I'm really annoyed about having to buy a J2ME code signing certificate to sign Java apps to run on my phone. The JSR have decided that you should not be able to install your own Java root certificates on your own phone, but you should be forced into buying one from VeriSign or Thawte each year, even if you are a developer. Thanks guys.
"For anyone else interested in lodging a complaint with the working group on MIDP 3.0 (JSR-271), download their early release draft, and scroll down to page 69. There you will find the following gem:
Early Draft Review: p69 - "Any Authority Certificates obtained after device manufacture MUST NOT be used for authentication of MIDlet suites."
Public Review: p67 - "Any Authority Certificates obtained after device manufacture MUST NOT be used as Protection Domain root certificate but MAY be used as Application Access root certificate."
The Plan - Please Donate
So, what I'm proposing is that a group of folks get together and buy a certificate and share it. It's possibly against the terms and conditions of the certificate, but if I want to develop apps to work on my own phone as a hobby, I shouldn't be forced to sign them each year to make them work properly. I'm sure one organisation can use a single certificate, and not use one per developer, so let's create our own organisation to do this.
Does anybody have an expired code-signing certificate? See Plan C
Once I get $299 I'll buy a Thawte certificate and let everyone who donated know how to join the 'organisation' and get access to the signing cert. After $800 I'll buy a VeriSign one.
I can understand that people may not be happy with contributing any money to a project that may unfortunately never come to fruition, so you may pledge to donate $20 via PledgeBank. If just 14 other folks do this, that's enough for our first certificate!
Hooray, we have our first couple of pledges and a donation, excellent! Let's hope this gets some momentum.
The Code Signing Providers
My N82 S60v3 has four J2ME trusted certificate authorities. I haven't verified that these are definitely the correct certificates that need to be purchased.
MIDP2 GeoTrust - I think this is for Java Verified certificates.
MIDP2 Nokia - Possibly for Nokia internal use only
Plan B - Hacking Phone Firmware
There are instructions on how to patch the firmware for a few models of S60 phones to allow you to do this. It's a bit too risky for me. http://www.symbaali.info/
Plan C - Cheap And Nasty
Does anybody have an expired code-signing certificate? Please donate it to the cause. You can sign with an expired certificate and install by setting the time back on your phone; the signature time is only tested on installation. This would be fine for a developer or for testing purposes.