Application Signing (Devices)
Most Windows Mobile devices arrive from the mobile operator or equipment manufacturer preconfigured with security settings that restrict the execution of unsigned applications and the installation of unsigned CAB files. For your application to run, you have to sign it with a certificate that is installed on your end users' devices.
How to Sign Device Applications
To sign an application, you must sign all the EXE, managed assemblies, DLL, CAB, and MUI (Multilingual User Interface) files that constitute the application. To graphically view how signing works in device projects, see Graphical Flowchart of Signing Process for Devices. The following topics explain how to sign device applications:
How to: Sign a Visual Basic or Visual C# Application (Devices)
How to: Sign the Project Output in a Visual C++ Project (Devices)
How to: Start Signtool.exe as a Post-Build Event (Devices)
Note
If you run a post-build step that alters a binary, you have to sign the binary again, because anything that alters the binary after it is signed invalidates the signature. In other words, you must disable Authenticode Signing in the project properties, and sign instead as a post-build step.
Signing an Application for Day to Day Development
If you develop on a device whose security settings are less restrictive than the settings of end users, you may not encounter the same security warnings or errors as your end users. Therefore, it is a good idea to simulate the end user's security environment by developing your application on a security-enabled device. To do this, sign your device application with the Visual Studio development certificate and install the certificate on your development device or emulator. Signing with a development certificate during the development phase promotes good end-user experiences. Certificates for day-to-day development work and a tool to install them are included in Visual Studio.
To install the required certificates on the device
Connect to the device by using whatever connection mechanism you have available.
Copy VSDCerts.cab from the development computer to the device.
VSDCerts.cab is located by default at drive:\Program Files\Microsoft Visual Studio 9.0\SmartDevices\SDK\SDKTools.
On the device, explode VSDCerts.cab to install the certificates.
Signing an Application for Release
The SDK certificates are for development or testing only. End-users do not have SDK certificates installed on their devices. Therefore, when an application is ready to be released, it must be signed with a certificate that is on the user's device. All OEMs and mobile operators currently include the Mobile2Market unprivileged certificates on the devices they ship. Most OEMs and mobile operators also include the Mobile2Market privileged certificates. Therefore, unless your application must run as a trusted application on a device that does not have the Mobile2Market privileged certificate, you should have your application signed with one of the Mobile2Market certificates. For more information about the Mobile2Market Program, see Mobile2Market: Code Signing for Windows Mobile Applications in the Windows Mobile Developer Center.
To run your application on a device that does not have the Mobile2Market privileged certificate, you must ask the OEM or mobile operator to sign your application.
Note
If the device security configuration requires signed binary files and the application binary files are unsigned, the application will not run. For more information about security configuration, see Configuring Security on Windows Mobile Devices.
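Because every EXE, DLL, and MUI file in the application must be signed, a pre-release check over the build output can catch a binary that was missed or that a later build step replaced. The following Python script is an added example, not part of the original documentation or of Visual Studio; it reports PE files that carry no Authenticode certificate table. The function names and the sample header are constructed for illustration, CAB files are not covered, and the presence of a table does not prove that the signature is valid or that the device trusts the certificate.

```python
import os
import struct

SECURITY_DIR = 4  # index of the certificate table in the PE data directories
PE_EXTS = (".exe", ".dll", ".mui")  # PE file types the page lists (CAB is not PE)

def has_cert_table(data: bytes) -> bool:
    """True if a PE image has a non-empty Authenticode certificate table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe + 24  # optional header follows 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    count = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return False
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    # Signing appends the table to the file, so it must lie inside the file.
    return offset > 0 and size > 0 and offset + size <= len(data)

def unsigned_pe_files(root: str) -> list:
    """Relative paths under root of EXE/DLL/MUI files with no certificate table."""
    missing = []
    for folder, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PE_EXTS):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    if not has_cert_table(fh.read()):
                        missing.append(os.path.relpath(path, root))
    return sorted(missing)

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header for demonstration; not a runnable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x1C0, 0, 0, 0, 0, 224, 0x0102)
    body = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    image = dos + b"PE\0\0" + coff + body
    end = len(image) + len(dirs)
    if signed:  # point the security directory at 8 placeholder bytes at end of file
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR, end, 8)
    return image + bytes(dirs) + (b"\0" * 8 if signed else b"")
```

Run `unsigned_pe_files` on the final output folder, after all post-build steps have finished; an empty list means every PE file found has a certificate table.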