02-07-2012 12:44 PM
Great point John and something I missed in my last post.
The answer is you *can* create a new .P12 certificate file and as long as it uses the same values as the previous then it will not break your upgrade path. Future signed apps will receive the same Author and Package IDs.
The issue comes with the RDK signature files which will need to remain original. These should be backed up as soon as registered (registering now creates a P12 automatically based on the company used when ordering your Tablet signing keys).
If you need to know the CN then you can either use the method outlined above by Peter or it can be viewed in the Signing menu of Native and AIR development tools.
02-07-2012 01:42 PM
Thanks Garett. So, if I understand correctly, and I really don't feel like I do yet, the answer to RottenOgre's original question is that we will generate a new .P12 file (somehow), and that will give us a new expiry time a year in the future, but we won't do this by using the https://www.blackberry.com/SignedKeys/ form but rather just something we run at the command line?
The "RDK signature files" you're talking about... are those the original two .csj files we got? One with PBDT in them, and the other with RDK? Or do you mean just the barsigner.csk (and perhaps barsigner.db) files?
When we first got the csj files (only the RDK one in my case, back on Feb 17), I think we did this first:
blackberry-signer -csksetup (and more options)
That appears to have generated the barsigner.csk file in \users\(username)\AppData\Local\Research In Motion, with a Salt=, and PrivateKey= entry. Since the command required entering a "storepass", I assume that's what's stored there. (?)
Next we did this, entering both the storepass and our original csj PIN from when we used the web form:
blackberry-signer -register (and more options)
and that "registered with server", though I'm not sure I've ever seen a clear description of what that's actually doing.
Next we generated our certificate in the .P12 file, this time entering the storepass:
blackberry-keytool -genkeypair (and more options)
So, with respect to this certificate expiry question, are we just redoing the final step? Generating a new key pair (certificate) with the identical CN= value, and then using it for the double signing procedure as before?
02-07-2012 01:58 PM
The RDK and PBDT csj files are what gets mailed out to you after filling out the following form:
Upon registering these keys the following files will be created:
The first 2 will not expire and must be backed up. The last one is a standard .P12 file which is not even specific to BlackBerry. You can create a new P12 using the following command:
blackberry-keytool -genkeypair -storepass <storepass> -author <company_name>
This new P12 can then be used to double-sign your code as done previously.
Note, if you name the new P12 author.p12 and place it in the same directory as the barsigner.db then you can sign with 1 command:
blackberry-signer -storepass <KeystorePassword> <BAR_file.bar>
You no longer need to sign manually with RIM keys then the P12.
02-07-2012 02:18 PM
02-07-2012 02:20 PM - edited 02-07-2012 02:21 PM
Where does the new .p12 get stored? I tried that command, but I don't see the .p12 in the SDK bin directory, or in the directory where I entered the command. The command does seem to work though - as exporting a .crt shows a new certificate created today, I'm just missing the .p12 itself.
As a side note, the new certificate shows an expiry in 2032, so looks like only people who created their certificates before a certain date will have the one year expiry - everyone else should have 20 years.
02-07-2012 02:21 PM
02-07-2012 02:26 PM
Check in the directory that the barsigner.db file is stored:
The P12 is now automatically placed there and named author.p12 by default.
02-07-2012 02:35 PM - edited 02-07-2012 02:38 PM
Excellent, Garett! Thanks.
I just created a new certificate:
C:\> blackberry-keytool -genkeypair -storepass STOREPASS -author "Engenuity Corporation" -keystore author.p12 -verbose -validity 365
Generating 521 bit EC key pair and self-signed certificate (SHA512withECDSA) with a validity of 365 days
for: CN=Engenuity Corporation
I suspect the quotation marks are required if you have spaces or certain special characters in your company name, which mine does.
Edit: I hadn't seen Garett's followup before I posted... the output by default is "author.p12" and goes into the right location automatically, so you don't need the "-keystore author.p12" that I used above, and you don't need the manual copy step I used next...
I then copied that to the directory Garett mentioned (since I wasn't in it at the time):
C:\> copy author.p12 "c:\users\(username)\AppData\Local\Research In Motion"
1 file(s) copied.
I then made a new build of my app, incrementing the version number since the last time I had signed it, and making sure "development mode" was not specified (i.e. no -devmode option on the command line, as I don't use the IDE).
Signed it the new way, with the addition of the -cskpass option which it appears is required:
C:\> blackberry-signer -cskpass MYCSKPASS -storepass STOREPASS BatteryGuru.bar
Info: Bar signed.
C:\> unzip -t batteryguru.bar
testing: META-INF/MANIFEST.MF OK
testing: META-INF/AUTHOR.SF OK
testing: META-INF/AUTHOR.EC OK
testing: META-INF/RDK.SF OK
testing: META-INF/RDK.EC OK
Looks like that's a wrap. :-)
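The `unzip -t` listing in the post above shows the two signature pairs a double-signed BAR carries (AUTHOR.SF/AUTHOR.EC and RDK.SF/RDK.EC). The following is an added example, not part of the original thread or of the BlackBerry tools: a Python check that a BAR passes its CRC test and contains both pairs, so a build signed with only one key is caught before release. The function names and the acceptance of .RSA/.DSA blocks are assumptions; it checks structure only, not cryptographic validity.

```python
import io
import zipfile

# The thread's BAR uses .EC (ECDSA) blocks; .RSA/.DSA are assumed equivalents.
BLOCK_EXTS = {"EC", "RSA", "DSA"}


def signer_files(names):
    """Split top-level META-INF entries into .SF stems and block stems."""
    sf, blocks = set(), set()
    for name in names:
        head, _, leaf = name.upper().rpartition("/")
        stem, dot, ext = leaf.rpartition(".")
        if head != "META-INF" or not dot:
            continue
        if ext == "SF":
            sf.add(stem)
        elif ext in BLOCK_EXTS:
            blocks.add(stem)
    return sf, blocks


def audit_bar(bar, required=("AUTHOR", "RDK")):
    """List structural problems (CRC, presence, pairing); no crypto checks."""
    problems = []
    with zipfile.ZipFile(bar) as zf:
        bad = zf.testzip()  # CRC-checks every entry, like `unzip -t`
        if bad is not None:
            problems.append(f"CRC failure: {bad}")
        names = zf.namelist()
    if "META-INF/MANIFEST.MF" not in (n.upper() for n in names):
        problems.append("missing META-INF/MANIFEST.MF")
    sf, blocks = signer_files(names)
    for signer in sorted(set(required) | sf | blocks):
        if signer not in sf:
            problems.append(f"{signer}: no .SF signature file")
        if signer not in blocks:
            problems.append(f"{signer}: no signature block")
    return problems


def make_sample_bar(entries):
    """Constructed in-memory BAR; contents are placeholders, not signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ["META-INF/MANIFEST.MF", *entries]:
            zf.writestr(name, b"placeholder")
    return buf
```

Calling `audit_bar("BatteryGuru.bar")` on a real file returns an empty list when both signature pairs are present and each .SF has its matching block.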
02-07-2012 02:35 PM
02-07-2012 02:39 PM