stevel 2005/02/07 15:51:01
Modified: docs/manual/CoreTasks signjar.html
Log:
This is actually a serious issue. If I have a login on a machine, I can get
the keystore password by waiting for someone to sign a JAR on it. We can fix
this, either by running jarsigner in VM, or by passing the input over stdio.
Revision Changes Path
1.13 +7 -0 ant/docs/manual/CoreTasks/signjar.html
Index: signjar.html
===================================================================
RCS file: /home/cvs/ant/docs/manual/CoreTasks/signjar.html,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- signjar.html 26 Nov 2004 09:52:06 -0000 1.12
+++ signjar.html 7 Feb 2005 23:51:01 -0000 1.13
@@ -16,6 +16,13 @@
its modification date is used as a cue as to whether to resign any JAR file.
</p>
+<p>
+<b>Security warning</b>. This task forks the <tt>jarsigner</tt> executable
+(which must of course be on the path). The store password is passed in on
+the command line, so visible in Unix to anyone running <tt>ps -ef</tt>
+on the same host, while signing takes place. Only sign on a secured system.
+</p>
+
<h3>Parameters</h3>
<table border="1" cellpadding="2" cellspacing="0">
<tr>
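Review bot: The closing sentence of the added warning paragraph, "Only sign on a secured system", does not tell the reader what to check. Say what is meant, for example a host on which no untrusted user has a login while signing runs, which is the condition the exposure depends on. The preceding clause "so visible in Unix to anyone running <tt>ps -ef</tt>" is missing its subject and verb ("so it is visible on Unix to anyone ...") and ties the exposure to one command, where the point is that any local user who can list processes sees the forked command line. Since the log message says this can be fixed, the paragraph could also state that this is a limitation of the current implementation of the task, so the warning is easy to retire once the password is no longer passed on the command line.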