@@ -308,11 +308,7 @@ When a JAR file is signed multiple times, there are multiple \f3\&.SF\fR and \f3
.nf
\f3KEVIN\&.DSA\fP
.fi
.nf
\f3\fR
.fi
.sp
\fINote:\fR It is also possible for a JAR file to have mixed signatures, some generated by the JDK 1\&.1 by the \f3javakey\fR command and others by \f3jarsigner\fR\&. The \f3jarsigner\fR command can be used to sign JAR files that are already signed with the \f3javakey\fR command\&.
.SH OPTIONS
The following sections describe the various \f3jarsigner\fR options\&. Be aware of the following standards:
.TP 0.2i
...
...
@@ -443,7 +439,7 @@ If this option is not specified, then \f3SHA256\fR is used\&. There must either
.br
If the \f3-certs\fR option appears on the command line with the \f3-verify\fR and \f3-verbose\fR options, then the output includes certificate information for each signer of the JAR file\&. This information includes the name of the type of certificate (stored in the \f3\&.DSA\fR file) that certifies the signer\&'s public key, and if the certificate is an X\&.509 certificate (an instance of the \f3java\&.security\&.cert\&.X509Certificate\fR), then the distinguished name of the signer\&.
The keystore is also examined\&. If no keystore value is specified on the command line, then the default keystore file (if any) is checked\&. If the public key certificate for a signer matches an entry in the keystore, then the alias name for the keystore entry for that signer is displayed in parentheses\&. If the signer comes from a JDK 1\&.1 identity database instead of from a keystore, then the alias name displays in brackets instead of parentheses\&.
The keystore is also examined\&. If no keystore value is specified on the command line, then the default keystore file (if any) is checked\&. If the public key certificate for a signer matches an entry in the keystore, then the alias name for the keystore entry for that signer is displayed in parentheses\&.
.TP
-certchain \fIfile\fR
.br
...
...
@@ -797,178 +793,6 @@ If you specify the \f3-certs\fR option with the \f3-verify\fR and \f3-verbose\fR
.fi
.sp
If the certificate for a signer is not an X\&.509 certificate, then there is no distinguished name information\&. In that case, just the certificate type and the alias are shown\&. For example, if the certificate is a PGP certificate, and the alias is \f3bob\fR, then you would get: \f3PGP, (bob)\fR\&.
If a JAR file was signed with the JDK 1\&.1 \f3javakey\fR tool, and the signer is an alias in an identity database, then the verification output includes an \f3i\fR\&. If the JAR file was signed by both an alias in an identity database and an alias in a keystore, then both \f3k\fR and \f3i\fR appear\&.
.PP
When the \f3-certs\fR option is used, any identity database aliases are shown in brackets rather than the parentheses used for keystore aliases, for example:
\f3 k = at least one certificate was found in keystore\fP
.fi
.nf
\f3 i = at least one certificate was found in identity scope\fP
.fi
.nf
\f3\fR
.fi
.nf
\f3 jar verified\&.\fP
.fi
.nf
\f3\fR
.fi
.sp
\fINote:\fR The alias \f3duke\fR is in brackets to denote that it is an identity database alias, and not a keystore alias\&.
.SH JDK\ 1\&.1\ COMPATIBILITY
The \f3keytool\fR and \f3jarsigner\fR tools replace the \f3javakey\fR tool in JDK 1\&.1\&. These new tools provide more features than \f3javakey\fR, including the ability to protect the keystore and private keys with passwords, and the ability to verify signatures in addition to generating them\&.
.PP
The new keystore architecture replaces the identity database that \f3javakey\fR created and managed\&. There is no backward compatibility between the keystore format and the database format used by \f3javakey\fR in JDK 1\&.1\&. However, be aware of the following:
.TP 0.2i
\(bu
It is possible to import the information from an identity database into a keystore through the \f3keytool -identitydb\fR command\&.
.TP 0.2i
\(bu
The \f3jarsigner\fR command can sign JAR files that were signed with the \f3javakey\fR command\&.
.TP 0.2i
\(bu
The \f3jarsigner\fR command can verify JAR files signed with \f3javakey\fR\&. The \f3jarsigner\fR command recognizes and can work with signer aliases that are from a JDK 1\&.1 identity database rather than a JDK keystore\&.
.SS UNSIGNED\ JARS
Unsigned JARs have the default privileges that are granted to all code\&.
.SS SIGNED\ JARS
Signed JARs have the privilege configurations based on their JDK 1\&.1\&.\fIn\fR identity and policy file status as described\&. Only trusted identities can be imported into the JDK keystore\&.
.PP
Default Privileges Granted to All Code
Identity in 1\&.1 database: \fINo\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.PP
.PP
Identity in 1\&.1 database: \fINo\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.PP
.PP
Identity in 1\&.1 database: Yes/Untrusted
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.br
See 3 in Notes Regarding Privileges of Signed JARs\&.
.PP
.PP
Identity in 1\&.1 database: Yes/Untrusted
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.br
See 1 and 3 in Notes Regarding Privileges of Signed JARs\&.
.PP
Default Privileges and Policy File Privileges Granted
Identity in 1\&.1 database: \fINo\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.PP
.PP
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.br
See 2 in Notes Regarding Privileges of Signed JARs\&.
.PP
All Privileges Granted
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.PP
.PP
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.br
See 1 in Notes Regarding Privileges of Signed JARs\&.
.PP
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.br
See 1 in Notes Regarding Privileges of Signed JARs\&.
