WM 5.0, Digital ID, Authenticode Signing, etc.

TheMSsForum.com: The Microsoft Software Forum

The product I'm working on requires privileged certificates, which I have on
order from VeriSign. I currently have access to unprivileged certificates.
These are called the ACS certificates. Even though I'm using them on PPC
products, I was told to purchase the SmartPhone certificates. OK, cool.

I tried signing a CAB file with one of these via the web-based VeriSign
Account Manager, and was successful. However I found on a WM 5.0 device, a
prompt comes up that says something like "warning this software comes from an
unknown publisher". I was expecting to at least see something that said "this
software comes from My Corporation, Inc.".

Do I have to purchase a second kind of certificate so that this prompt will
at least say the name of my company when I install the CAB on a WM 5.0
device? And if yes, do I need to learn a really complicated command line for
the signing tool so that I can have two certificates on the same binaries? Is
the "Microsoft Authenticode Digital ID" that VeriSign sells, that you can
sign with for a year on any product you have, for $400, the one I need?

Thanks,

Gary
Top

Re: WM 5.0, Digital ID, Authenticode Signing, etc. by Scott

Scott
Mon Aug 15 14:48:53 CDT 2005

If you're getting that prompt, it means the certificate does not chain up to
a root cert in one of the execution stores. Since we can't chain the
certificate up to a trusted source, we can't trust any info in the
certificate, so we don't show the user the publisher name.
If you have the right VeriSign certificates though, you shouldn't get that
prompt on most devices. I'm not sure if your ACS certs are the right ones or
not - did you go through the Mobile2Market program?

--
Scott Yost
Software Development Engineer/Test
Microsoft Corp.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
news:FB223754-2166-454C-9DDA-9D05C6245D0E@microsoft.com...
> The product I'm working on requires privileged certificates, which I have
> on
> order from VeriSign. I currently have access to unprivileged certificates.
> These are called the ACS certificates. Even though I'm using them on PPC
> products, I was told to purchase the SmartPhone certificates. OK, cool.
>
> I tried signing a CAB file with one of these via the web-based VeriSign
> Account Manager, and was successful. However I found on a WM 5.0 device, a
> prompt comes up that says something like "warning this software comes from
> an
> unknown publisher". I was expecting to at least see something that said
> "this
> software comes from My Corporation, Inc.".
>
> Do I have to purchase a second kind of certificate so that this prompt
> will
> at least say the name of my company when I install the CAB on a WM 5.0
> device? And if yes, do I need to learn a really complicated command line
> for
> the signing tool so that I can have two certificates on the same binaries?
> Is
> the "Microsoft Authenticode Digital ID" that VeriSign sells, that you can
> sign with for a year on any product you have, for $400, the one I need?
>
> Thanks,
>
> Gary


Top

Re: WM 5.0, Digital ID, Authenticode Signing, etc. by GaryCuevas

GaryCuevas
Mon Aug 15 16:03:03 CDT 2005

Yes,

M2M infomed us that we needed to get the ACS cert for the existing
SmartPhone 2003 from VeriSign, and that was the right one for Windows Mobile
5.0 PPC.

We are using a beta ROM from Dell. Could this be part of the issue?

Thanks,

Gary

"Scott Yost [MSFT]" wrote:

> If you're getting that prompt, it means the certificate does not chain up to
> a root cert in one of the execution stores. Since we can't chain the
> certificate up to a trusted source, we can't trust any info in the
> certificate, so we don't show the user the publisher name.
> If you have the right VeriSign certificates though, you shouldn't get that
> prompt on most devices. I'm not sure if your ACS certs are the right ones or
> not - did you go through the Mobile2Market program?
>
> --
> Scott Yost
> Software Development Engineer/Test
> Microsoft Corp.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
> news:FB223754-2166-454C-9DDA-9D05C6245D0E@microsoft.com...
> > The product I'm working on requires privileged certificates, which I have
> > on
> > order from VeriSign. I currently have access to unprivileged certificates.
> > These are called the ACS certificates. Even though I'm using them on PPC
> > products, I was told to purchase the SmartPhone certificates. OK, cool.
> >
> > I tried signing a CAB file with one of these via the web-based VeriSign
> > Account Manager, and was successful. However I found on a WM 5.0 device, a
> > prompt comes up that says something like "warning this software comes from
> > an
> > unknown publisher". I was expecting to at least see something that said
> > "this
> > software comes from My Corporation, Inc.".
> >
> > Do I have to purchase a second kind of certificate so that this prompt
> > will
> > at least say the name of my company when I install the CAB on a WM 5.0
> > device? And if yes, do I need to learn a really complicated command line
> > for
> > the signing tool so that I can have two certificates on the same binaries?
> > Is
> > the "Microsoft Authenticode Digital ID" that VeriSign sells, that you can
> > sign with for a year on any product you have, for $400, the one I need?
> >
> > Thanks,
> >
> > Gary
>
>
>
Top

