Adobe AIR Article

Digitally signing Adobe AIR applications

Why sign an application?

When users install your application, they're trusting you that you're not going to do sucky things, like sniff their files for financial data to upload to some server in a third-world country, or to delete all your local images, or to send e-mails on behalf of all your friends. Users want to feel confident that the software they're installing comes from a reliable vendor (publisher), and that what they're installing hasn't been modified since that vendor released it. As a developer, you build a great application and release it to the world. After it's released, though, you don't really have any control over other people taking my application, modifying it, injecting some evil bits, and then distributing it on your behalf. Users should be aware that anything they install from the web could be tampered with or come from an unreliable malware vendor.

The only way to instill confidence in the end user is by requiring developers to digitally sign their applications with a security certificate from a trusted third-party vendor, such as Thawte or VeriSign, called a certificate authority (CA). All AIR applications must be digitally signed in order for the AIR runtime to install them on the user's machine. Digital signing has found its way into all commercial software development, whether you're dealing with a mobile app executing on a PDA, device drivers for a major operating system, desktop applications from a big publishers, or the AIR applications that you create. How many times have you risked the stability of your system by knowingly installing some random software, even though you didn't know who really built it, where the code came from, or whether it was modified since its release? Wouldn't you feel much better knowing that you could verify the source and authenticity of the bits?

Digital signing also allows customers to verify their organizational affiliation. For example, I can't sign an application with Adobe Software's certificate. This eliminates the possibility of building fake applications. Otherwise spyware makers could easily create a Photoshop.exe app, pretending it is by Adobe, and have it use your bank account number from your tax software to create fake checks.

Code signing takes care of these scenarios by building customer confidence that what they're installing was created by the named publisher, and that the code hasn't been changed since that publisher signed it.

Pre-planning saves pain

Don't wait until the night before you're expecting to release your application to start the code signing process. There's some administrative overhead involved in acquiring a certificate from a CA which will take time to resolve. There's some learning and experimenting needed once you acquire a certificate. And then you don't want to be releasing different versions of your application to users that are signed with different certificates.

When you sign an AIR application with a certificate, whether it's a developer self-signed test certificate, or the official certificate of your company, that version of your AIR application can only ever be updated with another version of your application published with the same certificate. Let me clarify, you cannot create and release an application into the wild with a developer test certificate and then at a later date sign it with a production certificate and re-release it. It will have to be a new application. Any automatic updating of the old application will fail, and it'll only install as a separate application.

Let's get started procuring a certificate.

How to get a certificate

A developer can use any class-3, high-assurance certificate provided by any CA to sign an Adobe AIR application. However, only VeriSign and Thawte come pre-installed on most end user's machines (Mac OS X or Windows) and are trusted by the operating systems. The Adobe AIR runtime uses the operating system's keystore of trusted certificates when installing applications. Whatever the OS trusts, AIR will trust. Most likely your users will have either a Thawte or VeriSign root certificate on their systems, which means your users will be able to see the valid publisher when Adobe AIR attempts to install your app. In this article, I'll assume that you're getting a certificate from Thawte as it simplifies the process for the developer. Using certificate authorities other than Thawte or Overusing is going to require that the end user (not the developer of the software), or a system admin charged with managing a computer on an enterprise network, manually install a root certificate for that certificate authority.

Note: There's also a way for a developer to self-sign an Adobe AIR application so they can test it, but when the AIR runtime tries installing the application, it presents the user with a big old UNKOWN publisher warning, see Figure 1. (Unless, of course, your user has installed your self-signed certificate on his or her machine.)

Figure 1. A user sees this dialog box when installing an application with a developer certificate. Note the UNKNOWN publisher identity.

Thawte sells an official Adobe AIR Developer Certificate on the company's website. In the example below, you're going to purchase a certificate from Thawte using the Firefox browser, which is required for the process you're following here, because it's the easiest. Thawte offers certificates starting at $300 for one year.

Note: For those of you familiar with the security protocols, Java tools, and the command line, there are other ways to get your Java certificate into the proper format for signing an Adobe AIR application. You'll need the Java sign tools to get the certificate and private key into the right format. Your goal is to end up with a P12 file. Using the Java command line tools is beyond the scope of this document. Using the Firefox method and Thawte is the simplest way to procure a certificate. And you only have to do this once for the lifetime of your certificate.

Procuring a certificate from Thawte

Obtaining an official Adobe AIR Developer Certificate from Thawte is the easiest way to get your code signed. For this example, I'm going to get a certificate from Thawte using the Firefox web browser. It's really important that you use Firefox because the purchased certificate is going to be installed into the Firefox certificate manager where it'll be exported in a specific format required by all of the Adobe tools for signing your Adobe AIR application.

1. Go to the Thawte website, select an Adobe AIR Developer Certificate, and then press the red Submit button (see Figure 2).

   

   Figure 2. Start the procurement process at Thawte's website for a certificate to sign your Adobe AIR application.

   The next step is the first of three at the Thawte website titled "Configure your Enrollment."

2. Choose the duration for your certificate (1 year or 2 years), fill out your organizational information, website, and then provide a password for managing your account.
3. Continue through the steps "Confirm your Enrollment" and "Complete your enrollment." Thawte will authenticate your organization (PDF, 112K) and then request more information from you. Be prepared to fax them information like Articles of Incorporation, VAT certificates, Partnership papers, fictitious name certificates, and so on. During this process they verify your identity and business association.
4. After organization verification is complete, Thawte will e-mail you instructions on how to retrieve the certificate. Again, be sure that you retrieve the certificate using Firefox since you're going to export the certificate from Firefox in a format needed by all the Adobe code signing tools.
5. Open the link that you received from Thawte in the Firefox web browser and log in to the Thawte website using the password you created in Step 2 above.
6. Click Fetch certificate. Thawte will automatically install the certificate you purchased from them into your Firefox certificate manager.

7. Now that Thawte has installed your certificate into Firefox, it's time to export it for use from all of Adobe's tools. Navigate to Tools/Options/Advanced and you'll see the dialog box in Figure 3.

   

   Figure 3. The Firefox 2.0 Options dialog box

8. Click the View Certificates button to view Figure 4.

   

   Figure 4. The Firefox certificate manager. Note the certificate you just purchased from Thawte (in this example: eBay).

9. Select the certificate you want to export, and then click the Backup button. Firefox will save your certificate and private key in a P12 file (PKCS12 format), which will be required for signing from either the ADT command line tool in the Flex 3 SDK and the Flex Builder 3 Export Wizard, as well as Dreamweaver CS3 or Flash CS3 with Adobe AIR support.

   Note: You may be required to change the file name extension to .pfx, depending on the toolset you're signing with.

10. Enter the location you want to save the file and give it a name that you'll remember later. I put mine in c:\mydev\certificates\air_cert.p12.

11. You'll be prompted to create a password for your certificate and private key (see Figure 5); enter it twice.

    

    Figure 5. Create a password to protect your certificate and private key.

12. Click OK and voilà, your certificate is ready to start signing your Adobe AIR applications.

After you've acquired your certificate, you're ready to start signing your Adobe AIR applications. Skip to the appropriate section below to learn how to use the certificate you just acquired from Thawte with your favorite tool:

• Signing an Adobe AIR application with Flex Builder 3
• Signing an Adobe AIR application with the Flex 3 SDK
• Signing an Adobe AIR application with Flash CS3 Professional
• Signing an Adobe AIR application with Dreamweaver CS3

Page 2 of 7

Previous Page

Next Page