Java Application Signing

Last Certificate Rollover Date was November 12, 2013


Notice: CommCare's last security certificate renewal date was on November 12, 2013. This means that after November 12, 2013, Nokia phones will not allow you to install a copy of CommCare that was created before September 26, 2013, when the new certificate entered service.

What do I need to do?
If you are managing a deployment, all you need to do is go to the "Deploy" section and make a new version of each of your applications. Any time a new installation is performed, it should be done with a version that has been made since September 26, 2013. You may need to make and save a small change to enable making a new version.

Some commonly asked questions are answered below, followed by technical details about application signing.

FAQs

Q. Which projects are affected by the rollover?

All Java Phone projects which have versions built and in use from before September 26, 2013, when the new certificate was introduced. Android Projects are not affected by the certificate rollover.

Q. Will my versions currently installed and in use on phones keep working after the rollover date (November 12)? 


Yes. Applications which were "installed" (run at least once) before the certificate rollover will continue working on their current phone with no intervention. The only exception is if an application is being run directly from an SD Card, and the SD card is removed and re-inserted. In this case the phone will re-validate the certificate.

Q. How do I update an application to be signed against a new certificate?

On CommCare HQ, applications are signed each time a new version is made. If you make a new version after the certificate has entered service (September 26, 2013), it will be signed with the new certificate.

Q. How will I know if my CommCare mobile users are having a problem with their certificate?

Upon opening CommCare, a mobile user would see the message: "Certificate invalid according to phone's date."

Q. Is there any way to install an old version if I really need to?


Yes. If the phone gives you the error "Certificate invalid according to phone's date" when you try to run CommCare, you can still run that version.

Workaround - Change the phone's time

  1. On the phone, go to the settings menu, and configure the phone's date and time settings. Set the date to be before the certificate expired.
  2. Run CommCare at least once, being sure to set any of the necessary application access permissions beforehand.
  3. Return to the settings menu and set the phone's date and time to the correct value.

Q. Do I need to update which version of CommCare my application is built with (e.g., CommCare 2.3.0 to CommCare 2.8.0) in order to get the new certificate?

No. The application is signed after the version is created, and CommCare retains the binary for all of the prior versions, so you can make a new build of your app with its current CommCare version, regardless of which version of CommCare you are running. However, we do recommend that you consider updating CommCare if you are getting a new certificate in order to take advantage of new bug fixes and features available on newer versions of CommCare.

Q. What is going on with this anyway, why do I need to make new versions?


Applications on Nokia phones must be cryptographically "signed" to prevent them from being tampered with. This process requires a certificate from a trusted authority, which must be renewed bi-yearly. Each version of your app can only be "signed" for a certain timespan, so after the rollover period, once the old certificate has expired, new app installs should happen with versions signed against the new certificate.

Technical Details

Digital Release Signing

In order to release builds of CommCare onto J2ME phones with appropriate privileges, it is required that the CommCare.jar file (one of the files required to run your CommCare application) be digitally signed with a certificate issued against a known signing authority. This verifies that the files are issued by a vendor in good faith, and protects the application from being modified maliciously before running on the mobile phone. 

Digital signatures must be renewed periodically to ensure that vendors who issue malicious software can be prevented from doing so in the future. This does mean that CommCare applications must be rebuilt on a regular schedule with the new signing certificate. Applications which have been installed and run prior to expiration will continue operating indefinitely, but only if they are not removed/re-installed onto the phone (for example, when the application is on an SD card which is removed and re-inserted).

NOTE: This is only relevant to CommCare for J2ME/Java/Feature Phones, NOT CommCare ODK for Android Smartphones.

Certificate List/Schedule

This list describes all of the current and previous code signing certificates used to sign valid CommCare releases, along with their expiration dates.

| Service Entry | Certificate Valid From | Certificate Expiration Date | Status |
|---|---|---|---|
| | November 2, 2009 | November 13, 2010 | Expired |
| | September 21, 2010 | November 13, 2011 | Expired |
| November 14, 2011 | September 13, 2011 | November 12, 2013 | Expired |
| September 26, 2013 | September 24, 2011 | November 12, 2015 | Valid |

Manually unsigning an app

If you need to, you can remove the signing information itself from a CommCare.jad file. This will work around problems such as the phone lacking the appropriate root certificate authority, but will severely restrict what functionality CommCare has access to.

NOTE: This workaround is not recommended, since it results in the application being unsigned. This leaves the application vulnerable to malicious code and prevents the application from accessing some privileges on the phone.

  1. Locate and download the CommCare.jad *and* CommCare.jar files you wish to run on a phone
  2. Open the CommCare.jad file with a text editor on your computer
  3. Navigate to the bottom of the file and remove all lines which begin with the entries:
    1. MIDlet-Jar-RSA-SHA1
    2. MIDlet-Certificate
  4. Install CommCare onto the phone as usual
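
A deployment-side check for the state this procedure produces, as an added example (not CommCare's own code): it classifies a JAD as signed, unsigned or inconsistent, and shows that step 3 leaves an unsigned descriptor. The function names and the sample descriptor are assumptions made for illustration; the sample's attribute values are constructed placeholder bytes standing in for the base64 signature and base64 DER certificate a real JAD carries.

```python
import base64

SIG_KEY = "MIDlet-Jar-RSA-SHA1"
CERT_PREFIX = "MIDlet-Certificate"   # real attributes are MIDlet-Certificate-<n>-<m>

def parse_jad(text):
    """Parse 'Name: value' JAD attribute lines into (name, value) pairs."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return [(name.strip(), value.strip()) for name, value in pairs]

def signing_status(text):
    """Classify a JAD descriptor as 'signed', 'unsigned' or 'inconsistent'."""
    attrs = parse_jad(text)
    sigs = [v for n, v in attrs if n == SIG_KEY]
    certs = [v for n, v in attrs if n.startswith(CERT_PREFIX)]
    if not sigs and not certs:
        return "unsigned"
    if len(sigs) != 1 or not certs:
        return "inconsistent"        # signature without a chain, or the reverse
    try:
        sig = base64.b64decode(sigs[0], validate=True)
        ders = [base64.b64decode(c, validate=True) for c in certs]
    except ValueError:
        return "inconsistent"        # value is not valid base64
    # DER certificates begin with a SEQUENCE tag (0x30); the signature is non-empty.
    if not sig or any(not d.startswith(b"\x30") for d in ders):
        return "inconsistent"
    return "signed"

def strip_signing(text):
    """Step 3 of the procedure: drop the signature and certificate lines."""
    keep = [l for l in text.splitlines() if not l.startswith((SIG_KEY, CERT_PREFIX))]
    return "\n".join(keep) + "\n"

# Constructed sample: placeholder bytes, not a real signature or certificate.
FAKE_SIG = base64.b64encode(bytes(128)).decode()
FAKE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + bytes(16)).decode()
SAMPLE_JAD = (
    "MIDlet-Name: CommCare\n"
    "MIDlet-Jar-URL: CommCare.jar\n"
    "MIDlet-Jar-Size: 123456\n"
    f"MIDlet-Certificate-1-1: {FAKE_CERT}\n"
    f"MIDlet-Jar-RSA-SHA1: {FAKE_SIG}\n"
)

if __name__ == "__main__":
    print("as built:", signing_status(SAMPLE_JAD))
    print("after step 3:", signing_status(strip_signing(SAMPLE_JAD)))
```

This check only looks at the descriptor's structure; it does not verify the signature over CommCare.jar or the certificate's validity dates, which the phone does at install time.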