Lennart Schedin created MJARSIGNER-72:
-----------------------------------------
Summary: Parallel signing for increased speed
Key: MJARSIGNER-72
URL: https://issues.apache.org/jira/browse/MJARSIGNER-72
Project: Maven Jar Signer Plugin
Issue Type: New Feature
Affects Versions: 3.0.0
Reporter: Lennart Schedin
*Background:*
As of June 1 2023, a new industry standard mandates the storage of private keys
used for code signing on external hardware devices. Refer to
[https://knowledge.digicert.com/general-information/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022]
for details. Various devices, from the Thales SafeNet USB eToken (about $30),
Yubico YubiHSM 2 FIPS (about €1000) up to Thales Luna S700 Series (about
€30000) can store these keys. Cloud-based HSM solutions (like DigiCert
KeyLocker ($90/year)) also exist.
This ticket primarily targets HSM as a service but could benefit network
attached HSM solutions as well.
*Problem:*
Using the {{jarsigner:sign}} goal it is possible to specify
{{{}archiveDirectory{}}}, that points to a directory with many jar files. This
is useful for signing every dependency the project has.
Using the DigiCert Keylocker HSM as a service I measured that it took 240
seconds to sign 128 jar files. I was in Sweden and the DigiCert Keylocker
service is in USA. The response time of server is about 500 to 700 ms (without
any login and without any signing).
I created a quick parallel hack (using the Linux command parallel) that used 8
threads and it took only 31 seconds. That is: for this specific HSM service it
scales linearly with the number of threads used.
*To implement:*
I propose to implement a parallelization for maven-jarsigner-plugin that can be
used when signing many jar files at once.
The configuration for this could be a new parameter named {{threadCount}} (with
user property {{{}jarsigner.threadCount{}}}) with default to 1 (no
parallelization).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
