Complete Guide To Symbian Signed

From Symbian Developer Community


Please note that we have announced changes to Symbian Signed [1] which will come into effect on 8th March 2010 and will affect the information provided in this article. This article refers to the situation before 8th March 2010.

About Symbian Signed

About this Guide

The Complete Guide to Symbian Signed has existed for some time, and serves as the most comprehensive guide to Symbian Signed. Previously, the guide has been published as a PDF file, but now exists as an exhaustive set of links to information on Symbian Signed across both this wiki, and elsewhere. This guide does not reproduce the information in those other places, but presents a very quick summary punctuated by links to other sources of information.

This guide is a wiki article, and as such should be contributed to by the community. Please do contribute to this guide, and include in it links to any additional information sources you find for Symbian Signed information - but please do try to keep this guide as generic and easy to read as possible.

Signing in Context

Signing is the process of encoding a tamper-proof digital certificate into an application. The certificate identifies the origin of the application by including information on the Publisher ID used during the signing process. Because the application origin is known, once an application is signed, it can use more sensitive features of the platform. An application whose origin is unknown, i.e. one which has not been signed, will not be able to access this sensitive functionality and may not even install on the device, depending on the security settings installed by the manufacturer.

In the Symbian platform, APIs protected by capabilities are those which allow sensitive operations such as those that may:

  • access end users' private data, thus breaching the user's privacy
  • potentially create billable events, and incur unexpected cost for the user
  • access the mobile phone network and potentially disrupt it
  • access handset functions that affect normal behaviour of the phone
  • impact the performance of other applications on the device

If you are writing a straightforward application, then you should be able to avoid using APIs protected by capabilities. This will simplify what you need to do to install an application, since it will only need to be self-signed to be installed. (You may still wish to go through Symbian Signed, however.)

If you are writing an application designed for older versions of Symbian OS (prior to v9) then there is no compulsion for you to sign your application, though doing so will remove the warning given to the user at installation.

Introduction to www.symbiansigned.com

The Symbian Signed online portal currently resides at http://www.symbiansigned.com/. You will need to register at this site for all but the simplest of signing options. Registering on the site will also allow you to request UIDs and to keep track of the applications you sign.

The Future of Symbian Signed

Symbian Signed used to be administered by Symbian Software Limited. With the creation of the Symbian Foundation, the management responsibilities for Symbian Signed have transferred to the foundation.

The Symbian Foundation is an entirely independent entity, and as such, will reflect the views of the community in Symbian Signed. The Symbian Foundation is the custodian of the process on behalf of the community and will only make changes when they reflect the wishes of the community at large.

In this context, the community includes developers, device manufacturers and network operators amongst others.

Any changes to Symbian Signed will be made in consultation with the community, and advance notice will be given once any decision to change has been taken.

Who's Who In Symbian Signed

The Symbian Signed Team at The Symbian Foundation

The Symbian Signed Team manages the ongoing signing process, and also proposes and implements improvements to the process in conjunction with the community at large.

Whilst all requests for support should be raised in the usual way on the support forums, the team can be contacted to discuss ideas about the process and future improvements at symbiansignedteam@symbian.org

Certificate Authority

New Publisher IDs should be obtained from TC Trustcenter. More information can be found at http://www.trustcenter.de/en/products/tc_publisher_id_for_symbian.htm

Symbian Signed Test Houses

There are three Test Houses to which you can submit your application for Certified Signed. You don't need to submit your application to a Test House for any of the other signing options, although if you use Express Signed and your application is selected for audit, then your application will be submitted to a Test House by the Symbian Foundation.

Things To Do Before You Submit

Get the right tools

You will need some tools in order to sign your SIS file and to make your submission. Please check the full article on Symbian Signed Tools to find out what you need and where to find it.

Work out which capabilities you need

There are 20 capabilities protecting the sensitive functionality of the platform. Before you submit your application you will need to know which capabilities you require. Information on this can be found in the platform SDK, but some further guidance is given in the main article on capabilities.

Get your UIDs right

UIDs for your application must be obtained correctly from either the protected or unprotected range. A UID identifies the application to the system and ensures that it does not interfere with other applications. There are other, less commonly used, types of UIDs which affect signing, such as the Vendor ID functionality. More details on this are contained in the full article on UIDs.

Symbian Signed Testing

The Symbian Signed Test Criteria

The test criteria against which applications are tested before being signed are freely available from the Symbian Signed Test Criteria page. The Symbian Signed Test Criteria are designed to ensure that the application will not interfere with other applications on the phone, nor with the ability of the phone to make and receive phone calls and text messages.

