Android SDK NOT digitally signed - IDEs, Libraries, & Programming Tools

Hey guys. I downloaded the Android SDK installer file (installer_r21.1-windows.exe) and noticed that it is NOT digitally signed. Kind of surprising given this is from Google and they are pretty high on security. Downloaded the earlier r21 installer and the same deal. Can you please confirm this on your side as well? Has this always been the case? We should let Google know about this as it is almost unheard of that commercial tools like this are not digitally signed in the modern age.
I know many people don't care or don't know much about digital signatures and security, etc. But, we all should. Thanks very much for the feedback.

At least when I'm updating the Eclipse Android plugin it always asks me if I want to install unsigned content. I have used Eclipse & the Android plugin since 2010 until recently on many different Windows installations, so I'm quite sure this is how it is supposed to work. Screen capture in attachments is from today.

Related

How to sign privileged code

Hi everybody,
I'm writing an application that is catching all incoming sms. The app is working fine as long as it is signed with a certificate which has to be stored in 'Privileged Execution Trust Authorities' and has to be trusted itself for example by a mobile2market certificate.
Of course, a lot of money has to be paid first (round about $800) to get a trusted app. That has to be earned first, and so I am looking for a 'cheaper' solution that lets me give my app out.
Does anybody have hints, sources or examples that deal with that stuff?
Thanks in advance.
Bernd M. Walter
Signing is pretty useless since you can just run signcode to create a new certificate
As far as I know, the code for creating a signature in the store for 'Privileged Execution Trust Authorities' has to be signed as well. So the dog catches his own tail, doesn't it?
Of course I will try a little app which calls the method ProcessConfiguration for creating a 'privileged certificate'. I will post my results about that.
Thanks for the hint.
Bernd M. Walter
I know from experimenting that on WM 5 PPC devices you can create a CAB with provisioning XML inside that will put your certificate in the privileged store and run it without signing. You will still have to click 'ok' when it warns you that the CAB itself is not signed, but it will install.
For smartphones (the ones without touch screen) you need to 'application unlock' the device first which requires altering security setting in registry.
This means that if you get a regular certificate, and sign your provisioning cab it should be able to install your privileged certificate.
It's not a free solution but you can purchase 10 regular signatures for about 400$ from Verisign and there is no need to prove anything to M$.
To the best of my knowledge, unless you are willing to have your users click 'yes' when your cab first runs there is no way around paying for signatures.
Hello everybody,
now I found the 'quick&dirty solution' I was looking for.
Inside the WM5 SDK provided by Microsoft there is a CAB file named SDKCerts.cab. This CAB installs the TEST-ONLY certificates without any other requirements. If the application with privileged code is also signed with that certificate, the application is able to run.
@levenum:
I know that I can get e.g. 10 signatures from Verisign for the amount of $400. But these certs are only for executing unprivileged code. To get certs for privileged code, the code itself has to be tested and approved by Microsoft certified test centers. And this 'service' is not free, either.
In my opinion that is nothing else than a big money printing machine created by M$ - But I have what I want, and so this thread can be closed, and here is the wrong place for political discussions.
Many thanks to all who gave this some or much thought.
Bernd M. Walter

HELP: Do WM5 and WM6 apps *have* to be signed?

Hi,
I asked this question over on another mobile phone forum and a user directed me here, so here goes:
Is it necessary for apps developed for Windows Mobile 5 and 6 (PPC) to be "signed" in any way in order to be installed and run? Similar to the way newer Symbian OS apps must be signed? Or can they just be developed and flat-out installed without any hassle or complication, the same way apps for regular desktop Windows PC's can be?
As a programmer/developer and also a Symbian user, I absolutely HATE the need for signing or certifying anything for it to be able to run. If it's not necessary on a laptop or desktop, it shouldn't be necessary on a phone. I am considering switching over from Symbian to WM6, but ONLY if the platform is completely free of the need for anything resembling certificates and signing.
At the very least, is there the option for the end WM6/5 user to easily change a setting within the OS so as to allow the full installation of non-signed apps? I'd settle for that. With Symbian, both developers and users are completely imprisoned by certificates and cannot do anything without the permission of the OS fascists.
Thanks for any help on this..
On WM5 default, when you try and uninstall something unsigned, you just have to tap the "yes" button to run the application; after that it remembers it for that app.
So basically for my setup (WM5/WM6) I can run anything, signed or unsigned. And there is a fix somewhere to disable the notification warning.
Hope that helps
and
come to the light side
Pocket PC's for the win
Thanks for your reply.. it's certainly encouraging to hear that WM5/6 is not restricted by the absolute necessity for signed certificates like Symbian is. As a programmer I completely refuse to bother developing software for a platform that handcuffs both developer and end user so mercilessly. If I can write programs in Visual Basic that will compile to an EXE and run hassle-free on any Windows PC, I don't see why I should have any less freedom when writing programs for a mobile device.
SymbianSigned and its locked OS is a deal-breaker for me. In looking through this forum though, it seems that there are in fact some components of WM that absolutely must be signed to be installed? Like skins for example? Are there any other components that fall into that category?
Still hoping to get a definitive answer on what components of WM require mandatory signing and which ones are totally non-restrictive optional. So far my understanding is that under no circumstances do any applications ever have to be signed in order to be installed and run, no matter what kind of advanced access and functions they involve. Correct? Whereas fully integrated keyboard skins do need to be signed, for some reason. Correct?
Any other categories not covered above that do or don't require signing?
Thanks!
As far as I know the worst case scenario for signing is that you must also install your own cert. All that happens when you do this is again a warning.
As for the merits of the whole signing thing: although I agree Symbian goes too far, I think some kind of signing procedure that is more robust should be required for Windows Mobile.
My preferred solution would be to have restricted functions that on install warn the user of exactly what capabilities the SW has, and allows the user to allow or restrict certain capabilities.
Simply an "I trust this or that" is useless, as everyone ends up trusting everything as you have little choice. But given that it is easy to write SW using the RIL functions that, completely unknown to the user, can call expensive pay lines, download ridiculous amounts of data over GPRS, or even send me personal information from your device, some security should definitely be required.
The truth is because of the ability to make expensive phone calls directly to people who will have direct financial benefit, I would argue security for a phone is at least if not more important than on the PC.
my 2 cents
WM5/WM6 editions for touch-screen devices generally come with "relaxed" security which means that third party apps don't have to be signed to execute once somebody answers yes to a first-time warning dialog box. ROM cookers here generally relax this requirement even more by setting a registry value HKLM\Security\Policies\Policies\0000101A to a 1. This disables the first-time warning message also.
However, services and device drivers generally need to be signed because they are executed before these relaxed settings take effect. Application developers generally can work around this too by starting the service/device driver themselves with a little program placed in \windows\startup.
WM6/WM5 editions for devices without touch-screens generally have a higher security setting that disallows execution of any application unless it is signed.
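
The relaxed-policy value described in the post above can be audited from a device registry dump. The following Python is an added example, not part of the original thread; it assumes the dump is a REGEDIT4-style text export, and the two sample exports are constructed.

```python
import re

# Policy from the thread: 0000101A = 1 suppresses the first-run warning for unsigned apps.
POLICY_KEY = r"hkey_local_machine\security\policies\policies"
POLICY_NAME = "0000101a"

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def normalize_key(key):
    """Lower-case the key path and expand the HKLM abbreviation."""
    key = key.strip().lower()
    if key.startswith("hklm\\"):
        key = "hkey_local_machine\\" + key[len("hklm\\"):]
    return key

def parse_dwords(export_text):
    """Map (key, value name) -> int for every dword in a REGEDIT4-style text export."""
    values, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments
        m = KEY_RE.match(line)
        if m:
            current = normalize_key(m.group(1))
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            values[(current, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit_unsigned_prompt(export_text):
    """Return 'warning-disabled', 'warning-active' or 'not-set' for the export."""
    value = parse_dwords(export_text).get((POLICY_KEY, POLICY_NAME))
    if value is None:
        return "not-set"
    # Only value 1 is documented in the thread; anything else is treated as
    # leaving the warning in place (assumption of this example).
    return "warning-disabled" if value == 1 else "warning-active"

# Constructed sample exports (not taken from a real device).
STOCK_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Security\\Policies\\Policies]
"0000101a"=dword:00000000
"""
COOKED_EXPORT = """REGEDIT4

; constructed example of a ROM with the warning switched off
[HKLM\\Security\\Policies\\Policies]
"0000101A"=dword:1
"""
```

Calling `audit_unsigned_prompt()` on each export of a device fleet gives a quick list of units where unsigned code runs with no first-run prompt at all.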

iPhone Installer-ish repository

One of the most important things that makes iPhone appealing for the end-user is the famous Installer. Although jailbreaking your device is not something Apple wants you to do, everyone does it, and it was one of the main reasons that iPhone became so popular.
An end-user who wants goodies for his phone does not know how to search online for applications, choose the best, download, copy, and install... Installer saves you this hassle by providing a one-stop location to download (virtually) any application you might want, using the iPhone itself, making it extremely easy for the user.
Is there a similar application for WM? If not, can't we start it at XDA-Developers and build a general public repository for freeware applications to promote the applications of developers here in the forums and contribute to the WM software community? The application would have to be widely advertised and not just included in custom ROMs by default, so that people who don't know how to install custom ROMs can get a copy of this application easily.
This is a proposal to the developers to start a new application, not a request for an already available one. I don't have the required development skills for it.
[Was this discussed before? Can't find a trace]
I agree!
Since the new 2.0 FW came out I have been using my iPhone again. I actually still prefer my Touch even with the new exchange support. The installer (app store and Cydia for now) on the iPhone is amazing. While I know how to install apps, think about the new WM user. If they had an installer program that could be downloaded and installed from a site (here?) and then have access to installing programs like S2U2, S2P, PCM Contacts, Keyboards, or even pay products like SPB MS, UL, etc. Potentially the program could also monitor for updates, so when A_C (the great!) comes out with a new update, the user would not need to be checking this forum and happen to see the thread with the update, it would be notified by the application on the device (when they launch the installer app). Skins could be available, the possibilities are endless - the iPhone has proven that.
As far as the application itself, I am no programmer, but it seems like it would be fairly easy to create a program that would look for a list of cab files on a website directory, download the list and allow the download and installation of the cab file. Yes, No?
I agree, this would be very useful. Currently I use Ubuntu Linux, and downloading and installing programs is this easy, because of repositories. I just search for a program using a package manager, and I'm given a list of programs that is relevant to my search. Then I simply have to click and install. I've seen this on the iPod touch, and it is very useful and quick
I just found that someone proposed a similar idea at http://forum.xda-developers.com/showthread.php?t=396486.
However, the approach is not logical as someone has proposed using a thread filtering algorithm instead of creating an actual repository.
Anyway, isn't any developer interested?!
I have been looking for something similar for ages. However, the best bet I think (in terms of ease of development) would be to set up a ppc-friendly website with freeware cabs available. Of course, not an ideal solution but should do the trick. How about something like an AppStore for ppc devices?
A web site won't serve the purpose. There are several web sites out there already. A Windows Mobile application will make it completely different. It can serve as a UI for a cab manager (much like *nix apt-get or other package managers: Installer, Cydia, App Store). The point is reaching the end-user through the phone, not a web site, not the PC.
z_rudy said:
A web site won't serve the purpose. There are several web sites out there already. A Windows Mobile application will make it completely different. It can serve as a UI for a cab manager (much like *nix apt-get or other package managers: Installer, Cydia, App Store). The point is reaching the end-user through the phone, not a web site, not the PC.
Well, even if someone managed to make such an app, in idea it would still be needing a working internet connection to download the cabs. So in a way it is as internet dependent as a website. However, I agree that such a software would be cool but difficult to develop.
Isn't one of the features of the installer app that users can add repositories from all over the place, but still have a unified interface at the end of the day? A website could not achieve that.
Surur
In the meantime why not set up an rss feed from eg: http://www.freewarepocketpc.net/ and you are at least halfway there.
Skymarket - Windows Mobile app store coming “this fall”
http://wmpoweruser.com/?p=819
The answer
-removed- will announce full launch soon.
hmmm... isn't a wiki the easiest answer?
everyone can modify it and it has enough structure to make it as deep as folks want and search is built in.
and it can be quite fast on mobile if no graphics.
if I see itunes not wanting to start up every other week because there is another update, I'm going to simply uninstall it.
There is already an app like this in our phones .. the MS version that does not do ****. If anything, all it would take is to have it register the programs installed on the PPC, and have the MS version search for updates in the middle of the night while we sleep. The only thing though: the developers have to put a link for the updates in the about section. This would help MS update check those websites for updates, instead of having someone put in all the labor hours collecting cabs. The developers can do it themselves every time they make an update, just like posting it on a thread.
Unfortunately, MS does not have much on their website other than promotional advertising for their own product.
It will be hard work but very possible. Considering all the custom ROMs out there, not many cabs can be installed with just a tap of the stylus. There will be dependency issues, memory issues, etc. But anyway, check out Device Update of CrC's ROMs for Hermes. It's a small repo for his ROM. Cool, ain't it?
gotvitamink said:
I agree, this would be very useful. Currently I use Ubuntu Linux, and downloading and installing programs is this easy, because of repositories. I just search for a program using a package manager, and I'm given a list of programs that is relevant to my search. Then I simply have to click and install. I've seen this on the iPod touch, and it is very useful and quick
Exactly this.
Makes many things much easier.

[Q] Annotate PDFs, Journal like prog for Android HELP

I have noticed a fair number of posts on the web for annotation programs for Android, which is severely hampered by the lack of such programs. I have downloaded and installed the Wireless ToolKit 2.5 and am attempting to rebuild a Java program called Jarnal as a .jad to eventually convert to a .apk install, but having NOOB problems as I am not a Java programmer. It would seem it should be very very easy to build a midlet from this program as the .class and .java source files are all available for download with the .jar and install progs, but I am having no luck. If someone out there knows a little about the WTK and can help me on how to place the files in the project directories I think I could get something going from there. So far, attempts have left me with .class strings not found or errors in java.lang calls. I really would like to get this going not just for me, but for all the folks that have been crying out for some kind of annotator. There are all kinds for iPhone, Nokia, Windows desktop... but none for Android, which is kind of stupid considering the large usage and Android just an offshoot of Linux and Java is so widely accepted. I attempted to get the developer of Xournal to jump on porting to Android, but no success. So far, I have tried Jarnal and am attempting something with Notelab as of this posting, but doubt with lack of Java experience I will get anywhere. If anyone could help it would be greatly appreciated by many I am sure.
I totally agree-I've been looking for Android apps to replace my pen-and-paper notepad. However, no apps even remotely close to Xournal or NoteLab are available.
Having those for Android would expedite purchase of a tablet (I was waiting for the NotionInk Adam, but am not very confident anymore; now the Archos 101 is higher on my list)
Any one available to create this winning app??
Ron

Offline SDK Installer

Hi
As everyone knows much better than I, the `android` executable is the all-in-one utility to download and install SDK packages; nothing wrong with that, unless you have an unreliable, slow connection (like yours truly), in which case you might have wished you could actually download the packages yourself (perhaps via some download manager/accelerator of your choice), and then feed them into the SDK manager for further installation.
I have built a dumb but working tool that separates these processes -- it fetches the list of all available SDK components from Google's servers, lists them for the user, and lets the users install the packages they have downloaded through it, mediating between the user and the actual SDK manager. It is located at github.com/icefapper/offdroid.
It's served me well, but I cede it might sound laughable to those who have quality Internet at their disposal. Still, I would be glad if anyone on this forum could take a look at it, share their opinions, and possibly help improve it even further. Thanks
