XSTJ-67: In this release of xmlsectool, the --key option has been split into --keyAlias and --keyFile depending on operation (
--keyFile is used with
--keyAlias is used with keystores and with PKCS#11 tokens). The --key option can still be used in both contexts but will result in a deprecation warning. The --key option will be removed in the next major release of xmlsectool.
XSTJ-68: Previous versions of xmlsectool set an explicit heap limit of 256MB to compensate for the very low defaults imposed by early versions of Java. xmlsectool no longer does this, as recent Java versions on modern hardware now allow the allocation of a much larger heap by default. This means that xmlsectool will be more likely to work on large documents. For documents which need still more heap, set a non-default heap size by invoking xmlsectool like this:
JVMOPTS="-Xmx1.5G" ...xmlsectool --sign ...
xmlsectool 3.0.0 includes defensive coding to limit the effect of some changes that have been made to the XML DSIG code within the JDK and the Santuario XML security dependency library. The intention is to ensure that xmlsectool produces the same output across versions of these dependencies, and to ensure that signed output does not include encoded CR characters (
or similar) known to cause problems for some consumers. One result is that in most circumstances, xmlsectool 3.0.0 produces identical output to xmlsectool 2.0.0, although this is not guaranteed and in particular may not be the case for a future major version of xmlsectool.
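A check for the encoded CR problem described above, as an added example rather than code from xmlsectool or the Shibboleth Project: it scans the raw text of a signed document for numeric character references that decode to CR (assumed here to take forms such as &#13; or &#xD;) and reports the element each one sits in. The function name and the sample document are constructed for illustration.

```python
import re

# Numeric character references that decode to CR (U+000D):
# decimal (&#13;, &#013;) or hexadecimal (&#xD;, &#x0d;).
CR_REF = re.compile(r"&#(?:0*13|x0*[dD]);")
# Opening (not closing, not self-closing) tag; captures the local name.
OPEN_TAG = re.compile(r"<(?:[\w.-]+:)?([\w.-]+)(?:\s[^<>]*)?(?<!/)>")


def find_encoded_cr(xml_text):
    """Return (line, column, element, reference) for each encoded CR.

    Works on the raw serialized text on purpose: an XML parser would
    decode the references into plain CR characters and hide what the
    signer actually wrote into the document.
    """
    findings = []
    for m in CR_REF.finditer(xml_text):
        before = xml_text[:m.start()]
        line = before.count("\n") + 1
        col = m.start() - (before.rfind("\n") + 1) + 1
        # The nearest preceding opening tag approximates the enclosing
        # element, which is exact for text-only elements such as
        # SignatureValue or X509Certificate.
        tags = OPEN_TAG.findall(before)
        findings.append((line, col, tags[-1] if tags else None, m.group(0)))
    return findings


# Constructed sample: base64 values are placeholders, not a real signature.
SAMPLE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
    '<ds:SignatureValue>QUJDREVGR0g=&#13;\n'
    'SUpLTE1OT1A=</ds:SignatureValue>\n'
    '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>TUlJQw==&#xD;\n'
    'QUFBQQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>\n'
    '</ds:Signature>\n'
)

if __name__ == "__main__":
    for line, col, element, ref in find_encoded_cr(SAMPLE):
        print(f"line {line}, column {col}: {ref} inside <{element}>")
```

Run over the output of a signing step, an empty result means no encoded CR references were written; any finding points at the element a strict consumer is likely to reject.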
xmlsectool 3.0.0 is now based on the Shibboleth Project's Java 11 product platform. This means that it requires a minimum of Java 11 to run. For more details on supported Java versions and distributions, see System Requirements.
XSTJ-82: Changes in the way Java handles the SunPKCS11 provider have necessarily resulted in changes to the way xmlsectool provides this functionality. The full details can be found in Using PKCS#11 Credentials; if you are upgrading from a previous version of xmlsectool then Upgrading from a previous version of xmlsectool gives detailed instructions.
XSTJ-85: For reasons of clarity and inclusivity, the following command-line options have been renamed:
If you use one of the old option names, it will still work but you will be reminded to use the new name through a deprecation warning. The old names for these options will be removed in the next major release of xmlsectool.