In the real world, devices shipped with certificates installed by the service provider of your device. That means, if you need to deploy your applications on the device, you need to work with the service provider to sign your application so that your application can be trusted. This model works quite well if your application is targeting only a particular device. However, if you are deploying your application to a wide variety of devices, this is a nightmareyou have to work with the various service providers of the devices and get your applications signed.
To avoid this code signing nightmare, Microsoft releases the Mobile2Market program. Most devices include the Mobile2Market certificates, which mean that as long as your application is signed with the Mobile2Market certificate, your application will be able to run on any devices. The signing process goes like this:
- Purchase a certificate from one of the certificate authorities (CA) that is a partner of the Mobile2Market program, for instance Verisign and GeoTrust.
- A certificate will be issued to identify your organization.
- When you are ready to deploy your application, sign your application with the certificate you obtained from the CA and send it to the CA.
- The CA, upon verifying the publisher signature, will replace the publisher signature with the signature of the appropriate Mobile2Market certificate.
- Your application is now Mobile2Market signed.
For development purposes, you can use the test certificates shipped with the Windows Mobile 6 SDKs. By default the Windows Mobile 6 SDKs ship with three test certificates for development use:
- Sample Privileged Root for Windows Mobile SDK (in Privileged Store)
- Failsafe Configuration Root for Windows Mobile SDK (in Privileged Store)
- Sample Unprivileged Root for Windows Mobile SDK (in Normal Store)
| Author's Note: Do not ship the test certificates on a real device.|
You can verify this by clicking the Certificate Management button in the Device Security Manager. Figure 6 shows that the Windows Mobile 6 Standard Emulator containing the three certificates.
If you want your application to execute in Privileged mode in the emulator, you need to sign your application using the Sample Privileged Root certificate. Likewise, applications signed with the Sample Unprivileged Root certificate will run in Normal mode in the emulator.
It is important to know that you should place the certificates in the appropriate stores on the device. If you place the unprivileged certificate in the Privileged store (the unprivileged certificate should instead be placed in the Standard store), applications signed with an unprivileged certificate will be executed in the privileged mode.
Figure 6. Three Certificates: The sample certificates shipped with the Windows Mobile emulators.
Figure 7. Sign the Project: Signing a project with a certificate.
Signing Your Application
Now let's see how to sign the SecureApp application with one of the test certificates.
In Solution Explorer, right-click on the project name and select Properties. Select the Devices tab and check the Sign the project output with this certificate checkbox (see Figure 7).
Click the Select Certificate button and the Select Certificate dialog will be shown. Click the Manage Certificates button and click the Import… button. Next, in the Certificate Import Wizard dialog, click Next and then Browse…
Navigate to the following directory: C:\Program Files\Windows Mobile 6 SDK\Tools\Security\SDK Development Certificates. Be sure to select Personal Information Exchange (*.pfx;*.p12) for the file type and then select SamplePrivDeveloper.pfx (see Figure 8). Note that this is a privileged certificate.
Back in the Certificate Import Wizard dialog, click Next for the next three steps and then Finish. Click Close.
Figure 8. A Privileged Certificate: Select the Personal Information Exchange and then the file.
Figure 9. The Properties Window: After signing your application with a privileged certificate.
In the Select Certificate dialog, select the certificate you have just selected and click OK. The Properties window will now look like Figure 9.
Rebuild the SecureApp application and press F5 to deploy the application to the emulator again. This time, you will be able to write the registry key.
| Try it Out: Sign the SecureApp application using the SampleUnprivDevelop.pfx certificate and then deploy the application. Can your write the registry key?|