Tizen applications must be code signed in two cases:
- to submit to the Galaxy Store
- to install the app on a Galaxy Watch device
Code Signing is a technique that assures the users of the security on Tizen. It ensures that the application code has not been modified after it was last signed. Tizen applications are (code) signed using a Certificate profile issued by Samsung.
This rest of document explains briefly about the Certificate profile concept and how to create it.
A Samsung Certificate Profile is a set of Samsung certificates required to sign a Tizen application. When you hit the build key in Visual Studio, the Visual Studio tools for Tizen performs application signing by adding a digital signature--generated by a certificate profile--to the tizen package file.
To create these certificates, first you need to install the Samsung Certificate Extension. After installing it, create the Samsung certificates using the Tizen Certificate Manager tool.
Installing Certificate Extension
Samsung Certificate Extension is an add-on SDK that enables you to create certificate profiles issued by Samsung.
Follow the steps below to install the Samsung Certificate Extension:
In Visual Studio menu, click Tools > Tizen > Tizen Package Manager, the package manager window will appear. Select Extension SDK tab from the package manager window.
Click the Configuration icon on the top right, the configuration window will appear. Toggle Auto Update to ON, and click OK. The update might take a few seconds.
Locate and install Samsung Certificate Extension in the Extras drop down menu.
After installing the extension, you can now use Samsung Certificate Manager tool to create Samsung certificates.
Creating a Certificate profile
You can create and manage Samsung Certificate profiles using the Tizen Certificate Manager tool. A Certificate profile consists of an author certificate and a distributor certificate.
Take the following steps to create your certificate profile:
In Visual Studio menu, click Tools > Tizen > Tizen Certificate Manager to launch the Certificate Manager.
In the Certificate Manager window, click the + button, the certificate manager window will appear.
Select Samsung.Note: Tizen certificate profiles allow you to install your application on a Tizen device, but it doesn't allow you to publish your application on the Galaxy Store.
Select Mobile/Wearable, and click Next.
Select "Create a new certificate profile". Enter a profile name, and click Next.
Create author certificate
An author certificate includes information about the developer of the application. The author certificate creates an author signature, which ensures the integrity of the application by the author since the publication of the application.
Take the following steps to create an author certificate:
Select "Create a new author certificate", and click Next.
Enter the author name and password, we recommended that you set a strong password. If you want to use the same password for the distributor certificate in the next step, select the check box as shown in the following figure:
Additional Fields contains more Certificate Signing Request(CSR) information to add, but are not mandatory. Click Next.
Samsung Account sign-in window will appear, you must have a Samsung Account to create an author certificate. Sign in or Create new account if you don't have an account.
Create a backup for your author certificate, and click Next.Warning: If you lose the author certificate, you cannot update any application that was signed with that certificate. We highly recommend that you backup the certificate.
The next window controls creating a distributor certificate, which we explain in the next section.
Create distributor Certificate
The distributor certificate ensures the integrity of the app store, such as the Galaxy Store. Thus, the distributor certificate that you create using the Certificate Manager is actually called a pseudo-distributor certificate. In fact, when you submit your application on the Galaxy Store, or any other store market, your distributor certificate will be switched to the actual distributor certificate of the store.
A pseudo-distributor certificate still has its purpose. Before submitting your application to the app store, a pseudo-distributor certificate defines a list of devices that can install your packages on. Specifically, your application package file can only be installed on devices in which their Device Unique ID(DUID) have been registered in your pseudo-distributor certificate. This ensures that the application can only be installed on your device and the ones that you have approved even when your package file is leaked. You can think of it as a "personal" distributor certificate.
Take the following steps to create a pseudo-distributor certificate:
Select "Create a new distributor certificate" to create a new certificate, and click Next.
Select the Privilege level for the distributor certificate.
Tizen APIs are categorized into 3 privilege levels according to their accessibility:
- Public level APIs are open to all Tizen software developments.
- Partner level APIs are used in software development for Samsung's business partners.
- Platform level APIs are used in Samsung internal software developments.
The application must be signed using a distributor certificate with the appropriate privilege level to use the corresponding APIs on the device. Partner privilege allows access to public level APIs, and platform privilege allows access to both public and partner level APIs.
Enter the password for your distributor certificate.
If you have selected the option to apply the same password from the author certificate earlier in the steps, the password is already written for you. If you want to change the password, type the new password.
Add individual DUIDs.
If you connect the device to the host PC, the device's DUID is automatically added to the list. You can add up to 50 DUIDs. The previous DUIDs in the list are not deleted even if you disconnect the device. To delete the DUIDs, click the trash icon on the right side of each DUID entry. If you don't know how to connect your Galaxy Watch to PC, follow the guides in How to connect the device to PC via WiFi.
Click Next to get the distributor certificate, then click Finish to get your certificate profile.