BlackBerry Code Signing Server Outage

Unknown Lamer posted more than 3 years ago | from the no-keys-for-you dept.

Blackberry 32

ThirdNormal writes "In a really painful move for most third party developers RIM's code signing servers have been down and having issues since the weekend started. This has caused a furor in the Blackberry Support Forum, and must surely exacerbate the defecting of developers from the Blackberry platform."

32 comments

A little bit late (1)

AnotherShep (599837) | more than 3 years ago | (#36739560)

The outage was resolved earlier today. But yeah, it's a bit of a pissoff.

Re:A little bit late (4, Funny)

zill (1690130) | more than 3 years ago | (#36739676)

Great, I can't wait until the slashdot story tomorrow about the outage being resolved. The suspense is killing me.

Re:A little bit late (1)

idontgno (624372) | more than 3 years ago | (#36739844)

And after that, a dupe about this exact code signing server outage. And some bitcoin spam.

I find the predictability comforting, TBH.

When will they learn? (1, Insightful)

Normal Dan (1053064) | more than 3 years ago | (#36739620)

The easier you make it for people to develop on your platform, the better it will be.

Unless you're Apple, then you can get away with anything it seems.

Re:When will they learn? (2)

grub (11606) | more than 3 years ago | (#36739880)


Apple doesn't require access to their code signing servers to run an app-in-progress on development devices or the simulator.

If this outage happened at Apple, it would have affected (only?) those uploading apps to the store.

Re:When will they learn? (1)

Lucky_Norseman (682487) | more than 3 years ago | (#36740506)

BlackBerry doesn't require signing on the simulator, only for running on the devices.
And the reason for requiring it on the devices is that there are no dedicated development devices. All devices can be used for development.

adb install (1)

tepples (727027) | more than 3 years ago | (#36740582)

there are no dedicated development devices [for applications on the BlackBerry platform]. All devices can be used for development.

This is true of Android as well, but it doesn't need any sort of signature (other than perhaps a self-signature) to adb install a homemade program.

Re:adb install (1)

yvajj (970228) | more than 3 years ago | (#36745306)

You can install apps on the PlayBook without requiring signing if you install a debug token on the device.

Company is a required field (1)

tepples (727027) | more than 3 years ago | (#36747700)

According to this page [deleteaso.com], to create a debug token, one must first sign up for signing keys. According to this page [blackberry.com], signing keys are without charge, but "Company" is marked as a required field in the form, which appears to imply that all developers must request keys on behalf of a company. Did RIM intend this to exclude individual hobbyists?

Re:When will they learn? (1)

Anonymous Coward | more than 3 years ago | (#36739938)

Where else can you get a closed source compiler for $5.00 [apple.com]? Apple does have a strict review policy to get something through.

In comparison, Microsoft wants $800 [microsoftstore.com] for their blessing to build on their platform. There are workarounds on the Express editions, but it's more trouble than it's worth.

Android development is free [android.com]. Also, there isn't a review process to worry about.

Which platform is easiest?

What device on which to test? (2)

tepples (727027) | more than 3 years ago | (#36740514)

Android development is free.

Development includes testing, which requires buying hardware on which to test. The last time I checked, Android-powered devices on which to test software were by and large more expensive because they tended to be $500 cell phones rather than $250 media players. People recommend the Archos 43 Internet Tablet as an Android-powered alternative to the iPod touch 4, but it doesn't come with access to Android Market. People recommend the Samsung Galaxy Player, but it wasn't even available for me to buy when I checked last week.

Re:When will they learn? (1)

shutdown -p now (807394) | more than 3 years ago | (#36742626)

Where else can you get a closed source compiler for $5.00

The compiler in Xcode is Clang, which is not closed source. $5 for the IDE though, that's neat.

In comparison, Microsoft wants $800 [microsoftstore.com] for their blessing to build on their platform. There are workarounds on the Express editions, but it's more trouble than it's worth.

What workarounds? If you develop for Windows Phone, you download VS Express for WP [google.com], and that's that.

Which platform is easiest?

It's a wrong kind of question to ask. WP is probably the easiest for a really simple, barely-above-Hello-World kind of app, but the major problem there is with platform limitations (lack of APIs, no native code etc). On the other hand, Android is clearly the hardest to work with, as tools are nowhere near as polished as either VS or Xcode, but you can do some nifty things there that are downright impossible on other platforms.

DRM (1)

Nom du Keyboard (633989) | more than 3 years ago | (#36739644)

DRM strikes again - and again and again and again...

Re:DRM (0)

Anonymous Coward | more than 3 years ago | (#36739762)

:OUCH: Thank you sir. May I please have another?

Dihydrogen Monoxide (1)

snikulin (889460) | more than 3 years ago | (#36739828)

You are not very technical, are you?
Code signing is a malware protection feature, not HDCP.

Re:Dihydrogen Monoxide (1)

JMZero (449047) | more than 3 years ago | (#36740340)

It's not that simple. This outage also affected developers attempting to run their own code on their own development devices. That's not malware prevention (which can be served by limiting access to "App Stores" or something, like other competitors do). RIM is clearly concerned with platform control beyond any malware concerns - it's a kind of DRM.

Re:Dihydrogen Monoxide (1)

VortexCortex (1117377) | more than 3 years ago | (#36743300)

Yep, and it's very telling about the competency of RIM -- App signing didn't have to be implemented this way.

Look at the Web + SSL(TLS); Webmaster owner requests cert, CA creates cert for webmaster; Webmaster uses cert to sign their code. Different capabilities can be mentioned in certs in order to allow the webmaster to perform different tasks such as create more certificates for others, or just sign/encrypt web pages for a given (sub)domain. (P.S. "webmaster" sounds dumb. I miss "SysOps".)

Do that for devs & code signing -- The code is still signed and can run on the device. If bad code is used, revoke the app's signature or the dev's cert. For developers another type of cert could be granted that only runs on devices that have dev-enabled certs. Devices used for development could be registered with RIM who then adds a CA to the device that can validate apps signed by dev. certs.

The dev-mode-device-cert and the dev-mode-app-cert pair would allow devs to create & sign apps that only registered dev devices could run, thus allowing developers to sign and run code while offline without worry that they will publish their debug-mode code to others (won't run on devices missing the dev-device-cert which is tied to the device serial, etc). Cert expiration dates can also be used to prevent perpetual dev-mode app usage.

Really, what it amounts to is that RIM doesn't understand how PKI works, so they have you upload your code for signing...

Headline: "Retarded Developers are Retarded by RIM"
(in the slow sense of the word, though brain-damage may also apply to some).
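
The delegated scheme VortexCortex describes above, narrowed to the dev-device case, as an added Go example that is not part of the original thread or any RIM code: the CA signs a developer certificate once, and signing and on-device verification then work offline. The `DevCert` layout, `Issue`, `Verify` and the serial strings are assumptions made for illustration; revocation is left out.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// DevCert (hypothetical format): signed once by the platform CA, then usable offline.
type DevCert struct {
	DevKey   ed25519.PublicKey // developer's own signing key
	Serial   string            // the one registered dev device this cert is valid on
	NotAfter time.Time         // expiry, so dev-mode builds cannot run forever
	CASig    []byte            // CA signature over the three fields above
}

func (c DevCert) tbs() []byte {
	return []byte(fmt.Sprintf("%x|%s|%d", c.DevKey, c.Serial, c.NotAfter.Unix()))
}

// Issue is the only step that needs the CA's infrastructure to be reachable.
func Issue(ca ed25519.PrivateKey, dev ed25519.PublicKey, serial string, exp time.Time) DevCert {
	c := DevCert{DevKey: dev, Serial: serial, NotAfter: exp}
	c.CASig = ed25519.Sign(ca, c.tbs())
	return c
}

// Verify is what the device runs, with no network access, before launching an app.
func Verify(caPub ed25519.PublicKey, c DevCert, app, sig []byte, serial string, now time.Time) error {
	switch {
	case !ed25519.Verify(caPub, c.tbs(), c.CASig):
		return errors.New("certificate not issued by platform CA")
	case now.After(c.NotAfter):
		return errors.New("certificate expired")
	case c.Serial != serial:
		return errors.New("dev certificate not valid on this device")
	case !ed25519.Verify(c.DevKey, app, sig):
		return errors.New("app signature invalid")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	cert := Issue(caPriv, devPub, "SERIAL-A", time.Now().Add(24*time.Hour))
	app := []byte("constructed app image") // signed locally below, no signing server
	fmt.Println(Verify(caPub, cert, app, ed25519.Sign(devPriv, app), "SERIAL-B", time.Now()))
}
```

A build signed this way is rejected on any device other than the registered one, and on every device once the certificate expires, without a per-build round trip to a signing server.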

Re:Dihydrogen Monoxide (2)

tepples (727027) | more than 3 years ago | (#36740540)

Code signing is a malware protection feature

Sure, when your definition of "malware" includes everything developed by individuals working out of home offices. This is the case with, say, Nintendo.

Re:Dihydrogen Monoxide (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36742038)

You are not very technical, are you? Code signing is a malware protection feature, not HDCP.

Code signing is purely a mechanism for verifying that a given binary has not been modified since it left the hands of the party that also possesses a given private key. That's all it does, allows you to mathematically verify that a given series of bits has not been modified since it left the possession of somebody who knows a particular secret. Everything else depends on the infrastructure in which it is embedded.

This capability has a number of uses:
In concert with a system for authoritatively connecting keys with IDs (whether this be a CA that isn't a fuckup, or users who are willing to web-of-trust, or an internal institutional PKI setup), it does indeed have substantial anti-tampering/anti-trojan value.
In concert with devices that forbid their users to override signature warnings, it does indeed have substantial platform-control/rent extraction value (see all current consoles and iDevices...).
In concert with a system that refuses to play certain movies if there are any unsigned components in the "protected content path", you bet it's a DRM feature...

It's sort of analogous to the conceptual confusion (or sometimes dishonesty) that causes people to talk about "security cameras". Cameras don't provide security, they collect photons and convert them into images or series of images. That's all they do. In some contexts converting photons into images may improve security. In other contexts, it may increase risk. In others, it will have no security-related effects whatsoever, positive or negative.

Re:Dihydrogen Monoxide (1)

sjames (1099) | more than 3 years ago | (#36744320)

Code signing is only just malware protection when the device's owner has the power to do the signing. Otherwise, it's more akin to DRM even if the intentions are better.

Re:DRM (1)

nurb432 (527695) | more than 3 years ago | (#36741094)

I agree, but code signing like this really has nothing to do with it.

Re:DRM (0)

Anonymous Coward | more than 3 years ago | (#36743728)

Yep, I wish my phone's marketplace was full of malware-oh wait.

Widespread Panic among the BB Dev Community (1)

Revotron (1115029) | more than 3 years ago | (#36739738)

All four remaining developers are considering switching to Android... oh, wait, if they're at all mindful of the future they're probably cross-compiling and porting everything anyway.

OK, SO LIKE, WHERE DO I GET THESE GROUPIES ?? (0)

Anonymous Coward | more than 3 years ago | (#36739958)

I want Connie for sure. But where can I get them? I checked amazon and that's not at all what I need!

The most painful (for RIM)... (0)

Anonymous Coward | more than 3 years ago | (#36740024)

The most painful fact that is clear here on slashdot is the few that actually do care about this issue. I read all the articles that come up in my reader but OMG 8 or now 9 comments even on the subject? That's gotta sting.

Re:The most painful (for RIM)... (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36742094)

Maybe my coworkers and I are simply an anomalous use case; but I've seen exactly two third-party applications ever used on Blackberries: whatever the 'documents to go' or 'mobile documents' thing is that they bundle to give you some ability to read .doc and similar attachments, and the Citrix ICA client. All other use is either the built-in email application or the phone half of the device. How many BB developers are there?

Re:The most painful (for RIM)... (1)

shutdown -p now (807394) | more than 3 years ago | (#36742726)

How many BB developers are there?

You understand that you won't be getting any answers by asking a racy question like that in public, right? ~

Re:The most painful (for RIM)... (0)

Anonymous Coward | more than 3 years ago | (#36742102)

There is always the 17th revival of the Commodore Amiga ...

Can't wait to hear about the security implications (0)

Anonymous Coward | more than 3 years ago | (#36740564)

Too suspicious to be a regular outage, I can't wait to hear about the security implications for this, was this the result of hack for the code signing servers? Sounds like a reasonable target given all the recent similar hacking targets!!!!

Blackberry juice (2)

skjolber (933754) | more than 3 years ago | (#36743064)

I must say that although I like Blackberry, other FAILS and now this really disappoint me. And my customers. When people create sites like this:

http://isthesigningserverdown.com/beta/ [isthesigni...erdown.com]

then something is seriously wrong.

A short summary of the issue at hand: An application is divided into multiple files for over-the-air install. Each file is signed individually and might require signatures from more than one server, all depending on what APIs are in use. So at the moment I need 15-20 signatures per application per build; even a fairly low chance of an unserved request still makes the system fail as a whole. And if one type of server is down, 100% of builds fail.

Re:Blackberry juice (1)

teh kurisu (701097) | more than 3 years ago | (#36746096)

I once used that website to demonstrate to my boss why I'd missed a deadline. The low reliability of RIM's signing servers is definitely not a new problem.
