Digitally signing an AIR file
Digitally signing your AIR installation files with a certificate issued by a recognized certification authority (CA) provides significant assurance to your users that the application they are installing has not been accidentally or maliciously altered and identifies you as the signer (publisher). AIR displays the publisher name during installation when the AIR application has been signed with a certificate that is trusted, or which chains to a certificate that is trusted on the installation computer. Otherwise the publisher name is displayed as “Unknown.”
Important: A malicious entity could forge an AIR file with your identity if it somehow obtains your signing keystore file or discovers your private key.
Information about code-signing certificates
The security assurances, limitations, and legal obligations involving the use of code-signing certificates are outlined in the Certificate Practice Statements (CPS) and subscriber agreements published by the issuing certification authority. For more information about the agreements for the certification authorities that currently issue AIR code signing certificates, refer to:
ChosenSecurity CPS (http://www.chosensecurity.com/resource_center/repository.htm)
GlobalSign CPS (http://www.globalsign.com/repository/index.htm)
Thawte CPS (http://www.thawte.com/cps/index.html)
Thawte Code Signing Developer's Agreement (http://www.thawte.com/ssl-digital-certificates/free-guides-whitepapers/pdf/develcertsign.pdf)
VeriSign CPS (http://www.verisign.com/repository/CPS/)
VeriSign Subscriber's Agreement (https://www.verisign.com/repository/subscriber/SUBAGR.html)
About AIR code signing
When an AIR file is signed, a digital signature is included in the installation file. The signature includes a digest of the package, which is used to verify that the AIR file has not been altered since it was signed, and it includes information about the signing certificate, which is used to verify the publisher identity.
AIR uses the public key infrastructure (PKI) supported through the operating system’s certificate store to establish whether a certificate can be trusted. The computer on which an AIR application is installed must either directly trust the certificate used to sign the AIR application, or it must trust a chain of certificates linking the certificate to a trusted certification authority in order for the publisher information to be verified.
If an AIR file is signed with a certificate that does not chain to one of the trusted root certificates (and normally this includes all self-signed certificates), then the publisher information cannot be verified. While AIR can determine that the AIR package has not been altered since it was signed, there is no way to know who actually created and signed the file.
Note: A user can choose to trust a self-signed certificate and then any AIR applications signed with the certificate displays the value of the common name field in the certificate as the publisher name. AIR does not provide any means for a user to designate a certificate as trusted. The certificate (not including the private key) must be provided to the user separately and the user must use one of the mechanisms provided by the operating system or an appropriate tool to import the certificate into the proper location in system certificate store.
About AIR publisher identifiers
Important: As of AIR 1.5.3 the publisher ID is deprecated and no longer computed based on the code signing certificate. New applications do not need and should not use a publisher ID. When updating existing applications, you must specify the original publisher ID in the application descriptor file.
Prior to AIR 1.5.3, the AIR application installer generated a publisher ID during the installation of an AIR file. This was an identifier that is unique to the certificate used to sign the AIR file. If you reused the same certificate for multiple AIR applications, they received the same publisher ID. Signing an application update with a different certificate and sometimes even a renewed instance of the original certificate changed the publisher ID.
In AIR 1.5.3 and later, a publisher ID is not assigned by AIR. An application published with AIR 1.5.3 can specify a publisher ID string in the application descriptor. You should only specify a publisher ID when publishing updates for applications originally published for versions of AIR prior to 1.5.3. If you do not specifying the original ID in the application descriptor then the new AIR package is not treated as an update of the existing application.
To determine the original publisher ID, find the publisherid file in the META-INF/AIR subdirectory where the original application is installed. The string within this file is the publisher ID. Your application descriptor must specify the AIR 1.5.3 runtime (or later) in the namespace declaration of the application descriptor file in order to specify the publisher ID manually.
The publisher ID, when present, is used for the following purposes:
When a publisher ID changes, the behavior of any AIR features relying on the ID also changes. For example, data in the existing encrypted local store can no longer be accessed and any Flash or AIR instances that create a local connection to the application must use the new ID in the connection string. The publisher ID cannot change in AIR 1.5.3, or later. If you use a different publisher ID when publishing an AIR package, the installer treats the new package as a different application.
About Certificate formats
The AIR signing tools accept any keystores accessible through the Java Cryptography Architecture (JCA). This includes file-based keystores such as PKCS12-format files (which typically use a .pfx or .p12 file extension), Java .keystore files, PKCS11 hardware keystores, and the system keystores. The keystore formats that ADT can access depend on the version and configuration of the Java runtime used to run ADT. Accessing some types of keystore, such as PKCS11 hardware tokens, may require the installation and configuration of additional software drivers and JCA plug-ins.
To sign AIR files, you can use most existing code signing certificates or you can obtain a new one issued expressly for signing AIR applications. For example, any of the following types of certificate from VeriSign, Thawte, GlobalSign, or ChosenSecurity can be used:
Note: The certificate must be created for code signing. You cannot use an SSL or other type of certificate to sign AIR files.
