  1. JDK
  2. JDK-8302233 HSS/LMS: keytool and jarsigner changes
  3. JDK-8320768

Release Note: HSS/LMS: `keytool` and `jarsigner` Changes


      The `jarsigner` and `keytool` tools have been updated to support the Hierarchical Signature System/Leighton-Micali Signature (HSS/LMS) signature algorithm. `jarsigner` supports signing JAR files with HSS/LMS and verifying JAR files signed with HSS/LMS, while `keytool` supports generating HSS/LMS key pairs.

      The JDK includes a security provider that supports HSS/LMS signature verification only. To use the key pair generation and signing features of `keytool` and `jarsigner`, a third-party provider that supports HSS/LMS key pair and signature generation and a keystore implementation that can store HSS/LMS keys are required.

      Even though there’s no specific Java SE API to initialize an HSS/LMS key pair generator, `keytool` can function with a third-party `KeyPairGenerator` implementation that supports initialization via an integer keysize or a `NamedParameterSpec` object. In such cases, users are able to provide the parameters using the existing `-keysize` or `-groupname` options of `keytool`.
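
An added example (not part of the release note or of the JDK sources): a small Java probe that lists which installed providers expose HSS/LMS services, then exercises the two `KeyPairGenerator` initialization paths that `-keysize` and `-groupname` correspond to. The class name `HssLmsProbe` and its single command-line argument are hypothetical; valid parameter values are defined by the third-party provider, not by Java SE.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.NamedParameterSpec;

public class HssLmsProbe {                       // hypothetical class name
    static final String ALG = "HSS/LMS";

    public static void main(String[] args) throws Exception {
        // Per provider, report which HSS/LMS services are registered.
        // A Signature service alone does not imply signing support:
        // per the release note, the JDK's own provider only verifies.
        for (Provider p : Security.getProviders()) {
            boolean sig = p.getService("Signature", ALG) != null;
            boolean kf  = p.getService("KeyFactory", ALG) != null;
            boolean kpg = p.getService("KeyPairGenerator", ALG) != null;
            if (sig || kf || kpg) {
                System.out.printf("%s: Signature=%b KeyFactory=%b KeyPairGenerator=%b%n",
                        p.getName(), sig, kf, kpg);
            }
        }

        KeyPairGenerator gen;
        try {
            gen = KeyPairGenerator.getInstance(ALG);
        } catch (NoSuchAlgorithmException e) {
            // Expected on a stock JDK with no third-party provider installed.
            System.out.println("No HSS/LMS KeyPairGenerator: key generation "
                    + "and signing need a third-party provider.");
            return;
        }

        // args[0] is a provider-defined value (assumption: see the
        // provider's documentation for accepted sizes or parameter names).
        if (args.length == 1) {
            try {
                gen.initialize(Integer.parseInt(args[0]));        // -keysize path
            } catch (NumberFormatException e) {
                gen.initialize(new NamedParameterSpec(args[0]));  // -groupname path
            }
            System.out.println("Initialized by provider " + gen.getProvider().getName());
        }
    }
}
```

Running it before configuring `keytool` shows whether the provider on the class path registers a key pair generator at all, and whether it accepts the value intended for `-keysize` or `-groupname`.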

      As part of this change, the JAR specification was modified to repurpose the existing “.DSA” extension for JAR files signed with HSS/LMS and other forthcoming signature algorithms.

            weijun Weijun Wang