.PP
Notes Regarding Privileges of Signed JARs
.TP 0.4i
1\&.
If an identity or alias is mentioned in the policy file, then it must be imported into the keystore for the policy file to have any effect on privileges granted\&.
.TP 0.4i
2\&.
The policy file/keystore combination has precedence over a trusted identity in the identity database\&.
.TP 0.4i
3\&.
Untrusted identities are ignored in the Java platform\&.
@@ -373,7 +373,7 @@ Performs additional checks for Java Native Interface (JNI) functions\&. Specific
.TP
-Xcomp
.br
Disables interpretation of Java code and compile methods on first invocation\&. By default, the JIT compiler performs 10,000 interpreted method invocations to gather information for efficient compilation\&. To increase compilation performance at the expense of efficiency, use the \f3-Xcomp\fR flag to disable interpreted method invocations\&.
Forces compilation of methods on first invocation\&. By default, the Client VM (\f3-client\fR) performs 1,000 interpreted method invocations and the Server VM (\f3-server\fR) performs 10,000 interpreted method invocations to gather information for efficient compilation\&. Specifying the \f3-Xcomp\fR option disables interpreted method invocations to increase compilation performance at the expense of efficiency\&.
You can also change the number of interpreted method invocations before compilation using the \f3-XX:CompileThreshold\fR option\&.
.TP
...
...
@@ -937,11 +937,9 @@ Sets the minimum free space (in bytes) required for compilation\&. Append the le
Attaches a line to the \f3\&.hotspot_compiler\fR file with the command for the specific method of the class\&. For example, to exclude the \f3indexOf()\fR method of the \f3String\fR class from being compiled, use the following:
Specifies a command to perform on a method\&. For example, to exclude the \f3indexOf()\fR method of the \f3String\fR class from being compiled, use the following:
@@ -952,12 +950,21 @@ Attaches a line to the \f3\&.hotspot_compiler\fR file with the command for the s
.sp
Note that you must specify the full class name, including all packages and subpackages separated by a slash (\f3/\fR)\&.
Note that the full class name is specified, including all packages and subpackages separated by a slash (\f3/\fR)\&. For easier cut and paste operations, it is also possible to use the method name format produced by the \f3-XX:+PrintCompilation\fR and \f3-XX:+LogCompilation\fR options:
To add several commands, either specify this option multiple times, or separate each argument with the newline separator (\f3\en\fR)\&. To better understand the syntax of the JVM compiler commands, refer to the description of the \f3-XX:CompileCommandFile\fR option, which enables you to specify the file from which to read compiler commands\&. Notice how the syntax of the command file differs rom the syntax of the argument for the \f3-XX:CompileCommand\fR option\&. The commas and periods in the argument are aliases for spaces in the command file, making it easier to pass compiler commands through a shell\&. To pass arguments to \f3-XX:CompileCommand\fR with the same syntax as that used in the command file, you can enclose the argument in quotation marks:
If the method is specified without the signature, the command will be applied to all methods with the specified name\&. However, you can also specify the signature of the method in the class file format\&. In this case, you should enclose the arguments in quotation marks, because otherwise the shell treats the semicolon as command end\&. For example, if you want to exclude only the \f3indexOf(String)\fR method of the \f3String\fR class from being compiled, use the following:
@@ -965,10 +972,10 @@ To add several commands, either specify this option multiple times, or separate
.sp
For easier cut and paste operations, it is also possible to use the method name format produced by the \f3-XX:+PrintCompilation\fR and \f3-XX:+LogCompilation\fR options:
You can also use the asterisk (*) as a wildcard for class and method names\&. For example, to exclude all \f3indexOf()\fR methods in all classes from being compiled, use the following:
@@ -976,14 +983,27 @@ For easier cut and paste operations, it is also possible to use the method name
.sp
The following commands are available:
The commas and periods are aliases for spaces, making it easier to pass compiler commands through a shell\&. You can pass arguments to \f3-XX:CompileCommand\fR using spaces as separators by enclosing the argument in quotation marks:
Note that after parsing the commands passed on the command line using the \f3-XX:CompileCommand\fR options, the JIT compiler then reads commands from the \f3\&.hotspot_compiler\fR file\&. You can add commands to this file or specify a different file using the \f3-XX:CompileCommandFile\fR option\&.
To add several commands, either specify the \f3-XX:CompileCommand\fR option multiple times, or separate each argument with the newline separator (\f3\en\fR)\&. The following commands are available:
.RS
.TP
break
Set a breakpoint when debugging the JVM to stop at the beginning of compilation of the specified method\&.
.TP
compileonly
Exclude all methods from compilation except for the specified method\&.
Exclude all methods from compilation except for the specified method\&. As an alternative, you can use the \f3-XX:CompileOnly\fR option, which allows to specify several methods\&.
.TP
dontinline
Prevent inlining of the specified method\&.
...
...
@@ -1000,6 +1020,20 @@ Attempt to inline the specified method\&.
log
Exclude compilation logging (with the \f3-XX:+LogCompilation\fR option) for all methods except for the specified method\&. By default, logging is performed for all compiled methods\&.
.TP
option
This command can be used to pass a JIT compilation option to the specified method in place of the last argument (\fIoption\fR)\&. The compilation option is set at the end, after the method name\&. For example, to enable the \f3BlockLayoutByFrequency\fR option for the \f3append()\fR method of the \f3StringBuffer\fR class, use the following:
You can specify multiple compilation options, separated by commas or spaces\&.
