I'm trying to sign a Silverlight 4 OOB application (XAP file).
I use the following command:

"C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\signtool.exe" sign /v /f path\to\FILENAME.pfx /p PWD path\to\FILENAME.xap

and I get the response:

The following certificate was selected:
    Issued to: COMPANY NAME
    Issued by: Thawte Code Signing CA
    Expires:   Wed Dec 01 00:59:59 2010
    SHA1 hash: AE57AF01180BF995C7C5B01E235F296CCF611111

Done Adding Additional Store
Successfully signed: FILENAME.xap

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

But the XAP file is not signed.
If I view properties in explorer there are no 'Digital Signatures' listed. And if I try and install it I get the unverified dialog.
If I use exactly the same command but for a dll file, the signing works fine and I can see the digital signature applied to the file.

What could be the cause of this?
Do I need a different version of signtool.exe?

If it matters, the PFX was originally exported from an XP machine and I'm trying to run this on a Win7 machine (for dev) and a Win2008 server (build machine) and get the same behaviour on both.

Edit:
If I verify the certificate of the signed DLL I get the following:

SignTool Error: A certificate chain processed, but terminated in a root 
        certificate which is not trusted by the trust provider.

So it looks like I need to install some root certificates.

However, I'm not sure that explains why the XAP file doesn't report any certificate being added.

+1  A: 

Have you tried signing the application via the Signing tab in the Silverlight project's Project Properties? If your project properties are like mine, there might actually be two signing tabs in there (one is for strong naming the assembly) - the one you want will probably be the second one. Here's a link explaining the steps to sign the XAP: http://blogs.infosupport.com/blogs/alexb/archive/2010/05/10/silverlight-4-digitally-signing-a-xap.aspx. See if that helps solve the problem.

Also remember that simply signing the XAP isn't enough - you have to import the certificate into the Trusted Root store (which it doesn't look like you're doing). Click on the More Details... button in the Signing tab. It will probably state that this CA Root certificate is not trusted. Do the following:

  • Click the Install Certificate button on this dialog
  • Select the Place all certificates button in the following store option, and click the Browse... button
  • Select the Trusted Root Certification Authorities item in the tree
  • Press OK.

Another dialog should appear stating that it has been installed. Now recompile your app and it should work fine.

Hope this helps...

Chris

Chris Anderson
The certificates were installed but not in the trusted root store. Verification still fails on my machine but the xap appears signed when installed from the site.
Matt Lacey
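
Added example, not part of the original thread: a PowerShell check for the untrusted-root error quoted in the question. It reads the signer certificate from the signed DLL, builds its chain, and reports each chain element, whether the last element is present in a Trusted Root store, and the overall chain status. The file path is a placeholder, and revocation checking is switched off as an assumption so that the result reflects trust-store contents only.

```powershell
# Added example. $Path is a placeholder for the signed DLL from the question.
param([string]$Path = 'path\to\FILENAME.dll')

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status: $($sig.Status) - $($sig.StatusMessage)"

if (-not $sig.SignerCertificate) {
    "No signer certificate found in $Path"
    return
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Assumption: skip revocation so only trust-store problems are reported.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($sig.SignerCertificate)
"Chain trusted: $trusted"

# Walk the chain from the signer (index 0) towards the root.
$i = 0
foreach ($el in $chain.ChainElements) {
    $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    "[{0}] {1}" -f $i, $el.Certificate.Subject
    "     issuer: {0}" -f $el.Certificate.Issuer
    "     status: {0}" -f $flags
    $i++
}

# The last element is the root only if the chain is complete (self-signed).
$last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($last.Subject -eq $last.Issuer) {
    $inMachine = Test-Path "Cert:\LocalMachine\Root\$($last.Thumbprint)"
    $inUser    = Test-Path "Cert:\CurrentUser\Root\$($last.Thumbprint)"
    "Root '{0}' in LocalMachine\Root: {1}, CurrentUser\Root: {2}" -f `
        $last.Subject, $inMachine, $inUser
} else {
    "Chain is incomplete: issuer '$($last.Issuer)' was not found in any store"
}

# Overall chain flags; UntrustedRoot corresponds to the SignTool error text.
foreach ($s in $chain.ChainStatus) {
    "{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
```

A status of `UntrustedRoot` means the chain was built but its root is not in a Trusted Root store; `PartialChain` means an intermediate or root certificate is missing from the machine altogether.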