This step-by-step guide describes how to sign sis packages with SISContents.
In order to sign a package you need certificate, corresponding private key and password to decode the key if it is encrypted. There are two different certificate types available for end users: self-signed certificate and Symbian developer certificate. The choice what certificate to use depends on package UID and capabilities application being signed needs. By default SISContents has a self-signed certificate and private key, delivered with the application, so you don’t need to make your own one. But in case developer certificate is needed and you don’t have it, you can submit a request on OPDA forums and other portals capable to make them as holders of Publisher Id (they are issued by Symbian anyway).
The features and limits of self-signed certificate are:
- it is not restricted to the list of devices with specified IMEI (i.e. no restrictions by IMEI);
- it can have different period of validity (for example, SISContents self-signed certificate is valid for 25 years);
- it can grant only a basic set of capabilities, which are called user grantable. These are: NetworkServices, LocalServices, ReadUserData, WriteUserData, UserEnvironment (and Location in S60v3.2 and newer S60 based devices and UIQ 3.0+ devices);
- suitable to sign packages with UID from unprotected range (0xA0000000 – 0xAFFFFFFF and test range: 0xE0000000 – 0xEFFFFFFF). Packages with UID from protected range cannot be signed against this type of certificate.
The features and limits of developer certificate are:
- it is restricted to the list of devices which IMEI(s) are specified in the certificate. This means that signed package can be installed only on these specified devices;
- fixed validity period – 3 years;
- it can grant basic set of capabilities (see self-signed certificate features and limits) and capabilities providing low-level access to system functions: Location (in S60v3.0 и S60v3.1 based devices, in others it is user grantable), ReadDeviceData, WriteDeviceData, PowerMgmt, ProtServ, SwEvent, SurroundingsDD, Trusted UI, CommDD, DiskAdmin, MultimediaDD, NetworkControl. Capabilities CommDD, DiskAdmin, MultimediaDD and NetworkControl are available only for certificates issued with Publisher Id;
- suitable to sign packages with UID both from unprotected and protected (0x00000000-0x7FFFFFFF) range.
To sign sis package with SIScontents you should do the following:
1. Run SISContents and open sis package you would like to sign (menu File->Open file)
2. Check the package UID. If it has value from protected range, developer certificate must be used for signing, regardless of capabilities. If the value is from unprotected range, the type of certificate depends on capabilities the executable files in the package require.
3. Check the capabilities of executable files in the package. For this switch to “Contents” tab and look at all files in the list. If one of the files require system capabilities (see features and limits of developer certificate), then developer certificate must be used. In case some files require AllFiles, DRM and TCB capabilities, the package cannot be signed, because neither self-signed nor developer certificate can grant them. If the package does not have any executable files, does not require any capabilities or require user grantable ones (see features and limits of self-signed certificate) and it has UID from unprotected range, self-signed certificate can be used.
4. If a package has several components (embedded package), UID and capabilities must be checked for every component. You can see all components at the list box in the top right part of the main windows of SISContents (right of the name of a package currently open).
5. In the menu press Tools->Sign package. There are two tabs in the signing dialog window: “Package” and “Key pairs”. On the package tab you can see the components of a package, the amount of signatures each component has, list box with the signing profiles and buttons “Add signature” and “Delete signature”. First you may need to add your own developer certificate to the list of signing profiles. To do this switch to “Key pairs” tab and specify the path to certificate file, its private key file, type the password for deciphering private key (if it is encrypted) and the name of the profile (in order you can distinguish added profiles). After that switch back to “Package” tab and depending on what certificate you need to sign the current package, choose the profile for signing and click “Add signature” button. If a package has several components they must be signed individually (note: the type of certificate should be determined for each component of the package according to the package UID and capabilities of that component). You must as well follow the rule: the child components are signed before their parents. After you click “Add signature” the newly added signature will appear in the list below the list of components.
6. Close the signing dialog and in the menu “File” select “Save as” to save your signed package.
For more information about Symbian SIS Packages. Click Here.