Renewal of Midlet signing certificate

2012-08-03
2013-05-29
  • Markus Bäurle
    2012-08-03

    Hello everybody.

    In September 2010, we got a code signing certificate from Thawte through the sponsorship of FOSSGIS e.V., a German club which supports OSS projects in the area of geo information and which also holds the FOSSGIS conference.

    This was helpful for J2ME phones which only allow the user to switch off some security popups if the Midlet is signed with a well-known certificate (eventually only Thawte and VeriSign certificates can be considered well-known by almost all phones). One example of such a phone was the Sony Ericsson W800 which I used at that time.

    The certificate is about to expire and now the question is if this is still needed because the certificate is rather expensive ($549 for 2 years) and as I don't like to give Thawte money for "not much" in exchange, I don't want to spend the money if it is not necessary.

    So if you are a user of such a phone, which benefits heavily from the signed Midlets, then please reply. Don't hesitate, the club can spend the money, it's just as I said, I only want to spend it if it still makes sense.

    If you are unsure whether your phone falls under this category, then the Wiki page and forum for "Devices working" should help.
    If you see a difference regarding permission popups e.g. while exporting tracks and waypoints, between GpsMid downloaded from our file area, using an external map file, and one generated by Osm2GpsMid, then you benefit from the certificate.
    In these cases, please do reply here.

    Also if anyone has questions, please ask.

    Best regards,
    Markus

     
  • Libor Striz
    2012-08-03

    My Nokia E52, and I guess Nokias in general, would benefit,
    able to use uncompressed external maps of large area with rich styles, as ZIP access is slow.

    OTOH I could live with unsigned generated Midlets for smaller areas. 

    My today record for custom file sizes little bigger than "even bigger" is 75 MB midlet.

    # == Advanced parameters for configuring number of files in the midlet ===
    #  With less files more memory will be required on the device to run GpsMid.
    #  Larger dictionary depth will reduce the number of dictionary files in GpsMid.
    maxDictDepth = 30
    #  Larger tile size will reduce the number of tile files in the midlet.
    # Maximum route tile size in bytes
    routing.maxTileSize = 32000
    # Maximum tile size in bytes
    maxTileSize = 64000
    # Maximum ways contained in tiles for level 0-3
    maxTileWays0 = 3000
    maxTileWays1 = 6000
    maxTileWays2 = 6000
    maxTileWays3 = 6000
    )
    Recently only about 65 MB was possible for big files settings.

     
  • Markus Bäurle
    2012-08-17

    Hi poutnikl.

    Thank you very much for the feedback - interestingly, it's the only feedback so far.

    Are you sure that signed Midlets make a difference for you?
    As your phone is running SymbianOS, I would be astonished if it needed signed Midlets to allow file access without repeated security popups.

    Can you please find out by using your big external uncompressed map with an unsigned version of GpsMid?
    You can most easily generate it by running Osm2GpsMid with a small map area.
    If you don't know how to do this or have problems, please get back to me.

    As I wrote before, it's rather important to find out if anybody actually benefits from Midlet signing these days because if we don't have to do it any longer, it a) will save the club a substantial amount of money which I'd rather not pay to Thawte and b) will make our release process and especially the process of generating pre-bundled maps easier.

    Don't get me wrong, I don't want to hear a "No, it doesn't help me" from you if this is not true. :-) I just want to be sure.

    Best regards,
    Markus

     
  • Libor Striz
    2012-08-17

    Hi mbaeurle,

    It is interesting, I would have thought there would be many more such users.

    Well, technically,  it would make a difference for large area, like whole country with default or rich style.
    In such a case I would hit the Symbian limit of number of embedded files even with large or very large tiles ( as I was told it is not size limit ).
    Accessing large ZIPs is slow - at home I have to confirm how slow ( matter of size, no compression ),
    and accessing small file is always to be approved - confirmed.

    But in reality I do not use it much anymore, I used bundled midlet either reduced or for regional area only.

    So, if it would be just on me, you can abandon signed midlets.

    OTOH, I bet only a minimum of GPSMid users are active on GPSMid forums.

     
  • Jyrki Kuoppala
    2012-08-18

    "As your phone is running SymbianOS, I would be astonished if it needed signed Midlets to allow file access without repeated security popups."

    Consider yourself astonished then - opening a file does require confirmation every single time on every S60 phone I've used, when the midlet is not signed.

     
  • Jyrki Kuoppala
    2012-08-18

    BTW talking about signed midlets I wonder if the bug which appears on the Nokia E72 only with signed midlets is still there. Can't test without signing, but would be good to fix, even if it's not too bad, IIRC it was just an extra message which was a bit annoying to OK, but didn't appear to hurt any real functions.

     
  • fireball4
    2012-09-03

    I'm here because today I would try the new 0.8 build with my Nokia E52. Unfortunately it isn't signed anymore, too bad.
    Is there any newer version than 0.7.7 which is signed? You said the certificate has run out since a few days or weeks? Maybe you have signed some nightlies before?
    If not I have 3 possibilities:
    1.) I buy a new smartphone, which doesn't need signed midlets. For 549 bucks I will get a very very great phone because very few people responded to your question, so a new signed GPSMID-midlet seems to be out of reach.
    2.) I live with smaller midlets - that's a bad option, because I have to build many maps and to switch between them, routing over long distances isn't possible with that, too ;-(
    3.) Anyway, hoping for a signed GPSMID-build in the future and still using the old Version 0.7.7 for that unknown period of time ;-(   (It's the cheapest version to me, but not satisfying over time.)

    The best feature I'm missing in v0.7.7 is the "not routing anymore over barriers" (e.g. bollards, lift gates, etc.). Is this feature already included within v0.8-stable?

     
  • Jyrki Kuoppala
    2012-09-03

    "The best feature I'm missing in v0.7.7 is the "not routing anymore over barriers" (e.g. bollards, lift gates, etc.). Is this feature already included within v0.8-stable?"

    0.8 doesn't route via barriers (bollards etc.) but the nightly 0.8.0 again routes via barriers; apparently in some places not routing via barriers causes too often situations where GpsMid tries to route forever.  (There's a closed way / road behind a bollard, and GpsMid tries to find a route to enter the closed way/road, but will never succeed as the barrier causes it to be impossible to enter the closed road).

    I think the J2ME signing certificate hasn't expired quite yet, hopefully we will soon have some news about signing 0.8 or the forthcoming 0.8.1

     
  • fireball4
    2012-09-03

    "I think the J2ME signing certificate hasn't expired quite yet, hopefully we will soon have some news about signing 0.8 or the forthcoming 0.8.1"

    Sounds interesting, hopefully I haven't to wait too long for v0.8.1, because I'm quite excited ;-).

    "…apparently in some places not routing via barriers causes too often situations where GpsMid tries to route forever."

    I talk to that problem here, I will not disturb mbaeurle's certificate discussion in here.  ;-)

     
  • Jyrki Kuoppala
    2012-09-03

    Did some googling, and found someone saying Certum has offered certification for free to open source projects.

    Link given was http://www.certum.eu/certum/cert,offer_code_signing.xml and it does seem to talk about no-pay signing.

    Maybe it's not J2ME Midlets, though - talks only about "Java applets" and "Java-based application" wrt java.

     
  • Jyrki Kuoppala
    2012-09-03

    At least a while ago, one way to get a midlet signed was Nokia's online store - put the app for the store, and Nokia will sign it. Not sure about current situation though.

     
  • Jyrki Kuoppala
    2012-09-03

    Signing seems to be still possible via the Nokia store. Though it appears the app should pass a test procedure described in an 86-page document, Java Verified criteria. Don't know if the Nokia signature works for other devices than Nokia's, though.

    http://www.developer.nokia.com/Resources/Library/Publisher_Guide/#!prepare-content/prepare-apps/prepare-java-apps.html

     
  • fireball4
    2012-09-11

    Thanks again for signing the new v0.8.x versions ;-)

     
  • Matthew Takeda
    2012-09-13

    I have a Samsung SH A927 and it won't allow access to the filesystem with unsigned apps. Due to memory restrictions, maps of any reasonable size need to be on the MMC card. v0.7.7 was working fine, but v0.8.x do not, and now I can't get v0.7.7 to work either.

     
  • fireball4
    2012-09-13

    I'm sorry to hear that, but I can only witness that v0.7.7 and 0.8.2 of GPSMID work fine on my Nokia E52. It means for Nokia phones the certificate works fine but maybe not for Samsung phones?!?  I've heard rumors that not all certificates are accepted on all phones, some want/need/like Thawte and other Verisign certificates. I think the problem is the installed root certificates on the phones ex factory, but maybe I'm wrong.

    To be certain:
    I hope you have tried to install the files from here and not a file which you have created yourself with OSM2GPSMID because these files have no certificate with it.

     
  • Matthew Takeda
    2012-09-15

    Yes, the files I tried to install are the GpsMid-Generic-full-0.8.2-map72 jad/jar files dated 2012-09-09.

     
  • Markus Bäurle
    2012-09-29

    I uploaded the signed JAD files on 2012-09-10.
    So you have picked 0.8.2 before I signed it. Please retry with a newly downloaded JAD file (the JAR is not changed by the signing process).
    I know why I always criticized releasing of an unsigned version, shortly followed by the signed files - to avoid confusion like this.
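
Added example, not part of the thread or of GpsMid's code: because MIDP signing only adds attributes to the JAD and leaves the JAR untouched, a downloaded descriptor can be checked for the standard MIDP 2.0 attributes `MIDlet-Jar-RSA-SHA1` and `MIDlet-Certificate-<n>-<m>` before installing. The sample descriptors and the `signing_status` helper are constructed for illustration, and the base64 values are dummy bytes, not a real certificate or signature.

```python
import base64
import re

# Constructed sample descriptors (not GpsMid's real JAD files).
_SIG = base64.b64encode(bytes(range(128))).decode()        # dummy 1024-bit value
_CERT = base64.b64encode(b"\x30\x82" + bytes(60)).decode() # dummy DER-like bytes
UNSIGNED_JAD = ("MIDlet-Name: ExampleMidlet\n"
                "MIDlet-Version: 0.8.2\n"
                "MIDlet-Jar-URL: http://example.invalid/example.jar\n"
                "MIDlet-Jar-Size: 1024\n")
SIGNED_JAD = (UNSIGNED_JAD
              + "MIDlet-Certificate-1-1: " + _CERT + "\n"
              + "MIDlet-Jar-RSA-SHA1: " + _SIG + "\n")

ATTR = re.compile(r"^([^:\s]+)\s*:\s*(.*?)\s*$")
CERT = re.compile(r"^MIDlet-Certificate-(\d+)-(\d+)$")

def parse_jad(text):
    """Return the JAD's 'Name: value' attributes as a dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def signing_status(jad_text, jar_size=None):
    """Report whether a JAD carries a signature and a certificate chain."""
    attrs = parse_jad(jad_text)
    chains = {}  # chain number -> count of certificates in that chain
    for name, value in attrs.items():
        m = CERT.match(name)
        if m:
            base64.b64decode(value, validate=True)  # raises on corrupt base64
            chains[int(m.group(1))] = chains.get(int(m.group(1)), 0) + 1
    sig = attrs.get("MIDlet-Jar-RSA-SHA1")
    sig_bits = len(base64.b64decode(sig, validate=True)) * 8 if sig else 0
    problems = []
    if sig and not chains:
        problems.append("signature without certificate")
    if chains and not sig:
        problems.append("certificate without signature")
    # The descriptor must state the exact size of the JAR it points at.
    if jar_size is not None and attrs.get("MIDlet-Jar-Size") != str(jar_size):
        problems.append("MIDlet-Jar-Size does not match the JAR")
    return {"signed": bool(sig and chains), "chains": chains,
            "signature_bits": sig_bits, "problems": problems}
```

This only shows whether the descriptor is signed at all; checking the certificate's expiry date or the signature itself needs an X.509/RSA library.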

     

  • Anonymous
    2013-01-18

    Sorry, but I have the same problem with my Sonim XP 5300.
    I can't install the midlet and the unsigned version produces tons of permission requests.
    The latest file version of GpsMid-Generic-full-0.8.2-map72 is from 2012-09-09
    The certificate expired on 2012-09-21
    Can you please provide an updated file?
    That would really help! :)