What do I need to do?
Some commonly asked questions are answered below, followed by technical details about application signing
On CommCare HQ, applications are signed each time a new version is made. If you make a new version after the certificate has entered service (September 26, 2013), it will be signed with the new certificate.
Upon opening CommCare, a mobile user would see the message: "Certificate invalid according to phone's date."
No. The application is signed after the version is created, and CommCare retains the binary for all of the prior versions, so you can make a new build of your app with its current CommCare version, regardless of which version of CommCare you are running. However, we do recommend that you consider updating CommCare if you are getting a new certificate in order to take advantage of new bug fixes and features available on newer versions of CommCare.
In order to release builds of CommCare onto J2ME phones with appropriate privileges, it is required that the CommCare.jar file (one of the files required to run your CommCare application) be digitally signed with a certificate issued against a known signing authority. This verifies that the files are issued by a vendor in good faith, and protects the application from being modified maliciously before running on the mobile phone.
Digital signatures must be renewed periodically to ensure that vendors who issue malicious software can be prevented from doing so in the future. This does mean that CommCare applications must be rebuilt on a regular schedule with the new signing signature. Applications which have been installed and run prior to expiration will continue operating indefinitely, but only if they are not removed/re-installed onto the phone (IE: application is on SD card, which is removed and re-inserted).
NOTE: This is only relevant to CommCare for J2ME/Java/Feature Phones, NOT CommCare ODK for Android Smartphones.
This list describes all of the current and previous code signing certificates used to sign valid CommCare releases, along with their expiration dates.
Certificate Valid From
Certificate Expiration Date
November 2, 2009
November 13, 2010
September 21, 2010
November 13, 2011
November 14, 2011
September 13, 2011
November 12, 2013
|September 26, 2013||September 24, 2011||November 12, 2015||Valid|
If you need to, you can remove the signing information itself from a CommCare.jad file. This will work around problems related to the phone lacking the appropriate root certificate authority, etc, but will severely restrict what functionality CommCare has access to.
NOTE: This workaround is not recommended, since it results in the application being unsigned. This leave the applicaiton vulnerable to malicious code and prevents the applications from accessing some privileges on the phone