How to use jsign to sign without transferring payload files to system with signing certificate?

[videoguy]

I have a build VM with Windows binaries. Lets call this system BuildSys. I have another system with GaraSign CSP with access to HSM. Lets call this SignerSys. Lets say the SHA1 of signing cert is 675432. I like to sign the exe/dll files on BuildSys without transferring them to SignerSys. Instead generate hashes (or intermediate files that jsign understands). Transfer these files to SignerSys. Then generate signatures for the hashes. Transfer them back and generate Authenticode signatures injected into source binaries.

Is it something that jsign supports out of the box?
I appreciate pointers. If I have to roll my own Java wrapper to do this, I don't mind doing it.

Thanks

[ebourg]

The best solution would be to implement a SigningService calling the GaraSign REST API. This is the base interface used for calling other code signing services like AWS KMS or Azure Key Vault. When the API is called only the hash of the file is sent to the server.