locked
Windows CE 6.0 security and signed cab files RRS feed

  • Question

  • I have a CE 6.0 device that will be operating without user intervention - effectively headless. There is an auto-updater application that downloads an update cab file and then calls wceload.exe to install with all command line switches for a silent install (/noaskdest /noui). If I run the installer from a command prompt it works fine and the application is overwritten but if the installer is called by the application it will not install. The application being updated is not running when the update is attempted.

    From everything I have read, there is a possibility that the /noui switch will not automatically answer "yes" if the cab file is unsigned. I am therefore trying to sign the cab file using one of the development certificates supplied with Visual Studio but I am completely stumped when it comes to getting the certificate loaded onto the device. I have the Cryptography Services including Personal Information Exchange Standard included in the build but the Control Panel Certificate application is of no use and the Device Security Manager in VS2008 is unable to  provision the device ("Target Device Platform does not support configuration management").

    Can anyone confirm that wceload (or CE 6.0) is smart
    enough to know that the installer was called from an application and invoke security measures to prevent the installation and/or suggest a way around this problem?
    Wednesday, July 30, 2008 8:57 PM

Answers

  • Update:

    I found the source of the problem. The updater application uses system.reflection to get the version of the file to be updated but does not release the file until the updater terminates, even though the references to the file are dropped before wceload is called. wceload thinks that the application (to be updated) is in use and will not overwrite.

    I have changed things around so that the updater can terminate before wceload is called and this has resolved the problem.

    Thanks for your assistance, I would probably still be chasing down security issues if not for your help!
    Thursday, July 31, 2008 3:42 PM

All replies

  • Window CE does not support signed CAB files and would refuse to install them as it considers them invalid.

     

    There are also no security prompts on CE device, it's WM only feature (though it can be implemented on CE by OEM for EXEs).

    Wednesday, July 30, 2008 9:33 PM
  • Thanks, I had found that it would not install a signed cab though I assumed it was because there was no corresponding certificate installed.

    Do you have any idea why the installation fails when called from an application but succeeds when run from a command line - using the same switches?
    Wednesday, July 30, 2008 9:59 PM
  • I would guess these command lines are not actually the same.

    Wednesday, July 30, 2008 10:14 PM
  • As entered at command prompt:

    wceload /noaskdest /delete 1 /noui \download.cab     

    As called from application:

    cabfile = @"\download.cab";

    ProcessInfo pi = new ProcessInfo();
    int r = CreateProcess("wceload.exe","/noaskdest /delete 1 /noui " + cabfile, IntPtr.Zero, IntPtr.Zero, 0, 0, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, pi);

    I can't see the difference.... so I remain stumped. Strangely, when the cab file installed to a different folder (that was not the real application so it just tested the process of checking for update, closing and restarting application afterwards) it worked. The only difference is the installation folder has changed.

    Thanks
    Wednesday, July 30, 2008 10:36 PM
  • Do you wait for WCELOAD to exit in your code? Is updater application in the CAB?

    Wednesday, July 30, 2008 11:21 PM
  • Yes and no. The updater application waits for wceload to exit before continuing. The cab file does not include the updater files so it does not attempt to update a running process.

    I'm trying to change this to use system.diagnostics.process to run a batch file to see if this works but it will be harder to know if the updater succeeded or not.
    Wednesday, July 30, 2008 11:30 PM
  • Update:

    I found the source of the problem. The updater application uses system.reflection to get the version of the file to be updated but does not release the file until the updater terminates, even though the references to the file are dropped before wceload is called. wceload thinks that the application (to be updated) is in use and will not overwrite.

    I have changed things around so that the updater can terminate before wceload is called and this has resolved the problem.

    Thanks for your assistance, I would probably still be chasing down security issues if not for your help!
    Thursday, July 31, 2008 3:42 PM
  •  

    Hi Sir,

     

    I am trying to do same thing for my roject. I have CAB file of my application. i need to install into windows CE device.

     

    Can you please send me your updater Application to my id ramak.reddy@hotmail.com.

     

     

    Regards,

    Rama

     

     

    Monday, September 15, 2008 8:29 PM