
How to deploy real cert in packaged .exe (VS 2005, .net cf 2.0 sp2, WM 5.0)

NET CF Questions - 20 May 2008 20:59 GMT
We are developing an application for a Windows Mobile 5.0 device using
VS 2005, .net cf 2.0 and currently when we deploy it to the device for
testing we get the following error;
"The program is from an unknown publisher ...(etc)"

When we go to package this for real use (not test), what are the steps
we need to follow so this warning doesn't appear on the device?

I have seen the instructions here:
http://ce4all.blogspot.com/2007/04/siging-windows-mobile-application-code.html

but is that for the real environment or just the test environment?

What certs and signings do I need to include how (the steps in VS 2005
please) to do this for a real app?
Jin Chang - 21 May 2008 06:39 GMT
> We are developing an application for a Windows Mobile 5.0 device using
> VS 2005, .net cf 2.0 and currently when we deploy it to the device for
[quoted text clipped - 10 lines]
> What certs and signings do I need to include how (the steps in VS 2005
> please) to do this for a real app?

I would like to bump this thread with an added question/issue.

First of all, there is plenty of information on the web and this
forum about certificates and code-signing, but the problems I'm facing
are the following:

1.  Why is it so difficult to use a chained certificate for code-signing
with WM devices?  One of the sources I ran across mentions that it's an
issue with WM 5 and 6.  Can someone confirm this so that I might get a
more appropriate certificate?

2.  How in the world can one sign a CAB file so that the certificate
is also deployed in one step without the "unknown publisher" message
being displayed?  Is it a catch-22 situation where the certificate
must be installed before the CAB can be run without the warning?

I must have read at least 20 different sources on this topic and the
solution still eludes me.  Why can't WM code-signing be as easy as
it is for a normal PC's OS?  Are there reasons why the Cert Vendors make
it so difficult or are WM devices not quite ready-for-prime-time for
these processes to be in place?

- Jin
Peter Foot - 21 May 2008 09:51 GMT
To achieve no prompts on installation your package has to be signed with a
certificate already installed on the device. You have two options - sign
your app and cab file with a Mobile2Market certificate e.g. through
VeriSign, or create a cab file specifically to deploy your own
certificate(s) and have this signed with a Mobile2Market certificate - once
this has installed your own certificate correctly you can then deploy your
own application which is self signed.
The certificate vendors have been making the process easier, you can now
sign an entire cab file and all its contents in a single signing event,
previously each .exe and .dll within the cab would require its own signing
event.

Peter

Peter Foot
Microsoft Device Application Development MVP
peterfoot.net | appamundi.com | inthehand.com
APPA Mundi Ltd - Software Solutions for a Mobile World
In The Hand Ltd - .NET Components for Mobility

>> We are developing an application for a Windows Mobile 5.0 device using
>> VS 2005, .net cf 2.0 and currently when we deploy it to the device for
[quoted text clipped - 35 lines]
>
> - Jin
Jin Chang - 21 May 2008 17:06 GMT
On May 21, 3:51 am, "Peter Foot" <feedb...@nospam-inthehand.com>
wrote:
> To achieve no prompts on installation your package has to be signed with a
> certificate already installed on the device. You have two options - sign
[quoted text clipped - 56 lines]
>
> > - Jin

Thanks, Peter.

That pretty much confirms what I've been reading about the
Mobile2Market and Verisign.
I guess I'll have to go that route.

- Jin
NET CF Questions - 22 May 2008 05:23 GMT
This is probably a very silly question, but are there fees involved?
Is this something that will cost to do?

Is one scenario free?

I'm sorry, I really know nothing about this at all.

On May 21, 1:51 am, "Peter Foot" <feedb...@nospam-inthehand.com>
wrote:
> To achieve no prompts on installation your package has to be signed with a
> certificate already installed on the device. You have two options - sign
[quoted text clipped - 56 lines]
>
> > - Jin
SQL Server Questions - 22 May 2008 05:36 GMT
This is custom software for one client's WM 5 devices, not for open
resale.

We want to do it in a way that makes the "untrusted" prompt come up,
but don't need anything fancy.

On May 21, 9:23 pm, NET CF Questions <dotnetcfquesti...@gmail.com>
wrote:
> This is probably a very silly question, but are there fees involved?
> Is this something that will cost to do?
[quoted text clipped - 70 lines]
>
> > > - Jin
NET CF Questions - 22 May 2008 05:41 GMT
This is custom software for one client's WM 5 devices, not for open
resale.

We want to do it in a way that makes the "untrusted" prompt come up,
but don't need anything fancy.

On May 21, 9:23 pm, NET CF Questions <dotnetcfquesti...@gmail.com>
wrote:
> This is probably a very silly question, but are there fees involved?
> Is this something that will cost to do?
[quoted text clipped - 70 lines]
>
> > > - Jin
NET CF Questions - 22 May 2008 06:01 GMT
When I use the Security configuration manager, I see a "Microsoft
visual studio signing authority".

Is that not something I can use to prevent that warning message in an
application installed on a WM 5.0 device?

On May 21, 9:41 pm, NET CF Questions <dotnetcfquesti...@gmail.com>
wrote:
> This is custom software for one client's WM 5 devices, not for open
> resale.
[quoted text clipped - 79 lines]
>
> > > > - Jin
Hosmerica - 22 May 2008 06:33 GMT
> When I use the Security configuration manager, I see a "Microsoft
> visual studio signing authority".
>
> Is that not something I can use to prevent that warning message in an
> application installed on a WM 5.0 device?

How many devices are you installing it on?
NET CF Questions - 22 May 2008 06:41 GMT
It will be installed on 100 to 200 devices.

> > When I use the Security configuration manager, I see a "Microsoft
> > visual studio signing authority".
[quoted text clipped - 3 lines]
>
> How many devices are you installing it on?
NET CF Questions - 22 May 2008 06:44 GMT
On May 21, 10:41 pm, NET CF Questions <dotnetcfquesti...@gmail.com>
wrote:
> It will be installed on 100 to 200 devices.
>
[quoted text clipped - 5 lines]
>
> > How many devices are you installing it on?

I have been reading this;
http://blogs.msdn.com/windowsmobile/archive/2005/12/17/security_model_faq.aspx

and it seems impossible that it's that hard.

Do we really need to get some kind of account, pay for a certificate,
upload my software, have it "signed", then have something that will no
longer work if modified?

(Am I just reading it incorrectly?)
What happens if we do a bug fix and alter the install?
Would we need to pay and upload and get it resigned over and over?

Sorry to be so slow here, it's just seeming to confuse me.
Hosmerica - 22 May 2008 06:51 GMT
> On May 21, 10:41 pm, NET CF Questions <dotnetcfquesti...@gmail.com>
> wrote:
[quoted text clipped - 22 lines]
>
> Sorry to be so slow here, it's just seeming to confuse me.

I've used certificates for signing from Verisign.  The way it works for
those projects is I have an executable (sent from Verisign), a certificate
and a key.  I run a batch file that calls Verisign's timestamp server sending
them credentials of my certificate and key, and signs the targeted
executable every time I finish building (I have build events set to sign
after the output has changed).  I'm not sure it would be different for your
situation, but I wouldn't think you'd have to send them your file to get it
signed, rather I think they'd send you the tools to do it yourself.  Thus,
if you had a bug fix and needed an update package or fresh install then
you'd be able to do so anytime until your subscription with them runs out.
This is, of course, using Verisign as opposed to others.
NET CF Questions - 22 May 2008 07:30 GMT
Thank you so much for your help.
I'm sorry I'm so clueless here.
(This of course is always what clueless people say before they take up
even more of your time..)

So I get a certificate from Verisign.
Do I also need to sign up for the M2M thing through Microsoft?

Then I install it on my development computer?
(I'm not the developer or a developer, I just look up issues for them
and bother kind usenet folks with my n00bish and incorrectly phrased
questions.. )

Am I then ready to package the app via Visual Studio?
Is there something special I need to do during this process?

Or do I do the signing using the tools they send me?

And about how long does the signing up, installing, etc. take before I
have a signed app?

Is it still a case of having to pay for each .exe or .dll, etc. that
needs signing?
Or was that never the case for WM 5.0?

I've read so much tonight that it's all just a scary blur to me right
now..

> > On May 21, 10:41 pm, NET CF Questions <dotnetcfquesti...@gmail.com>
> > wrote:
[quoted text clipped - 34 lines]
> you'd be able to do so anytime until your subscription with them runs out.
> This is, of course, using Verisign as opposed to others.
Hosmerica - 22 May 2008 07:51 GMT
> Thank you so much for your help.
> I'm sorry I'm so clueless here.
> (This of course is always what clueless people say before they take up
> even more of your time..)

I've asked many, many questions so it's only fair that I contribute
something back.

> So I get a certificate from Verisign.

That's at least one option, but probably not the only one.  It just happens
to be the only one that I know.

> Do I also need to sign up for the M2M thing through Microsoft?

Fair question...I don't have the answer to that one as I didn't sign the
.exe for the mobile device I developed an app for.  That's kinda why I asked
how many devices you were deploying this to.  If it were only a couple then
some of this may not be worth the headache of trying to figure it out.  I
developed an app for 1 device, so how far and creative I went with a setup
and deployment package was a no-brainer for me.  I probably didn't do it the
Microsoft way, but hey...I had to get the project done and it works.  :-)

> Then I install it on my development computer?

Not really.  There isn't really an installation package.  They sent us an
.exe that does the signing, a cert and a key.  I use the batch file that
calls on the .exe they sent us with the key, cert and the target .exe
as parameters.  Their program calls their own timestamp server and verifies
your key and cert...and VOILA!!!   Your .exe is signed.

> (I'm not the developer or a developer, I just look up issues for them
> and bother kind usenet folks with my n00bish and incorrectly phrased
> questions.. )

No prob.  Nobody became an expert without asking some questions.

> Am I then ready to package the app via Visual Studio?

You can run a batch file after you've built your project/solution or as part
of the post build events.  There is a post build-events button on the
compile tab of your projects properties.

> Is there something special I need to do during this process?

Not really.  It's so simple you wouldn't believe it.

> Or do I do the signing using the tools they send me?

Whether you run a batch file or add this portion to the post build-events,
they'll both use the .exe, cert and key they sent you.

> And about how long does the signing up, installing, etc. take before I
> have a signed app?

I think it took a week or so to sign up.  They have to verify your company
and who you are, yada, yada, yada.  As soon as they send you the stuff, it
can take as little as 5 minutes to set it up and start signing files.

> Is it still a case of having to pay for each .exe. or .dll etc that
> needs signing?

Nope.  You pay for a subscription from them.  After your subscription is
up...they won't sign your files anymore.  Ours lapsed by 3 days and it
wasn't pretty.
http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html


> Or was that never the case for WM 5.0?

I'm unsure about signing files for mobile devices.  You've tapped me for all
my knowledge on that subject.

> I've read so much tonight that it's all just a scary blur to me right
> now..

Been there...done that...
Paul G. Tobey [eMVP] - 22 May 2008 16:35 GMT
No, you don't *also* need M2M.  That's just an alternative to using a
Verisign certificate.  The only case I can think of where you might want
both a certificate authority certificate and a M2M certificate is where your
certificate authority is not in the trusted store on the mobile device to
begin with.  That is, the code is signed, but the device doesn't recognize
the certificate as having come from someone that it trusts, so you probably
still get the user warning.  To work around that, you could have your
installer signed with a M2M certificate and have that installer, in turn,
arrange for the other certificate to be trusted, as part of the
installation.

Paul T.

>> Do I also need to sign up for the M2M thing through Microsoft?
>
[quoted text clipped - 6 lines]
> didn't do it the Microsoft way, but hey...I had to get the project done
> and it works.  :-)
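
Added example, not part of the thread or any poster's code: Peter Foot's second option and Paul Tobey's workaround both rely on a small CAB whose only job is to place your certificate in a device certificate store. The Python sketch below builds the provisioning XML such a CAB carries (conventionally `_setup.xml`), assuming the layout of the Windows Mobile CertificateStore configuration service provider; the function names, the store list and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Store names as assumed from Microsoft's CertificateStore CSP documentation
# (not from this thread). Which one suppresses the prompt depends on the
# device's security policy.
STORES = {
    "Privileged Execution Trust Authorities",
    "Unprivileged Execution Trust Authorities",
    "ROOT",
    "CA",
}

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def pem_to_der(data: bytes) -> bytes:
    """Accept a PEM or raw DER certificate and return the DER bytes."""
    if PEM_BEGIN not in data:
        return data
    body = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
    return base64.b64decode(b"".join(body.split()))


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding; the store entry is keyed by this value."""
    return hashlib.sha1(der).hexdigest()


def provisioning_xml(cert: bytes, store: str) -> str:
    """Build the wap-provisioningdoc that adds one certificate to one store."""
    if store not in STORES:
        raise ValueError("unknown certificate store: %r" % store)
    der = pem_to_der(cert)
    if der[:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("input does not look like a DER certificate")
    doc = ET.Element("wap-provisioningdoc")
    cs = ET.SubElement(doc, "characteristic", type="CertificateStore")
    target = ET.SubElement(cs, "characteristic", type=store)
    entry = ET.SubElement(target, "characteristic", type=thumbprint(der))
    ET.SubElement(entry, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")


# Constructed stand-in bytes (a DER SEQUENCE header plus filler), NOT a real
# certificate; substitute the exported .cer of your own signing root.
SAMPLE_DER = b"\x30\x0b" + b"constructed"

if __name__ == "__main__":
    print(provisioning_xml(SAMPLE_DER, "Privileged Execution Trust Authorities"))
```

The CAB that carries this file still has to be signed with a certificate the device already trusts, which is the point both replies make.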
SQL Server Questions - 22 May 2008 17:32 GMT
I think I understand what you're saying Paul, but just to check.

When I view my device from the Security Configuration Manager, I see
the following;
(M2M) Baltimore Mobile device Privileged Root
(M2M) Geotrust Mobile Device Root
(M2M) Verisign Authorized Code signing (Privileged) Root for Microsoft

These made me assume? wonder? if I need both.
I'll check their sites as well, just wondering what the whole (M2M) in
the certificate name meant.

On May 22, 8:35 am, "Paul G. Tobey [eMVP]" <p space tobey no spam AT
no instrument no spam DOT com> wrote:
> No, you don't *also* need M2M.  That's just an alternative to using a
> Verisign certificate.  The only case I can think of where you might want
[quoted text clipped - 19 lines]
> > didn't do it the Microsoft way, but hey...I had to get the project done
> > and it works.  :-)
NET CF Questions - 22 May 2008 17:34 GMT
On May 22, 8:35 am, "Paul G. Tobey [eMVP]" <p space tobey no spam AT
no instrument no spam DOT com> wrote:
> No, you don't *also* need M2M.  That's just an alternative to using a
> Verisign certificate.  The only case I can think of where you might want
[quoted text clipped - 19 lines]
> > didn't do it the Microsoft way, but hey...I had to get the project done
> > and it works.  :-)

I think I understand what you're saying Paul, but just to check.

When I view my device from the Security Configuration Manager, I see
the following;
(M2M) Baltimore Mobile device Privileged Root
(M2M) Geotrust Mobile Device Root
(M2M) Verisign Authorized Code signing (Privileged) Root for Microsoft

These made me assume? wonder? if I need both.
I'll check their sites as well, just wondering what the whole (M2M) in
the certificate name meant.
Paul G. Tobey [eMVP] - 22 May 2008 17:47 GMT
Mobile2Market.  I'm not sure how to define what it is, but maybe you can
find some information on it from that...

Paul T.

> On May 22, 8:35 am, "Paul G. Tobey [eMVP]" <p space tobey no spam AT
> no instrument no spam DOT com> wrote:
[quoted text clipped - 40 lines]
> I'll check their sites as well, just wondering what the whole (M2M) in
> the certificate name meant.
Jin Chang - 22 May 2008 17:49 GMT
On May 22, 11:34 am, NET CF Questions <dotnetcfquesti...@gmail.com>
wrote:
> On May 22, 8:35 am, "Paul G. Tobey [eMVP]" <p space tobey no spam AT
> no instrument no spam DOT com> wrote:
[quoted text clipped - 34 lines]
> I'll check their sites as well, just wondering what the whole (M2M) in
> the certificate name meant.

I'm also trying to digest all this as I go, but here's how I
understand it.
It's crucial to make sure that the certificate you get matches the one
pre-installed on the device if you want to bypass the "unknown
publisher" message during the install or launching of the
application(s).  In my case, I got one of those "chained certificates"
that chains back to one of the pre-installed root certificates, so I
ended up getting the message.  Before facing this situation, I was
under the impression that "chained certificate" (which basically
chains back to the root certificate) will be recognized by the OS, but
this apparently is not the case with WM.  Given this, I believe the
solution to my problem is to get the proper certificate that is not
chained.  Although installing the certificate on the device should
resolve the issue, it wasn't an option for me to do this since I need
to avoid the "unknown publisher" message from the get-go.

If my assumptions are incorrect in any way, please point it out.
