Module jdk.jartool should provide jarsigner tool

Wei-Jun Wang weijun.wang at oracle.com
Sun Feb 7 03:42:23 UTC 2021


We considered this before but thought jarsigner has too many options, and the password prompt thing is certainly a pain. Also the verification part are all based on public APIs and only the signing part is worth investigating.

Finally we produce the JarSigner API in the jdk.security.jarsigner package in the jdk.jartool module, and move most signing code in jarsigner there. It’s certainly much more programmer-friendly than the jarsigner tool.

—Max

> On Feb 4, 2021, at 5:36 AM, Alan Bateman <Alan.Bateman at oracle.com> wrote:
> 
> On 04/02/2021 07:38, Christian Stein wrote:
>> Module jdk.jartoo already provides java.util.spi.ToolProvider with
>> sun.tools.jar.JarToolProvider. [0]
>> 
>> Is there a reason why it does provide a JarSignerToolProvider allowing
>> `jarsigner` to be run in-process? Perhaps too many System.exit() calls
>> in sun/security/tools/jarsigner/Main.java?
>> 
>> 
> cc'ing security-dev as that is where the jarsigner tool is maintained.
> 
> This may have come up in JDK 9 but I can't find any mails in the archives. Yes, it would need a bit of refactoring so that the System.exit is only called when invoked via the launcher/main method. There are also CLI options that prompt for a password that may not be suitable for programmatic use. I'm sure Max or others on security-dev will have more to say on this.
> 
> -Alan



More information about the security-dev mailing list