I'm using signtool to sign about 70 files. Each file has to be signed with SHA1 and SHA256, so that is 140 signing operations. It takes about 10 minutes on a very fast computer, or roughly 4 seconds per signature. I get the impression this is not normal.
Since this is EV code signing, a USB token has to be used. The token is on the computer I'm at, but the signing is taking place on the computer I'm RDP'd into, which is probably a factor.
There is no way to reliably sign in an RDP session with the USB token on the computer doing the signing. I've tried many, many ways over many years using various approaches, USB network gates, etc, but eventually the token is no longer found, and then you're up a creek if you don't have physical access to the signing computer to remove the token, reboot, and put the token back in.
The two command lines being used are:
SHA1: signtool.exe sign /fd sha1 /v /t http://timestamp.digicert.com /i Digicert C:\MyApp.exe
SHA256: signtool.exe sign /as /fd sha256 /v /tr http://timestamp.digicert.com /i Digicert C:\MyApp.exe
I've tried a variety of timestamp URLs, and digicert's seems to be one of the fastest.
From what I've read, it seems that signtool.exe might send the contents of the file to be signed to the USB token to be hashed, which means it's going across the network in my case. If that's the case, is there any way to avoid this? Signtool can surely do a hash itself?
One problem is serialization - if I have many signtool.exe running in parallel, they get slower and slower (60-100 seconds per signing). Perhaps there is some serialization happening in the USB token? For that reason the signing has to be done one at a time.
Is there anything else that could be done to speed this up?
You can try signing with another tool like Jsign (disclaimer: I'm the author) but the limiting factor is most probably the USB token and the timestamping unfortunately.
Some devices like the Nitrokey 3 can take 1 second per RSA operation, while a Yubikey 5 takes only 100ms. Also the time depends on the size of the key, signing with a 2048 bit key is significantly faster than with a 4096 bit key.
Note that the token only needs to sign the hash of the file. If your build sends the full files to the machine hosting the token that causes an unnecessary slow down. In this case you can use the detached signature feature of signtool (with the /dg and /di options).
The timestamping is also limiting, some services can throttle the requests. You can try using https://rfc3161.ai.moda which is a load balancer forwarding the timestamping requests to different servers.
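The detached-signature flow the answer refers to, as an added PowerShell example (not from the question or the answer, and not Jsign's code): the build machine hashes each binary with /dg, only the small .dig files travel to the machine holding the token, which signs them with /ds, and the build machine then ingests the signed digests with /di and timestamps separately. It assumes signtool.exe is on PATH on both machines, a folder C:\Transfer reachable from both, a public-only export of the signing certificate at C:\Certs\Digicert.cer on the build machine, and one SHA-256 signature per file; all paths are hypothetical.

```powershell
# Step 1 runs on the build machine (no token), step 2 on the token machine,
# step 3 on the build machine again. Each step is a function so the script
# can be invoked per machine, e.g. `.\sign.ps1; Invoke-DigestStep`.
$Transfer = 'C:\Transfer'                      # assumed shared folder
$PublicCer = 'C:\Certs\Digicert.cer'           # assumed public cert export
$Tsa = 'http://timestamp.digicert.com'

function Invoke-SignTool([string[]]$Args) {
    & signtool.exe @Args
    if ($LASTEXITCODE -ne 0) { throw "signtool failed: $($Args -join ' ')" }
}

# Step 1: hash locally. Writes <name>.dig and <name>.p7u into $Transfer.
# The public cert is needed so signtool can build the unsigned PKCS#7 shell.
function Invoke-DigestStep {
    foreach ($f in Get-ChildItem 'C:\Build\*' -Include *.exe, *.dll) {
        Invoke-SignTool @('sign', '/dg', $Transfer, '/fd', 'sha256',
                          '/f', $PublicCer, $f.FullName)
    }
}

# Step 2: sign only the digests on the token, one RSA operation each.
# Runs sequentially on purpose: parallel signtool instances contend for
# the token and get slower, as described in the question.
# Writes <name>.dig.signed next to each <name>.dig.
function Invoke-TokenStep {
    foreach ($dig in Get-ChildItem "$Transfer\*.dig") {
        Invoke-SignTool @('sign', '/ds', '/i', 'Digicert', $dig.FullName)
    }
}

# Step 3: ingest <name>.dig.signed + <name>.p7u into the binary, then
# timestamp in a separate call so a throttled TSA can be retried without
# touching the token again. Finally verify the Authenticode signature.
function Invoke-IngestStep {
    foreach ($f in Get-ChildItem 'C:\Build\*' -Include *.exe, *.dll) {
        Invoke-SignTool @('sign', '/di', $Transfer, $f.FullName)
        Invoke-SignTool @('timestamp', '/tr', $Tsa, '/td', 'sha256', $f.FullName)
        Invoke-SignTool @('verify', '/pa', '/v', $f.FullName)
    }
}
```

Only the digest files cross the RDP boundary, so the per-file cost on the token side is one signing operation rather than a transfer of the whole binary.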