Java Application Signing
Last Certificate Rollover Date was November 12, 2013
FAQ's
Q. How do I update an application to be signed against a new certificate?
On CommCare HQ, applications are signed each time a new version is made. If you make a new version after the certificate has entered service (September 26, 2013), it will be signed with the new certificate.
Q. How will I know if my CommCare mobile users are having a problem with their certificate?
Upon opening CommCare, a mobile user would see the message: "Certificate invalid according to phone's date."
Workaround - Change the phone's time
- On the phone, go to the settings menu, and configure the phone's date and time settings. Set the date to be before the certificate expired.
- Run CommCare at least once, being sure to set any of the necessary application access permissions beforehand
- Return to the settings menu and set the phone's date and time to the correct value
Q. Do I need to update which version of CommCare my application is built with (IE: CommCare 2.3.0 to CommCare 2.8.0) in order to get the new certificate?
No. The application is signed after the version is created, and CommCare retains the binary for all of the prior versions, so you can make a new build of your app with its current CommCare version, regardless of which version of CommCare you are running. However, we do recommend that you consider updating CommCare if you are getting a new certificate in order to take advantage of new bug fixes and features available on newer versions of CommCare.
Technical Details
Digital Release Signing
In order to release builds of CommCare onto J2ME phones with appropriate privileges, it is required that the CommCare.jar file (one of the files required to run your CommCare application) be digitally signed with a certificate issued against a known signing authority. This verifies that the files are issued by a vendor in good faith, and protects the application from being modified maliciously before running on the mobile phone.
Digital signatures must be renewed periodically to ensure that vendors who issue malicious software can be prevented from doing so in the future. This does mean that CommCare applications must be rebuilt on a regular schedule with the new signing signature. Applications which have been installed and run prior to expiration will continue operating indefinitely, but only if they are not removed/re-installed onto the phone (IE: application is on SD card, which is removed and re-inserted).
NOTE: This is only relevant to CommCare for J2ME/Java/Feature Phones, NOT CommCare ODK for Android Smartphones.
Certificate List/Schedule
This list describes all of the current and previous code signing certificates used to sign valid CommCare releases, along with their expiration dates.
Service Entry | Certificate Valid From | Certificate Expiration Date | Status |
---|---|---|---|
| November 2, 2009 | November 13, 2010 | Expired |
| September 21, 2010 | November 13, 2011 | Expired |
November 14, 2011 | September 13, 2011 | November 12, 2013 | Expired |
September 26, 2013 | September 24, 2011 | November 12, 2015 | Valid |
Manually unsigning an app
If you need to, you can remove the signing information itself from a CommCare.jad file. This will work around problems related to the phone lacking the appropriate root certificate authority, etc, but will severely restrict what functionality CommCare has access to.
NOTE: This workaround is not recommended, since it results in the application being unsigned. This leave the applicaiton vulnerable to malicious code and prevents the applications from accessing some privileges on the phone
- Locate and download the CommCare.jad *and *CommCare.jar files you wish to run on a phone
- Open the CommCare.jad file with a text editor on your computer
- Navigate to the bottom of the file and remove all lines which begin with the entries:
- MIDlet-Jar-RSA-SHA1
- MIDlet-Certificate
- Install CommCare onto the phone as usual