When Good Signatures Go Bad – Part 1

Okay, I promised this would be my next blog post, but I had to push the security primer first to help get us here. Hopefully that post clarifies some of the concepts that are important to this one. It seems like I get a lot of questions once people start signing code with dev or Mobile2Market signatures. They usually come in the form of one of these key issues:

1) Trying to verify if a device has Mobile2Market or developer certificates installed on it

2) Is an application/CAB properly signed?

3) Does WM6, WM5, and WM2003 honor the same M2M signatures?

 

Let’s say you signed your code and are still getting “unsigned publisher” errors when you install or run it. This typically means either that your code is not signed properly or that it has been signed with certificates that are not honored on the device.

 

How do I know Mobile2Market or developer certificates are installed on a device I’m testing with?

Mobile2Market certs are included on our emulators and on nearly every retail Windows Mobile device out there, with a few exceptions, so 99% of the time they are there. Our SDK developer certificates are on all of our emulator images. If you are using a retail device, you have to manually install the developer certs, typically using the SDKCERTS.CAB included with our WM SDKs. Pay attention and make sure the install succeeds, because you can’t provision some 2-tier devices (WM6 Standard Edition / WM5 Smartphone Platform).

 

Okay, so you know when the certs are supposed to be there. How do you actually check the device (or emulator)? The easiest way to identify a cert is by its thumbprint. If you know the thumbprint of the cert you are looking for, it’s not that hard to verify. To make this easier, I've included the M2M cert thumbprints below (these should match the M2M certs installed on a device) for the corresponding Privileged, Unprivileged, and SPC cert stores.

 

Verisign M2M Unpriv thumbprint is: C06E95210F109DA105B6AA4A8C9F04F3F7D10211

Verisign M2M Priv thumbprint is: 802F0BA13A4A3D362DA1CC348EFC59B92B5A9067

 

Geotrust M2M Unpriv thumbprint is: B2A44C4D48FD9516B46390B9F621289DA0F3A365

Geotrust M2M Priv thumbprint is: 531700A6149352AC4BABB4E0BED893926C5515E9

 

Baltimore M2M Unpriv thumbprint is: 140AFE42C7AE2A2DBFF67A3A59CD2C5262D84A1A

Baltimore M2M Priv thumbprint is: 4A5A4FBABABA1112D49FB0C28463C53CB111F9BE

 

In other words, if you query the cert stores using the CertificateStore CSP, you should find all the M2M certs in the data it hands back to you:

<wap-provisioningdoc>
    <characteristic type="CertificateStore">
        <characteristic-query type="Privileged Execution Trust Authorities" />
        <characteristic-query type="Unprivileged Execution Trust Authorities" />
        <characteristic-query type="SPC" />
    </characteristic>
</wap-provisioningdoc>
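As an added example (not code from the original post), here is a small Python script that takes the XML a CertificateStore CSP query hands back and checks each store against the M2M thumbprints listed above. It assumes, as a constructed layout, that each certificate is returned as a nested characteristic whose type attribute is its thumbprint with an EncodedCertificate parm beneath it; the sample response is constructed and deliberately omits one root.

```python
import xml.etree.ElementTree as ET

# Mobile2Market root thumbprints listed in the post, keyed by cert store name.
M2M_THUMBPRINTS = {
    "Unprivileged Execution Trust Authorities": {
        "Verisign": "C06E95210F109DA105B6AA4A8C9F04F3F7D10211",
        "Geotrust": "B2A44C4D48FD9516B46390B9F621289DA0F3A365",
        "Baltimore": "140AFE42C7AE2A2DBFF67A3A59CD2C5262D84A1A",
    },
    "Privileged Execution Trust Authorities": {
        "Verisign": "802F0BA13A4A3D362DA1CC348EFC59B92B5A9067",
        "Geotrust": "531700A6149352AC4BABB4E0BED893926C5515E9",
        "Baltimore": "4A5A4FBABABA1112D49FB0C28463C53CB111F9BE",
    },
}

def normalize(thumbprint):
    # Thumbprints are hex strings; compare without regard to case or spacing.
    return "".join(thumbprint.split()).upper()

def parse_cert_stores(xml_text):
    # Returns {store name: set of thumbprints}. Assumes (constructed layout) that each
    # cert comes back as a nested <characteristic> whose type attribute is its thumbprint.
    stores = {}
    root = ET.fromstring(xml_text)
    for store in root.findall(".//characteristic[@type='CertificateStore']/characteristic"):
        stores[store.get("type")] = {normalize(c.get("type", "")) for c in store.findall("characteristic")}
    return stores

def missing_m2m_certs(stores):
    # (store, vendor) pairs whose Mobile2Market root is absent; an empty list means all present.
    return [(store, vendor) for store, vendors in M2M_THUMBPRINTS.items()
            for vendor, thumb in vendors.items() if thumb not in stores.get(store, set())]

# Constructed sample response: Unprivileged store complete, Privileged store lacks Baltimore.
SAMPLE_RESPONSE = """<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="Unprivileged Execution Trust Authorities">
<characteristic type="c06e95210f109da105b6aa4a8c9f04f3f7d10211"><parm name="EncodedCertificate" value="(omitted)"/></characteristic>
<characteristic type="B2A44C4D48FD9516B46390B9F621289DA0F3A365"><parm name="EncodedCertificate" value="(omitted)"/></characteristic>
<characteristic type="140AFE42C7AE2A2DBFF67A3A59CD2C5262D84A1A"><parm name="EncodedCertificate" value="(omitted)"/></characteristic>
</characteristic>
<characteristic type="Privileged Execution Trust Authorities">
<characteristic type="802F0BA13A4A3D362DA1CC348EFC59B92B5A9067"><parm name="EncodedCertificate" value="(omitted)"/></characteristic>
<characteristic type="531700A6149352AC4BABB4E0BED893926C5515E9"><parm name="EncodedCertificate" value="(omitted)"/></characteristic>
</characteristic>
<characteristic type="SPC"/>
</characteristic>
</wap-provisioningdoc>"""
```

Calling missing_m2m_certs(parse_cert_stores(SAMPLE_RESPONSE)) on the sample returns [('Privileged Execution Trust Authorities', 'Baltimore')], which is exactly the case that produces an “unsigned publisher” error for privileged code signed under the Baltimore root.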

 

While the CSP is probably the “best” way to validate a certificate against a thumbprint, it’s easier just to look in the registry in a few strategic places:

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Unprivileged Execution Trust Authorities\Certificates]

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Privileged Execution Trust Authorities\Certificates]

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\SPC\Certificates]

 

If the certs have been added to the device, you will find a registry key named with the cert’s thumbprint under each of these locations.

 

 

To be continued…

Comments

  • Anonymous
    September 10, 2007
    Windows Mobile developers can use the Device Security Manager to configure a device's security settings. These security settings are applied when an application is installed and run on a Windows Mobile device or emulator. These settings determine whether an unsigned...

  • Anonymous
    September 10, 2007
    Windows Mobile developers can use the Device Security Manager to configure a device's security policy. These security policies are applied when an application is installed and run on a Windows Mobile device or emulator. This article describes how to use the Device Security Manager that ships with Visual Studio 2008 Beta2.

  • Anonymous
    June 23, 2008
    Over the years, I’ve delivered several “Top 10” sessions and called them different