Digitally Signing a XAP Silverlight | John Papa

John Papa

Evangelist on the loose

Digitally Signing a XAP Silverlight


I’ve been referring a lot of people lately to the steps to sign a XAP. So I decided to post an excerpt I wrote about signing Silverlight XAP files in the Silverlight 4 Whitepaper on Channel 9 here to help spread the word. The signing process is important if you are creating an elevated trust out of browser application because it helps:

  • Reassure your users that the application is authentic
  • Allow updates to elevated trust applications

Elevated trust out-of-browser applications enable developers to take advantage of platform features that are inaccessible to sandboxed Silverlight applications. You can digitally sign your XAP files to reassure end users of the authenticity of an application’s publisher and that the code’s integrity is intact. This feature only applies to trusted apps; sandboxed XAPs may be signed but doing so will have no effect on it.

When a user attempts to install an elevated trust out of browser application, the user will be presented with a dialog as shown below.


Unverified Publisher Install Dialog on Windows and Mac

A signed XAP would prompt the user with a dialog similar to the following:


Verified Publisher Install Dialog on Windows and Mac

XAP signing also affects an elevated trust application’s ability to update itself. For an update to be allowed, the installed XAP and the update candidate (the new XAP) must be signed with matching certificates that have not expired.

A XAP can be signed post-build using the SignTool.exe command line tool which is in the Windows SDK, as part of Visual Studio 2010 and a handful of other packages. XAPs must be signed using code signing certificates.

You can obtain a digitally signed certificate from various publishers. Prices range and most tend to be valid for 1 year before expiring.

To sign a XAP using a test certificate for development purposes, open a Visual Studio Command Prompt and type the following to create a root certificate:

   1: makecert 

   2:  -n "CN=My Root Certificate Authority" 

   3:  -r 

   4:  -a sha1 

   5:  -sv c:\Demo\TestOOBRootCA.pvk c:\Demo\TestOOBRootCA.cer 

   6:  -sr LocalMachine 

   7:  -sky signature


When prompted for a password enter a password and write it down so you do not forget it. You’ll be prompted to enter the password a few times. Enter the same password each time. Now type the following into the command window and press Enter to create a child certificate that can be used for code signing. It will be signed by the root certificate created earlier.

We strongly recommend using a password that uses some combination of letters, numbers and special characters.

   1: makecert 

   2:  -sv c:\Demo\TestOOBCodeSigningCA.pvk 

   3:  -iv c:\Demo\TestOOBRootCA.pvk 

   4:  -n "CN=Test OOB Crew Code Signing CA" 

   5:  -ic c:\Demo\TestOOBRootCA.cer c:\Demo\TestOOBCodeSigningCA.cer


Enter the password when prompted. Generate a PFX file (contains the password and the private key in one file for convenience). Note that the same password entered earlier is used.

Enter the following into the command window and press Enter:

   1: pvk2pfx 

   2:  -pvk c:\Demo\TestOOBCodeSigningCA.pvk 

   3:  -spc c:\Demo\TestOOBCodeSigningCA.cer 

   4:  -pfx c:\Demo\TestOOBCodeSigningCA.pfx 

   5:  -po password


Enter the password when prompted. Now that you have a certificate you are ready to sign the XAP. If you purchased a digital certificate you would skip right to the next step where you sign the XAP. Type the following command to sign the XAP:

   1: signtool sign 

   2:  /v 

   3:  /f c:\Demo\TestOOBCodeSigningCA.pfx 

   4:  /p password 

   5:  c:\Demo\SilverlightApplication2\SilverlightApplication2.Web\ClientBin\SilverlightApplication2.xap


If the XAP was successfully signed you’ll see verbiage similar to the following in the command window.

Signing a XAP using signtool.exe

Every time an out of browser Silverlight project with elevated trust is built with Visual Studio 2010, a new XAP is created. This new XAP must be signed once again. For development purposes you can add a post build event and perform the signtool sign command to sign the XAP after each build.

tags: Silverlight
  • Anonymous

    Pingback from Twitter Trackbacks for Digitally Signing a XAP Silverlight : [] on

  • Anonymous

    Can I add an additional note please… with many browsers, after you’ve signed your XAP, you need to refresh the page a few times and clear the browser cache completely… otherwise you’ll keep getting the cached non-signed version.
    For the first time signer that problem is confusing and you end up scratching the-old head and re-compiling lots of times with a frustrated look on ya face.

  • Anonymous

    Pingback from Silverlight 4: Digitally signing a XAP – Alex van Beek – blog community

  • Anonymous

    With the new Visual Studio 2010 RC2 tools there is new way to sign your XAP which is explained here:…/silverlight-4-d

  • Anonymous

    Daily tech links for .net and related technologies – May 10-12, 2010 Web Development jQuery Templates

  • Anonymous

    Pingback from Daily tech links for .net and related technologies – May 10-12, 2010 | OOP – Object Oriented Programing

  • rod

    I can’t understand why you didn’t mention the possibility of doing this via the Project Properties page in Visual Studio?
    Was it not available at the time? Does it not work and you have to use the command line?

  • john

    Rod – It had just become available after I wrote this.

  • Chandresh

    Hey John, I am facing a typical issue in my silverlight application. Please let me describe it:
    > My Silverlight application is out-of browser with elevated trusts enabled.
    > My application performs cross-domain WCF services calls using secured HTTP, i.e. HTTPS for all WCF services hosted.
    > Having said this, I signed the application with a temporary certificate created on my machine. However, the application doesn’t perform any HTTPS service call to the WCF services. Can you please suggest where I am wrong ?

  • Jobzky

    This article is great and very helpful. I was able to sign my xap file and deploy to IIS but when I tried to access the site I my client test PC still got the warning which means it seems the silverlight oob app is not trusted by the client. I found out that to solve the issue, my client PC should manually install the certificate from my server PC. Is there a way that a signed xap upon install would install also the certificate from server?

  • Dinesh

    Hi John,
    I have similar issue with Signed xap file. I am able to recieve new updates when it is deployed on the machine where dev enviorenment is available. The auto update doesnt work when i deploy it on windows server 2003. Let me know am i missing anything?

%d bloggers like this: