$Id: trustcenter-pys60-scripts.txt,v 1.1 2008/02/27 01:03:29 pmaoki Exp $

signing python scripts for the nokia S60 phone (pys60) using trustcenter certs

NOTE: this has only been verified on series 60 (S60) 3rd edition FP1 (and in
particular on the N95-1 and N95-3).

requesting, installing and signing python SIS files using a "free" developer
certificate (devcert) is a relatively common and well-understood process:

- download and install the DevCertRequest application.
- running the application with a single device IMEI and a list of capabilities
  results in a certificate request file (.csr) and an RSA private key file
  (.key).
- create an account on symbiansigned.com. (note that they block most "free
  email" providers.)
- upload the CSR file and download the resulting signing certificate (.cer).
- the .cer/.key files are used without modification to sign the SIS file
  (using tools such as ensymble).

(note that they have recently also been throwing additional arbitrary
restrictions into the registration and devcert request process.)

if you are a corporate developer and are testing on several devices, managing
SIS files for each device gets tedious. for a fee (US$200/year as of this
writing) and some basic incorporation documentation, you can obtain a
"publisher id" from the company to which symbian outsources its registration,
tc trustcenter (trustcenter.de). (note that they do not issue publisher ids to
individuals, only to institutions.)

a number of different passwords are used to protect certificates as well as
files (e.g., browser keystores) that contain multiple certificates. i am going
to assume that you are smart enough to figure out which one you need where. in
particular, you had better write down the password you used to request the
"publisher id" because you will need it to change certificate and key formats.
when you complete the registration process, trustcenter sends you an email
with a link that enables you to download the publisher id certificate/key to
your browser keystore. so now what?

- IMMEDIATELY export (IE) or backup (firefox) the publisher id certificate/key
  from the browser keystore so you don't lose it if your machine crashes!
  - in IE, export "with private key" as PKCS#12
  - firefox should automatically export with private key as PKCS#12

  you should now have an exported publisher id certificate/key bundle in
  PKCS#12 format (whether it is called .pfx or .p12).

- extract a code-signing certificate (.cer) and two private key (.key) files
  from the PKCS#12 certificate/key exchange file.
  - prerequisites:
    - windows: obtain TC-ConvertP12.zip from symbiansigned.com. this contains
      Win32 binaries for OpenSSL and a DOS batch file. mostly you just want
      the OpenSSL binary.
    - linux: you almost certainly already have OpenSSL installed - install it,
      if not.
  - generate a .cer file:

      % openssl pkcs12 -in tc.p12 -nokeys -clcerts -out tc.cer

    this says to extract only client certs (no CA certs or cert chains, and no
    private keys) and save them into a PKCS#12 private key exchange file
    (.cer).
  - generate a PKCS#8 private key .key file for symbiansigned.com:

      % openssl pkcs12 -in tc.p12 -nocerts -out tmp.pem -nodes

    this says to extract only private keys (no CA certs, cert chains, or
    client certs) and save them into an unencrypted PKCS#12 exchange file.

      % openssl pkcs8 -in tmp.pem -inform PEM -topk8 -out tc.key -outform PEM -nocrypt

    this says to convert the unencrypted PKCS#12 private key exchange file to
    an unencrypted PKCS#8 private key file.
  - generate a "traditional" private key .key file for code-signing:

      % openssl rsa -in tmp.pem -inform PEM -out sign.key -outform PEM -des3

    this says to convert the unencrypted PKCS#12 exchange file into a
    "traditional" (des3-encrypted) private key file.
- obtain DevCertRequest to produce a .csr file.
  - instead of using a self-generated private key, you now have a publisher
    id - so use tc.cer and tc.key from above.
  - you can now enter up to 1000 IMEIs (fortunately, the tool will import
    text files).
  - unlike the "free" process, no new .key file will be produced.
- sign the SIS.
  - to sign SIS files, use tc.cer and sign.key (NOT tc.key - it contains the
    same key but is not encoded in a format that ensymble understands).
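the extraction steps above as one script, added here and not part of the original note: it assumes the PKCS#12 password and a passphrase for sign.key are passed as arguments, builds a self-signed stand-in bundle (constructed, standing in for a real publisher id) so it can run offline, and checks that tc.cer, tc.key and sign.key all carry the same RSA modulus before any of them is handed to DevCertRequest or ensymble.

```shell
#!/bin/sh
# added example, not from the original note or from trustcenter/symbian.
set -eu

# extract_from_p12 P12 P12PASS SIGNPASS OUTDIR
# mirrors the note's three openssl steps: tc.cer (cert only), tc.key
# (unencrypted PKCS#8 for symbiansigned.com) and sign.key (traditional RSA,
# des3-encrypted with SIGNPASS, for ensymble). passwords are passed with
# pass: for the demo; use file: in real use so they stay out of ps output.
extract_from_p12() {
  p12=$1; pass=$2; signpass=$3; out=$4
  mkdir -p "$out"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$out/tc.cer"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/tmp.pem"
  openssl pkcs8 -in "$out/tmp.pem" -inform PEM -topk8 -nocrypt -out "$out/tc.key" -outform PEM
  openssl rsa -in "$out/tmp.pem" -inform PEM -des3 -passout "pass:$signpass" \
    -out "$out/sign.key" -outform PEM
  rm -f "$out/tmp.pem"   # tmp.pem holds the unencrypted key; drop it once converted
}

# keypair_matches OUTDIR SIGNPASS
# exits 0 only if the cert and both key files share one RSA modulus, i.e. the
# files really belong to the same publisher id before anything gets signed.
keypair_matches() {
  out=$1; signpass=$2
  c=$(openssl x509 -in "$out/tc.cer" -noout -modulus)
  k=$(openssl rsa -in "$out/tc.key" -noout -modulus)
  s=$(openssl rsa -in "$out/sign.key" -passin "pass:$signpass" -noout -modulus)
  [ "$c" = "$k" ] && [ "$k" = "$s" ]
}

# make_test_p12 P12 P12PASS
# constructed self-signed bundle used only so the script can run without a
# real trustcenter export (assumption: CN and lifetime are arbitrary).
make_test_p12() {
  p12=$1; pass=$2; d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example-publisher" -days 1 \
    -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" -passout "pass:$pass" -out "$p12"
  rm -rf "$d"
}
```

on a real export, skip make_test_p12 and call extract_from_p12 on your .p12/.pfx, then keypair_matches before running DevCertRequest.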