diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index a3f2192e9..a87318151 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -46,7 +46,7 @@ class Options(object):
     self.signapk_shared_library_path = "lib64"   # Relative to search_path
     self.extra_signapk_args = []
     self.java_path = "java"  # Use the one on the path by default.
-    self.java_args = "-Xmx2048m" # JVM Args
+    self.java_args = ["-Xmx2048m"]  # The default JVM args.
     self.public_key_suffix = ".x509.pem"
     self.private_key_suffix = ".pk8"
     # use otatools built boot_signer by default
@@ -727,11 +727,10 @@ def SignFile(input_name, output_name, key, password, min_api_level=None,
   java_library_path = os.path.join(
       OPTIONS.search_path, OPTIONS.signapk_shared_library_path)
 
-  cmd = [OPTIONS.java_path, OPTIONS.java_args,
-         "-Djava.library.path=" + java_library_path,
-         "-jar",
-         os.path.join(OPTIONS.search_path, OPTIONS.signapk_path)]
-  cmd.extend(OPTIONS.extra_signapk_args)
+  cmd = ([OPTIONS.java_path] + OPTIONS.java_args +
+         ["-Djava.library.path=" + java_library_path,
+          "-jar", os.path.join(OPTIONS.search_path, OPTIONS.signapk_path)] +
+         OPTIONS.extra_signapk_args)
   if whole_file:
     cmd.append("-w")
 
@@ -883,7 +882,7 @@ def ParseOptions(argv,
     elif o in ("--java_path",):
       OPTIONS.java_path = a
     elif o in ("--java_args",):
-      OPTIONS.java_args = a
+      OPTIONS.java_args = shlex.split(a)
     elif o in ("--public_key_suffix",):
       OPTIONS.public_key_suffix = a
     elif o in ("--private_key_suffix",):
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 7f69a575e..394ad0a88 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -472,11 +472,11 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
   # recovery uses a version of the key that has been slightly
   # predigested (by DumpPublicKey.java) and put in res/keys.
   # extra_recovery_keys are used only in recovery.
-
-  p = common.Run(["java", "-jar",
-                  os.path.join(OPTIONS.search_path, "framework", "dumpkey.jar")]
-                 + mapped_keys + extra_recovery_keys,
-                 stdout=subprocess.PIPE)
+  cmd = ([OPTIONS.java_path] + OPTIONS.java_args +
+         ["-jar",
+          os.path.join(OPTIONS.search_path, "framework", "dumpkey.jar")] +
+         mapped_keys + extra_recovery_keys)
+  p = common.Run(cmd, stdout=subprocess.PIPE)
   new_recovery_keys, _ = p.communicate()
   if p.returncode != 0:
     raise common.ExternalError("failed to run dumpkeys")