Hello,
I have problems with different applications under Windows Mobile 5.0. When i try to run them i get the following error.
Code:
The file 'foo' cannot be opened. Either it is not signed with a trusted certificate, or one of its components cannot be found. You might need to reinstall or restore this file.
Is there anyway of disabling the checks for trusted applications in Windows Mobile 5.0 on the Wizard?
Does this help? (From Windows Mobile Blog)
Code:
This post will be a quick reference to the application security model in WM 2005. I'll gloss over some fine details in order to cover the broad points.
For CreateProcess() or running any executable
First, examine the signature on the binary. The three possibilities are that it is signed privileged, signed unprivileged, or unsigned. (determined by checking the Authenticode signature)
If signed by cert that chains to Privileged Execution Authorities store:
App runs privileged(CeGetCurrentTrust() == 2)
Else if signed by cert that chains to Unprivileged Execution Authorities store:
If device is one-tier (policy 4123 == 1)
App runs privileged.
else (two-tier)
App runs unprivileged. (CeGetCurrentTrust() == 1)
Else if app is unsigned
If unsigned apps are blocked (policy 4102 == 0)
App fails to load. (returns NTE_BAD_SIGNATURE).
Else if the device prompts, and the prompt times out or the user presses No
App fails to load.
Else if we are configured not to prompt (policy 4122 == 1) or the user accepts the prompt
If device is one-tier
App runs trusted.
else (two-tier)
App runs untrusted.
Greetings,
Brezel
This is from the wiki. It works on the Universal, should work on WM5 generally I guess:
Code:
Allow the unsigned app from installing for everything.
HKEY_LOCAL_MACHINE\Secutiry\Policies\Policies] Change value 0000101a from 0 to 1
Do a soft reset.
I think that's just for installing, not running. Tell me if it works.
V
On my Wizard that key already has a value 1, perhaps I should change it to 0 to get this effect? have no app to install right now, but will try if I install next time.
because..
..wizard has much older version of ROM than Universal. The old ROMs of Universal has the value 1 too..
I changed the following registry values
Code:
HKLM\Security\Policies\Policies\00001001 = 1 (RAPI)
HKLM\Security\Policies\Policies\00001005 = 40 (Cert)
HKLM\Security\Policies\Policies\00001017 = 144
HKLM\Security\Policies\Policies\0000101B = 1
HKLM\Security\Policies\Policies\0000101B = 0
HKLM\Security\Policies\Policies\00001006 = 1
Those values change nothing at all. The only difference is that i am not asked to allow installation of non certified applications. My problem, however, is not the installation, which works, but the application. Whenever i try to run it i get the error mentioned above. It is just not possible to run certain applications without certificate.
Greetings,
Brezel
I got the exact error and have asked for help on this forum and on HowardForum without any luck
You could re-sign the application using your own code signing certificate and add your certification authority certificate to trusted root certificate authorities on your WM5 device. :wink:
V-Ger said:
You could re-sign the application using your own code signing certificate and add your certification authority certificate to trusted root certificate authorities on your WM5 device. :wink:
Click to expand...
Click to collapse
I tried this, but without success. I already have my own root cert installed on the device (for SSL Activsync) and that works fine, but the app still won't work as a "signed app" :-(
Have you got this working?
Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device
V-Ger said:
Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device
Click to expand...
Click to collapse
I did create a code-signing cert in Certsrv, but I must have cocked something up. I will try again this afternoon and let you know.
Thanks for the help
V-Ger said:
Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device
Click to expand...
Click to collapse
Ok, this is what I did (and it still didn't work):
1) Installed my own trusted-root CA onto my Mini S by opening the .cer file. This bit definately works as I'm able to sync my email with Exchange over SSL and this doesn't work unless the correct root cert is installed
2) Added a code-signing template in certservices with default settings. (Custom templates are not allowed in my Windows Std edition :-( )
3) Using IE, create a code-signing cert with default settings. Also export the private keys into a PVK file.
