Signing SIS Files

An installation (SIS) file must be signed with a digital signature, which helps in verifying the identity of the vendor. This ensures that the file has not been tampered with since it was signed.

Software install package files can be signed multiple times. However, it is not required to sign the file with multiple signatures at the same time. Signatures can be added and removed from a package file at any time if the relevant keys are available. SignSIS supports the signing of SIS files with self-signed certificates or Symbian developer certificates.

Self-signed certificates

The term self-signed means that the SIS file is signed by the creator of the SIS file. A SIS file is self-signed if it signed by a certificate that has been self generated. For example, using MakeKeys.

SIS files can be signed by Symbian application developers for programs that:

  • do not use any APIs protected by capability checks.

  • only require platform security capabilities that belong to the "user" or "basic" capabilities group. If the Software Installer is required to install a program with these capabilities, it can display capability information to the Symbian device user and provide an option to continue or cancel the installation.

    As long as the application requests no system capabilities, self-signed SIS files can be installed depending on how the installation policy has been configured by the device creator.

Note: Self-signed SIS files are not associated with a root certificate present on the device.

Symbian developer certificates

To test applications on Symbian devices, the SIS file can be signed with a Symbian developer certificate. This allows the application to be installed without the need for an external testing and signing process. Symbian developer certificates can be obtained through www.symbiansigned.com.

The usage of Symbian developer certificates is restricted to the following:

  • Usage with one or more listed phones only (through the IMEI/ESN number).

  • Validity until a specific date, after which the certificate expires.

  • An agreed set of capabilities that the certificate can grant.

  • A set of SIDs of executables that can be installed by the SIS file. If the SIS file package UID is in the protected range then it must be included in the list of UIDs in the certificate.

Note: A Symbian developer certificate is indirectly signed against one of the Symbian root certificates, which are present on the Symbian device by default.

Symbian signed program

Some applications require platform security capabilities that cannot be granted by the Symbian application developer. These programs must be tested externally and signed with a certificate, which the Software Installer recognizes as provided by a trusted entity.

This process is done through the Symbian Signed programme. For details on ACS Publisher ID certificates, Symbian developer certificates and the signing process, see www.symbiansigned.com.

MANDATORY certificates

If a certificate is marked as MANDATORY then any package certificate presented during the software installation, must have a certificate chain that resolves to this certificate (and any other certificates marked as MANDATORY). If the certificate chain does not resolve to a mandatory certificate, the installation fails. This feature prevents any unauthorized applications from being installed on the device.

Note: Unsigned or self-signed applications cannot be installed, if a MANDATORY certificate is present.

Related reference
SignSIS
MakeKeys