Mobile code signing

All Windows 10 Mobile binaries need digital signatures to load and run on your device.

This section provides information about tools and procedures that must be used to support code signing for Windows 10 Mobile.

To implement code signing, you must:

  1. Install the Microsoft provided test OEM certificates by using InstallOEMCerts.CMD. For more info, see Set up the signing environment.

  2. Identify binaries with specific code-signing requirements, such as boot-critical drivers. This topic provides information on how to do this.

  3. Use Sign.CMD to sign the binaries according to signature requirements determined in step 2. For more info, see Sign binaries and packages.

  4. Submit binaries by using the OEM ingestion tool for retail signing. For more info, see Submit binaries to be retail signed.

It is important that you use the version of the tools that match the version of the binary files shipping with the kit. For example, do not use tools from a previous version of the kit with binaries from a newer version of the kit.

Code-signing requirements

All certificates used must meet the following requirements:

  • RSA 2048

  • SHA 256 minimum

Retail vs. test code signing

Test signing is performed by the OEM, and retail signing is performed by Microsoft. OEMs should use the tools and process for installing and using test certificates that are outlined in Set up the signing environment and Sign binaries and packages. OEMs should use the OEM ingestion tool and process to submit final binaries for retail signing and updates as discussed in Submit binaries to be retail signed.

Important  

You can use test certificates when developing or testing the device. However, you must not ship the device with a test or development certificate.

Code signing specifics

Embedded and catalog signing

Two types of code signing are used in Windows 10 Mobile:

  • Catalog signing: A digitally signed catalog file (.cat) can be used as a digital signature for a collection of files. A catalog file contains a collection of cryptographic hashes, or thumbprints. Each thumbprint corresponds to a file that is included in the collection.

    In Windows 10 Mobile, all software is added to the phone using packages. Each package is catalog signed as part of the package generation process with the "Windows Phone OEM Test Cert 2013 (TEST ONLY)".

    Each package has a catalog that contains file hashes for all files in the package. When this catalog is signed, all files that have hashes in the catalog are implicitly digitally signed, even when the files themselves do not have digital signatures embedded in them.

  • Embedded signing: With embedded signing, a digital signature is added to the driver's binary image file itself, instead of saving the digital signature in a catalog file. As a result, the driver's binary image is modified when the driver is embedded-signed.

Two parts of the operating system must be embedded signed with specific EKUs before they are placed in packages.

  • Boot-critical drivers are embedded signed with the "Windows Phone OEM Test Cert 2013 (TEST ONLY)".

  • HAL extensions provided by the SoC vendor are embedded signed with the "Windows Phone OEM Test Cert 2013 (TEST ONLY)".

Certificate EKU metadata

Certificates used for signing of code, contain meta information used during signature verification. Windows 10 Mobile uses the EKU (Enhanced Key Usage) metadata to control the execution of code. A set of EKUs exist in the OS and are used to allow or deny a file load and execute request. If a file has the wrong associated EKU with it, the file will fail to load.

InstallOEMCerts.cmd installs the correct test certificates that include the correct EKU meta information. If Sign.cmd is used with correct binary type option, the files will be signed with the correct certificates and associated EKUs. For more info, see Sign binaries and packages and Set up the signing environment.

The following table summarizes the signature type and lists the EKUs.

Binary type Signature type Certificate common name (CN) Required EKUs

Boot-critical drivers

Embedded signed

Windows Phone OEM Test Cert 2013 (TEST ONLY)

Code signing: 1.3.6.1.5.5.7.3.3

WP OEM: 1.3.6.1.4.1.311.76.5.40

HAL extensions provided by the SoC vendor.

Embedded signed

Windows Phone OEM HAL Extension Test Cert 2013 (TEST ONLY)

Code Signing (1.3.6.1.5.5.7.3.3)

WP HAL Extension (1.3.6.1.4.1.311.76.5.20)

All other binaries in packages

Catalog signed

Windows Phone OEM Test Cert 2013 (TEST ONLY)

Code signing: 1.3.6.1.5.5.7.3.3

WP OEM: 1.3.6.1.4.1.311.76.5.40

 

Set up the signing environment

Sign binaries and packages

 

 

Send comments about this topic to Microsoft