3 May 2011
Note: This is an updated and expanded version of an article originally written by Todd Prekaski.
When you're ready to ship an Adobe AIR application, you'll be required to digitally sign it for the Adobe AIR installer to install it to the user's system. The Adobe AIR runtime runs with the same user privileges as native applications, allowing local file system access, network operations, bitmap manipulations, local data access, and so on. By requiring your application to be signed, you instill confidence in your customers because they can validate the source of the application. Adobe offers a few different ways to build your AIR applications using Adobe Flash Builder 4.5, Adobe Flash Professional CS5.5, or Adobe Dreamweaver CS5.5. In this tutorial I will show you how to sign your AIR applications using these tools when targeting the desktop.
For information on how to package AIR applications for devices refer to the following tutorials:
When users install your application, they're trusting you, as the developer, to not create an application that behaves maliciously, for example, by accessing financial data files, deleting local images, or sending e-mails to all your contacts. Users want to feel confident that the software they're installing comes from a reliable vendor (publisher), and that what they're installing hasn't been modified since that vendor released it. As a developer, you may build a great application and release it to the world. After it's released, though, you don't really have any control over other people modifying the application, injecting some malicious code, and then redistributing it. Users should be aware that software they install from the web could have been tampered with or created by an unreliable malware vendor.
The best way to instill confidence in the end user is by requiring developers to digitally sign their applications with a security certificate from a trusted third-party vendor, such as ChosenSecurity, GlobalSign, Thawte, or VeriSign, called a certificate authority (CA). All AIR applications must be digitally signed in order for the AIR runtime to install them on the user's machine. Digital signing has found its way into virtually all commercial software development, whether you're dealing with a mobile app, device drivers for a major operating system, desktop applications from big publishers, or the AIR applications that you create. When users install software, they want to know who really built it, where the code came from, and whether it was modified since its release.
Digital signing also allows customers to verify the organizational affiliation of the software's publisher. For example, I can't sign an application with another company's certificate. This eliminates the possibility of building fake applications. Otherwise spyware makers could easily create an application, name it Photoshop.exe to make it look like it is from Adobe, and have it perform unauthorized, unwanted actions on users' systems.
In summary, code signing builds customer confidence that what they're installing was created by the named publisher, and that the code hasn't been changed since that publisher signed it.
A developer can use any class-3, high-assurance certificate provided by any CA to sign an Adobe AIR application. However, only ChosenSecurity, GlobalSign, Thawte, and VeriSign come preinstalled on most end user's machines (including Mac OS X or Windows).
The Adobe AIR runtime uses the operating system's keystore of trusted certificates when installing applications. Whatever the OS trusts, AIR will trust. Most likely your users will have a ChosenSecurity, GlobalSign, Thawte, or VeriSign root certificate on their systems, which means your users will be able to see the valid publisher when Adobe AIR attempts to install your app. In this article, I'll assume that you're getting a certificate from Thawte as it simplifies the process for the developer. Using certificate authorities other than ChosenSecurity, GlobalSign, Thawte, or VeriSign is going to require that the end user (not the developer of the software), or a system administrator charged with managing a computer on an enterprise network, manually install a root certificate for that certificate authority.
A developer may also self-sign an Adobe AIR application so they can test it, but when the AIR runtime tries installing the application, it presents the user with a an UNKOWN publisher warning (see Figure 1)–unless, of course, your user has installed your self-signed certificate on his or her machine.
ChosenSecurity, GlobalSign, Thawte, and VeriSign sell official Adobe AIR Developer Certificates on their websites. In the example below, you're going to purchase a certificate from Thawte using the Firefox browser.
Note: If you are familiar with security protocols, Java tools, and the command line, there are other ways to get your Java certificate into the proper format for signing an Adobe AIR application. You'll need the Java sign tools to get the certificate and private key into the right format. Your goal is to end up with a P12 file. Using the Java command line tools is beyond the scope of this article. Using the Firefox method and Thawte is the simplest way to procure a certificate, and you only have to do this once for the lifetime of your certificate.
