Symbian developer community

#1 | 2009-06-17, 09:21 | kihoikka (Symbian Foundation Community Member)
Why is it so ridiculously difficult to test apps on your S60 device?

I found this one interesting S60 app from Nokia betalabs. Downloaded and tried to install on my Samsung S60 device. Well, you know what happens; does not install, error message is "Certificate error, contact application provider". Well, I thought I'd re-sign the sis package with a developer certificate... I remember in the past you were able to get a developer certificate with the devcert tool for one IMEI without a publisher ID (I'm just a consumer, I don't want to even know what a publisher ID is, let alone I would have one). This is now replaced with this Open Signed Online web service... this service is however pretty useless at least for me, all I keep getting with these apps is:

FAILURE: Submitted .sis file uses a UID that is not allocated to the account holder matching this email address (0x2002134f 0x20021350 0x2002137e 0x20021353 0x20021354 )

No wonder there is no apps business on Symbian... clearly there are applications for the platform but why am I not allowed to install them on my device to test 'em... after all I've paid a ridiculous amount of money for the device and would be willing to take full responsibility of the testing.... why is this stupid system preventing users from using their smartphone? I might as well buy a dumbphone or another platform next time..

#2 | 2009-06-17, 10:13 | rodb (Staff)
Nokia Betalabs application

Clearly Nokia have made a decision that they only want this application to install to Nokia phones. By signing it with a Nokia certificate that they know is only present on Nokia phones they have restricted installation to Nokia only phones.

#3 | 2009-06-17, 10:22 | markw (Staff)

I don't think that's a fair assessment. Nokia sign things against their own root certificate even when they'd like them widely used, like Open C/C++ and Qt.

This is Nokia's issue and not a Symbian Signed issue though. Re-signing other people's applications with Open Signed Online is not allowed for good reasons.

#4 | 2009-06-17, 11:30 | kihoikka (Symbian Foundation Community Member)

Quote:
Originally Posted by markw
> I don't think that's a fair assessment. Nokia sign things against their own root certificate even when they'd like them widely used, like Open C/C++ and Qt.
>
> This is Nokia's issue and not a Symbian Signed issue though. Re-signing other people's applications with Open Signed Online is not allowed for good reasons.

It would be interesting to hear someone from Nokia commenting on this. I find it weird that they "bypass" Symbian signed if they really want a wider audience than Nokia. Is it that they also find Symbian signed too slow/complex for their apps or is it just that they could not be bothered?

#5 | 2009-06-17, 11:38 | kihoikka (Symbian Foundation Community Member)

Another question:

assuming that there really are good reasons not to allow re-signing other people's applications, why can't I get a developer certificate for my own device without a publisher ID? or at least I haven't yet found a way.... the devcert tool states that: "However, you can still obtain a Symbian Developer Certificate for a single IMEI without an Publisher ID. " but how?

#6 | 2009-06-17, 11:57 | danm (Staff)

Quote:
Originally Posted by kihoikka
> Another question:
>
> assuming that there really are good reasons not to allow re-signing other people's applications, why can't I get a developer certificate for my own device without a publisher ID? or at least I haven't yet found a way.... the devcert tool states that: "However, you can still obtain a Symbian Developer Certificate for a single IMEI without an Publisher ID. " but how?

I think the DevCert tool is out of date.

If you want to sign an application for just your device, you can use Open Signed Online for which you don't need a PublisherID. However, you don't get access to the DevCert used, you just get a link to the signed .sis file to download which will install onto your device.

#7 | 2009-06-17, 12:08 | kihoikka (Symbian Foundation Community Member)

that leads me back to my original problem:

FAILURE: Submitted .sis file uses a UID that is not allocated to the account holder matching this email address (0x2002134f 0x20021350 0x2002137e 0x20021353 0x20021354 )

which I suppose is the "cannot re-sign already signed application" case...
to me it's not clear why can't I install any application I like on my device?

#8 | 2009-06-17, 13:49 | markw (Staff)

Quote:
> Is it that they also find Symbian signed too slow/complex for their apps or is it just that they could not be bothered?

In the case of Qt, that is almost exactly what I was told by the porting project manager. However, in most cases I think it's a question of process - they send everything they want to distribute to an internal signing service, who just sign against a Nokia cert rather than using Symbian Signed - more likely because they can and it's easier than that they really tried to use Symbian Signed.

#9 | 2009-06-17, 14:03 | markw (Staff)

Quote:
> to me it's not clear why can't I install any application I like on my device?

You've only tried to re-sign the application unchanged. However, if UIDs weren't restricted, how would we prevent people from signing modified (potentially maliciously) versions of other people's applications? You provide an IMEI, but we have no guarantee that it's yours.

There are lots of other ways an application vendor can restrict where it can be installed - including to a specific device model. If they choose to restrict the installation of a SIS file by certificate (or do it through ignorance or pure laziness) that's up to them.

#10 | 2009-06-17, 14:06 | kihoikka (Symbian Foundation Community Member)

Perhaps someone (from SF) should talk to Nokia and remind them this kind of behavior (signing only with their own root cert) is just confusing end users and creating more fragmentation on an already troubled apps ecosystem.

#11 | 2009-06-17, 14:19 | markw (Staff)

People have several times, including me. At least now Samsung and Nokia have a process worked out to get the important developer libraries signed (although they each sign with their own certificates at the moment, they do plan to use Symbian Signed eventually).

From a Nokia perspective though, I can see that they have no interest or motivation to make their beta labs applications available for their competitors' devices. That seems fairly reasonable. Beta labs apps aren't commercial.

#12 | 2009-06-17, 15:04 | kihoikka (Symbian Foundation Community Member)

Fair enough, the remaining question then is: if I just wanted to test/debug a piece of software on my (expensive) S60 smartphone and don't want to invest money on a publisher ID; am I expected to submit my app to the open signed website every time I change the app and want to run a debugging session on a phone? (which really does not work)

In my case this would put me off from Symbian development and I believe a lot of others as well. If you just want to have a play on some silly idea you don't want to invest any money until it's mature enough to be deployed and you can make some money on it and at the same time you need to test your code on a device, emulator is just not good enough for anything creative.

#13 | 2009-06-17, 15:59 | markw (Staff)

The answer there depends on what capabilities your application requires. The vast majority of applications can be self-signed (no developer certificate or open signed online required). If you need to use some capabilities that are restricted in the platform security model, then yes, you currently either need a publisher ID, or to use open signed online.

Rod & Dan are currently working on a way to make developer certificates available freely again though. The problem before was just the level of abuse of the system for pirate software (or possibly some sort of DoS attack - were there really that many people requesting developer certificates for use?). The number of certificates being requested far exceeded the number of software developers in the world (let alone for the platform) and was overloading the servers.

I'm sure they'll announce something when it's ready.

#14 | 2009-06-23, 15:46 | simonpope (Symbian Foundation Community Member)

Dev cert tool is certainly unreliable at times with certain devices now that some devices seem to have generic MUIDs

#15 | 2009-06-24, 08:25 | rodb (Staff)
Dev cert tool is certainly unreliable at times with certain devices now that some dev

Can you be more specific? What is the problem exactly?

#16 | 2009-06-24, 12:01 | jamescooper (Symbian Foundation Community Member)

Quote:
Originally Posted by markw
> The answer there depends on what capabilities your application requires. The vast majority of applications can be self-signed (no developer certificate or open signed online required). If you need to use some capabilities that are restricted in the platform security model, then yes, you currently either need a publisher ID, or to use open signed online.
>
> Rod & Dan are currently working on a way to make developer certificates available freely again though. The problem before was just the level of abuse of the system for pirate software (or possibly some sort of DoS attack - were there really that many people requesting developer certificates for use?). The number of certificates being requested far exceeded the number of software developers in the world (let alone for the platform) and was overloading the servers.
>
> I'm sure they'll announce something when it's ready.

Some people who write apps for Symbian let the users sign the app themselves... they made available an unsigned version and if someone wanted to install it, it is up to them to sign it.

They do this because the signing process is such a pain.

#17 | 2009-06-24, 12:40 | markw (Staff)

Quote:
> Some people who write apps for Symbian let the users sign the app themselves... they made available an unsigned version and if someone wanted to install it it is up to them to sign it.
>
> They do this because the signing process is such a pain.

Actually, most developers that did this had to do so because the official signing process required (and still does currently) that you be a registered company and they weren't, they were just hobbyists or small independents. This is another thing that is being fixed now.

#18 | 2009-10-22, 10:18 | bootchec (Symbian Foundation Community Member)

Not much has changed huh? I thought that the new Symbian will be better. No wonder iPhone is taking over. I wrote a couple of apps last year and till now I cannot sign them. Is the online signing still impossible for other users because UIDs etc have to be assigned for the same email?

BTW did this forum replace the previous one? I think many helpful posts are missing along with my account

#19 | 2009-10-22, 13:44 | teknolog (Staff)

Quote:
> Is the online signing still impossible for other users because UIDs etc have to be assigned for the same email?

If you use the experimental 0xE range of UIDs open signed online works fine. Not sure how well this is documented though.

Things will improve, it has sadly taken longer than we intended. We are sorry for that.

#20 | 2009-10-22, 15:12 | lucian (Symbian Foundation Community Member)

Quote:
Originally Posted by markw
> Actually, most developers that did this had to do so because the official signing process required (and still does currently) that you be a registered company and they weren't, they were just hobbyists or small independents. This is another thing that is being fixed now.

I'll be coming to London next week and quite frankly I don't understand why I should obey the UK driving style, which is obviously backwards compared to what is used in the civilized world. Any workaround for not following the rules? After all, it's just me and my friends and we can't even hire a taxi, let alone buy a car. But trust me, the Queen cannot drink the tea without me, you have to bend the rules to let me in.

Quote:
Originally Posted by teknolog
> If you use the experimental 0xE range of UIDs open signed online works fine. Not sure how well this is documented though.

That is an R&D signing method and yes, it is documented as such. It also has a license agreement that prevents it from being used for public releases, be they freeware or commercial.
__________________
-- Lucian

Last edited by lucian; 2009-10-22 at 15:23.
Reply With Quote
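
The FAILURE line quoted in posts #1 and #7 and the 0xE test range from post #19 can be worked through with the Symbian OS v9 UID allocation ranges. This is an added example, not code from any poster or from Open Signed Online. The function names, the `owned_uids` parameter and the accept/reject model in `precheck` are assumptions made for illustration.

```python
import re

# Symbian OS v9 UID allocation ranges. The top bit splits the space into a
# protected half (only usable in packages signed by a trusted certificate)
# and an unprotected half.
UID_RANGES = [
    (0x00000000, 0x0FFFFFFF, "development only"),
    (0x10000000, 0x1FFFFFFF, "legacy allocated"),
    (0x20000000, 0x2FFFFFFF, "v9 allocated"),
    (0x30000000, 0x6FFFFFFF, "reserved"),
    (0x70000000, 0x7FFFFFFF, "vendor IDs"),
    (0x80000000, 0x9FFFFFFF, "reserved"),
    (0xA0000000, 0xAFFFFFFF, "v9 allocated"),
    (0xB0000000, 0xDFFFFFFF, "reserved"),
    (0xE0000000, 0xEFFFFFFF, "development/test"),
    (0xF0000000, 0xFFFFFFFF, "legacy compatibility"),
]
TEST_RANGE = (0xE0000000, 0xEFFFFFFF)


def classify_uid(uid):
    """Return (protection, purpose) for a 32-bit UID."""
    if not 0 <= uid <= 0xFFFFFFFF:
        raise ValueError("UID must fit in 32 bits")
    protection = "protected" if uid < 0x80000000 else "unprotected"
    for low, high, purpose in UID_RANGES:
        if low <= uid <= high:
            return protection, purpose
    raise AssertionError("ranges cover the whole 32-bit space")


def parse_failure_uids(message):
    """Extract the UIDs listed in parentheses in a FAILURE line."""
    match = re.search(r"\(([^)]*)\)", message)
    if not match:
        return []
    return [int(token, 16) for token in match.group(1).split()]


def precheck(uids, owned_uids):
    """Assumed model of the ownership check described in the thread:
    test-range UIDs need no allocation, any other UID must already be
    allocated to the submitting account."""
    report = {}
    for uid in uids:
        if TEST_RANGE[0] <= uid <= TEST_RANGE[1]:
            report[uid] = "accept: test range, no allocation needed"
        elif uid in owned_uids:
            report[uid] = "accept: allocated to this account"
        else:
            protection, purpose = classify_uid(uid)
            report[uid] = (f"reject: {protection} {purpose} UID "
                           "not allocated to this account")
    return report


# The failure line as quoted in the thread.
FAILURE = ("FAILURE: Submitted .sis file uses a UID that is not allocated to "
           "the account holder matching this email address (0x2002134f "
           "0x20021350 0x2002137e 0x20021353 0x20021354 )")

if __name__ == "__main__":
    rejected = precheck(parse_failure_uids(FAILURE), owned_uids=set())
    for uid, verdict in rejected.items():
        print(f"0x{uid:08x}  {verdict}")
    # Constructed test-range UID, as a developer's own R&D build might use.
    print(precheck([0xE0001234], owned_uids=set()))
```

All five UIDs in the failure line fall in the protected allocated range, which is why the submission is tied to the account that owns them, while a package built with a test-range UID passes the same check.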

#21 | 2009-10-22, 16:25 | teknolog (Staff)

Quote:
Originally Posted by lucian
> I'll be coming to London next week and quite frankly I don't understand why I should obey the UK driving style, which is obviously backwards compared to what is used in the civilized world. Any workaround for not following the rules? After all, it's just me and my friends and we can't even hire a taxi, let alone buy a car. But trust me, the Queen cannot drink the tea without me, you have to bend the rules to let me in.

Not sure this is a very good analogy. We are obviously not where we want to be with the signing process. Things will be announced at SEE, but don't expect miracles yet.

#22 | 2009-10-22, 16:34 | koshui (Symbian Foundation Community Member)

6 steps for (somewhat) successful signing:

1. dumpsis to extract the package
This doesn't work well with packages having embedded sis files in :/
2. elftran to change the UID3s to experimental range
+Hack app UID3 check if it won't start
3. elftran to remove possible VID
4. elftran to change capabilities for what you can sign
5. re-pack with makesis
6. open sign

I know this is not the most elegant way to do it

#23 | 2009-10-22, 16:45 | teknolog (Staff)

Quote:
Originally Posted by koshui
> I know this is not the most elegant way to do it

And it sounds like copyright infringement and/or licence violation if you ask me.

#24 | 2009-10-22, 20:27 | koshui (Symbian Foundation Community Member)

Quote:
Originally Posted by teknolog
> And it sounds like copyright infringement and/or licence violation if you ask me.

And that too in most of the countries. It was sort of a dry joke, I don't think that people can be bothered to do the steps that I mention.

For testing apps the publisher ID isn't that expensive and if that is too much then there is what the most active Symbian community is using.. I'll refrain to say it in fear of moderation

#25 | 2009-10-22, 21:08 | markw (Staff)

I wouldn't moderate a post for telling the truth about the broken signing ecosystem and how people get around it. No details or links though please - we don't want to encourage it!

The biggest problem is not the cost, you don't hear many people complaining about that for iPhone do you, and most people have to buy themselves a Mac for that? The main problem is that you can't actually get a publisher ID unless you are a registered company. In some cases that can be very expensive, not just to start but for annual accountancy and administrative fees. It's not feasible or desirable for your average bedroom coder - perhaps doing mobile apps in his spare time. I've been reading recently that some of the most respected iPhone developers don't think there's enough money in it at the moment to make a full-time living for 99% of people trying, you need other income too - so bedroom coders pretty much is the market outside of medium to large service companies and a few niche-market exceptions.

#26 | 2009-10-23, 10:41 | koshui (Symbian Foundation Community Member)

Getting a trade name is quite cheap in Finland. I know a lot of people registered one in order to get a .fi domain and static IP when those were not available a few years ago without being a registered legal entity (people do find loopholes). I don't know how expensive it is in other countries.

Workaround that I had in mind was to hack the phone to get rid of platform security. I'm not going to link to that site even if IMO it is the best Symbian related news site in the web.

#27 | 2009-10-23, 10:58 | markw (Staff)

In most of Europe the situation is the same. Unfortunately in most cases, you need the registered legal entity to satisfy TC TrustCentre or VeriSign in order to get a publisher ID. In Germany, home of TrustCentre, it's not a problem but elsewhere is.

That's why the Symbian Signed changes involve the availability of a new class of publisher ID for anyone with a credit card.

#28 | 2009-10-23, 11:16 | richardcoles (Symbian Foundation Community Member)

Well yes, the standard solution for lots of more technically skilled users is to exploit the phone and turn off platform security entirely... people do the same thing on the iPhone, though; Symbian is not unique in this respect. Jailbreak the device and install a quick patch, and then you can test code on the phone without paying Apple the fee to do so (though you still need to pay them *eventually* if you are going to submit your app to the app store). On both platforms you then *also* get the ability to install apps which do things not blessed by the manufacturer (which may be very useful, or may be hiding malicious intent) and the ability to pirate commercial applications...

To be honest I think this is inevitable and unavoidable, and that it's *vital* to massively lower the barrier to legitimate use cases, in order to stop the bad ones from happening

See Sony/Microsoft, in the current console generation: the Xbox 360 doesn't let you run anything MS haven't signed, but the PS3 lets you boot up the OS of your choice on the hardware, with a few restrictions intended to stop commercial developers using this as a way to avoid licence fees for "real" games. (though they have removed this capability in the new slim version...)

Result: Dozens of extremely skilled people have, collectively, hacked the 360 to death and you can now boot linux, run pirated games, and before long now probably cheat on Live. The PS3's security system remains entirely unbroken, and there's barely anyone even discussing attacking it at all.

The people with the skills to actually compromise these security systems aren't doing so to pirate stuff, they're doing it because they want to use the device they own...

#29 | 2009-10-23, 12:25 | teknolog (Staff)

Look, there is no reason to try to justify the present situation or even try to explain it. And while we do appreciate feedback, we can't give any good answers yet.

This is the story: We are not happy with Symbian Signed at the moment. We obviously want individuals to be able to create applications for Symbian devices. We want the cost to go down significantly, and we want the testing process to be a lot smoother. We want Symbian to be the greatest platform to develop for, and without a significantly improved Symbian Signed we can have the world's best SDK, and it wouldn't be enough.

We are working hard to fix all this, and if it was only up to the Symbian Foundation, it would be fixed already. Some things are outside our direct control, but we're doing our best to influence the stakeholders.

I am confident that we will get there, but this will take some time. I am not happy about this, but it is the harsh reality.

Last edited by teknolog; 2009-10-23 at 12:25. Reason: typo

#30 | 2009-10-23, 17:58 | koshui (Symbian Foundation Community Member)

Quote:
Originally Posted by markw
> That's why the Symbian Signed changes involve the availability of a new class of publisher ID for anyone with a credit card.

A nice initiative, but I don't think this will help a lot of people (again Finland).
In order to get a credit card you need to be 18 years (some companies 20), have steady income and you haven't had payment difficulties. Steady income means that you have a regular job; any temp, seasonal etc. will be disqualified. This also means students. If you are a student you will not get a credit card from major companies with the exception of Diners.

So your target audience with this change is people who are already employed by a company that is into software development and here the company can pay the Publisher ID fee.

EDIT: it might help some 1-2 person indie companies that save where they can.