I’ve been referring a lot of people lately to the steps to sign a XAP. So I decided to post an excerpt I wrote about signing Silverlight XAP files in the Silverlight 4 Whitepaper on Channel 9 here to help spread the word. The signing process is important if you are creating an elevated trust out of browser application because it helps:

  • Reassure your users that the application is authentic
  • Allow updates to elevated trust applications

Elevated trust out-of-browser applications enable developers to take advantage of platform features that are inaccessible to sandboxed Silverlight applications. You can digitally sign your XAP files to reassure end users of the authenticity of an application’s publisher and that the code’s integrity is intact. This feature only applies to trusted apps; sandboxed XAPs may be signed but doing so will have no effect on it.

When a user attempts to install an elevated trust out of browser application, the user will be presented with a dialog as shown below.


Unverified Publisher Install Dialog on Windows and Mac

A signed XAP would prompt the user with a dialog similar to the following:


Verified Publisher Install Dialog on Windows and Mac

XAP signing also affects an elevated trust application’s ability to update itself. For an update to be allowed, the installed XAP and the update candidate (the new XAP) must be signed with matching certificates that have not expired.

A XAP can be signed post-build using the SignTool.exe command line tool which is in the Windows SDK, as part of Visual Studio 2010 and a handful of other packages. XAPs must be signed using code signing certificates.

You can obtain a digitally signed certificate from various publishers. Prices range and most tend to be valid for 1 year before expiring.

To sign a XAP using a test certificate for development purposes, open a Visual Studio Command Prompt and type the following to create a root certificate:

   1: makecert 
   2:  -n "CN=My Root Certificate Authority" 
   3:  -r 
   4:  -a sha1 
   5:  -sv c:\Demo\TestOOBRootCA.pvk c:\Demo\TestOOBRootCA.cer 
   6:  -sr LocalMachine 
   7:  -sky signature

When prompted for a password enter a password and write it down so you do not forget it. You'll be prompted to enter the password a few times. Enter the same password each time. Now type the following into the command window and press Enter to create a child certificate that can be used for code signing. It will be signed by the root certificate created earlier.

We strongly recommend using a password that uses some combination of letters, numbers and special characters.

   1: makecert 
   2:  -sv c:\Demo\TestOOBCodeSigningCA.pvk 
   3:  -iv c:\Demo\TestOOBRootCA.pvk 
   4:  -n "CN=Test OOB Crew Code Signing CA" 
   5:  -ic c:\Demo\TestOOBRootCA.cer c:\Demo\TestOOBCodeSigningCA.cer

Enter the password when prompted. Generate a PFX file (contains the password and the private key in one file for convenience). Note that the same password entered earlier is used.

Enter the following into the command window and press Enter:

   1: pvk2pfx 
   2:  -pvk c:\Demo\TestOOBCodeSigningCA.pvk 
   3:  -spc c:\Demo\TestOOBCodeSigningCA.cer 
   4:  -pfx c:\Demo\TestOOBCodeSigningCA.pfx 
   5:  -po password

Enter the password when prompted. Now that you have a certificate you are ready to sign the XAP. If you purchased a digital certificate you would skip right to the next step where you sign the XAP. Type the following command to sign the XAP:

   1: signtool sign 
   2:  /v 
   3:  /f c:\Demo\TestOOBCodeSigningCA.pfx 
   4:  /p password 
   5:  c:\Demo\SilverlightApplication2\SilverlightApplication2.Web\ClientBin\SilverlightApplication2.xap

If the XAP was successfully signed you'll see verbiage similar to the following in the command window.

Signing a XAP using signtool.exe

Every time an out of browser Silverlight project with elevated trust is built with Visual Studio 2010, a new XAP is created. This new XAP must be signed once again. For development purposes you can add a post build event and perform the signtool sign command to sign the XAP after each build.