Generating and validating signatures fails when run with a SecurityManager. There are a few places in the code (such as reading system properties) that should be wrapped in AccessController.doPrivileged blocks so that applications that normally would not have these permissions can generate and validate signatures when run with a SecurityManager enabled.
Just fixed the other problem I was aware of (dereferencing http URIs should no longer require PropertyPermission). So I am marking this as fixed.