If you do not really look for security - especially in the forging/alteration aspects, a secret symmetric key embedded in the application would be enough to satisfy alteration detection and encryption aspects. Just use a standard block cipher, and MAC (Message Authentication Code (wikipedia)). Of course, it would be relatively simple to extract the key and alter these documents.
Unfortunately, identifying the source is a little trickier. Identity comes implicitly when you use PKI, because each private key implicitly identifies an entity. Since you do not have such a natural identifier, you will now need to define your own identification scheme: perhaps a MAC address of the first network adapter you see on the machine that runs it, or perhaps a more elaborate scheme where you explicitly assign identities to individual applications, or the individuals that use the application. Once you have some sort of identity definition, it would be a simple matter to add this identification string at the start of your document before encrypt/sign operation as a separate XML field.