A concerned reader asked me about how to sign his BlackBerry application. In this post I will try to provide you with information on the following topics:
- Why the need to sign your BlackBerry code
- Registering and obtaining signature keys
- Signing your application
Why You Need to Sign Your Code
The concept of “controlled” API’s has existed since BlackBerry 3.6 as a way for Research In Motion (RIM) to track the use of some API’s for security and export control reasons. In practical terms, this means that in order to run an application on a handheld, you need to register and sign the application. Signing of applications is not required to run applications using the BlackBerry device simulator.
The BlackBerry API is divided into five groups. The first group includes all standard Java API’s from MIDP and CLDC and some BlackBerry-specific API’s. This group is open for all developers, and applications that use only these open API’s require no signatures. The remaining four groups are all controlled API’s: RIM Runtime API’s, some BlackBerry API’s, RIM Cryptography and Certicom Cryptography.
Registering and Obtaining Signature Keys
The registration process serves to verify the developer’s identity. It involves downloading and filling out a registration form that you need to fax to RIM. There’s also a one-time processing fee associated with it. RIM will send you a set of signature keys after the registration form and fee are received.
Signing Your Application
Once you receive the signature keys from RIM, you need to install them on your development environment. The detailed instructions on how to do this can be found in the BlackBerry Java Developer Guide, Volume 2 – Advanced Topics. I recommend that you study this procedure, since installing the keys incorrectly will cause the signing process to fail.
Signing the application is very easy once the keys are installed. You need to manually start the Signature Tool from the Build menu in the JDE:
The tool displays a list of necessary signatures:
When you press the Request button, the Signature Tool submits a hash of the application to RIM’s signing authority. The signing authority automatically returns the required signature, that is automatically appended to the application. The application can be loaded onto a device after this step.
Note that RIM does not receive a copy of your application, only a hash of the file(s). This allows them to determine the author of the application by matching the hash of the application against records of the hash kept by the signing authorities.
Where to Find More Information
You can find more information on this topic in the BlackBerry Java Developer Guide, Volume 2 – Advanced Topics.