.TP
print
Print generated assembler code after compilation of the specified method\&.
.TP
...
...
@@ -1018,12 +1052,15 @@ Do not print the compile commands\&. By default, the commands that you specify w
You can suppress this by specifying the \f3-XX:CompileCommand=quiet\fR option before other \f3-XX:CompileCommand\fR options\&.
.RE
.TP
-XX:CompileCommandFile=\fIfilename\fR
.br
Sets the file from which JIT compiler commands are read\&. By default, the \f3\&.hotspot_compiler\fR file is used to store commands performed by the JIT compiler\&.
.RS
The optional last argument (\fIoption\fR) can be used to pass a JIT compilation option to the specified method\&. The compilation option is set at the end, after the method name\&. For example, to enable the \f3BlockLayoutByFrequency\fR option for the \f3append()\fR method of the \f3StringBuffer\fR class, use the following:
Each line in the command file represents a command, a class name, and a method name for which the command is used\&. For example, this line prints assembly code for the \f3toString()\fR method of the \f3String\fR class:
@@ -1031,16 +1068,25 @@ The optional last argument (\fIoption\fR) can be used to pass a JIT compilation
.sp
.RE
For more information about specifying the commands for the JIT compiler to perform on methods, see the \f3-XX:CompileCommand\fR option\&.
.TP
-XX:CompileCommandFile=\fIfilename\fR
-XX:CompileOnly=\fImethods\fR
.br
Sets the file from which compiler commands are read\&. By default, the \f3\&.hotspot_compiler\fR file is used to store commands performed by the JVM compiler\&.
Sets the list of methods (separated by commas) to which compilation should be restricted\&. Only the specified methods will be compiled\&. Specify each method with the full class name (including the packages and subpackages)\&. For example, to compile only the \f3length()\fR method of the \f3String\fR class and the \f3size()\fR method of the \f3List\fR class, use the following:
Each line in the command file represents a command, a class name, and a method name for which the command is used (all three parts are separated by spaces)\&. For example, this line prints assembly code for the \f3toString()\fR method of the \f3String\fR class:
Note that the full class name is specified, including all packages and subpackages separated by a slash (\f3/\fR)\&. For easier cut and paste operations, it is also possible to use the method name format produced by the \f3-XX:+PrintCompilation\fR and \f3-XX:+LogCompilation\fR options:
@@ -1048,14 +1094,16 @@ Each line in the command file represents a command, a class name, and a method n
.sp
To add commands to the beginning of the \f3\&.hotspot_compiler\fR file, use the \f3-XX:CompileCommand\fR option\&. Note how the syntax of the command file is different from the syntax of the argument for the \f3-XX:CompileCommand\fR option\&. The commas and periods in the argument are aliases for spaces in the command file, making it easier to pass compiler commands through a shell\&. Although it is possible to pass arguments to \f3-XX:CompileCommand\fR with the same syntax as that used in the command file, you would have to enclose the string argument in quotation marks\&.
.TP
-XX:CompileOnly=\fImethods\fR
.br
Sets the list of methods (separated by commas) to which compilation should be restricted\&. Only the specified methods will be compiled\&. Specify each method with the full class name (including the packages and subpackages)\&. For example, to compile only the \f3length()\fR method of the \f3String\fR class and the \f3size()\fR method of the \f3List\fR class, use the following:
Although wildcards are not supported, you can specify only the class or package name to compile all methods in that class or package, as well as specify just the method to compile methods with this name in any class:
@@ -308,11 +308,7 @@ When a JAR file is signed multiple times, there are multiple \f3\&.SF\fR and \f3
.nf
\f3KEVIN\&.DSA\fP
.fi
.nf
\f3\fR
.fi
.sp
\fINote:\fR It is also possible for a JAR file to have mixed signatures, some generated by the JDK 1\&.1 by the \f3javakey\fR command and others by \f3jarsigner\fR\&. The \f3jarsigner\fR command can be used to sign JAR files that are already signed with the \f3javakey\fR command\&.
.SH OPTIONS
The following sections describe the various \f3jarsigner\fR options\&. Be aware of the following standards:
.TP 0.2i
...
...
@@ -443,7 +439,7 @@ If this option is not specified, then \f3SHA256\fR is used\&. There must either
.br
If the \f3-certs\fR option appears on the command line with the \f3-verify\fR and \f3-verbose\fR options, then the output includes certificate information for each signer of the JAR file\&. This information includes the name of the type of certificate (stored in the \f3\&.DSA\fR file) that certifies the signer\&'s public key, and if the certificate is an X\&.509 certificate (an instance of the \f3java\&.security\&.cert\&.X509Certificate\fR), then the distinguished name of the signer\&.
The keystore is also examined\&. If no keystore value is specified on the command line, then the default keystore file (if any) is checked\&. If the public key certificate for a signer matches an entry in the keystore, then the alias name for the keystore entry for that signer is displayed in parentheses\&. If the signer comes from a JDK 1\&.1 identity database instead of from a keystore, then the alias name displays in brackets instead of parentheses\&.
The keystore is also examined\&. If no keystore value is specified on the command line, then the default keystore file (if any) is checked\&. If the public key certificate for a signer matches an entry in the keystore, then the alias name for the keystore entry for that signer is displayed in parentheses\&.
.TP
-certchain \fIfile\fR
.br
...
...
