Mobile2Market updates for Signing and Certification


For those of you who didn’t catch this at MEDC 2007 in Vegas, there were some significant announcements around Mobile2Market in Dan Bouie’s Session.


 


First off, we announced an updated Designed for Windows Mobile logo program for WM5 and WM6. The logo criteria had not been formally revised since the 2003SE release, so it’s great to see the program and logo criteria get a much-needed makeover. Do you have to get logo certified? No. But there are some great reasons to do it in order to make your application stand out in the market. Find out more here.


 


Another important announcement: major improvements in the signing arrangements with VeriSign. For those of you signing today, you know that every file (EXE, MUI, DLL, etc.) was a unique signing event. It was also a rather “manual” process to sign all the components, push through the signing partner, then sign the CAB, repeat, etc. If you had a very componentized application (lots of DLLs) and/or maintained multiple versions, and did a quarterly release, etc… then you know where I’m going with this.


 


Make it easier… Our WM6 includes CabSignTool.exe, which was the first step in simplifying a complex process. Point it at your CAB and it cracks the CAB apart, signs everything, packages the CAB back up, and then signs the CAB. Now, if that approach could also be used with, oh I don’t know—VeriSign, wouldn’t that be sweet?
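As an added illustration (not part of the original post and not Microsoft's tooling): a pre-flight check over files already extracted from a CAB that lists the PE images with no Authenticode certificate table, i.e. the ones a sign-everything pass would still have to sign. It detects only the presence of a signature blob, not its validity; the file names and header-only sample images are constructed.

```python
import struct

SECURITY_DIR = 4  # index of the Certificate Table in the PE data directories

def has_signature_blob(data: bytes) -> bool:
    """True if a PE image carries a non-empty Authenticode certificate table."""
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE image")
        opt = pe_off + 24                  # PE signature (4) + COFF header (20)
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]        # PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= SECURITY_DIR:
            return False
        off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or unsupported PE header") from exc
    # For this directory the first field is a file offset, not an RVA.
    return off != 0 and size != 0 and off + size <= len(data)

def unsigned_pe_members(files: dict[str, bytes]) -> list[str]:
    """Names of PE files (by MZ header, not extension) with no signature blob."""
    return sorted(name for name, data in files.items()
                  if data[:2] == b"MZ" and not has_signature_blob(data))

def sample_pe(signed: bool) -> bytes:
    """Constructed header-only PE32 image for the demo, not a real binary."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + 92, 16)      # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", buf, opt + 96 + 8 * SECURITY_DIR, 0x180, 0x80)
    return bytes(buf)

# Constructed stand-in for the files extracted from a CAB.
CAB_MEMBERS = {"app.exe": sample_pe(True), "engine.dll": sample_pe(False),
               "readme.txt": b"plain text"}

if __name__ == "__main__":
    print("still unsigned:", unsigned_pe_members(CAB_MEMBERS))
```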


 


We heard a lot of feedback from customers around the current process and have been working to make this better. This has to be somewhat of a “teaser” post as we’re still waiting on some of the work to be finalized (and I don’t want to steal their thunder)… but things ARE about to get much, much better. If you sat in on Dan’s session, you know what I’m talking about. Stay tuned and I’ll post more on this as soon as it’s all final. This is really great news for anyone signing with M2M today (really, really). It will simplify your life and save you a lot of money.


 


This also segues into my next blog post… I think I’ll call it “when good signatures go bad”. 


 


 -Reed


Comments (8)

  1. rudrac says:

    Hello ,

     If some files in cab are signed and some are not,

     will signing of signed files cost anything if a VeriSign-like entity uses cabsigntool.exe?

    regards,

    –rc

  2. ReedR says:

    If you sign a CAB, you also have to sign all the executable content in order for that CAB to pass security checks — so I think you would want to sign all those components anyway.  Hopefully we’ll have some details to share pretty soon about the new support and I think you will be pleased.  If anything, it will save you money and reduce the number of signing events you deal with today.

    -Reed

  3. NoelDillabough says:

    Any news on this?  I’m also wondering if GeoTrust is going to follow suit and use signcabtool as well?  (I have my signing events through them)

  4. rudrac says:

    Hello Reed,

       I understand that we need to sign all executables in the cab to pass security checks.

    But what I want to know is

    "If I make a cab file which has some files signed and some files not signed, and submit this cab file for signing, how will the signing process treat this cab file?

    Will it count already signed files insigned cab  as not signed and sign them again and charge for it" .

    regards,

    –rc

  5. mdavis says:

    Hi Reed,

    With all due respect, I really don’t see how mandatory Code Signing is anything short of racketeering.  While I understand and appreciate the protection that code signing affords, if my users and I enter into a trust agreement, it is entirely unnecessary for any third parties to be involved.  

    It cost me hundreds of dollars and great headaches for each release.  To anyone who even looks at this on the surface it is clear that Microsoft, VeriSign and GeoTrust are cohorts in a "user protection" racket which extorts great sums of money from developers.

    If it were truly for the protection of users, code signing should be supplied by Microsoft at no cost to developers.  Might be time for a class action, huh???

  6. ReedR says:

    Code signing is not mandatory. You can choose not to sign your code and it will still run just fine on most devices. The operator actually decides whether they set the policy that warns users when they try to execute unsigned code. Some choose to do this, some don’t. If they want to, they can completely turn these checks off. Operators control the final security policy. Code signing, paired with security policies, is a great way to provide a configurable security layer that can be tightened down or completely turned off depending on the needs – and it’s something that can be done without taking the device under central (domain) management because it’s all cert based. It’s a very powerful and flexible model that was driven by operator needs, industry signing standards, and established signing partners.

    The goal with Mobile2Market was to provide a single signature that would work across operators and networks so you wouldn’t have to maintain multiple app versions and deal with multiple signing programs, operator requirements, fees, etc.  Is signing free?  No.  Is it competitive with other mobile platforms – VERY.  Do ISVs have to sign code to work on WM?  No.  We’ve worked very hard to provide a platform that is still easy for developers to build on and yet provide operators with the security layers they expect to help mitigate the risk of malicious code on their devices and networks.

    By signing code, you ensure 1) your users never see annoying untrusted publisher prompts 2) you get a consistent level of execution on the widest array of devices and 3) your code is protected against tampering and can be verified to a publishing source. In a nutshell, your users get the best, predictable experience when they run your app.

    -Reed

  7. swiftflyte19 says:

    This sounds great IF you are using Verisign, but what if you are signing via GeoTrust?

    And when will we have more choices rather than just Verisign and GeoTrust (knowing full well that Verisign owns GeoTrust)?