Signing Java ME Applications
Not surprisingly, signing a Java ME application is similar to signing an Android application, because both platforms are Java-based. You begin with a key pair created by keytool, perhaps countersigned by a certificate authority (follow the steps outlined by VeriSign, Thawte, or GeoTrust). Once you receive the digital id (your countersigned key) from the certificate authority, follow these steps:
- Create a release build of your application (creating the JAD and JAR files).
- Import the digital id into your keystore using keytool (here, I'm importing a digital id certfromca.cer into my keystore named "keystore"):
keytool -import -trustcacerts -keystore keystore -alias Yoyodyne -file certfromca.cer
- Sign the resulting JAR file using JadTool:
java -jar JadTool.jar -addjarsig -keystore keystore -alias Yoyodyne -jarfile truncheon.jar -inputjad truncheon.jad -outputjad truncheon.jad
You can actually sign a Java ME application using more than one digital ID; this is important if you're delivering your application on many different devices and networks, because different devices and networks may use different certificate authorities. Simply repeat these three steps for each digital id you want to use in the signing process.
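As an added example (not from the article or from the JadTool distribution), here is a Python pre-release check of the JAD that the signing step writes. It assumes the MIDP 2.0 descriptor attribute names MIDlet-Jar-RSA-SHA1, MIDlet-Certificate-<n>-<m> and MIDlet-Jar-Size, which the article does not list; the sample descriptor and its certificate and signature values are constructed, and the check is structural only, not a cryptographic verification.

```python
import base64
import re

CERT_RE = re.compile(r"^MIDlet-Certificate-(\d+)-(\d+)$")
# Constructed sample values: not a real certificate or signature.
FAKE_CERT = base64.b64encode(b"\x30\x82\x00\x04demo").decode()
FAKE_SIG = base64.b64encode(b"\x01" * 128).decode()
SAMPLE_JAD = "\n".join([
    "MIDlet-Name: Truncheon",
    "MIDlet-Jar-URL: http://example.invalid/truncheon.jar",
    "MIDlet-Jar-Size: 2048",
    f"MIDlet-Certificate-1-1: {FAKE_CERT}",
    f"MIDlet-Certificate-1-2: {FAKE_CERT}",
    f"MIDlet-Certificate-2-1: {FAKE_CERT}",
    f"MIDlet-Jar-RSA-SHA1: {FAKE_SIG}",
])

def parse_jad(text):
    """Parse 'Name: value' descriptor lines into a dict."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {n.strip(): v.strip() for n, sep, v in pairs if sep and n.strip()}

def _decode(value):
    """Strict base64 decode; returns b'' for malformed input."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return b""

def audit_jad(attrs, jar_size):
    """List structural problems in a signed descriptor (no crypto check)."""
    problems = []
    if not _decode(attrs.get("MIDlet-Jar-RSA-SHA1", "")):
        problems.append("missing or malformed MIDlet-Jar-RSA-SHA1")
    if attrs.get("MIDlet-Jar-Size") != str(jar_size):
        problems.append("MIDlet-Jar-Size does not match the JAR")
    chains = {}
    for name, value in attrs.items():
        m = CERT_RE.match(name)
        if m:
            chains.setdefault(int(m.group(1)), {})[int(m.group(2))] = value
    if not chains or sorted(chains) != list(range(1, len(chains) + 1)):
        problems.append("certificate chains must be numbered 1..n")
    for n, certs in sorted(chains.items()):
        if sorted(certs) != list(range(1, len(certs) + 1)):
            problems.append(f"chain {n}: gap in certificate numbering")
        for pos, value in sorted(certs.items()):
            if _decode(value)[:1] != b"\x30":  # DER certificates start with SEQUENCE
                problems.append(f"chain {n} cert {pos}: not base64-encoded DER")
    return problems
```

Pass the byte length of the release JAR as jar_size; a JAR rebuilt after signing usually shows up first as a size mismatch.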
Because Java ME applications can be distributed a number of ways (direct download, cable loading, operator stores, and so on), certification requirements vary (although any certification process will require you to sign your application). For details, consult the developer web sites for the carrier networks over which you want to distribute your application, as well as the Java Verified program's web site, which provides an umbrella of authorized testing centers for Java ME application certification.
Signing Symbian (S60 and UIQ) Applications
Today's Symbian-powered devices (including S60 and UIQ) require signed applications as well, although, as with Android and Java ME, applications can be self-signed. For commercial distribution, if you need a trusted signature, you must obtain a digital id from VeriSign. To sign a Symbian application, follow these steps:
- Download and save the VeriSign digital id file.
- Use the Symbian SDK's vs_pkcs utility to obtain your private key and certificate:
vs_pkcs -p12 certfromca.pfx -passwd secret -key key.key -cer cert.cer
- Build your application in release configuration and create the SIS file using MakeSIS.
- Run signsis.exe to sign the resulting SIS file:
signsis -o -s -v truncheon.sis truncheon-signed.sis cert.cer key.key password
You don't need to certify your Symbian application prior to distribution in most cases, although access to some APIs may be restricted on some platforms if you don't obtain certification. To certify your application, go to the Symbian Signed web site and follow the instructions there. You'll need to provide a properly signed application package, an indication of which company the Symbian Signed program should engage for the application certification, and documentation for your application.
Ensuring Integrity and Security
Application signing is more than an annoyance levied by platform vendors and network operators: it's a crucial part of ensuring the identity of the individual or organization providing an application. By signing your application with the help of a trusted certificate authority, you stand behind your application, adding security for your users and ensuring your share of the value proposition in today's mobile marketplace.