@@ -797,178 +793,6 @@ If you specify the \f3-certs\fR option with the \f3-verify\fR and \f3-verbose\fR
.fi
.sp
If the certificate for a signer is not an X\&.509 certificate, then there is no distinguished name information\&. In that case, just the certificate type and the alias are shown\&. For example, if the certificate is a PGP certificate, and the alias is \f3bob\fR, then you would get: \f3PGP, (bob)\fR\&.
If a JAR file was signed with the JDK 1\&.1 \f3javakey\fR tool, and the signer is an alias in an identity database, then the verification output includes an \f3i\fR\&. If the JAR file was signed by both an alias in an identity database and an alias in a keystore, then both \f3k\fR and \f3i\fR appear\&.
.PP
When the \f3-certs\fR option is used, any identity database aliases are shown in brackets rather than the parentheses used for keystore aliases, for example:
\f3 k = at least one certificate was found in keystore\fP
.fi
.nf
\f3 i = at least one certificate was found in identity scope\fP
.fi
.nf
\f3\fR
.fi
.nf
\f3 jar verified\&.\fP
.fi
.nf
\f3\fR
.fi
.sp
\fINote:\fR The alias \f3duke\fR is in brackets to denote that it is an identity database alias, and not a keystore alias\&.
.SH JDK\ 1\&.1\ COMPATIBILITY
The \f3keytool\fR and \f3jarsigner\fR tools replace the \f3javakey\fR tool in JDK 1\&.1\&. These new tools provide more features than \f3javakey\fR, including the ability to protect the keystore and private keys with passwords, and the ability to verify signatures in addition to generating them\&.
.PP
The new keystore architecture replaces the identity database that \f3javakey\fR created and managed\&. There is no backward compatibility between the keystore format and the database format used by \f3javakey\fR in JDK 1\&.1\&. However, be aware of the following:
.TP 0.2i
\(bu
It is possible to import the information from an identity database into a keystore through the \f3keytool -identitydb\fR command\&.
.TP 0.2i
\(bu
The \f3jarsigner\fR command can sign JAR files that were signed with the \f3javakey\fR command\&.
.TP 0.2i
\(bu
The \f3jarsigner\fR command can verify JAR files signed with \f3javakey\fR\&. The \f3jarsigner\fR command recognizes and can work with signer aliases that are from a JDK 1\&.1 identity database rather than a JDK keystore\&.
.SS UNSIGNED\ JARS
Unsigned JARs have the default privileges that are granted to all code\&.
.SS SIGNED\ JARS
Signed JARs have the privilege configurations based on their JDK 1\&.1\&.\fIn\fR identity and policy file status as described\&. Only trusted identities can be imported into the JDK keystore\&.
.PP
Default Privileges Granted to All Code
Identity in 1\&.1 database: \fINo\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.PP
.PP
Identity in 1\&.1 database: \fINo\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.PP
.PP
Identity in 1\&.1 database: Yes/Untrusted
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.br
See 3 in Notes Regarding Privileges of Signed JARs\&.
.PP
.PP
Identity in 1\&.1 database: Yes/Untrusted
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.br
See 1 and 3 in Notes Regarding Privileges of Signed JARs\&.
.PP
Default Privileges and Policy File Privileges Granted
Identity in 1\&.1 database: \fINo\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.PP
.PP
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.br
See 2 in Notes Regarding Privileges of Signed JARs\&.
.PP
All Privileges Granted
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.PP
.PP
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.br
See 1 in Notes Regarding Privileges of Signed JARs\&.
.PP
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.br
See 1 in Notes Regarding Privileges of Signed JARs\&.
.PP
Notes Regarding Privileges of Signed JARs
.TP 0.4i
1\&.
If an identity or alias is mentioned in the policy file, then it must be imported into the keystore for the policy file to have any effect on privileges granted\&.
.TP 0.4i
2\&.
The policy file/keystore combination has precedence over a trusted identity in the identity database\&.
.TP 0.4i
3\&.
Untrusted identities are ignored in the Java platform\&.
@@ -373,7 +373,7 @@ Performs additional checks for Java Native Interface (JNI) functions\&. Specific
.TP
-Xcomp
.br
Disables interpretation of Java code and compile methods on first invocation\&. By default, the JIT compiler performs 10,000 interpreted method invocations to gather information for efficient compilation\&. To increase compilation performance at the expense of efficiency, use the \f3-Xcomp\fR flag to disable interpreted method invocations\&.
Forces compilation of methods on first invocation\&. By default, the Client VM (\f3-client\fR) performs 1,000 interpreted method invocations and the Server VM (\f3-server\fR) performs 10,000 interpreted method invocations to gather information for efficient compilation\&. Specifying the \f3-Xcomp\fR option disables interpreted method invocations to increase compilation performance at the expense of efficiency\&.
You can also change the number of interpreted method invocations before compilation using the \f3-XX:CompileThreshold\fR option\&.
.TP
...
...
@@ -937,11 +937,9 @@ Sets the minimum free space (in bytes) required for compilation\&. Append the le
Attaches a line to the \f3\&.hotspot_compiler\fR file with the command for the specific method of the class\&. For example, to exclude the \f3indexOf()\fR method of the \f3String\fR class from being compiled, use the following:
Specifies a command to perform on a method\&. For example, to exclude the \f3indexOf()\fR method of the \f3String\fR class from being compiled, use the following:
@@ -952,12 +950,21 @@ Attaches a line to the \f3\&.hotspot_compiler\fR file with the command for the s
.sp
Note that you must specify the full class name, including all packages and subpackages separated by a slash (\f3/\fR)\&.
