Signed .CAB results in "Unknown publisher" on windows mobile 6.5 - windows-mobile-6.5

I have purchased a certificate from http://www.ksoftware.net/ which I use to sign a .CAB file used for installation of our software on windows mobile 6.5 devices. However, even after signing the .CAB, when attempting to install the application on the device (via the CAB) the device alerts "Unknown publisher". These CAB files are downloaded from a webservice and are supposed to be installed automatically using wceload and its silent install options, but this fails since the CAB is not recognized as signed (once I have manually installed a particular CAB file, wceload will succeed for that CAB in the future).
Initially I only had the certificate set in the visual studio 2008 deployment properties, and the applications signing properties. I also tried using signtool.exe, and thereafter cabsigntool.exe to sign all the other files in the CAB too. None of these methods work. When checking the CAB's properties in Windows 7, the file does have a security certificate attached, but any attempt to install on the device gives the annoying "unknown publisher" popup box.
Is there anything I am missing? What could be causing the devices to still see the CAB files as unsigned? The signing does not seem to work with plain exe's either.
Please note I do know the security settings can be changed in order for the prompt not to come up, but I am interested in solving the security certificate problem.

I assume the root certificate of the sign is not know on the device:
Did you verify that the certs are WindowsMobile compatible?

Related

Windows MS signed filter driver doesn't load on Win 7 x64 after updating driver to build with VS2019 / WDK 22000

I recently took on a task to update our filter driver from building with Visual Studio 2015 -> 2019. I also moved to the latest SDK + WDK 22000 (Which is the new Windows 11 one).
Everything seemed to work except that on Win 7 x64 (with secure boot) boxes the driver no longer loads.. It get's:
Load failed with error: 0x80070241
Windows cannot verify the digital signature for this file. A recent hardware or
software change might have installed a file that is signed incorrectly or damaged,
or that might be malicious software from an unknown source.
Our driver was/is attestation signed by Microsoft via the MS Hardware portal and so it's joint signed by both our company and Microsoft with a SHA-2 signature each. Windows 7 doesn't support SHA-2 certs out of the box however, it was previously working provided:
Windows6.1-KB3033929-x64
Was installed. Something seems to have changed though and Windows 7 x64 boxes can't load the new driver even with the latest updates. They load the 2015 built driver just fine even though the certificates on both look identical. The new driver loads just fine on Windows 10 machines.
Is anyone aware of any other changes which might make this combination fail to load?
I had a similar issue a few months ago, when we decided to switch our certificate provider. I'll share my knowledge to you, hope that going to help.
A while ago, Microsoft used cross-certificates to validate trusted certificate authorities (CA), so the only thing you needed to sign a driver is a proper certificate bought from a trusted CA. But recently validating process had changed and starting from Windows 10 20H2 you are forced to sign your driver through Microsoft Partner Center and all the cross-certificates was deprecated. However, you still need to use cross sign process for all your drivers prior to Windows 10, actually cross signed driver will work up to Windows 10 20H1 if to be correct.
Now back to the Visual Studio. To properly sign driver, you had to set up production certificate to field Properties -> Driver Signing -> General -> Production Certificate, that causes Visual Studio to use signtool utility to sign driver after the build done. As I presume, Visual Studio 2019 process do not use cross-certificate and looks something like:
signtool sign /v <trusted_certificate> /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a <sys_driver_filepath>
But Visual Studio 2013 actually must use cross-certificate and the command it uses is:
signtool sign /v /ac <microsoft_cross_certificate> /tr http://timestamp.digicert.com /a <sys_driver_filepath>
So what is cross-certificate is? It's a special trusted Microsoft certificate that tied to certified CA. List of all the cross-certificates available can be found here https://learn.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing#cross-certificate-list. To take the correct one you need to check your company certificate first. Take a look into root of certification path of your cert, open View Properties -> Details and find Issuer, that's your CA. Now you need to find exact match on cross-certificate list and download it. Note the thumbprint doesn't need to match (revealed in related issue). After all use a proper signtool command to sign your file.
P.S. If your certificate issuer not present on the list, that means your CA inappropriate and you need to get/buy another certificate.

