Signing an AIR file to change the application certificate

To publish an update for an existing AIR application while using a new or renewed signing certificate, use the ADT -migrate command to apply a certificate migration signature. A migration signature is a second signature applied to an AIR file using the original certificate. The migration signature validates that an application update was produced by the owners of the original certificate.

In order to apply a migration signature, the original certificate must still be valid or have expired within the last 180 days. Once the certificate has expired and the 180 day grace period has elapsed, a migration signature cannot be applied. Users of your application will have to uninstall the existing version before they can install the updated version. The migration signature is time stamped, by default, so AIR updates signed with a migration signature will remain valid even after the certificate expires.

Note: The 180 day grace period only applies to applications specifying AIR version 1.5.3, or higher, in the application descriptor namespace.

To migrate the application to use a new or renewed certificate:

  1. Create an update to your application

  2. Package and sign the update AIR file with the new certificate

  3. Sign the AIR file again with the original certificate using the -migrate command

An AIR file signed with the -migrate command can be used both to install a new version of the application and to update any previous versions, including those signed with the old certificate.

Note: When updating an application published for a version of AIR earlier than 1.5.3, you must specify the original publisher ID in the application descriptor. Otherwise, users of your application must uninstall the earlier version before installing the update.

Migrate an AIR application to use a new certificate

Use the ADT -migrate command with the following syntax:
adt -migrate SIGNING_OPTIONS air_file_in air_file_out

SIGNING_OPTIONS The signing options identify the private key and certificate with which to sign the AIR file. These options must identify the original signing certificate and are described in ADT command line signing options.

air_file_in The AIR file for the update, signed with the new certificate.

air_file_out The AIR file to create.

ADT Example

adt -migrate -storetype pkcs12 -keystore cert.p12 myApp.air myApp.air
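The migration window described above (original certificate still valid, or expired no more than 180 days ago) can be checked before calling adt -migrate. The following wrapper is an added example, not part of the original documentation or of ADT: the function names, the P12_PASS environment variable, and the use of openssl and GNU date to read the certificate's expiry are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the original certificate before adt -migrate.
GRACE_DAYS=180   # grace period stated on this page (AIR 1.5.3+ namespace only)

# migration_window NOT_AFTER_EPOCH NOW_EPOCH   (hypothetical helper)
# Prints "valid", "grace <whole days left>" or "closed".
migration_window() {
    local not_after=$1 now=$2
    local deadline=$(( not_after + GRACE_DAYS * 86400 ))
    if [ "$now" -le "$not_after" ]; then
        echo "valid"
    elif [ "$now" -le "$deadline" ]; then
        echo "grace $(( (deadline - now) / 86400 ))"
    else
        echo "closed"
    fi
}

# cert_not_after_epoch KEYSTORE.p12   (hypothetical helper)
# Reads the keystore password from $P12_PASS; assumes openssl and GNU date.
cert_not_after_epoch() {
    local end
    end=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS \
          | openssl x509 -noout -enddate) || return 1
    date -u -d "${end#notAfter=}" +%s
}

# main ORIGINAL_CERT.p12 AIR_IN AIR_OUT
main() {
    local old_p12=$1 air_in=$2 air_out=$3 not_after status
    not_after=$(cert_not_after_epoch "$old_p12") || {
        echo "cannot read certificate expiry from $old_p12" >&2; return 1; }
    status=$(migration_window "$not_after" "$(date -u +%s)")
    case $status in
        closed) echo "original certificate expired more than $GRACE_DAYS days ago;" \
                     "a migration signature cannot be applied" >&2
                return 1 ;;
        grace*) echo "warning: original certificate has expired;" \
                     "${status#grace } days left to migrate" >&2 ;;
    esac
    # AIR_IN must already be signed with the new certificate (step 2 above).
    adt -migrate -storetype pkcs12 -keystore "$old_p12" "$air_in" "$air_out"
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

Running this check in the release pipeline well before the original certificate's expiry date gives warning before the window closes and users are forced to uninstall.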

For more information, see Digitally signing an AIR file.

Note: The -migrate command was added to ADT in the AIR 1.1 release.