4) Using cert2spc, convert the cer file to an spc file
5) run signcode -spc cert.spc -v privkeys.pvk filetosign.exe ("Result successful with warning about file not being timestamped)
6) Copy .exe to device and run - still whinges about unknown publisher
Bah. Any suggestions as to what I'm doing wrong?
Daern
I have the same very irritating problem.
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
How do I do that ?
daern said:
V-Ger said:
Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device
Click to expand...
Click to collapse
I did create a code-signing cert in Certsrv, but I must have cocked something up. I will try again this afternoon and let you know.
Thanks for the help
Click to expand...
Click to collapse
Ah. More success now. I've switched to using "signtool.exe signwizard" and that has enabled me to get it working...
daern said:
Ah. More success now. I've switched to using "signtool.exe signwizard" and that has enabled me to get it working...
Click to expand...
Click to collapse
Bugger. Too quick off the mark. It's still not working. Arrrrrgh!
easycure1974 said:
I have the same very irritating problem.
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
How do I do that ?
Click to expand...
Click to collapse
[WIN2k3 Server]
START/All Programs/Administrative Tools/Certification Authority
SERVER/Certificate Templates/New/Certificate Template to Issue
http://servername/certsrv
-Request a Certificate
-advanced certificate request
-Create and submit a request to this CA
-Certificate Template: Code Signing
[leave default settings]
-SUBMIT
Thank you - shall try and if that could help me solve this annoying problem !
V-Ger said:
Yes I tried it and it works!
1.First you have to issue a Code signing certificate:
- Add a code signing template using Certification Authority snap-in
- Issue a code signing certificate
2. Download and Extract code signing tools:
http://ftp.intron.ac/pub/security/raw/codesigningx86.exe
3. Run signcode.exe on WM5 executable file using the certificate you created earlier.
4 Copy executable file to WM5 device
Click to expand...
Click to collapse
Are you *absolutely* sure that this works? I am now sure that I am doing this right, but I don't believe that apps signed against a certificate that only exists in the public root store (i.e. the one used for SSL connections) will be accepted as "valid". I've tried every way I can think of getting this to work, but with no success :-(
When I posted to say that it was working, what I actually saw was PPC recognising a file with a different file name, but the same CRC as a file that I had already said "Yes, I know it's unsigned. Run it anyway". Even though the new file was a different name, WM2005 ran it anyway without comment, as it assumed (correctly) that it was the same file with a different name... As I haven't yet found a way to make WM2005 forget the exes that I have accepted (I assume it's in the reg somewhere) I have now resorted to recompiling the same exe each time, but with different resource data, thus ensuring it's always different!
What device are you using to test this? I wonder if your derivative of the HTC Wizard has different certs installed than mine (UK O2 XDA Mini S)
Would it be possible for you to send me a sample .exe and your own root cert for me to test on my device. At least then I'll know if it's my device or my technique that is causing me problems ;-)
Thanks
Daern
Yes, I am positive it works. I am using Universal (Qtek 9000), but that shouldn't make any difference.
Besides the error message after each soft reset.
I can still install many software and use it smoothly.
Haven't seen any other problem yet.
What is the certificate about?
At the risk of appearing as a heretic..is there any way that this problem (which I get when clicking on any hyperlink) is related to the SdkCerts.CAB installed as part of ozVGA?
Dumb idea I know however I have no idea of what that CAB did. Can I somehow remove its effects just to prove it isn't the cause? ..hope this isn't off topic.
J
Related
Is there a way via registry editing or otherwise to set up a device to ignore the requirement to have certified dll's and executables.
This would be temporary just for trying out programs extracted from other roms without having to worry about certifying everything just to see if it works.
Thanks
the policies that control this can be viewed here:
http://msdn.microsoft.com/library/d.../wce51conwindowsmobiledevicesecuritymodel.asp
the "unsigned applications policy" should already be 1.
change the "Unsigned Prompt Policy" to 1 also. I.e. change the following registry entry to 1.
