.cab File Signing Requirements

Other versions of this page are also available for the following:

Windows Mobile SupportedWindows Embedded CE Supported


The Unsigned Themes and Unsigned CABS policy settings determine whether you must sign .cab files to install applications. You can use Microsoft Authenticode tools to sign .cab files. For information about these tools, see the Authenticode documentation under "Security" in the MSDN library.


Files signed using the Authenticode tool can later be revoked.

Of the policy settings require signed .cab files, you must confirm the following to install applications:

  • The revocation list does not include the certificate hashed. A certificate hash is a digest of the certificate date.
  • The certificate chain maps to a root certificate in the Software Publisher Certificate (SPC) store.

The .cab file is installed with the role mask associated with the root certificate. If the store does not contain a matching root certificate, the .cab file is treated as an unsigned .cab file. The Unsigned CABS policy determines whether the file can be installed and with which role mask an accepted file is installed.

See Also

Other Resources

Security Policy Settings