When I try to sign a binary file of 2 MB with pkcs11-tool.exe --sign --input-file tempfile.bin -m ECDSA-SHA256--output-file signature.bin -v --ID {private_key_id}
The signature verification always fails, but the signing command itself says everything is OK.
It seems the HSM is not able to process files bigger than about 1k. That might be logical as it could also take a very long time to calculate the SHA with the HSM but why doesn’t it complain the file is too big and just aborts the signing.
Most likely the same problem occurs when we want to verify a big file
You don’t need or maybe even should not need to verify the signature using the HSM, which are usually slower devices… Verification can be done in the software using the public key.
This is a limitation of many smartcard-based devices … can you try to hash the binary with sha256 first and then sign the result with ECDSA?
I understand why it’s not working and how to work around by making a SHA upfront, what is also much faster . But the problem I have there is no feedback the size is too big, and it just returns an invalid signature and giving the suggestion everything is fine.
. But the problem I have there is no feedback the size is too big, and it just returns an invalid signature 
and giving the suggestion everything is fine.