Slashdot Mirror


BlackBerry Code Signing Server Outage

ThirdNormal writes "In a really painful move for most third party developers RIM's code signing servers have been down and having issues since the weekend started. This has caused a furor in the Blackberry Support Forum, and must surely exacerbate the defecting of developers from the Blackberry platform."

32 comments

  1. A little bit late by AnotherShep · · Score: 1

    The outage was resolved earlier today. But yeah, it's a bit of a pissoff.

    1. Re:A little bit late by zill · · Score: 4, Funny

      Great, I can't wait until the slashdot story tomorrow about the outage being resolved. The suspense is killing me.

    2. Re:A little bit late by idontgno · · Score: 1

      And after that, a dupe about this exact code signing server outage. And some bitcoin spam.

      I find the predictability comforting, TBH.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  2. When will they learn? by Normal+Dan · · Score: 1, Insightful

    The easier you make it for people to develop on your platform, the better it will be.

    Unless you're apple, then you can get away with anything it seems.

    --
    A unique way to learn a language: http://languageloom.com
    1. Re:When will they learn? by grub · · Score: 2


      Apple doesn't require access to their code signing servers to run an app-in-progress on development devices or the simulator.

      If this outage happened at Apple, it would have affected (only?) those uploading apps to the store.

      --
      Trolling is a art,
    2. Re:When will they learn? by Anonymous Coward · · Score: 1

      Where else can you get a closed source compiler for $5.00? Apple does have a strict review policy to get something through.

      In comparison, Microsoft wants $800 for their blessing to build on their platform. There are workarounds on the Express editions, but it's more trouble than it's worth.

      Android development is free. Also, there isn't a review process to worry about.

      Which platform is easiest?

    3. Re:When will they learn? by Lucky_Norseman · · Score: 1

      BlackBerry doesn't require signing on the simulator, only for running on the devices.
      And the reason for requiring it on the devices is that there are no dedicated development devices. All devices can be used for development.

    4. Re:When will they learn? by shutdown+-p+now · · Score: 1

      Where else can you get a closed source compiler for $5.00

      The compiler in Xcode is Clang, which is not closed source. $5 for the IDE though, that's neat.

      In comparison, Microsoft wants $800 [microsoftstore.com] for their blessing to build on their platform. There are workarounds on the Express editions, but it's more trouble than it's worth.

      What workarounds? If you develop for Windows Phone, you download VS Express for WP, and that's that.

      Which platform is easiest?

      It's a wrong kind of question to ask. WP is probably the easiest for a really simple, barely-above-Hello-World kind of app, but the major problem there is with platform limitations (lack of APIs, no native code etc). On the other hand, Android is clearly the hardest to work with, as tools are nowhere near as polished as either VS or Xcode, but you can do some nifty things there that are downright impossible on other platforms.

  3. DRM by Nom+du+Keyboard · · Score: 1

    DRM strikes again - and again and again and again...

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:DRM by Anonymous Coward · · Score: 0

      :OUCH: Thank you sir. May I please have another?

    2. Re:DRM by nurb432 · · Score: 1

      I agree, but code signing like this really has nothing to do with it.

      --
      ---- Booth was a patriot ----
    3. Re:DRM by Anonymous Coward · · Score: 0

      Yep, I wish my phone's marketplace was full of malware-oh wait.

  4. Widespread Panic among the BB Dev Community by Revotron · · Score: 1

    All four remaining developers are considering switching to Android... oh, wait, if they're at all mindful of the future they're probably cross-compiling and porting everything anyway.

  5. Dihydrogen Monoxide by snikulin · · Score: 1

    You are not very technical, are you?
    Code signing is a malware protection feature, not HDCP.

    1. Re:Dihydrogen Monoxide by JMZero · · Score: 1

      It's not that simple. This outage also affected developers attempting to run their own code on their own development devices. That's not malware prevention (which can be served by limiting access to "App Stores" or something, like other competitors do). RIM is clearly concerned with platform control beyond any malware concerns - it's a kind of DRM.

      --
      Let's not stir that bag of worms...
    2. Re:Dihydrogen Monoxide by tepples · · Score: 2

      Code signing is a malware protection feature

      Sure, when your definition of "malware" includes everything developed by individuals working out of home offices. This is the case with, say, Nintendo.

    3. Re:Dihydrogen Monoxide by fuzzyfuzzyfungus · · Score: 1

      You are not very technical, are you? Code signing is a malware protection feature, not HDCP.

      Code signing is purely a mechanism for verifying that a given binary has not been modified since it left the hands of the party that also possesses a given private key. That's all it does, allows you to mathematically verify that a given series of bits has not been modified since it left the possession of somebody who knows a particular secret. Everything else depends on the infrastructure in which it is embedded.

      This capability has a number of uses:
      In concert with a system for authoritatively connecting keys with IDs (whether this be a CA that isn't a fuckup, or users who are willing to web-of-trust, or an internal institutional PKI setup), it does indeed have substantial anti-tampering/anti-trojan value.
      In concert with devices that forbid their users to override signature warnings, it does indeed have substantial platform-control/rent extraction value (see all current consoles and iDevices...).
      In concert with a system that refuses to play certain movies if there are any unsigned components in the "protected content path", you bet it's a DRM feature...

      It's sort of analogous to the conceptual confusion (or sometimes dishonesty) that causes people to talk about "security cameras". Cameras don't provide security, they collect photons and convert them into images or series of images. That's all they do. In some contexts converting photons into images may improve security. In other contexts, it may increase risk. In others, it will have no security-related effects whatsoever, positive or negative.

    4. Re:Dihydrogen Monoxide by VortexCortex · · Score: 1

      Yep, and it's very telling about the competency of RIM -- App signing didn't have to be implemented this way.

      Look at the Web + SSL (TLS); Webmaster owner requests cert, CA creates cert for webmaster; Webmaster uses cert to sign their code. Different capabilities can be mentioned in certs in order to allow the webmaster to perform different tasks such as create more certificates for others, or just sign/encrypt web pages for a given (sub)domain. (P.S. "webmaster" sounds dumb. I miss "SysOps".)

      Do that for devs & code signing -- The code is still signed and can run on the device. If bad code is used, revoke the app's signature or the dev's cert. For developers another type of cert could be granted that only runs on devices that have dev-enabled certs. Devices used for development could be registered with RIM who then adds a CA to the device that can validate apps signed by dev. certs.

      The dev-mode-device-cert and the dev-mode-app-cert pair would allow devs to create & sign apps that only registered dev devices could run, thus allowing developers to sign and run code while offline without worry that they will publish their debug-mode code to others (won't run on devices missing the dev-device-cert which is tied to the device serial, etc). Cert expiration dates can also be used to prevent perpetual dev-mode app usage.

      Really, what it amounts to is that RIM doesn't understand how PKI works, so they have you upload your code for signing...

      Headline: "Retarded Developers are Retarded by RIM"
      (in the slow sense of the word, though brain-damage may also apply to some).

    5. Re:Dihydrogen Monoxide by sjames · · Score: 1

      Code signing is only just malware protection when the device's owner has the power to do the signing. Otherwise, it's more akin to DRM even if the intentions are better.
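
The developer-certificate scheme VortexCortex describes above, sketched as an added example (not part of any comment in this thread, and not RIM's actual mechanism): a dev CA issues a certificate once, binding the developer's key to one device serial and an expiry, after which builds are signed and verified offline. The `DevCert` layout, the function names and the serial strings are hypothetical, and Ed25519 stands in for whatever algorithm a real platform would use.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// DevCert (hypothetical format): the dev CA signs a developer key bound to one device serial and an expiry.
type DevCert struct {
	DevPub   ed25519.PublicKey
	Serial   string
	NotAfter time.Time
	CASig    []byte
}

func (c DevCert) tbs() []byte { // the bytes the CA signs
	return fmt.Appendf(nil, "devcert-v1|%x|%d|%q", c.DevPub, c.NotAfter.Unix(), c.Serial)
}

// IssueDevCert is the only step that needs the vendor's server.
func IssueDevCert(caPriv ed25519.PrivateKey, devPub ed25519.PublicKey, serial string, notAfter time.Time) DevCert {
	c := DevCert{DevPub: devPub, Serial: serial, NotAfter: notAfter}
	c.CASig = ed25519.Sign(caPriv, c.tbs())
	return c
}

// VerifyDevApp is the device-side check; it needs no network access.
func VerifyDevApp(caPub ed25519.PublicKey, serial string, now time.Time, c DevCert, code, sig []byte) error {
	switch {
	case !ed25519.Verify(caPub, c.tbs(), c.CASig):
		return fmt.Errorf("dev cert not issued by the trusted dev CA")
	case c.Serial != serial:
		return fmt.Errorf("dev cert is bound to a different device")
	case now.After(c.NotAfter):
		return fmt.Errorf("dev cert expired")
	case !ed25519.Verify(c.DevPub, code, sig):
		return fmt.Errorf("app signature invalid")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	now, code := time.Now(), []byte("debug build") // constructed sample payload
	cert := IssueDevCert(caPriv, devPub, "SERIAL-A", now.Add(24*time.Hour))
	sig := ed25519.Sign(devPriv, code) // signed locally, no server round trip
	// First result: the registered device. Second: any other device.
	fmt.Println(VerifyDevApp(caPub, "SERIAL-A", now, cert, code, sig), VerifyDevApp(caPub, "SERIAL-B", now, cert, code, sig))
}
```

Revocation, which the same comment mentions, is not modelled here; the expiry check is the only mechanism that retires a certificate in this sketch.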

  6. OK, SO LIKE, WHERE DO I GET THESE GROUPIES ?? by Anonymous Coward · · Score: 0

    I want Connie for sure. But where can I get them? I checked amazon and that's not at all what I need!

  7. The most painful (for RIM)... by Anonymous Coward · · Score: 0

    The most painful fact that is clear here on slashdot is the few that actually do care about this issue. I read all the articles that come up in my reader but OMG 8 or now 9 comments even on this subject? That's gotta sting.

    1. Re:The most painful (for RIM)... by fuzzyfuzzyfungus · · Score: 1

      Maybe my coworkers and I are simply an anomalous use case; but I've seen exactly two third-party applications ever used on Blackberries: whatever the 'documents to go' or 'mobile documents' thing is that they bundle to give you some ability to read .doc and similar attachments, and the Citrix ICA client. All other use is either the built-in email application or the phone half of the device. How many BB developers are there?

    2. Re:The most painful (for RIM)... by Anonymous Coward · · Score: 0

      There is always the 17th revival of the Commodore Amiga ...

    3. Re:The most painful (for RIM)... by shutdown+-p+now · · Score: 1

      How many BB developers are there?

      You understand that you won't be getting any answers by asking a racy question like that in public, right? ~

  8. What device on which to test? by tepples · · Score: 2

    Android development is free.

    Development includes testing, which requires buying hardware on which to test. The last time I checked, Android-powered devices on which to test software were by and large more expensive because they tended to be $500 cell phones rather than $250 media players. People recommend the Archos 43 Internet Tablet as an Android-powered alternative to the iPod touch 4, but it doesn't come with access to Android Market. People recommend the Samsung Galaxy Player, but it wasn't even available for me to buy when I checked last week.

  9. Can't wait to hear about the security implications by Anonymous Coward · · Score: 0

    Too suspicious to be a regular outage, I can't wait to hear about the security implications for this, was this the result of a hack of the code signing servers? Sounds like a reasonable target given all the recent similar hacking targets!!!!

  10. adb install by tepples · · Score: 1

    there are no dedicated development devices [for applications on the BlackBerry platform]. All devices can be used for development.

    This is true of Android as well, but it doesn't need any sort of signature (other than perhaps a self-signature) to adb install a homemade program.

    1. Re:adb install by yvajj · · Score: 1

      You can install apps on the playbook without requiring signing if you install a debug token on the device.

  11. Blackberry juice by skjolber · · Score: 2

    I must say that although I like Blackberry, other FAILS and now this really disappoint me. And my customers. When people create sites like this:

    http://isthesigningserverdown.com/beta/

    then something is seriously wrong.

    A short summary of the issue at hand: An application is divided into multiple files for over-the-air install. Each file is signed individually and might require signatures from more than one server, all depending on what APIs are in use. So at the moment I need 15-20 signatures per application per build; even a fairly low chance of an unserved request still makes the system fail as a whole. And if one type of server is down, 100% of builds fail.

    1. Re:Blackberry juice by teh+kurisu · · Score: 1

      I once used that website to demonstrate to my boss why I'd missed a deadline. The low reliability of RIM's signing servers is definitely not a new problem.

    2. Re:Blackberry juice by ThePhilips · · Score: 1
      --
      All hope abandon ye who enter here.
  12. Company is a required field by tepples · · Score: 1

    According to this page, to create a debug token, one must first sign up for signing keys. According to this page, signing keys are without charge, but "Company" is marked as a required field in the form, which appears to imply that all developers must request keys on behalf of a company. Did RIM intend this to exclude individual hobbyists?