Digitally Signing Your Application

In some scenarios, you should sign your XAP file before deploying it to the users. Let's look at when you would want to do so, and how you do so.

Why Sign Your Application

Following are three key reasons why you might want to sign your application:

  • If you want your Silverlight application to run inside the browser with elevated trust privileges, the XAP file must be signed, and the signing certificate must be trusted on the user's machine; an unsigned XAP cannot obtain elevated trust in the browser at all.
  • When a user installs an unsigned Silverlight application that requests elevated trust privileges to run outside the browser, the install dialog shows a rather stern warning, as shown in Figure 17-9, stating that the publisher could not be verified. This warning means the application has not been signed (or is signed with a certificate the machine does not trust). A signed application still shows an install dialog, but a much friendlier one that names the verified publisher.
  • If your application is configured to run in OOB mode with elevated trust privileges and you want it to be updatable, the XAP file must be signed. Application updates for an unsigned elevated-trust application work only while the site of origin is localhost; once the application is deployed to production, updates of an unsigned XAP fail.

Figure 17-9. The installation dialog for unsigned applications that request elevated trust privileges

Note When the application is being updated, the certificate that signed the update must match the certificate of the installed application, and that certificate must not have expired. Otherwise, the update will fail. Keep an eye on the expiry date of your code-signing certificate, and plan to re-sign and ship an update before it lapses.

If your Silverlight application does not meet any of these criteria, you can still sign your XAP file if you wish, but doing so will have no impact on its execution.

Obtaining a Code-Signing Certificate

Signing an XAP file involves obtaining a verified Authenticode code-signing certificate from a trusted certificate authority (CA). The process of obtaining a certificate is beyond the scope of this book, but you can find a thorough walkthrough written by Jeff Wilcox on his blog, available at www.jeff.wilcox.name/2010/02/codesigning101/.

Note A code-signing certificate is not the same as an SSL certificate. CAs issue the two for different key usages, so an SSL certificate for your web site cannot be used to sign your XAP file.

In summary, you purchase a certificate from a CA, the CA verifies your identity, and (generally) within a couple of days it issues you a valid certificate. You can then export the certificate, together with its private key, from your certificate store as a password-protected .pfx file, which you use to sign your XAP file. Treat the .pfx file and its password as secrets: anyone who obtains them can sign code in your name, so keep them out of source control and off shared build servers that do not need them.

Note If you don't have a code-signing certificate but still want to sign your application for testing purposes, you can create a self-signed certificate. We'll look at how you can do this in the following workshop.

Workshop: Signing Your XAP File

Let's look at how you go about signing the XAP file.

  1. Open the Project Properties for your Silverlight application, and open the Signing tab, as shown in Figure 17-10.

    Figure 17-10. The Signing tab in the Project Properties

  2. Select the “Sign the Xap File” check box, and click the Select from File button. Find your .pfx file and select it. Its details will appear in the Certificate box.

    Note Alternatively, if you don't have a certificate from a CA, you can create your own temporary certificate for use while you are testing the application. Click the Create Test Certificate button, and enter a password in the two text boxes in the dialog that appears. This simple process creates a .pfx file for you and adds it to your project for use during compilation. A test certificate is self-signed, so no machine other than the ones on which you deliberately install it will trust it; it is for development only, never for a release build.

  3. You now need to make sure the certificate chains to a trusted root on your machine. For a certificate issued by a commercial CA this is normally already the case; for a self-signed test certificate you must install the certificate itself as a Trusted Root certificate. Click the More Details button, which will display the dialog shown in Figure 17-11.

    Figure 17-11. The Certificate Information dialog

  4. If this dialog says that this CA root certificate is not trusted, you will need to install it. Be aware of what you are doing here: placing a certificate in the Trusted Root store makes the machine trust anything signed with that key, so only do this with your own test certificate, only on development machines, and remove it when you have finished testing. Click the Install Certificate button, and click through the wizard to the screen shown in Figure 17-12.

    Figure 17-12. The Certificate Import Wizard dialog

  5. Select the “Place all certificates in the following store” option, and click the Browse button to see the dialog shown in Figure 17-13.

    Figure 17-13. Selecting a certificate store

  6. Select the Trusted Root Certification Authorities store, and press OK. Finish the wizard, and the certificate will be installed.
  7. Now when you compile and run your application, you will get the much friendlier install dialog, as displayed in Figure 17-14. When you no longer need the test certificate, delete it from the Trusted Root Certification Authorities store again.

Figure 17-14. The installation dialog for signed applications that request elevated trust
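The Signing tab does all of the above through the IDE. On a build machine you usually want the same steps scripted and checked, so the following PowerShell script is an added example (not from the book, and not Visual Studio's own tooling) that creates a test certificate, exports it as a .pfx, trusts it for the current user, signs the XAP with signtool.exe, verifies the signature, warns when the certificate is close to expiry (the condition the update note above describes), and shows how to remove the test root afterward. It assumes PowerShell 5.1 or later (for New-SelfSignedCertificate), a signtool.exe on the PATH that understands XAP files (the one that ships with the Silverlight 5 tools), an already-built XAP at Bin\Release\MyApp.xap, and a timestamp server URL; all of these paths and names are placeholders to adjust for your project.

```powershell
# Added example: scripted equivalent of the "Signing Your XAP File" workshop.
# Assumed inputs (change for your project):
$xap       = 'Bin\Release\MyApp.xap'          # XAP produced by the build
$pfx       = 'TestCert.pfx'                   # exported test certificate
$cer       = 'TestCert.cer'                   # public part, for the trust step
$timestamp = 'http://timestamp.digicert.com'  # any RFC 3161/Authenticode timestamp server
$password  = Read-Host -AsSecureString 'PFX password'

# 1. Create a self-signed code-signing certificate (the "Create Test Certificate" button).
#    Development only: a release XAP must be signed with a CA-issued certificate.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=MyApp Test Signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export the certificate with its private key as a password-protected .pfx,
#    which is what the Signing tab (and signtool) consumes.
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password | Out-Null

# 3. Trust it locally (the "Install Certificate" wizard, Trusted Root store).
#    This makes the machine trust ANYTHING signed with this key, so it is scoped to
#    the current user, not LocalMachine, and is undone in step 6.
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 4. Sign the XAP and verify the result. signtool takes the password in clear text,
#    so it is unwrapped only for the duration of the call and never written to disk.
$plain = [pscredential]::new('x', $password).GetNetworkCredential().Password
& signtool.exe sign /v /f $pfx /p $plain /t $timestamp $xap
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
$plain = $null

# /pa uses the default Authenticode verification policy; a non-zero exit means the
# signature is missing, broken, or chains to a root this machine does not trust.
& signtool.exe verify /v /pa $xap
if ($LASTEXITCODE -ne 0) { throw "XAP signature did not verify (exit code $LASTEXITCODE)" }

# 5. Expiry check: an expired signing certificate breaks application updates, so fail
#    the build early rather than discovering it when the next update is refused.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) { Write-Warning "Signing certificate expires in $daysLeft days" }

# 6. Clean-up once testing is finished: drop the self-signed root so the machine
#    stops trusting it. (Left as a comment so the signed XAP can still be installed
#    and run for testing first.)
# Remove-Item "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
# Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
```

For a real release, skip steps 1 and 3 entirely, point $pfx at the .pfx exported from your CA-issued certificate, and keep the password in the build system's secret store rather than in a script or source control. The verify and expiry checks are worth keeping in every build, because they catch the two failures this section describes (an untrusted publisher and a stale certificate) before users do.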
