How to deploy real cert in packaged .exe (VS 2005, .net cf 2.0 sp2,WM 5.0)

[NET CF Questions]

We are developing an application for a Windows Mobile 5.0 device using
VS 2005, .net cf 2.0 and currently when we deploy it to the device for
testing we get the following error;
"The program is from an unknown publisher ...(etc)"

When we go to package this for real use (not test), what are the steps
we need to follow so this warning doesn't appear on the device?

I have seen the instructions here:
http://ce4all.blogspot.com/2007/04/siging-windows-mobile-application-code.html

but is that for the real environment or just the test environment?

What certs and signings do I need to include how (the steps in VS 2005
please) to do this for a real app?

 

[Jin Chang]

We are developing an application for a Windows Mobile 5.0 device using
VS 2005, .net cf 2.0 and currently when we deploy it to the device for
testing we get the following error;
"The program is from an unknown publisher ...(etc)"

When we go to package this for real use (not test), what are the steps
we need to follow so this warning doesn't appear on the device?

I have seen the instructions here:http://ce4all.blogspot.com/2007/04/siging-windows-mobile-application-...

but is that for the real environment or just the test environment?

What certs and signings do I need to include how (the steps in VS 2005
please) to do this for a real app?

I would like to bump this thread with an added question/issue.

First of all, there are plenty of information on the web and this
forum about certificates and code-signing, but the problem I'm facing
are the following:

1. Why is it so difficult to use chained certificate for code-signing
with WM devices? One of the source I ran across mentions that it's an
issue with WM 5 and 6. Can someone confirm this so that I might get a
more appropriate certificate?

2. How in the world can one sign a CAB file so that the certificate
is also deployed in one step without the "unknown publisher" message
being displayed? Is it a catch-22 situation where the certificate
must be installed before the CAB can be run without the warning?

I must have read at least 20 different sources on this topic and the
solution still eludes me. Why can't WM code-signing be as easy as
it's for normal PC's OS? Are there reasons why the Cert Vendors make
it so difficult or are WM devices not quite ready-for-prime-time for
these processes to be in place?

- Jin

 

[Peter Foot]

To achieve no prompts on installation your package has to be signed with a
certificate already installed on the device. You have two options - sign
your app and cab file with a Mobile2Market certificate e.g. through
VeriSign, or create a cab file specifically to deploy your own
certificate(s) and have this signed with a Mobile2Market certificate - once
this has installed your own certificate correctly you can then deploy your
own application which is self signed.
The certificate vendors have been making the process easier, you can now
sign an entire cab file and all its contents in a single signing event,
previously each .exe and .dll within the cab would require its own signing
event.

Peter

--
Peter Foot
Microsoft Device Application Development MVP
peterfoot.net | appamundi.com | inthehand.com
APPA Mundi Ltd - Software Solutions for a Mobile World
In The Hand Ltd - .NET Components for Mobility

 

[Jin Chang]

To achieve no prompts on installation your package has to be signed with a
certificate already installed on the device. You have two options - sign
your app and cab file with a Mobile2Market certificate e.g. through
VeriSign, or create a cab file specifically to deploy your own
certificate(s) and have this signed with a Mobile2Market certificate - once
this has installed your own certificate correctly you can then deploy your
own application which is self signed.
The certificate vendors have been making the process easier, you can now
sign an entire cab file and all its contents in a single signing event,
previously each .exe and .dll within the cab would require its own signing
event.

Peter

--
Peter Foot
Microsoft Device Application Development MVP
peterfoot.net | appamundi.com | inthehand.com
APPA Mundi Ltd - Software Solutions for a Mobile World
In The Hand Ltd - .NET Components for Mobility

Thanks, Peter.

That pretty much confirms what I've been reading about the
Mobile2Market and Verisign.
I guess I'll have to go that route.

- Jin

 

[NET CF Questions]

This is probably a very silly question, but are there fees involved?
Is this something that will cost to do?

Is one scenario free?

I'm sorry, I really know nothing about this at all.

 

[SQL Server Questions]

This is custom software for one client's WM 5 devices, not for open
resale.

We want to do it in a way that makes the "untrusted" prompt come up,
but don't need anything fancy.

 

[NET CF Questions]

This is custom software for one client's WM 5 devices, not for open
resale.

We want to do it in a way that makes the "untrusted" prompt come up,
but don't need anything fancy.

 

[NET CF Questions]

When I use the Security configuration manager, I see a "Microsoft
visual studio signing authority".

Is that not something i can use to prevent that warning message in an
application installed on a WM 5.0 device?

 

[NET CF Questions]

It will be installed on 100 to 200 devices.

How many devices are you installing it on?

