jpkg enhancements to create signed modules
vincent.x.ryan at oracle.com
Tue May 11 07:09:16 PDT 2010
Thanks for your comments Max.
On 11/05/2010 13:15, Wang Weijun wrote:
> Simple ones first.
> HexDumpEncoder.encodeBuffer(*) is preferred.
> 1. --nosign and --signer etc can be combined quite freely. Is there an
> illegal combination?
Now it throws an exception when --nosign is supplied with any of --signer
> 2. We used to specify NONE for PKCS #11 keystore name. Although it's not
> recommended now, is it allowed?
> 3. What if user specifies a non-JKS type but hasn't provided keystore name?
That's allowed, for example, PKCS11 and Windows-MY
> 4. The char returned by Password.readPassword() is not zeroed.
> 5. Do we have SHA256withDSA now?
That's a problem. Will investigate.
> 6. We've added CRL into signed jars recently. Any plan for it in signed
> modules? You might embed it in PKCS #7 block or create a supplementary
> module section (Is this possible?)
No plans to support this yet.
> hashtype is hardcoded to SHA256?
> ------- Original message -------
>> From: Vincent Ryan <vincent.x.ryan at oracle.com>
>> To: jigsaw-dev at openjdk.java.net
>> Sent: 11.5.'10, 0:46
>> Please review these code changes to support the creation of signed
>> It adds the following new options to the jpkg tool:
>> -S, --signer <ID> : module signer's identifier
>> -k, --keystore <location> : module signer's keystore location
>> -t, --storetype <type> : module signer's keystore type
>> --nosign : do not sign the module
>> --nopassword : do not prompt for a keystore password
>> Appropriate default values are supported and keystore passwords may be
>> supplied to jpkg by redirecting standard input.
>> This is just one of a number of changes to support signed modules
>> Please send me your comments as I'm hoping to address any issues and
>> these changes by the end of this week.
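
The keystore points raised in this thread (a NONE location for PKCS #11, store types that have no keystore file, and zeroing the password array), shown as an added Java example that is not part of the original messages or of the jpkg change. `KeystoreLoadExample` and its `load` helper are hypothetical names, and the password is a constructed sample value.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

public class KeystoreLoadExample {

    // Hypothetical helper (not jpkg code): opens the signer's keystore and
    // always wipes the caller-supplied password before returning.
    static KeyStore load(String storeType, String location, char[] password)
            throws GeneralSecurityException, IOException {
        try {
            KeyStore ks = KeyStore.getInstance(storeType);
            // Token- or OS-backed stores (PKCS11, Windows-MY) have no file;
            // "NONE" or a missing location means load from a null stream.
            boolean fileBacked = location != null && !"NONE".equals(location);
            if (fileBacked) {
                try (InputStream in = new FileInputStream(location)) {
                    ks.load(in, password);
                }
            } else {
                ks.load(null, password);
            }
            return ks;
        } finally {
            // Overwrite the secret so it does not linger on the heap,
            // whether the load succeeded or threw.
            if (password != null) {
                Arrays.fill(password, '\0');
            }
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // constructed sample value
        // No location given: for JKS this yields an empty in-memory store.
        KeyStore ks = load("JKS", null, password);
        System.out.println("entries: " + ks.size());
        System.out.println("password wiped: " + (password[0] == '\0'));
    }
}
```

Wiping in `finally` covers the failure path too, so a wrong password or unreadable keystore does not leave the array populated.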