Monday, March 17, 2008

Signed Online vs Developer Certificate Q&A

1.1 Why did you suddenly turn off the ability to download Developer Certificates without a Publisher ID?

Current plans and approach were announced in consultation with the developer community in September 2007 and implementation has been phased in since that time.

Many non-developers have been accessing the site through unapproved tools; hence it may have appeared sudden to these users as these unapproved tools would have stopped working and any documentation provided may not have been updated.

1.2 My friends have certificates which are still valid for their phone, why can't I get one?

In September 2007, we announced that we would provide an alternate solution to Developer Certificates using Open Signed Online, which is now in beta (since February 2008). Test applications can now be signed more simply without the need to acquire a Developer Certificate.

1.3 My phone was broken and returned and my certificate does not work, why can't I get a new one?

Open Signed Online will work for developing applications on your new phone. Developer Certificates are not necessary.

1.4 I paid money for my phone and should be able to install whatever software I want, why are you stopping me?

There are 10,000+ applications available, where developers have followed the correct release and deployment process, such that they can be installed on your phone without requiring you (the end-user) to use Symbian Signed service.

This approach is in line with agreed mobile industry recommendations.

Symbian Signed is provided for development and testing purposes only. The policy of what an end-user can install on their phone, without Symbian Signed, is determined by your device manufacturer, via the concept of “User-Grantable Capabilities” configured by the manufacturer on shipment.

A small number of developers are forcing end-users to go through a process intended for developers only.

1.5 Why can I not get a certificate to sign Freeware, there is no other way to install Freeware?

Contact your freeware developer and request him/her to re-release the application such that Developer Certificates are not required.

a) Approx 60% of APIs do not require any Capabilities and applications using only those APIs do not need to use Symbian Signed services.

b) The Capabilities LocalServices, Location*, NetworkServices, ReadUserData, UserEnvironment and WriteUserData are user-grantable on the device. Applications using these Capabilities are not required to be Symbian Signed; an end-user can grant the permissions on their device. This allows people to do application development with a large amount of functionality for interesting apps. At least 25% of commercial apps are released without needing to use any Symbian Signed services.

c) The Capabilities PowerMgmt, Location*, ProtServ, ReadDeviceData, SurroundingsDD, SwEvent, TrustedUI and WriteDeviceData are grantable by Open Signed Online, as are all the user-grantable permissions described in (b). There is a requirement (as requested by the developer community) that you must own the application’s UID, or you may use a test UID (i.e. in the range 0xE0000000 to 0xEFFFFFFF). This protects the integrity of the UID allocation process and prevents developers signing applications with UIDs which have been reserved by other developers.

Note: Location* depends on device type

1.6 I donated money to Freeware providers for their software and now I cannot install it because my phone has changed, why are you stopping me doing this?

Contact your freeware developer (especially if they are accepting money) and request him/her to be responsible and release the application appropriately as most other developers have done; i.e. Express Sign the applications to assure end users that the application comes from a trusted source and meets the recommended minimum quality level as detailed in the Symbian Signed Test Criteria.

1.7 Why is Symbian trying to make me pay $200 to get developer certificates, they are just trying to make more money?

Symbian does not receive any money for a Publisher ID. Publisher IDs are available from TC Trustcenter and meet industry-agreed identity requirements for tracing the origin of an application.

Publisher IDs are required to release applications to end-users in the mass market; developers using Express Signed and Certified Signed only need to obtain a Publisher ID once.

1.8 I bought my phone specifically so that I can install applications like RotateMe, why can I no longer get a Developer Certificate?

A beta UIQ version of RotateMe is being successfully signed via Open Signed Online in the correct and appropriate manner.

1.9 Why does Open Signed Online not work with Freeware applications?

There are 1000s of applications (including freeware) being successfully signed using Open Signed Online. Please contact the developer and encourage them to release their application in the correct manner.

1.10 The Freeware route through Symbian does not work, how else can I distribute my Freeware application?

There are already 1000s of applications (including freeware) being successfully signed using Open Signed Online.

Once tested and as your freeware application becomes more popular, please consider going through Express Signed; it provides more trust to end users and Open Signed has a finite capacity which may have to be limited if it is over-used.

1.11 Why is there all this security on Symbian OS, why can’t my phone just be completely open like others’ mobile phones?

Symbian Signed’s approach to security is in line with mobile industry recommendations http://www.omtp.org/ProductProfile/ . All open mobile phones shipping in mass market volumes are required to have some degree of trust and quality to protect mass market consumers from damage caused by poor applications.

Symbian Signed aims to allow developers to sign an application once to deploy globally, without needing to be concerned by other stakeholders controlling the channel for deployment to a device.

It is important that on behalf of mass market consumers, developers meet the requirements of Symbian Signed Services to provide trust and quality to deploy applications to 100s-of-millions of devices.

1.12 I am not a developer I just own a phone, why do you keep saying you are thinking about developers?

Symbian Signed is provided as a tool for developers to develop and release trusted applications for Symbian OS. The expectation is that developers should provide trusted and high quality applications to end users by ensuring their applications meet the Symbian Signed Test Criteria (using Express Signed and Certified Signed).

Unfortunately a small number of developers are encouraging end-users to access Symbian Signed themselves rather than release applications in the correct manner.

Device Manufacturers implement “User-Grantable Capabilities” on your device which determine what can be installed on your device without being Symbian Signed. As such, many applications (and most certainly end-users) do not need to be aware of Symbian Signed.

By installing an application that has been signed only with a Developer Certificate, you have no guarantee of origin and you put your device at increased risk of damage through a poorly performing application.

1.13 I just want to sign the “Hello World” application that I have developed using Carbide to run on my Nokia phone.

You should not need to use any Symbian Signed services to do this successfully. Check the documentation on Forum Nokia’s web site via the following link:
http://wiki.forum.nokia.com/index.php/Carbide.vs_Creating_and_deploying_projects_on_hardware

1.14 Why do you only allow developers with a Publisher ID to acquire Developer Certificates?

This allows traceability to and accountability of the company responsible for signing (including Developer Certificates).

1.15 I would like to purchase a Publisher ID, but I was told that only professional developers are able to get them. Is that right, or can anyone purchase such a certificate?

In compliance with industry recommendations (e.g. http://www.omtp.org/ProductProfile/) for Signing Schemes, a Class 3 Publisher ID is obtainable from TC Trustcenter.

An Authorised Entity MUST be validated by either of the following:
- Confirmation of articles of incorporation or
- Registration with 3rd party databases (e.g. Dun and Bradstreet, German Handelsregister)
- Or equivalent

Class 3 certificates establish a level of trust that meets high standards for commercial needs. Any organizational data contained in a certificate is confirmed on the basis of the company memorandum (or similar documents) or documents signed by authorized employees.

Class 3 certificates state, in addition to the checks required, that:

1. A natural person responsible for the certificate has been identified on the basis of his official identity card or passport.
2. Personal data contained in the certificate matches that in the identity card or passport.

1.16 I want to purchase a Publisher ID, but before I do, I have some questions: how many IMEIs can I enter when creating a .csr file?

Open Signed Offline using a Publisher ID allows a Developer Certificate to be created with up to 1000 IMEIs.

1.17 How many certificates can I generate per day on www.symbiansigned.com if I use a publisher ID? Are there any other limits when I have a publisher ID?

There are daily limits in place to ensure fair usage. The limits are subject to change and are in line with reasonable development scenarios; i.e. a small number each day.

1.18 Will Developer Certificates be available for users without a Publisher ID again? If not, why?

Open Signed Online grants the same functionality as Developer Certificates, allows fair usage and has an easier to use interface with no registration/login required.

1.19 What is the UID Range for Open Signed Online?

Open Signed Online allows SIS files to be signed where
- UIDs are in the Test Range (0xE0000000 to 0xEFFFFFFF) OR
- UIDs where the email address of the submitter matches the email address of the UID owner for the Protected Range (0x20000000 - 0x2FFFFFFF) and Unprotected Range (0xA0000000 - 0xAFFFFFFF)

1.20 I tried out the Open Signed Online beta now, with an application with a UID from the unprotected range (0xa000112c). Despite this, I got this error message:
“FAILURE: Submitted .sis file uses a UID that is not allocated to the account holder matching this email address (0xa000112c)”

Open Signed Online allows SIS files to be signed where
- UIDs are in the Test Range (0xE0000000 to 0xEFFFFFFF) OR
- UIDs where the email address of the submitter matches the email address of the UID owner for the Protected Range (0x20000000 - 0x2FFFFFFF) and Unprotected Range (0xA0000000 - 0xAFFFFFFF)

1.21 Aren’t packages with UIDs from this range intended to be signable by anyone?

The approach that has been implemented was at the request of developers to ensure they retain control over how their UIDs were used. Current recommendations are:

- Protected Range (0x20000000 - 0x2FFFFFFF): Only to be used in Open Signed by the owner of the UID and required for Express Signed and Certified Signed.
- Unprotected Range (0xA0000000 - 0xAFFFFFFF): Only to be used in Open Signed by the owner of the UID, cannot be used in Express Signed and Certified Signed.

1.22 Do I need to register an account on symbiansigned.com to use Open Signed Online?

Registration/Login is not required to use Open Signed Online.

However, if you need to use UIDs in the Protected Range (0x20000000 - 0x2FFFFFFF) or Unprotected Range (0xA0000000 - 0xAFFFFFFF), your submission email address must match the email address of the UID owner.

1.23 What is the Size limitation on files submitted for signing?

- Open Signed Offline: No effective limit, done locally on your development machine
- Open Signed Online: 4Mb
- Express Signed: 40Mb
- Certified Signed: 40Mb
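
The UID, capability and size rules from 1.5 and 1.19 to 1.23 can be combined into a pre-submission check; the following is an added example, not Symbian Signed's own code. The function names, the `uid_owners` mapping (standing in for the UID allocation records), the case-insensitive email match and reading "4Mb" as 4 MiB are assumptions.

```python
# Added example: pre-submission check built from the rules in this Q&A.
USER_GRANTABLE = {"LocalServices", "NetworkServices", "ReadUserData",
                  "UserEnvironment", "WriteUserData"}  # 1.5 (b); Location* handled below
ONLINE_GRANTABLE = USER_GRANTABLE | {  # 1.5 (c)
    "Location", "PowerMgmt", "ProtServ", "ReadDeviceData", "SurroundingsDD",
    "SwEvent", "TrustedUI", "WriteDeviceData"}
UID_RANGES = {"test": (0xE0000000, 0xEFFFFFFF),
              "protected": (0x20000000, 0x2FFFFFFF),
              "unprotected": (0xA0000000, 0xAFFFFFFF)}
ONLINE_SIZE_LIMIT = 4 * 1024 * 1024  # "4Mb" read as 4 MiB (assumption)


def uid_range(uid):
    """Name of the range from 1.19 that contains uid, or None."""
    for name, (lo, hi) in UID_RANGES.items():
        if lo <= uid <= hi:
            return name
    return None


def needs_signing(capabilities, location_user_grantable=True):
    """True if any capability cannot be granted by the end-user on the device."""
    grantable = USER_GRANTABLE | ({"Location"} if location_user_grantable else set())
    return bool(set(capabilities) - grantable)


def check_open_signed_online(uid, capabilities, size_bytes, submitter, uid_owners=None):
    """Return (ok, reasons); uid_owners is a hypothetical {uid: owner email} map."""
    reasons = []
    rng = uid_range(uid)
    if rng is None:
        reasons.append(f"UID 0x{uid:08x} is outside the ranges accepted in 1.19")
    elif rng != "test":
        owner = (uid_owners or {}).get(uid)
        # Case-insensitive comparison is an assumption; the page only says "matches".
        if owner is None or owner.casefold() != submitter.casefold():
            reasons.append(f"UID 0x{uid:08x} ({rng} range) is not allocated to {submitter}")
    extra = set(capabilities) - ONLINE_GRANTABLE
    if extra:
        reasons.append("not grantable by Open Signed Online: " + ", ".join(sorted(extra)))
    if size_bytes > ONLINE_SIZE_LIMIT:
        reasons.append("file exceeds the 4Mb Open Signed Online limit")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed input: the UID from question 1.20, submitted by a non-owner.
    print(check_open_signed_online(0xA000112C, ["NetworkServices"], 200_000, "dev@example.com"))
```

The constructed call at the bottom reproduces the situation in 1.20: an unprotected-range UID is rejected unless the submitter's email matches the UID owner's, while a test-range UID needs no owner lookup.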