 

[NET CF Questions]

It will be installed on 100 to 200 devices.

I have been reading this;
http://blogs.msdn.com/windowsmobile/archive/2005/12/17/security_model_faq.aspx

and it seems impossible that it's that hard.

Do we really need to get some kind of account, pay for a certificate,
upload my software, have it "signed", then have something that will no
longer work if modified?

(Am i just reading it incorrectly?)
What happens if we do a bug fix and alter the install?
Would we need to pay and upload and get it resigned over and over?

Sorry to be so slow here, it's just seeming to confuse me.

 

[NET CF Questions]

Thank you so much for your help.
I'm sorry I'm so clueless here.
(This of course is always what clueless people say before they take up
even more of your time..)

So I get a certificate from Verisign.
Do I also need to sign up for the M2M thing through Microsoft?

Then I install it on my development computer?
(I'm not the developer or a developer, I just look up issues for them
and bother kind usenet folks with my n00bish and incorrectly phrased
questions.. )

Am I then ready to package the app via Visual Studio?
Is there something special I need to do during this process?

Or do I do the signing using the the tools they send me?

And about how long does the signing up, installing, etc. take before I
have a signed app?

Is it still a case of having to pay for each .exe. or .dll etc that
needs signing?
Or was that never the case for WM 5.0?

I've read so much tonight that it's all just a scary blur to me right
now..

 

[Paul G. Tobey [eMVP]]

No, you don't *also* need M2M. That's just an alternative to using a
Verisign certificate. The only case I can think of where you might want
both a certificate authority certificate and a M2M certificate is where your
certificate authority is not in the trusted store on the mobile device to
begin with. That is, the code is signed, but the device doesn't recognize
the certificate as having come from someone that it trusts, so you probably
still get the user warning. To work around that, you could have your
installer signed with a M2M cerificate and have that installer, in turn,
arrange for the other certificate to be trusted, as part of the
installation.

Paul T.

 

[SQL Server Questions]

I think i understand what you're saying Paul, but just to check.

When I view my device from the Security Configuration Manager, I see
the following;
(M2M) Baltimore Mobile device Privileged Root
(M2M) Geotrust Mobile Device Root
(M2M) Verisign Authorized Code signing (Privileged) Root for Microsoft

These made me assume? wonder? if I need both.
I'll check their sites as well, just wondering what the whole (M2M) in
the certificate name meant.

 

[NET CF Questions]

No, you don't *also* need M2M. That's just an alternative to using a
Verisign certificate. The only case I can think of where you might want
both a certificate authority certificate and a M2M certificate is where your
certificate authority is not in the trusted store on the mobile device to
begin with. That is, the code is signed, but the device doesn't recognize
the certificate as having come from someone that it trusts, so you probably
still get the user warning. To work around that, you could have your
installer signed with a M2M cerificate and have that installer, in turn,
arrange for the other certificate to be trusted, as part of the
installation.

Paul T.

I think I understand what you're saying Paul, but just to check.

When I view my device from the Security Configuration Manager, I see
the following;
(M2M) Baltimore Mobile device Privileged Root
(M2M) Geotrust Mobile Device Root
(M2M) Verisign Authorized Code signing (Privileged) Root for Microsoft

These made me assume? wonder? if I need both.
I'll check their sites as well, just wondering what the whole (M2M) in
the certificate name meant.

 

[Paul G. Tobey [eMVP]]

Mobile2Market. I'm not sure how to define what it is, but maybe you can
find some information on it from that...

Paul T.

 

[Jin Chang]

I think I understand what you're saying Paul, but just to check.

When I view my device from the Security Configuration Manager, I see
the following;
(M2M) Baltimore Mobile device Privileged Root
(M2M) Geotrust Mobile Device Root
(M2M) Verisign Authorized Code signing (Privileged) Root for Microsoft

These made me assume? wonder? if I need both.
I'll check their sites as well, just wondering what the whole (M2M) in
the certificate name meant.

I'm also trying to digest all this as I go, but here's how I
understand it.
It's crucial to make sure that the certificate you get matches the one
pre-installed on the device if you want to bypass the "unknown
publisher" message during the install or launching of the
application(s). In my case, I got one of those "chained certificate"
that chains back to one of the pre-installed root certificate, so I
ended up getting the message. Before facing this situation, I was
under the impression that "chained certificate" (which basically
chains back to the root certificate) will be recognized by the OS, but
this apparently is not the case with WM. Given this, I believe the
solution to my problem is to get the proper certificate that is not
chained. Although installing the certificate on the device should
resolve the issue, it wasn't an option for me to do this since I need
to avoid the "unknown publisher" message from the get-go.

If my assumptions are incorrect in any way, please point it out.