Code Signing

Guest

Hi All,

I want to sign my Assemblies for release to a client that will use only my
application and I don't want to buy standard certificates.
How can I create a private certificate that I can install manually and sign
all my Assemblies to use this private certificate?

Cheers,
James.
 
Joseph Byrns

You can use the sn.exe from the command line, (sn.exe -k c:\test.snk). You
can then use this file to sign your assembly by (in VS 2005, can't remember
where in VS2003) clicking Project->'ProjectName' Properties->Signing then
check the 'Sign Assembly' check box and select the relevant file.
 
Guest

Sorry I should have been more clear.
I want to sign the CAB and assemblies using a privately created certificate
rather than a Mobile2Market or Verisign Code signing service.

Do the devices only have certain Root certs and cannot add others?
What are the test certificates and can I use them for release?

Cheers,
James
 
Nino Benvenuti

sn.exe is the Strong Name tool and is used for signing an assembly with
a strong name. Strong Name signing helps to ensure that an assembly is
globally unique and it helps to protect the version lineage of an
assembly. They also provide guarantees that the assembly has not been
changed since it has been built. Strong name signing of assemblies is
required if you are going to install them into the GAC.

What you are after, James, is Authenticode signing. This will ensure
the integrity and authenticity of your assemblies and your CAB. If you
choose to sign your assemblies outside of Visual Studio, you will need
to use the SignTool.exe tool.

The Windows Mobile SDK certs exist for developers to test their bits
under the different privilege levels. For WM5 PPC, the certs may be
found at C:\Program Files\Windows CE Tools\wce500\Windows Mobile 5.0
Pocket PC SDK\Tools. In that directory, you will find the certs as well
as a CAB for you to install the certs on your device for testing. The
certs are already installed on the emulator.

These certs are *not* for release and you cannot use them as such as the
devices will not have the certificate on them.

You can sign your CABs and your assemblies with a private cert; however,
you would need to install that cert on the device so that the assemblies
and CAB could be verified. Also note that the signature on the CAB will
be ignored unless the EXEs and DLLs in the CAB are also signed.

If you haven't read the following, I would suggest them:
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnppcgen/html/wmsecurity.asp

http://blogs.msdn.com/windowsmobile/archive/2005/12/17/491167.aspx

Most of my reply here (as I'm sure you've noted) assumes WM5.0 - what
version of the .NET CF are you using and what is your target platform?
 
Simon Hart

Nino Benvenuti said:
What you are after, James, is Authenticode signing. This will ensure the
integrity and authenticity of your assemblies and your CAB. If you choose
to sign your assemblies outside of Visual Studio, you will need to use the
SignTool.exe tool.

Don't you mean signcode.exe?
 
Guest

Hi Nino,

I am moving an existing .NET CF 1.0 Application to Mobile 5.0.
Thanks for your answer and I will try it today!

Cheers,
James.
 
Guest

Hi Nino,

Well, I used the Test Certificates from MS by copying the 'SdkCerts.cab' CAB
file to the PDA and executing it, and all worked fine.

But generating my own CER using the makecert and installing and signing,
does not work. It still asks for user to allow the app to run. Is it not
possible to create your own cert, sign your app and run it?

Cheers,
James
 
Nino Benvenuti

James said:
Hi Nino,

Well, I used the Test Certificates from MS by copying the 'SdkCerts.cab' CAB
file to the PDA and executing it, and all worked fine.

But generating my own CER using the makecert and installing and signing,
does not work. It still asks for user to allow the app to run. Is it not
possible to create your own cert, sign your app and run it?

Cheers,
James

Hi James,

As Scott Yost said in reply to your other post, you need to provision
the certificate to the device.

-Nino
 
neel

Hi Nino,

I've been following this discussion thread, I actually have somewhat of
a similar problem. I'm creating signed executables, etc. for Windows
Mobile 5.0 in Visual Studio 2005 environment. I've been able to enable
provisioning of device using the GUI interface of Visual Studio 2005.
It's working. Perfectly.

The problem is, my actual building process involves building from the
command line. To this end, I located the "signtool.exe" which does the
job of signing with valid certificates, etc. However, I can't seem to
find any option by which I can enable provisioning of the device from
the command line (using the signtool.exe tool). Could you please let me
know if there is some switch that exists with the tool, or a separate
executable that handles the provisioning of device in the command line?
Thanks,

-Neel.
 
Nino Benvenuti

neel said:
Hi Nino,

I've been following this discussion thread, I actually have somewhat of
a similar problem. I'm creating signed executables, etc. for Windows
Mobile 5.0 in Visual Studio 2005 environment. I've been able to enable
provisioning of device using the GUI interface of Visual Studio 2005.
It's working. Perfectly.

The problem is, my actual building process involves building from the
command line. To this end, I located the "signtool.exe" which does the
job of signing with valid certificates, etc. However, I can't seem to
find any option by which I can enable provisioning of the device from
the command line (using the signtool.exe tool). Could you please let me
know if there is some switch that exists with the tool, or a separate
executable that handles the provisioning of device in the command line?
Thanks,

Hi neel,

SignTool.exe has no facilities for provisioning a certificate to a
device, so your observations in that regard were correct.

With regards to provisioning a certificate to the device, I think that
your options are:

1) Use RapiConfig.exe (in WM5 SDK). You would need to change the
default RAPI policy[1][2] on the device before you could leverage this

2) Create a CAB file that contains[3] the same certificate that you are
signing your assemblies with and load that on the device as a separate
step (or write an automated installer to do it via RAPI)

There may be other ways, but that's what comes to mind at this time...


[1]http://groups.google.com/group/micr...onfig+++access+denied&rnum=3#bbe5f0ed49c48e9f
[2]http://groups.google.com/group/micr...onfig+++access+denied&rnum=1#ebf7c2ef70703637
[3]http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx
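
The certificate-provisioning step behind option 2, as an added example that is not part of the post above or of the SDK: a script that turns a signing certificate (DER or PEM `.cer`) into the provisioning XML a certificate CAB would carry. It assumes the Windows Mobile CertificateStore layout (store name, then the certificate's SHA-1 thumbprint, then an `EncodedCertificate` parm); the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

# Certificate stores consulted on the device (assumed names, see lead-in).
STORES = {
    "privileged": "Privileged Execution Trust Authorities",
    "unprivileged": "Unprivileged Execution Trust Authorities",
    "spc": "SPC",  # consulted when a signed CAB is installed
}

def load_der(data: bytes) -> bytes:
    """Accept a .cer file in either DER or PEM (base64) form."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return data

def provisioning_xml(cert: bytes, stores=("privileged", "spc")) -> str:
    """Build the provisioning document that adds `cert` to each store."""
    der = load_der(cert)
    # The entry is keyed by the SHA-1 hash of the DER encoding, i.e. the
    # same thumbprint the desktop certificate viewer displays.
    thumbprint = hashlib.sha1(der).hexdigest()
    encoded = base64.b64encode(der).decode("ascii")
    doc = ET.Element("wap-provisioningdoc")
    root = ET.SubElement(doc, "characteristic", type="CertificateStore")
    for key in stores:
        store = ET.SubElement(root, "characteristic", type=STORES[key])
        entry = ET.SubElement(store, "characteristic", type=thumbprint)
        ET.SubElement(entry, "parm", name="EncodedCertificate", value=encoded)
    return ET.tostring(doc, encoding="unicode")

# Constructed placeholder bytes standing in for a real DER certificate.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample"

if __name__ == "__main__":
    print(provisioning_xml(SAMPLE_DER))
```

Which execution store the certificate belongs in depends on the privilege level the application needs under the device's security policy, so `stores` is left as a parameter.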
 