HKLM\Security\Policies\Policies\101a
Note that the web page says that this policy is 4122, but 4122 is 101a in hex.
You may also want to set "unsigned cabs" to 16
(HKLM\Security\Policies\Policies\1005 to 16)
Also, this will not work for drivers that are loaded during booting. I'm pretty sure they must be signed. It's not that difficult to create a certificate, install it on your device, then sign the driver dll so it will work.
you can also change this using the "SecurityPolicy Configuration Service" see
http://msdn.microsoft.com/library/d...lesdk5/html/wce51samsettingsecuritypolicy.asp
Thanks a bunch! good info.
Howdy all. Do you flash your phone a lot? Don’t you hate it having to put in your WIFI and Exchange settings all the time? Well now you don’t have to with the Settings Creator. I started off creating a XML for just myself but then I decided to give back to the community that has helped me so much with my flashing and cooking needs.
To run the program all that is required is the .NET framework 2.0 (See below for link). After you input the information that is required a nice CAB file will be created, just pop that on your phone and viola settings are all done. In the words of my Cousin Vinny "Make once, use a bunch".
Known Issues:
1. WEP 128bit does not work (I think this is a limitation of the Hermes because even manually I cannot get it to work)
2. E-mail is for Exchange Direct Push Only
Help requested:
1. I don’t have access to a AP/Router that does WPA2 therefore I have no idea if this works with that level on authentication works (Also try manually to see if it is a limitation of the device)
2. I don’t have access to a AP/Router that does WPA with AES Encryption therefore I have no idea if this works with that level on authentication works (Also try manually to see if it is a limitation of the device)
Please provide any feedback you may have. Thanks guys.
-UllSang
Program requires .NET 2.0 Framework. (Download at http://www.microsoft.com/downloads/...CB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en
Also required is Visual J#)
Attachment 1: The binary release
Attachment 2: Source code.
Licensed under: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Change log:
---0.1
-----First Release
Running this on the desktop complained at first - you need to install the Visual J# Redistributable to make it work, as it doesn't seem to be part of the .NET framework by default.
Hope that helps.
Ah thanks for the heads up, I had no idea that it wasn't a part of the .NET framework by default. Did you instal the J# package and try the program? Thanks.
UllSang said:
Known Issues:
1. WEP 128bit does not work (I think this is a limitation of the Hermes because even manually I cannot get it to work)
Click to expand...
Click to collapse
A humble suggestion - this may be worth looking at again as I use wep 128bit and do not find any problem when entered as hex key.
Mike
Hmm.. intresting... I can not get it to work. I am inputting it as an ASCII though and it only works for 64 bit. After i saw your post i tried it entering as hex and it still does not work, it could be my cheap piece of crap router. Any chance you tried it out with the program? Thanks
The N7 just got delivered. I immediately and successfully unlocked and rooted, thanks to Wugs (thanks Wugs!). Now I need to figure out how to connect to my VPN provider who uses OpenVPN and .ovpn config files. There are a few apps in the store, and I'm not sure which ones to install, or how to configure.
Thanks,
RF
I think Android supports VPN's (or at least it does in ICS) without the need of any 3rd-party apps, but then again I don't think I ever messed with OpenVPN.
If it means anything, I was able to connect to my own VPN I made with Windows 7 from ICS.
Install both OpenVPN apps from F. Schäuffelhut.
One is the binary, the other checks your setup and manages your tunnels.
You will also need busybox.
just tested all this today.
espionage724 said:
I think Android supports VPN's (or at least it does in ICS) without the need of any 3rd-party apps, but then again I don't think I ever messed with OpenVPN.
If it means anything, I was able to connect to my own VPN I made with Windows 7 from ICS.
Click to expand...
