Code signing of software for Microsoft smartphone in practice, part 1 of 2
Get insight into the code signing process.

Thanks to the courtesy of the AIM Productions company, we are able to present a detailed description of the code signing process.

First you need to purchase the so-called "Smartphone Credentials for Code Signing", which you can purchase here (msmobiles.com recommends GeoTrust as the cheaper and technologically better solution). The "Smartphone Credentials for Code Signing" include a USB token:

[image]
(in the picture above: the "Tanager" smartphone at the top and the USB token for code signing from GeoTrust at the bottom)

[image]
(in the picture above: the USB token for code signing from GeoTrust; the individual serial number has been blurred for security reasons)

This USB token looks like a USB memory stick, but in fact it is an "iKey 2032" with a processor, made by "Rainbow". Without this token no code signing is possible.

Generally speaking, the code signing process for smartphone applications consists of 2 steps. First, you sign the file with a "private key" that is local to the PC: with the help of the USB token and the signcode.exe application (part of the Smartphone SDK), you sign the file locally. The purpose of this local signing is to ensure that the second step does not violate security. The second step is uploading the locally signed file to the server, where it is immediately signed on the server side and made available for download. That's all as far as the general description is concerned; now let's go into details...

First start the program "C:\Windows CE Tools\wce300\Smartphone 2002\tools\signcode.exe". You will see "Welcome to the Digital Signature Wizard" with a short introduction. Click the "Next" button and observe this dialog:

[image]

... where you should use the "Browse..." button to select the file to be signed locally. After pressing "Next", this dialog appears:

[image]

... where you can select many more options if you wish, but usually one selects "Typical Recommended for most users", presses the "Next" button and goes to the next dialog:

[image]

... where you need to select the certificate with which you will sign the file locally. After selecting the proper certificate (= issued by GeoTrust), the next dialog is this:

[image]

... where you can see the details of this certificate. After clicking "Next" you see these dialogs, where you can enter some additional information:

[image]

[image]

Now everything is ready and the actual signing can take place:

[image]

After pressing the "Finish" button, this dialog appears:

[image]

... where you have to enter the password for the USB token. After entering the correct password you get this dialog:

[image]

... where you can see that the local signing phase completed successfully. Now it is time for the second and last phase: signing of the file on the server.
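A pre-upload check that the local signing step really left a signature in the file, as an added example that is not part of the original article. It assumes the signed file is a PE executable (.exe or .dll) and that signcode.exe stores its Authenticode signature in the PE certificate table; the function names and the sample image are constructed for illustration.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
SECURITY_DIR_INDEX = 4                   # IMAGE_DIRECTORY_ENTRY_SECURITY

def embedded_signature(data):
    """Return (file_offset, length, cert_type) of the first WIN_CERTIFICATE
    entry, or None when the PE image carries no certificate table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe + 24                                       # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
    count = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    if count <= SECURITY_DIR_INDEX:
        return None
    # For this directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
    if offset == 0 or size == 0:
        return None                                     # unsigned file
    if size < 8 or offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    if not 8 <= length <= size:
        raise ValueError("corrupt WIN_CERTIFICATE length")
    return offset, length, cert_type

def build_sample(signed):
    """Constructed header-only PE32 image for the demo (not a real program)."""
    pe = 0x40
    hdr = bytearray(pe + 24 + 96 + 16 * 8)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe + 24, 0x10B)         # PE32 magic
    struct.pack_into("<I", hdr, pe + 24 + 92, 16)       # 16 data directories
    if not signed:
        return bytes(hdr)
    blob = b"\x30\x82" + b"\x00" * 14                   # placeholder, not real PKCS#7
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    struct.pack_into("<II", hdr, pe + 24 + 96 + 8 * SECURITY_DIR_INDEX,
                     len(hdr), len(cert))
    return bytes(hdr) + cert

if __name__ == "__main__":
    print(embedded_signature(build_sample(False)), embedded_signature(build_sample(True)))
```

This only confirms that a signature blob is present and well-framed; it does not validate the certificate chain or the file hash.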

To continue reading part 2 of this article, click here.