5110.

Globalsign告诉我，如果速度更快，我可以尝试使用另一个令牌.

Globalsign told me, I can try to use another token, if it's faster.

我想知道， https://www.yubico.com/products/yubihsm/可能更快?有人对此有经验吗?其他人如何在Java中进行代码签名?

I wonder, if https://www.yubico.com/products/yubihsm/ may be faster? Someone have experience with this? How do others code signing in java?

这篇关于EV代码签名非常慢的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！