To help you run the Symbian Signed Test Criteria yourself, and to understand what each of the tests is for, we have put together a guide which provides some discussion and advice for each of the test cases, and a little more information on the testing itself.

When do you need to run the tests?

The tests must be run before an application can be signed via either Express Signed or Certified Signed. With Express Signed, you must run the tests yourself and record the results in your submission. If you submit your application for Certified Signed, then the tests will be run by the test house to which you submit your application.

If your application is submitted via Express Signed and is selected for audit, then your application will be tested against the Symbian Signed Test Criteria, and so it is vital that you ensure your application complies with the Symbian Signed Test Criteria prior to submission in order to avoid the consequences of failing the audit.

Even though the test house will run the tests when you submit for Certified Signed, you should run the tests yourself first. If your application fails, then you will be liable for another testing fee if you resubmit, and you can avoid this by catching any failures yourself before you submit.

You don't need to run the tests before you sign your application using Open Signed Online or Open Signed Offline although it's still a good idea to understand the Symbian Signed Test Criteria and design your application with them in mind as your application will be required to pass them before it can be widely deployed on Symbian devices.

Running the Tests

Some of the tests only apply if you're writing an application of a certain type - for instance, a VoIP application will be tested to ensure it doesn't interfere with the operation of the in-built telephony application more than a non-VoIP application would be. You should be certain to read the Symbian Signed Test Criteria through before you start testing, and pay particular attention to the section which tells you what you'll need in order to run the tests.

When you run the tests, you should note down any failures (and correct them before submission to Symbian Signed) and any instances where you wish to claim an exception. If you wish to claim an exception, then you'll need to state that during the submission; exceptions cannot be applied for retrospectively.

Options for Signing

How to Choose Between the Signing Options

The signing options split into two pairs. One pair of options allows you to sign an application onto a limited pool of devices, and does not require compliance with the Symbian Signed Test Criteria. The other pair of options should be used to sign your application for wide distribution and will allow your application to install freely on Symbian devices, but do require compliance with the Symbian Signed Test Criteria.

Signing Your Application For Testing

The two signing options in this section are primarily to be used to sign an application for testing purposes, although Open Signed Online is also used to install an unsigned application onto your device for personal use.

A full article describing how you should sign your application for testing can be found here.

Open Signed - Online

This signing option allows you to quickly and easily sign an application for you to install onto your device. The signed application will be limited by IMEI number and will only install on the one device. However, this signing requires neither a www.symbiansigned.com login nor a Publisher ID and is free to use.

More details of what you need to do in order to use this signing option can be found here at the full article.

Open Signed - Offline

This signing option will allow you to create a Developer Certificate which you can then use to sign multiple applications multiple times, though the distribution of the application will be limited by IMEI number to the device pool specified when you create the DevCert.

More details of this signing option can be found here.

Signing Your Application For Distribution

You can distribute an unsigned application, and rely on the end user using Open Signed Online to sign the application before installing it onto their device. However, you can remove this burden from the user by signing your application in such a way that it's not limited by IMEI number.

The two signing options in this section are used to sign your application so that it can be installed without restriction on the IMEI number of the device(s). A full article presenting the two options side-by-side and allowing you to see which one is right for you can be found here.

Express Signed

This option provides a quick and easy way to sign your application without restriction by IMEI number to a particular pool of devices. You will need to test that your application complies with the Symbian Signed Test Criteria prior to submission as your application may be subject to a random audit and should it fail the audit, this will have consequences for your future projects.

Not all Capabilities are available to you using this signing option, however.

More details of this signing option can be found in the full article here.

Certified Signed

This is the most comprehensive signing option, and entails your application being sent to an independent Test House for signing. Through this option, you have access to the fullest range of Capabilities and are not subject to future audit of your application.

More details of this signing option can be found in the full article here.

Where to Find Out More...

Symbian Signed Forums

Other Information Sources

More in-depth information can be found by following the links on this page. A questions and answers page also contains a lot of information you may find useful.

Espen said…

"If you are writing a straight-forward application, then you should be able to avoid the signing process by not using APIs protected by capabilities. "

For S60 at least you HAVE to sign to get anything on the devices, self-signed being the easiest I guess. I think the comment above is misleading.

--Espen 10:56, 4 November 2009 (UTC)

Stichbury said…

@Espen: I agree. I've modified the #Signing in Context section - see what you think.

Please could you fill out your user page? It would be great to be able to put your future contributions to this wiki in context by having some background information.

Thanks! Jo

--Stichbury 14:48, 4 November 2009 (UTC)