02-14-2010 02:06 PM
I have got a key to sign the application for restricted API:s. It has been generated by the company I am developing for.
Where should I place this key? How do I sign my code with it?
Solved! Go to Solution.
02-14-2010 03:01 PM - edited 02-14-2010 03:05 PM
It depends on what you call the "key". Assuming sandard BlackBerry code module signing is used for restricting access to API, it could be the public key (1024 bit), it could be the private key (highly unlikely), it could be a .CSI file.
If you received a .CSI file, then you need to open it using the Signature Tool. As a result, your Signature Tool's public key will be securely registred with the web signer tool of the company that provided you with the .CSI file, and your Signature Tool's sigtool.db will be updated with the signer ID, customer ID, and signer URL for obtaining the signatures from that company.
If it's the public key (typically, a .key file with 128 bytes in hexadecimal ASCII representation), then it can't be used to obtain signatures.
If it's a private key, then please tell us what files you got (names and extensions).
02-14-2010 03:04 PM
P.S. Another case I forgot to mention is that you were given a sigtool.csk and sigtool.db files, which contain the company's customer ID(s) and the private key for authenticating to RIM signing servers for the purpose of obtaining code signatures from RIM. In this case you should simply make the Signature Tool use these files (if you use the Signature Tool from its standard location, <JDE HOME>/bin, then simply copy these two files to that location).
02-14-2010 03:45 PM
Sorry not being specific about the key.
The key has filtype "key". It has been created in order to sign cod files that need to use restricted API:s. The instructions included a function to send the key to the developer. How the developer should use the key where not very specific.
02-14-2010 04:20 PM
OK. Is the .key file a one line text file with groups of two hexadecimal (ASCII) digits separated by spaces and roughly 3 kB in size? If that's the case, then the file is the 1024-bit RSA public key that can be used to verify signatures or restrict access to APIs exported by your code or to Persistent Store objects used by your/their code. It cannot be used to generate or obtain signatures.
Please confirm whether the company is running their own Signing Authority (i.e., they installed RIM's Password Based Signing Authority suite). If they do, find out whether they are running the websigner Windows service. If they do, then they need to use the Signing Authority Administration tool to create a new customer, generate a .CSI file, and send it to you. The .CSI file will then tell your Signature Tool how to connect to the above websigner service (via HTTP) and register with the Signing Authority.
P.S. If the company is running their own Signing Authority, then that application suite will have generated a 1024-bit RSA key pair for signing. The .key file contains the public key of the pair. The only reason for you to include that public key into your code is to be able to programmatically verify whether a code module is signed by the above Signing Authority and/or to restrict access to APIs exported by your code, and to restrict access to Persistent Storage objects only to code that was signed by the above Signing Authority.
02-14-2010 04:32 PM
Must have misunderstood something. The company I am developing for created the keys as per the instructions and signed the cod files I have sent to them. They have a set of signed .cod files. Clicking on the cod files shows information that the .cod files are "Signed".
If I understand you, they are the only ones that can sign the files? I believed I could sign the files with the help of the .key file before sending them the .cod files.
What do I need in order to be able to sign the files before I send them?
02-14-2010 04:42 PM - edited 02-14-2010 04:46 PM
As per what instructions did the company create the keys you're referring to? Which keys are those? Please explain what that company is trying to achieve in detail. The code signing process is typically so misunderstood that it's really hard to establish what's happening when more than one party is involved (broken phone effect).
When most people talk about signing keys, they mean the key used by the Signature Tool to request signatures from RIM and other sources. Those people who run these "other sources" (signing servers, File/Web Signing Authority) start to understand the difference between the authentication keys and the actual signing keys. It's hard to say what group your company belongs to.
I'm trying to guess here, but it sounds like either the company installed their own Signing Authority letting it issue its own code signatures (which are not the same as the standard RIM signatures) with a non-standard signer ID (4-letter long ID) or the company is simply trying to get signatures from RIM (e.g., RBB, RRT, RCR, RCC).
If they are running their own Signing Authority, then it is possible for them to take your COD files and sign them. To automate this process, they could let your Signature Tool on your PC(s) request and obtain their signatures using the same protocol as the Signature Tool uses for RIM standard signatures. To do that though the company needs to generate (using the Signing Authority Administration Tool) and issue you a .CSI file for their signer ID.
02-14-2010 04:44 PM - edited 02-14-2010 04:45 PM
P.S. I suppose the first question to ask the people at the company is how they signed your COD files. Did they use the Signature Tool which requested all of the signatures from RIM, or did they use the File-Based Signing Tool (part of the Password Based Signing Authority suite) to issue their own signature(s), or did they use the Signature Tool to request their own (i.e., non-RIM) signatures from their own signature service/server.
02-14-2010 05:28 PM
I am the developer and my customer is a small company marketing the product. I have been developing using the simulator. Some of the code uses restricted API:s. My customer requested keys and got the 3 .csi files , installed the Signing tool and followed the instructions.
The cod files where then signed. Clicking on the .cod files says that they are signed. Is that evidence that the cod files should be able to access restricted API? Trying to run the application on a real device failed. Message "moblib is trying to access a restricted API" was encountered. So I wanted to run the application using the simulator and set "enable device security" to figure out why it is not working. Is there any way I can sign the modules or do I have send the cod files to them every time I have made a change in the code in order to get them signed?
I can readily understand why this signing concept is very much misunderstood since it is not really explained anywhere. (that I know of, and I have asked) If you have no experience in this field it is utterly confusing especially since it obviously cover several types of signing and different methods of signing. The instuctions do not explain, just tells what to do.
So what are the simplest way to get the application that uses restricted API:s running on a real device?
02-14-2010 05:47 PM
Is there any good reason why your customer/company has the keys instead of you? A much better setup is where you sign the code yourself. From the customer's perspective, unsigned code isn't really a full product as it won't run on BlackBerrys. I see no reason why it should be their responsibility to sign the code you deliver to them.
Provided you agree with the above, you should've bough "a set of keys" from RIM instead of your customer. You can then use these keys to obtain signatures for your code from RIM whenever you want (as long as their signing servers aren't down) and as many times as you want. The customer simply gets the signed CODs and will only need to worry about marketing.
The good news is that is seems there's no non-RIM Signing Authority is involved, which makes things much easier.
I suggest you buy the signing privilege from RIM ($20 or so). This is colloquially called "purchasing your own set of (signing) keys", but it's really a misnomer. All you get are actually three or four .CSI files which register your Signature Tool with RIM for the purposes of obtaining signatures from RIM in the future. In the interim, while you're obtaining these, you could request that the customer give you their copy of sigtool.csk and sigtool.db (located in the "bin" directory of JDE/Eclipse Plug-In) and the password for the key (that's the password they entered when they managed to sign your CODs). You can then place the two files into the directory from which you run the Signature Tool (usually the "bin" directory of the JDE/Eclipse Plug-In installation). Note that every time signing fails or succeeds, the customer will get an e-mail from RIM. That's why it's a better idea to register with RIM yourself.
You also mentioned that even the signed CODs wouldn't run on actual BlackBerrys. This means they are missing a required signature. This may have happened because your customer signed the CODs instead of you (the build process generates .csl and .cso files which list the required and optional signatures, which the Signature Tool uses as a hint -- you didn't provide the customer with these files, I suppose). To find out what signature is missing, install the CODs, clear the Event Log, cold-reboot the handheld by pulling the battery, reproduce the error prompt, obtain the Event Log and post it here.