EV Code Signing extremely slow

Try adding -sigalg SHA512withRSA to your jarsigner options.

The problem seems to be that PKCS11 is actually using the token to compute the hash (as noted in this comment: Java : PKCS11 SafeNet eToken 5110 : Slow; and How to code for EBICS signature mechanism A006?).

The Gemalto SafeNet 5110 hardware only supports SHA256, so setting SHA512 forces software computation of the hash, which speeds things up a lot.
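
What "software computation of the hash" means in practice, as an added example that is not part of the original answer: the host hashes the data and only a small DigestInfo structure reaches the private-key operation. A software RSA key stands in for the token key, and the class name and sample data are constructed; the code shows the equivalence of the two paths, not the timing of any particular token.

```java
import java.security.*;
import java.util.Arrays;

public class SoftwareHashThenSign {
    // DER prefix of the PKCS#1 v1.5 DigestInfo structure for SHA-512 (RFC 8017, section 9.2).
    static final byte[] SHA512_DIGESTINFO_PREFIX = {
        0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
    };

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the token's key pair: a software RSA key, so this runs offline.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed stand-in for jar entry data (8 MiB of zeros).
        byte[] data = new byte[8 * 1024 * 1024];

        // Path A: one-shot SHA512withRSA, the algorithm requested with -sigalg SHA512withRSA.
        Signature oneShot = Signature.getInstance("SHA512withRSA");
        oneShot.initSign(kp.getPrivate());
        oneShot.update(data);
        byte[] sigA = oneShot.sign();

        // Path B: hash on the host CPU, then hand only the DigestInfo to the raw RSA operation.
        byte[] hash = MessageDigest.getInstance("SHA-512").digest(data);
        byte[] digestInfo = new byte[SHA512_DIGESTINFO_PREFIX.length + hash.length];
        System.arraycopy(SHA512_DIGESTINFO_PREFIX, 0, digestInfo, 0, SHA512_DIGESTINFO_PREFIX.length);
        System.arraycopy(hash, 0, digestInfo, SHA512_DIGESTINFO_PREFIX.length, hash.length);
        Signature raw = Signature.getInstance("NONEwithRSA");
        raw.initSign(kp.getPrivate());
        raw.update(digestInfo);
        byte[] sigB = raw.sign();

        // PKCS#1 v1.5 signing is deterministic, so the two paths can be compared byte for byte.
        System.out.println("bytes hashed: " + data.length);
        System.out.println("bytes passed to the private-key operation: " + digestInfo.length);
        System.out.println("signatures identical: " + Arrays.equals(sigA, sigB));

        // Check the path B signature with an ordinary SHA512withRSA verifier.
        Signature verifier = Signature.getInstance("SHA512withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        System.out.println("path B verifies as SHA512withRSA: " + verifier.verify(sigB));
    }
}
```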


I was in contact with GlobalSign several times.

The answer was:

  • signing a single jar with about 1900 class files inside taking nearly 3 minutes is normal for a USB hardware security token.

In comparison:

  • using a local pfx file with certificate and private key took 5 seconds.

Why is it so slow?

Answer by GlobalSign: For each class file the certificate will be retrieved from the token and the OCSP will be checked to see if the certificate was revoked.

Used hardware security token: Gemalto SafeNet 5110.

GlobalSign told me I can try to use another token, if it's faster.

I wonder if https://www.yubico.com/products/yubihsm/ may be faster. Does anyone have experience with this? How do others do code signing in Java?