Tech Note 11: Signing your Application

February 01, 2009

© NSB Corporation. All rights reserved.



Introduction

Before an app can be run on most devices, it needs to be signed. Signing defines what Capabilities an app is allowed and provides a secure way to identify the originator of an app.

Signing is one of the most complex aspects of creating apps for Symbian OS. It was created to protect users and carriers from unwanted or dangerous software. We have done our best to make it easy to do signing with NS Basic/Symbian OS, especially during development.

Symbian has a special website dedicated to signing: http://www.symbiansigned.com. There is a lot of additional information there, including The Complete Guide To Symbian Signed, which may need to be read several times to make sense.

1. Self Signed

An application is regarded as Untrusted if signed with the Self Signed Certificate. Self Signed apps are recommended for freeware applications using unrestricted capabilities.

The advantage of self-signing is that it's fast, since it's done locally on the developer's machine, and that a self-signed installable package can be installed on more than one device, i.e. no restriction applies (based on IMEI number, for example).

The drawback of a self-signed certificate is that the user is shown a warning dialog during installation. It says that the application is not trusted and that the user should decide whether or not to continue the installation. The warning dialog does not appear when the application is signed via higher levels of Symbian Signed.

NS Basic/Symbian OS automatically creates Self Signed applications. No other steps are needed. For S60 devices, the file extension will be .sisx; for UIQ, it will be .sis.

2. Open Signed Online (beta)

The Open Signed Online server is here: https://www.symbiansigned.com/app/page/public/openSignedOnline.do

You will need to enter your IMEI number and your email address, upload your .sis file (not the sisx), select all capabilities and complete the form.

A confirmation email will be sent to you which contains a web link. You need to open the web link to complete the confirmation. Following this confirmation your file will be processed and a download link will be sent in an email to the address you provided, usually within a minute or two.

Download this file: it will have the same name as the .sis file you uploaded. You can then install it to the specified device.

3. Open Signed OffLine

4. Express Signed

5. Certified Signed

UID3 Ranges

A UID3 is a unique number that each application has, assigned by Symbian. This number is entered into Project Properties.

UID3 values < 0x80000000 are called "Protected" and are used for commercial applications that have passed all of the Symbian Signed testing. If you intend to use this option you need to read the Symbian website.

UID3 values >= 0x80000000 are called "Unprotected" and are used for Self Signed apps designed to be distributed (0xAxxxxxxx) and for development and internal testing apps (0xExxxxxxx). By default, NS Basic/Symbian OS gives each new product a UID3 value (unique to the user) in the 0xExxxxxxx range for development purposes. If you wish to produce an application for distribution, you will need to get a Symbian Signed account and have Symbian allocate you a unique block of UID3s in the 0xAxxxxxxx range. This is easy to do and cost free.

The Protected range is < 0x80000000.

0xAxxxxxxx range is for applications that are self signed. The UID is requested and associated with a Symbian Signed account. This prevents different applications using the same UID and assists traceability when redistributed. Specifically, it is for applications requiring only user grantable capabilities. From FP2 this includes Location. By default the certificate has a life of a year. There is a patch to extend it.

0x2xxxxxxx range is for applications that must be Symbian Signed by the licensed owner because they are using Extended Set capabilities. The UID is associated with a Symbian Signed account. This prevents different applications using the same UID. Specifically, it is intended that ALL applications in this range will be Symbian Signed BEFORE being redistributed publicly.

0xExxxxxxx range is for internal testing applications, prototypes and proofs of concept. These UIDs are for internal test applications requiring enhanced set capabilities. These UIDs are NOT associated with an email account and they are intended just for the developer's personal machine, as UID clashes can and will occur. Specifically, these applications should not be redistributed at all. If you are not using any extended set capabilities, use a self signed certificate. There is an update here to allow self signed sis files to have their certificate life extended from the default.
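The range rules above can be checked before a build is released. The following is an added example, not part of NS Basic/Symbian OS or any Symbian tool; the function names and the `self_signed` and `distribute` flags are assumptions made for illustration, and the sample UID3s are constructed.

```python
# Added example: classify a UID3 and flag mismatches with the ranges above.
PROTECTED_LIMIT = 0x80000000  # UID3 values below this are "Protected"

# Leading hex digit -> intended use, taken from the range descriptions in this note.
RANGE_USE = {
    0x2: "Symbian Signed before any redistribution",
    0xA: "self-signed, distributable, allocated to a Symbian Signed account",
    0xE: "development and internal testing only",
}

def parse_uid3(text):
    """Parse a hex UID3 such as '0xE0001234' and check that it fits in 32 bits."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"UID3 {text!r} is not a 32-bit value")
    return value

def check_uid3(text, self_signed, distribute):
    """Return (range_name, intended_use, findings) for a planned release.

    self_signed and distribute are hypothetical flags describing the build:
    whether it carries the Self Signed certificate and whether it will be
    handed to other users.
    """
    uid = parse_uid3(text)
    lead = uid >> 28  # top hex digit selects the 0x2 / 0xA / 0xE range
    range_name = "Protected" if uid < PROTECTED_LIMIT else "Unprotected"
    use = RANGE_USE.get(lead, "not described in this note")
    findings = []
    if range_name == "Protected" and self_signed:
        findings.append("Protected UID3 on a Self Signed build; use an Unprotected UID3")
    if lead == 0xE and distribute:
        findings.append("0xE UID3s are not tied to an account and can clash; get a 0xA UID3")
    if lead not in RANGE_USE:
        findings.append("leading digit is not one of the 0x2, 0xA or 0xE ranges")
    return range_name, use, findings

if __name__ == "__main__":
    # Constructed sample UID3s, not real allocations.
    for sample in ("0xE0001234", "0xA0001234", "0x20001234"):
        print(sample, check_uid3(sample, self_signed=True, distribute=True))
```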

Common Installer Errors: http://wiki.forum.nokia.com/index.php/S60_SW_installer_troubleshooting

Glossary

Term: Definition

Capabilities: The Symbian OS protects certain API functions. Apps must have permission to use them. The Symbian Signed certificates provide the permission. Here are the minimum capabilities required by an NS Basic/Symbian OS app:
  1. Access to remote services
  2. Access to send or receive information locally
  3. Access to read personal data
  4. Access to create/change personal data

IMEI: International Mobile Equipment Identity. A unique number that each phone has. You can usually get this from your device by dialing *#06#.

Protected Range: UID3 values < 0x80000000. These numbers are assigned by Symbian.

Publisher ID: An ID, unique to the developer, issued by TC Trust Center, at http://www.trustcenter.de/order/publisherid/dev

Trusted App: An app which is Symbian Signed.

Unprotected Range: UID3 values >= 0x80000000. For Self Signed and internal testing apps.

UID3: A unique number assigned to each application. They can come from the Protected Range or the Unprotected Range. By default, NS Basic/Symbian OS gives each new product a UID3 value (unique to the user) in the Unprotected Range.