Thawte signing for Java ME
This document describes how to code sign a Java ME app using Thawte. This is one of two mechanisms for avoiding security messages when accessing secured APIs.
Article Metadata
Contents |
Introduction
Let's assume you want to get rid of those annoying security messages when accessing JSR-75 (or another), what can you do? There are 2 main ways to reduce the number of messages:
- JavaVerified
- Code signing
This document describes how to code sign a Java ME app using Thawte (the alternative is to use Verisign). Thawte provides certificates for US$ 299, cheaper than Verisign, and I just followed the whole process, so I'll describe the process, as it worked for me.
1) Generate keystore and CSR for JavaSoft Certificate
Follow this document from Thawte: Solution SO3186
You will use a tool from Sun called keytool.
You will end up with a keystore (which is basically a file where your keys are stored) and a CSR, which is a text that you must send to Thawte.
2) Buy certificate from Thawte
- Go to: Code Signing Certificate
- Choose Certificates for Organization or Individuals.
3) Prove Thawte that "you are you".
They'll ask you more information and maybe documents. In my case, our company is located outside the US (in Chile) and the whole process took 2 weeks. I guess if you are in the US, it will be much faster.
4) Import the certificate into your keystore
Read this small document from Thawte Solution SO1079
5) Sign your application
For this step, there is no information in Thawte's site. You may find this document Solution SO7517, but it's about signing standard jars, not midlets.
If you like working with the console, you may follow the instructions from Verisign Sign Midlet Suites with JadTool or read more deeply about Sun's JADtool.
But I recommend you turn to Netbeans (I guess Eclipse will have a similar feature).
Open up your project, go to its Properties and the Signing tab. Check the "Sign Distribution" option and click in "Open Keystores Manager". Here you need to add the keystore you created in the step 1. Be sure to unlock your keystore and then your key.
Next, rebuild your project and Viola! Your application is signed!
To verify it, open the jad file. You will notice a number of new lines regarding the certification stuff. Also, your jar file will be a bit bigger than without the signing.
26 Sep
2009
This gives developers an another alternative of code signing their application to remove unwanted security messages while application is running. TTHAWTE is an alternative to code sign your application with cheaper rates than Verisign.
Article explains step by step procedure and instructions on getting and signing application.Very important for those who want to spend less money on application signing.Article content is given after signing application.
28 Sep
2009
This article discusses the process of signing Java ME midlets using Thawte digital certificates. The article discusses the basic steps involved in getting your midlet signed using a Thawte certificate. The article is split into the five basic steps involved in signing your midlet, namely generating the keystore, buying your certificate, the certification process, importing the digital certificate and signing your application. Links are provided to useful resources related to the Thawte signing process where appropriate.
Having recently gone through the process of acquiring a digital certificate from Thawte and signing midlets using this certificate myself, I can recommend this article. It does a good job of clearly outlining the major steps involved in the signing process. One of the most confusing parts of the process for me was the fact that Thawte uses the rather outdated term “JavaSoft” to refer to code signing certificates for Java. Little (and on some pages no) mention is made of midlets at all, so developers would be forgiven for being a bit anxious about whether they were choosing the correct option. I was pleased to see this mentioned in this article.
The links provided are useful, and I uncovered many of these links myself while figuring out the signing process. It was also nice to see a discussion on how to perform signing in NetBeans. This feature really simplifies the process nicely. Most of the process described in this article is the same, whether one uses Thawte, Verisign, or another Certification Authority (CA).
Crazywizard - Certificate Reusability
I guess the most important question for me is, if I buy the certificate and sign my app with it, will I have to buy another when I release another version?crazywizard 12:08, 18 March 2012 (EET)