
Sign App With Uicc Carrier Privileges Certificates

I was reading information on this link in regards to signing an application with carrier privileges. I am aware of how to sign an application using a keystore for production releas

Solution 1:

The question that you should ask yourself is actually a different one: How do I get the certificate for my app signing key into the UICC? Once you have that, the actual signing process is no different than with any other keystore.

So, you would have a keystore containing your signing key pair and a certificate for that key. The certificate could either be a self-signed certificate (that's typically the case for Android app signing keys) or a certificate issued to you by the UICC owner (MNO/carrier). In the first case, you would need to convince the UICC owner to add that self-signed certificate to the access control list (/application) on your UICC. In the second case, the carrier would typically include the root certificate corresponding to the certificate issued to you on the UICC.

You could then use that keystore to sign an app (just as you usually do).

Solution 2:

The accepted answer is actually not fully correct. In the SIM, there is no concept of a root certificate or such things.

All access rules (APK vs APPLET) are stored in ARA-M or ARA-D. Both ARA-M and ARA-D are just separate APPLETs, as per the Global Spec.

In the access rule, the APK signature and APPLET AID are stored to get the carrierprivilege() grant.

The APK signature here means the SHA1 (20B) of the actual signature of the APK. Whichever way the APK signature is derived (self-signed or a CA's certificate), the SHA1 will always be different. Hence, all the allowed signatures (SHA) have to be sent to the respective ARA-M. Now, to access ARA-M, you need either side channel keys (ENC, KEK, MAC) to manually send APDUs or an OTA link if it is a real live SIM.

By the way, there is no concept of an MNO root certificate inside the SIM. The SIM is still a decade back, except in the theory of GP and their SCP.
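The hash-based access rule described in Solution 2, as an added example that is not part of the original answers: it encodes one rule as TLV, decodes stored rules, and checks whether a given certificate is covered. Assumptions: the tag values and the 8-byte permission field follow Android's UICC carrier privileges documentation, the SHA-1 is taken over the DER-encoded signing certificate, the function names are hypothetical, and the two certificate byte strings are constructed stand-ins.

```python
import hashlib
# Tags from Android's UICC carrier-privilege rule encoding (assumed, not on this page).
REF_AR_DO, REF_DO, DEVICE_APP_ID, AR_DO, PERM_AR_DO = 0xE2, 0xE1, 0xC1, 0xE3, 0xDB
# Constructed stand-ins (not real DER) for two certificates of one developer.
SELF_SIGNED = b"constructed self-signed certificate bytes"
CA_ISSUED = b"constructed CA-issued certificate bytes"

def tlv(tag: int, value: bytes) -> bytes:
    """Encode a single-byte-tag BER-TLV; bytes() raises ValueError above 255 bytes."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value

def parse_tlv(data: bytes) -> list:
    """Decode to (tag, value) pairs; constructed tags (bit 0x20) hold a child list."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, n, i = data[i], data[i + 1], i + 2
        if n == 0x81 and i < len(data):
            n, i = data[i], i + 1
        elif n >= 0x80:
            raise ValueError("unsupported or truncated length")
        if i + n > len(data):
            raise ValueError("truncated TLV value")
        value = data[i:i + n]
        out.append((tag, parse_tlv(value) if tag & 0x20 else value))
        i += n
    return out

def build_rule(cert_der: bytes, perm: bytes = bytes(7) + b"\x01") -> bytes:
    """REF-AR-DO granting carrier privileges to one 20-byte SHA-1 certificate hash."""
    ref = tlv(REF_DO, tlv(DEVICE_APP_ID, hashlib.sha1(cert_der).digest()))
    return tlv(REF_AR_DO, ref + tlv(AR_DO, tlv(PERM_AR_DO, perm)))

def granted_hashes(rules: bytes) -> set:
    """Every DeviceAppID hash found in a concatenation of rules."""
    found, stack = set(), parse_tlv(rules)
    while stack:
        tag, val = stack.pop()
        if tag == DEVICE_APP_ID:
            found.add(val.hex())
        elif isinstance(val, list):
            stack.extend(val)
    return found

def has_carrier_rule(rules: bytes, cert_der: bytes) -> bool:
    return hashlib.sha1(cert_der).hexdigest() in granted_hashes(rules)
```

A rule built for `SELF_SIGNED` does not cover `CA_ISSUED`, which is why every allowed hash has to be provisioned separately.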
