To revoke an application, a mobile operator can revoke the certificate used to sign the .cab file. The hash of the certificate is used to revoke signed .cab files. In the case of unsigned .cab files and unsigned applications, the revocation works on the hash of the .cab file itself. Certificates can be revoked using the Revoke.exe application contained in the Windows Mobile 6.5 SDKs.
The use of Authenticode to sign and verify .cab files on Windows Mobile devices enables mobile operators or a company network to prevent the installation of a .cab file by using a revocation method.
One such method is to revoke the certificate used to sign the .cab file. The revoke tool creates a provisioning document that may be sent to the device, adding the certificate to the revocation list. When a .cab file is installed, this list is checked to make sure that the certificate for the .cab file is still valid.
Another method to prevent the installation of a .cab file is to revoke the unique hash of the .cab file. This enables mobile operators to revoke a single, specific signed .cab file. The revoke tool creates a hash of a .cab file and creates instructions for that hash to be added to the revocation list on the device. The CAB Installer also hashes any signed .cab files downloaded to the device. If the result of this hash matches an entry in the revocation list, the installation fails. For example, if a third-party developer releases a signed application that the mobile operator does not approve, the mobile operator has the option to revoke that .cab file and ensure that it does not install on the device.
Finally, it is possible to revoke unsigned .cab files and unsigned applications by their unique hash. Because there is no signing certificate to revoke, the revoke tool works on the hash of the .cab file or of the application itself, and that hash is added to the revocation list on the device.
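The install-time lookups described above can be modeled as follows. This is an added example, not code from the Windows Mobile SDK or the CAB Installer. It assumes SHA-256 as a stand-in hash (the page does not name the algorithm), an assumed check order, and hypothetical names throughout; signature verification itself is not modeled.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set


def digest(data: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever hash the device uses.
    return hashlib.sha256(data).hexdigest()


@dataclass
class RevocationList:
    """Hypothetical model of the on-device revocation list."""
    cert_hashes: Set[str] = field(default_factory=set)  # revoked signing certificates
    file_hashes: Set[str] = field(default_factory=set)  # revoked .cab files / applications

    def revoke_certificate(self, cert: bytes) -> None:
        self.cert_hashes.add(digest(cert))

    def revoke_file(self, content: bytes) -> None:
        self.file_hashes.add(digest(content))


def check_install(cab: bytes, signer_cert: Optional[bytes], rl: RevocationList) -> str:
    """Return 'allow' or the reason the installation fails."""
    # Certificate revocation blocks every .cab signed with that certificate.
    if signer_cert is not None and digest(signer_cert) in rl.cert_hashes:
        return "deny: signing certificate revoked"
    # Hash revocation blocks one specific file, signed or unsigned.
    if digest(cab) in rl.file_hashes:
        return "deny: file hash revoked"
    return "allow"


# Constructed sample data: placeholder bytes, not real certificates or .cab files.
REVOKED_CERT = b"constructed certificate bytes: vendor A"
GOOD_CERT = b"constructed certificate bytes: vendor B"
CAB_SIGNED_A1 = b"constructed cab: vendor A app 1"
CAB_SIGNED_B1 = b"constructed cab: vendor B app 1"
CAB_SIGNED_B2 = b"constructed cab: vendor B app 2"
CAB_UNSIGNED = b"constructed cab: unsigned tool"


def demo() -> dict:
    rl = RevocationList()
    rl.revoke_certificate(REVOKED_CERT)  # method 1: revoke the signing certificate
    rl.revoke_file(CAB_SIGNED_B1)        # method 2: revoke one specific signed .cab
    rl.revoke_file(CAB_UNSIGNED)         # method 3: revoke an unsigned .cab by hash
    return {
        "A1": check_install(CAB_SIGNED_A1, REVOKED_CERT, rl),
        "B1": check_install(CAB_SIGNED_B1, GOOD_CERT, rl),
        "B2": check_install(CAB_SIGNED_B2, GOOD_CERT, rl),
        "unsigned": check_install(CAB_UNSIGNED, None, rl),
    }
```

Revoking a file hash leaves other .cab files from the same signer installable (B2 above), while revoking the certificate blocks all of that signer's packages.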