Note that the full class name is specified, including all packages and subpackages separated by a slash (\f3/\fR)\&. For easier cut and paste operations, it is also possible to use the method name format produced by the \f3-XX:+PrintCompilation\fR and \f3-XX:+LogCompilation\fR options:
To add several commands, either specify this option multiple times, or separate each argument with the newline separator (\f3\en\fR)\&. To better understand the syntax of the JVM compiler commands, refer to the description of the \f3-XX:CompileCommandFile\fR option, which enables you to specify the file from which to read compiler commands\&. Notice how the syntax of the command file differs rom the syntax of the argument for the \f3-XX:CompileCommand\fR option\&. The commas and periods in the argument are aliases for spaces in the command file, making it easier to pass compiler commands through a shell\&. To pass arguments to \f3-XX:CompileCommand\fR with the same syntax as that used in the command file, you can enclose the argument in quotation marks:
If the method is specified without the signature, the command will be applied to all methods with the specified name\&. However, you can also specify the signature of the method in the class file format\&. In this case, you should enclose the arguments in quotation marks, because otherwise the shell treats the semicolon as command end\&. For example, if you want to exclude only the \f3indexOf(String)\fR method of the \f3String\fR class from being compiled, use the following:
@@ -965,10 +972,10 @@ To add several commands, either specify this option multiple times, or separate
.sp
For easier cut and paste operations, it is also possible to use the method name format produced by the \f3-XX:+PrintCompilation\fR and \f3-XX:+LogCompilation\fR options:
You can also use the asterisk (*) as a wildcard for class and method names\&. For example, to exclude all \f3indexOf()\fR methods in all classes from being compiled, use the following:
@@ -976,14 +983,27 @@ For easier cut and paste operations, it is also possible to use the method name
.sp
The following commands are available:
The commas and periods are aliases for spaces, making it easier to pass compiler commands through a shell\&. You can pass arguments to \f3-XX:CompileCommand\fR using spaces as separators by enclosing the argument in quotation marks:
Note that after parsing the commands passed on the command line using the \f3-XX:CompileCommand\fR options, the JIT compiler then reads commands from the \f3\&.hotspot_compiler\fR file\&. You can add commands to this file or specify a different file using the \f3-XX:CompileCommandFile\fR option\&.
To add several commands, either specify the \f3-XX:CompileCommand\fR option multiple times, or separate each argument with the newline separator (\f3\en\fR)\&. The following commands are available:
.RS
.TP
break
Set a breakpoint when debugging the JVM to stop at the beginning of compilation of the specified method\&.
.TP
compileonly
Exclude all methods from compilation except for the specified method\&.
Exclude all methods from compilation except for the specified method\&. As an alternative, you can use the \f3-XX:CompileOnly\fR option, which allows to specify several methods\&.
.TP
dontinline
Prevent inlining of the specified method\&.
...
...
@@ -1000,6 +1020,20 @@ Attempt to inline the specified method\&.
log
Exclude compilation logging (with the \f3-XX:+LogCompilation\fR option) for all methods except for the specified method\&. By default, logging is performed for all compiled methods\&.
.TP
option
This command can be used to pass a JIT compilation option to the specified method in place of the last argument (\fIoption\fR)\&. The compilation option is set at the end, after the method name\&. For example, to enable the \f3BlockLayoutByFrequency\fR option for the \f3append()\fR method of the \f3StringBuffer\fR class, use the following:
You can specify multiple compilation options, separated by commas or spaces\&.
.TP
print
Print generated assembler code after compilation of the specified method\&.
.TP
...
...
@@ -1018,12 +1052,15 @@ Do not print the compile commands\&. By default, the commands that you specify w
You can suppress this by specifying the \f3-XX:CompileCommand=quiet\fR option before other \f3-XX:CompileCommand\fR options\&.
.RE
.TP
-XX:CompileCommandFile=\fIfilename\fR
.br
Sets the file from which JIT compiler commands are read\&. By default, the \f3\&.hotspot_compiler\fR file is used to store commands performed by the JIT compiler\&.
.RS
The optional last argument (\fIoption\fR) can be used to pass a JIT compilation option to the specified method\&. The compilation option is set at the end, after the method name\&. For example, to enable the \f3BlockLayoutByFrequency\fR option for the \f3append()\fR method of the \f3StringBuffer\fR class, use the following:
Each line in the command file represents a command, a class name, and a method name for which the command is used\&. For example, this line prints assembly code for the \f3toString()\fR method of the \f3String\fR class:
@@ -1031,16 +1068,25 @@ The optional last argument (\fIoption\fR) can be used to pass a JIT compilation
.sp
.RE
For more information about specifying the commands for the JIT compiler to perform on methods, see the \f3-XX:CompileCommand\fR option\&.
.TP
-XX:CompileCommandFile=\fIfilename\fR
-XX:CompileOnly=\fImethods\fR
.br
Sets the file from which compiler commands are read\&. By default, the \f3\&.hotspot_compiler\fR file is used to store commands performed by the JVM compiler\&.
