Windows Mobile checks each and every executable module such as dynamic-link libraries (.dll) and executable (.exe) files as they are loaded to validate that the code is signed, the signature is valid, and the signature matches a recognized certificate installed on the device. Software installation through .cab files is also protected by this process with a separate certificate store, and a revocation process is available on the device to block execution and installation of rogue applications.

Code signing provides two guarantees: that the code has not been modified since signing and that the owner of the code can be identified. How it does this is similar to how authenticity for X.509 server certificates is established, as ...