boxee :: forums  

Go Back   boxee :: forums > boxee developers > boxee applications

Reply
 
Thread Tools Display Modes
  #11  
Old February 7th, 2011, 09:59 PM
neveroffline neveroffline is offline
Senior Member
 
Join Date: Sep 2010
Posts: 345
Default

Quote:
Originally Posted by Lilo View Post
@viljoviitanen - I agree, What automating method you prefer:

1) A web service (authenticated)

OR

2) A keytool (+ a personalized key you download)

All app developers are encouraged to answer this and I'll try to add it to the long list of to-do(s) I've got going regarding app signing
Some sort of key we can use to trigger on your end the new updated app without having to go through A-C repeatedly.

We have:
A. Upload app.
B. Download sig.
C. Upload Sig.

Can we have D, authenticate update, no need for A-C (on 3rd party repos) if you already have the xml sig for a prev version?

IE: newverison=1.03&repo=url&auth=token - token can be based on our pwds already or something else other than our key.

EDIT: This way you would know it's us, can authenticate, grab the new zip, gen a new sig if you have to, and keep it internally on record.

Last edited by neveroffline; February 7th, 2011 at 10:06 PM.
Reply With Quote
  #12  
Old February 8th, 2011, 01:57 AM
viljoviitanen viljoviitanen is offline
Member
 
Join Date: Nov 2010
Location: Jyväskylä, Finland
Posts: 60
Default

Quote:
Originally Posted by Lilo View Post
@viljoviitanen - I agree, What automating method you prefer:

1) A web service (authenticated)

OR

2) A keytool (+ a personalized key you download)

All app developers are encouraged to answer this and I'll try to add it to the long list of to-do(s) I've got going regarding app signing
I prefer whichever is the easiest to automate in a shell script So maybe #2, depending on what kind of a tool you have in mind. I'd be comfortable with just a private key and instructions on how to make a signature with openssl but I'm sure not many developers would like that. But there's always the current manual method. I suppose this would be easier for you to implement as well. Just give me the key you already created for me and describe the process you make the sigs with...

Btw if you mean by web service a "real" web service with a soap interface, wsdl etc, then no thanks. I get to deal with that crap with my day job more than I'd like to.
Reply With Quote
  #13  
Old February 8th, 2011, 03:39 AM
Lilo's Avatar
Lilo Lilo is offline
team boxee
 
Join Date: Nov 2010
Posts: 86

@neveroffline - application signatures are a result of a signed zip file, we can't skip the upload process - I'll think about the implications of providing a url for the source but this will not solve the fact that you'll need to get a new signature and upload it to you app location.

Quote:
Originally Posted by viljoviitanen View Post
Btw if you mean by web service a "real" web service with a soap interface, wsdl etc, then no thanks. I get to deal with that crap with my day job more than I'd like to.
rofl.

I thought more about a URL which you can post you zip file to and the response will be the signature (assuming it passed validation). Something that can be done with one line of curl.
__________________
-------------------------------------
Liel is a PHP Ninja that is fighting
bugs on boxee servers
liel ( @ ) boxee.tv
Reply With Quote
  #14  
Old February 8th, 2011, 10:06 AM
viljoviitanen viljoviitanen is offline
Member
 
Join Date: Nov 2010
Location: Jyväskylä, Finland
Posts: 60
Default

Quote:
Originally Posted by Lilo View Post

I thought more about a URL which you can post you zip file to and the response will be the signature (assuming it passed validation). Something that can be done with one line of curl.
Super! I'll change my pick to this one.
Reply With Quote
  #15  
Old February 10th, 2011, 05:46 PM
neveroffline neveroffline is offline
Senior Member
 
Join Date: Sep 2010
Posts: 345
Default

Quote:
Originally Posted by Lilo View Post
@neveroffline - application signatures are a result of a signed zip file, we can't skip the upload process - I'll think about the implications of providing a url for the source but this will not solve the fact that you'll need to get a new signature and upload it to you app location.



rofl.

I thought more about a URL which you can post you zip file to and the response will be the signature (assuming it passed validation). Something that can be done with one line of curl.
I agree, that's kind of what I was expecting. I know you have to go through A-C first. Not sure you read my post edit. My option, D, is to hit your end with the URL of our Application with our credentials, w/e those are, and you curl out on your end, grab the app, sign it, and reply with that sig file. Uploading the app via POST to a URL (with some sort of credentials) and then you signing it works in the exact same way, only you aren't grabbing the file (which I think you should).

