BlackBerry PlayBook: Code Signing Process

UPDATES BELOW…

Since the documentation over at the BlackBerry developer site isn’t exactly crystal… I’m going to share my code signing experience here in the hopes of sharing some information and perhaps helping others along. This is not a comprehensive overview; just my experience.

I have 3 AIR based PlayBook applications approved up in AppWorld right now. These were submitted before RIM had a process for signing our .bar files for submission. Now that we can sign .bar files, I figured I should do so. I was running the Tablet OS SDK within Flash Builder when I originally compiled the .bar files. I no longer have my system configured for this so will be signing the existing .bar files from the command line tools and not from Flash Builder. I am doing all of this from a 64-bit Windows 7 OS.

Treacherous Code Signing Ahead!

Note that I have removed my PIN and PASSWORD from these examples. So when you see yourPINorPASShere …just plug yours in.

  1. Register as a Blackberry AppWorld vendor.
  2. Order a code signing key from RIM. Once you receive and email from RIM with a .csj file included, you can begin proceed.
  3. If you haven’t done so already, download and install the Tablet OS SDK. You can install within Flash Builder build i3 (MAX or Labs) or just install for command line. For reasons mentioned above, I chose the second option.
  4. Something a bit misleading with the docs; they start off talking about the location of barsigner.csk… which I was able to locate- probably from a previous attempt at signing using Flash Builder. This threw me off big time. Ignore it. We want to open up the Windows command prompt and change the directory to the bin folder of our Tablet OS installation. In my case: cd C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin
  5. The next step is to run the command blackberry-signer -csksetup -cskpass yourPINorPASShere which will create barsigner.csk for you. Since I already had one, I needed to run blackberry-signer -cskdelete to delete it first.
  6. The next step is to register with the RIM server though use of the .csj file that you received via email. Run the following command to perform this action: blackberry-signer -register -csjpin yourPINorPASShere -cskpass yourPINorPASShere client-RDK-3894601367.csj
  7. Now, we have to generate a code signing cert (.p12 file) through use of a command like: blackberry-keytool -genkeypair -keystore FVM_QNX.p12 -storepass yourPINorPASShere -dname “Fractured Vision Media, LLC” -alias author …you must replace the cert name and company name with your own. This created another stumbling point as I received the message “keytool error: java.io.IOException: Incorrect AVA format” back each time I attempted to generate a cert. Apparently, the company name cannot include a comma, so simply changing that portion to “Fractured Vision Media LLC” did the trick and generated my .p12 cert. A lot of company names have commas, no?
  8. The final step is to sign your previously (in my case) compiled .bar file with the freshly generated cert. In order to do this, run a similar command to: blackberry-signer -keystore FVM_QNX.p12 -storepass yourPINorPASShere SketchNSave.bar author …Again, I received an error! This time “manifest error:Invalid value ’0.0.0.0′ for Package-Version.”. I apparently never changed the <versionNumber>0.0.0</versionNumber> value in that particular application, as my two other .bar files signed no problem. I changed it to <versionNumber>1.0.0</versionNumber> in the AIR manifest.
  9. So… now that I changed the AIR manifest file, I also need to compile a fresh .bar from that project so that I can sign it properly. To compile a .bar, we can run the command blackberry-airpackager -package SketchNSave.bar “E:\QNX Apps\SketchNSave\src\SketchNSave-app.xml” “E:\QNX Apps\SketchNSave\bin-debug\SketchNSave.swf” including all image files needed as well just as you normally compile an .air file using command line tools. This threw an additional few errors. One was my bad, in that I had spaces in my directory name and needed to enclose all paths in quotes as you can see above. A secondary error was thrown as well: “error 105: application.initialWindow.content contains an invalid valueError: AIR validation failed” – The problem here is that I needed to add the swf specification within the AIR manifest since I was not relying on Flash Builder to fill this in for me. No big deal. Fixed that and it compiled. Running blackberry-signer -keystore FVM_QNX.p12 -storepass yourPINorPASShere SketchNSave.bar now results in a signed .bar file ready for submission.
  10. Now just go to the vendor portal and submit new versions of your apps. I added all 3 as version 1.0.1 and uploaded the signed .bar files for each with a comment that they were now properly signed.

Not a lot of steps… not terribly difficult once you understand the workflow… but there is a lot of room for error and I think RIM could do a better job with the docs for sure!

I’m including my full Windows Command Prompt session log here:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Joseph>cd C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-signer -csksetup -cskpass
 yourPINorPASShere
CSK file already exists.  Use -cskdelete to delete first.

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-signer -cskdelete
CSK file deleted.

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-signer -csksetup -cskpass
 yourPINorPASShere
CSK file created.

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-signer -register -csjpin
yourPINorPASShere -cskpass yourPINorPASShere client-RDK-3894601367.csj
Successfully registered with server.

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-keytool -genkeypair -keys
tore FVM_QNX.p12 -storepass yourPINorPASShere -dname "Fractured Vision Media, LLC" -alias
author
keytool error: java.io.IOException: Incorrect AVA format

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-keytool -genkeypair -keys
tore FVM_QNX.p12 -storepass yourPINorPASShere -dname "cn=Fractured Vision Media LLC" -alia
s author

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-signer -keystore FVM_QNX.
p12 -storepass yourPINorPASShere SketchNSave.bar author
manifest error:
Invalid value '0.0.0.0' for Package-Version.

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-signer -keystore FVM_QNX.
p12 -storepass yourPINorPASShere MyBlackList.bar author
bar signed.

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-signer -keystore FVM_QNX.
p12 -storepass yourPINorPASShere TransientRecorder.bar author
bar signed.

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>E:\QNX Apps\SketchNSave\bin-debug\as
sets\images\icons\i128.pngblackberry-airpackager -package SketchNSave.bar E:\QNX
 Apps\SketchNSave\src\SketchNSave-app.xml E:\QNX Apps\SketchNSave\bin-debug\Sket
chNSave.swf E:\QNX Apps\SketchNSave\bin-debug\close.png E:\QNX Apps\SketchNSave\
bin-debug\assets\images\clear.png E:\QNX Apps\SketchNSave\bin-debug\assets\image
s\close.png E:\QNX Apps\SketchNSave\bin-debug\assets\images\save.png E:\QNX Apps
\SketchNSave\bin-debug\assets\images\splash.png E:\QNX Apps\SketchNSave\bin-debu
g\assets\images\title.png E:\QNX Apps\SketchNSave\bin-debug\assets\images\Writin
g.png E:\QNX Apps\SketchNSave\bin-debug\assets\images\icons\i128.png
'E:\QNX' is not recognized as an internal or external command,
operable program or batch file.

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-airpackager -package SketchNSave.bar "E:\QNX Apps\SketchNSave\src\SketchNSave-app.xml" "E:\QNX Apps\Sketc
hNSave\bin-debug\SketchNSave.swf" "E:\QNX Apps\SketchNSave\bin-debug\close.png"
"E:\QNX Apps\SketchNSave\bin-debug\assets\images\clear.png" "E:\QNX Apps\SketchN
Save\bin-debug\assets\images\close.png" "E:\QNX Apps\SketchNSave\bin-debug\asset
s\images\save.png" "E:\QNX Apps\SketchNSave\bin-debug\assets\images\splash.jpg"
"E:\QNX Apps\SketchNSave\bin-debug\assets\images\title.png" "E:\QNX Apps\SketchN
Save\bin-debug\assets\images\Writing.png" "E:\QNX Apps\SketchNSave\bin-debug\ass
ets\images\icons\i128.png"
E:\QNX Apps\SketchNSave\src\SketchNSave-app.xml(49): error 105: application.init
ialWindow.content contains an invalid value
E:\QNX Apps\SketchNSave\src\SketchNSave-app.xml(49): error 105: application.init
ialWindow.content contains an invalid value
Error: AIR validation failed

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-airpackager -package Sket
chNSave.bar "E:\QNX Apps\SketchNSave\src\SketchNSave-app.xml" "E:\QNX Apps\Sketc
hNSave\bin-debug\SketchNSave.swf" "E:\QNX Apps\SketchNSave\bin-debug\close.png"
"E:\QNX Apps\SketchNSave\bin-debug\assets\images\clear.png" "E:\QNX Apps\SketchN
Save\bin-debug\assets\images\close.png" "E:\QNX Apps\SketchNSave\bin-debug\asset
s\images\save.png" "E:\QNX Apps\SketchNSave\bin-debug\assets\images\splash.jpg"
"E:\QNX Apps\SketchNSave\bin-debug\assets\images\title.png" "E:\QNX Apps\SketchN
Save\bin-debug\assets\images\Writing.png" "E:\QNX Apps\SketchNSave\bin-debug\ass
ets\images\icons\i128.png"
Using default icon: C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin\..\samples\icons
\blackberry-tablet-default-icon.png
The bar manifest file is valid.
Package created: SketchNSave.bar

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>blackberry-signer -keystore FVM_QNX.
p12 -storepass yourPINorPASShere SketchNSave.bar author
bar signed.

C:\TabletOS\blackberry-tablet-sdk-0.9.3\bin>

UPDATE #1
The process above only signs the application with the dev cert. You will need to sign with the registered RIM Signing Authority cert by using:

blackberry-signer -verbose -cskpass yourPINorPASShere -keystore FVM_QNX.p12 -storepass yourPINorPASShere SketchNSave.bar RDK

My apps were accepted… and a week later denied for this. They were also denied for not being compiled with Tablet OS 9.4 SDK as I had compiled them all with 9.3 (the only available SDK at the time).

UPDATE #2
This isn’t sufficient either, as I’m receiving a number of signing errors including:

barsigner error: server error: Code signing request failed because this file has
 been previously signed.

and

manifest error: Invalid value '3.0' for Package-Version.