Click to collapse
If a standard port etc, yes, this should just work.
martyg7 said:
Install both OpenVPN apps from F. Schäuffelhut.
One is the binary, the other checks your setup and manages your tunnels.
You will also need busybox.
just tested all this today.
Click to expand...
Click to collapse
If not on a standard port (like I have set up, so I can OpenVPN out of my work wifi), or an oddball configuration, it works out of the box, rooted of course. I was afraid of the TUN module/config but it was compiled in. Thanks Google
There is also another openvpn by schwabe that doesn't require you to install any binaries. You just need to copy the authentication cert files, edit the .ovpn file to include the correct cert files and the server and import the profile. If you're having trouble, i can write a small tutorial on how to do so. There are also other tutorials on how you can do it if you Google openvpn on Android tutorials/guides.
Sent from my Nexus 7
I used the OpenVPN apps from F. Schauffelhut. I copied the config files from my Windows PC setup, and edited the ovpn file. However I don't know how to store the login credentials as encrypted. The OpenVPN Settings from F.S. doesn't query the user for id/pw. It just fails. So I added "auth-user-pass pwd_file" entry into the ovpn file, but it's in plaintext.
I don't want to have to type the login each time, but I do want it encrypted. Can anyone provide some info here? I'm a noob with OpenVPN. TIA.
Edit: It is working right now, just that the login info is unencrypted.
BTW, here is my ovpn file:
Code:
client
dev tun
proto tcp
remote xxxxxxxxxxx ###
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
keysize 512
comp-lzo
verb 4
mute 5
tun-mtu 1500
mssfix 1450
auth-user-pass pwd_file
reneg-sec 0
route-method exe
route-delay 1 10
route-metric 512
route 0.0.0.0 0.0.0.0
I believe you can encrypt the .cert files that are used by adding them to the credentials manager in settings-security. I haven't tried it so i can't confirm. Alternatively you could try an app that encrypts that folder so that it needs to be decrypted before use.
Sent from my Nexus 7
Thanks for the replies.
I went a different route, and it worked flawlessly: I made a folder in the N7 main directory (same place as Alarms, Music, etc..) called OpenVPN. Inside that, I placed a folder from my PC OpenVPN/config folder, that contained my ,ovpn file and the .crt files, etc. I then installed OpenVPN For Android from Arne Schwabe. Launching that app, and going into the 'Precious VPNs' option, allowed me to 'Import'. I navigated to the OpenVPN folder, and then the folder containing the VPN files. Highlighting the *.ovpn file and then hitting 'Select' has the app 'do it's thing'. When done, you hit finish/complete/done (forget what it was), and the VPN connection shows up in the list. Activating it and browsing to an IP check website, showed my VPN provider's exit IP. It was all easier than it looks by typing it.
RF
PS. I also installed Orbot, and since I'm rooted, the 'Transparently Proxy All Applications' option. After also checking the option to use the N7's default IP Tables (this is not the default, the app tries to use it's built in binaries and it will fail on the N7) everything connected through Tor as well...so I have two options for browsing - VPN or Tor.
I love this device (rooted) !
Glad it worked out however remember that the app is also storing info in a file that can only be read by the app but it is still in plain text. The author of the app describes it in detail in the faq section. However it is much better than having to keep the files available in plain text at all times.
Sent from my Nexus 7
I went ahead and compiled the new Windows Terminal preview for my own use, and figured I may as well share it with the forums! The only changes I made were to the project's metadata as the default values did not fill themselves in with the project's data (Package Name, Version Number, etc.)
I intend to keep the package more or less up to date with Microsoft's repository (https://github.com/microsoft/terminal) until Microsoft decides to release the binary packages on the Windows Store for use, at which point, I will likely remove the package from my server as it will be obsolete with a first-party release of the project.
