How to improve freeware/opensource signing?

[mitts]

Do we have anybody out there actively involved with freeware and/or open source, either as "producer" or "consumer" that would like to share some views on how to improve the signing situation for S60 3.0 and later for freeware/open source?

Currently, if you are a private person or web-based open source community without access to VeriSign identification, you cannot get independent access to Symbian Signed - even if you were prepared to pay. Also some posters have commented that the delays in the current Symbian Freeware program are very long and thus not very attractive. Any input on what would constitue a good solution for these developers, assuming that we still want to operate within some reasonable confines of the current platforms security model?

For existing open source projects, seems that these distribute their apps unsigned and then users are expected to sign with their own developer certificate before installing on their device. I would suspect that this would somewhat limit the exposure that the applications get and certainly not work too well for final distribution. Once done with a release, what would be a good way to then distribute more widely?

If you put yourself into the role of a consumer of freeware/open source applications, what would you like to see in terms of access to and security levels of the applications you would like to install on your device?

Any comments appreciated.

[kkrish]

Hi Mitts,

i am glad to see this kind of stuff. from 3rd sdk onward there is lots of limitation to the developer spread there application as a whole, for free ware application nobody would like to pay the certificate cost also. in all the case either consumer has to pay amount or the developer. i think that is not fine for the open source community.

i would like to request to Symbian the open source application must be freely signed.

[symbianyucca]

One good thing would be to have oportunity to sign with Verisign ID belongging to the testing house, and pay normal fees othervise, would give opertunity to sing application that might not actually fell into the freeware category.

yucca

[mitts]

When talking to pro developers, they at least claim that the security of Symbian SIgned is largely due to the fact that the company gets identified by the VeriSIgn and you don't want to ruin the name of your company by putting out bad apps.

If anyone of you is doing freeware development, do you have some form of "electronic" credential that could be used instead of VeriSign? We do know about credit cards, but the ease of credit card fraud does not make that a very attractive choice.

Or for open source communities, any ideas on how to be able to ensure that open source communities publish apps "in their own name"?

[Paul.Todd]

What I am actually looking for is how Nokia/Symbian/SE intend to improve the beta process which is sort of aligned with the signing requirements.

Many projects need to have a wide beta and this is very poorly handled in Symbian Signed.

[mike_brock]

The ACS publisher certificate seems very expensive for what is involved in issuing it. Verisign say they first check the company exists (which is free to do in the UK using the Companies House web site). They then look up the phone number of the company using a public directory service (again free or a very small charge) and phone it to ensure they can reach the contact. (If they can't find a number then they need a copy of a phone bill or a notarised letter.) The cost of this is a few minutes and a phone call. They also have to provide a facility to revoke certificates.

I think there should be more than one source of certificates then the prices would fall as they have for Symbian Signed testing.

Also provide a way for non-limited companies to get a certificates. This doesn't just affect freeware developers, it affects people who are sole traders or partnerships.

[feenix]

would fall as they have for Symbian Signed testing.

Also provide a way for non-limited companies to get a certificates. This doesn't just affect freeware developers, it affects people who are sole traders or partnerships.

I agree. Verisign acquired Thawte, which is still supplying SSL/code signing certificates that are a lot cheaper and a lot easier to get (I mean, the process is easier, it's as secure as Verisign's since they do all the same checks) than those of Verisign. I don't know why they have two sections in one company doing this with different prices, but I'm glad they do. I don't have to do any business with their main branch.

I would really like to see a major cut in prices and no additional one-time signing purchases. There should be a way for anyone to get a code signing certificate and sign with it themselves. This would allow anyone to distribute software while still containing the information about the company signing the app. The only thing that is left out is the testing, which cannot rule out any malicious software anyway.

The operators could still only allow tested apps to be distributed to their devices etc, so this would not change that. And the devices could inform the user that this is a non-tested app if the manufacturer so chose. But at least we (small businesses especially) would be able to release new software and especially new versions of software without thinking about the costs. At the moment the cost of a simple bug fix is easily $300-400. Ridiculous.

