This is actually a serious issue. if i have a login on a machine, I can get the keystore password by waiting for someone to sign a JAR on it. We can fix this, either by running jarsigner in VM, or by passing the input over stdio.

git-svn-id: https://svn.apache.org/repos/asf/ant/core/trunk@277617 13f79535-47bb-0310-9956-ffa450edef68

docs/manual/CoreTasks/signjar.html

@@ -16,6 +16,13 @@ generate; if this file exists then
 its modification date is used as a cue as to whether to resign any JAR file.
 </p>
 
+<p>
+<b>Security warning</b>. This task forks the <tt>jarsigner</tt> executable
+(which must of course be on the path). The store password is passed in on
+the command line, so visible in Unix to anyone running <tt>ps -ef</tt>
+on the same host, while signing takes place. Only sign on a secured system.
+</p>
+
 <h3>Parameters</h3>
 <table border="1" cellpadding="2" cellspacing="0">
   <tr>