You can download the certificate and project here: https://tonoxisisle.services/windows-10/Cascadia/
To grab the APPX certificate, choose "Additional Links" and then choose Publisher Cert. As with all third-party, non-Windows Store APPX packages, you will need to import the publisher certificate into the certificate store. After importing the certificate, you can install the application via choosing the "Get the App" button. (It appears to be regenerating the certificate each time I rebuild the app package, so I am unsure how that will work :/ )
Please enjoy! I love this developer community and am normally an Android person, but since I was also curious about the new Windows Terminal, and wanted to give back to the community that has given so much that I figured I may as well publish the build I have. I attest that I have made no changes to the source, and only to the AppX manifest, and am willing to upload the sources on my hard disk if requested for others to verify.
(To see the new UI, including the new tab and settings button, press CTRL+T. To have the terminal always show tabs, choose Settings and then change
Code:
"alwaysShowTabs": false
to
Code:
"alwaysShowTabs":true
and restart the terminal. Tabs will be shown when the terminal starts. I personally enjoy enabling tabs in the titlebar of the terminal!)
EDIT: The AppX package SHOULD support x86 machines as well, as I had built the package with x86 and x64 binaries. It does not include the ARM64 binaries, though if requested, I suppose it wouldn't be too difficult to update the app package with the ARM64 binaries.
"Either you need a new certificate installed for this app package, or you need a new app package with trusted certificates. Your system administrator or the app developer can help. A certificate chain processed, but terminated in a root certificate which isn't trusted (0x800B0109)"
Installation fails on both online installer and offline msixbundle installer. Installed the certificate beforehand to both local and user groups.
surajmanalcell said:
"Either you need a new certificate installed for this app package, or you need a new app package with trusted certificates. Your system administrator or the app developer can help. A certificate chain processed, but terminated in a root certificate which isn't trusted (0x800B0109)"
Installation fails on both online installer and offline msixbundle installer. Installed the certificate beforehand to both local and user groups.
Click to expand...
Click to collapse
On the second screen (where it asks to select the certificate store), click on Place all certificates in the following store, click on Browse, and then select the third option from the bottom called Trusted Packaged App Installation Authorities, then click OK, click Next, and then click Finish.
Now you should be able to install the app package as normal.
Sorry, I guess I should've been more clear about that. Thanks @Futur3Sn0w
This has officially been released on the Windows Store, so I have discontinued attempting to compile it. About time too, it was getting hard to keep it updated and still compiling properly with the manifest changes I made to make the name and description appear properly... For some reason, even in a new clone I was still having problems building for ARM64 and x86.
Hi,
Situation \ Case
I was facing a problem with some apps because some of them
Without certificate or expired
The minimum target system is higher than my system
Related Errors
Failure text: A Prerequisite for an install could not be satisfied
The app package must be digitally signed for signature validation
Solution
Export Signed Certificate with private key
Open Manage Computer Certificates by searching for it in Start Menu
Find any certificate with long expiry date in the available folders, you may start with
Personal
Only the certificate with key icon will work so be sure there is a key icon at the top-left corner
Right Click-> Tasks -> Export
Click Next -> Choose "Yes, export the private key"
Click Next -> Keep the options as it is
Click Next -> Activate Password Option -> Enter any password you need
Click Next -> Select Any Location to save the certificate
Click Next -> Review -> Finish
Why you need this certificate?
When you edit any appx file using the MSIX Tool you will lose the original certificate
also this certificate will be helpful to install any appx with expired certificate.
