Application Signing (Devices)

Most Windows Mobile devices arrive from the mobile operator or equipment manufacturer preconfigured with security settings that restrict the execution of unsigned applications and installation of unsigned CAB files. In order for your application to run, you have to sign your application with a certificate that is installed on the device of your end-users.

How to Sign Device Applications

To sign an application, you must sign all the EXE, managed assemblies, DLL, CAB, and MUI (Multilingual User Interface) files that constitute the application. To graphically view how signing works in device projects, see Graphical Flowchart of Signing Process for Devices. The following topics explain how to sign device applications:

Signing an Application for Day to Day Development

If you develop on a device whose security settings are less restrictive than the settings of end-users, you may not encounter the same the security warnings or errors as your end-users. Therefore, it is a good idea to simulate the end-user's security environment by developing your application on a security enabled device. To do this, sign your device application with the Visual Studio development certificate and install the certificate on your development device or emulator. The process of signing with a development certificate during the development phase promotes good end-user experiences. Certificates for day-to-day development work and a tool to install them are included in Visual Studio.

To install the required certificates on the device

  1. Connect to the device by using whatever connection mechanism you have available.

  2. Copy from the development computer to the device. is located by default at drive:\Program Files\Microsoft Visual Studio 9.0\SmartDevices\SDK\SDKTools.

  3. On the device, explode to install the certificates.

Signing an Application for Release

The SDK certificates are for development or testing only. End-users do not have SDK certificates installed on their devices. Therefore, when an application is ready to be released, it must be signed with a certificate that is on the user's device. All OEMs and mobile operators currently include the Mobile2Market unprivileged certificates on the devices they ship. Most OEMs and mobile operators also include the Mobile2Market privileged certificates. Therefore, unless your application must run as a trusted application on a device that does not have the Mobile2Market privileged certificate, you should have your application signed with one of the Mobile2Market certificates. For more information about the Mobile2Market Program, see Mobile2Market: Code Signing for Windows Mobile Applications in the Windows Mobile Developer Center.

To run your application on a device that does not have the Mobile2Market privileged certificate, you must ask the OEM or mobile operator to sign your application.


If the device security configuration requires signed binary files and the application binary files are unsigned, the application will not run. For more information about security configuration, see Configuring Security on Windows Mobile Devices.

See Also

Other Resources

Security in Device Projects

Packaging Device Solutions for Deployment