CodeSigner objects and ProtectionDomain are used to ensure classes signed by other certificate can not be loaded for known package. This is achieved by associating some signers with the package and then rejecting attempts to load class if signers do not match. However, this seem to have significant cost - signers need to be created for each of the classes and then they need to be compared.

    In 6u14/15/18 we added functionality that returns null signer objects for FX runtime and that saved 5-10% of warm start time (100-150ms) for simple FX apps. Current workaround in the deployment code can not be extended to arbitrary apps because it is not secure for generic case.

    Reducing this overhead might be very helpful to improve startup experience of signed apps (popular in the enterprise).