Sign code

• Download source files - 706 Kb

Introduction

This article is for tests purpose only, the best way to sign code is Mobile2Market, Versign etc...
With WM5 Microsoft has implements a new security schema on PocketPC too.
The new schema requires that the applications must be signed with a valid certificate to run without problems on devices. 
For simple applications the schema is not a problem, you'll get some borings popup to run the applications or to install cabs the first time. We have more problems when we try to deploy services or drivers, our dlls or applications will not run because the schema is loaded after service.exe and device.exe processes!
In this article i'll explain how we can deploy our own certificate on device and sign our code.

Step 1 - Create the certificate

The first step is create our certificate.  To do this we'll use the utility makecert.exe:

makecert -r -sv MyCert.pvk -n "CN=MyCert" -b 01/01/2000 -e 01/01/2099 MyCert.cer 

For more information about makecert.exe parameters refer to MSDN library.
Now we have our certificate (MyCert.cer) and private key (MyCert.pvk) but we need of .pfx to pass it to signtool.exe, so go on step 2.

Step 2 - Create .pfx from the .cer

To create .pfx file from .cer file we've to run pvk2pfx.exe tool:

pvk2pfx.exe -pvk MyCert.pvk -spc MyCert.cer -pfx MyCert.pfx

The command will creates .pfx file (MyCert.pfx).

Step 3 - Create the provisioningdoc xml

Ok, now we are ready to build our cab which will installs our certificate on devices. To do this we've to create our wap-provisioningdoc xml.

<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="CertificateStore">
    <characteristic type="Privileged Execution Trust Authorities">
        <characteristic type="[cert_sha1]">
            <parm name="EncodedCertificate" value="[cert_base64]" />
        </characteristic>
    </characteristic>
</characteristic>
<characteristic type="CertificateStore">
    <characteristic type="SPC">
        <characteristic type="[cert_sha1]">
            <parm name="EncodedCertificate" value="[cert_base64]" />
            <parm name="Role" value="222" />
        </characteristic>
    </characteristic>
</characteristic>
</wap-provisioningdoc>

This is the standard schema for our provisioningdoc.
We've to fill [cert_sha1] and [cert_base64] with our values get from MyCert.cer. To obtain these values we've to use openssl.exe tool:

openssl sha1 MyCert.cer > MyCert_sha1.txt
openssl base64 -in MyCert.cer > MyCert_base64.txt

With these commands we get two files with sha1 and base64 values of our certificate. So create an empty file '_setup.xml' and past the content into:

<?xml version="1.0" encoding="utf-8" ?>
<wap-provisioningdoc>
<characteristic type="CertificateStore">
    <characteristic type="Privileged Execution Trust Authorities">
        <characteristic type="30bc827f441fa4437b645163e49ade7226b362c3">
            <parm name="EncodedCertificate" value="MIIB7zCCAVigAwIBAgIQSZfc9OLump1HzDNpsZ2edTANBgkqhkiG9w0BAQQFADAR
MQ8wDQYDVQQDEwZNeUNlcnQwIBcNOTkxMjMxMjMwMDAwWhgPMjA5ODEyMzEyMzAw
MDBaMBExDzANBgNVBAMTBk15Q2VydDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAx6QQIhONxvNHrK+p1qgy/AY3/Q/rf7XGvMYmxENAdQFjgP2CpH/1Bgsa8MwK
XxViZqW2DbixDas77M+cG3BnxtdK42xuhBlzVCq8wiOh7/q9SZp9wKj94c7k5jok
L1BgHT2dH2DHUgnxG6Y9mvowX/DJ8gvbNKR1p4FQpK74NvUCAwEAAaNGMEQwQgYD
VR0BBDswOYAQfyce0/6l1q4oeResHzIEZ6ETMBExDzANBgNVBAMTBk15Q2VydIIQ
SZfc9OLump1HzDNpsZ2edTANBgkqhkiG9w0BAQQFAAOBgQAEqy6rTbjmV/6zgYBY
+gQQqBHf4GMvyEUR9g5+p/esG7GDve/qbZ4bm1BOSdRfgzMsda2guciMD54QPHNp
k+wdE0tSuQN90Dla8109GmTdFyZkVezSDmuCkbX0BjQW2dJ6egvGG2mnA7Q6/5yt
4ftcV6hExesZviGUKXdBhBM2Dg==" />
        </characteristic>
    </characteristic>
</characteristic>
<characteristic type="CertificateStore">
    <characteristic type="SPC">
        <characteristic type="30bc827f441fa4437b645163e49ade7226b362c3">
            <parm name="EncodedCertificate" value="MIIB7zCCAVigAwIBAgIQSZfc9OLump1HzDNpsZ2edTANBgkqhkiG9w0BAQQFADAR
MQ8wDQYDVQQDEwZNeUNlcnQwIBcNOTkxMjMxMjMwMDAwWhgPMjA5ODEyMzEyMzAw
MDBaMBExDzANBgNVBAMTBk15Q2VydDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAx6QQIhONxvNHrK+p1qgy/AY3/Q/rf7XGvMYmxENAdQFjgP2CpH/1Bgsa8MwK
XxViZqW2DbixDas77M+cG3BnxtdK42xuhBlzVCq8wiOh7/q9SZp9wKj94c7k5jok
L1BgHT2dH2DHUgnxG6Y9mvowX/DJ8gvbNKR1p4FQpK74NvUCAwEAAaNGMEQwQgYD
VR0BBDswOYAQfyce0/6l1q4oeResHzIEZ6ETMBExDzANBgNVBAMTBk15Q2VydIIQ
SZfc9OLump1HzDNpsZ2edTANBgkqhkiG9w0BAQQFAAOBgQAEqy6rTbjmV/6zgYBY
+gQQqBHf4GMvyEUR9g5+p/esG7GDve/qbZ4bm1BOSdRfgzMsda2guciMD54QPHNp
k+wdE0tSuQN90Dla8109GmTdFyZkVezSDmuCkbX0BjQW2dJ6egvGG2mnA7Q6/5yt
4ftcV6hExesZviGUKXdBhBM2Dg==" />
            <parm name="Role" value="222" />
        </characteristic>
    </characteristic>
</characteristic>
</wap-provisioningdoc>