(If you didn't find any certificate let me know)
On your PC
Download and install MSIX Packaging Tool
https://www.microsoft.com/en-us/p/msix-packaging-tool/9n5lw3jbcxkfPrepare your appx:
Some times your app could be packed as appxbundle
In this case just open the file using 7-Zip or any archive software
Extract the appx that Named at the end "ARM" (based on your system)
Exam. extract APP.UWP_2.1.0.0_ARM.appx
If you sure that you have the right file which is for "ARM" and ".appx" Move To the next step
Edit the package using MSIX Packaging Tool:
Select "Package Editor"
Select Your appx file
Assign new certificate
In "Signing preference" Select Sign with a certificate (.pfx)
Select the certificate and enter the password
Edit Manifest file
Scroll Down and click on "Open file" In "Manifest file"
A Text Editor will appear with the Manifest file content
You will edit "MinVersion" value Inside "TargetDeviceFamily"
Set MinVersion="10.0.1.0" (Lower than you device target absolutely)
Save the changes and close the file
The changes will be assigned automatically to package
Click Save -> Choose to keep the same version or to Increase it
Now before you save change the extension from "msix" to "appx"
Done.
Installing
To Install the appx you need to install the same certificate (assigned by MSIX tool) before.
On mobile: Just open the certificate, click install.
On PC:
Open the certificate
Click "Install Certificate"
Select "Local Machine" then click "Next"
Select "Place all the certificates in the following store"
Click "Browse"
Select "Trusted People" then click "OK"
Click "Next" then click "Finish"
Hope this will help.
@astifan Thank you for this. Do you think i will be able to install PC UWP apps on Mobile using this ? For example i want to install Slack on my Lumia 950 with Latest Jan 2020 Update,
warriorvibhu said:
@astifan Thank you for this. Do you think i will be able to install PC UWP apps on Mobile using this ? For example i want to install Slack on my Lumia 950 with Latest Jan 2020 Update,
Click to expand...
Click to collapse
Most welcome , sadly no you can't, the app should for ARM devices only and desktop apps only for x86-x64
You can force it to install by change the architect in "Manifest file" from x86-x64 to arm but it will not work for sure
astifan said:
Most welcome , sadly no you can't, the app should for ARM devices only and desktop apps only for x86-x64
You can force it to install by change the architect in "Manifest file" from x86-x64 to arm but it will not work for sure
Click to expand...
Click to collapse
Yeah true, I was hoping that they already have them arm ready with all Windows X news and now it seems that not coming anymore. Such amazing OS (Windows Phone) just wasted.
warriorvibhu said:
Yeah true, I was hoping that they already have them arm ready with all Windows X news and now it seems that not coming anymore. Such amazing OS (Windows Phone) just wasted.
Click to expand...
Click to collapse
Right, Microsoft wasted many important projects for no reason
If you are looking for real PC experience and you are not using you phone as main phone
try to flash one of the recent builds from WOA project
Release Version 2105.22 · WOA-Project/Lumia-Drivers
Lumia Drivers BSP - Version 2105.1 Released: 05/08/2021 11:00 PM UTC+2 Quality: Preview Important installation notes Please make sure your battery is fully charged before installing this driver pa...
github.com
Now it's really good and provide better performance
+Disabling Windows Defender will solve a lot of performance issues.
or check this channel for Fadil Fadz which contains many good solutions to use WOA even boot from SD card if you want to keep your W10M
Than you for sharing i recently bought Lumia 950 for experimentation and projects .. Only challenge is i heard WOA is performing extremely poorly on Lumia 950, Nevertheless worth a try. I will take up that project today and keep you posted.
@astifan So I went through the cycle of flashing Windows 10 and getting all the updates. I even got 21H1 feature update. Sadly its very slow and unusable.
I also tried multiple methods to try to retain Windows Phone and still keep development / developer menu but was unsuccessful.
Do you know how I can flash just the developer / development Menu that lets me booth into USB Mass storage Mode without Flashing the whole WOA. Sorry if its common knowledge or dumb question.
A link to WOA SD Card Installer will also help.
I cannot find any certificate, could you share some?
Rechard Jack 1229 said:
I cannot find any certificate, could you share some?
Click to expand...
Click to collapse
Use the attached certificate,
Password: w10mgroup
astifan said:
Use the attached certificate,
Password: w10mgroup
Click to expand...
Click to collapse
Thank you. I will try it.