Since February, GlobalSign only issues EV Code Signing certificates. This means that code signing has to be done with a hardware token (Safenet USB eTokens).

Since I had to switch to EV Code Signing, I noticed a huge time increase while signing my application. From a few minutes with a regular java keystore, to over 40 minutes with the eToken.

According to the GlobalSign site, I should sign my jars as follows:

jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.config -storepass mypass myapp.jar myalias

I contacted GlobalSign support, but they were unable to help me further as the signing actually works... just very slow.

Things I tried:

  • Alternative TSA
  • Signing without a TSA
  • Putting the project on the same disk and partition as the jarsigner's location
  • Using the command line instead of the Maven profile (configured in my IDE)

Nothing had any impact on the slow signing. Does anyone have other ideas or has had the same issue?

Perneel

2 Answers

Try adding -sigalg SHA512withRSA to your jarsigner options.

The problem seems to be that PKCS11 is actually using the token to compute the hash (as noted in this comment on Java : PKCS11 SafeNet eToken 5110 : Slow, and in How to code for EBICS signature mechanism A006?).

The Gemalto SafeNet 5110 hardware only supports SHA256, so setting SHA512 forces software computation of the hash, which speeds things up a lot.

Hannes Schuette
  • wow... That's crazy. Thank you so much. With this parameter the time reduces from ~32 minutes to ~3 minutes with a 40 MB jar file. – dominic.e Apr 02 '19 at 07:38
  • Holy hell! This exact problem bit us, a small jar took 2 minutes to sign using defaults, with this option it's about 2-3 seconds. – dren.dk Mar 17 '20 at 14:52
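For anyone wanting to see where the data that the token has to hash actually comes from, the following is an added example (not code from the question, the answer, or GlobalSign). jarsigner writes one digest per JAR entry into META-INF/<alias>.SF and then signs that whole file with the private key; the signature algorithm chosen by -sigalg is applied to the .SF file, so its size (which grows with the number of classes) is the amount of data that crosses to a token that hashes in hardware. The script below opens a signed JAR, counts the signed entries, reports the per-entry digest algorithm (controlled by -digestalg, not -sigalg) and the .SF size, and checks that a matching .RSA/.DSA/.EC signature block exists. The JAR it inspects is constructed inline with fake digest values and a placeholder signature block, so it runs offline; point inspect_signed_jar() at the bytes of a real jar to check your own build.

```python
"""Inspect the signature file (META-INF/<alias>.SF) of a signed JAR.

Added example: shows how many entries a signer had to digest, which digest
algorithm was used for them, and how large the .SF file is. The .SF file is
what the signature algorithm (jarsigner -sigalg) is applied to.
"""
import io
import re
import zipfile

# Header like "SHA-256-Digest:", "SHA-256-Digest-Manifest:" or
# "SHA-256-Digest-Manifest-Main-Attributes:"; group 1 is the digest algorithm.
DIGEST_HEADER = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-[A-Za-z-]+)?:")


def _sections(text):
    """Split a manifest-style file into header sections.

    Lines starting with a single space continue the previous header (manifest
    files wrap at 72 bytes), so unfold those first, then split on blank lines.
    """
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = re.sub(r"\n ", "", text)
    return [s for s in re.split(r"\n\s*\n", text.strip("\n")) if s.strip()]


def parse_signature_file(sf_text):
    """Return entry names, digest algorithms and byte size of a .SF file."""
    sections = _sections(sf_text)
    entries = sections[1:]  # section 0 is the main section (manifest digests)
    algorithms = set()
    names = []
    for section in sections:
        for line in section.split("\n"):
            match = DIGEST_HEADER.match(line)
            if match:
                algorithms.add(match.group(1).upper())
    for section in entries:
        for line in section.split("\n"):
            if line.lower().startswith("name:"):
                names.append(line.split(":", 1)[1].strip())
    return {
        "entries": names,
        "digest_algorithms": algorithms,
        "sf_bytes": len(sf_text.encode("utf-8")),
    }


def inspect_signed_jar(jar_bytes):
    """Report every signer (.SF file) found in the JAR's META-INF directory."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = sorted(zf.namelist())
        for name in names:
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                alias = name[len("META-INF/"):-3]
                info = parse_signature_file(zf.read(name).decode("utf-8"))
                # The PKCS#7 signature over the .SF lives in a sibling block file.
                blocks = [b for b in ("RSA", "DSA", "EC")
                          if f"META-INF/{alias}.{b}" in names]
                info["signature_block"] = blocks[0] if blocks else None
                report[alias] = info
    return report


def build_sample_jar(n_classes=3):
    """Constructed stand-in for a signed JAR (same layout jarsigner produces).

    Digest values are fake base64 and the .RSA block is placeholder bytes; the
    structure is what matters for the inspection above.
    """
    sf = [
        "Signature-Version: 1.0",
        "SHA-256-Digest-Manifest-Main-Attributes: ZmFrZQ==",
        "SHA-256-Digest-Manifest: ZmFrZQ==",
        "Created-By: 1.8.0 (Oracle Corporation)",
        "",
    ]
    for i in range(n_classes):
        sf += [f"Name: com/example/Class{i}.class", "SHA-256-Digest: ZmFrZQ==", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/MYALIAS.SF", "\r\n".join(sf))
        zf.writestr("META-INF/MYALIAS.RSA", b"placeholder-pkcs7-block")
        for i in range(n_classes):
            zf.writestr(f"com/example/Class{i}.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for alias, info in inspect_signed_jar(build_sample_jar()).items():
        print(f"signer {alias}: {len(info['entries'])} entries, "
              f"digests {sorted(info['digest_algorithms'])}, "
              f".SF is {info['sf_bytes']} bytes, block .{info['signature_block']}")
```

On a real jar the entry count is what the second answer's "1900 class files" refers to, and the .SF size is what goes through the Signature engine; the signature algorithm actually used over it is not visible in the .SF itself but is printed by current JDKs with `jarsigner -verify -verbose -certs myapp.jar`, which is the quick check that `-sigalg SHA512withRSA` took effect.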
I was in contact with GlobalSign several times.

The answer was:

  • signing a single jar with about 1900 class files inside taking nearly 3 minutes is normal for a USB hardware security token.

In comparison:

  • using a local pfx file with certificate and private key took 5 seconds.

Why is it so slow?

Answer by GlobalSign: for each class file, the certificate is retrieved from the token and OCSP is checked to see whether the certificate has been revoked.

Used hardware security token: Gemalto SafeNet 5110.

GlobalSign told me I can try another token, if it's faster.

I wonder if https://www.yubico.com/products/yubihsm/ may be faster? Does anyone have experience with this? How do others do code signing in Java?

Markus
  • I haven't tried another token, I kinda learned to live with it as that is about the résumé of the GlobalSign answer :) I'm happy they gave you a clearer answer about why it is happening. I'll accept your answer for now as it contains enough information to help other people out. – Perneel Jan 10 '18 at 08:21