Self-signing a MIDlet for use on ~10 phones without spending money

[MatthiasStevens]

Hello everyone,

I just spend like 4 hours researching how to sign MIDlet and I am totally confused.

Instead of asking for general instructions I am going to explain what I want to do. Hopefully that will enable people to tell me whether or not this is possible and what steps I should take.

What I want to do:

• I have a MIDlet, written for J2ME CLDC 1.1/MIDP 2.0
• This program needs to read and write files, as well as access GPS (using the Location API)
• The end goal is to be able to run this program on a limited number (<=10) of phones with known IMEI numbers. All phones are owned by my organisation and run S60 3rd Ed. FP1/2
• And now for the important thing:the program should not throw runtime warnings when files are accessed or the location API is used
• Because this is an entirely non-commercial thing the whole signing process should not cost me any money

So far I've been testing this application on a single Nokia N95-2 (8GB). Because the MIDlet is unsigned (or at least I believe that is why) if throws lots of warnings (concerning file access and location access). So this is exactly what I need to avoid when deploying this program on the ~10 other phones.

I understand that it is most likely impossible to achieve this with a single "signed" file that can be deployed on all 10 phones. However, supposing there is some free(!) "self-signing" procedure that produces a MIDlet that will work without runtime warnings on a specific phone (identified by IMEI#), I am perfectly willing to go through this procedure for every phone involved.

So is this possible? And if so, what are the steps I should take. Please give me as much info as possible. I've been googling for hours and I ave yet to find a decent explanation for a scenario like this.

Thanks in advance!

[MatthiasStevens]

One scenario I hav researched a bit is the following:
Packaging my MIDlet (which currently is a JAR+JAD pair) in a SIS file and then signing that SIS file for single IMEI#'s using the "Open Signed Online" service at symbansigned.com.
However, I do not know if this would achieve my goal of having the MIDlet running without warnings. In fact I doubt it because I have read somewhere that the singing of SIS files is something entirely different than signing MIDlets. And in any case, I have not been able to try this out because I do not know how to package a MIDlet in a SIS file.

Note: this just one scenario I was thinking about. If there are other ways to achieve what I want to do (see first post) I'd like to hear about those...

[bogdan.galiceanu]

One scenario I hav researched a bit is the following:
Packaging my MIDlet (which currently is a JAR+JAD pair) in a SIS file and then signing that SIS file for single IMEI#'s using the "Open Signed Online" service at symbansigned.com.
However, I do not know if this would achieve my goal of having the MIDlet running without warnings. In fact I doubt it because I have read somewhere that the singing of SIS files is something entirely different than signing MIDlets. And in any case, I have not been able to try this out because I do not know how to package a MIDlet in a SIS file.

Hi,

I'm no expert on this matter but from what I understand after researching the scenario I quoted above, that would be completely useless. This thread, which is yours, explains some things but the fact is that the JAR+JAD are just files packaged in that sis. By signing the sis you don't alter them. So it would have absolutely no effect and the midlet would still ask for permission/show warnings for every event.

Also, I strongly doubt it will be possible to get the midlet signed for free.

[MatthiasStevens]

bogdan.galiceanu: thanks for clearing that up.

Other ideas? Anyone?

[dcrocha]

Hi all,

I can clarify this issue. Bogdan was right in pointing out that signing the .sis file doesn't affect .jad and .jar files at all, since they are not installed by the .sis installer, just copied to some folder.

With that said, for positioning (GPS, Location APIs) it is possible to configure unsigned midlets to ask for permission only once during an application session. For JSR 75 however, only "Ask every time" is available for unsigned midlets.

The only way you can completely get rid of the security prompts is by signing your midlet with a valid certificate. By valid I mean either a Verisign or Thawate code-signing cert or getting it through Java Verified. There is no way of self-signing a midlet for S60 3rd Edition devices like your N95s. This was available on S60 2nd Edition but was actually a bug, not a feature, since it defeats the main purpose of signing an app: identifying the vendor in case of the application is harmful.

Therefore I'm afraid you are out of luck with your project, since the last condition (cost-free) is not reachable.

Daniel