Qt & Application Signing
Qt applications on the Symbian platform are deployed in digitally signed installation packages called SIS files. This article helps you select the appropriate option for digitally signing your Qt application during development and for distribution. It then shows how to sign your application using Qt Creator or qmake.
Note that the article Deploying a Qt Application on Symbian explains how to configure your installation package, prior to signing.
What are the signing options?
The signing options are Symbian Signed (Express Signed and Certified Signed), Developer Certificate Signed, and Self-Signing. Each of the options gives different warnings to the user on installation and provides access to different capabilities - for more information on the capability to signing option mapping see: Capabilities (Symbian Signed).
The options are discussed in the following sections.
Symbian Signed is an application testing and signing program. Symbian Signed applications are encoded with a tamper-proof digital certificate that identifies the vendor, grants all the capabilities of the contained binaries, and allows the application to install on Symbian devices without warnings. Many distribution channels, including Handango and Nokia Store, require that applications be Symbian Signed.
Applications may be Symbian Signed using either Express Signed or Certified Signed routes. Most Qt applications can be Express Signed; some applications will require the restricted or device manufacturer capabilities granted through Certified Signed.
In either route, the application is expected to comply with the Symbian Signed Test Criteria. The difference is that every Certified Signed application is tested by a test house, while Express Signed applications are only occasionally audited (if they fail, the developer will subsequently need to use Certified Signed for several signing runs). Express Signing is consequently much cheaper, but as it conveys less trust, it can only grant user and system capabilities. Certified Signed applications may additionally have restricted capabilities if these are needed.
Qt applications that only use the user capabilities can be self-signed during development, and will not require a developer certificate.
Developer certificates (DevCerts) are limited certificates that are issued by Symbian Signed in order to give access to more advanced capabilities during development. Applications signed with a DevCert are locked to a particular mobile device (or set of devices) and always display a warning that the application is untrusted on installation.
Symbian Signed makes developer certificates available to registered members (see User Guide for the request process). The certificate returned to you is locked to the IMEIs that you specify when you request the certificate (up to 10 devices for individuals and up to 1000 devices for verified accounts).
Self-signing is where an application is signed with a certificate created by the developer.
As the platform has no basis for trusting the application:
- Self-signed applications that use more than the "user capabilities" (capabilities where the the user can make an informed decision about the risk of installing the application - NetworkServices, LocalServices, Location, ReadUserData, WriteUserData, and UserEnvironment) cannot be installed.
- Note that on early S60 3rd edition phones (pre-FP2), applications that use Location cannot be self-signed.
- On installation, the device user is informed that the application is untrusted. They are then told which user capabilities it requests and asked if they wish to continue the installation.
- Many distribution channels will not accept self-signed applications. For example, Nokia Store requires that your application is Symbian Signed.
The Qt Creator IDE and qmake self-sign applications by default. Provided you don't want to distribute applications through application stores that will not accept self-signed applications, and the warnings do not concern you, this may be an acceptable signing approach.
Selecting the right signing option
Which option should I use for testing/development?
Most Qt applications only require the "user capabilities", and can therefore be self-signed during development (a self-signed certificate is used by Qt Creator by default, so you don't need to do anything).
Applications that need more capabilities can use a Developer Certificate.
Which option should I use for distribution?
Qt applications that are to be distributed through application stores or that cannot have "trust warnings" must be Symbian Signed. Most Qt applications will be able to use the Express Signed route (Certified Signed is used if restricted capabilities are required, or if the application cannot comply with the test criteria and requires a waiver).
If installation warnings are not important, and the application only needs user capabilities, it can be self-signed.
Which option should I use for freeware signing?
Self-signing can be used for applications that only need the user capabilities.
Developer certificates can be used to sign freeware applications that require system capabilities, provided that they do not use the smart installer. These applications must therefore either embed the Qt binaries or deliver them separately.
At the time of writing, there is no mechanism for Symbian Signing freeware; note however that application stores will sometimes sponsor applications for signing.
Which option should I use for distributing through application stores?
Most application stores require that applications are Symbian Signed. Note that Nokia Store also requires that you embed the Smart Installer.
How to sign your application
This section explains how to sign your application with either Qt Creator or the command line qmake.
Note that Qt applications are usually deployed with the Nokia Smart Installer for Symbian, which has the implications that applications must be signed twice and that only qmake can be be used to create installation packages for distribution.
Signing an application during development
Using Qt Creator
If your application only requires the basic user capabilities then you don't need to do anything! Qt Creator automatically signs application SIS files with a default self-signed certificate suitable for testing. The SIS file does not include the Qt binaries or smart installer - Qt is assumed to have been installed when you set up your development environment.
If your application needs system capabilities (or higher) then you will need to request a Developer Certificate. User guide: Symbian Signed provides a step-by-step guide explaining how to get a developer certificate. Once this has been obtained you can replace the certificate used by Qt Creator for signing by following the instructions here.
Note that at the time of writing you can't use Qt Creator if your private key has a passphrase: QTCREATORBUG-950.
