Code Signing

Published on December 29, 2007
Each of the mobile platforms has a code signing process that verifies that a mobile application is authentic. The objective of code signing is to ensure that mobile applications are trusted, virus-free, and traceable to the company that published them.

The Verisign ACS (Authenticated Content Signing) Portal issues certificates for various mobile platforms. It has a good diagram of how mobile code signing works:

Windows Mobile Signing

Symbian Signing
  • Open Signed with Publisher ID
    • As of Q3 2007, there is a big change to the Symbian signing process. It is supposed to make signing more cost effective and easier. The CA they use is TrustCenter, instead of Verisign ACS. Get a Publisher ID from TrustCenter for USD $200/year. You may still use your existing Publisher ID from Verisign ACS.
    • Open Signed with Publisher ID is for the development process only; it makes it convenient for the developer to sign an application for up to 1000 IMEI numbers. To deploy commercially, Express Signed or above is needed. The Open Signed process is described below.
    • Register an account at www.SymbianSigned.com
    • Buy a Publisher ID from TrustCenter for USD$200/year. Get the Publisher ID file (.cer) and Private Key file (.key) and the private key password.
    • Run the DevCertRequest tool to generate a certificate request (CSR) file. The CSR file is what gets you a Developer Certificate.
    • Go to www.SymbianSigned.com to upload your CSR file.
    • Download the Developer Certificate.
    • Developers can now use the Developer Certificate to sign the SIS file, using SignSIS tool.
  • Express Signed
    • Express Signed is for general commercial release.
    • Assuming that you have been through Open Signed previously, the steps for Express Signed are as follows.
    • Use SignSIS to sign the SIS file locally, using TrustCenter's Publisher ID private certificate and password instead.
    • Go through a test ?
    • Go to www.SymbianSigned.com, Submissions -> Express Signed. You will upload the SIS and PKG in a zip file. Each submission requires a prepaid Content ID, costing US$20 each. Content IDs can be bought from the portal.
    • Prepare various information - Write a readme.txt that describes how to use the application. List the capabilities used, what they are used for, and the methods.
    • After submission, the application is sent to the CA for signing against the Symbian B root certificate. The signed application will be able to be downloaded from the portal immediately.
    • The application might be selected for audit - testing done by SymbianSigned at no cost to you. But the outcome might affect your future developments. If it fails, your Express Signed option will be disabled. You will then need to be Certified Signed, which requires testing.
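Both the Open Signed flow (signing with the Developer Certificate) and the Express Signed flow (signing locally with the TrustCenter Publisher ID private certificate and password) end with a SignSIS run that only produces a useful package if the certificate and private key actually belong together and the yearly certificate has not lapsed. The script below is an added example written for this post, not a tool from SymbianSigned, TrustCenter or Verisign. It assumes openssl is on the PATH, that the .cer file is PEM or DER, and that the .key file is a PEM RSA key, password-protected or not; the file names publisher.cer and publisher.key are placeholders.

```shell
#!/bin/sh
# Pre-flight check of a Publisher ID certificate and private key before SignSIS is run.
# Added example for this post, not a tool from SymbianSigned, TrustCenter or Verisign.
# Assumes: openssl on PATH; the .cer file is PEM or DER; the .key file is a PEM RSA key,
# encrypted with a password or not. File names are placeholders.
#
# Usage:  check_publisher_id publisher.cer publisher.key [key-password]
# Exit:   0 pair is usable, 1 key does not match cert, 2 cert expired, 3 unreadable file

# Run "openssl x509" on a .cer that may be PEM or DER. The PEM attempt is tried first;
# its stderr is silenced so that a DER file falls through to the second attempt quietly.
x509_info() {
    f=$1; shift
    openssl x509 -in "$f" -noout "$@" 2>/dev/null ||
        openssl x509 -in "$f" -inform DER -noout "$@" 2>/dev/null
}

check_publisher_id() {
    cert=$1; key=$2; pass=${3:-}

    # 1. The certificate must parse. Print subject, issuer and expiry so that a
    #    Verisign/TrustCenter mix-up or a lapsed yearly renewal is visible at a glance.
    x509_info "$cert" -subject -issuer -enddate ||
        { echo "ERROR: cannot read certificate $cert" >&2; return 3; }

    # 2. It must still be valid now: -checkend 0 exits non-zero once the cert has expired.
    x509_info "$cert" -checkend 0 >/dev/null ||
        { echo "ERROR: certificate $cert has expired; renew the Publisher ID" >&2; return 2; }

    # 3. The private key must belong to this certificate. Both commands print the RSA
    #    modulus as "Modulus=<hex>", so the strings are directly comparable. A SIS signed
    #    with the wrong key carries a signature no phone can verify against the cert.
    #    -passin is ignored for an unencrypted key, so it is safe to pass it always.
    cm=$(x509_info "$cert" -modulus) ||
        { echo "ERROR: cannot read modulus from $cert" >&2; return 3; }
    km=$(openssl rsa -in "$key" -noout -modulus -passin "pass:$pass" 2>/dev/null) ||
        { echo "ERROR: cannot read private key $key (wrong password?)" >&2; return 3; }
    if [ "$cm" != "$km" ]; then
        echo "ERROR: $key is not the private key for $cert" >&2
        return 1
    fi

    echo "OK: $cert and $key match and the certificate is current"
    return 0
}
```

Run it as `check_publisher_id publisher.cer publisher.key 'key password'` right before SignSIS; a non-zero exit means the signing step is going to produce a package that either fails verification on the phone or is rejected by the portal, so fix the certificate or key first rather than debugging the installation afterwards.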

Java ME Signing
  • The worst of all platforms when it comes to signing, partly due to the number of vendors and devices it has to support. So much so that developers have to know first which certificates are present on the device. Multiple certificates might be needed to work on all phones.
  • Steps to MIDlet signing - Very comprehensive, including common problems with the signing and the tools