Code Signing

Adobe AIR requires all AIR applications to be digitally signed. Code signing is a process of digitally signing code to ensure integrity of software and the identity of the publisher. Developers can sign AIR applications with a certificate issued by a Certification Authority (CA) or by constructing a self-signed certificate.

Digitally signing AIR files with a certificate issued by a recognized certificate authority (CA) provides significant assurance to users that the application they are installing has not been accidentally or maliciously altered, and it identifies the developer as the signer (publisher). AIR recognizes code signing certificates issued by the Verisign and Thawte certificate authorities. The AIR application installer displays the publisher name during installation when the developer has signed the AIR file with a Verisign or Thawte certificate.

The AIR application installer displays the publisher name during installation when the AIR application has been signed with a certificate that is trusted, or which chains to a certificate that is trusted on the installation computer. The Certification Authority (CA) verifies the publisher’s or developer’s identity using established verification processes before issuing a high assurance certificate.

Developers can also sign AIR applications using a self-signed certificate, that is, one that they create themselves. However, the AIR application installer presents these applications as originating from an unverified publisher.

When an AIR file is signed, a digital signature is included in the installation file. The signature includes a digest of the package, which is used to verify that the AIR file has not been altered since it was signed, and it includes information about the signing certificate, which is used to verify the publisher identity.

AIR uses the public key infrastructure (PKI) supported through the operating system’s certificate store. For the publisher information to be verified, the computer on which an AIR application is installed must either directly trust the certificate used to sign the AIR application, or trust a chain of certificates linking that certificate to a trusted certificate authority.

If an AIR file is signed with a certificate that does not chain to one of the trusted root certificates (and normally this includes all self-signed certificates), then the publisher information cannot be verified. While AIR can determine that the AIR file has not been altered since it was signed, there is no way to verify who actually created and signed the file.
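The two separate outcomes described above (integrity verified, publisher unverified) can be seen in a small Go program. This is an added example written for this page, not Adobe's installer code or the AIR SDK's API; the function names, the Ed25519 self-signed certificate and the constructed package bytes are assumptions, and the empty certificate pool stands in for an operating system store that does not trust the developer's certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newSelfSignedCert mints the kind of certificate a developer issues to
// themselves: nobody except the key holder vouches for the subject name.
func newSelfSignedCert(publisher string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: publisher},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// signPackage signs the SHA-256 digest of the package bytes, not the file itself.
func signPackage(pkg []byte, priv ed25519.PrivateKey) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// verifyPackage checks integrity (digest signature) and, separately, trust in the signer.
func verifyPackage(pkg, sig []byte, cert *x509.Certificate, trusted *x509.CertPool) (unaltered, publisherVerified bool) {
	digest := sha256.Sum256(pkg)
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, digest[:], sig) {
		return false, false // altered package or forged signature: nothing else matters
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return true, err == nil // integrity holds even when the publisher cannot be verified
}
```

With an empty trust store the result is (true, false): the file is known to be unaltered, but nothing says who signed it; adding the certificate to the pool turns the second value true, and flipping one byte of the package turns both false.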

Details on the code signing process and accepted certificate formats are provided in the developer documentation.

Code signing with desktop native installers

When you package your application as a native installer, you can optionally apply a native code signature. Native code signing is supported on Windows only. See MSDN: Introduction to Code Signing.

Code signing on mobile platforms

On mobile platforms, AIR applications are signed according to the platform conventions and requirements. Developers sign their applications using tools from the AIR SDK and a certificate that meets the requirements of the mobile platform. The installation of mobile AIR apps is handled by the device operating system, not the AIR runtime. Thus AIR does not validate the application signature or certificate holder identity.