Sets the list of methods (separated by commas) to which compilation should be restricted\&. Only the specified methods will be compiled\&. Specify each method with the full class name (including the packages and subpackages)\&. For example, to compile only the \f3length()\fR method of the \f3String\fR class and the \f3size()\fR method of the \f3List\fR class, use the following:
Each line in the command file represents a command, a class name, and a method name for which the command is used (all three parts are separated by spaces)\&. For example, this line prints assembly code for the \f3toString()\fR method of the \f3String\fR class:
Note that the full class name is specified, including all packages and subpackages separated by a slash (\f3/\fR)\&. For easier cut and paste operations, it is also possible to use the method name format produced by the \f3-XX:+PrintCompilation\fR and \f3-XX:+LogCompilation\fR options:
@@ -1048,14 +1094,16 @@ Each line in the command file represents a command, a class name, and a method n
.sp
To add commands to the beginning of the \f3\&.hotspot_compiler\fR file, use the \f3-XX:CompileCommand\fR option\&. Note how the syntax of the command file is different from the syntax of the argument for the \f3-XX:CompileCommand\fR option\&. The commas and periods in the argument are aliases for spaces in the command file, making it easier to pass compiler commands through a shell\&. Although it is possible to pass arguments to \f3-XX:CompileCommand\fR with the same syntax as that used in the command file, you would have to enclose the string argument in quotation marks\&.
.TP
-XX:CompileOnly=\fImethods\fR
.br
Sets the list of methods (separated by commas) to which compilation should be restricted\&. Only the specified methods will be compiled\&. Specify each method with the full class name (including the packages and subpackages)\&. For example, to compile only the \f3length()\fR method of the \f3String\fR class and the \f3size()\fR method of the \f3List\fR class, use the following:
Although wildcards are not supported, you can specify only the class or package name to compile all methods in that class or package, as well as specify just the method to compile methods with this name in any class:
@@ -308,11 +308,7 @@ When a JAR file is signed multiple times, there are multiple \f3\&.SF\fR and \f3
.nf
\f3KEVIN\&.DSA\fP
.fi
.nf
\f3\fR
.fi
.sp
\fINote:\fR It is also possible for a JAR file to have mixed signatures, some generated by the JDK 1\&.1 by the \f3javakey\fR command and others by \f3jarsigner\fR\&. The \f3jarsigner\fR command can be used to sign JAR files that are already signed with the \f3javakey\fR command\&.
.SH OPTIONS
The following sections describe the various \f3jarsigner\fR options\&. Be aware of the following standards:
.TP 0.2i
...
...
@@ -443,7 +439,7 @@ If this option is not specified, then \f3SHA256\fR is used\&. There must either
.br
If the \f3-certs\fR option appears on the command line with the \f3-verify\fR and \f3-verbose\fR options, then the output includes certificate information for each signer of the JAR file\&. This information includes the name of the type of certificate (stored in the \f3\&.DSA\fR file) that certifies the signer\&'s public key, and if the certificate is an X\&.509 certificate (an instance of the \f3java\&.security\&.cert\&.X509Certificate\fR), then the distinguished name of the signer\&.
The keystore is also examined\&. If no keystore value is specified on the command line, then the default keystore file (if any) is checked\&. If the public key certificate for a signer matches an entry in the keystore, then the alias name for the keystore entry for that signer is displayed in parentheses\&. If the signer comes from a JDK 1\&.1 identity database instead of from a keystore, then the alias name displays in brackets instead of parentheses\&.
The keystore is also examined\&. If no keystore value is specified on the command line, then the default keystore file (if any) is checked\&. If the public key certificate for a signer matches an entry in the keystore, then the alias name for the keystore entry for that signer is displayed in parentheses\&.
.TP
-certchain \fIfile\fR
.br
...
...
@@ -797,178 +793,6 @@ If you specify the \f3-certs\fR option with the \f3-verify\fR and \f3-verbose\fR
.fi
.sp
If the certificate for a signer is not an X\&.509 certificate, then there is no distinguished name information\&. In that case, just the certificate type and the alias are shown\&. For example, if the certificate is a PGP certificate, and the alias is \f3bob\fR, then you would get: \f3PGP, (bob)\fR\&.
If a JAR file was signed with the JDK 1\&.1 \f3javakey\fR tool, and the signer is an alias in an identity database, then the verification output includes an \f3i\fR\&. If the JAR file was signed by both an alias in an identity database and an alias in a keystore, then both \f3k\fR and \f3i\fR appear\&.
.PP
When the \f3-certs\fR option is used, any identity database aliases are shown in brackets rather than the parentheses used for keystore aliases, for example:
\f3 k = at least one certificate was found in keystore\fP
.fi
.nf
\f3 i = at least one certificate was found in identity scope\fP
.fi
.nf
\f3\fR
.fi
.nf
\f3 jar verified\&.\fP
.fi
.nf
\f3\fR
.fi
.sp
\fINote:\fR The alias \f3duke\fR is in brackets to denote that it is an identity database alias, and not a keystore alias\&.
.SH JDK\ 1\&.1\ COMPATIBILITY
The \f3keytool\fR and \f3jarsigner\fR tools replace the \f3javakey\fR tool in JDK 1\&.1\&. These new tools provide more features than \f3javakey\fR, including the ability to protect the keystore and private keys with passwords, and the ability to verify signatures in addition to generating them\&.
.PP
The new keystore architecture replaces the identity database that \f3javakey\fR created and managed\&. There is no backward compatibility between the keystore format and the database format used by \f3javakey\fR in JDK 1\&.1\&. However, be aware of the following:
.TP 0.2i
\(bu
It is possible to import the information from an identity database into a keystore through the \f3keytool -identitydb\fR command\&.