[mike_brock]

Since I made my post about the certificate price I've learnt that it has been announced that ACS publisher certificates will soon be available from Trustcenter for $200. It is reported in this article:
http://www.allaboutsymbian.com/featu...-The_Demos.php

[feenix]

Since I made my post about the certificate price I've learnt that it has been announced that ACS publisher certificates will soon be available from Trustcenter for $200. It is reported in this article:
http://www.allaboutsymbian.com/featu...-The_Demos.php

Great start, now we only need to eliminate the whole testing process and signing fees :P

[antonypr]

Thanks to mitts for initiating this discussion. I have written an open letter to Symbian Signed authority to improve the process for freeware/open source. You can check it at http://mobile.antonypranata.com/2007...ned-authority/.
This was written based on my experience using "Symbian Signed for Freeware" for about 1 year or so.

Actually the initiative of "Symbian Signed for Freeware" is good. We appreciate that because we don't need to subscribe an "expensive" ACS Publisher ID and pay "even more expensive" testing fee.

The current problem is mainly the signing process. It takes normally more than 1 month to sign an application. Is there a way to improve this? If we can cut down the process to less than a week, that would be very great.

About your question to ACS Publisher ID. There should be many ways, either "electronically" or "non-electronically", to verify that someone is really the one he claims. Most of financial institutions (at least in North America) have several way to verify someone. mike_brock has mentioned some of them, e.g. phone number lookup, certified copy of ID, phone bills, etc.

In my opinion, open source/freeware developers are not going to publish "nasty" applications after their ID has been verified. We don't want to ruin our names in the open source communities, the same as commercial developers.


As summary, if we cannot improve "Symbian Signed For Freeware" process, I have to agree with feenix. Cut the price down to reasonable level for freeware/open source communities (may be subsidized by Symbian or Nokia???).

[Paul.Todd]

You might also like to follow my thread over at Symbian on Beta programs

http://developer.symbian.com/forum/t...tstart=0#58458

[davidmaxwaterman]

The current problem is mainly the signing process. It takes normally more than 1 month to sign an application. Is there a way to improve this? If we can cut down the process to less than a week, that would be very great.

That's not the worst part, IMO.

I submitted my application for freeware testing, but it was during the whole SymbianSigned web site problem time, and I'm not 100% sure it uploaded properly. I didn't see my application listed on my 'Applications' web page on the SymbianSigned web site, so I emailed them. I got this response :

"Currently, In freeware submissions, the submitted applications will appear on the list only after they were approved and signed. Also, no confirmation email is sent to acknowledge the submission.
You will see your application after it has finished the process. "

Clearly, this is completely brain-dead. There's no way to know if your application has even been successfully submitted. The only way to know is to wait until you don't get it back signed, and that can take a month. Imagine if the upload had failed for some reason, but you didn't know...you wait for a month only to find out it hadn't been submitted in the first place - although, how you can find that out even is beyond me.

They said I could contact mobile@staff.cellmania.com to find out about my application, but I get no response from that email address at all.

Stupid, stupid, stupid.

[antonypr]

Don't expect too much from Symbian Signed right now. I don't think it is still alive. I have submitted my application 4 months ago without result. I resubmitted it again 1 month ago and still no result. Fortunately, there was an angel who helped me. They sponsor my application to go through commercial Symbian Signed. This might be the way to go for you. Try to find a big company who want to sponsor your application for signing.

Antony

[davidmaxwaterman]

Don't expect too much from Symbian Signed right now. I don't think it is still alive. I have submitted my application 4 months ago without result. I resubmitted it again 1 month ago and still no result. Fortunately, there was an angel who helped me. They sponsor my application to go through commercial Symbian Signed. This might be the way to go for you. Try to find a big company who want to sponsor your application for signing.

Antony

I'm not complaining about the time it takes - though that's something to complain about for sure. I'm complaining that there's no way to know if an application has even been submitted. I could be waiting all this time for no reason and I have no way of knowing.

Of course, if I knew it would only take a week to sign, then not so much time would be wasted due to a failed submittion, but still...

[antonypr]

Unfortunately there is no way of knowing whether they have accepted your application or not. The only way is, of course, via commercial signing. I don't think sending email them asking the status will not help. I had the same problem too; got no reply at all.

Antony