I’ve found multiple posts on the web explaining how to sign a XAP file, including this one. In Silverlight 4, a XAP file must be signed in order to let an out-of-browser application update itself and to show the user a friendlier installation dialog when installing an elevated trust application. The process for digitally signing a XAP file that is explained on the web uses a post-build event in which “signtool.exe” is called. With the new Silverlight 4 RC2 tools for Visual Studio 2010, there is another way to sign your XAP file…


Signing your XAP file from Visual Studio 2010

As mentioned earlier, you need to install the new Silverlight 4 tools RC2 for Visual Studio 2010, which you can get here. Then you can create a new Silverlight 4 project. After creating the project, right-click on the project in Visual Studio (the Silverlight project, not the Web project) and select “Properties”. This brings up the following screen:



Click on the “Signing” option, highlighted above. The screen changes to the following:


If you already have a certificate, first select the “Sign the Xap file” option and then use one of the “select” buttons to choose it. If you don’t have a certificate, you can use the “Create Test Certificate” button to get a test certificate for development purposes. When you click that button and complete the wizard, a new .pfx file is added to your project:


For development purposes, you can install this certificate in the “Trusted Root Certification Authorities” store by double-clicking it in Windows Explorer. You should of course remove it when you’re done with it. After installing it in the “Trusted Root Certification Authorities” store and enabling elevated trust on your Silverlight application, the installation dialog looks like this:


You can see in the image above that the certificate used to sign this XAP file is trusted, either directly or indirectly, because the dialog has a blue-ish color. Just for reference, here is the dialog if your XAP file isn’t signed, or is signed but the certificate is not trusted:


The above yellow-ish dialog looks a lot more unfriendly of course :).
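The cleanup step mentioned above (removing the test certificate from “Trusted Root Certification Authorities” when you’re done) can be checked with a script. This is an added example, not part of the original post; the script name and the .pfx file name are hypothetical placeholders.

```powershell
# Added example (not from the original post): report, and optionally remove,
# a development test certificate from the Trusted Root stores.
# Assumed usage: .\Remove-TestRoot.ps1 -PfxPath .\MyApp_TemporaryKey.pfx [-Remove]
# (script name and .pfx file name are hypothetical placeholders)
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,
    [switch]$Remove   # without this switch the script only reports
)
$ErrorActionPreference = 'Stop'

# Take the thumbprint from the project's .pfx so the match does not depend on
# a subject name. Get-PfxCertificate prompts if the file has a password.
$thumbprint = (Get-PfxCertificate -FilePath $PfxPath).Thumbprint

$mode = if ($Remove) { 'ReadWrite' } else { 'ReadOnly' }
foreach ($location in 'CurrentUser', 'LocalMachine') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
    try {
        # Opening LocalMachine\Root for writing requires an elevated prompt.
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]$mode)
        $hits = $store.Certificates.Find('FindByThumbprint', $thumbprint, $false)
        foreach ($cert in $hits) {
            if ($Remove) { $store.Remove($cert) }
            [pscustomobject]@{
                Store         = "$location\Root"
                Subject       = $cert.Subject
                NotAfter      = $cert.NotAfter
                # True means the signing key was imported together with the root.
                HasPrivateKey = $cert.HasPrivateKey
                Removed       = [bool]$Remove
            }
        }
    }
    catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "Could not open $location\Root ($mode): $($_.Exception.Message)"
    }
    finally {
        $store.Close()
    }
}
```

Run it once without -Remove to see where the certificate is installed; no output means it is not in either root store.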

4 thoughts on “Silverlight 4: Digitally signing a XAP with Visual Studio 2010”

  1. Thank you, you made Tim Heuer’s post on this subject look archaic in comparison. You rock! Tim, why didn’t you create a video on doing this, it would have saved me at least 2 hours.

  2. Thanks Alex, I went through the whole process of buying a cert (from Comodo) and now finally got my app all signed…

    @Heath: Tim’s post shows how to do it manually – perhaps the GUI did not exist at the time – his posts are very useful…

  3. It is important for you to know that when a code signing certificate expires, if you buy a new certificate and this new certificate has been issued by a different CA, automatic updates won’t work.

    VeriSign, for example, changes the CA from CN = VeriSign Class 3 Code Signing 2009-2 CA to CN = VeriSign Class 3 Code Signing 2010 CA.

    VeriSign certificates don’t work with SL. You must check with the CA of your choice whether the Issuer field changes from one year to another.

    No one knows that. We have exchanged dozens of emails with Microsoft and VeriSign and, at the moment, we have not arrived at a solution.