Bypass code signing requirements on Windows Mobile 5/6

Question

Is there a way to bypass the code signing requirements for cabs and exe's on Windows Mobile 5 and 6? I want to install my own applications without having to pay Verisign or Geotrust for code signing. Is there a registry key that needs to be changed?

Answer 1

In general you only need signed apps if

i) you are attempting to use API's/functionality that is protected/restricted to apps that are signed

and/or

ii) the distribution mechanism you choose to use requires signed apps.

So for WM 5+6 
If you want to distribute your own apps there is no requirement to code sign. Users will get the 'This apps is untrusted' on install

However
If you want to use the Microsoft WM MarketPlace to distribute apps, MS have mandated apps be signed.

As it happens, part of the WM 6.5 functionality a WM MarketPlace app is required to have is a big PNG based icon. For this icon to be displayed correctly you have to set a 'protected' registry entry. Apps need to be signed for this to work. But since apps need to be signed to be in WM MarketPlace it does not really make much difference.

Answer 2

Thanks for the reply. But if I have a cab file that is installed by another setup program the user will never see that 'untrusted app' message. I was hoping that there's an easy way to disable the code signing requirement.

Answer 3

There are few ways to accomplish this.

First one is through hex editor. You just need one certified cab, bit of hex reading abilities and an ability to fix checksums.

All You need to do is to copy and paste a bit of hex code from one cab to another.

After You manage to do it, You need to fix cab checksums or WM will see it as an invalid file (size written is not equal to it's real size).

Second approach is to certify one app that will just make few basic registry changes in HKLM\Security\Policies\Policies and install cab which name is placed in apps resources. You can edit resource via ResHack program, so that it will install every cab needed :).

There are a lot of holes in this naive security system. 

You just need to have more experience with WM.

---

If You'll find my answer satisfactory or helpful - mark it as answered or vote for it! Thank You.
"If You think You know better then me, why is Your code not working, then don't waste my time at this forum. Otherwise - do as I'm suggesting."

Answer 4

so is there any difference between code signing & Marketplace signing. can i go for Marketplace signing without doing code signing .

Answer 5

In answer to your original question, Windows Marketplace for Mobile takes care of your code signing. If your app is approved, provided you paid the $99 subscription fee, you do not need to have your cab signed by Geo Trust, VeriSign or anyone else. This is true for Windows Mobile 6/6.1/6.5

The Windows Marketplace for Mobile does not and will not (according to documentation) support Windows Mobile 5.0  If you intend to create and sell Windows Mobile 5.0 applications, you will need to have them signed independently for your own protection, but you can sell them at the usual channels that you have been using. Also code signing under this scenario is beneficial for the reasons stated by bbjbbj.

Since this thread is under Windows Marketplace I am deducing that this may be your intention. Hope this helps.

Answer 6

Hi Dribblegirl, i was looking for Windows Mobile 6/6.1/6.5 only. thanks for clarification.

Answer 7

So, Dribblegirl. I have a few questions:

What does it take for an app to be approved?
Is the $99 subscription fee annual or monthly?
Is it the whole app that would be covered under this cost, including the dll's?

Answer 8

Hi RaduAdrian,


1)

• Testing to ensure that the application meets the technical standards of the Marketplace Application Submission Criteria .
• Code signing with a normal or privileged mode Microsoft Windows Mobile certificate.
• Policy checking, which includes validating that the application fits into an approved application category.
• Geographic market validation to ensure that the app can be sold in the selected market.

Once these four criteria are met, your application has passed the certification process and can be sold through Windows Marketplace for Mobile .

2) Annual .

3)  Your annual subscription allows you to access and manage your account with Windows Marketplace for Mobile , which includes access to your Developer Dashboard and the sales processing of your apps. If you cancel your subscription, your applications would be removed from Windows Marketplace for Mobile since you would be without the ability to manage your account, submissions, and sales.

 

Thanks,

Gouse