Read-only archive of the All About Symbian forum (2001–2013)

MIDlet Signing

8 replies · 10,540 views · Started 11 September 2004

Hello,
My environment is a Series60 phone (3650 and other Series 60), MIDP1.0.
When customers download the MIDlet they get the following message: "Application XXXXXXXX is untrusted. Continue anyway?" (This doesn't happen for my phone, a 3660, but apparently it must be happening for some Series60 phones when downloading my application.)

I think this is because the MIDlet needs signing. Do Series60 MIDP 1.0 midlets support MIDlet signing? Who supplies the certificates for MIDlets, Verisign?

I talked to Thawte, about midlet code signing and I was told the following, "the only thing to make sure of is that the particular phone or appliance has our root certificate pre-installed..."

Well, is it installed on the Series60 Nokia phone? I need to know which Series60 phones have root certificates pre-installed, and for which ("Verisign or Thawte")?

Please note, this information is crucial for me because I have an application sitting at the client's site that is not running because they want it to be signed.

This application has to be rolled out soon if I'm to get paid, so please help me out!

Also,
1. Can I generate the public/private key CSR on my machine?
2. Can I remotely log in to the client's server, using telnet or some other form of communication software, and generate the CSR and sign the midlet there and have it work?
3. What method do developers use for signing midlets?

Earamsey,

I am also in the process of learning how to digitally sign a MIDlet. Have you solved your problem? If so please let me know what you did and who you used as the CA.

If you are still trying to figure it out, this is what I have learned so far ...

According to the site www.javaverified.com, to get certified as a Trusted 3rd party (the only option available to you unless the application is being developed for a Carrier/Operator or a particular Manufacturer) you must complete a certification and testing process managed by the Java Verified Process group (see the site for details).

What further confuses me is a link on the Verisign site that describes their Code Signing as "Used with the Signing tools part of the Sun Java SDK, this certificate is used for generating digital signatures for Java Archive (JAR) files: Java applets, midlets and other Java applications that may be deployed stand-alone or in the IE or Netscape browsers." -- This would seem to imply to me that it is possible to sign yourself as long as you are registered with a CA like Verisign.

I've also begun the process of talking to another company called Geotrust (www.geotrust.com) who offer a similar service called Smartphone Certification.

Hope this was helpful. Let me know what progress you've made.

Cheers,
Rodney

Hi,
Have you successfully signed the midlet yet? I haven't. I was working with a company at www.thawte.com and it turned out that theirs will not work. How have you solved the problem?

PS: Do all of the Series 60 cellphones require signed midlets? I tested with a 3660 cellphone where the midlet was installed on a server. Then the midlet was downloaded OTA, and I got no such message. So only the latest MIDP 2.0 phones want it to be signed? Or maybe only the latest MIDP 2.0 phones have root certificates installed on them that require an authority signature?

Thanks,
Erica

The Series 60 phones do not (at least not any I've seen and used myself) require signed midlets. Unsigned will work, but give an installation warning.

Signing MIDlet Suites is introduced in MIDP 2.0, so MIDP-1.0-phones should never complain about unsigned MIDlets. When deploying MIDP-1.0-MIDlets in 2.0-capable phones, they are always considered untrusted. So what you probably have to do is to get a certificate (both thawte and VeriSign should work according to the MIDP-Specification if the fitting root-certificates are provided by the mobile) and sign your MIDlet Suite if you want to deploy to MIDP-2.0-phones. But if you only plan to deploy to MIDP-1.0-phones, signing is not an issue with the possible exception of a manufacturer extension supporting signing in MIDP 1.0.

What kind of certificate should I get from Verisign? I called them and they told me that they don't support midlet signing. I talked to Thawte and they told me that their certs have errors in them?

Please help me out!

tnf wrote: Signing MIDlet Suites is introduced in MIDP 2.0, so MIDP-1.0-phones should never complain about unsigned MIDlets. When deploying MIDP-1.0-MIDlets in 2.0-capable phones, they are always considered untrusted. So what you probably have to do is to get a certificate (both thawte and VeriSign should work according to the MIDP-Specification if the fitting root-certificates are provided by the mobile) and sign your MIDlet Suite if you want to deploy to MIDP-2.0-phones. But if you only plan to deploy to MIDP-1.0-phones, signing is not an issue with the possible exception of a manufacturer extension supporting signing in MIDP 1.0.

The following is from the MIDP 2.0 Specification p. 34 (http://jcp.org/aboutJava/communityprocess/final/jsr118/index.html) as an example of how MIDlet signing can be used. There is a lot more documentation in the JSR, but this seems to be the way a developer can sign a MIDlet suite, or at least what the expert group leading the JSR wanted.

Example 1 - Developer Owns Signing Certificate
This encodes the origin of the MIDlet suite into the JAD (via the identity of the signer). If the certificate is revoked, all of the developer's signed MIDlets on every device for every user will have their execution permissions revoked.
1. Developer creates MIDlet network application
2. Developer encodes permissions into JAR manifest and creates final MIDlet JAR
3. Developer generates a private-public key pair with a signing certificate and has the certificate signed by one or more protection domain root certificates
4. The developer's certificate is used to sign the MIDlet JAR and create the associated JAD entries
5. MIDlet JAR can be distributed with a suitably populated JAD and run on a MIDP 2.0 compliant device with the appropriate protection domain root certificate

What VeriSign replied maybe is that they don't do the actual signing. But they should be able to give you a certificate that can be used to sign a MIDlet, as in Sun's reference implementation VeriSign is in the list of root certificates (as well as thawte). As I haven't had the chance to get a certificate yet, I don't have any practical experience though.
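
Steps 3 to 5 of the quoted specification example, worked through with openssl as an added illustration (not part of the original thread and not any toolkit's own signing tool). The JAD attribute names MIDlet-Certificate-1-1 and MIDlet-Jar-RSA-SHA1 come from the MIDP 2.0 specification; the file names, subject name, JAR bytes and the self-signed certificate are assumptions made so the script runs offline.

```shell
#!/bin/sh
# Added example. File names, subject name and JAR bytes are constructed.
set -e

# Step 3: key pair and certificate. Self-signed here (assumption); a phone only
# accepts a chain ending in a root certificate it holds for a protection domain.
make_signer() {                      # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Developer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Step 4: sign the JAR bytes (RSA PKCS#1 v1.5 over SHA-1) and append the
# certificate and signature to the JAD as single-line base64 values.
sign_jad() {                         # $1 = work dir, $2 = JAR, $3 = JAD
    cert=$(openssl x509 -in "$1/cert.pem" -outform DER | openssl base64 -A)
    sig=$(openssl dgst -sha1 -sign "$1/key.pem" "$2" | openssl base64 -A)
    printf 'MIDlet-Certificate-1-1: %s\nMIDlet-Jar-RSA-SHA1: %s\n' \
        "$cert" "$sig" >> "$3"
}

# Step 5, device side: recover the public key from the JAD certificate and
# check the signature against the JAR that was actually downloaded.
verify_jad() {                       # $1 = JAR, $2 = JAD; status 0 = valid
    d=$(mktemp -d)
    sed -n 's/^MIDlet-Certificate-1-1: //p' "$2" | fold -w 64 |
        openssl base64 -d | openssl x509 -inform DER -pubkey -noout > "$d/pub.pem"
    sed -n 's/^MIDlet-Jar-RSA-SHA1: //p' "$2" | fold -w 64 |
        openssl base64 -d > "$d/sig.bin"
    if openssl dgst -sha1 -verify "$d/pub.pem" -signature "$d/sig.bin" "$1" \
        >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

work=$(mktemp -d)
printf 'constructed stand-in for JAR bytes' > "$work/app.jar"
printf 'MIDlet-Name: Demo\nMIDlet-Jar-URL: app.jar\n' > "$work/app.jad"
make_signer "$work"
sign_jad "$work" "$work/app.jar" "$work/app.jad"
verify_jad "$work/app.jar" "$work/app.jad" && echo "JAD signature verifies"
```

verify_jad checks only that the signature matches the JAR; it does not model the device's chain validation against its installed root certificates, which is what decides whether the suite is treated as trusted.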