Either way, I think this is the kind of automation we need if we just want to hit a button/run a script to upload app, sign it, download sig, upload sig to repo internally.
Reply With Quote
  #16  
Old April 7th, 2011, 06:15 AM
dotsa dotsa is offline
Junior Member
 
Join Date: Mar 2011
Posts: 4
Thumbs down

Quote:
Originally Posted by RobSpectre View Post
Yesterday we opened up signups for API keys at http://boxee.tv/developer and invited all Boxee developers to hop on the train. The introduction of API keys has raised a lot of questions - I thought it would be prudent to kick up a forum thread to answer the most common ones and keep it updated over time.
How close are we to ability to send the zip and get sig or error back through some sort of automate-able API? Curl-based upload or a webservice or something like that...

Did this ever happen?

Build automation / deployment for Boxee development is a no go without this. This guy (https://github.com/tommysqueak/GreatBoxee) is stuck with his Ant build script. I am stuck with WAF automation script.
Reply With Quote
  #17  
Old April 7th, 2011, 07:19 AM
Lilo's Avatar
Lilo Lilo is offline
team boxee
 
Join Date: Nov 2010
Posts: 86
Default

Quote:
Originally Posted by dotsa View Post
How close are we to ability to send the zip and get sig or error back through some sort of automate-able API? Curl-based upload or a webservice or something like that...

Did this ever happen?.
This is currently planned as part of the server api, it will be done in the near future (sorry, but I can't give you an exact date).

There is a thread for community feedback and request for the new server api here:

http://forums.boxee.tv/showthread.php?t=32102

This point is already listed but you might want to take a look anyway.
__________________
-------------------------------------
Liel is a PHP Ninja that is fighting
bugs on boxee servers
liel ( @ ) boxee.tv
Reply With Quote
  #18  
Old April 8th, 2011, 01:47 PM
dotsa dotsa is offline
Junior Member
 
Join Date: Mar 2011
Posts: 4
Lightbulb Possible way to simplify the app signing.

Quote:
Originally Posted by Lilo View Post
This is currently planned as part of the server api, it will be done in the near future (sorry, but I can't give you an exact date).

There is a thread for community feedback and request for the new server api here:

http://forums.boxee.tv/showthread.php?t=32102

This point is already listed but you might want to take a look anyway.
Just a thought on that... If the sig is derived by hashing the zip in some way that can be duplicated by dev, just sending a hash as text + contents of descriptor.xml by dev to you over plain form-encoded HTTP Post and having a sig sent back might be easier to implement as simple API.

I can sort of understand the difficulty of wrapping an ability to "send a potentially-large file" into a manageable API. You have to unzip the package, look at contents...
Sending a hash + meta to you for signing, and Boxee app, later, deriving the same hash from the zip might be a more manageable approach for your server API implementation. I, as a dev, certainly don't mind doing more work on my side, as long as I can automate the steps.

Daniel.

Last edited by dotsa; April 8th, 2011 at 01:51 PM. Reason: added mention of descriptor.xml
Reply With Quote
  #19  
Old April 11th, 2011, 07:59 AM
viljoviitanen viljoviitanen is offline
Member
 
Join Date: Nov 2010
Location: Jyväskylä, Finland
Posts: 60
Default

Quote:
Originally Posted by dotsa View Post
Just a thought on that... If the sig is derived by hashing the zip in some way that can be duplicated by dev, just sending a hash as text + contents of descriptor.xml by dev to you over plain form-encoded HTTP Post and having a sig sent back might be easier to implement as simple API.

I can sort of understand the difficulty of wrapping an ability to "send a potentially-large file" into a manageable API. You have to unzip the package, look at contents...
Sending a hash + meta to you for signing, and Boxee app, later, deriving the same hash from the zip might be a more manageable approach for your server API implementation. I, as a dev, certainly don't mind doing more work on my side, as long as I can automate the steps.

Daniel.
But then boxee would not know what was signed. I would guess boxee wants a copy of the code being signed, even though they do not check the code "online", they can investigate later and if needs be, invalidate the signature.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 02:42 AM.


skin based on greenzero from vBSkins.com

 
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2011, vBulletin Solutions, Inc.