
Code Signing


James

Jan 19, 2006, 10:31:04 AM
Hi All,

I want to sign my Assemblies for release to a client that will use only my
application and I don't want to buy standard certificates.
How can I create a private certificate that I can install manually and sign
all my Assemblies to use this private certificate?

Cheers,
James.

James

Jan 20, 2006, 6:41:02 AM
Help anyone...

Joseph Byrns

Jan 20, 2006, 6:58:38 AM
You can use the sn.exe from the command line, (sn.exe -k c:\test.snk). You
can then use this file to sign your assembly by (in VS 2005, can't remember
where in VS2003) clicking Project->'ProjectName' Properties->Signing then
check the 'Sign Assembly' check box and select the relevant file.



James

Jan 20, 2006, 7:45:04 AM
Sorry I should have been more clear.
I want to sign the CAB and assemblies using a privately created certificate
rather than a Mobile2Market or Verisign Code signing service.

Do the devices only have certain Root certs and cannot add others?
What are the test certificates and can I use them for release?

Cheers,
James

Nino Benvenuti

Jan 20, 2006, 10:54:29 AM

sn.exe is the Strong Name tool and is used for signing an assembly with
a strong name. Strong Name signing helps to ensure that an assembly is
globally unique and it helps to protect the version lineage of an
assembly. They also provide guarantees that the assembly has not been
changed since it has been built. Strong name signing of assemblies is
required if you are going to install them into the GAC.

What you are after, James, is Authenticode signing. This will ensure
the integrity and authenticity of your assemblies and your CAB. If you
choose to sign your assemblies outside of Visual Studio, you will need
to use the SignTool.exe tool.

The Windows Mobile SDK certs exist for developers to test their bits
under the different privilege levels. For WM5 PPC, the certs may be
found at C:\Program Files\Windows CE Tools\wce500\Windows Mobile 5.0
Pocket PC SDK\Tools. In that directory, you will find the certs as well
as a CAB for you to install the certs on your device for testing. The
certs are already installed on the emulator.

These certs are *not* for release and you cannot use them as such as the
devices will not have the certificate on them.

You can sign your CABs and your assemblies with a private cert; however,
you would need to install that cert on the device so that the assemblies
and CAB could be verified. Also note that the signature on the CAB will
be ignored unless the EXEs and DLLs in the CAB are also signed.

If you haven't read the following, I would suggest them:
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnppcgen/html/wmsecurity.asp

http://blogs.msdn.com/windowsmobile/archive/2005/12/17/491167.aspx

Most of my reply here (as I'm sure you've noted) assumes WM5.0 - what
version of the .NET CF are you using and what is your target platform?

--
Nino Benvenuti
http://nino.net/blog

Simon Hart

Jan 20, 2006, 11:56:29 AM
>
> What you are after, James, is Authenticode signing. This will ensure the
> integrity and authenticity of your assemblies and your CAB. If you choose
> to sign your assemblies outside of Visual Studio, you will need to use the
> SignTool.exe tool.
>
Don't you mean signcode.exe?


Nino Benvenuti

Jan 20, 2006, 12:04:44 PM
No; SignTool.exe has replaced Signcode.exe in the latest SDK.

James

Jan 20, 2006, 7:24:02 PM
Hi Nino,

I am moving an existing .NET CF 1.0 Application to Mobile 5.0.
Thanks for your answer and I will try it today!

Cheers,
James.

James

Jan 22, 2006, 11:52:02 PM
Hi Nino,

Well, I used the Test Certificates from MS by copying the 'SdkCerts.cab' CAB
file to the PDA and executing it, and all worked fine.

But generating my own CER using the makecert and installing and signing,
does not work. It still asks for the user to allow the app to run. Is it not
possible to create your own cert, sign your app and run it?

Cheers,
James

James

Jan 23, 2006, 1:06:02 AM
Hi All,

I want to sign my application using a privately created Certificate so that
I don't have to buy one.
I tried using the MAKECERT utility and then PVK2PFX and then the SIGNTOOL
and it all worked fine. But after installing my CER file on the PDA it still
prompts me to trust the APP or not.

I tried the stuff in this article
http://www.codeproject.com/useritems/signcode.asp#xx1327891xx
and all was fine but is this the only way to create and use a private
certificate?

Cheers,
James.

Scott Yost [MSFT]

Jan 23, 2006, 5:40:33 PM
You have to add the certificate to the device before the device will trust
it. That's what that article is showing you how to do.

--
Scott Yost
Software Development Engineer/Test
Microsoft Corp.

This posting is provided "AS IS" with no warranties, and confers no rights.


Nino Benvenuti

Jan 23, 2006, 7:06:31 PM

Hi James,

As Scott Yost said in reply to your other post, you need to provision
the certificate to the device.

-Nino

neel

Jan 30, 2006, 1:50:16 AM
Hi Nino,

I've been following this discussion thread, I actually have somewhat of
a similar problem. I'm creating signed executables, etc. for Windows
Mobile 5.0 in Visual Studio 2005 environment. I've been able to enable
provisioning of device using the GUI interface of Visual Studio 2005.
It's working. Perfectly.

The problem is, my actual building process involves building from the
command line. To this end, I located the "signtool.exe" which does the
job of signing with valid certificates, etc. However, I can't seem to
find any option by which I can enable provisioning of the device from
the command line (using the signtool.exe tool). Could you please let me
know if there is some switch that exists with the tool, or a separate
executable that handles the provisioning of device in the command line?
Thanks,

-Neel.

Nino Benvenuti

Feb 6, 2006, 12:04:51 PM
neel wrote:
> Hi Nino,
>
> I've been following this discussion thread, I actually have somewhat of
> a similar problem. I'm creating signed executables, etc. for Windows
> Mobile 5.0 in Visual Studio 2005 environment. I've been able to enable
> provisioning of device using the GUI interface of Visual Studio 2005.
> It's working. Perfectly.
>
> The problem is, my actual building process involves building from the
> command line. To this end, I located the "signtool.exe" which does the
> job of signing with valid certificates, etc. However, I can't seem to
> find any option by which I can enable provisioning of the device from
> the command line (using the signtool.exe tool). Could you please let me
> know if there is some switch that exists with the tool, or a separate
> executable that handles the provisioning of device in the command line?
> Thanks,
>
Hi neel,

SignTool.exe has no facilities for provisioning a certificate to a
device, so your observations in that regard were correct.

With regards to provisioning a certificate to the device, I think that
your options are:

1) Use RapiConfig.exe (in WM5 SDK). You would need to change the
default RAPI policy[1][2] on the device before you could leverage this

2) Create a CAB file that contains[3] the same certificate that you are
signing your assemblies with and load that on the device as a separate
step (or write an automated installer to do it via RAPI)

There may be other ways, but that's what comes to mind at this time...


[1]http://groups.google.com/group/microsoft.public.pocketpc.developer/browse_frm/thread/6fe1649484a08d6d/bbe5f0ed49c48e9f?q=rapiconfig+%2B+access+denied&rnum=3#bbe5f0ed49c48e9f
[2]http://groups.google.com/group/microsoft.public.pocketpc.developer/browse_frm/thread/aee9a7819d2d43d3/ebf7c2ef70703637?q=rapiconfig+%2B+access+denied&rnum=1#ebf7c2ef70703637
[3]http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx
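
Both options in the reply above come down to handing the device a provisioning XML document that carries the signing certificate. The following Python script is an added example, not code from this thread or from the SDK tools: it builds such a document for the CertificateStore configuration service provider from a .cer file so the step can run in a command-line build. The `ROOT` store name, the lowercase form of the SHA-1 thumbprint and the sample bytes are assumptions of the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed sample, NOT a real certificate: a 5-byte DER SEQUENCE whose last
# byte is 0x0A, to show that DER input must never be whitespace-stripped.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x0A])
SAMPLE_PEM = PEM_BEGIN + b"\n" + base64.b64encode(SAMPLE_DER) + b"\n" + PEM_END + b"\n"


def to_der(data: bytes) -> bytes:
    """Accept a DER or PEM-armoured .cer file and return the DER bytes."""
    text = data.lstrip()
    if text.startswith(PEM_BEGIN):
        body = text[len(PEM_BEGIN):text.index(PEM_END)]
        return base64.b64decode(b"".join(body.split()))
    return data  # already binary; every byte counts towards the thumbprint


def provisioning_xml(cert: bytes, store: str = "ROOT") -> str:
    """Build a wap-provisioningdoc that adds `cert` to a device cert store.

    `store` is an assumption of this example; pick the store your device's
    security policy actually consults.
    """
    der = to_der(cert)
    if not der or der[0] != 0x30:
        raise ValueError("not DER: an X.509 certificate starts with SEQUENCE (0x30)")
    # The entry is keyed by the SHA-1 thumbprint of the DER encoding
    # (lowercase hex here, an assumption of this example).
    thumbprint = hashlib.sha1(der).hexdigest()
    doc = ET.Element("wap-provisioningdoc")
    csp = ET.SubElement(doc, "characteristic", type="CertificateStore")
    target = ET.SubElement(csp, "characteristic", type=store)
    entry = ET.SubElement(target, "characteristic", type=thumbprint)
    ET.SubElement(entry, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    print(provisioning_xml(SAMPLE_DER))
```

The thumbprint and the encoded value must both come from the same DER bytes, which is why a PEM-armoured .cer is decoded first and a binary one is passed through untouched.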
