Thawte signing for Java ME
This document describes how to code sign a Java ME app using Thawte. This is one of two mechanisms for avoiding security messages when accessing secured APIs.
Let's assume you want to get rid of those annoying security messages when accessing JSR-75 (or another), what can you do? There are 2 main ways to reduce the number of messages:
- Code signing
This document describes how to code sign a Java ME app using Thawte (the alternative is to use Verisign). Thawte provides certificates for US$ 299, cheaper than Verisign, and I just followed the whole process, so I'll describe the process, as it worked for me.
1) Generate keystore and CSR for JavaSoft Certificate
Follow this document from Thawte: Solution SO3186
You will use a tool from Sun called keytool.
You will end up with a keystore (which is basically a file where your keys are stored) and a CSR, which is a text that you must send to Thawte.
2) Buy certificate from Thawte
- Go to: Code Signing Certificate
- Choose Certificates for Organization or Individuals.
3) Prove Thawte that "you are you".
They'll ask you more information and maybe documents. In my case, our company is located outside the US (in Chile) and the whole process took 2 weeks. I guess if you are in the US, it will be much faster.
4) Import the certificate into your keystore
Read this small document from Thawte Solution SO1079
5) Sign your application
For this step, there is no information in Thawte's site. You may find this document Solution SO7517, but it's about signing standard jars, not midlets.
But I recommend you turn to Netbeans (I guess Eclipse will have a similar feature).
Open up your project, go to its Properties and the Signing tab. Check the "Sign Distribution" option and click in "Open Keystores Manager". Here you need to add the keystore you created in the step 1. Be sure to unlock your keystore and then your key.
Next, rebuild your project and Viola! Your application is signed!
To verify it, open the jad file. You will notice a number of new lines regarding the certification stuff. Also, your jar file will be a bit bigger than without the signing.