PackageDigitalSignatureManager.Sign Method (IEnumerable<Uri>, X509Certificate, IEnumerable<PackageRelationshipSelector>, String)

Signs a list of package parts and package relationships with a given X.509 certificate and identifier (ID).

Namespace:  System.IO.Packaging
Assembly:  WindowsBase (in WindowsBase.dll)

public PackageDigitalSignature Sign(
	IEnumerable<Uri> parts,
	X509Certificate certificate,
	IEnumerable<PackageRelationshipSelector> relationshipSelectors,
	string signatureId


Type: System.Collections.Generic.IEnumerable<Uri>

The list of uniform resource identifiers (URIs) for the PackagePart objects to sign.

Type: System.Security.Cryptography.X509Certificates.X509Certificate

The X.509 certificate to use to digitally sign each of the specified parts and relationships.

Type: System.Collections.Generic.IEnumerable<PackageRelationshipSelector>

The list of PackageRelationship objects to sign.

Type: System.String

An identification string to associate with the signature.

Return Value

Type: System.IO.Packaging.PackageDigitalSignature
The digital signature used to sign the elements specified in the parts and relationshipSelectors lists.


Neither parts nor relationshipSelectors specify any elements to sign.

The parts list can be empty or null if relationshipSelectors contains at least one entry.

The relationshipSelectors list can be empty or null if parts contains at least one entry.

Between the parts list and relationshipSelectors there must be at least one element to sign.

The following example shows how to digitally sign a list of package parts. For the complete sample, see the Creating a Package with a Digital Signature Sample.

        private static void SignAllParts(Package package)
            if (package == null)
                throw new ArgumentNullException("SignAllParts(package)");

            // Create the DigitalSignature Manager
            PackageDigitalSignatureManager dsm =
                new PackageDigitalSignatureManager(package);
            dsm.CertificateOption =

            // Create a list of all the part URIs in the package to sign 
            // (GetParts() also includes PackageRelationship parts).
            System.Collections.Generic.List<Uri> toSign =
                new System.Collections.Generic.List<Uri>();
            foreach (PackagePart packagePart in package.GetParts())
                // Add all package parts to the list for signing.

            // Add the URI for SignatureOrigin PackageRelationship part. 
            // The SignatureOrigin relationship is created when Sign() is called. 
            // Signing the SignatureOrigin relationship disables counter-signatures.

            // Also sign the SignatureOrigin part.

            // Add the package relationship to the signature origin to be signed.
            toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));

            // Sign() will prompt the user to select a Certificate to sign with. 

            // If there are no certificates or the SmartCard manager is 
            // not running, catch the exception and show an error message. 
            catch (CryptographicException ex)
                    "Cannot Sign\n" + ex.Message,
                    "No Digital Certificates Available",

        }// end:SignAllParts()

.NET Framework

Supported in: 4.5, 4, 3.5, 3.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2014 Microsoft