BlackBerry Development Advisor (Retired)
gbeukeboom
Posts: 2,559
Registered: ‎10-16-2009
My Carrier: Bell

Re: What happens when the signing certificate expires?

Great point John and something I missed in my last post.

 

The answer is you *can* create a new .P12 certificate file and as long as it uses the same values as the previous then it will not break your upgrade path. Future signed apps will receive the same Author and Package IDs.

 

The issue comes with the RDK signature files which will need to remain original. These should be backed up as soon as registered (registering now creates a P12 automatically based on the company used when ordering your Tablet signing keys).

 

If you need to know the CN then you can either use the method outlined above by Peter or it can be viewed in the Signing menu of Native and AIR development tools.

 

Cheers,

Garett
@garettBeuk
--
Goodbye everybody!
Developer
peter9477
Posts: 6,447
Registered: ‎12-08-2010
My Carrier: none

Re: What happens when the signing certificate expires?

Thanks Garett.  So, if I understand correctly, and I really don't feel like I do yet, the answer to RottenOgre's original question is that we will generate a new .P12 file (somehow), and that will give us a new expiry time a year in the future, but we won't do this by using the https://www.blackberry.com/SignedKeys/ form but rather just something we run at the command line?

 

The "RDK signature files" you're talking about... are those the original two .csj files we got?  One with PBDT in them, and the other with RDK?  Or do you mean just the barsigner.csk (and perhaps barsigner.db) files?

 

When we first got the csj files (only the RDK one in my case, back on Feb 17), I think we did this first:

 

blackberry-signer -csksetup (and more options)

That appears to have generated the barsigner.csk file in \users\(username)\AppData\Local\Research In Motion, with a Salt=, and PrivateKey= entry.  Since the command required entering a "storepass", I assume that's what's stored there. (?)

Next we did this, entering both the storepass and our original csj PIN from when we used the web form:

blackberry-signer -register (and more options)

and that "registered with server", though I'm not sure I've ever seen a clear description of what that's actually doing.

 

Next we generated our certificate in the .P12 file, this time entering the storepass:

blackberry-keytool -genkeypair (and more options)

 

So, with respect to this certificate expiry question, are we just redoing the final step?  Generating a new key pair (certificate) with the identical CN= value, and then using it for the double signing procedure as before?


Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!
BlackBerry Development Advisor (Retired)
gbeukeboom
Posts: 2,559
Registered: ‎10-16-2009
My Carrier: Bell

Re: What happens when the signing certificate expires?

Hi Peter, 

 

 

The RDK and PBDT csj files are what gets mailed out to you after filling out the following form:

https://www.blackberry.com/SignedKeys/

 

Upon registering these keys the following files will be created:

barsigner.csk

barsigner.db

author.p12

 

The first 2 will not expire and must be backed up. The last one is a standard .P12 file which is not even specific to BlackBerry. You can create a new P12 using the following command:

blackberry-keytool -genkeypair -storepass <storepass> -author <company_name>

 This new P12 can then be used to double-sign your code as done previously.

 

Note, if you name the new P12 author.p12 and place it in the same directory as the barsigner.db then you can sign with 1 command:

blackberry-signer -storepass <KeystorePassword> <BAR_file.bar>

 You no longer need to sign manually with RIM keys then the P12.

 

Cheers,

 

Garett
@garettBeuk
--
Goodbye everybody!
Developer
peter9477
Posts: 6,447
Registered: ‎12-08-2010
My Carrier: none

Re: What happens when the signing certificate expires?

Interesting that the default validity now appears to be 7300 days (20 years). You need option "-validity 365" or whatever to make it something shorter, like a year.

Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!
Developer
RottenOgre
Posts: 274
Registered: ‎11-01-2010
My Carrier: WiFi

Re: What happens when the signing certificate expires?

[ Edited ]

Where does the new .p12 get stored? I tried that command, but I don't see the .p12 in the SDK bin directory, or in the directory where I entered the command. The command does seem to work though, as exporting a .crt shows a new certificate created today. I'm just missing the .p12 itself.

 

As a side note, the new certificate shows an expiry in 2032, so looks like only people who created their certificates before a certain date will have the one year expiry - everyone else should have 20 years.

BlackBerry Development Advisor (Retired)
gbeukeboom
Posts: 2,559
Registered: ‎10-16-2009
My Carrier: Bell

Re: What happens when the signing certificate expires?

Yep, the default validity length has been greatly increased :)

Garett
@garettBeuk
--
Goodbye everybody!
BlackBerry Development Advisor (Retired)
gbeukeboom
Posts: 2,559
Registered: ‎10-16-2009
My Carrier: Bell

Re: What happens when the signing certificate expires?

Check in the directory that the barsigner.db file is stored:

http://supportforums.blackberry.com/t5/Testing-and-Deployment/Backup-and-Restore-BlackBerry-Code-Sig...

 

The P12 is now automatically placed there and named author.p12 by default.

Garett
@garettBeuk
--
Goodbye everybody!
Developer
peter9477
Posts: 6,447
Registered: ‎12-08-2010
My Carrier: none

Re: What happens when the signing certificate expires?

[ Edited ]

Excellent, Garett!  Thanks.

 

I just created a new certificate:

C:\> blackberry-keytool -genkeypair -storepass STOREPASS -author "Engenuity Corporation" -keystore author.p12 -verbose -validity 365
Generating 521 bit EC key pair and self-signed certificate (SHA512withECDSA) with a validity of 365 days
        for: CN=Engenuity Corporation
[Storing author.p12]

I suspect the quotation marks are required if you have spaces or certain special characters in your company name, which mine does.

 

Edit: I hadn't seen Garett's followup before I posted... the output by default is "author.p12" and goes into the right location automatically, so you don't need the "-keystore author.p12" that I used above, and you don't need the manual copy step I used next...

 

I then copied that to the directory Garett mentioned (since I wasn't in it at the time):

C:\> copy author.p12 "c:\users\(username)\AppData\Local\Research In Motion"
        1 file(s) copied.

I then made a new build of my app, incrementing the version number since the last time I had signed it, and making sure "development mode" was not specified (i.e. no -devmode option on the command line, as I don't use the IDE).

 

Signed it the new way, with the addition of the -cskpass option which it appears is required:

C:\> blackberry-signer -cskpass MYCSKPASS -storepass STOREPASS BatteryGuru.bar
Info: Bar signed.
C:\> unzip -t batteryguru.bar
Archive:  batteryguru.bar
    testing: META-INF/MANIFEST.MF     OK
    testing: META-INF/AUTHOR.SF       OK
    testing: META-INF/AUTHOR.EC       OK
    testing: META-INF/RDK.SF          OK
    testing: META-INF/RDK.EC          OK
..

Looks like that's a wrap. :-)


Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!
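The `unzip -t` check in the post above can be scripted as a release gate. The following is an added example, not code from the thread or from BlackBerry's tools: it confirms that a BAR carries both the author and the RDK signature entries shown in that listing and that every entry passes its CRC check. It checks presence and archive integrity only, not the cryptographic validity of the signatures; the function names and the in-memory sample archives are constructed for illustration.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Signature entries per signer, as listed by `unzip -t` in the post above.
SIGNERS = {
    "author (P12)": ("META-INF/AUTHOR.SF", "META-INF/AUTHOR.EC"),
    "RIM (RDK)": ("META-INF/RDK.SF", "META-INF/RDK.EC"),
}


def check_bar(bar):
    """Return a list of problems for a BAR given as a path or file object."""
    try:
        with zipfile.ZipFile(bar) as zf:
            corrupt = zf.testzip()  # CRC check of every entry, like `unzip -t`
            sizes = {i.filename: i.file_size for i in zf.infolist()}
    except zipfile.BadZipFile:
        return ["not a readable zip/BAR archive"]

    problems = []
    if corrupt is not None:
        problems.append(f"CRC failure in {corrupt}")
    if MANIFEST not in sizes:
        problems.append(f"missing {MANIFEST}")
    for signer, entries in SIGNERS.items():
        for name in entries:
            if name not in sizes:
                problems.append(f"{signer}: missing {name}")
            elif sizes[name] == 0:
                problems.append(f"{signer}: {name} is empty")
    return problems


def build_sample_bar(names):
    """Build an in-memory archive with constructed placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    signed = [MANIFEST] + [n for pair in SIGNERS.values() for n in pair]
    print("double-signed:", check_bar(build_sample_bar(signed)))
    rdk_only = [MANIFEST, *SIGNERS["RIM (RDK)"]]
    print("author missing:", check_bar(build_sample_bar(rdk_only)))
```

An empty list means the archive is intact and both signers' entries are present; run it on the build output before uploading.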
Developer
RottenOgre
Posts: 274
Registered: ‎11-01-2010
My Carrier: WiFi

Re: What happens when the signing certificate expires?

Perfect. Just tested it and it works fine, installing over the existing application as expected.

 

Thanks :)

Developer
peter9477
Posts: 6,447
Registered: ‎12-08-2010
My Carrier: none

Re: What happens when the signing certificate expires?

RottenOgre, yes I meant to mention that I'd also tested by installing, and it nicely went right where it was supposed to, as an update to the existing app.

Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!