When you sign an AIR file, the packaging tool queries the server of a timestamp authority to obtain an independently verifiable date and time of signing. The time stamp obtained is embedded in the AIR file. As long as the signing certificate is valid at the time of signing, the AIR file can be installed, even after the certificate has expired. On the other hand, if no time stamp is obtained, the AIR file ceases to be installable when the certificate expires or is revoked.
By default, the AIR packaging tools obtain a time stamp. However, to allow applications to be packaged when the time-stamp service is unavailable, you can turn time stamping off. Adobe recommends that all publicly distributed AIR files include a time stamp.
The default time-stamp authority used by the AIR packaging tools is Geotrust.
Obtaining a certificate
To obtain a certificate, you would normally visit the certification authority web site and complete the company’s procurement process. The tools used to produce the keystore file needed by the AIR tools depend on the type of certificate purchased, how the certificate is stored on the receiving computer, and, in some cases, the browser used to obtain the certificate. For example, to obtain and export an Adobe Developer certificate from Thawte you must use Mozilla Firefox. The certificate can then be exported as a .p12 or .pfx file directly from the Firefox user interface.
You can generate a self-signed certificate using the Air Development Tool (ADT) used to package AIR installation files. Some third-party tools can also be used.
For instructions on how to generate a self-signed certificate, as well as instructions on signing an AIR file, see Packaging an AIR installation file using the AIR Developer Tool (ADT). You can also export and sign AIR files using Flex Builder, Dreamweaver, and the AIR update for Flash.
The following example describes how to obtain an AIR Developer Certificate from the Thawte Certification Authority and prepare it for use with ADT.
Example: Getting an AIR Developer Certificate from Thawte
Note: This example illustrates only one of the many ways to obtain and prepare a code signing certificate for use. Each certification authority has its own policies and procedures.
To purchase an AIR Developer Certificate, the Thawte web site requires you to use the Mozilla Firefox browser. The private key for the certificate is stored within the browser’s keystore. Ensure that the Firefox keystore is secured with a master password and that the computer itself is physically secure. (You can export and remove the certificate and private key from the browser keystore once the procurement process is complete.)
As part of the certificate enrollment process a private/public key pair is generated. The private key is automatically stored within the Firefox keystore. You must use the same computer and browser to both request and retrieve the certificate from Thawte’s web site.
Important: The private key and certificate are still stored within the Firefox keystore. While this permits you to export an additional copy of the certificate file, it also provides another point of access that must be protected to maintain the security of your certificate and private key.
In some circumstances, you must change the certificate you use to sign updates for your AIR application. Such circumstances include:
For AIR to recognize an AIR file as an update, you must either sign both the original and update AIR files with the same certificate or apply a certificate migration signature to the update. A migration signature is a second signature applied to the update AIR package using the original certificate. The migration signature uses the original certificate to establish that the signer is the original publisher of the application.
After an AIR file with a migration signature is installed, the new certificate becomes the primary certificate. Subsequent updates do not require a migration signature. However, you should apply migration signatures for as long as possible to accommodate users who skip updates.
Important: The certificate must be changed before the original certificate expires. If you do not create an update signed with a migration signature before your certificate expires, users will have to uninstall their existing version of your application before installing a new version. As of AIR 1.5.3, an expired certificate can be used to apply a migration signature within a 180 day grace period after the certificate has expired. (You cannot use the expired certificate to apply the main application signature.)
To change certificates:
An AIR file with a migration signature is, in other respects, a normal AIR file. If the application is installed on a system without the original version, AIR installs the new version in the usual manner.
Note: Prior to AIR 1.5.3, signing an AIR application with a renewed certificate did not always require a migration signature. Starting with AIR 1.5.3, a migration signature is always required for renewed certificates.
The procedure for applying a migration signature is described in Signing an AIR file to change the application certificate.
Application identity changes
Prior to AIR 1.5.3, the identity of an AIR application changed when an update signed with a migration signature was installed. Changing the identity of an application has the several repercussions, including:
When publishing an update with AIR 1.5.3, the application identity cannot change. The original application and publisher IDs must be specified in the application descriptor of the update AIR file. Otherwise, the new package is not recognized as an update.
Note: When publishing a new AIR application with AIR 1.5.3 or later, you should not specify a publisher ID.
As of AIR 1.5.3, a certificate that has expired within the last 180 days can still be used to apply a migration signature to an application update. To take advantage of this grace period, and the update application descriptor must specify 1.5.3 in the namespace attribute. After the grace period, the certificate can no longer be used. Users updating to a new version of your application will have to uninstall their existing version. Note that there is no grace period in AIR versions before 1.5.3.
This section provides a glossary of some of the key terminology you should understand when making decisions about how to sign your application for public distribution.