
Sign Code

By , 15 Nov 2006

Introduction

This article is for test purposes only; the best way to sign code is through Mobile2Market, Verisign, etc.
With WM5, Microsoft has implemented a new security schema on PocketPC too.
The new schema requires that the applications be signed with a valid certificate to run without problems on devices. 

For simple applications, the schema is not a problem. You'll get some boring popups the first time you run the applications or install cabs. We have more problems when we try to deploy services or drivers: our DLLs or applications will not run because the schema is loaded after the services.exe and device.exe processes!

In this article, I'll explain how we can deploy our own certificate on the device and sign our code.

Step 1 - Create the Certificate

The first step is to create our certificate. To do this, we'll use the utility makecert.exe:

makecert -r -sv MyCert.pvk -n "CN=MyCert" -b 01/01/2000 -e 01/01/2099 MyCert.cer 

For more information about makecert.exe parameters, refer to the MSDN Library.
Now we have our certificate (MyCert.cer) and private key (MyCert.pvk), but we need a .pfx file to pass to signtool.exe, so go on to step 2.

Step 2 - Create .pfx from the .cer

To create the .pfx file from the .cer file, we have to run the pvk2pfx.exe tool:

pvk2pfx.exe -pvk MyCert.pvk -spc MyCert.cer -pfx MyCert.pfx

The command will create a .pfx file (MyCert.pfx).

Step 3 - Create the provisioningdoc XML

OK, now we are ready to build the cab which will install our certificate on devices. To do this, we have to create our wap-provisioningdoc XML.

<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="CertificateStore">
    <characteristic type="Privileged Execution Trust Authorities">
        <characteristic type="[cert_sha1]">
            <parm name="EncodedCertificate" value="[cert_base64]" />
        </characteristic>
    </characteristic>
</characteristic>
<characteristic type="CertificateStore">
    <characteristic type="SPC">
        <characteristic type="[cert_sha1]">
            <parm name="EncodedCertificate" value="[cert_base64]" />
            <parm name="Role" value="222" />
        </characteristic>
    </characteristic>
</characteristic>
</wap-provisioningdoc>

This is the standard schema for our provisioningdoc.
We have to replace [cert_sha1] and [cert_base64] with the values obtained from MyCert.cer. To obtain these values, we have to use the openssl.exe tool:

openssl sha1 MyCert.cer > MyCert_sha1.txt
openssl base64 -in MyCert.cer > MyCert_base64.txt

With these commands, we get two files with the sha1 and base64 values of our certificate. So create an empty file '_setup.xml' and paste the content into it:

<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="CertificateStore">
    <characteristic type="Privileged Execution Trust Authorities">
        <characteristic type="30bc827f441fa4437b645163e49ade7226b362c3">
            <parm name="EncodedCertificate"
                value="MIIB7zCCAVigAwIBAgIQSZfc9OLump1HzDNpsZ2edTANBgkqhkiG9w0BAQQFADAR..." />
        </characteristic>
    </characteristic>
</characteristic>
<characteristic type="CertificateStore">
    <characteristic type="SPC">
        <characteristic type="30bc827f441fa4437b645163e49ade7226b362c3">
            <parm name="EncodedCertificate"
                value="MIIB7zCCAVigAwIBAgIQSZfc9OLump1HzDNpsZ2edTANBgkqhkiG9w0BAQQFADAR..." />
            <parm name="Role" value="222" />
        </characteristic>
    </characteristic>
</characteristic>
</wap-provisioningdoc>

We're ready to build our cab to deploy on our devices.

Step 4 - Build the .cab

This is the simplest step. We have to run the makecab.exe tool:

makecab.exe _setup.xml mycert_cert.cab

Our certificate is now ready to install on devices!

Step 5 - Sign our Application Code

After we have installed the certificate on our devices, we can sign our code with MyCert.pfx so that it runs as trusted.
We have to use the signtool.exe tool:

signtool.exe sign /f MyCert.pfx *.exe *.cab

or

signcode -v MyCert.pvk -spc MyCert.cer *.exe 

With these five simple steps, our applications are signed with our own certificate!
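
Added example (not part of the original article or its zip file): a Python script that performs the Step 3 substitution, computing the SHA-1 thumbprint and single-line base64 of MyCert.cer and writing them into both stores of the template. The function names and the constructed sample bytes are assumptions for illustration; the script also accepts a PEM-encoded .cer, which "openssl sha1" would hash as text rather than as the certificate itself.

```python
import base64
import hashlib
import re
import sys

# Constructed stand-in bytes (a tiny DER SEQUENCE), NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Store names and the Role value are copied from the article's template.
STORES = (("Privileged Execution Trust Authorities", None), ("SPC", "222"))


def load_der(raw: bytes) -> bytes:
    """Return DER bytes whether the .cer holds binary DER or PEM text."""
    match = PEM_RE.search(raw)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    if not raw.startswith(b"\x30"):  # every DER certificate is a SEQUENCE
        raise ValueError("input is neither DER nor PEM")
    return raw


def build_setup_xml(raw: bytes) -> str:
    """Fill [cert_sha1] and [cert_base64] in both CertificateStore entries."""
    der = load_der(raw)
    sha1 = hashlib.sha1(der).hexdigest()           # thumbprint of the DER bytes
    b64 = base64.b64encode(der).decode("ascii")    # one line, no 64-column wrap
    out = ['<?xml version="1.0" encoding="utf-8" ?>', "<wap-provisioningdoc>"]
    for store, role in STORES:
        out += ['<characteristic type="CertificateStore">',
                f'    <characteristic type="{store}">',
                f'        <characteristic type="{sha1}">',
                f'            <parm name="EncodedCertificate" value="{b64}" />']
        if role:
            out.append(f'            <parm name="Role" value="{role}" />')
        out += ["        </characteristic>", "    </characteristic>",
                "</characteristic>"]
    out.append("</wap-provisioningdoc>")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: script.py MyCert.cer > _setup.xml (falls back to the sample bytes)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    sys.stdout.write(build_setup_xml(data))
```

The thumbprint written into the XML can be compared with the one shown in the certificate's properties dialog before the cab is built.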

History

  • 19/12/2005 - Initial article
  • 30/12/2005 - Corrected the command line on Step 5
  • 31/12/2005 - Regenerated the certificate and updated zip file
  • 15/11/2006 - Added command line in Step 5 and updated zip file with signcode.exe tool

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Comments and Discussions

 
Re: Signed files dont work [modified] - paratracker, 31-Mar-07 16:07
First, verify that the signed EXE runs on the target without complaint. If the signed EXE is not okay, look at your signing process.
 
If the signed EXE is okay, look at the unsigned CAB file. If the unsigned CAB is not okay, are you targeting Pocket PC 2002? The version of wceload that is burned into ROM on PPC'02 doesn't support compression. Look at your CabWiz.ddf and see if you have a line that looks like:
 
.Set Compress=ON
 
If you are targeting PPC'02, change your Compress setting to OFF. If wceload is not complaining about the unsigned CAB, you can focus on the CAB file signing process.
 
CabWiz also has a way to preallocate space for the signature/timestamp. Look in your CabWiz.DDF control file for a line like:
 
.Set ReservePerCabinetSize=
 
If you don't have one, you may need one. My time-stamped signatures add 3876 bytes to the CAB file size, so I have
 
.Set ReservePerCabinetSize=3876
 
Look at your pre-signed CAB file size (using ReservePerCabinetSize=0) and post-signed/timestamped file sizes to get the difference - it won't necessarily be 3876. If that doesn't solve your problem, then I'm getting even more confident that your test device is running PocketPC 2002, because I'm having a problem with my PPC'02 CAB signing, using a process that does recognize 2002 wceload's Compress capabilities and preallocates space for signing/timestamping (and works just fine with WM5's cabwiz and wceload).
 
If you're deploying your CAB to a 2002 device, then we're chasing the same rainbow. If you're not targeting a PPC'02 device, I still recommend looking into the capabilities of wceload on your test platform and reviewing the CabWiz.ddf (if you're not using CabWiz, I'm not sure how to twiddle the settings).
 
-Mike
 
http://pnmx.com/
Last Updated 15 Nov 2006
Article Copyright 2005 by crino
Everything else Copyright © CodeProject, 1999-2014