I’ve found multiple posts on the web explaining how to sign a XAP file, including this one. In Silverlight 4, a XAP file must be signed in order to let an out of browser application update itself and to show the user a more friendly installation dialog when installing an elevated trust application. The process for digitally signing a XAP file explained on the web, includes using a post build event in which “signtool.exe” is called. With the new Silverlight 4 RC2 tools for Visual Studio 2010, there is another way to sign your XAP file…
Signing your XAP file from Visual Studio 2010
As mentioned earlier, you need to install the new Silverlight 4 tools RC2 for Visual Studio 2010, which you can get here. Then you can create a new Silverlight 4 project. After creating the project, right click on the project in Visual Studio (the Silverlight project, not the Web project) and select “properties”. This brings up the following screen:
Click on the “Signing” option, highlighted above. The screen changes to the following:
If you already have a certificate, you can use one of the “select” buttons to select it, after selecting the “Sign the Xap file” option. If you don’t have a certificate, you can use the “Create Test Certificate” button to get a test certificate for development purposes. After completing the wizard when the “Create Test Certificate” button is clicked, a new .pfx file is added to your project:
You can install this certificate in the “Trusted Root Certification Authorities” store by double clicking it from Windows explorer, for development purposes. You should remove it of course after you’re done with it. After installing it in the “Trusted Root Certification Authorities” store and enabling elevated trust on your Silverlight application, the installation dialog looks like this:
You can see on the image above that the certificate used to sign this XAP file, is trusted either directly or indirectly, because the dialog has a blue-ish color. Just for reference, here is the dialog if your XAP file isn’t signed or is signed but the certificate is not trusted:
The above yellow-ish dialog looks a lot more unfriendly of course :).