1 Reply Latest reply on Apr 10, 2018 12:48 PM by 6118c29f-c598-478c-a30e-5a7e4c3d92fc

    Allow only signed applets to be installed on JavaCard managed by GlobalPlatform


      I'd like to provision a JavaCard so that it only allows the installation of applets that are signed by a certain key. I am not sure whether this signature is part of the cap file format. I can already install a cap file from an Android device via code taken from GlobalPlatformPro. The GlobalPlatformPro README (https://github.com/martinpaljak/GlobalPlatformPro/blob/master/README.md) mentions application signing. But I am not sure this is the way to accomplish what I need to do. I am not even sure this is possible at all.

      1. How do I need to prepare a card to only allow installation of signed cap files?
      2. How do I create such a cap file?

      I can already lock a card with a certain key, and then this key is needed to install any cap file. But this would mean that I need to distribute the key with the cap files, so it can be installed. That is not an option as it would compromise the key.