Symbian Express Signed: sign your application yourself !

News posted October 16th, 2007 by eric
Keywords:

Symbian Ltd has today announced some further details on the evolution of the Symbian Signed program that are to be deployed later this year (expected time around november / december, but no official commitment yet).
Symbian Signed is currently a program with almost no option but the choice to sign for passive content or application. And if you sign an application, there is not much difference in the testing process if you develop a small game or a complex email client or whatever your business is (note that I didn't write that developing a game isn't a complex task as well!). The cost for submitting variants and evolutions to Symbian Signed makes development of several software not worth it, or at least not supporting it. The new evolutions of the program are a good move towards less burden, faster signature and less cost for the developer. Here are the different options:

Open Signed without Publisher Id


This scheme is intended for application under development. This is a free scheme where the application is signed online and no publisher id is required. The signed package can only be installed on a single device during 36 months. The 13 basic capabilities can be granted through this scheme (LocalServices, ReadUserData, WriteUserData, NetworkServices, UserEnvironment, SwEvent, ProtServ, TrustedUI, PowerMgmt, SurroundingsDD, ReadDeviceData, WriteDeviceData and Location).

Open Signed with a Publisher Id


This scheme is an evolution of the above and makes it easier for developer to sign applications for limited deployment to known devices. The limit has been raised to 1000 devices which would allow to conduct reasonable beta-testing of commercial applications. A valid Publisher Id is required to sign your application. This scheme is similar to the current process and you have to obtain a Developer Certificate fro; the Symbian Signed web site as well.

The benefits of this scheme:

  1. it allows you the access to four more capabilities (CommDD, DiskAdmin, MultimediaDD, NetworkControl).
  2. the application can install on up to 1000 devices.
  3. you can sign an unlimited number of applications with your developer certificate.

Access to sensitive capabilities (AllFiles, DRM, TCB) is still possible but requires specific demand to the device manufacturer.

Express Signed


This is the big news here. The Express Signed scheme gives commercial developers the ability to self-signed their applications and distribute them at a lower cost. The signature is almost immediate as no test houses are involved in the process: the user has the responsibility to test his application himself.

The process is similar to the current signing process:

  1. you need a valid Publisher Id (from TC TrustCenter only, Verisign ACSID cannot be used here)
  2. you sign the application with your private key and submit it to the Symbian Signed web site

The end of the process is slightly different. As no test house is involved, the signing process is almost immediate and is done by the Certification Authority. A fee of 20US$ will be required through Content Ids. These Content Ids can be bought from TC TrustCenter by pack of 10 for 200 US$ (which gives you access to 10 signing actions at 20US$ each). Bigger pack are available and the cost can go down to 10US$ per signature if you buy 500 signing actions at a time.

Some audit of the submitted application will be performed by Symbian and result will be published. In case of malware and really badly bahaving application, some more actions can be taken by Symbian.
Express Signed scheme allows access to the 13 capabilites available in the Open Signed without Publisher Id process.

Certified Signed


This scheme is the closest to the current existing scheme. The application is submitted by the developer to the Symbian Signed web site, a test house is involved and does the testing.

A valid Published Id from TC Trustcenter or Verisign is required and four extra-capabilities (CommDD, DiskAdmin, MultimediaDD, NetworkControl) can be granted through this certification.
Whether the program allows the access to the three most sensitive capabilities or not is a Device Manufacturer choice and typically is no for S60 where additional criteria may be required (see below).

Symbian Signed for Nokia


Symbian Signed for Nokia is the way to go to have access to these sensitive capabilities. It is mostly and Extension to the Certified Signed scheme except that it is done througn an invitation only website. To have access to this scheme, you need to send an Open Signed offline request to get the access to the capabilities explaining why you need them. Your request will be evaluated by Nokia and may be accepted or rejected. In case of success and after a bit of legal paperwork, you will be able to submit your application.
The application will go through a test house as for the standard certification. You have to note that extra requirements may be added by the manufacturer to the existing Symbian Signed requirements.