How about a ToolProvider for jarsigner (and maybe keytool)?

Weijun Wang at
Wed Feb 27 08:48:05 UTC 2019

Hi Philipp,

Thanks for looking into this. 

We thought about this several years ago (when ToolProvider was created and javac became a tool) but decided not to do it.

There were several reasons:

1. These tools have too many functions, especially keytool.

2. There are user interactions that do not match the ToolProvider style, especially the password input.

3. A lot of functions are already available through public APIs, for example, verification of signed jars, reading certificates, managing entries in a keystore. 

So at last we decided to only extract some functions (that can only be done with the tool) into individual APIs and let these tools call them. This includes:

1. Signing of jars. 

2. Generating certificates and certificate requests. 

The first is now a JDK API. The second one is stalled. We are not sure how useful it is and it’s a pain describing X.509 extensions.

Any more discussion is welcome. 


> On Feb 27, 2019, at 15:25, Philipp Kunz <philipp.kunz at> wrote:
> Quite a few command line tools are available through java.util.spi.ToolProvider. But not so jarsigner and keytool.
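
An added example, not part of the original thread and not the JDK project's own code: signing a jar through the `jdk.security.jarsigner.JarSigner` API and then checking the result with the public `java.util.jar.JarFile` API, with the password read from the console rather than passed as an argument. The class name, the argument order and the assumption that the key password equals the keystore password are choices made for this example.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.*;
import java.util.jar.*;
import java.util.zip.ZipFile;
import jdk.security.jarsigner.JarSigner;

public class SignAndVerify {
    // Usage (argument layout is an assumption of this example):
    //   java SignAndVerify <keystore> <alias> <in.jar> <out.jar>
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) throw new IllegalStateException("no console for password prompt");
        char[] pw = console.readPassword("Keystore password: ");

        // Assumes the key entry is protected with the same password as the keystore.
        KeyStore ks = KeyStore.getInstance(new File(args[0]), pw);
        KeyStore.Entry e = ks.getEntry(args[1], new KeyStore.PasswordProtection(pw));
        Arrays.fill(pw, '\0'); // wipe the password once the key has been loaded
        if (!(e instanceof KeyStore.PrivateKeyEntry))
            throw new IllegalArgumentException("alias is not a private key entry: " + args[1]);

        JarSigner signer = new JarSigner.Builder((KeyStore.PrivateKeyEntry) e)
                .digestAlgorithm("SHA-256")
                .signerName("SIGNER") // base name of the .SF and signature block files
                .build();
        try (ZipFile in = new ZipFile(args[2]);
             OutputStream out = Files.newOutputStream(Paths.get(args[3]))) {
            signer.sign(in, out);
        }
        verify(args[3]);
        System.out.println("signed and verified: " + args[3]);
    }

    // Checks digests and the presence of a signer on every entry. It does NOT
    // decide whether the signer's certificate chain is trusted.
    static void verify(String path) throws IOException {
        try (JarFile jar = new JarFile(new File(path), true)) {
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                // Simplification of this example: everything under META-INF/ is skipped.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream is = jar.getInputStream(entry)) {
                    while (is.read(buf) != -1) { } // a digest mismatch throws SecurityException
                }
                if (entry.getCodeSigners() == null) // only populated after a full read
                    throw new SecurityException("unsigned entry: " + entry.getName());
            }
        }
    }
}
```

The keystore has to exist already, for example one created with keytool, because the certificate-generation API mentioned above is the one that stalled.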
