[
https://issues.apache.org/jira/browse/MJARSIGNER-72?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17796102#comment-17796102
]
ASF GitHub Bot commented on MJARSIGNER-72:
------------------------------------------
schedin commented on code in PR #18:
URL:
https://github.com/apache/maven-jarsigner-plugin/pull/18#discussion_r1425086390
##########
src/main/java/org/apache/maven/plugins/jarsigner/JarsignerSignMojo.java:
##########
@@ -115,6 +122,17 @@ public class JarsignerSignMojo extends
AbstractJarsignerMojo {
@Parameter(property = "jarsigner.maxRetryDelaySeconds", defaultValue = "0")
private int maxRetryDelaySeconds;
+ /**
+ * How many threads to use (in parallel) when signing jar files. Increases
performance when signing multiple jar
Review Comment:
I thought about this a bit. In https://github.com/apache/maven-surefire it
does not look like they have a limit (for both JUnit and TestNG). The
https://github.com/apache/maven-compiler-plugin does not have a similar
parameter. I tested to set `threadCount` to 10000 on my 129 jar-file-project. I
only got 129 threads (because of the details in how ThreadPoolExecutor per
default behaves).
Since I don't know what the future holds (how fast storage, CPU and how much
network latency there may be) I suggest that I do not put a limit on this. In
practice the threads are limited by the number of jar files anyway.
> Parallel signing for increased speed
> ------------------------------------
>
> Key: MJARSIGNER-72
> URL: https://issues.apache.org/jira/browse/MJARSIGNER-72
> Project: Maven Jar Signer Plugin
> Issue Type: New Feature
> Affects Versions: 3.0.0
> Reporter: Lennart Schedin
> Priority: Minor
> Labels: performance
>
> *Background:*
> As of June 1 2023, a new industry standard mandates the storage of private
> keys used for code signing on external hardware devices. Refer to
> [https://knowledge.digicert.com/general-information/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022]
> for details. Various devices, from the Thales SafeNet USB eToken (about
> $30), Yubico YubiHSM 2 FIPS (about €1000) up to Thales Luna S700 Series
> (about €30000) can store these keys. Cloud-based HSM solutions (like DigiCert
> KeyLocker ($90/year)) also exist.
>
> This ticket primarily targets HSM as a service but could benefit network
> attached HSM solutions as well.
>
> *Problem:*
> Using the {{jarsigner:sign}} goal it is possible to specify
> {{{}archiveDirectory{}}}, that points to a directory with many jar files.
> This is useful for signing every dependency the project has.
>
> Using the DigiCert Keylocker HSM as a service I measured that it took 240
> seconds to sign 128 jar files. I was in Sweden and the DigiCert Keylocker
> service is in USA. The response time of server is about 500 to 700 ms
> (without any login and without any signing).
>
> I created a quick parallel hack (using the Linux command parallel) that used
> 8 threads and it took only 31 seconds. That is: for this specific HSM service
> it scales linearly with the number of threads used.
>
> *To implement:*
> I propose to implement a parallelization for maven-jarsigner-plugin that can
> be used when signing many jar files at once.
>
> The configuration for this could be a new parameter named {{threadCount}}
> (with user property {{{}jarsigner.threadCount{}}}) with default to 1 (no
> parallelization).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
