Signing an AIR file to change the application certificate

To update an existing AIR application to use a new signing certificate, use the ADT -migrate command.

Certificate migration can be useful in the following situations:

  • Upgrading from a self-signed certificate to one issued by a certification authority

  • Changing from a self-signed certificate that is about to expire to a new self-signed certificate

  • Changing from one commercial certificate to another, for example, when your corporate identity changes

In order to apply a migration signature, the original certificate must still be valid. Once the certificate has expired, a migration signature cannot be applied. Users of your application will have to uninstall the existing version before they can install the updated version. Note that the migration signature is time stamped, by default, so AIR updates signed with a migration signature will remain valid even after the certificate expires.

Note: You do not typically have to migrate the certificate when you renew a commercially issued certificate. A renewed certificate retains the same publisher identity as the original unless the distinguished name has changed. For a full list of the certificate attributes that are used to determine the distinguished name, see About AIR publisher identifiers.
To migrate the application to use a new certificate:

  1. Create an update to your application

  2. Package and sign the update AIR file with the new certificate

  3. Sign the AIR file again with the original certificate using the -migrate command

An AIR file signed with the -migrate command can be used both to install a new version of the application and to update any previous versions, including those signed with the old certificate.

Migrate an AIR application to use a new certificate

 Use the ADT -migrate command with following syntax:
adt -migrate SIGNING_OPTIONS air_file_in air_file_out

SIGNING_OPTIONS The signing options identify the private key and certificate with which to sign the AIR file. These options must identify the original signing certificate and are described in ADT command line signing options.

air_file_in The AIR file for the update, signed with the new certificate.

air_file_out The AIR file to create.

ADT Example

adt –migrate -storetype pkcs12 -keystore cert.p12 myApp.air myApp.air

For more information, see Digitally signing an AIR file.

Note: The -migrate command was added to ADT in the AIR 1.1 release. Applying a migration signature to an AIR package produced with the version of ADT included in AIR 1.0 is not supported.