Symbian3/SDK/Source/GUID-AFBD4ED6-9588-531C-8EDF-566DB1D03088.dita
author Dominic Pinkman <dominic.pinkman@nokia.com>
Wed, 16 Jun 2010 10:24:13 +0100
changeset 10 d4524d6a4472
parent 0 89d6a7a84779
permissions -rw-r--r--
removal of PIPS 'antiword' example pending a decision on its license

<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) 2007-2010 Nokia Corporation and/or its subsidiary(-ies) All rights reserved. -->
<!-- This component and the accompanying materials are made available under the terms of the License 
"Eclipse Public License v1.0" which accompanies this distribution, 
and is available at the URL "http://www.eclipse.org/legal/epl-v10.html". -->
<!-- Initial Contributors:
    Nokia Corporation - initial contribution.
Contributors: 
-->
<!DOCTYPE concept
  PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept id="GUID-AFBD4ED6-9588-531C-8EDF-566DB1D03088" xml:lang="en"><title>Signing
SIS Files</title><prolog><metadata><keywords/></metadata></prolog><conbody>
<p>An installation (SIS) file must be signed with a digital signature, which
helps in verifying the identity of the vendor. This ensures that the file
has not been tampered with since it was signed. </p>
<p>Software install package files can be signed multiple times. However, it
is not required to sign the file with multiple signatures at the same time.
Signatures can be added and removed from a package file at any time if the
relevant keys are available. <xref href="GUID-B20EE8A3-D7B2-5872-AF43-001A88C1A46E.dita">SignSIS</xref> supports
the signing of SIS files with self-signed certificates or Symbian developer
certificates. </p>
<section id="GUID-52029821-0FA4-58C7-94B9-C6B845C42098"><title>Self-signed
certificates</title> <p>The term <i>self-signed</i> means that the SIS file
is signed by the creator of the SIS file. A SIS file is <i>self-signed</i> if
it signed by a certificate that has been self generated. For example, using <xref href="GUID-557BF1DA-B6E8-521B-89F0-15C84E3BCB1A.dita">MakeKeys</xref>. </p> <p>SIS
files can be signed by Symbian application developers for programs that: </p> <ul>
<li id="GUID-E2CB54EA-B638-5589-88FF-36DDA57E3388"><p>do not use any APIs
protected by capability checks. </p> </li>
<li id="GUID-717FBB11-F58A-5DE5-855A-F41A0CC9AF1B"><p>only require platform
security capabilities that belong to the "user" or "basic" capabilities group.
If the Software Installer is required to install a program with these capabilities,
it can display capability information to the Symbian device user and provide
an option to continue or cancel the installation. </p> <p>As long as the application
requests no system capabilities, self-signed SIS files can be installed depending
on how the installation policy has been configured by the device creator. </p> </li>
</ul> <p> <b>Note</b>: Self-signed SIS files are not associated with a root
certificate present on the device. </p> </section>
<section id="GUID-95FEC08E-0E38-5F88-9FE5-D2DE16BE08FD"><title>Symbian developer
certificates</title> <p>To test applications on Symbian devices, the SIS file
can be signed with a Symbian developer certificate. This allows the application
to be installed without the need for an external testing and signing process.
Symbian developer certificates can be obtained through <xref href="http://www.symbiansigned.com" scope="external">www.symbiansigned.com</xref>. </p> <p>The usage of Symbian
developer certificates is restricted to the following: </p> <ul>
<li id="GUID-01E1055E-C77B-5C42-B54F-EF7A396669BD"><p>Usage with one or more
listed phones only (through the IMEI/ESN number). </p> </li>
<li id="GUID-D78F1294-5BB2-52BE-BA31-C06D72261B28"><p>Validity until a specific
date, after which the certificate expires. </p> </li>
<li id="GUID-676EB812-5C9B-5291-8746-6FA50B41F651"><p>An agreed set of capabilities
that the certificate can grant. </p> </li>
<li id="GUID-8C79AB5F-6708-538E-A0EA-71D493D3D576"><p>A set of SIDs of executables
that can be installed by the SIS file. If the SIS file package UID is in the
protected range then it must be included in the list of UIDs in the certificate. </p> </li>
</ul> <p> <b>Note</b>: A Symbian developer certificate is indirectly signed
against one of the Symbian root certificates, which are present on the Symbian
device by default. </p> </section>
<section id="GUID-C35BB441-E849-5CC4-B1B8-C50C6F250129"><title>Symbian signed
program</title> <p>Some applications require platform security capabilities
that cannot be granted by the Symbian application developer. These programs
must be tested externally and signed with a certificate, which the Software
Installer recognizes as provided by a trusted entity. </p> <p>This process
is done through the Symbian Signed programme. For details on ACS Publisher
ID certificates, Symbian developer certificates and the signing process, see <xref href="http://www.symbiansigned.com" scope="external">www.symbiansigned.com</xref>. </p> </section>
<section id="GUID-D04B60BA-59A7-59FF-824F-2DC27CE01B74"><title> MANDATORY
certificates </title> <p>If a certificate is marked as <codeph>MANDATORY</codeph> then
any package certificate presented during the software installation, must have
a certificate chain that resolves to this certificate (and any other certificates
marked as <codeph>MANDATORY</codeph>). If the certificate chain does not resolve
to a mandatory certificate, the installation fails. This feature prevents
any unauthorized applications from being installed on the device. </p> <p> <b>Note</b>:
Unsigned or self-signed applications cannot be installed, if a <codeph>MANDATORY</codeph> certificate
is present. </p> </section>
</conbody><related-links>
<link href="GUID-03BBEA31-3266-5B1C-9017-4EE7EA4AF1A8.dita"><linktext>Creating
and Signing an Installation File</linktext></link>
<link href="GUID-B20EE8A3-D7B2-5872-AF43-001A88C1A46E.dita"><linktext>SignSIS</linktext>
</link>
<link href="GUID-557BF1DA-B6E8-521B-89F0-15C84E3BCB1A.dita"><linktext>MakeKeys</linktext>
</link>
</related-links></concept>