Self-Sign jar to make it trusted 3rd party app

[dabrainstabber]

I'm currently developing a J2ME software for my Nokia N80. ONLY I will be using it ONLY ON MY PHONE. My main problem is the continuous asking of read/write to filesystem. I realize that I need to sign to get rid of this.

I'm currently following this to do so. But I can't seem to install the crt certificate onto my N80 (I get file corrupted error). And installing using the jad still doesn't really install it signed.

Here's the commands I've run:

Code:

"C:\Program Files\Java\jdk1.7.0_10\bin\jarsigner" -keystore keystore.ks -signedjar signedServer.jar server.jar mobser
"C:\Program Files\Java\jdk1.7.0_10\bin\keytool" -exportcert -keystore keystore.ks -storepass keystore -alias mobser -file mobsern.crt -rfc
"C:\Program Files\NetBeans 7.2.1\mobility\Java_ME_platform_SDK_3.2\bin\jadtool" -addcert -alias mobser -keystore keystore.ks -inputjad Server.jad -outputjad signedServer.jad
"C:\Program Files\NetBeans 7.2.1\mobility\Java_ME_platform_SDK_3.2\bin\jadtool" -addjarsig -alias mobser -keystore keystore.ks -keypass keystore -jarfile Server.jar -inputjad Server.jad -outputjad signedServer.jad

I also manually changed the JAD to reflect the signed jar's size etc. Please tell me what I'm doing wrong or missing. Surely since it's an open system there MUST be a way to give full trust to my app without paying a company for it, especially since only I'm using it!

Thanks.

[symbianyucca]

Symbian has very nice security system, and you can not really work-around of it, thus if you need more capabities (such as read/write to general areas of file system), then I would suggest you would use Symbian C++ for the application development for this particular device you have selected to be your target device.

[wizard_hu_]

In the case you are a different person from Revolter, you may find his recent thread useful, or revealing at least: http://www.developer.nokia.com/Commu...al-application
"Self-sign" and "trusted" are just living in two different universes.

[dabrainstabber]

Hi, thanks for the responses.

So after reading I presume it IS NOT possible to self-sign and get this working, and the only option is to pay? I have a Nokia Developer account I paid for but I don't want to PUBLISH it, mainly because it isn't going to be useful to anyone else but me. I'll also have to pass their code quality rules etc.

This is too much hassle for someone that develops for himself. You can say Symbian has a very nice security system, but if the user has no right to decide if he wants to trust an app or not, I don't think that's very good.

Do let me know if there are ways to self-sign or even obtain a free certificate that works... I have a feeling this exists but haven't found a way to successfully do so. Perhaps the below 2 certificate makers:
http://www.shoujizu.net/en
https://www.symbiansigned.com

I tried them but it didn't help since it's for sisx and I don't know how to sign a jar using that.

[grahamhughes]

You might find this article in the wiki interesting, if only to confirm what has been said previously.

Much easier is to change the application settings in the app manager so that file access is set to "ask first time" instead "ask always". You will still see one prompt each time you run the app, but only one. Getting rid of that last one will probably cost you more in money or time than it's worth...

[dabrainstabber]

You might find this article in the wiki interesting, if only to confirm what has been said previously.

Much easier is to change the application settings in the app manager so that file access is set to "ask first time" instead "ask always". You will still see one prompt each time you run the app, but only one. Getting rid of that last one will probably cost you more in money or time than it's worth...

Hi Graham, you see actually that was what I originally intended on doing. I'm not too fussed about signing. BUT, as you can see here my Nokia N80 does NOT have a first time option, it's either ask every time or not allowed. Since my application is a server, REQUIRING user intervention to keep on allowing read/write access everytime its needed makes my application redundant. I wanted to sign so I could make it ask first time only. Perhaps another way to do so? As long as I only have to allow ONCE everytime I start the app, that would solve my problem.

[traud]

I can't seem to install the crt certificate onto my N80 (I get file corrupted error).

Then you do something wrong. Make sure you do not use a certificate request, but a certificate authority. Furthermore, make sure to use DER encoding not PEM. However, this is waste of time because:

I'm currently developing a J2ME software for my Nokia N80.

Your mentioned trick does not work since Symbian/S60 3rd Edition anymore, why ever. You have to hack your phone to get full permissions. Unfortunately, here, we are not allowed to link to such tutorials directly. That is the only option, I am aware of.

[dabrainstabber]

Then you do something wrong. Make sure you do not use a certificate request, but a certificate authority. Furthermore, make sure to use DER encoding not PEM. However, this is waste of time because:Your mentioned trick does not work since Symbian/S60 3rd Edition anymore, why ever. You have to hack your phone to get full permissions. Unfortunately, here, we are not allowed to link to such tutorials directly. That is the only option, I am aware of.

Hi Traud,

Just to re-confirm, the trick mentioned here will not work for me for getting trusted (identified) 3rd party status for my jar app on JUST MY phone?

[wizard_hu_]

That particular description mentions S60 2nd edition devices only. You can try following it with your N80, but one of the steps will probably fail, my guess is "Installing the Certificate on the phone".

[traud]

One of the steps will probably fail, my guess is "Installing the Certificate on the phone".

Installation of the certificate works perfectly (as TLS, EAP, OCSP, … certificate), however, that certificate cannot be used for code-signing.

The trick mentioned here will not work for me for getting trusted (identified) 3rd party status for my jar app on JUST MY phone?

Exactly, because the trick was for S60 2nd Edition. You are using S60 3rd Edition.

Which permission do you need? Which user confirmation blocks your idea?

[wizard_hu_]

Installation of the certificate works perfectly (as TLS, EAP, OCSP, … certificate), however, that certificate cannot be used for code-signing.

If you check the article, it has a 2-substep description under the title "Installing the Certificate on the phone". Guess if the 2nd one says: Once the certificate is installed it needs to be authorised for "Application Installation"

[guy7545]

hello, I am in the same case of dabrainstabber.
I am not a devellopper but a user of this apllication: http://code.google.com/p/gadjet/
This is the first application I found to synchronise your google calendar with your phones. The probleme is that the application ask for rights each time it want to add a meeting in your calendar.
I read that to avoid this you have to sign your application and I need help for this.
Thanks

[traud]

guy7545, GCalSync is dead since 2007. I would use its successor, PrimoSync, which is signed. More details …

[guy7545]

thanks you a lot.
It works perfectly. I search for 3hours about a application like that but i can't find one.
thanks again
have a nice evening
guy7545

[dabrainstabber]

Installation of the certificate works perfectly (as TLS, EAP, OCSP, … certificate), however, that certificate cannot be used for code-signing.Exactly, because the trick was for S60 2nd Edition. You are using S60 3rd Edition.

Which permission do you need? Which user confirmation blocks your idea?

Hey, I basically need read/write access to the filesystem without popups coming up everytime. I don't mind if it just came once at the beginning.