Strange Clickonce signing behaviour

So I built an Outlook VSTO Add-in, and in visual studio on the signing page selected a valid certificate which was bought from a Cert Authority. When I publish the add-in, it all works fine and the installer is trusted.
Here's where it gets weird - When I zipped and emailed it to a colleague they found that the application had an unknown publisher. So I downloaded it from the email I sent them on my pc (the one I built the app with) and sure enough the certificate seemed to be untrusted. Zipping and unzipping the files that I already had locally worked fine and the app was trusted, but the exact same file taken from my email is untrusted.
I'm completely baffled, don't even know how to start googling this issue - anyone got any ideas?
Figured out the answer for anyone else that runs into this problem.
The hash used by VS when creating a clickonce application is SHA1 (yes, even with VS2019), but SHA1 was depreciated by MS in 2017, meaning anything signed using it is not trusted by later versions of office. Thus you have to publish an unsigned clickonce application with Visual Studio, and then use the "Developer Command Prompt for VS" to sign the .exe with the cert using SHA265.

Do I need OV or EV code signing certificate when packaging a classic desktop application for the Windows Store?

I want to add a desktop (WPF) application to the Windows Store using the Desktop Bridge (MakePri, MakeAppx). I have tested my build process using a self-sign certificate and all is well.
However, I cannot find any information stating whether I need an Extended Validation (EV) certificate or if an Organization validated (OV) certificate is sufficient. I know an OV certificate can cause SmartScreen warnings for installer .msi packages.
I also found old links (relating to Windows 8 apps) which say that the store does not use SmartScreen. But I cannot find anything relating to Windows 10 desktop apps packaged via the Desktop Bridge.
Will an OV certificate cause SmartScreen warnings when my converted application is downloaded from the store?
You don't need to use a valid certificate to publish your app to the Store. You just need to sign it with a test certificate. When you upload it to dev. center, it will be signed by Microsoft to be distributed through the Store.
I couldn't find a documentation that clarifies this, just saying it by my own experience. There are some notes here:
To test your app in a realistic setting as you prepare for
distribution, it's best to sign your app and then install it.
Visual Studio signs your app by using a test certificate. You'll find
that certificate in the output folder that the Create App Packages
wizard generates. The certificate file has the .cer extension and
you'll have to install that certificate into the Trusted Root
Certification Authorities store on the PC that you want to test your
app on.
Also if you use the new update of Visual Studio, you can create Desktop Bridge apps and publish them to the Store entirely through Visual Studio using the Windows Application Package project. It means you don't need to manually pack and sign it, VS does it for you.
Edit
Your users do not see an Smart Screen anyways. It makes sense since your app cannot run with administrator privileges. If your app needs a functionality that requires admin privileges, you need to consider it before moving forward.

Certificate is not trusted. Application's installer sometimes works correctly and others fails

I have an application in a test environment and when I install it in my computer all work correctly, but when others users installs it some of them works and others fails. When it fails, it displays this error: customized functionality in this application will not work because the certificate used to sign the deployment manifest for appname o its locations is not trusted. Contact your administrators for further assistance.
In addition, I created a test certificate, using visual studio 2015, to sing the application. The application is an add-in using VSTO.
The app is downloaded from a web server into my company, also it uses two web services.
Here is a photo of the error
Get a proper certificate or install the certificate you used onto the computers that you want this app to trust. The whole concept of having to sign the cert is to prevent accidental installations of untrusted applications. In order for that to work the machines you're installing to need to first trust the cert.
You will need a Code Signing certificate and sign the Click-Once package using that cert. You may still need to distribute the trusted cert to the machines somehow (depending on how those are setup).

signing assemblies on windows mobile device

HI
I have created an application for my windows mobile 6.0 device and I need to sign it so that the user can download updates without having to select that they trust the publisher
I'm not entirely sure what I'm doing here but I created the following files on the command line
.pfx using pvk2pfx
.spc using cert2spc
.cer using makecert
.pvk using makecert
and signed all the dll's and exe in my application using signtool sign
I then copied the certificates to my mobile device clicked on them and installed them
then copied my signed assemblies to the device but when I run the application I'm still being asked if I wish to run the application from an unknown and untrusted publisher
if anybody has any suggestions on how to get this working I'd be very grateful
Thanks
colm
Take the certificate that you've signed the application with and place it in the trusted store on the device.
Assuming you're using Visual Studio you can run the Device Security Manager, which will allow you to easily install the certificate on the device.
Note that you only need to place the .cer file, not the entire .pfx on the device.

Resources