Note: The GlobalSign Free Code Signing Tool provides a simple front end to the command-line tools for signing Adobe AIR applications. Using the tool is simple and intuitive: select your application type, your certificate, and optionally add a timestamp. GlobalSign's Code Signing Tool prompts to download the correct SDK and tools depending on your chosen application, and shows the executable command line helping expedite the process of digitally signing applications with ease. For more information refer to the GlobalSign website.
For this example, I'll show you how to get a certificate from Thawte using the Firefox web browser. When you use Firefox, the purchased certificate is installed into the Firefox certificate manager where it can be exported in a specific format required by all of the Adobe tools for signing your Adobe AIR application.
Locate and select the certificate you purchased from Thawte, and then click Export. Firefox will save your certificate and private key in a P12 file (PKCS12 format), which will be required for signing from either the ADT command line tool in the Flex 4.5 SDK, Flash Builder 4.5, Dreamweaver CS5.5, or Flash CS5.5.
Note: You may be required to change the file name extension to .pfx, depending on the toolset you're signing with.
Flash Builder makes it easy to sign your AIR applications.
Note: To check what will be included in the release build, click Package Contents. This is a good opportunity to make sure that everything your application needs (for example, the images used for icons) is included.
Flash Builder will generate your AIR file.
You can also create signed AIR applications using Flash Professional CS5.5. When you are ready to sign your application, follow these steps:
Note: If you don't have a certificate and you want to use a self-signed certificate click New Then fill in all the fields, choose a name and a location for the certificate (see Figure 10), and click OK. You should see a confirmation window saying the certificate was created.
The AIR Settings dialog box also includes General, Icons, and Advanced tabs. You can use the General tab to review the included files and assets. The Icons tab, as the name suggests, lets you set the application icons. The Advanced tab is helpful when you want to set the default width and height, the default x and y position of your window, the installation folder, and so on.
The next time you choose File > Publish, the settings you selected previously will be used as the default values. If you want to change them, then click the tool icon next to the Player option (see Figure 11) in the Publish settings. This opens the AIR Settings dialog box. Click OK to save any changes you make.
Note: To enable support for AIR applications in Dreamweaver you have to download and install the Adobe AIR extension for Dreamweaver.
Follow these steps to create a signed AIR application in Dreamweaver:
Note: If you do not have a certificate from a CA and you want to create a self-signed certificate, click Create (see Figure 14). Then type the publisher name and password (at a minimum), and click OK (see Figure 15) to create a self-signed certificate.
If you prefer working with command line tools, then you can use the ADT command line tool from the AIR SDK to generate the certificate and sign your application.
If you don't have a certificate from a CA and you want to use a self-signed certificate, you can create one using ADT. Here is an example, which you can execute at the command line in a Console or Terminal window:
adt -certificate -cn YourNameOrCompanyOrAnythingYouWant 1024-RSA certificate_name.p12 certificate_password
–cn parameter you should set your name or company name. Don't forget the password you set (in this example, it is
certificate_password). You will need it later. After executing this command you should have a certificate named certificate_name.p12 in the directory in which you executed the command. (You can specify an absolute path together with the certificate name if you want to create the file in a different folder.)
When you are ready to package and sign your application, you can use the following command:
adt -package -storetype pkcs12 -keystore PATH_TO_YOUR_CERTIFICATE/certificate_name.p12 -storepass certificate_password YOUR_APPLICATION_NAME.air YOUR_APPLICATION_NAME-app.xml YOUR_APPLICATION_NAME.swf
Note that in the command above that you have to specify at least:
In this example, the command is meant to be run inside the folder that contains these three resources are. If you want to add additional resources to the package, such as icon images, just add the file names at the end of the command.
Note: To compile your application and obtain the SWF file you can use the mxmlc application from the command line.