On the command line, go to the application project directory (contains the .pro file) and do:
qmake //create make files make release-gcce //build application release version with the GCCE compiler make sis //create the application SIS file (self-signed with default certificate)
On completion the application directory contains the applicationname.sis file that has been self-signed with the default certificate. If you want to create a Smart Installer version, you can create application_installer.sis in the same directory using:
make installer-sis //create the wrapper SIS file containing application SIS and Smart Installer (self-signed)
If your application needs system capabilities (or higher) then you will need to request a Developer Certificate. User guide: Symbian Signed provides a step-by-step guide explaining how to get a developer certificate. Once this has been obtained, you can replace the certificate used with the QT_SIS_CERTIFICATE, QT_SIS_KEY, and QT_SIS_PASSPHRASE options as shown below (note that in this case the private key does not have a passphrase):
qmake //create make files make release-gcce //build application release version with the GCCE compiler make sis QT_SIS_CERTIFICATE=yourcertificate.cer QT_SIS_KEY=yourkey.key make installer-sis QT_SIS_CERTIFICATE=yourcertificate.cer QT_SIS_KEY=yourkey.key
Self-signing an application for distribution
Applications that are to be distributed are normally signed with a certificate that includes the author's details and will often include the Smart Installer (to ensure that the user doesn't need to do anything else after installing the application in order to run it).
The MakeKeys tool can be used to create the certificate - the MakeKeys Tutorial provides concise instructions. Note that MakeKeys is included in Symbian standalone SDKs, but not in the Nokia Qt SDK (QTSDK-127).
When you've created the certificate, the smart installer application_installer.sis is created as discussed in the previous section:
qmake make release-gcce make sis QT_SIS_CERTIFICATE=yourcertificate.cer QT_SIS_KEY=yourkey.key make installer-sis sis QT_SIS_CERTIFICATE=publisherid.cer QT_SIS_KEY=publisherid.key
Note that when distributing an application you will probably also update some of the application details used in the SIS package definition itself. This is discussed in the article Deploying a Qt Application on Symbian.
Symbian Signing your application
Applications submitted to Symbian Signed must be signed with a publisher ID (this certificate is verified by a certificate authority and guarantees that your are the vendor of the application) and packaged in a specific way prior to submission. The article Publisher ID explains how to get the publisher ID. In most cases you will either need to, or want to, include the Smart Installer. This means that you'll need to sign the file twice.
The process of signing the SIS file for Symbian Signing is therefore:
qmake //create make files make release-gcce //build application release version with the GCCE compiler make sis QT_SIS_CERTIFICATE=yourPublisherID.cer QT_SIS_KEY=yourPrivateKey.key
Next, package and submit the applicationname.sis file as discussed in Express Signed (Symbian Signed) or Certified Signed (Symbian Signed). When the signed SIS file is returned, copy it over the original unsigned SIS file and do the following to create the wrapper SIS file and sign it with your publisher ID:
make installer-sis sis QT_SIS_CERTIFICATE=yourPublisherID.cer QT_SIS_KEY=yourPrivateKey.key
This file can be submitted to Express Signed (Symbian Signed) (the wrapper does not have to be certified signed), and the returned file can be distributed.
Note that when distributing an application through Symbian Signed, you will also need to update some of the application details used in the SIS package definition itself. This is discussed in the article Deploying a Qt Application on Symbian.
Freeware applications that only need user capabilities can be self-signed following the previous instructions.
Frequently Asked Questions
How does the "smart installer" affect signing?
The Nokia Smart Installer for Symbian is a tool that may be included in a wrapper SIS file along with your application SIS file; when the wrapper is installed on a device, the application's Qt dependencies are downloaded and installed (if they are not yet present) prior to installing the application. This is the most effective way of ensuring that your application can run as soon as it is installed because the Smart Installer takes much less space than bundling the Qt binaries themselves. Some app stores (for instance, Nokia Store) require that Qt applications include the Smart Installer.
Applications that use the smart installer must be signed twice! First the application must be bundled in a SIS file and signed, and then both the signed application and the smart installer are embedded in another SIS file which must also be signed. The qmake command line toolchain takes care of this for you when using local certificates (self-signing or developer certificates). If you're Symbian Signing your application, you will need to go through a few hoops because the application SIS file will need to be submitted to the https://www.symbiansigned.com/signedui/welcome website for signing twice.
There is also additional cost, because each signing instance requires money. Several approaches are being investigated to reduce this burden - for example, at the time of writing Nokia Store is beta testing a service to absorb the cost of signing for a small one-off membership fee.
How do I change the certificate used by Qt Creator for Signing?
Certificates are specified in "Project" mode (see button in left sidebar) for "device" build targets. The section of interest is Build Steps | Create sis Package. Simply select the radio button for "Custom certificate", and specify your replacement certificate, private key, and passphrase.
How do I get started?
After reading this article you should have a fairly good idea which signing option you need to use based on the Capabilities (Symbian Signed) required by your application. For Qt developers, the choice will usually be either self-signed or Express Signed.
The next step is to read Deploying a Qt Application on Symbian, which explains other changes that you might need to make in your project file prior to signing.
Where can I find more information?
Symbian Signed Requests can be made on the forum Symbian Signed Support, Application Packaging and Distribution and Security.
If you have a specific clarification request about any statement in this article, please post a wiki comment.
This article provides a simple introduction to application signing for Qt application developers. It describes the signing options, how you change the certificate used by Qt Creator to sign your application, and how you sign your application using the Qt toolchain.