Lovely.

UPDATE #3
I’ve recorded a video demonstrating the final process used to get true, verified signing of my BlackBerry PlayBook applications using Tablet OS 9.4 SDK.

UPDATE #4
Looks like RIM has finally developer a graphical interface tool for signing! Grab it over at:
http://supportforums.blackberry.com/t5/Testing-and-Deployment/BlackBerry-Tablet-OS-Graphical-Aid/ta-p/1207067?CPID=TWDResources&Date=11912

36 thoughts on “BlackBerry PlayBook: Code Signing Process”

  1. You’re not the only one who had a little problems getting the code signing to work. =] Had to read through the signing documentation more than a few times carefully to finally get it to work. (It’s relieving when it does!) haha

  2. Hey, do you know if the 480 x 480 image MUST to be the same as app icon ? or i can add a screenshot for the application ?

  3. Hi Joseph,
    Thank you for step by step instructions. I have the same situation as you do, but i still use Flash Builder Burrito. Can please provide some instruction on how to sign your app via Adobe Flash Builder Burrito. I have the .csj file.
    Thank you,
    Sukhrob

      1. Would you know by any chance why it gives me the following error in first step:
        Exception in thread “main” java.lang.UnsupportedClassVersionError: ….

  4. hi,
    at first great blog.

    personaly a got an issue with the command line explain in the rim documentation
    blackberry-signer -verbose -cskpass
    -keystore -storepass
    RDK

    i don’t find this line in you post , do you think it’s really neccesary?

    1. That option is to “Ask the RIM signing authority to sign your application” – I didn’t use it but opted for choice 2. I must have done it okay as all 3 app updates were approved yesterday :)

      1. thank you very much for your answer. i was thinking almost the same thing. i’ve take a look at your applications on the appworld, i hope i’ll be able to try them in real with the playbook.

  5. I think the correct dname parameter format is -dname “cn=”. For me worked like charmed.

    Regarding signing from Burrito – it doesn’t seem to work : it generates an empty bar.sig file…

  6. Nice walkthrough, the signing process has been a huge pain! Multiple errors, some of the same I’ve received. But I’m stuck on this one and can not seem to get around it.

    Application-Development-Mode in Manifest is present and is not set to [false]

    There is some docs in the forums about it, but I have not gotten anywhere. Maybe in the next release of the SDK, it will be better.

  7. I’m getting error when signing playbook app using command line in windows vista, it could’nt connect with RIM server. When using command line in windows xp, the signing process is works like charm.

  8. Yeah, I went through the whole mess and got it working, and I still have no idea what it’s doing. And that bugs me. The whole playbook signing thing inspired my comic of a couple of days ago http://angriestprogrammer.com/comic/magic_processes :)

    Anyway, one question. Did you generate a different .p12 file for each app? I have two apps in the store that I need to sign and update (as you did) and one signed app that I’m about to submit. I just don’t know if a .p12 file is local to the company or to each app.

    1. Nope. I used the same cert for each of the 3 apps that needed to be signed.

      With that said- my understanding is that you need a separate cert for Tablet OS than for Android, so you cannot use the same .p12 for everything. Just for the same platform.

  9. for those of you that got lost at what happened in step 9 with the error:
    //must update the in the -app.xml to InsertFileNameHere.swf

  10. Joseph,
    Thanks for the information on this. I was wondering where you acquired the .csi password? I only have the one “pin” password when I applied for the key.

    Thanks

    1. You use the initial PIN along with the .CSJ that RIM sends you. When you create a RIM authority cert based upon that .CSJ, you will need to define a password just as you would when creating a self-signed cert.

  11. Hi!
    I have been searching the answer for this error for 2 days and wasn’t able find a solution!
    I have an app developed in flash cs5, AIR 2.5 with 1.0.0 as the version… I have the certificate file generated without any problems. But for some reason, I am not able to generate the .bar file!!!!
    the blackberry-airpackager gives me the following error:
    error 102: Invalid namespace http://ns.adobe.com/air/application/2.5
    Error: AIR validation failed

    Please HELP!!!

  12. Hey Joseph;

    I am trying to sign my application, I got the BlackBerry BarSigner tool to register with the Signing Authority. When I try to execute command “blackberry-signer -csksetup -cskpass”. I got an error, ” ‘java’ is not recognized as an internal or external command, operable program or batch file.”

    Do you have an idea for the reason?

    Thanks in advance.

    ~Gorkem

      1. Thanks Joseph;

        Registering path environment variables actually worked great!!

        I have another problem with signing at last step. While I am “Generating Key-pair”, I execute command “blackberry-keytool -genkeypair -keystore QNX.p12 -storepass PIN -dname “cn=XXX” -alias author”.
        I got an interesting error
        Error: null

        Nothing else is written just Error: null

        Thanks for help again, I will be appreciated if you have some opinions about the last error.

        ~Gorkem

Comments are closed.