diff --git a/WHATSNEW b/WHATSNEW
index 4dacbc190..8bc4caa29 100644
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -44,6 +44,9 @@ Fixed bugs:
* Commandline.describeCommand() methods would attempt to describe
arguments even when none, other than the executable name, were present.
+* Create signjar's helper ExecTask instance directly rather than by
+ typedef discovery mechanisms. Bugzilla report 33433.
+
Other changes:
--------------
@@ -110,6 +113,9 @@ Other changes:
* Added loginputstring attribute to the redirector type.
+* Tighten security by sending storepass and keypass to signjar
+ via the input stream of the forked process.
+
Changes from Ant 1.6.2 to current Ant 1.6 CVS version
=====================================================
diff --git a/docs/manual/CoreTasks/signjar.html b/docs/manual/CoreTasks/signjar.html
index c1c998882..c441dd330 100644
--- a/docs/manual/CoreTasks/signjar.html
+++ b/docs/manual/CoreTasks/signjar.html
@@ -16,13 +16,6 @@ generate; if this file exists then
its modification date is used as a cue as to whether to resign any JAR file.
-
-Security warning. This task forks the jarsigner executable
-(which must of course be on the path). The store password is passed in on
-the command line, so visible in Unix to anyone running ps -ef
-on the same host, while signing takes place. Only sign on a secured system.
-
-
Parameters
diff --git a/src/main/org/apache/tools/ant/taskdefs/SignJar.java b/src/main/org/apache/tools/ant/taskdefs/SignJar.java
index 1b75dddb9..dcddb5600 100644
--- a/src/main/org/apache/tools/ant/taskdefs/SignJar.java
+++ b/src/main/org/apache/tools/ant/taskdefs/SignJar.java
@@ -25,6 +25,7 @@ import org.apache.tools.ant.Project;
import org.apache.tools.ant.Task;
import org.apache.tools.ant.taskdefs.condition.IsSigned;
import org.apache.tools.ant.types.FileSet;
+import org.apache.tools.ant.types.RedirectorElement;
import org.apache.tools.ant.util.JavaEnvUtils;
import org.apache.tools.ant.util.FileUtils;
@@ -66,6 +67,7 @@ public class SignJar extends Task {
protected boolean internalsf;
protected boolean sectionsonly;
private boolean preserveLastModified;
+ private RedirectorElement redirector;
/** The maximum amount of memory to use for Jar signer */
private String maxMemory;
@@ -212,6 +214,7 @@ public class SignJar extends Task {
throw new BuildException("jar must be set through jar attribute "
+ "or nested filesets");
}
+ redirector = createRedirector();
if (null != jar) {
if (filesets.size() != 0) {
log("nested filesets will be ignored if the jar attribute has"
@@ -233,6 +236,27 @@ public class SignJar extends Task {
}
}
+ /**
+ * Create the redirector to use, if any.
+ * @return a configured RedirectorElement.
+ */
+ private RedirectorElement createRedirector() {
+ if (storepass == null && keypass == null) {
+ return null;
+ }
+ RedirectorElement result = new RedirectorElement();
+ StringBuffer input = new StringBuffer();
+ if (storepass != null) {
+ input.append(storepass).append('\n');
+ }
+ if (keypass != null) {
+ input.append(keypass).append('\n');
+ }
+ result.setInputString(input.toString());
+ result.setLogInputString(false);
+ return result;
+ }
+
/**
* sign one jar
*/
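Review bot: createRedirector() feeds the passwords to the forked process by position only, so when keypass is set and storepass is not, the single line on stdin is consumed by whichever prompt jarsigner issues first. That is presumably the keystore password prompt, now that the removed lines elsewhere in this diff no longer pass `-storepass` and `-keypass` as flags. The old code bound each value to its flag; here the key password would likely be tried against the keystore and fail with a misleading wrong-password error. Consider rejecting that combination up front, e.g. `if (storepass == null && keypass != null) { throw new BuildException("storepass must be set when keypass is set"); }`. The Javadoc should also state that the method returns null when neither password is set, that the line order must match jarsigner's prompt order, and that a password containing a line break would be split across prompts.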
@@ -252,7 +276,8 @@ public class SignJar extends Task {
}
long lastModified = jarSource.lastModified();
- final ExecTask cmd = (ExecTask) getProject().createTask("exec");
+ final ExecTask cmd = new ExecTask();
+ cmd.setProject(getProject());
cmd.setExecutable(JavaEnvUtils.getJdkExecutable("jarsigner"));
if (maxMemory != null) {
@@ -271,22 +296,10 @@ public class SignJar extends Task {
cmd.createArg().setValue(keystore);
}
}
-
- if (null != storepass) {
- cmd.createArg().setValue("-storepass");
- cmd.createArg().setValue(storepass);
- }
-
if (null != storetype) {
cmd.createArg().setValue("-storetype");
cmd.createArg().setValue(storetype);
}
-
- if (null != keypass) {
- cmd.createArg().setValue("-keypass");
- cmd.createArg().setValue(keypass);
- }
-
if (null != sigfile) {
cmd.createArg().setValue("-sigfile");
cmd.createArg().setValue(sigfile);
@@ -316,6 +329,9 @@ public class SignJar extends Task {
log("Signing JAR: " + jarSource.getAbsolutePath());
cmd.setFailonerror(true);
cmd.setTaskName(getTaskName());
+ if (redirector != null) {
+ cmd.addConfiguredRedirector(redirector);
+ }
cmd.execute();
// restore the lastModified attribute