We're ready to build our cab to deploy on our devices.

Step 4 - Build the .cab

This is the most simple step, we've to run makecab.exe tool:

makecab.exe _setup.xml mycert_cert.cab

Our certificate is now ready to install on devices!

Step 5 - Sing our application code

After we installed the certificate on our devices we can sign our code with MyCert.pfx our code to run as trusted.
We've to use signtool.exe tool:

signtool.exe sign /f MyCert.pfx *.exe *.cab

or

signcode -v MyCert.pvk -spc MyCert.cer *.exe 

With these simple five steps we've our certificate applications!

History

19/12/2005 - Initial article.
30/12/2005 - Corrected the command line on Step 5
31/12/2005 - Regenerated the certificate and updated zip file
15/11/2006 - Added command line in Step 5 and updated zip file with signcode.exe tool.

Related links

Windows Mobile 5.0 Application Security
Secure Windows Mobile Development and Deployment
A Practical Guide to the Smartphone Application Security and Code Signing Model for Developers

You must Sign In to use this message board.

FAQ    Noise Tolerance Very HighHighMediumLowVery Low   Layout Expand Posts & RepliesThread ViewNo JavascriptNo JS + Preview   Per page 102550

Msgs 1 to 25 of 51 (Total in Forum: 51) (Refresh) FirstPrevNext

Launch certificate registration CAB without user intervention Gaspard 0:04 3 Apr '09   Hello, I need to install our WM5 service application. To allow the start-up of this service after the reboot I have to sign the service and add the same certificate to PETA and SPC store. I have created CAB file which contains _setup.xml with the certificate and signed this CAB. When I launch this CAB manually on the handheld, the prompt screen appears and requires the user confirmation by click on OK button. If the user doesn't confim it within 10 minutes, the certificate installation rolls back. I have also tried to use wceload.exe /silent myCert.CAB, but it doesn't work. Do you have any ide how to skip the prompt screen? I need to distribute the installation over the night to the thousands handhelds and there will be nobody who can click on the OK button on every handhelds. Thanks Gaspard Sign In·View Thread·PermaLink PFX password chmod2222 22:41 20 Jul '08   It says to me that the private key password for the PFX file is wrong, but I'm sure I'm using the same one I was using when creating the CER and PVK file? Why is that? -- www.domagoj.net Sign In·View Thread·PermaLink Re: PFX password chmod2222 22:57 20 Jul '08   I solved the password problem by specifying the password when creating the PFX file like this: pvk2pfx -pvk d:\CERT\mycert.pvk -spc d:\CERT\mycert.cer -pfx d:\CERT\mycert.pfx -pi mycertPASS1 -po mycertPASS1 -f -- www.domagoj.net Sign In·View Thread·PermaLink Vb.Net [modified] hitesh sojitra 22:25 7 May '08   how to set folder permission in VB.Net so that user can not delete or modify ,and can't change folder permission by property option Hitesh sojitra modified on Thursday, May 8, 2008 4:07 AM Sign In·View Thread·PermaLink 2.00/5 (1 vote) when I generate the cab file, and check it's contents, the xml data is missing? Member 2159554 5:10 12 Dec '07   I followed the steps, and it builds the cab file ok. But, when I inspect the contents of the cab file, the xml data is missing? Sign In·View Thread·PermaLink 1.00/5 (1 vote) Simple EXE signing...? VitalyTomilov 2:52 10 Jan '07   How do i sign a simple EXE written in C++ for Windows XP, so it would also work under Vista? Sign In·View Thread·PermaLink 1.00/5 (1 vote) signing solution with several projects donkaiser 7:55 5 Dec '06   What should i do if I want so sign a solution with several projects? Donkaiser Sign In·View Thread·PermaLink Re: signing solution with several projects crino 8:10 5 Dec '06   don't change anything just use the same code to sign all what you want Sign In·View Thread·PermaLink what does the value 222 means? donkaiser 5:00 28 Nov '06   in the xml code: What does the string "222" signify? Regards, Donkaiser Sign In·View Thread·PermaLink Re: what does the value 222 means? crino 8:11 5 Dec '06   All PRIV Certs must have role 222 and All UNPRIV Certs must have role 16 Sign In·View Thread·PermaLink Deploy application in Debug mode Drca 7:32 15 Nov '06   I want to deploy application to WM5 pocketPC and step through code on my desktop PC (development platform). I have conected WM5 device over USB cable and ActiveSync, but when I try to debug the application I get error which says that I don't have appropriate certificates to do that. Can I use the same procedure you