Mobile Apps - Code Signing Hell.

Asked By Gary Crean

06-Nov-09 04:12 AM

After a long day yesterday playing telephone tennis with VeriSign / Geotrust.
I found another signing provider that can sign Microsoft Windows Mobile Code.
(So They Say).

??399 later. It does not. I seems the only provider that can sign code for
Window Mobile is Verisign / Geotrust.

FYI. Same company.

My comment is.

1. No-body else does it. (Seems many company's have been court by this)

2. Come on Microsoft. What the hell is going on. 1 Provider for code signing
and $5 to sign the code each time is
punishment. Doesn't fit into a nightly build process and no wonder people
are moving to IPhone and Android.

07-Nov-09 03:29 AM

...
...

I have been developer for PocketPC since version 2.0 (windowsce). and year
ago, I have started developing for IPhone but now almost put in in 'idle'
state, after developed some community App on IPhone, below is some comments.

If your think develop for Windows Mobile is hard, and IPhone is easy, let
see...

To develop for IPhone, and publish / distribute it , there is no less
headache.

1. Register to Apple, and if your application is going to distribute to
IPhone, you must apply from Apple and Paid at least 100 (for free program
like community services) and if you are collecting fee from your program,
your have to paid much more fee (and the lengthly approval time). Also, you
subscription (certificate) is going to last for about 2 years only.

2. You can only use certain MAC machine as development platfirom. totally
unsupported on PC.
ie, you cannot use PC as development machine (the SDK, XCode and Objective-C
is MAC only .dmg)
So, you need some spend $$$ to buy new machine for it.

Come on Apple, didnt you know that more than 90% of the Computer on the
market is PC ?

3. To deploy to IPhone, you must be registered and get the development
certificate, which then your development tools (XCode) able to deploy to
IPhone. But before that, you need to register your IPhone serial code to
Apple Portal, generate a key, download the key, and then only that
particular IPhone is recognized by XCode (development tools), but not to
other IPhone with different ID, unless you put it on Apple Store.

4. Every OS upgrade, you need to re download the whole SDK, for example, if
your existing SDK only up to OS2.2 but you need to develop for 3.1, you need
to redownload the new SDK, which is 2.4GB !!! there is no small 'patch',
platform SDK download like WindowsCE (PocketPC SDK, WM5 SDK, etc, which is
only at most few ten MB, the Embedded tools, seldom need to upgrade)
Note that there is no progressing download, individual patch, any upgrade -
your need to redownload the GB SDK.

Come on Apple, cant you just provide a small 'patch' or that particular SDK
update instead of everytime OS upgrade, need to re-download the HUGE SDK ?
At least for most country, how many provide such a reliable and fast
connection ? (also the time, halfway connetion drop have to restart again).

5. Not tired enough for yet another language, another framework ? To your
suprise, it is yet another language, Objective-C, solely used by MAC.and
'Cocoa' framework.

6. etc...

X5425

07-Nov-09 03:51 AM

Some more,
1 - you need to upgrade the MAC OS also, just to support the new SDK....
2 - you need to download the SDK also if you do not publish on Apple store,
your SDK up to 2.2, but to deploy to 3.x OS phone, ,
even your plan to deploy our program in OS2.2 binaries.

There is no .msi, .cab or setup.exe equivalent, jail-breaking (hacked code)
might be answer, but carefull cause every OS update, all your thing in
IPhone is washed unless you use the telco / unlocked IPhone.

07-Nov-09 04:50 AM

Wow; I used Objective-C as the 1st object-oriented language I had come
across well over a decade (perhaps two) ago. It was (then) nothing to do
with Apple or phones, of course. Was unimpressed with the level of support
but a lot must have happened since then!

Mike.
--
If reply address is invalid, remove spurious "@" and substitute "plus"
where needed.

08-Nov-09 01:36 PM

You should not be signing every build so $5 for each nightly build should
never be an option. You only need to sign builds that you release. You can
build, debug and test without signing or you can use the development
certificates - you just need to configure your test device by deploying the
development certificates package (there is a cab file in the Windows Mobile
SDK) and you can use the Device Security Manager (Tools menu in Visual
Studio 2008) to set the security mode on the connected device. You can
either turn off security completely or have it operate in One-Tier or
Two-tier with your code signed with either the privileged or unprivileged
development certificate.

Peter

--
Peter Foot
Microsoft Device Application Development MVP
peterfoot.net | appamundi.com | inthehand.com
APPA Mundi Ltd - software solutions for a mobile world
In The Hand Ltd - .NET Components for Mobility

09-Nov-09 02:51 AM

Hi Gary,

You missed one.  Thawte.

Their customer service stinks  (particularly if anything goes wrong when
enrolling with them), but for $299 USD a year you can sign as many files as
you want  *IF*  you are running XP.

If you are running Vista or, errrm, 7, then you are stuck with Microsoft's
ridiculous money-making pay-per-signing Bill-Gates-retirement fund.

We developer PocketPC/Desktop applications in XP, sign them in XP, and
then test & deploy them to Vista/7 environments.


Hope this helps,


Marc

15-Nov-09 06:05 PM

Hi Gary,


VeriSign have been the sole providers of Mobile2Market code signing accounts
for a number of years.

it is important to differentiate between generic Authenticode signing
certificates (where there are numerious providers), and the ones accepted by
Windows Mobile devices out of the box. If talking to another provider ask
them explictly if they support Mobile2Market
(http://msdn.microsoft.com/en-us/windowsmobile/dd569931.aspx), as that may
clarify what they think your asking for.


I equally have always wondered (for unpriviledged certificates atleast) why
Windows Mobile certificates are "accounts" with fixed numbers of signing
events, vs desktop Authenticode certificates which are timeframe based and
can be signed locally.

It has however improved over the years. I still remember a time when a code
signing "event" was considered a individual dll, exe or cab file rather than
one "event" per CAB, no matter how many executable files it contains
(http://blogs.msdn.com/hegenderfer/archive/2007/05/19/mobile2market-updates-for-signing-and-certification.aspx).
That truely did start adding up quickly if your application was rather
modularised, not to mention a pain in the neck, especially when there was no
tooling support.

It may not fit your required use case, but have you considered the Windows
Marketplace for Mobile as an alternative? It has an alternative set of fees
and constraints etc, but may suit some applications better than
Mobile2Market these days.

Details can be found at http://developer.windowsphone.com/Default.aspx

Hope this helps,
Christopher Fairbairn