signing assemblies on windows mobile device - windows

Hi,
I have created an application for my Windows Mobile 6.0 device and I need to sign it so that the user can download updates without having to select that they trust the publisher.
I'm not entirely sure what I'm doing here, but I created the following files on the command line:
.pfx using pvk2pfx
.spc using cert2spc
.cer using makecert
.pvk using makecert
and signed all the DLLs and the exe in my application using signtool sign.
I then copied the certificates to my mobile device, clicked on them and installed them,
then copied my signed assemblies to the device, but when I run the application I'm still being asked if I wish to run the application from an unknown and untrusted publisher.
If anybody has any suggestions on how to get this working I'd be very grateful.
Thanks
colm

Take the certificate that you've signed the application with and place it in the trusted store on the device.
Assuming you're using Visual Studio you can run the Device Security Manager, which will allow you to easily install the certificate on the device.
Note that you only need to place the .cer file, not the entire .pfx on the device.

Related

Do I need OV or EV code signing certificate when packaging a classic desktop application for the Windows Store?

I want to add a desktop (WPF) application to the Windows Store using the Desktop Bridge (MakePri, MakeAppx). I have tested my build process using a self-signed certificate and all is well.
However, I cannot find any information stating whether I need an Extended Validation (EV) certificate or if an Organization validated (OV) certificate is sufficient. I know an OV certificate can cause SmartScreen warnings for installer .msi packages.
I also found old links (relating to Windows 8 apps) which say that the store does not use SmartScreen. But I cannot find anything relating to Windows 10 desktop apps packaged via the Desktop Bridge.
Will an OV certificate cause SmartScreen warnings when my converted application is downloaded from the store?
You don't need to use a valid certificate to publish your app to the Store. You just need to sign it with a test certificate. When you upload it to Dev Center, it will be signed by Microsoft to be distributed through the Store.
I couldn't find documentation that clarifies this; I'm just saying it from my own experience. There are some notes here:
To test your app in a realistic setting as you prepare for distribution, it's best to sign your app and then install it. Visual Studio signs your app by using a test certificate. You'll find that certificate in the output folder that the Create App Packages wizard generates. The certificate file has the .cer extension and you'll have to install that certificate into the Trusted Root Certification Authorities store on the PC that you want to test your app on.
Also if you use the new update of Visual Studio, you can create Desktop Bridge apps and publish them to the Store entirely through Visual Studio using the Windows Application Package project. It means you don't need to manually pack and sign it, VS does it for you.
Edit
Your users do not see SmartScreen anyway. It makes sense since your app cannot run with administrator privileges. If your app needs functionality that requires admin privileges, you need to consider it before moving forward.

Difference between package signing and code signing

Using VS2013 and Windows 8.1
I have a .cer and .pfx file bought from Verisign. I am new to store apps. I have a couple of questions.
What is the difference between signing the package and code signing (done using the VS 2013 packaging tab of Package.appxmanifest)?
My understanding so far:
(a) I guess this is similar to using the signtool.exe tool, right?
(b) Both will install the public key (.cer) to the certificate store (mmc) and sign the appx with the private key (.pfx), so would I need to manually install the .cer file on the live machines in order to install my app?
(c) Code signing is done in order to ensure the code has not been tampered with, but do we need to do this for the main store app and all other components that are part of a different project (.dll)?
Do we need both package and code signing in order to publish store apps on a client machine?
I can't use the same .pfx used for package signing for code signing because of some chaining information. Is this how it is supposed to be, using a different .pfx for each? Is this the normal way?
For the regular Windows Store apps:
You don't need to sign windows store apps manually.
No. Windows Store will sign the package automatically.
Code signing is for Windows Classic apps or drivers and not for Windows Store apps.
For the sideloaded apps:
Windows Store enterprise apps can be signed by any certification authority that is trusted on your PCs (where the app will be installed). It's better to sign with Visual Studio. There is documentation for an exact procedure.
If you sign with a Verisign certificate, you don't need to install anything except the app, because the Verisign root is already trusted in Windows. Visual Studio signs only the application package.

windows phone 8.1 company profile

We are developing a Windows Phone 8.1 app.
HockeyApp was chosen for app distribution. To be able to distribute a Windows Phone 8.1 app, it requires uploading the company profile file (.aetx), which should then be downloaded on the Windows Phone; only after that can the .xib file signed with the company certificate be installed.
The problem is that the phone reports the error when trying to install the .aetx file:
Can't add workplace account
We weren't able to set up the workplace account.
Contact your company's support person for help.
The specific detail is that the Enterprise Mobile Code Signing Certificate was requested from Symantec from the Mac computer, and the certificates were exported to .p12 format, not .pfx as in the case of Windows OS. But AETGenerator.exe didn't show any error and successfully created the .aet, .aetx and .xml files.
I followed the Company app distribution for Windows Phone, and the steps I have done:
Registered the Company account on Windows Phone Dev Center
On Mac computer applied for Symantec Enterprise Mobile Code Signing Certificate
On Mac picked up Enterprise Certificate from Symantec
On Mac exported the Enterprise Certificate to .p12 file
On Windows installed the Symantec_Enterprise_Mobile_Root_for_Microsoft.cer
On Windows installed the Symantec_Enterprise_Mobile_CA_for_Microsoft_Cert.cer
On Windows development computer generated the .aetx file using the AETGenerator.exe of the Windows Phone 8.1 SDK tools
Now either installing the .aetx file from email or through Hockeyapp the phone shows the same error and doesn't install the certificate.
I tried installing the .p12 from Mac to Windows, then exporting the .pfx file on Windows with included private certificate, and then generating the .aetx file from this .pfx, the result is the same; phone shows the same error.
If I install all certificates on Windows (downloading Symantec certificates and installing private and public Enterprise certificates from the .p12 file), and then try to pick up the Enterprise Certificate from Symantec on Windows, the browser shows:
Your certificate cannot be installed. Either it has already been installed, or you have removed your private key.
It seems this error is shown when trying to install the public key of the certificate on a computer other than the one from which it was requested.
Can applying for the Symantec Enterprise Mobile Code Signing Certificate from a Mac and then exporting the certificate be the reason for this problem?
If the Enterprise Mobile Code Signing Certificate was once acquired for the company, is there a way to apply for another certificate for the same company from another computer? When enrolling for a certificate, the private key is created in the browser on the back end, and I am wondering whether it is possible to go through the same procedure from Windows without paying for an extra certificate.
This should help.
When we try to generate AET token, it fails with following error? What is cause for this failure?
Unknown Error while generating AET
StartIndex cannot be larger than length of string
Parameter name: StartIndex
http://blogs.msdn.com/b/wsdevsol/archive/2014/04/21/frequently-asked-questions-about-windows-phone-company-hub-apps.aspx

Signed .CAB results in "Unknown publisher" on windows mobile 6.5

I have purchased a certificate from http://www.ksoftware.net/ which I use to sign a .CAB file used for installation of our software on Windows Mobile 6.5 devices. However, even after signing the .CAB, when attempting to install the application on the device (via the CAB) the device alerts "Unknown publisher". These CAB files are downloaded from a web service and are supposed to be installed automatically using wceload and its silent install options, but this fails since the CAB is not recognized as signed (once I have manually installed a particular CAB file, wceload will succeed for that CAB in the future).
Initially I only had the certificate set in the Visual Studio 2008 deployment properties and the application's signing properties. I also tried using signtool.exe, and thereafter cabsigntool.exe, to sign all the other files in the CAB too. None of these methods work. When checking the CAB's properties in Windows 7, the file does have a security certificate attached, but any attempt to install on the device gives the annoying "unknown publisher" popup box.
Is there anything I am missing? What could be causing the devices to still see the CAB files as unsigned? The signing does not seem to work with plain EXEs either.
Please note I do know the security settings can be changed in order for the prompt not to come up, but I am interested in solving the security certificate problem.
I assume the root certificate of the signature is not known on the device:
Did you verify that the certs are Windows Mobile compatible?

Setup Project in Visual Studio 2010 : Unknown Publisher?

I have a VS 2008 Setup Project created. I am trying to install this on a Windows 7 machine as a Standard User. I am getting a warning during install about an unknown publisher. I have used makecert to create a certificate, then converted it to a password pfx file. I have digitally signed the msi and setup.exe with the pfx file. When I go into the file properties, I can see the digital certificate attached. On the Windows 7 machine, I imported the pfx file to "Trusted Publishers". What do I need to do to get rid of the warning? I can't have the admin user and password required to install the app. I can't change the UAC settings. I need to make the change to the certificate / setup files to get this to work.
Makecert creates certificates only for testing purposes. To sign your installer you need a real certificate purchased from an official authority. You can try purchasing one from Verisign or Comodo.
Windows UAC recognizes only real certificates.
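
Added example, not part of the original posts: a PowerShell check, run on a desktop Windows PC, that reports whether a file's Authenticode signer is self-signed and whether its chain builds to a root trusted on that machine, which is what separates a makecert test certificate from a CA-issued one. `$Path` is a hypothetical parameter name, and revocation checking is turned off so the check runs offline.

```powershell
# Added example: explain why a signed file may still show "Unknown publisher".
# $Path is a hypothetical parameter; point it at your own signed .exe or .msi.
param([Parameter(Mandatory)][string]$Path)

$sig = Get-AuthenticodeSignature -FilePath $Path
$cert = $sig.SignerCertificate
if ($sig.Status -eq 'NotSigned' -or -not $cert) {
    Write-Output "No Authenticode signature found on $Path"
    return
}

# Build the signer's chain against this machine's certificate stores.
# Revocation is skipped so the check does not need network access.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainTrusted = $chain.Build($cert)

[pscustomobject]@{
    File            = $Path
    # 'Valid' only if the hash matches AND the chain ends in a trusted root.
    SignatureStatus = $sig.Status
    StatusMessage   = $sig.StatusMessage
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    # Subject equal to Issuer means no CA vouches for this certificate.
    SelfSigned      = ($cert.Subject -eq $cert.Issuer)
    ChainTrusted    = $chainTrusted
    # e.g. UntrustedRoot when the root is not in Trusted Root Certification Authorities.
    ChainErrors     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    # Leaf first, root last.
    ChainSubjects   = ($chain.ChainElements |
                        ForEach-Object { $_.Certificate.Subject }) -join ' <- '
}
```

A file can carry a signature that shows up in its properties and still report `ChainTrusted = False`; the signature being present and the signer being trusted are separate checks.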
