Comments on: Midlet Signing

By: Mahesh

Mahesh — Tue, 08 Feb 2011 09:09:45 +0000

Excellent article thank you

By: MihaiB

MihaiB — Wed, 22 Dec 2010 14:17:59 +0000

Cool article. Sad truth.

By: David C.

David C. — Tue, 30 Nov 2010 10:45:15 +0000

Hello:

I have a Thawte certificate (299$/year) and I want to sign my MIDlet. My app has two permissions: javax.wireless.messaging.sms.send and javax.microedition.io.Connector.sms.

First scenario:

I use Netbeans. If I try to sign my MIDlet, only the .jad file changes. Netbeans adds the following lines:

MIDlet-Certificate-1-1: MIIEJjCCAw6gAwIBAgIQHJqq1asymZ……..
MIDlet-Certificate-1-2: MIIEnDCCA4SgAwIBAgIQR5dNeHOlv……
MIDlet-Certificate-1-3: MIIERTCCA66gAwIBAgIQM2VQCH….

If I try to install this MIDlet sending the jad and the jar files throught Bluetooth, the installation goes ok. The app is secure. But if I try to send a SMS, (I push a “Send” command in a Form), the SMS is sent, but the application asks me before send the message!!!, each time.

The second scenario:

I try to install the application using only the .jar file.

I sign my application with jarsigner:

jarsigner -tsa https://timestamp.geotrust.com/tsa -keystore Keystore.p12 -storetype pkcs12 MyMIDlet.jar myalias

Doing this, the jar file increases it size. I can see inside the META-INF folder (inside the jar file), that:

1. The Manifest file has several digest. One for each file inside the jar:

Manifest-Version: 1.0
bla bla bla…

Name: res/icon.png
SHA1-Digest: NFzSgJ9d8aHy/v4thNG+sMAhNiQ=

Name: etc…

2. I have two new files: myalias.SF and myalias.RSA

But if I try to install this jar I obtain an error message: The application is not trusted!

Help!!

By: Robert Wagner - Utah Dermatology

Robert Wagner - Utah Dermatology — Tue, 27 Jul 2010 04:30:29 +0000

It’s just a way to make some easy money. 240 euro for such a simple test, give me a break.

By: mobile spy guy

mobile spy guy — Sun, 25 Jul 2010 14:49:34 +0000

now i have come to know that how does signing procedure work and why its so tedious and costly!! as mobile phone software developer i didn’t know this thing before!

By: vahndee

vahndee — Sun, 25 Jul 2010 05:13:40 +0000

i still dont get it, why we must get certificate? i think it was open source programming..
im sorry im still new.. but im interesting to develop in mobile
but when i read your article, it make me think twice..

By: David

David — Tue, 04 May 2010 07:07:25 +0000

What happens if I sign a MIDlet with a Thawte certificate with one year validation, and I install the MIDlet in my phone?

After one year using the MIDlet it crashes? Thank you!

By: serg

serg — Wed, 02 Dec 2009 15:22:48 +0000

Does anyone use this service for midlet signing – http://j2start.com ?

They say they will sign midlets with normal root certificate and cheap anough

By: Peter S.

Peter S. — Thu, 27 Aug 2009 13:16:08 +0000

Hi guy’s.

I wanted to write some gadgets for my own mobile and got super frustrated by this signing problem. Now I don’t know enough about certificates, but I bought a HTC and found a neat solution on http://www.xs2us.eu
Lately I got a Nokia from a friend, but this doesn’t work with the same trick. So I presume there even is a difference between the way different manufacturers apply Java security ? It sucks !

By: Garrett

Garrett — Mon, 09 Mar 2009 20:43:34 +0000

Oh and by the way, the $20 limited-use signing keys I got from RIM for signing BlackBerry only apps gave me 2,147,483,647(approx 2.2 billion) signing attempts.

$20 for 2.2 billion signing attempts for BlackBerry only, or upwards of $200-500/year for any phone.. I think I made the right choice