Details
-
New Feature
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
3.0.0
Description
Background:
As of June 1 2023, a new industry standard mandates the storage of private keys used for code signing on external hardware devices. Refer to https://knowledge.digicert.com/general-information/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022 for details. Various devices, from the Thales SafeNet USB eToken (about $30), Yubico YubiHSM 2 FIPS (about €1000) up to Thales Luna S700 Series (about €30000) can store these keys. Cloud-based HSM solutions (like DigiCert KeyLocker ($90/year)) also exist.
This ticket primarily targets HSM as a service but could benefit network attached HSM solutions as well.
Problem:
Using the jarsigner:sign goal it is possible to specify archiveDirectory, that points to a directory with many jar files. This is useful for signing every dependency the project has.
Using the DigiCert Keylocker HSM as a service I measured that it took 240 seconds to sign 128 jar files. I was in Sweden and the DigiCert Keylocker service is in USA. The response time of server is about 500 to 700 ms (without any login and without any signing).
I created a quick parallel hack (using the Linux command parallel) that used 8 threads and it took only 31 seconds. That is: for this specific HSM service it scales linearly with the number of threads used.
To implement:
I propose to implement a parallelization for maven-jarsigner-plugin that can be used when signing many jar files at once.
The configuration for this could be a new parameter named threadCount (with user property jarsigner.threadCount) with default to 1 (no parallelization).
Attachments
Issue Links
- links to