.TP 0.2i
\(bu
The \f3jarsigner\fR command can sign JAR files that were signed with the \f3javakey\fR command\&.
.TP 0.2i
\(bu
The \f3jarsigner\fR command can verify JAR files signed with \f3javakey\fR\&. The \f3jarsigner\fR command recognizes and can work with signer aliases that are from a JDK 1\&.1 identity database rather than a JDK keystore\&.
.SS UNSIGNED\ JARS
Unsigned JARs have the default privileges that are granted to all code\&.
.SS SIGNED\ JARS
Signed JARs have the privilege configurations based on their JDK 1\&.1\&.\fIn\fR identity and policy file status as described\&. Only trusted identities can be imported into the JDK keystore\&.
.PP
Default Privileges Granted to All Code
Identity in 1\&.1 database: \fINo\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.PP
.PP
Identity in 1\&.1 database: \fINo\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.PP
.PP
Identity in 1\&.1 database: Yes/Untrusted
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.br
See 3 in Notes Regarding Privileges of Signed JARs\&.
.PP
.PP
Identity in 1\&.1 database: Yes/Untrusted
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.br
See 1 and 3 in Notes Regarding Privileges of Signed JARs\&.
.PP
Default Privileges and Policy File Privileges Granted
Identity in 1\&.1 database: \fINo\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.PP
.PP
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.br
See 2 in Notes Regarding Privileges of Signed JARs\&.
.PP
All Privileges Granted
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.PP
.PP
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fIYes\fR
.br
Policy file grants privileges to identity/alias: \fINo\fR
.br
See 1 in Notes Regarding Privileges of Signed JARs\&.
.PP
Identity in 1\&.1 database: \fIYes/Trusted\fR
.br
Trusted identity imported into Java keystore from 1\&.1\&. database: \fINo\fR
.br
Policy file grants privileges to identity/alias: \fIYes\fR
.br
See 1 in Notes Regarding Privileges of Signed JARs\&.
.PP
Notes Regarding Privileges of Signed JARs
.TP 0.4i
1\&.
If an identity or alias is mentioned in the policy file, then it must be imported into the keystore for the policy file to have any effect on privileges granted\&.
.TP 0.4i
2\&.
The policy file/keystore combination has precedence over a trusted identity in the identity database\&.
.TP 0.4i
3\&.
Untrusted identities are ignored in the Java platform\&.
@@ -373,7 +373,7 @@ Performs additional checks for Java Native Interface (JNI) functions\&. Specific
.TP
-Xcomp
.br
Disables interpretation of Java code and compile methods on first invocation\&. By default, the JIT compiler performs 10,000 interpreted method invocations to gather information for efficient compilation\&. To increase compilation performance at the expense of efficiency, use the \f3-Xcomp\fR flag to disable interpreted method invocations\&.
Forces compilation of methods on first invocation\&. By default, the Client VM (\f3-client\fR) performs 1,000 interpreted method invocations and the Server VM (\f3-server\fR) performs 10,000 interpreted method invocations to gather information for efficient compilation\&. Specifying the \f3-Xcomp\fR option disables interpreted method invocations to increase compilation performance at the expense of efficiency\&.
You can also change the number of interpreted method invocations before compilation using the \f3-XX:CompileThreshold\fR option\&.
.TP
...
...
@@ -937,11 +937,9 @@ Sets the minimum free space (in bytes) required for compilation\&. Append the le
Attaches a line to the \f3\&.hotspot_compiler\fR file with the command for the specific method of the class\&. For example, to exclude the \f3indexOf()\fR method of the \f3String\fR class from being compiled, use the following:
Specifies a command to perform on a method\&. For example, to exclude the \f3indexOf()\fR method of the \f3String\fR class from being compiled, use the following:
@@ -952,12 +950,21 @@ Attaches a line to the \f3\&.hotspot_compiler\fR file with the command for the s
.sp
Note that you must specify the full class name, including all packages and subpackages separated by a slash (\f3/\fR)\&.
Note that the full class name is specified, including all packages and subpackages separated by a slash (\f3/\fR)\&. For easier cut and paste operations, it is also possible to use the method name format produced by the \f3-XX:+PrintCompilation\fR and \f3-XX:+LogCompilation\fR options:
To add several commands, either specify this option multiple times, or separate each argument with the newline separator (\f3\en\fR)\&. To better understand the syntax of the JVM compiler commands, refer to the description of the \f3-XX:CompileCommandFile\fR option, which enables you to specify the file from which to read compiler commands\&. Notice how the syntax of the command file differs rom the syntax of the argument for the \f3-XX:CompileCommand\fR option\&. The commas and periods in the argument are aliases for spaces in the command file, making it easier to pass compiler commands through a shell\&. To pass arguments to \f3-XX:CompileCommand\fR with the same syntax as that used in the command file, you can enclose the argument in quotation marks:
If the method is specified without the signature, the command will be applied to all methods with the specified name\&. However, you can also specify the signature of the method in the class file format\&. In this case, you should enclose the arguments in quotation marks, because otherwise the shell treats the semicolon as command end\&. For example, if you want to exclude only the \f3indexOf(String)\fR method of the \f3String\fR class from being compiled, use the following:
@@ -965,10 +972,10 @@ To add several commands, either specify this option multiple times, or separate
.sp
For easier cut and paste operations, it is also possible to use the method name format produced by the \f3-XX:+PrintCompilation\fR and \f3-XX:+LogCompilation\fR options:
You can also use the asterisk (*) as a wildcard for class and method names\&. For example, to exclude all \f3indexOf()\fR methods in all classes from being compiled, use the following:
@@ -976,14 +983,27 @@ For easier cut and paste operations, it is also possible to use the method name
.sp
The following commands are available:
The commas and periods are aliases for spaces, making it easier to pass compiler commands through a shell\&. You can pass arguments to \f3-XX:CompileCommand\fR using spaces as separators by enclosing the argument in quotation marks:
Note that after parsing the commands passed on the command line using the \f3-XX:CompileCommand\fR options, the JIT compiler then reads commands from the \f3\&.hotspot_compiler\fR file\&. You can add commands to this file or specify a different file using the \f3-XX:CompileCommandFile\fR option\&.
