Symbian Developer Library



[Index] [Previous] [Next]

CreateSIS - Wrapper for MakeSIS, SignSIS and MakeKeys syntax



CreateSIS is a wrapper around around the PC tools MakeSIS, SignSIS and MakeKeys to automate the process of generating and signing SIS files. It supports creating new SIS files from package files, signing existing package files and generating new key/certificate pairs for purposes of signing.

If neither certificate or key are specified (as outlined in the Usage Scenarios section below), a self-signed certificate will be generated and used to sign the resulting SIS file. In addition, CreateSIS may be used to dump details of signatures and certificate chains into a pre-existing SIS file.



The following diagram shows how the PC based tool (CreateSIS) is used to construct an installation package (SIS file) from component files, using instructions detailed in a PKG file, and sign it.


Command-line syntax

From an MSDOS command-line prompt (or batch file) the syntax for using CreateSIS is as follows:

Command Description
createsis create [-cert <cert>] [-key <key>] [-pass <passphrase>] <pkgfile>

Creates and Signs a SIS File with a Trusted Key

createsis sign –cert <cert> -key <key> [-pass <passphrase>] <sis_input> <sis_output>

Signs a Pre-existing SIS File with a Trusted Key

createsis strip <sisfile>

Removes the most recent signature from the SIS file

createsis dump <sisfile>

Dumps the Certificates and Signatures in a Pre-existing SIS File

createsis –h | -?

Command line help


Argument Description


The certificate file used for signing


The certificate's private key file


The certificate's private key file's passphrase


The SIS file to be signed, unsigned or investigated


The SIS file generated by signing or unsigning


Name of the PKG file


If not specified, will be derived from the name of the PKG file, but with a SIS file extension


Usage scenarios

Create and sign a SIS file with a trusted key

The user, having previously obtained a trusted EE certificate (i.e. one that chains back to a trusted root in the target device SWI certstore) and matching key, may either specify the signing key/certificate pair on the CreateSIS command line, using the -key and -cert parameters as specified above, or using the package file syntax for specifying keys and certificates as defined in the MakeSIS documentation. This function uses the create method, and requires a package file as input. Optionally, the user may be required to specify a passphrase to decrypt the private key using the -pass parameter, this applies to both keys.


createsis create -cert trustedchain.pem -key eecertkey.key mypackage.pkg

Sign a pre-existing SIS file with a trusted key

As above, the user may initially sign, or resign a pre-existing SIS file using the sign method. To sign a package, a key and certificate chain must be provided on the command line. The output SIS file will be different to the input SIS file, so the original data is not destroyed.


createsis sign -cert trustedchain.pem -key eecertkey.key mysis.sis mysis-signed.sis

Dump the certificates and signatures in a pre-existing SIS file

A user may use the dump method of CreateSIS to display details of all valid signatures and the associated certificates in a SIS file they provide.


createsis dump myssis.sis

Create and self-sign a SIS file

In the event that no key/certificate pair is presented on the command line, or in the package file, then the create method will generate a key and matching self-signed certificate, and use these to sign the resulting SIS file.

In this situation, the DN in the certificate generated uses strings from the MakeSIS and locale settings from the host PC. The DN will include the follow attributes:

The generated certificate and key will be dumped into the current working directory, in files called cert-gen.cer and key-gen.key. If key-gen.key exists, then the certificate and key filenames will be indexed incrementally, i.e. cert-genx.cer and key-genx.key, where x is the incremental index.

Passphrase encryption is not an option. Users can provide it with the -pass option, or CreateSIS will prompt for the passphrase during key generation.

Also see the Notes section below.

Sign a pre-existing SIS file with a self-signed certificate

If, when using the sign method (as stated above) no key/certificate pair are supplied either as command line parameters, or indeed using the package file syntax, CreateSIS defaults to signing the specified SIS file with an automatically generated self-signed certificate.

All the notes on user interaction and certificate generation from the Create and Self-sign a SIS file section apply to this case too.



Self-signed certificate handling

Software Installation's (SWI’s) certificate handling has been modified such that, in the event of receiving a self-signed SIS file, it will validate the signatures chains without reference to the certificates contained in the SWI certstore. Pre-v9.1, self-signed certificate chains were rejected as invalid, as there would not have been a trust anchor present in the SWI certstore to act as root for the chain.

OCSP on self-signed certificates

SWI’s OCSP check has been changed such that it can appropriately evaluate certificate chains terminating at an untrusted root. While it continues to be the case that SWI alerts the user to unknown certificates in trusted chains during an OCSP check, this is now considered the normal state of affairs for self-signed certificates and the user should not be alerted to the fact.


Also see