JDK-8057797 : add a -quiet option for JarSigner
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u67,9
  • Priority: P4
  • Status: Resolved
  • Resolution: Not an Issue
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2014-09-04
  • Updated: 2015-02-12
  • Resolved: 2015-02-12
Description
A DESCRIPTION OF THE REQUEST :
With jdk7u51-b02, JarSigner got enhanced to have improved verification output and nag the user to use timestamping. (http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/7f2fc6c7c6dd)

Along with that, JarSigner was changed to unconditionally output "jar signed." at the end.
This is not so nice for quiet builds, as you cannot distinguish between info logging and warning / error logging and the log level is not configurable, except by -verbose.

Please add a -quiet option for JarSigner that suppresses the final "jar signed." output, so that only warnings and errors are output.

JUSTIFICATION :
If you e.g. use the JarSigner from a Gradle build, you cannot tell the Gradle build to be quiet and only output errors or warnings. You can make the JarSigner output only appear on INFO level, but then warnings and errors are also only visible on INFO level. And capturing its output and deciding on parsing whether there are warnings or errors is not really nice, besides that we call JarSigner in-process to save time and resources.

Any workflow that involves some automatic building that should not output any messages except if there are errors or warnings is affected by this, not only Gradle in-process workflows.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No output during normal successful operation if "-quiet" is used.
ACTUAL -
No "-quiet" available


Comments
I've contacted the bug reporter and it seems JDK-8056174 (New APIs for jar signing) suits him more. Currently I don't think removing "jar signed" is worth doing. It might break those tests that check for golden outputs.
09-10-2014

Of course we can remove that but I'm not sure what the problem is. A user can detect whether jarsigner fails or not by looking at the process exit code (with or without -strict). Even if the 'jar signed' words are removed I don't know how they deal with the warnings. Also, our new signing API for jdk9 can be more useful. I'll contact the bug reporter.
24-09-2014
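
The exit-code approach from the comment above, as an added example that is not part of the original report or of the JDK: a POSIX shell wrapper for out-of-process builds that prints nothing on a clean run, forwards everything except the final "jar signed." line to stderr, and returns the tool's exit code unchanged. `quiet_sign` and `SIGN_CMD` are hypothetical names introduced here, and the filter assumes the English message text.

```shell
#!/bin/sh
# Added example, not JDK code.
# SIGN_CMD is an assumption of this example: it lets the wrapper be pointed
# at a stand-in command for testing. By default it is the jarsigner binary.
: "${SIGN_CMD:=jarsigner}"

# quiet_sign ARGS...
# Runs "$SIGN_CMD ARGS..." and captures stdout and stderr together.
#  - The exact line "jar signed." and blank lines are dropped.
#  - Anything else (warnings, errors) is forwarded to stderr.
#  - The exit code of the signing command is returned unchanged, so the
#    build decides success or failure from the code, not from parsed text.
# Pass -strict in ARGS if warnings should be reflected in the exit code.
quiet_sign() {
    # "&& ... || ..." keeps a non-zero exit from aborting under "set -e".
    out=$($SIGN_CMD "$@" 2>&1) && rc=0 || rc=$?

    # grep exits 1 when every line was filtered out; that is the clean case.
    rest=$(printf '%s\n' "$out" | grep -v -x -e 'jar signed\.' -e '' || true)

    if [ -n "$rest" ]; then
        printf '%s\n' "$rest" >&2
    fi
    return "$rc"
}

# Typical call from a build script (keystore, jar and alias are placeholders):
#   quiet_sign -strict -keystore build.jks app.jar release-key || exit $?
```

Because the decision rests on the exit code, the text filter only affects what is shown; a changed or localized success message makes the run noisier but cannot turn a failed signing into a passing build.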

Max, can you evaluate this to see if it is reasonable? Why do we always output "jar signed"? Can we just remove that?
24-09-2014

something to be considered for JDK 9 perhaps
16-09-2014