• Forums
  • >
  • Java
  • >
  • Required "Code Signing Certificates" really not code signing certificates
Reply to Post
Topic Options
whutchi
Skilled Spy
5 Posts
Member since ‎09.22.2008

Required "Code Signing Certificates" really not code signing certificates

Options

‎09.22.2008 12:31 PM

 The AT&T “Java Signing Specification” at http://developer.att.com/developer/index.jsp?page=toolsTechDetail&id=11300207 gives a table of “Code Signing Certificates” that lists 5 "Java Certificates". The only one for Verisign is labeled in the table as VeriSign Class 3 Public Primary Certification Authority, and its Fingerprint in the table starts with 742C.

I believe there is an error here. In my Nokia 6555 phone’s list of certificates, there is an entry called “Class 3 Public Primary Certificate” whose Fingerprint begins 742C (matching AT&T’s table). However, my understanding is that the Public Primary certificate is for browsers, not for code signing. My phone also lists a Verisign Class 3 Code Signing Certificate, but its Fingerprint starts with 2C07.

The very same thing is true for the Thawte certificates: there is a Code Signing Certificate and a Premium Server CA, and the one in the AT&T table is not the Code Signing Certificate despite that being the label for the table.

            So it looks like there is an error of one kind or the other in the AT&T documentation. The table calls the certificates Code Signing Certificates (with subheading Java Certificates), and Verisign sells a Java code signing certificate, and it is listed inside my phone, but the certificate they show in their documentation table, complete with Fingerprint, is a Public Primary Certificate rather than the Code Signing Certificate. Is this true, or do they also allow the Code Signing Certificate? Would the Code Signing Certificate work also? This is critical to me, since my midlet won’t work unless it is signed properly.

0
Reply to Post
whutchi
Skilled Spy
5 Posts
Member since ‎09.22.2008

Should I depend on the phone list of certificates, or the AT&T guideline list

Options

‎09.22.2008 07:16 PM

Let me simplify the question in the previous post: If a certificate is listed on the phone, can I trust that to mean it will enable access to a restricted API (in this case, MMAPI JSR135 audio RecordControl) that requires being a trusted app?  Referring to my previous post, can I get a Java Code Signing Certificate from Verisign or Thawte, which are listed in the phone but not in the list of 5 certificates in the AT&T documentation? It doesn't make sense to me to get a server certificate.

 

Thanks! I need help!

0
Reply to Post
  • of 1