On Wed, 15 Apr 2026 14:27:51 GMT, Sean Mullan <[email protected]> wrote:

>> src/jdk.jlink/share/classes/jdk/tools/jlink/resources/plugins.properties 
>> line 67:
>> 
>>> 65: \                            with the certificates of the specified 
>>> aliases\n\
>>> 66: \                            only. <alias> is the name of an alias in 
>>> the\n\
>>> 67: \                            cacerts keystore.
>> 
>> I'm wondering about "cacerts keystore". Do you mean this in the abstract 
>> sense or the file in lib/security? JEP 220 is clear that files in lib 
>> directory "must be treated as private implementation details of the run-time 
>> system" and maybe we missed some areas of the docs when moving to the new 
>> run-time image structure. I note that the keytool man page refers to the 
>> cacerts file in lib/security and we should probably re-visit that wording.
>> 
>> I'm just wondering if the usage and man page should refer to the JDK's 
>> truststore for CA certificates or something more abstract rather than 
>> "cacerts".
>
> I can try to make this more abstract I suppose, but it will make it a bit 
> more unuser-friendly, because I would need to ask for the pathname to the 
> keystore so as not to assume it is the cacerts keystore, right? I have to 
> minimally assume it is a keystore though, since there is no other standard 
> API to get the root certificates.

We should probably create an issue in JBS to look at the keytool man page. We 
might have missed that when moving to the run-time image in JDK 9.

I think the `--cacerts` option name and having its values be a list of aliases 
is okay. The plugin will use the resource in java.base.jmod so there should be no 
need to specify a file path.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29700#discussion_r3087325767
