When Good Signatures Go Bad – Part 1

  • Article

Okay, I promised this would be my next blog post, but had to push the security primer to help get us here. Hopefully that post will clarify some of the concepts that are important to this one. Seems like I get a lot of questions once people start signing code with dev or Mobile2Market signatures. It usually comes in the form of one of these key issues:

1) Trying to verify if a device has Mobile2Market or developer certificates installed on it

2) Is an application/CAB properly signed?

3) Does WM6, WM5, and WM2003 honor the same M2M signatures?

 

Let’s say you signed your code and are still getting “unsigned publisher” errors when you install or run it. This typically either means your code is not signed properly or else the it’s been signed with certificates that are not honored on the device.

 

How do I know Mobile2Market or developer certificates are installed on a device I’m testing with?

Mobile2Market certs are included on our emulators and nearly every retail Windows Mobile device out there with a few exceptions, so 99% of the time – it’s there. Our SDK Developer certificates are on all of our emulators images. If you are using a retail device, you have to manually install developer certs – typically using the SDKCERTS.CAB included with our WM SDKs. Pay attention make sure the install succeeds because you can’t provision some 2-tier devices (WM6 Standard Edition / WM5 Smartphone Platform).

 

Okay, so you know when the certs are supposed to be there. How to actually check the device (or emulator)? The easiest way to identify a cert is by its thumbprint. If you know the thumbprint of the cert you are looking for, it’s not that hard to verify. To make this easier, I've included the M2M cert thumbprints below (these should match to the M2M certs installed on a device) in the corresponding Privileged, Unprivileged, and SPC cert stores.

 

Verisign M2M Unpriv thumbprint is: C06E95210F109DA105B6AA4A8C9F04F3F7D10211

Verisign M2M Priv thumbprint is: 802F0BA13A4A3D362DA1CC348EFC59B92B5A9067

 

Geotrust M2M Unpriv thumbprint is: B2A44C4D48FD9516B46390B9F621289DA0F3A365

Geotrust M2M Priv thumbprint is: 531700A6149352AC4BABB4E0BED893926C5515E9

 

Baltimore M2M Unpriv thumbprint is: 140AFE42C7AE2A2DBFF67A3A59CD2C5262D84A1A

Baltimore M2M Priv thumbprint is: 4A5A4FBABABA1112D49FB0C28463C53CB111F9BE

 

In other words, if you query the cert stores using the CertificateStore CSP-you should find all the M2M certs in the data it hands back to you…

<wap-provisioningdoc>

         <characteristic type="CertificateStore">

   <characteristic-query type="Privileged Execution Trust Authorities" />

                  <characteristic-query type="Unprivileged Execution Trust Authorities" />

                  <characteristic-query type="SPC" />

         </characteristic>

</wap-provisioningdoc>

 

While CSP is probably the “best” way to validate the certificate against a thumbprint, it’s easier just to look in the registry in a few strategic places:

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Unprivileged Execution Trust Authorities\Certificates]

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Privileged Execution Trust Authorities\Certificates]

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\SPC\Certificates]

 

You will find a registry key in each of these locations with the thumbprint of the cert if they have been added to the device.

 

 

To be continued…