Re: WM 5.0, Digital ID, Authenticode Signing, etc. by Scott

Scott
Tue Aug 16 13:23:13 CDT 2005

It all depends on whether or not your image ships with the M2M certs in the
code execution stores. You could use the Certificate CSP (documented in
MSDN) to query the stores to see if the VeriSign M2M roots are in there. If
the OEM/Operator has chosen to not ship the M2M roots, those devices will
not accept the signature on your app and the user will get prompted.
(assuming the device is configured to prompt)

--
Scott Yost
Software Development Engineer/Test
Microsoft Corp.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
news:90A55AA4-3ADE-4008-9503-8DE6D24D7060@microsoft.com...
> Yes,
>
> M2M infomed us that we needed to get the ACS cert for the existing
> SmartPhone 2003 from VeriSign, and that was the right one for Windows
> Mobile
> 5.0 PPC.
>
> We are using a beta ROM from Dell. Could this be part of the issue?
>
> Thanks,
>
> Gary
>
> "Scott Yost [MSFT]" wrote:
>
>> If you're getting that prompt, it means the certificate does not chain up
>> to
>> a root cert in one of the execution stores. Since we can't chain the
>> certificate up to a trusted source, we can't trust any info in the
>> certificate, so we don't show the user the publisher name.
>> If you have the right VeriSign certificates though, you shouldn't get
>> that
>> prompt on most devices. I'm not sure if your ACS certs are the right ones
>> or
>> not - did you go through the Mobile2Market program?
>>
>> --
>> Scott Yost
>> Software Development Engineer/Test
>> Microsoft Corp.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
>> news:FB223754-2166-454C-9DDA-9D05C6245D0E@microsoft.com...
>> > The product I'm working on requires privileged certificates, which I
>> > have
>> > on
>> > order from VeriSign. I currently have access to unprivileged
>> > certificates.
>> > These are called the ACS certificates. Even though I'm using them on
>> > PPC
>> > products, I was told to purchase the SmartPhone certificates. OK, cool.
>> >
>> > I tried signing a CAB file with one of these via the web-based VeriSign
>> > Account Manager, and was successful. However I found on a WM 5.0
>> > device, a
>> > prompt comes up that says something like "warning this software comes
>> > from
>> > an
>> > unknown publisher". I was expecting to at least see something that said
>> > "this
>> > software comes from My Corporation, Inc.".
>> >
>> > Do I have to purchase a second kind of certificate so that this prompt
>> > will
>> > at least say the name of my company when I install the CAB on a WM 5.0
>> > device? And if yes, do I need to learn a really complicated command
>> > line
>> > for
>> > the signing tool so that I can have two certificates on the same
>> > binaries?
>> > Is
>> > the "Microsoft Authenticode Digital ID" that VeriSign sells, that you
>> > can
>> > sign with for a year on any product you have, for $400, the one I need?
>> >
>> > Thanks,
>> >
>> > Gary
>>
>>
>>


Top

Re: WM 5.0, Digital ID, Authenticode Signing, etc. by Robert

Robert
Tue Aug 16 20:53:39 CDT 2005

You'll need to sign the CAB *and each EXE/DLL inside of it* in order for the
prompt to not appear.

--
-Robert Levy
Program Manager, Windows Mobile Developer Experience
http://blogs.msdn.com/windowsmobile


"Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
news:FB223754-2166-454C-9DDA-9D05C6245D0E@microsoft.com...
> The product I'm working on requires privileged certificates, which I have
> on
> order from VeriSign. I currently have access to unprivileged certificates.
> These are called the ACS certificates. Even though I'm using them on PPC
> products, I was told to purchase the SmartPhone certificates. OK, cool.
>
> I tried signing a CAB file with one of these via the web-based VeriSign
> Account Manager, and was successful. However I found on a WM 5.0 device, a
> prompt comes up that says something like "warning this software comes from
> an
> unknown publisher". I was expecting to at least see something that said
> "this
> software comes from My Corporation, Inc.".
>
> Do I have to purchase a second kind of certificate so that this prompt
> will
> at least say the name of my company when I install the CAB on a WM 5.0
> device? And if yes, do I need to learn a really complicated command line
> for
> the signing tool so that I can have two certificates on the same binaries?
> Is
> the "Microsoft Authenticode Digital ID" that VeriSign sells, that you can
> sign with for a year on any product you have, for $400, the one I need?
>
> Thanks,
>
> Gary


Top

Re: WM 5.0, Digital ID, Authenticode Signing, etc. by GaryCuevas

GaryCuevas
Thu Aug 18 14:43:16 CDT 2005

Thanks, Robert.

Maybe I'm an idiot.

Is that prompt that says the software comes from an "unknown publisher" not
designed to ever say anything else besides just that?

In other words, if I do it right, the result is always there is never any
prompt at all??? And if I do it wrong, it always says "unknown publisher"???

I apparently got that prompt to vanish entirely when the CAB and everything
inside was signed. Costs $$$ each time I try an experiment, doesn't it?

Is it possible to achieve the same using the less-costly Microsoft
Authenticode Digital ID, or is the ACS cert the only thing that does the
trick, assuming I don't need privileged access?

Gary

"Robert Levy [MS]" wrote:

> You'll need to sign the CAB *and each EXE/DLL inside of it* in order for the
> prompt to not appear.
>
> --
> -Robert Levy
> Program Manager, Windows Mobile Developer Experience
> http://blogs.msdn.com/windowsmobile
>
>
> "Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
> news:FB223754-2166-454C-9DDA-9D05C6245D0E@microsoft.com...
> > The product I'm working on requires privileged certificates, which I have
> > on
> > order from VeriSign. I currently have access to unprivileged certificates.
> > These are called the ACS certificates. Even though I'm using them on PPC
> > products, I was told to purchase the SmartPhone certificates. OK, cool.
> >
> > I tried signing a CAB file with one of these via the web-based VeriSign
> > Account Manager, and was successful. However I found on a WM 5.0 device, a
> > prompt comes up that says something like "warning this software comes from
> > an
> > unknown publisher". I was expecting to at least see something that said
> > "this
> > software comes from My Corporation, Inc.".
> >
> > Do I have to purchase a second kind of certificate so that this prompt
> > will
> > at least say the name of my company when I install the CAB on a WM 5.0
> > device? And if yes, do I need to learn a really complicated command line
> > for
> > the signing tool so that I can have two certificates on the same binaries?
> > Is
> > the "Microsoft Authenticode Digital ID" that VeriSign sells, that you can
> > sign with for a year on any product you have, for $400, the one I need?
> >
> > Thanks,
> >
> > Gary
>
>
>
Top

Re: WM 5.0, Digital ID, Authenticode Signing, etc. by Robert

Robert
Thu Aug 18 18:48:36 CDT 2005

That's right - the prompt either says "unknown publisher" or doesn't appear
at all.

For development purposes, you should use the test certs included in the SDK.
You only need to pay for signing when you're ready to deploy to end users.
Check out
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnppcgen/html/wmsecurity.asp
for details.

--

-Robert Levy
Program Manager, Windows Mobile Developer Experience
http://blogs.msdn.com/windowsmobile


"Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
news:A24E2A27-C05F-4B12-AA70-F1B60A12967E@microsoft.com...
> Thanks, Robert.
>
> Maybe I'm an idiot.
>
> Is that prompt that says the software comes from an "unknown publisher"
> not
> designed to ever say anything else besides just that?
>
> In other words, if I do it right, the result is always there is never any
> prompt at all??? And if I do it wrong, it always says "unknown
> publisher"???
>
> I apparently got that prompt to vanish entirely when the CAB and
> everything
> inside was signed. Costs $$$ each time I try an experiment, doesn't it?
>
> Is it possible to achieve the same using the less-costly Microsoft
> Authenticode Digital ID, or is the ACS cert the only thing that does the
> trick, assuming I don't need privileged access?
>
> Gary
>
> "Robert Levy [MS]" wrote:
>
>> You'll need to sign the CAB *and each EXE/DLL inside of it* in order for
>> the
>> prompt to not appear.
>>
>> --
>> -Robert Levy
>> Program Manager, Windows Mobile Developer Experience
>> http://blogs.msdn.com/windowsmobile
>>
>>
>> "Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
>> news:FB223754-2166-454C-9DDA-9D05C6245D0E@microsoft.com...
>> > The product I'm working on requires privileged certificates, which I
>> > have
>> > on
>> > order from VeriSign. I currently have access to unprivileged
>> > certificates.
>> > These are called the ACS certificates. Even though I'm using them on
>> > PPC
>> > products, I was told to purchase the SmartPhone certificates. OK, cool.
>> >
>> > I tried signing a CAB file with one of these via the web-based VeriSign
>> > Account Manager, and was successful. However I found on a WM 5.0
>> > device, a
>> > prompt comes up that says something like "warning this software comes
>> > from
>> > an
>> > unknown publisher". I was expecting to at least see something that said
>> > "this
>> > software comes from My Corporation, Inc.".
>> >
>> > Do I have to purchase a second kind of certificate so that this prompt
>> > will
>> > at least say the name of my company when I install the CAB on a WM 5.0
>> > device? And if yes, do I need to learn a really complicated command
>> > line
>> > for
>> > the signing tool so that I can have two certificates on the same
>> > binaries?
>> > Is
>> > the "Microsoft Authenticode Digital ID" that VeriSign sells, that you
>> > can
>> > sign with for a year on any product you have, for $400, the one I need?
>> >
>> > Thanks,
>> >
>> > Gary
>>
>>
>>


