Poor man's (or woman's) code signing and auto-updating a Silverlight OOB XAP

To get Windows to trust your code (in my case a Silverlight Out-of-Browser XAP file), you need to sign it with a certificate. With a Silverlight OOB app, this makes the difference at install time between seeing the warning dialog (first screenshot, not reproduced here) or the trusted install dialog (second screenshot, not reproduced here).

Also, trusted applications can automatically update themselves (once you add the necessary update code, of course) while untrusted ones can't. That's when you get the following error:

"Cannot update application, the installed application and update candidate differ in certificate/signature state."

To avoid this you must sign your XAP. This is fairly easy if you just buy a certificate, for which you can easily pay €100+ per year. However, if you (and your users) can live with the first dialog (the warning), you can at least get the auto-update feature with a self-signed certificate.

First, we need to create a PFX file. Visual Studio can do this for you when you indicate you want to sign your assembly. This is not the same as signing your XAP, but we need this step to create the PFX file. Go to the project properties and open the Signing tab. Then tick the option to sign the assembly and select 'New...' in the dropdown:

Give your file a name and a password. If you don't provide a password, it will be a .snk file and we can't sign our XAP with that.

Now, uncheck the option for signing your assembly and choose to sign your XAP. Click on the 'Select from File...' button and choose your newly created PFX file (it will be in the folder of your current project).

You might also want to enter a Timestamp server URL (more on that below).

If you want more control, leave that option unchecked and sign the XAP in a post-build event instead. Something like the following is what I used:

rem Post-build event: sign the XAP only for Release builds.
rem Build events run in the output directory, so TheApplication.xap is resolved from there.
rem Quoting keeps this working when the configuration name or project path contains spaces.
if "$(Configuration)" == "Release" (
  call "$(DevEnvDir)..\Tools\vsvars32.bat"
  signtool sign /v /f "$(ProjectDir)MyKey.pfx" /p MyPassPhrase /t http://timestamp.comodoca.com/authenticode "TheApplication.xap"
)

What this does is sign the XAP only when we're building in Release mode. It first calls a batch script that sets the necessary path variables, so the post-build event can find the signtool executable.

Then it signs TheApplication.xap with the MyKey.pfx file, using 'MyPassPhrase' as the password and the Comodo timestamp server. Timestamping is necessary if you want to be able to keep updating the XAP even after your certificate has expired: the timestamp proves the signature was made while the certificate was still valid.

When installing the application, the user will still get the warning that the source isn't trusted. This is because the certificate that signed the XAP hasn't been installed in the certificate store of the user's computer, so the signature chain cannot be validated. But at least the auto-updating now works.
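The whole procedure from the post (create a PFX, sign the XAP with signtool and a timestamp server, and the untrusted-chain warning that remains afterwards) can be scripted end to end. The following PowerShell script is an added example, not code from the original post; it assumes Windows 10 or later with the PKI module (for New-SelfSignedCertificate -Type CodeSigningCert) and signtool.exe from the Windows SDK on the PATH. The subject name, password, paths and the optional trust step are placeholders and assumptions, not values from the post.

```powershell
# Added example (not from the original post): create a self-signed code-signing
# certificate, export it as a PFX, sign the XAP the way the post-build event does,
# then verify the signature so you can see the untrusted-chain state yourself.
$ErrorActionPreference = 'Stop'

# Placeholders: change these for your project.
$Root          = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$Subject       = 'CN=Example Silverlight Publisher'                 # assumed subject
$PfxPath       = Join-Path $Root 'MyKey.pfx'
$CerPath       = Join-Path $Root 'MyKey.cer'
$XapPath       = Join-Path $Root 'Bin\Release\TheApplication.xap'   # assumed output path
$Timestamp     = 'http://timestamp.comodoca.com/authenticode'       # same server as the post
$PlainPassword = 'MyPassPhrase'                                     # placeholder password
$Password      = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# 1. Create a self-signed code-signing certificate in the current user's store.
#    This is the scripted equivalent of Visual Studio's 'New...' on the Signing tab.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject $Subject `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(3)

# 2. Export the private key as a password-protected PFX (what signtool /f consumes)
#    and the public certificate on its own as a .cer (contains no private key).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null

# 3. Sign the XAP with the same signtool arguments as the post-build event.
if (-not (Test-Path $XapPath)) { throw "XAP not found: $XapPath (build in Release first)" }
& signtool sign /v /f $PfxPath /p $PlainPassword /t $Timestamp $XapPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify. /pa applies the default Authenticode policy. On a machine that does
#    not trust this certificate the signature itself is reported as present and
#    intact, but the chain fails: that is the same condition behind the
#    install-time warning the post describes. Exit code 0 means fully trusted.
& signtool verify /v /pa $XapPath
Write-Host "signtool verify exit code: $LASTEXITCODE (0 = signed and chain trusted)"

# 5. Optional, and only on your own test machines: importing the .cer into the
#    current user's Trusted Root store makes the self-signed chain validate, so
#    you can see the trusted install dialog. Assumption: end users keep the warning
#    unless they import the certificate too.
# Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
```

The script keeps the PFX password in a plain variable only because signtool's /p switch takes plain text, just like the post-build command; keep the PFX and that password out of source control. Re-running the script creates a new certificate each time, so sign every release with the same PFX, otherwise the installed app and the update will again "differ in certificate/signature state".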