Fabrice's weblog

Code signing certificates

If you need to sign a piece of code - eg. a Silverlight application, like I did with Sesame, an EXE, a DLL, an AIR application, a JAR applet - you need a code signing certificate.

A code signing certificate must be bought from a certificate authority, for example GoDaddy, VeriSign, Thawte, and Comodo. Note: a code signing certificate and an SSL certificate are not the same thing.
Be aware that not all providers allow you to sign everything with a single certificate. Some sell separate certificates for Microsoft Authenticode (that's what you need for Silverlight XAPs, for DLLs, for EXEs, and more), for Java, for AIR, and so on. Given that a code signing certificate is not exactly cheap, you may prefer to buy a single certificate that will allow you to sign files in different file formats.

I chose to buy my certificate from K Software, a reseller of Comodo certificates. It was much cheaper and moreover there isn't the restriction the other vendors impose on what you can sign.

Once you have your code signing certificate, you'll use SignTool.exe, which is a command-line tool part of the Windows SDK and installed with Visual Studio, or simply use Visual Studio 2010.

Resources:

• Tim Heuer article: What's new in Silverlight 4 - XAP signing
• Tim Heuer video: XAP Signing
• Jeff Wilcox article: Getting started with code signing for under $100
• Alex van Beek article: Digitally signing a XAP with Visual Studio 2010
  
• SignGUI, a free graphical front end for SignTool.exe
• signcode-pwd, a command line tool to automate SignCode and prevent the password dialog from popping up