Top

Re: WM 5.0, Digital ID, Authenticode Signing, etc. by GaryCuevas

GaryCuevas
Thu Aug 18 19:14:02 CDT 2005

Thanks much - I understand now!

Gary

"Robert Levy [MS]" wrote:

> That's right - the prompt either says "unknown publisher" or doesn't appear
> at all.
>
> For development purposes, you should use the test certs included in the SDK.
> You only need to pay for signing when you're ready to deploy to end users.
> Check out
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnppcgen/html/wmsecurity.asp
> for details.
>
> --
>
> -Robert Levy
> Program Manager, Windows Mobile Developer Experience
> http://blogs.msdn.com/windowsmobile
>
>
> "Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
> news:A24E2A27-C05F-4B12-AA70-F1B60A12967E@microsoft.com...
> > Thanks, Robert.
> >
> > Maybe I'm an idiot.
> >
> > Is that prompt that says the software comes from an "unknown publisher"
> > not
> > designed to ever say anything else besides just that?
> >
> > In other words, if I do it right, the result is always there is never any
> > prompt at all??? And if I do it wrong, it always says "unknown
> > publisher"???
> >
> > I apparently got that prompt to vanish entirely when the CAB and
> > everything
> > inside was signed. Costs $$$ each time I try an experiment, doesn't it?
> >
> > Is it possible to achieve the same using the less-costly Microsoft
> > Authenticode Digital ID, or is the ACS cert the only thing that does the
> > trick, assuming I don't need privileged access?
> >
> > Gary
> >
> > "Robert Levy [MS]" wrote:
> >
> >> You'll need to sign the CAB *and each EXE/DLL inside of it* in order for
> >> the
> >> prompt to not appear.
> >>
> >> --
> >> -Robert Levy
> >> Program Manager, Windows Mobile Developer Experience
> >> http://blogs.msdn.com/windowsmobile
> >>
> >>
> >> "Gary Cuevas" <GaryCuevas@discussions.microsoft.com> wrote in message
> >> news:FB223754-2166-454C-9DDA-9D05C6245D0E@microsoft.com...
> >> > The product I'm working on requires privileged certificates, which I
> >> > have
> >> > on
> >> > order from VeriSign. I currently have access to unprivileged
> >> > certificates.
> >> > These are called the ACS certificates. Even though I'm using them on
> >> > PPC
> >> > products, I was told to purchase the SmartPhone certificates. OK, cool.
> >> >
> >> > I tried signing a CAB file with one of these via the web-based VeriSign
> >> > Account Manager, and was successful. However I found on a WM 5.0
> >> > device, a
> >> > prompt comes up that says something like "warning this software comes
> >> > from
> >> > an
> >> > unknown publisher". I was expecting to at least see something that said
> >> > "this
> >> > software comes from My Corporation, Inc.".
> >> >
> >> > Do I have to purchase a second kind of certificate so that this prompt
> >> > will
> >> > at least say the name of my company when I install the CAB on a WM 5.0
> >> > device? And if yes, do I need to learn a really complicated command
> >> > line
> >> > for
> >> > the signing tool so that I can have two certificates on the same
> >> > binaries?
> >> > Is
> >> > the "Microsoft Authenticode Digital ID" that VeriSign sells, that you
> >> > can
> >> > sign with for a year on any product you have, for $400, the one I need?
> >> >
> >> > Thanks,
> >> >
> >> > Gary
> >>
> >>
> >>
>
>
>
Top