To assure end users that the data on their mobile phones is protected, it’s essential to properly package your apps and to sign them whenever possible.
Considering the wide range of choices for developers, the question is: Which packaging and signing solution is the right one for your application?
Java™ ME
Nokia publishers can request to have their Java™ apps signed for free. For more details, see the Nokia signing Symbian and Java apps for free section.
A Java™ Platform, Micro Edition (Java™ ME) application is distributed in two files: Java Application Descriptor (JAD) and Java Archive (JAR). The JAR file is the package for the application itself, and the JAD file contains additional definitions for the application. The JAD file should be used to begin application installation, so that all the possible configurations will be taken into account.
The Java ME security model specifies four domains in which the application can be installed. Two of them, controlled by operators and manufacturers, are known as the Operator and Manufacturer domains. The others, which are more easily accessible, are the Untrusted Third Party and Trusted Third Party domains. The main difference between the third-party domains is that the former is for unsigned apps and the latter is for signed apps.
Unsigned Java ME apps can be distributed, but those that use certain phone features, such as HTTP connections, tend to prompt users more often than signed apps. There are two common methods for signing Java ME apps:
- VeriSign or Thawte Code Signing Certificates.
- The Java Verified™ Program.
Find out more about signing Java ME apps in Nokia’s MIDP 2.0: Signed MIDlet Developer's Guide, the Nokia Developer Wiki’s Signing and Certification category, and the Java Verified site’s documents titled Signing Java ME Applications and Why Doesn’t My Signed MIDlet Work?
Nokia signing Symbian, MeeGo and Java apps for free
For Nokia publishers creating Symbian and Java™ apps, there typically are initial investment costs such as those associated with obtaining a Publisher ID and having the apps Symbian Signed or Java Verified™. Currently, this process can take about four weeks and cost up to $215 (157 euros).
Nokia publishers can request to have certain apps signed for free by Nokia, reducing the turnaround time to two weeks and eliminating the signing costs. Qt, Symbian C++, Java™, and Adobe Flash Lite apps can be signed by Nokia.
Symbian and Qt apps
1. The publisher applies for an Nokia Publish account and accept the latest Nokia Store Registration and Distribution agreement.
2. The publisher also provides up to five phone IMEI’s (International Mobile Equipment Identities) to be used to create a certificate installer for the Publisher’s phones to Nokia Developer Support.
3. Nokia Publisher Support sends the Publisher a list of UID’s, a certificate installer, and a developer certificate/key pair for testing a qualified app. Additional UID’s can be requested at any time as needed by contacting Nokia Developer Support.
4. The publisher packages the app's unsigned SIS file using the UID provided and tests it on a phone, being sure to test it against the Symbian Signed Test Criteria.
5. The publisher submits the app (the unsigned SIS file with the UID provided) via the Nokia Publish tool.
6. Nokia Store quality assurance (QA) tests the app based on Content Guidelines, specific operator guidelines, and the Symbian Signed Test Criteria. If it passes, the app will be express-signed by Nokia and published in Nokia Store.
It’s important to note that this arrangement covers only those SIS files that would typically be express-signed. SIS files that require certified signing, will not be signed by Nokia; publishers will need to have them signed via third parties.
Publisher requirements for Symbian signing by Nokia
- To meet express-signed levels the content cannot make use any of the following capabilities: AllFiles, DRM, TCB, CommDD, DiskAdmin, NetworkControl, and MultimediaDD.
- All UIDs in the application must have been assigned by Nokia.
- The primary UID of the application must match the one declared in the Nokia Publish tool Metadata.
- All embedded SIS files must already be signed.
- The localized and non-localized vendor information in the package file should closely match the publisher's name as it is seen in the Nokia Publish tool. When there is an obvious mismatch of names please provide supporting documentation to show reason. Often for content aggregators this can be a contract or similar business agreement that shows it is ok to have Party_A’s content published by Party_B.
- The Vendor_Name field cannot be 'Nokia', 'Vendor'/'Vendor-EN', or left blank. The Vendor_Name can be seen by the consumer after installing your app.
Publisher requirements for Qt Symbian signing by Nokia
In addition to the standard Symbian signing requirements listed above:
- The publisher submits the app via the Nokia Publish tool, along with additional documents as needed.
- Nokia QA tests the app based on Content Guidelines, specific operator guidelines, and Unified Testing Criteria, available on the Java Verified web site. If it passes, the app will be signed by Nokia and published in Nokia Store.
- The file must be properly packaged with the Nokia Smart Installer.
- The package must have been created with a non-beta version of Qt.
Java apps
1. The publisher applies for an Nokia Publish account and accept the latest Nokia Store Registration and Distribution agreement.
2. The publisher submits the app via Nokia Publish tool.
3. Nokia QA tests the app based on Content Guidelines, specific operator guidelines, and Unified Testing Criteria, available on the Java Verified web site. If it passes, the app will be signed by Nokia and published in Nokia Store.
