
AIR [2.6] Applications, Digital signatures

Explorer, Jun 14, 2011


We are attempting to roll out some productivity AIR applications. When I sign an application with our cert, the AIR installer recognizes that the file is signed, but Windows does not.

This is a problem because our whitelisting solution uses Windows to verify signatures; if Windows cannot determine that the file is signed, our service will not permit the AIR installer to proceed.

We have a proper certificate from Verisign.

This problem exists with both 1.5, and 2.6; in both AIR packages and native installers. 

How/where is this installer package actually being signed? Is there some workaround to allow Windows to see it?

Any guidance would be appreciated.

Thank you

Adobe Employee, Jun 21, 2011


I don't think Windows can detect if .air files are signed or not, but in the case of the native installer, this is supported.

You can pass a certificate to sign the generated native installer in addition to the actual AIR application. This option is available via command-line ADT (sadly, not exposed in FB as this is win only).

Quote:

Optionally, on Windows you can add a second set of signing options, indicated as [WINDOWS_INSTALLER_SIGNING_OPTIONS] in the syntax listing. On Windows, in addition to signing the AIR file, you can sign the Windows Installer file. Use the same type of certificate and signing option syntax as you would for signing the AIR file (see ADT code signing options). You can use the same certificate to sign the AIR file and the installer file, or you can specify different certificates. When a user downloads a signed Windows Installer file from the web, Windows identifies the source of the file, based on the certificate

From http://help.adobe.com/en_US/air/build/WS789ea67d3e73a8b22388411123785d839c-8000.html

P.S: For more clarification regarding this, the AIR installation forum will be a better place: http://forums.adobe.com/community/air/installation?view=discussions&start=0

-Anirudh

Explorer, Jun 23, 2011


Thank you, I had attempted to use ADT since posting, but had overlooked the [WINDOWS_INSTALLER_SIGNING_OPTIONS].

Current state/Lessons learned:

Signed native installer published from FB with the Windows SDK's signtool.

and

Used ADT to package signed AIR file into a (different) signed native installer (had to use a PFX* cert, the p12 did not work for some reason).

Sadly, while both are detected as signed applications by Windows, both are still flagged by our whitelisting software.

At least we know where to direct our complaints now!

* If you need to turn a p12 into a PFX (also required to use signtool): import the p12 into Internet Explorer (Internet Options-> Content-> Certificates in IE8), and simply export it again as a PFX.

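The packaging step discussed in this thread, followed by a check of what Windows itself reports for the resulting installer, as an added example that is not part of the original posts. All paths and file names are placeholders; the ADT argument order follows the syntax quoted above (AIR signing options, then `-target native`, then the Windows installer signing options).

```powershell
# Added example. Every path and file name here is a placeholder, not a value from the thread.
$Adt       = 'C:\AIRSDK\bin\adt.bat'      # assumed AIR SDK location
$Cert      = 'C:\certs\codesign.pfx'      # PKCS#12 code-signing certificate (placeholder)
$Installer = 'MyApp.exe'                  # native installer to produce
$AppXml    = 'MyApp-app.xml'              # application descriptor
$Content   = 'MyApp.swf'                  # application content

# The first -storetype/-keystore pair signs the AIR application itself.
# The second pair, after -target native, is [WINDOWS_INSTALLER_SIGNING_OPTIONS]
# and signs the Windows installer. With no -storepass, ADT prompts for the
# password, which keeps it out of the script and the shell history.
& $Adt -package `
    -storetype pkcs12 -keystore $Cert `
    -target native `
    -storetype pkcs12 -keystore $Cert `
    $Installer $AppXml $Content
if ($LASTEXITCODE -ne 0) { throw "adt failed with exit code $LASTEXITCODE" }

# Ask Windows what it sees: this is the Authenticode view of the file,
# independent of what the AIR runtime reports about the embedded AIR signature.
$sig = Get-AuthenticodeSignature -FilePath $Installer

[pscustomobject]@{
    File        = $sig.Path
    Status      = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Detail      = $sig.StatusMessage
    Signer      = $sig.SignerCertificate.Subject
    Issuer      = $sig.SignerCertificate.Issuer
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    SignerEnds  = $sig.SignerCertificate.NotAfter
    Timestamper = $sig.TimeStamperCertificate.Subject   # empty when no timestamp is present
} | Format-List

# Fail the build if Windows does not consider the installer validly signed.
if ($sig.Status -ne 'Valid') {
    throw "Installer is not validly signed according to Windows: $($sig.Status)"
}
```

A `Valid` status only confirms that Windows accepts the Authenticode signature on the installer; as the last post shows, a whitelisting product can still apply its own criteria on top of that.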