I'd just like some information about self-signed certificates
if possible. I have read the AIR documentation on this topic, and
I've successfully created and packaged my app and the installation
succeeds and everything works.

I've read up on self-signed certificates as well but I still
don't fully 'get it'.

I used the ADT app to create the certificate. The password
that I entered when creating the certificate, is that the private
key? If so, what is the public key? Is the certificate the public

Also, how do people verify that the app has not been
modified? Do I need to give out the password I used when creating
the certificate? Do you just use a hashing program (such as the md5
CLI app) to view the md5 hash of the .air file and then place this
on the application's download web page so that people can see it
and then check the hash of the file they download is the same? If
so, what is the point of creating the certificate, you can view the
md5 hash of any file whether it has a cert or not..?

Some answers would be incredible, but a link to some good
explanatory documentation would also be great,

Your private key is stored in the keystore (.pfx or .p12)
file that ADT created for you when you created your self-signed
certificate. The file itself is protected by the password you
entered. Don't ever give this file to anyone, and under no
circumstances should you give the password to anyone.

The public key is also stored in the same file. You can
export the public key, embedded in a certificate, from the keystore
file, although you likely won't have any need to do that.

If the resulting .air file is ever modified then the
application won't install. There's no need for users to check the
hash or anything like that to validate the file; it's all done
automatically as part of the installation process.

Hope that helps,
Oliver Goldman | Adobe AIR Engineering
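
The roles described in the answer above (password, private key, public key, and the check that rejects a modified file), as an added example that is not part of the original thread and is not Adobe's code. It is a simplified model using Node.js's built-in crypto module with a plain RSA/SHA-256 signature, not AIR's actual package signature format; all names and sample values are constructed.

```javascript
const crypto = require('crypto');

// Constructed sample values, not taken from the thread.
const KEYSTORE_PASSWORD = 'example-keystore-password';
const PACKAGE_BYTES = Buffer.from('constructed stand-in for the bytes of app.air');

// Model of the keystore: the private key is stored encrypted under the
// password. The password is not the key, it only unlocks the key.
function createKeystore(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8', format: 'pem',
      cipher: 'aes-256-cbc', passphrase: password,
    },
  });
  return { publicKey, encryptedPrivateKey: privateKey };
}

// Signing needs both the keystore contents and the password.
function signPackage(keystore, password, data) {
  return crypto.sign('sha256', data,
    { key: keystore.encryptedPrivateKey, passphrase: password });
}

// Verifying needs only the public key, which can be shared freely.
function verifyPackage(publicKey, data, signature) {
  return crypto.verify('sha256', data, publicKey, signature);
}

function demo() {
  const keystore = createKeystore(KEYSTORE_PASSWORD);
  const signature = signPackage(keystore, KEYSTORE_PASSWORD, PACKAGE_BYTES);
  const tampered = Buffer.concat([PACKAGE_BYTES, Buffer.from('!')]);

  let wrongPasswordRejected = false;
  try {
    signPackage(keystore, 'wrong-password', PACKAGE_BYTES);
  } catch (err) {
    wrongPasswordRejected = true; // key cannot be decrypted without the password
  }

  return {
    originalVerifies: verifyPackage(keystore.publicKey, PACKAGE_BYTES, signature),
    tamperedVerifies: verifyPackage(keystore.publicKey, tampered, signature),
    wrongPasswordRejected,
  };
}

console.log(demo());
```

Unlike a hash posted on a download page, which anyone who alters the file can simply recompute, a valid signature over altered bytes cannot be produced without the private key.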