Publisher requirements for Java signing by Nokia
- The permissions declared in the documentation must match those in the Java Application Descriptor (JAD) file and Java Archive (JAR) manifest file.
Qt
Qt apps for Symbian phones are distributed in the SIS format, the standard format for Symbian installation packages. Qt apps for the Nokia N9 smartphone and Maemo™ 5 phones are packaged into standard Linux Debian packages, in the DEB format.
DEB packages for the Nokia N9 smartphone are signed automatically during the Nokia Store publication process (no action is required by the developer), while for Maemo 5 phones DEB packages don't require any form of signing.
Symbian OS platform security was introduced in Symbian OS v9. The most important factor from a developer’s point of view is the existence of distinct ‘capabilities’, which are used to prevent the misuse of sensitive functions in Symbian OS. The operating system is divided into 21 parts, one of which is open and 20 of which are behind various capabilities, based on how sensitive they are and what functionality they protect. The developer must declare which capabilities an application requires.
Every SIS file must be signed with a certificate. The Qt SDK will do this signing automatically. Such SIS files are not trusted by phones and will display a warning message during installation. These apps can have one or more of the following capabilities: LocalServices, ReadUserData, WriteUserData, NetworkServices, UserEnvironment, and Location. Users are prompted to allow usage of the capabilities at app-installation time. This form of packaging and signing can be used when mobile users share the apps with other users or through their own websites.
If more capabilities are required, the application can undergo the Symbian Signed process. This will ensure more-professional application distribution. For details, visit the Symbian Signed website.
Find out more about capabilities on the Nokia Developer Wiki
Phones that support Qt apps
 |
Qt apps can be published in Nokia Store. The Nokia Store functionality for Qt content has been tested and enabled for the following 32 Nokia phone models: Compatible with Qt 4.7
Compatible with Qt 4.6
|
This list will be updated as additional phone models gain support, enabling Qt developers to reach a growing market of Nokia phone users.
Nokia Store requires usage of the Nokia Smart Installer for Symbian-based phone models. This is to improve the Nokia users experience when downloading and installing the growing number of Qt apps.
Symbian C++
Nokia publishers can request to have certain Symbian apps signed for free. For more details, see the Nokia signing Symbian and Java apps for free section.
Like Qt apps for Symbian OS, Symbian C++ apps are distributed in the SIS format, the standard format for Symbian installation packages.
Symbian OS platform security was introduced in Symbian OS v9. The most important factor from a developer’s point of view is the existence of distinct ‘capabilities’, which are used to prevent the misuse of sensitive functions in Symbian OS. The operating system is divided into 21 parts, one of which is open and 20 of which are behind various capabilities, based on how sensitive they are and what functionality they protect. The developer must declare which capabilities an application requires.
Every SIS file must be signed with a certificate. The Qt SDK will do this signing automatically. Such SIS files are not trusted by phones and will display a warning message during installation. These apps can have one or more of the following capabilities: LocalServices, ReadUserData, WriteUserData, NetworkServices, UserEnvironment, and Location. Users are prompted to allow usage of the capabilities at app-installation time. This form of packaging and signing can be used when mobile users share the apps with other users or through their own websites.
If more capabilities are required, the application can undergo the Symbian Signed process. This will ensure more-professional application distribution. For details, visit the Symbian Signed website.
Maemo™ 5 and MeeGo
Native Maemo™ apps for Maemo 5 phones are packaged into standard Linux Debian packages, in the DEB format. Nokia Publish automatically signs all submitted MeeGo apps, provided that they are packaged correctly using the Qt SDK for MeeGo.
The DEB packages on Maemo 5 phones currently do not support any form of signing. Qt developers can upload Maemo 5 apps for the Nokia N900 mobile computer using the Nokia Publish tool.
Series 40 web apps
Series 40 web apps are submitted to Nokia Store as *.wgt files — these files are created using Nokia Web Tools and the process described in the Series 40 web apps: Publishing guide. After submission and when your web app has passed the QA process, a small Java application is created for distribution in Nokia Store. When a user downloads or buys your web app from Nokia Store the Java application is installed onto their Series 40 phone. Once install the Java application provides an icon on the user's phone, when the user clicks this icon the URL to your web app is passed to the Nokia Browser and your web app run. These packages don't require any form of signing.
S60 WRT
S60 Web Runtime (WRT) apps are distributed in WGZ packages so that Nokia phone users can easily download, install and discover the applications via icons in their phone menus. Installing WGZ files also enables Nokia phone users to uninstall the applications just like Qt, Symbian, or Java applications. These packages currently do not support any form of signing, and the process for packaging WGZ files is fairly simple.
Themes
The packaging format for distribution of a theme depends on the target environment. For Symbian phones, the theme must be packaged into a SIS file, and for Series 40 phones, an NTH file.
SIS files must be signed to be installed. Signing options for theme content are the same as for Symbian C++ apps.