presented here in this case? If not, what can you recomend? Thx Doctor Celic Sign In·View Thread·PermaLink Re: Deploy application in Debug mode crino 9:25 15 Nov '06   yes, you can. Install certificate on your device and configure your project to sign code with the same certificate (i'm assuming that you use VS for developement) Sign In·View Thread·PermaLink I can't install certificate Rikardo 3:01 15 Nov '06   I try to install my own certificate but it doesn't work. I try to install your certificate but it doesn't work too. My PDa is a QTEK 9100. Sign In·View Thread·PermaLink 1.50/5 (2 votes) Re: I can't install certificate crino 6:09 15 Nov '06   What is the error message? Should be blocked by provider your device? Sign In·View Thread·PermaLink Re: I can't install certificate Rikardo 7:08 16 Nov '06   Ok, certificate is installed, but you can't see it. But, How can I sign 3rd party components that I have in a cab file? Sign In·View Thread·PermaLink Re: I can't install certificate crino 9:39 16 Nov '06   no you can't see it. To sign other files you've to extract from cab sign and rebuild cab. Sign In·View Thread·PermaLink Download for CAPICOM ivarklung 22:54 1 Nov '06   I found this download which solved the missing CAPICOM files: http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&DisplayLang=en Currently testing your solution. Thanx for all the info! regards, ivarklung Sign In·View Thread·PermaLink Still getting prompted? bobnob 10:55 19 Jun '06   Hey, I've got a TMobile MDA, and I've been testing your cert. I have run your CAB, and it has installed fine. I've even run the .cer file directly, which has been imported and is now viewable in the certificates list. Yet, I've got a signed cab and I'm still getting a prompt that my CAB is from an "unknown publisher" and I have to accept it. Is there anyway to avoid this - I would have thought as the certificate is present it wouldn't have happened?! Thanks! Sign In·View Thread·PermaLink Re: Still getting prompted? gregariousgary 3:07 23 Mar '09   I am also facing the same problem on the emulator. I have configured the emulator with the security policy "One tier Prompt" using the Security configuration manager. I signed the cab file with the certificate provided by crono and then installed the .pfx on the emulator. Now when I try to install the signed cab file the emulator still prompts me that an untrusted application is trying to install. I thought that now my cab file would be considered trusted. Don't know what wrong did I do here. Sign In·View Thread·PermaLink Password error [modified] thomasthethomas 5:22 22 May '06   Hello, I tried to do step 1 to 5 but I get an error on step 5: "SignTool Error: The specified PFX password is not correct." I have NOT given a password in the first step! Then I tried to give a password (mypwd) in the first step and repeated it in step 2 and then using this with signtool.exe sign /p mypwd /f MyCert.pfx *.exe *.cab but with the same result: The specified PFX password is not correct. Any ideas what to do? Thanks Thomas -- modified at 10:28 Monday 22nd May, 2006 Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: Password error buchser 5:17 10 Aug '06   I have exactly the same Problem! btw, i run it on Windows 2k, could this be a problem? Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: Password error [modified] crino 6:13 15 Nov '06   try to use this command line: signcode -v MyCert.pvk -spc MyCert.cer *.exe i've updated the article and zip file with signcode.exe tool -- modified at 11:23 Wednesday 15th November, 2006 Sign In·View Thread·PermaLink Thanks!! Narin 14:28 22 Apr '06   This is the only document that correctly documents all the procedures necessary to install certs and sign apps on Windows Mobile. It's shocking how tough it was to find this but thank god I did because it works. I can't express enough gratitude! Sign In·View Thread·PermaLink 5.00/5 (1 vote) Signed files dont work axbl 0:28 1 Apr '06   Hi, I have made my own certificate as desribed and installed it on my WM5 Pocketpc. So far it works. Then I signed some files (EXE,CAB) and tried to execute on the PocketPC. But I get the Warning that the files are from an unkown distributor. What is wrong ? Sign In·View Thread·PermaLink Re: Signed files dont work crino 0:39 1 Apr '06   hi, it's strange if the cerficate installed on device it's the same used to sing cab or exe you don't have to get the warning!? Sign In·View Thread·PermaLink 2.00/5 (1 vote)

Last Visit: 1:15 8 Nov '09     Last Update: 1:15 8 Nov '09 123 Next »