Java ME signing for dummies
So your MIDlet causes too many confirmation dialogs? Someone suggested signing for you? You are in the right place.
Want a theoretical overview of Java ME security policy? No? Then read on for a more down-to-earth story.
What certificates to use? Mostly the answer is VeriSign, Thawte, or Java Verified (but note that they cost money, and that Java Verified is in fact a certification and testing program). Note also that these certificates are widely available on various devices, but they are not available on all devices (device-level, regional, and operator-specific differences are many).
Are there any differences between Java Verified MIDlets and MIDlets signed with VeriSign/Thawte? Even though those MIDlets are signed against different root certificates, they are placed in the same security domain, called the trusted 3rd party domain (so the API access rights are the same between these MIDlets). Note also that this protection domain is sometimes called the identified 3rd party domain.
Yes, when you buy a certificate (usually for a certain duration of time - 1 or 2 years) you can use that certificate for signing for the duration of the certificate. You can install MIDlets on the phone even after that period, granted that the corresponding root certificate is still valid - which they should be until sometime in 2020...
What are the steps for signing? Check these step-by-step instructions to sign with a VeriSign certificate. After signing, the JAD file should be a little fatter (with RSA-SHA and Certificate chain attributes), whereas there are no changes to the JAR.
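A quick way to check that a JAD really did get "fatter" is to look for the signing attributes themselves. The following is an added example, not part of the original page: it assumes the MIDP 2.0 attribute names MIDlet-Jar-RSA-SHA1 and MIDlet-Certificate-<n>-<m>, uses a constructed sample JAD with dummy base64 values, and performs structural checks only (the RSA signature itself is verified by the device at install time).

```python
import base64
import re

# Constructed sample JAD (not from a real MIDlet); base64 values are dummy bytes.
SAMPLE_JAD = """\
MIDlet-Name: Demo
MIDlet-Version: 1.0.0
MIDlet-Vendor: Example
MIDlet-Jar-URL: demo.jar
MIDlet-Jar-Size: 1234
MIDlet-Certificate-1-1: MIIBAAAA
MIDlet-Certificate-1-2: MIIBAAAB
MIDlet-Jar-RSA-SHA1: AAECAwQFBgc=
"""
CERT_RE = re.compile(r"^MIDlet-Certificate-(\d+)-(\d+)$")

def parse_jad(text):
    """Return JAD attributes as a dict (one 'Name: value' pair per line)."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def signing_report(attrs, jar_bytes=None):
    """Summarise the signing attributes in a JAD and list structural problems."""
    problems, chains = [], {}
    for name, value in attrs.items():
        m = CERT_RE.match(name)
        if m:
            der = base64.b64decode(value, validate=True)
            if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
                problems.append(f"{name} is not a DER SEQUENCE")
            chains.setdefault(int(m.group(1)), []).append(int(m.group(2)))
    for n, idx in chains.items():
        if sorted(idx) != list(range(1, len(idx) + 1)):
            problems.append(f"chain {n} is not numbered 1..{len(idx)}")
    sig = attrs.get("MIDlet-Jar-RSA-SHA1")
    sig_len = len(base64.b64decode(sig, validate=True)) if sig else 0
    if bool(sig) != bool(chains):
        problems.append("signature and certificate chain must appear together")
    if jar_bytes is not None and str(len(jar_bytes)) != attrs.get("MIDlet-Jar-Size"):
        problems.append("MIDlet-Jar-Size does not match the JAR")
    return {"signed": bool(sig and chains), "signature_bytes": sig_len,
            "chains": {n: len(i) for n, i in chains.items()}, "problems": problems}
```

For a real MIDlet, pass the JAD text and the JAR file's bytes; the size check catches a JAR that was rebuilt without regenerating the JAD.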
No, you cannot install an additional certificate for MIDlet signing on your phone. It does not matter if you created the certificate yourself or if you got some root certificate from a trusted CA. (OK, OK, there is a bug on S60 2nd Edition devices which makes this possible...) And please, direct your complaints to the MIDP specification group.
What? You deleted a code signing certificate from your phone? No way to revert that. Sorry. See above.
You made changes to your MIDlet after signing? Seriously, no problem. Just sign the MIDlet again. (Of course if you got the signature from Java Verified after passing the tests, you need to go through the testing again and pay for the additional testing round.)