RFR 8242260: Remove customizable ContentSigner from jarsigner

Alan Bateman Alan.Bateman at oracle.com
Sat Apr 11 14:56:36 UTC 2020


On 11/04/2020 15:41, Weijun Wang wrote:
> The options were already deprecated long ago:
>
> $ $J14/bin/jarsigner
> Usage: jarsigner [options] jar-file alias
>         jarsigner -verify [options] jar-file [alias...]
> ...
>
> [-altsigner <class>]        class name of an alternative signing mechanism
>                              (This option has been deprecated.)
>
> [-altsignerpath <pathlist>] location of an alternative signing mechanism
>                              (This option has been deprecated.)
> ...
>
> and they are listed in a "Deprecated Options" section in the tooldoc with "might be removed in a future JDK release".
>
> The only problem is I forgot to add a forRemoval=true argument to the @Deprecated annotation of the classes.
>
I think the next step is to terminally deprecate the API, this means 
adding forRemoval=true to create awareness at compile-time.  You can 
then remove in some future release. You can use the opportunity to add a 
warning to the jarsigner tool so that someone using these options gets a 
warning and knows it will be removed in the future (they might not see 
deprecation notice in the usage/help output).

-Alan


More information about the security-dev mailing list