views:

934

answers:

1

I'm tasked with obtaining a code signing certificate. Our application actually consists of 2 complementary components: a desktop application and a Windows Mobile application designed to run on PDAs. Currently our mobile install (via CAB file) triggers the security prompts in Windows Mobile 6 and it is confusing to our users. We want to eliminate those security warnings.

It seems easy enough to find certificates to sign a desktop application -- which we also need -- but I'm less clear about whether or not such a code signing certificate will fix our Windows Mobile problems. My ideal solution is 1 certificate that can sign both the desktop and mobile apps.

So much I read about mobile app signing revolves around Mobile2Market and crazy multi-step signing procedures -- even sending your executables in to have them signed and returned. I think this is mainly aimed at the mobile phone market, where cellular providers have tightly locked down the phones against non-signed apps.

Our devices are primarily Windows Mobile 6 PDAs (iPAQ 210) that come pre-configured with One Tier security. We don't want to provision devices, install a certificate, etc (unless absolutely necessary). We just want to sign the files and forget about it.

Has anyone done something similar and have any recommendations? I'm especially interested in lower-cost solutions that don't involve paying lots of money to Verisign -- something like Comodo perhaps.

+1  A: 

You can self-sign the binaries, but the end user will have to install your certificate into the device store, and that is probably going to be more painful, and more expensive in support costs than to just get a real signature.

What you need is to purchase an M2M certificate from Verisign. They will send you a USB key that contains some sort of key material, and you will use it and their application to sign your binary.

What level of security gives what prompts is outlined here.

ctacke
Wow, so Verisign really is the only game in town for mobile app certificates? That is... disappointing. And if I'm understanding what I'm reading, then we'd still need *another* Authenticode certificate to sign our desktop application. It's getting pretty pricey.
CBono
Yes, it's far from an ideal scenario, though the requirement for multiple certs makes some sense, as the device certs are "single use" anyway.
ctacke
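The self-signing route from the answer above, worked through as an added example (this is not code from the original post or from any of the participants). It creates a self-signed code-signing certificate, signs a CAB and an EXE with it, exports the public certificate for installation into a device store, and then reads back the Authenticode status so you can see why a self-signed signature still reports as untrusted until that certificate is installed. The file paths, the certificate subject and the use of the built-in Windows cmdlets (rather than Verisign's tooling or signtool) are assumptions; it assumes a modern Windows host with the PKI module available.

```powershell
# Added example, not part of the original thread. Paths and subject name are assumed.
# Requires Windows with the PKI module (New-SelfSignedCertificate, Export-Certificate).

# 1. Create a self-signed code-signing certificate in the current user's personal store.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject "CN=Example Mobile Publisher (self-signed test)" `
    -CertStoreLocation "Cert:\CurrentUser\My"

# 2. Export the public half only (.cer). This is the file an end user would have to
#    import into the device's certificate store for the signature to be trusted there.
$cerPath = "C:\build\ExamplePublisher.cer"          # assumed path
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. Sign both halves of the product with the same certificate. Whether one certificate
#    is acceptable for both targets depends on the device's trust configuration, which
#    is exactly the point the thread discusses; the signing step itself is the same.
$files = @(
    "C:\build\MobileApp.cab",   # assumed path: Windows Mobile CAB installer
    "C:\build\DesktopApp.exe"   # assumed path: desktop component
)

foreach ($f in $files) {
    $result = Set-AuthenticodeSignature -FilePath $f -Certificate $cert
    Write-Host ("Signed {0}: {1}" -f $f, $result.Status)
}

# 4. Verify. On a host that does not trust the self-signed root, Status is not 'Valid';
#    StatusMessage explains that the chain terminated in an untrusted root. Once the
#    exported .cer is installed into Trusted Root (or the device's store), the same
#    check reports 'Valid'. 'NotSigned' and 'HashMismatch' are the other outcomes worth
#    flagging before deployment.
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    [PSCustomObject]@{
        File    = $f
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Message = $sig.StatusMessage
    }
}
```

Two caveats a practitioner would want: a signature without a trusted timestamp stops validating once the signing certificate expires, so a production signature should add `-TimestampServer` pointing at a timestamping service you trust; and the desktop host's trust store says nothing about the device, which has its own store, so the check that matters for the Windows Mobile prompts is the one run on the device after the CAB is installed.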