
Code Signing Credentials for Windows Mobile FAQ

Questions:

  1. Do I need to have my code signed? Why?
  2. Why do I need to sign the code I send to GeoTrust?
  3. Why can't I just sign my code with the token I get from GeoTrust?
  4. What file suffixes do I need to sign?
  5. How do I sign code with my token?
  6. Why does the CAB need to be signed, too?
  7. Do I need to sign the EXE I use for ActiveSync?
  8. What if I run out of events?
  9. What if I lose my token?
  10. What if I forget my token password?
  11. Does GeoTrust test my software to make sure it works and doesn't have a virus?
  12. Does my GeoTrust-signed application allow me to use Microsoft's Designed for Windows Smartphone designation?
  13. Someone said this is going to cost $600 per application, is that true?
  14. What is the difference between code signing and certification?
  15. What if my CAB just contains files that do not need to be signed?
  16. What do I do if my software has a bug and I want to disable it from affecting user phones?
  17. How does certificate revocation work?
  18. When GeoTrust revokes a certificate, does that mean my application will stop running on the phones immediately?
  19. Can I call someone at GeoTrust to walk me through this?
  20. What is a Signing Set ID?
  21. Do I have an expiration period before I have to upload all files related to an application?
  22. What is the "Application/File Name"?
  23. What is the "Application/File Version"?
  24. Do I need Comments?
  25. How do I configure my system to use the USB Token that contains my signing ID?
  26. If I lose my drivers, where can I go to download them again?
  27. What is the size limitation for files?
  28. What if I haven't used up all my signings before my Administrator Access certificate expires?
  29. Which Carriers have Smartphones? What are their security models?
  30. How do I obtain authorization for Privileged Microsoft Mobile to Market Root signing services?
  31. How can I sign code for the Microsoft Mobile2Market Program?
  32. How do I sign my files with the signing services I have been authorized for?
  33. What are the technology requirements for Microsoft privileged signings?
  34. How do I obtain authorization for Nextel-Sprint Root signing services?
  35. Can I sign my applications for the Windows Mobile 5 operating system with your signing service?

 

Answers:
  1. Do I need to have my code signed? Why?
    Yes. Many carriers require code to be signed in order to both install and execute on Windows Mobile-based Smartphones. Go to http://msdn.microsoft.com/en-us/windowsmobile/bb250551.aspx to review the specific mobile operator and configuration details available.
  2. Why do I need to sign the code I send to GeoTrust?
    The code you send to GeoTrust must be signed for the following reasons. First, GeoTrust must verify the files submitted were signed with a certificate in good standing. Second, GeoTrust must validate the data integrity of the file(s) submitted. Performing a signature verification test ensures the file(s) have not been altered between the time you signed the file and the time it was submitted to GeoTrust.
  3. Why can't I just sign my code with the token I get from GeoTrust?
    The token you get from GeoTrust contains a certificate that is recognized by GeoTrust only. This certificate is not trusted in the Smartphone application environment. GeoTrust uses this certificate to recognize and grant access to your Windows Mobile Code Signing Credentials account; in addition, we ensure files submitted in your account were signed by this same certificate (your certificate).
  4. What file suffixes do I need to sign?
    .exe, .dll, .mui, .cab and .cpl files must be signed. Also, a change in Windows Mobile 5 requires you to sign resource-only DLLs.
  5. How do I sign code with my token?
    You will sign your code with the signcode.exe application in the SDKs for use in mobile and embedded application development. The SDKs for Microsoft Smartphone 2003 and Windows Mobile 5.0 can be obtained by visiting the following URL: http://msdn.microsoft.com/mobility/downloads/sdks/default.aspx
  6. Why does the CAB need to be signed, too?
    The CAB needs to be signed for applications to install.
  7. Do I need to sign the EXE I use for ActiveSync?
    No, but the application files delivered within the ActiveSync self-extracting bundle must be signed if they are suffixed .exe, .dll, or .mui.
  8. What if I run out of events?
    You can purchase more within your Windows Mobile Code Signing Credentials management application.
  9. What if I lose my token?
    If your token is lost, you must report this to GeoTrust. We will make the associated certificate unusable immediately. In addition, you must request a new certificate. Fees will apply for labor, materials, and postage associated with the new request.
  10. What if I forget my token password?
    If you forget your token password you should contact GeoTrust customer support. An email can be sent to the email address on file for the token.
  11. Does GeoTrust test my software to make sure it works and doesn't have a virus?
    No, GeoTrust does not test the software submitted for signing in your Smartphone Credentials environment.
  12. Does my GeoTrust-signed application allow me to use Microsoft's Designed for Windows Smartphone designation?
    No. GeoTrust offers a code signing service that allows your application to run on the Smartphone. Only a Microsoft Certified Testing Partner can grant you the authority to use the Designed For Windows-Powered Mobile Devices logo in your packaging and advertising. GeoTrust is not a Testing Partner; such a service can be obtained from Veritest (http://www.veritest.com) or QualityLogic (http://www.qualitylogic.com).
  13. Someone said this is going to cost $600 per application, is that true?
    The $600 cost people are referring to here is the possible costs of having your application receive the "Designed for Windows-Powered Mobile Devices" designation. This process is performed by independent application testing/approval organizations and is not related to GeoTrust.
  14. What is the difference between code signing and certification?
    Code signing is a term used for generic file/application signing. In the Smartphone environment, this would be the signing process performed on individual files and applications by both you and GeoTrust. Certification is a term typically used when referring to third-party validation services. In the scope of Smartphone code signing service signup, GeoTrust validates your business identity by obtaining and checking certain business registration documents for your company, in addition to validating individuals with your company. During the use of your service, GeoTrust continually ensures files and applications have been submitted by the validated company.
  15. What if my CAB just contains files that do not need to be signed?
    You can submit the .cab alone for signing.
  16. What do I do if my software has a bug and I want to disable it from affecting user phones?
    You request from GeoTrust that the certificate used for signing be revoked. This would render the application unusable. Please use the information below to contact the GeoTrust Customer Support Center http://www.geotrust.com/support/
  17. How does certificate revocation work?
    If a certificate that was used for an application signing has been revoked, the serial number and other relevant information will be placed in a file used in revocation checking. If the Smartphone environment detects a signing certificate serial number in this file the application will not be able to install or execute.
  18. When GeoTrust revokes a certificate, does that mean my application will stop running on the phones immediately?
    This depends on the phone and carrier's configurations. If revocation checking is configured optimally, then applications will stop running immediately. Please check with your phone service provider.
  19. Can I call someone at GeoTrust to walk me through this?
    Yes, you can contact GeoTrust customer support. http://www.geotrust.com/support/
  20. What is a Signing Set ID?
    The SIGNING SET ID is an ID used to associate individual signed files with the final signed application file that is uploaded. When you upload a file for the first time that has not yet been associated with an application, a new SIGNING SET ID will be assigned. You must reference this SIGNING SET ID each time you upload another signed file that will be packaged in the same final signed application submitted for re-signing.
  21. Do I have an expiration period before I have to upload all files related to an application?
    Yes, the time between uploading a signed application file, such as a .dll or .exe for a new SIGNING SET and the time the final signed application is received for re-signing (.cab), must not exceed four (4) days.
  22. What is the "Application/File Name"?
    The "Application/File Name" is a name descriptor for the individual file or final application being uploaded for re-signing.
  23. What is the "Application/File Version"?
    The "Application/File Version" is the version of the individual signed file or final signed application being uploaded for re-signing. It is typically a numeric value, e.g. 1.0
  24. Do I need Comments?
    No. Comments are not required, but can be helpful in identifying specific information about an individual signed file or final signed application that has been uploaded for re-signing.
  25. How do I configure my system to use the USB Token that contains my signing ID?
    Please refer to the installation instructions. Click here for more information.
  26. What is the size limitation for files?
    Files cannot exceed 8MB.
  27. What if I haven't used up all my signings before my Administrator Access certificate expires?
    An auto-generated email will be sent to the email address supplied during service enrollment informing you that your Administrator certificate is about to expire. If you proceed with the instructions prior to certificate expiration, you will not need to ship your token back to GeoTrust. If you neglect to respond prior to certificate expiration, you will need to ship your token back to GeoTrust to obtain a new Administrator certificate. Processing and shipping fees will apply depending upon your address. Please note, unused signing events cannot be utilized without proper access to the Smartphone signing portal.
  28. Which Carriers have Smartphones? What are their security models?
    Click here for further information on mobile carrier security models.
  29. How do I obtain authorization for Privileged Microsoft Mobile to Market Root signing services?
    To obtain privileged signing for Windows Mobile Smartphone platform you will need to contact Microsoft at: M2M@microsoft.com and let them know you have enrolled for GeoTrust's Code Signing Credentials for Windows Mobile and would like to gain access to the Microsoft Privileged signing service. It is important that you first enroll for the GeoTrust Windows Mobile signing service as Microsoft will require you to submit the order ID number we assign to you.

    Microsoft will supply prospective developers with instructions on how to submit an application, which will be evaluated for compliance with the Microsoft Privileged Certificate Technology Requirements. Proper permission from Microsoft is required before any SmartPhone Credentials account can be updated and assigned Root signing access.
  30. How can I sign code for the Microsoft Mobile2Market Program?
    If you are participating in the Microsoft Mobile2Market program and looking to get your applications signed, note that we support both Unprivileged and Privileged mode signing. Unprivileged signing is available for all developers through the signing portal by default. However, to access the MS Windows Mobile for Smartphone Privileged signing, you need to get pre-authorized by Microsoft after meeting certain Technology Requirements.

    Please contact your Microsoft Mobile2Market contact or send an e-mail to the M2M@microsoft.com alias for details and to be authorized to access the MS Privileged root. More details on operator support for Mobile2Market privileged signing are available here.
  31. How do I sign my files with the signing services I have been authorized for?
    First, you must sign up for and obtain Smartphone Credentials. Upon doing this you will receive a hardware token with a digital certificate on it. This certificate is used to gain administrative access to your Smartphone Credentials environment as well as to digitally sign your files and applications prior to upload. Typical steps after Smartphone Credentials service setup:

    a. Digitally sign the .exe, .dll, .cpl, .cab and .mui files of the application. This step is performed utilizing signcode.exe from Microsoft's Smartphone SDK and your certificate, which has been issued by GeoTrust and is located on your token. You do not have to access your Smartphone service to perform this step.

    b. Go to the Smartphone signing portal. By default, you will have access to the Microsoft Mobile2Market (M2M) Unprivileged Root signing; that service, plus any other signing service you have been authorized for, will be listed in the drop-down list of the signing portal. Choose the signing service you want to use to sign your files.

    c. Upload each digitally signed file to your Smartphone Credentials service.

    d. GeoTrust verifies the file(s) were submitted by you and not altered. GeoTrust then generates a code-confirmation certificate to re-sign your file. The code-confirmation certificate used here will be trusted by the Smartphone environment, allowing execution of correctly signed files.

    e. Newly re-signed files will be made available to you for .cab packaging.

    f. You will need to bundle all digitally re-signed files into a .cab.

    g. Digitally sign the created .cab. This step is performed utilizing signcode.exe and your certificate which has been issued by GeoTrust and is located on your token. You do not have to access your Smartphone service to perform this step.

    h. Upload digitally signed final application (.cab) to your Smartphone Credentials service.

    i. GeoTrust verifies the .cab was submitted by you and not altered. GeoTrust then generates a code-confirmation certificate to re-sign your .cab. The code-confirmation certificate used here will be trusted by the Smartphone environment, allowing installation of the correctly signed application.
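
A pre-upload check for steps a and c above, as an added example (not GeoTrust's or Microsoft's code): it applies the signable suffixes and the 8MB limit from this FAQ and tests whether a PE file carries a signature at all. It does not validate the certificate, and .cab signatures are not parsed; the function names and the sample files are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

SIGN_SUFFIXES = {".exe", ".dll", ".mui", ".cab", ".cpl"}  # suffixes listed in answer 4
MAX_BYTES = 8 * 1024 * 1024                                # upload size limit from this FAQ

def pe_has_signature(data: bytes) -> bool:
    """True if a PE image has a non-empty certificate table (presence, not validity)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    opt = pe_off + 24  # optional header follows "PE\0\0" and the 20-byte COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 2:
        return False
    (magic,) = struct.unpack_from("<H", data, opt)
    dir_off = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+
    if dir_off is None or len(data) < opt + dir_off + 5 * 8:
        return False
    (count,) = struct.unpack_from("<I", data, opt + dir_off - 4)
    # Data directory entry 4 is the certificate table: (file offset, size).
    offset, size = struct.unpack_from("<II", data, opt + dir_off + 4 * 8)
    return count > 4 and size > 0 and offset + size <= len(data)

def upload_problems(path: Path) -> list:
    """Problems that would block submitting `path` for re-signing."""
    suffix = path.suffix.lower()
    if suffix not in SIGN_SUFFIXES:
        return ["suffix is not one that gets signed"]
    data = path.read_bytes()
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("larger than 8MB")
    if suffix != ".cab" and not pe_has_signature(data):  # CAB signatures not parsed here
        problems.append("not signed")
    return problems

def make_pe(signed: bool) -> bytes:
    """Constructed sample: minimal PE32 headers, optionally with a dummy certificate blob."""
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 312, 16)  # headers end at byte 312
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + bytes(20) + bytes(opt) + (bytes(16) if signed else b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, signed in [("app.exe", True), ("res.mui", False)]:
            p = Path(d, name)
            p.write_bytes(make_pe(signed))
            print(name, upload_problems(p) or "ready to upload")
```
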
  32. What are the technology requirements for Microsoft privileged signings?
    If you are using the Code Signing Credentials for Windows Mobile to sign code with the Microsoft Privileged Certificate, your application must comply with the Microsoft Privileged Certificate Technology Requirements below. These are Microsoft's additional requirements. Please contact the Microsoft Mobile2Market team at M2M@microsoft.com directly if you have any questions on them.
    1. Publisher shall not:
      1. Modify the value or function of any security policy, including without limitation, any of the security policies accessible through the Security Policy CSP
      2. Modify any keys or name/value pairs in the following registry locations:
        1. HKLM\Drivers
        2. HKLM\Hardware
        3. HKLM\Init
        4. HKLM\Comm
        5. HKLM\Security
        6. HKLM\System
      3. Modify, add, or remove any certificates in the following CAPI stores:
        1. Privileged Execution Trust Authorities
        2. Unprivileged Execution Trust Authorities
        3. Software Publisher Certificate
      4. Modify the application and certification revocation lists
      5. Send any device configuration messages to the CM, block any device configuration messages being sent to the device, or modify the device configuration system
      6. Access or modify the Metabase, the Metabase CSP and the underlying database
      7. Modify or circumvent any DRM protection of any device, content, or applications
      8. Overwrite or shadow any system files
      9. Modify any part of the ROM image
      10. Modify the boot sequence
      11. Access any part of the device hardware through any means other than the APIs published in the Software Development SDK for the particular version of the MS Smartphone software.
    2. Publisher shall only:
      1. access and use those APIs that are listed in the Software Development Kit ("SDK") for the particular version of Microsoft Smartphone Software (e.g., 2003, Windows Mobile 5.0, etc.);
      2. access and use DeviceIDs and other device information only through system APIs listed in the SDK for the particular version of the Smartphone Software;
      3. access and use file systems through the file system APIs listed in the SDK for the particular version of such Microsoft Smartphone Software.

      Notwithstanding the limitations set forth in A and B above, hardware developers that are Publishers of device drivers may:
      1. Modify any keys or name/value pairs in the following registry locations: HKLM\Drivers, HKLM\Hardware, HKLM\Init during the installation of a hardware device or within a device driver solely as necessary for making the hardware peripheral device functional.
      2. Access and use any of the Smartphone Software APIs solely to the extent necessary for the development of the device driver.
      3. Access the device hardware directly using means such as assembly code or direct memory manipulation solely to the extent necessary to make the hardware peripheral device functional.
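
A self-check for the registry restriction above, as an added example (not Microsoft's or GeoTrust's tooling): it flags keys under the listed HKLM locations in an installer's provisioning XML and applies the device-driver exception. The XML layout (a `Registry` characteristic with one nested characteristic per key), the function names and the sample are assumptions; it covers only registry writes declared at install time, not what the application does at run time.

```python
import xml.etree.ElementTree as ET

# Registry locations a privileged-signed application must not modify.
FORBIDDEN = ["HKLM\\Drivers", "HKLM\\Hardware", "HKLM\\Init",
             "HKLM\\Comm", "HKLM\\Security", "HKLM\\System"]
# Locations the exception reopens for publishers of device drivers.
DRIVER_EXEMPT = {"HKLM\\Drivers", "HKLM\\Hardware", "HKLM\\Init"}

def forbidden_root(key: str, driver_publisher: bool = False):
    """Return the restricted root that `key` falls under, or None."""
    head, sep, rest = key.strip("\\").partition("\\")
    if head.upper() == "HKEY_LOCAL_MACHINE":
        head = "HKLM"
    norm = (head + sep + rest).lower()
    for root in FORBIDDEN:
        # Match whole path components so HKLM\SystemTools is not HKLM\System.
        if norm == root.lower() or norm.startswith(root.lower() + "\\"):
            if driver_publisher and root in DRIVER_EXEMPT:
                return None  # still allowed only as needed to make the device work
            return root
    return None

def lint_provisioning(xml_text: str, driver_publisher: bool = False) -> list:
    """List (key, restricted root) for every flagged key the document writes."""
    findings = []
    for node in ET.fromstring(xml_text).iter("characteristic"):
        if node.get("type") != "Registry":
            continue
        for key in node.findall("characteristic"):
            root = forbidden_root(key.get("type", ""), driver_publisher)
            if root:
                findings.append((key.get("type"), root))
    return findings

# Constructed sample in the assumed provisioning-XML layout (not from the page).
SAMPLE = r"""<wap-provisioningdoc>
 <characteristic type="Registry">
  <characteristic type="HKLM\Software\ExampleApp"><parm name="A" value="1"/></characteristic>
  <characteristic type="HKLM\System\CurrentControlSet"><parm name="B" value="1"/></characteristic>
  <characteristic type="HKEY_LOCAL_MACHINE\Drivers\BuiltIn\X"><parm name="C" value="1"/></characteristic>
  <characteristic type="HKLM\SystemTools"><parm name="D" value="1"/></characteristic>
 </characteristic>
</wap-provisioningdoc>"""

if __name__ == "__main__":
    for key, root in lint_provisioning(SAMPLE):
        print(f"{key}: under restricted {root}")
```
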
  33. How do I obtain authorization for Nextel-Sprint Root signing services?
    To obtain privileged signing for the Nextel-Sprint signing service you will first need to enroll for SmartPhone Credentials. Once enrolled, you will then need to contact Nextel at: nextel@custhelp.com.

    Nextel-Sprint will supply prospective developers with instructions on how to submit an application, which will be evaluated for authorization to their signing services. Proper permission from Nextel-Sprint is required before any SmartPhone Credentials account can be updated and assigned Root signing access. For more information on their program, visit http://developer.sprint.com.
  34. Can I sign my applications for the Windows Mobile 5 operating system with your signing service?
    Yes, our Code Signing Credentials for Windows Mobile will allow you to sign applications for the Windows Mobile 5 OS on both Pocket PCs and Smartphones.