To add several commands, either specify the \f3-XX:CompileCommand\fR option multiple times, or separate each argument with the newline separator (\f3\en\fR)\&. The following commands are available:
.RS
.TP
break
Set a breakpoint when debugging the JVM to stop at the beginning of compilation of the specified method\&.
.TP
compileonly
Exclude all methods from compilation except for the specified method\&.
Exclude all methods from compilation except for the specified method\&. As an alternative, you can use the \f3-XX:CompileOnly\fR option, which allows to specify several methods\&.
.TP
dontinline
Prevent inlining of the specified method\&.
...
...
@@ -1000,6 +1020,20 @@ Attempt to inline the specified method\&.
log
Exclude compilation logging (with the \f3-XX:+LogCompilation\fR option) for all methods except for the specified method\&. By default, logging is performed for all compiled methods\&.
.TP
option
This command can be used to pass a JIT compilation option to the specified method in place of the last argument (\fIoption\fR)\&. The compilation option is set at the end, after the method name\&. For example, to enable the \f3BlockLayoutByFrequency\fR option for the \f3append()\fR method of the \f3StringBuffer\fR class, use the following:
You can specify multiple compilation options, separated by commas or spaces\&.
.TP
print
Print generated assembler code after compilation of the specified method\&.
.TP
...
...
@@ -1018,12 +1052,15 @@ Do not print the compile commands\&. By default, the commands that you specify w
You can suppress this by specifying the \f3-XX:CompileCommand=quiet\fR option before other \f3-XX:CompileCommand\fR options\&.
.RE
.TP
-XX:CompileCommandFile=\fIfilename\fR
.br
Sets the file from which JIT compiler commands are read\&. By default, the \f3\&.hotspot_compiler\fR file is used to store commands performed by the JIT compiler\&.
.RS
The optional last argument (\fIoption\fR) can be used to pass a JIT compilation option to the specified method\&. The compilation option is set at the end, after the method name\&. For example, to enable the \f3BlockLayoutByFrequency\fR option for the \f3append()\fR method of the \f3StringBuffer\fR class, use the following:
Each line in the command file represents a command, a class name, and a method name for which the command is used\&. For example, this line prints assembly code for the \f3toString()\fR method of the \f3String\fR class:
@@ -1031,16 +1068,25 @@ The optional last argument (\fIoption\fR) can be used to pass a JIT compilation
.sp
.RE
For more information about specifying the commands for the JIT compiler to perform on methods, see the \f3-XX:CompileCommand\fR option\&.
.TP
-XX:CompileCommandFile=\fIfilename\fR
-XX:CompileOnly=\fImethods\fR
.br
Sets the file from which compiler commands are read\&. By default, the \f3\&.hotspot_compiler\fR file is used to store commands performed by the JVM compiler\&.
Sets the list of methods (separated by commas) to which compilation should be restricted\&. Only the specified methods will be compiled\&. Specify each method with the full class name (including the packages and subpackages)\&. For example, to compile only the \f3length()\fR method of the \f3String\fR class and the \f3size()\fR method of the \f3List\fR class, use the following:
Each line in the command file represents a command, a class name, and a method name for which the command is used (all three parts are separated by spaces)\&. For example, this line prints assembly code for the \f3toString()\fR method of the \f3String\fR class:
Note that the full class name is specified, including all packages and subpackages separated by a slash (\f3/\fR)\&. For easier cut and paste operations, it is also possible to use the method name format produced by the \f3-XX:+PrintCompilation\fR and \f3-XX:+LogCompilation\fR options:
@@ -1048,14 +1094,16 @@ Each line in the command file represents a command, a class name, and a method n
.sp
To add commands to the beginning of the \f3\&.hotspot_compiler\fR file, use the \f3-XX:CompileCommand\fR option\&. Note how the syntax of the command file is different from the syntax of the argument for the \f3-XX:CompileCommand\fR option\&. The commas and periods in the argument are aliases for spaces in the command file, making it easier to pass compiler commands through a shell\&. Although it is possible to pass arguments to \f3-XX:CompileCommand\fR with the same syntax as that used in the command file, you would have to enclose the string argument in quotation marks\&.
.TP
-XX:CompileOnly=\fImethods\fR
.br
Sets the list of methods (separated by commas) to which compilation should be restricted\&. Only the specified methods will be compiled\&. Specify each method with the full class name (including the packages and subpackages)\&. For example, to compile only the \f3length()\fR method of the \f3String\fR class and the \f3size()\fR method of the \f3List\fR class, use the following:
Although wildcards are not supported, you can specify only the class or package name to compile all methods in that class or package, as well as specify just the method to compile methods with this name in any class: