Read-only archive of the All About Symbian forum (2001–2013)

Open Signed Online going live next week

11 replies · 3,750 views · Started 01 March 2008

Thanks to SWB for reminding us that Symbian's Open Signed Online starts next week, in beta at least and with some throttling limits in place. We haven't been featuring every last 'unsigned' utility that's flooded the blogosphere in the last 3 months because, basically, the self-signing has been too hard for the average user. Will the new system improve matters? Comments welcome.

Read on in the full article.

Personally, I resent not being able to choose what I install on my phone, even if it's only unsubmitted programs. One of Samir's apps got submitted a long time ago and it's still not been released.

Unless they vastly improve the speed and ease with which you sign something, it's going to be a rather laughable effort with many complaints.

bartmanekul, you can already run some unsigned software as long as it doesn't access certain key functions. I think what Symbian is worried about is malware which somehow installs itself without your permission and then spreads to other devices. By locking down key functions for all software, even if malware gets on your phone it can't spread any further.

Having said all that, the system for getting a piece of software signed is ridiculous and I'm as frustrated with it as anyone.

Why does the same author have to get software re-signed every time they release a new version with minor bug fixes? It must make Symbian development feel like trying to run through mud.

Why is the default expiry period for signed software just one year? Does that make any sense to anyone? It's not even that difficult to get round, you just alter the phone's calendar, so why have an expiry period at all? It just creates unnecessary pain for the end user as they have to keep going back and forth adjusting the calendar.

Why can't a trusted company or individual sign their own software? If they wanted to sign malware it would be incredibly easy to trace back to them.

Why are demos being made more difficult to release because of signing? Don't Symbian realise how important demos are to commercial software sales?

It's ludicrous that (for example) most of Babi's S60 3rd Edition themes can't be used without altering the calendar because of the expired certificate problem, and Antony Pranata's Screenshot app STILL hasn't had its latest version signed. It's ridiculous that a copy of K-Rally bought last year now refuses to work and has to be reinstalled.

For Symbian Signed to succeed it has to avoid damaging the quality of Symbian software, but at the moment it's doing a great deal of damage, and I'm sure it's putting people off writing for the OS.

Thanks for adding the source of your post Steve, but I am not Vaibhav. 😉 He is from The Symbian Blog.

Sorry about that - I have updated the news item.

The Symbian Signed stuff is more complicated than people realise. Despite what some people think, Symbian is not being deliberately obtuse. Symbian Signed exists for a good reason. I also think people should appreciate the number of power users / consumers who are impacted by the problem is very small compared to the overall numbers of users.

While I personally think that Symbian should be doing more to help out freeware developers (and to be fair I know they are doing / intend to do so), developers also need to realise that releasing unsigned applications as 'final products' is a bad idea - it is fine for development purposes (i.e. beta testing), but it should not be used for distribution.

I do appreciate opensource and freeware developers have a quandary here in that they don't want to have to pay for Publisher IDs etc. I am much less sympathetic to those who sell applications (Signing should just be seen as a cost of development that you have to recoup - it's tiny next to the man hours of time development takes).

Open Signed should go a long way to helping solve this problem. However I would note that only UIDs from outside the protected range can be signed by anyone. This means for a user to sign an application (as opposed to a developer) the UID must be unprotected. Releasing finished apps in the unprotected range is not a good idea because of the potential for conflicts so I would hope developers would act responsibly and still get things properly signed for mass distribution. Open Signed should be seen as a way of allowing wider beta tests not for allowing distribution of unsigned applications.

For the benefit of people reading this thread I thought I would answer some of krisse's questions. Please note I've attempted to provide the thinking - doesn't mean they are satisfying answers...

Why does the same author have to get software re-signed every time they release a new version with minor bug fixes? It must make Symbian development feel like trying to run through mud.

Because it's actually quite difficult to tell that it's a small update by automated means. There's a balance to be drawn between rapid releases and beta testing. That said this has now been partly addressed in the paid Signing routes.

Why is the default expiry period for signed software just one year? Does that make any sense to anyone? It's not even that difficult to get round, you just alter the phone's calendar, so why have an expiry period at all? It just creates unnecessary pain for the end user as they have to keep going back and forth adjusting the calendar.

Because such signing is intended to be used for beta testing applications not for distribution. It is assumed such testing will be less than a year in length. Again I believe this period is being extended when the Open Signing stuff comes in.

Why can't a trusted company or individual sign their own software? If they wanted to sign malware it would be incredibly easy to trace back to them.

They can, though they have to pay for the privilege. And while yes you could make it easier it would mean malware would get out. The whole point of the system is to stop it happening ever. Plus identity is a tricky issue - that's why there are Publisher IDs. The Express Signed route is now effectively a way of allowing trusted companies to sign the software quickly and at very low cost.

Why are demos being made more difficult to release because of signing? Don't Symbian realise how important demos are to commercial software sales?

This is why developers are encouraged to provide some sort of unlocking mechanism within the app so that demo and full version are the same... Also with a $20 Express signing demos are now more realistic as stand alone propositions.

It's ludicrous that (for example) most of Babi's S60 3rd Edition themes can't be used without altering the calendar because of the expired certificate problem, and Antony Pranata's Screenshot app STILL hasn't had its latest version signed. It's ridiculous that a copy of K-Rally bought last year now refuses to work and has to be reinstalled.

Most of these issues have been fixed by recent changes in Symbian Signed. The expiry issue is unfortunate, but can be rectified by resigning the applications. Developers releasing commercial software really should make updates available. Freeware is one area where there is still a definite issue.

For Symbian Signed to succeed it has to avoid damaging the quality of Symbian software, but at the moment it's doing a great deal of damage, and I'm sure it's putting people off writing for the OS.

I agree to an extent, but to be honest the number of people who are badly affected is relatively small when measured against the entire user base. Most people will end up buying fully signed applications.

Mistakes were made early on (in my opinion) and now these have been mostly corrected, but there's something of a legacy.

I also think it's easy to just blame Symbian. It's worth bearing in mind that the majority of developers understand the system, but unfortunately some choose to do things that go against it (in a sense) - e.g. releasing unsigned applications or fail to take account of it (e.g. expiring certificate issues).

I do realise this is a sensitive area and the above does not reflect my personal viewpoint entirely. I did want to provide some perspective though.

We haven't been featuring every last 'unsigned' utility that's flooded the blogosphere in the last 3 months because, basically, the self-signing has been too hard for the average user.

Note that, IINM, signing applications is a task for developers, not end users, average or otherwise. Having end users sign applications themselves has made life much harder for developers over the last year, due to the problems they've caused for the SymbianSigned web site.

I've noticed a few stories on AAS seem to encourage end users to sign applications - making note of various applications to make it easier/etc/etc.

Rafe's comments are appreciated and seem to correct this stance. IMO, it would be good if it were AAS official policy to not (appear to) encourage it - I'm fairly sure he's noticed the recent discussion on the FNC email list on this topic.

However, I do feel like users should be able to install what they want on their own device, but until symbiansigned come up with an easy way for end users to do that, then I think they shouldn't bother. Complain/etc/etc as much as you like, but some kind of DoS on the SymbianSigned web site doesn't do anyone any good (IMO).

davidmaxwaterma wrote: I've noticed a few stories on AAS seem to encourage end users to sign applications - making note of various applications to make it easier/etc/etc.

Rafe's comments are appreciated and seem to correct this stance. IMO, it would be good if it were AAS official policy to not (appear to) encourage it - I'm fairly sure he's noticed the recent discussion on the FNC email list on this topic.

However, I do feel like users should be able to install what they want on their own device, but until symbiansigned come up with an easy way for end users to do that, then I think they shouldn't bother. Complain/etc/etc as much as you like, but some kind of DoS on the SymbianSigned web site doesn't do anyone any good (IMO).

As Steve mentioned we've deliberately not given much space to unsigned applications (at least partly because we don't want to encourage it) and it's an official policy of sorts - similar to the fact we don't leak stuff about new devices - both could do real harm.

I've had quite a bit of email on this topic (e.g. why don't you feature x,y and z). Some unsigned applications are very popular with edge users and All About Symbian does serve that community (as well as developers, people in the industry, consumers etc. etc.) and so it's not always a simple yes or no thing. And yes I listen to all sources of information on this topic and do keep a close eye on things.

What's actually happening here as a result of the Symbian Signed mess is that there are a handful of developers who sell software (I do stand by the word "handful", even if there may be more), and that's it. Freeware developers are completely left out.
And sorry but blaming developers of freeware, who do it out of nothing but passion, for the issues of signing apps by the end-user is perhaps too much to bear for me.
We do certainly have different backgrounds, but I won't be convinced that the end user would rather like to pay for something instead of getting it for free. I've paid for, say, Handy Taskman, only to later find a freeware program that does everything it does a lot better (JBak Taskman, in case anyone cares). Yes it's unsigned, but what the folk here appear to be saying is "let's disregard such apps completely". Till Symbian Signed gets fixed. Will that really ever happen? I mean the situation has been as it is for a very long time and no, to me at least, they don't seem to care (should the fact that if freeware should be, ehm, free, then no royalties will be paid to them have anything to do with this?).
Don't get me wrong, I'm all for developers making profits, but I'm primarily for choice. My choice, as an end user.
And btw, don't, say, a timer and stopwatch seem to have been left out (incredibly, imho) from S60 so that someone would sell me an app that does that for $10-20? This is not me paying for some developer's innovation (which I have absolutely no problem with), this is me paying for something that even a RAZR has.
So let's not get ahead of ourselves, shall we? People like Samir deserve statues (and to be hired by, say, Nokia), and NOT to be disconsidered in this way.
And not to be misinterpreted, I do really appreciate how secure Symbian is, I do understand that some compromises should be made to achieve such security, but saying that unsigned apps should not be covered at all has nothing to do with security.
Is it hard for the average Joe to 'get' the signing process? Fine. It isn't for me, and for many others who know a few things about Symbian, so why should we not be informed of the great (and some very very innovative) freeware apps out there?

bvlad wrote:
So let's not get ahead of ourselves, shall we? People like Samir deserve statues (and to be hired by, say, Nokia), and NOT to be disconsidered in this way.
And not to be misinterpreted, I do really appreciate how secure Symbian is, I do understand that some compromises should be made to achieve such security, but saying that unsigned apps should not be covered at all has nothing to do with security.
Is it hard for the average Joe to 'get' the signing process? Fine. It isn't for me, and for many others who know a few things about Symbian, so why should we not be informed of the great (and some very very innovative) freeware apps out there?

Some of us regard Samir as far less of a hero than others do. Access to betas via donations is commercial software by other means. Moreover it's effective commercial distribution of unsigned apps. This results in problems for Symbian Signed as hundreds of users try to sign apps causing down time which means no signing for real developers.

If this site started mentioning unsigned stuff left, right and centre it would cause real problems. I assume it has got a big readership beyond the audience who find out about unsigned stuff anyway. So I think they're doing the right thing - presumably at some cost to themselves.

And of course I like freeware as much as the next guy, we all do and as noted above this is a problem area for Symbian signed that needs to be fixed.

I'm stunned about some of the comments on SymbianSigned here.

Basically, SymbianSigned has disrupted the whole developer community. And its design is struggling with real-life problems.

It's kind of funny to blame end-users trying to sign "unsigned" applications - while SymbianSigned.com is simply inviting them to do so.

The only reason for "developers" to offer "unsigned" applications is, that they cannot afford to go the "Certified Signed" route - costing at minimum US$380, but effectively A LOT more. PLUS the cost for preparing for Certified Signed, PLUS the cost for preparing for a Publisher ID, PLUS the cost for failing the tests ...

Unfortunately, the market for third party apps isn't paying off well, so there's really no point in saying you should try to recoup those costs - ESPECIALLY if those costs are of no equivalent value to the developer. Those are market entry costs (or should I say penalties) and nothing more.

For a number of developers, the preconditions for obtaining a Publisher ID could be the main obstacle (running a registered company, for example.)

SymbianSigned addressed this crucial issue early with talking of publishers signing for developers: for example, Handango could sign your application in addition to distributing it. However, as far as I know, this sort of solution is still unavailable or in its early stage.

Talking of freeware, I have a mixed feeling (being a commercial developer myself.) A freeware developer might release a competing free product and even gets the signing for free!?

There's an inherent conflict here - and this might explain why freeware developers have had bad experiences with SymbianSigned so far.

Another obvious dilemma is the testing process: the test-house will be paid per testing round! If an application fails some tests, it needs to get re-tested. In other words, the more fails the more money. This is apparently a wrong incentive, but it's of course difficult to find an alternative.

I think there has been plenty of time to fix the problems with end-users signing "unsigned" applications a.k.a. SymbianSigned.com repeated downtimes:

1.) replace the IBM XT powering the PKI with some proper hardware (okay, okay, that's a bit unfair and I admit I'm not exactly sure why SymbianSigned.com is down every now and then)
2.) try to tell between developers and end-users (that's what they will do with the new Open Signed next week where you can only sign your own, self-developed applications.)

Also, Symbian Signed isn't a proper quality assurance regime or even a protection against malware! That's simply not true. Being able to self-sign applications openly contradicts the assumption, SymbianSigned is there to save your phone from malware.

I think, the developers have to live with Symbian Signed because it won't vanish soon. I'm not strictly against it even - I'd just like to have some things fixed and some things clarified.

For example, ExpressSigned is a great new offer from Symbian (US$ 20 per signed application, Publisher ID required.)

I'm deeply grateful that Symbian has introduced this new and uncomplicated way of signing your applications. Maybe it's an indication that Symbian is indeed looking at the developer community and trying to improve things for (smaller) developer/companies.

PIPS from Symbian and Open C from Nokia (for easier porting of Unix/Posix applications to Symbian) could be another evidence that this platform is meant to be open for developers after all.

However, what's also true is that Symbian has evolved from a niche manufacturer of handhelds to a niche provider of a smartphone OS to the major provider of the most popular smartphone OS to a provider of an OS for mass market phones.

It's obvious that you'd need to manage the stability and security issue of your mass market OS at a higher priority than the openness and "hackability" for third party developers. The restrictions imposed by SymbianSigned might be a pre-condition for becoming a mass market OS.

A word on the details of signing:

A developer (or any user) can simply self-sign an application given it's using only user-grantable capabilities. The application UID has to be from the unprotected range. This doesn't involve any costs and the application can be installed on almost any Symbian phone. Many, many applications can be and will be distributed this way.

It's perfectly fine and okay, in my opinion, if a commercial developer decides to distribute its commercial grade software via the self-signing route.

Otherwise, we'd probably see only a TINY FRACTION of applications available to Symbian OS 9 based phones and even more importantly, there would be an even TINIER FRACTION of bug-fixed and improved releases of applications.

[Think of it: for each and every bug fix (a tiny typo) and for each new feature implemented upon user request, you would actually need to pay at least US$180 again and again ... ]

Just my 2 cents ...

Unregistered wrote: This results in problems for Symbian Signed as hundreds of users try to sign apps causing down time which means no signing for real developers.

There must be something similar to Stockholm Syndrome going on here.

Why blame freeware / open source / semi-hobbyist software developers for the failings of Symbian Signed? Those are exactly the kind of people that a platform owner like Symbian should help and be delighted to have instead of hinder.

A healthy hobbyist developer community is important for many reasons. To mention a few: it provides a talent pool for commercial software houses from which they can hire skilled developers, they push the cool new ideas (most recent example, all the nifty accelerometer hacks) that eventually find their way into mainstream software, they "fill the gaps" by providing small apps that are too simple to really build a business around but that S60/UIQ for some reason lacks (notepad, clocks, screenshot, themes,..).

Add self-signing to the PC Suite Application Installer or something..