Re: Signing corporate applications .. problem again



On Jun 14, 10:43 am, "Steve B." <steve_bea...@xxxxxxxxxxxx> wrote:
Hi,

According to one of my previous posts, I have to add certificates to stores in
the device using an autorun.exe.

Using this autorun.exe, I added a custom corporate certificate in the Root,
CA, SPC, Unprivileged and Privileged stores (not sure if all are required).

Later in the execution of the autorun.exe process, I run wceload.exe /silent
/noaskdest /delete 0 "mycabfile.cab" in order to deploy the app.
This cab file is signed with the certificate that is added in the stores.
However, when the wceload.exe command is run, nothing happens and the
ExitCode result of this execution is 0x80070005.
If I manually execute the cab file, I get the warning prompt about the
not-known publisher. If I accept to install the cab file here, and I run the
autorun.exe again, the file installs this time, the exit code is 0 (ok).

These clues let me think that even if my certificate is in the correct
stores, it is still not recognized correctly...

Does anyone have an idea how I can correct this?
Thanks,

Steve

Hi Steve,

I'm not sure if this will help, but I'll describe how I've done this
in the past. Our methods differ a little in that I used a CAB file to
install my custom certificate and I used ActiveSync's ceappmgr.exe
(which in turn kicks off wceload.exe on the handheld) to unpack my CAB
files (I had two CAB files, one with my custom cert and one with my
application.)

You should only need to add your custom certificate to the "Privileged
Execution Trust Authorities" certificate store and the Software
Provider (SPC) certificate store.


First, in order to add my custom cert to the PETA cert store and the
SPC cert store I created a CAB that contained my custom certificate. I
added my custom certificate to the cab by using provision xml (the
provisional xml file must be named _setup.xml). Unfortunately cabwiz
won't let you create an empty CAB without any files, so I had to add
a dummy text file to this CAB. The steps for doing this are outlined
in this document:

http://www.codeproject.com/useritems/signcode.asp

Microsoft's site has another example of what the provisional xml would
look like, but use the format in the Code Project link above instead:
http://msdn2.microsoft.com/en-us/library/ms834686.aspx

I then created another CAB file which held my application and
libraries. I signed each binary in the CAB file with my custom
certificate and then signed the actual CAB file with my custom
certificate. You must sign each binary within the CAB file *and* the
CAB file using signcode.exe in order to avoid the "Unknown Publisher"
message.

I then wrote a custom install that kicked off ceappmgr on the desktop
to install my custom cert CAB. When the CAB file is unpacked on the
handheld, wceload looks for the provisional _setup.xml in the CAB and
kicks it off, installing my custom cert to the PETA and the SPC. If
your CAB is signed with a Root certificate authority then you will not
get an "Unknown Publisher" warning when you do this, however if it is
not signed then you will get the message; this will be the only time
you will get that message though.

I then call ceappmgr again (you can actually pass in both CAB files to
ceappmgr in one call, but you have to make sure that your custom cert
CAB's name is alphabetically ordered to be before the name of your
application CAB, this is because wceload on the handheld installs the
CABs in alphabetical order and you want your cert CAB to be installed
before your application CAB... anyway, I wouldn't recommend relying
on that since you never know when they might change wceload's
behavior.) Anyway, I call ceappmgr again and pass in my application
CAB. This CAB does not display the message since it and all of its
binaries have been signed with your custom cert.

Ok, that said, your autorun.exe should work the same way, except
you're using an exe and not a CAB to install your custom cert. I'm not
sure why wceload isn't doing anything when you call it, but maybe this
will give you some ideas.

-Scott
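
Added example (not part of the original thread and not Scott's code): a Python generator for the `_setup.xml` that the reply describes, placing one certificate in the "Privileged Execution Trust Authorities" and SPC stores. Assumptions: the element and parm names (`wap-provisioningdoc`, `CertificateStore`, `EncodedCertificate`, optional `Role`) follow the Windows Mobile CertificateStore configuration service provider, the entry key is the lowercase hex SHA-1 thumbprint of the DER certificate, and the sample bytes are constructed placeholders rather than a real certificate.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PETA = "Privileged Execution Trust Authorities"  # store names as given in the reply
SPC = "SPC"

def to_der(cert_bytes):
    """Accept a DER or PEM certificate and return the raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  cert_bytes, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return cert_bytes

def thumbprint(cert_bytes):
    """SHA-1 over the DER encoding; assumed here to be the store entry key."""
    return hashlib.sha1(to_der(cert_bytes)).hexdigest()

def build_setup_xml(cert_bytes, stores=(PETA, SPC), spc_role=None):
    """Return provisioning XML adding the certificate to each named store."""
    der = to_der(cert_bytes)
    if not der or der[0] != 0x30:  # a certificate is an ASN.1 SEQUENCE
        raise ValueError("input is not a DER or PEM certificate")
    encoded = base64.b64encode(der).decode("ascii")
    doc = ET.Element("wap-provisioningdoc")
    root = ET.SubElement(doc, "characteristic", type="CertificateStore")
    for store in stores:
        store_el = ET.SubElement(root, "characteristic", type=store)
        entry = ET.SubElement(store_el, "characteristic", type=thumbprint(der))
        ET.SubElement(entry, "parm", name="EncodedCertificate", value=encoded)
        # Role mask on the SPC entry is an assumption; the value is device policy.
        if store == SPC and spc_role is not None:
            ET.SubElement(entry, "parm", name="Role", value=str(spc_role))
    return ET.tostring(doc, encoding="unicode")

# Constructed placeholder input, NOT a real certificate (header says 266 bytes).
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256)) + bytes(10)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("thumbprint:", thumbprint(SAMPLE_PEM))
    print(build_setup_xml(SAMPLE_PEM))
```

Compare the printed thumbprint with the one your signing tooling reports for the certificate before packaging the CAB, since any certificate placed in the privileged store is trusted for privileged execution on the device.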

