Creating and Signing an Installation File

Introduction

A Software Installation (SIS) file can be generated as an unsigned, self-signed, or signed file. Self-signed and unsigned packages are considered to be unknown, and the Software Installer installs them depending on the security policy of the Symbian device.

If the SIS file is signed, the Software Installer validates the certificate chains and, based on the result of that verification, either installs the SIS file or aborts the installation.

Procedure

  1. Create a private key-public key pair and a certificate request using the MakeKeys tool. For details, see MakeKeys Tutorial.

  2. Submit the certificate request to a Certificate Authority (CA) and receive an authenticated digital certificate.

  3. Create a package (PKG) file containing all the elements required to create the installation file. For details, see PKG File Format.

  4. Run MakeSIS at the command prompt to create an unsigned SIS file. Specify the PKG file as the input argument, as shown in the following example:

        makesis mypackage.pkg

    MakeSIS generates an unsigned SIS file.

  5. Run SignSIS at the command prompt to sign the unsigned SIS file. Specify the unsigned SIS file as input, and the public key certificate and private key as arguments, as shown in the following example:

        signsis trustedchain.pem eecertkey.key mypackage.sis

    Based on the certificate provided as input, SignSIS generates a signed SIS file. For details, see Signing

Note: As an alternative to steps 4 and 5, run the CreateSIS tool at the command prompt to generate and sign the installation file in one step. Specify the trusted certificate-key pair as arguments, as shown in the following example:

        createsis create -cert trustedchain.pem -key eecertkey.key mypackage.pkg

The process of creating an installation file can be understood using the following illustration:

Notes

When you create a SIS file using the CreateSIS tool and do not specify the key or certificate on the command line, the create method generates a key and a matching self-signed certificate, and uses them to sign the resulting SIS file.

The generated certificate and key are written to the current working directory as the files cert-gen.cer and key-gen.key. If key-gen.key already exists, the certificate and key filenames are indexed incrementally, that is, cert-genx.cer and key-genx.key, where x is the incremental index.

Note: Passphrase encryption is not optional. The passphrase must be provided with the -pass option. If this option is not specified, CreateSIS prompts for the passphrase during key generation.
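
As an added example (not part of the original documentation or of the Symbian tools), the following Python build check flags the two signs of the self-signed fallback described in the Notes above: a createsis create command line that omits -cert or -key, and cert-gen/key-gen files left in the working directory. It assumes the incremental index x is written as decimal digits; the function names and the sample build script are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# File names CreateSIS gives the material it generates (see Notes above).
# Assumption: the incremental index x is written as decimal digits.
GENERATED = re.compile(r"(cert-gen\d*\.cer|key-gen\d*\.key)")


def missing_signing_options(command):
    """Return which of -cert/-key a 'createsis create' command line omits."""
    argv = command.split()
    if len(argv) < 2 or argv[1] != "create":
        return []
    # PureWindowsPath accepts both \ and / separators and strips ".exe".
    if PureWindowsPath(argv[0]).stem.lower() != "createsis":
        return []
    return [opt for opt in ("-cert", "-key") if opt not in argv[2:]]


def generated_key_material(directory):
    """List auto-generated certificate/key files left in a directory."""
    return sorted(p.name for p in Path(directory).iterdir()
                  if GENERATED.fullmatch(p.name))


def audit(build_script, workdir):
    """Collect findings that mean a SIS file was or will be self-signed."""
    findings = []
    for number, line in enumerate(build_script.splitlines(), 1):
        missing = missing_signing_options(line)
        if missing:
            findings.append(f"line {number}: createsis create without "
                            f"{' and '.join(missing)}")
    findings += [f"generated file present: {name}"
                 for name in generated_key_material(workdir)]
    return findings


# Constructed sample: a build script and a working directory after one run.
SAMPLE_SCRIPT = """\
createsis create -cert trustedchain.pem -key eecertkey.key mypackage.pkg
createsis create mypackage.pkg
createsis create -cert trustedchain.pem mypackage.pkg
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        for name in ("cert-gen.cer", "key-gen.key", "mypackage.sis"):
            Path(workdir, name).touch()
        for finding in audit(SAMPLE_SCRIPT, workdir):
            print(finding)
```

A non-empty result from audit() means a package would be, or already was, signed with a generated self-signed certificate and will therefore be treated as unknown by the Software Installer.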