
Is there a way to install more root certificates on a phone

Asked By Anthony Wieser
09-Nov-09 05:03 AM
I have just started developing for WM 6.5 on an HTC Touch2, and every time I
deploy for debugging, I get a warning about an unknown publisher.

My program is signed with a Comodo Code Signing certificate issued to my
company.

Is there a way to add to the trusted root authorities on a device, so the
device can recognize my signed code?  Pointers to documentation on this
greatly appreciated, as I have not had any luck on Google.


--
Anthony Wieser
Wieser Software Ltd


Christopher Fairbairn [MVP] replied to Anthony Wieser
15-Nov-09 05:45 PM
Hi,


It is possible to add new root certificates to the certificate store,
however if your devices are prompting you when you install "unsigned" or
unprivileged code it is possible you may also not have enough permissions
on the device to install certificates to the appropriate store. You also
have the chicken and egg scenario of how to install the certificate without
prompting the user.

See http://support.microsoft.com/default.aspx/kb/915840 or
http://www.jacco2.dds.nl/networking/windowsmobile-certinstall.html for
details on how to install custom certificates.

If you want your application/cab files to install without prompts on
customer devices to my knowledge the only practical way is to purchase a
Mobile2Market code signature
(http://www.verisign.com/code-signing/content-signing-accounts/microsoft-windows-mobile/index.html).
Or release your software via the new Windows Mobile marketplace...

If this is just your development device, you may like to use the Device
Security Manager utility (found in VS2008's Tools menu) to alter your
device's security policy to one which does not prompt for unsigned code.
Documentation is at http://msdn.microsoft.com/en-us/library/bb384149.aspx

Hope this helps,
Christopher Fairbairn


Anthony Wieser replied to Christopher Fairbairn [MVP]
29-Nov-09 02:56 AM
Thanks for your suggestions.  I did eventually figure this out and it went
something like this, as my phone was not locked.

1.  Export the root certificate from certificate manager on your PC that
corresponds to your authenticode signature
2.  Copy the certificate to your device, which should be installed
automatically.

The problem was that I was seeing a message that "this program depends on a
component from an unknown publisher".  Eventually I figured out that that
means that the debug MFC DLLs are not signed.  A release build just works.
It also implies that I need to sign my DLLs as well as exes.

When I do sign my code, I timestamp it and countersign.

Does anyone know how the loader works when the original certificate expires?
On a PC there still is no warning, but on this device, I am not so sure.

Also, it seems that the device somehow remembers that I allowed the code
once, and then does not complain again. Any idea how that is achieved?

Anthony Wieser
Wieser Software Ltd
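
An added example, not part of the original thread: a desktop-side check that lists which EXE and DLL files in a deployment folder carry no embedded Authenticode signature, the condition behind the "component from an unknown publisher" prompt described above. It only tests for the presence of the PE certificate table, not signature validity or chain trust; the function names and the sample image are constructed for illustration.

```python
import struct
from pathlib import Path

SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

def cert_table(data: bytes):
    """Return (file_offset, size) of the embedded signature blob, or None."""
    try:
        if data[:2] != b"MZ":
            return None
        (pe,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        opt = pe + 24                                       # skip signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        base = {0x10B: 96, 0x20B: 112}[magic]               # PE32 / PE32+ directory offset
        (count,) = struct.unpack_from("<I", data, opt + base - 4)
        off, size = struct.unpack_from("<II", data, opt + base + 8 * SECURITY_DIR)
    except (struct.error, KeyError):
        return None                                         # truncated or not a PE image
    if count <= SECURITY_DIR or size == 0 or off + size > len(data):
        return None
    return off, size

def unsigned_binaries(folder):
    """Names of .exe/.dll files under folder that carry no embedded signature."""
    return sorted(p.name for p in Path(folder).rglob("*")
                  if p.is_file() and p.suffix.lower() in {".exe", ".dll"}
                  and cert_table(p.read_bytes()) is None)

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header (ARM Thumb machine type), for testing only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x01C2, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    if signed:
        # Point the security directory at a 16-byte stand-in appended to the file.
        struct.pack_into("<II", image, 88 + 96 + 8 * SECURITY_DIR, len(image), 16)
        image += b"\0" * 16
    return bytes(image)

if __name__ == "__main__":
    import sys
    print(unsigned_binaries(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against the build output folder before deploying; any name it prints is a binary the device would treat as unsigned.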