Workaround for signed cab files on PPC 2003


History question of the day: Why can’t PPC 2003 load signed cabs?


Two cab installers?


Set the wayback machine to pre-2001. We forked the Pocket PC codebase and started work on the first Smartphone release. Several components were rewritten or created from scratch because of the design requirements of the platform, including one handed navigation, a phone-first experience, no touch screen, and a more comprehensive security model. One of those components was the CAB installer (WCEload).  For Smartphone, CAB files contained a _setup.xml file which fed into our XML-based configuration format and also could be Authenticode signed to integrate with our new security model. So we now had two versions of wceload.exe. We’ve been working on bringing the platforms closer into alignment since then and one example of that is the unified installer in WM5 – it’s the same on both platforms now. Because the Smartphone CAB format provided much more power and flexibility, the unified WM5.0 installer uses that format. CAB format, signature checking, _setup.xml, and all.
 


Why don’t they work on PPC 2003?


So why won’t PPC 2003 install the signed CABs? Well, when you sign a CAB, it adds the signature to the normal data in the CAB. There’s a length marker in the cab which contains the total size of the files inside the CAB. When the file is signed, the size of the files inside the CAB and the length marker don’t change, but the size of the CAB itself gets larger. (because the signature data is now attached to it) The loader on PPC 2003 wasn’t expecting signed CABs, so it compares that length marker to the file size of the CAB, sees that they’re different, and throws out the file.



Workaround!


When we were working on WM 5.0, we added some code to ActiveSync that will make a CAB look unsigned if it’s deploying via the application manager to a 2003 (or earlier) PPC device. But this doesn’t fix the problem for users that haven’t yet upgraded, or are installing signed cabs via the browser or storage cards. I have received some requests to describe the method that ActiveSync uses to make the CAB unsigned. There is a KB article in the works that describes the process of “unsigning” CAB files, but in short it works like this. The third DWORD in the CABfile is the cbCabinet member of the header. On a signed CAB, that size is smaller than the actual size of the file. To make the CAB look unsigned again, just change that DWORD to contain the actual size of the file. The CAB header is fully documented in the CAB SDK which is downloadable on microsoft.com.When the KB article goes live, I’ll link it from this entry.



Hope this helps or entertains you,


Scott


edit 4/26: Fixed the wacky fonts. Sorry about that.


Comments (17)

  1. gazer says:

    Apologies for side tracking from the orignal post, but can any provide details on how to disable the remember password option in Pocket Outlook?

  2. After my morning coffee I sat down to read through what people have been saying while I was asleep last…

  3. James Hawthorne says:

    @gazer:

    Here’s what I don’t get.  You KNOW…you KNOW that your comment is way off topic and totally irrelevant and could probably be easily answered by google, and yet you comment anyway.  "Sorry for doing something that’s completely ridiculous, but where can I buy some size 3 clown shoes?"

    @scyost: Sounds awesome!  Looking forward to it!

  4. gazer says:

    James,

    I don’t think asking security related question impacting Pocket Outlook in WM is completely out of context, after all it is the WM blog. I am not aware of any API or workaround to cater for this simple but obvious security requirement, hence the posting.

    Finally didn’t you search google for the clown shoes ?

  5. Mike Hudgell says:

    Well, if fixing the size (incorrectly) works in all cases, and provides a solution that is backwards compatible, why do the software tools not do that automatically?

  6. daern says:

    Scott,

    Thanks so much for this detailed response to my thoroughly unprofessional rant (here, if anyone cares to read: http://blogs.msdn.com/windowsmobile/archive/2005/12/17/security_model_faq.aspx)

    This has really cleared things up for me and, althought it’s not a nice situation, at least it’s explicable.

    Question: In PPC2003SE (and possibly earlier versions) there is a wceloadsp.exe, which I assume is a smartphone-type of wceload. CPF files (which use _setup.xml) are associated with this and CAB files are associated with the original wceload.exe. What do you think would happen if I took my signed CAB file, renamed it to CPF and ran it on the device? Theoretically, that version of wceload would understand it, load it and work ok, even though the native wceload would spit out the same CAB.

    I think I might have to dig out a device and try this…

    Once again, thanks for the info,

    Daern

  7. Chris Conti says:

    is there any documentation on how CE/PPC/SP use the abReserve block in the CAB Header?  It looks as if it is basically:

    typedef struct _CAB_SIGNINFO

    {

     WORD ???;

     WORD ???; //maybe cert count? version number?

     DWORD coffWIN_CERTIFICATE;

     DWORD cbCertBlock

    } CAB_SIGNINFO, *PCAB_SIGNINFO;

    but it would be nice to see some official doc/confirmation.

  8. scyost says:

    Mike, I’m not sure I understand the question. Changing the header in this manner invalidates the signature on the CAB, so it’s really only useful for the downlevel Pocket PC devices.

  9. Nino.Mobile says:

     

    Software / Hardware 

    ActiveSync 4.2 Beta Preview has been released

    SlingPlayer Mobile…

  10. Kieren Smith says:

    Hmm…this brings up a cunning idea which I think is worth the experimentation (I’m working on this myself).

    Applying this change *after* signing the CAB invalidates the signature, but if the size of the signature being appended to the file can be predicted before signing, then this opens one of two possibilities:

    1) Manually adjust the size in the header to match the size after signing, THEN sign the file.

    2) If option 1 works, then option 2 would be to adjust the CAB creation tools to reserve space in the file for the signature (already mentioned in the CAB SDK, but unavailable as an option when building WM CABs).

    That would be a whole lot easier than fiddling with the CAB header at install time (which would still depend on being able to detect OS version accurately at all times, a separate and equally "fun" issue)

  11. Matthew says:

    There’s another fun bit to this that nobody else has mentioned yet. If you change the active USB function driver of a WM5 device such that it uses Serial over USB rather than the new RNDIS, then ActiveSync 4.x MAY see the device as being old and therefore strip off the signature during transfer, causing the warning about an unsigned file to pop up. I say may because I’ve seen this behavior on some devices and not others, but I haven’t yet traced it down to model and checked differences in USB enumeration between those that did and did not.

  12. Alex says:

    I wrote a pocket pc program in VB 2003. But I have to deploy it to wm2005. I built the cab file and put it my device. It will have a message saying that it is a unknown publisher. How can I disable this message?

  13. scyost says:

    Kieren / Daern – I really don’t think there’s a way to slide a signed cab through the check in the ’03 installer. But if you find one I’d love to hear about it.

    Matthew: I’ve never heard of this issue before. If you have any more information, please e-mail me.

  14. daern says:

    "I wrote a pocket pc program in VB 2003. But I have to deploy it to wm2005. I built the cab file and put it my device. It will have a message saying that it is a unknown publisher. How can I disable this message?"

    Alex, you will have to sign your CAB file (and, indeed, the EXE within it) against the Mobile 2 Market program. More info here:

    http://msdn.microsoft.com/mobility/windowsmobile/partners/mobile2market/default.aspx

    In short, you’ll have to pay an amount of money to either Verisign or Geotrust to do this.

    Daern

  15. Matthew says:

    Scott: I don’t have good details to give you at the moment. I’d have to try out a few handhelds to get a list of those affected. I have seen it, but not recently. I’ll give some details when I have a chance to reproduce and document, but right now I’m busy getting things wrapped up before MEDC.

  16. Joe says:

    Is this the same reason signed cab files will work on WM5 and not on CE 5.0?

  17. Jason Kemp says:

    Scott,

    Has the KB article been published for this issue?

    Thanks