BlackBerry Code Signing Server Outage

ThirdNormal writes "In a really painful move for most third party developers RIM's code signing servers have been down and having issues since the weekend started. This has caused a furor in the Blackberry Support Forum, and must surely exacerbate the defecting of developers from the Blackberry platform."

A little bit late

[AnotherShep]

The outage was resolved earlier today. But yeah, it's a bit of a pissoff.

Re:A little bit late

[zill]

Great, I can't wait until the slashdot story tomorrow about the outage being resolved. The suspense is killing me.

Re:

[idontgno]

And after that, a dupe about this exact code signing server outage. And some bitcoin spam.

I find the predictability comforting, TBH.

When will they learn?

[Normal Dan]

The easier you make it for people to develop on your platform, the better it will be.

Unless you're apple, then you can get away with anything it seems.

Re:

[grub]

Apple doesn't require access to their code signing servers to run an app-in-progress on development devices or the simulator.

If this outage happened at Apple , it would have affected (only?) those uploading apps to the store.

Re:

[Lucky_Norseman]

BlackBerry doesn't require signing on the simulator, only for running on the devices.
And the reason for requiring it on the devices is that there are no dedicated development devices. All devices can be used for development.

adb install

[tepples]

there are no dedicated development devices [for applications on the BlackBerry platform]. All devices can be used for development.

This is true of Android as well, but it doesn't need any sort of signature (other than perhaps a self-signature) to adb install a homemade program.

Re:

[yvajj]

You can install apps on the playbook without requiring signing if you install a debug token on the device.

Company is a required field

[tepples]

According to this page [deleteaso.com], to create a debug token, one must first sign up for signing keys. According to this page [blackberry.com], signing keys are without charge, but "Company" is marked as a required field in the form, which appears to imply that all developers must request keys on behalf of a company. Did RIM intend this to exclude individual hobbyists?

Re:

[Anonymous Coward]

Where else can you get a closed source compiler for $5.00 [apple.com]? Apple does have a strict review policy to get something through.

In comparison, Microsoft wants $800 [microsoftstore.com] for their blessing to build on their platform. There are workarounds on the Express editions, but it's more trouble than it's worth.

Android development is free [android.com]. Also, there isn't a review process to worry about.

Which platform is easiest?

What device on which to test?

[tepples]

Android development is free.

Development includes testing, which requires buying hardware on which to test. The last time I checked, Android-powered devices on which to test software were by and large more expensive because they tended to be $500 cell phones rather than $250 media players. People recommend the Archos 43 Internet Tablet as an Android-powered alternative to the iPod touch 4, but it doesn't come with access to Android Market. People recommend the Samsung Galaxy Player, but it wasn't even available for me to buy when I che

Re:

[shutdown -p now]

Where else can you get a closed source compiler for $5.00

The compiler in Xcode is Clang, which is not closed source. $5 for the IDE though, that's neat.

In comparison, Microsoft wants $800 [microsoftstore.com] for their blessing to build on their platform. There are workarounds on the Express editions, but it's more trouble than it's worth.

What workarounds? If you develop for Windows Phone, you download VS Express for WP [google.com], and that's that.

Which platform is easiest?

It's a wrong kind of question to ask. WP is probably the easiest for a really simple, barely-above-Hello-World kind of app, but the major problem there is with platform limitations (lack of APIs, no native code etc). On the other hand, Android is clearly the hardest to work with, as tools are nowhere near as polishe

DRM

[Nom du Keyboard]

DRM strikes again - and again and again and again...

Dihydrogen Monoxide

[snikulin]

You are not very technical, are you?
Code signing is a malware protection feature, not HDCP.

Re:

[JMZero]

It's not that simple. This outage also affected developers attempting to run their own code on their own development devices. That's not malware prevention (which can be served by limiting access to "App Stores" or something, like other competitors do). RIM is clearly concerned with platform control beyond any malware concerns - it's a kind of DRM.

Re:

[VortexCortex]

Yep, and it's very telling about the competency of RIM -- App signing didn't have to be implemented this way.

Look at the Web + SSL(TLS); Webmaster owner requests cert, CA creates cert for webmaster; Webmaster uses cert to sign their code. Different capabilities can be mentioned in certs in order to that allow the webmaster to perform different tasks such as create more certificates for others, or just sign/encrypt web pages for a given (sub)domain. (P.S. "webmaster" sounds dumb. I miss "SysOps".)

Do

Re:

[tepples]

Code signing is a malware protection feature

Sure, when your definition of "malware" includes everything developed by individuals working out of home offices. This is the case with, say, Nintendo.

Re:

[fuzzyfuzzyfungus]

You are not very technical, are you? Code signing is a malware protection feature, not HDCP.

Code signing is purely a mechanism for verifying that a given binary has not been modified since it left the hands of the party that also possesses a given private key. That's all it does, allows you to mathematically verify that a given series of bits has not been modified since it left the possession of somebody who knows a particular secret. Everything else depends on the infrastructure in which it is embedded.

This capability has a number of uses:
In concert with a system for authoritatively connecti

Re:

[sjames]

Code signing is only just malware protection when the device's owner has the power to do the signing. Otherwise, it's more akin to DRM even if the intentions are better.

Re:

[nurb432]

I agree, but code signing like this really has nothing to do with it.

Widespread Panic among the BB Dev Community

[Revotron]

All four remaining developers are considering switching to Android... oh, wait, if they're at all mindful of the future they're probably cross-compiling and porting everything anyway.

Re:

[fuzzyfuzzyfungus]

Maybe my coworkers and I are simply an anomalous use case; but I've seen exactly two third-party applications ever used on Blackberries: whatever the 'documents to go' or 'mobile documents' thing is that they bundle to give you some ability to read .doc and similar attachments, and the Citrix ICA client. All other use is either the built-in email application or the phone half of the device. How many BB developers are there?

Re:

[shutdown -p now]

How many BB developers are there?

You understand that you won't be getting any answers by asking a racy question like that in public, right? ~

Blackberry juice

[skjolber]

I must say that although I like Blackberry, but other FAILS and now this really disappoints me. And my customers. When people create sites like this:

http://isthesigningserverdown.com/beta/ [isthesigni...erdown.com]

then something is seriously wrong.

A short summery of the issue at hand: An application is divided into multiple files for over-the-air install. Each files is signed individually and might require signatures from more than one server, all depending on what APIs are in use. So at the moment I need 15-20 signatures p

Re:

[teh kurisu]

I once used that website to demonstrate to my boss why I'd missed a deadline. The low reliability of RIM's signing servers is definitely not a new problem.

Re:

[ThePhilips]

http://isthesigningserverdown.com/beta/ [isthesigni...erdown.com]

OMG. Most latencies are in "seconds" range [isthesigni...erdown.com]. No comments.