From 04a541221cbc527ac88a716e624b093cb92a04cd Mon Sep 17 00:00:00 2001 From: Steve Loughran Date: Mon, 7 Feb 2005 23:51:01 +0000 Subject: [PATCH] This is actually a serious issue. if i have a login on a machine, I can get the keystore password by waiting for someone to sign a JAR on it. We can fix this, either by running jarsigner in VM, or by passing the input over stdio. git-svn-id: https://svn.apache.org/repos/asf/ant/core/trunk@277617 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/CoreTasks/signjar.html | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/manual/CoreTasks/signjar.html b/docs/manual/CoreTasks/signjar.html index a77c1b51d..9c74232c9 100644 --- a/docs/manual/CoreTasks/signjar.html +++ b/docs/manual/CoreTasks/signjar.html @@ -16,6 +16,13 @@ generate; if this file exists then its modification date is used as a cue as to whether to resign any JAR file.

+

+Security warning. This task forks the jarsigner executable +(which must of course be on the path). The store password is passed in on +the command line, so visible in Unix to anyone running ps -ef +on the same host, while signing takes place. Only sign on a secured system. +

+

Parameters
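
Review bot: In the added warning paragraph, "Only sign on a secured system" does not tell the reader what to check. The commit message is more concrete (anyone with a login on the machine can get the keystore password while a JAR is being signed), and the manual should say that directly, for example by advising that signing be done only on hosts where no untrusted user has a login. The clause "so visible in Unix to anyone running ps -ef" is missing its verb; "so it is visible on Unix to anyone running ps -ef" reads correctly. Since the commit message names two possible fixes (running jarsigner in VM, or passing the input over stdio), the warning could also state that this is a limitation of the current forked implementation, so the paragraph is revisited when one of those fixes lands.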