11 Replies Latest reply on Oct 16, 2009 2:28 PM by DMcQ

    TC Publisher ID for Adobe AIR - easier signing certificate?

    rrhyne
      I was about to go through the burning hoop that is the signing certificate, when I found a link to Chosen Security's
      TC Publisher ID for Adobe AIR. I'm having a hard time finding any info on it other than their press release though.
      Has anyone obtained one of these? Is it easier than a Thawte signing certificate?

      What documents are required?
        • 1. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
          DMcQ Level 1

          I just purchased a TC Publisher ID certificate and am a little stumped in getting AIR to publish with it.

           

          The TrustCenter marketing site's only instructional material for this product, as far as I can tell, is a link to the Adobe docs on using certificates: http://help.adobe.com/en_US/AIR/1.5/devappsflex/WS5b3ccc516d4fbf351e63e3d118666ade46-7ff0.html

           

          There's a little more info in this dev article, but not much: http://www.adobe.com/devnet/air/articles/signing_air_applications_03.html

           

          Both these resources focus on Thawte certificates as a use case, and don't mention what to do if you're using OS X and a TC Publisher ID.

           

          In my own experience, I downloaded the cert directly to my downloads folder from the TrustCenter site. The certificate was instantly picked up by the OS X keychain. I used the Keychain Access app to export a .p12 certificate file from the keychain for use in publishing the AIR app, but I get an "Error creating AIR file: unable to build a valid certificate chain for the signer" when trying to publish with Flex Builder. Without any docs to turn to, I'm stumped.

           

          For people more experienced with keys and certificates this operation might be a no-brainer, but for somebody who is just getting into this there's not much support for the purchase-to-publish process.

           

          Daniel

          • 2. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
            adobe_paul Adobe Employee

            I also got a TC Publisher ID (which, for the sake of others who read this, is actually the same thing as the ChosenSecurity cert described in the documentation).

             

            I just followed the instructions on the page you linked to:

            http://help.adobe.com/en_US/AIR/1.5/devappsflex/WS5b3ccc516d4fbf351e63e3d118666ade46-7ff0.html

             

            The example says Thawte certificate but it worked just the same for me with my TC/ChosenSecurity cert. (Admittedly I'm on Windows, not on Mac.) I think the key is to use Firefox to download the certificate, so that it goes into Firefox's keystore rather than the system keystore (i.e. Keychain on OSX).

            • 3. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
              tzeng Adobe Employee

              You probably don't have the whole certificate chain in the .p12 file while you export the cert.

               

              I am not familiar with the Keychain Access on Mac. I know on Windows, when you export a certificate to .p12 (.pfx) file, there is an option to check to export the whole chain.

              • 4. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
                DMcQ Level 1

                Tzeng,

                 

                Yes, I've seen other postings about this error message suggesting this. However, with the Mac OSX Keychain Access tool, there doesn't seem to be an option to "export the whole certificate chain."

                 

                I can see the complete certificate chain in Keychain Access, and it looks like the entire chain is recognized. I would have thought that the Flash Builder AIR publishing process would ask Keychain Access about the integrity of the chain.

                 

                I guess I just need a testimonial from a mac user who has gotten this to work. However, I am using the new Flash Builder 4 beta, so perhaps this is a bug rather than a procedural problem.

                 

                Thanks for your thoughts.


                Daniel

                • 5. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
                  DMcQ Level 1

                  H. Paul,

                   

                  Thanks for the thoughts. When downloading the certificate from TrustCenter, the Mac OSX Firefox simply gives the usual "save" or "open" options like any other file download. So it doesn't automatically open the cert as mentioned in the docs about Thawte. The TrustCenter (brief) instructions say to simply double-click the download to get it into the OSX keychain (no mention about Firefox).

                   

                  Daniel

                  • 6. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
                    tzeng Adobe Employee

                    Flash Builder calls ADT to publish an AIR file.

                    ADT requires the whole certificate chain in the .p12 file.

                    • 7. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
                      DMcQ Level 1

                      Hmm. So then the trick would be to get Keychain Access to export the certificate with the entire chain intact. However, there doesn't seem to be this option in the Keychain Access application. I'm now wondering if this is some kind of openssl command line foo that I'll need to struggle with. Arg.

                       

                      I feel like TrustCenter should provide a little more documentation on this, since they say to use the OSX keychain to manage the key but don't mention anything about this certificate chain problem.

                       

                      Daniel

                      • 8. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
                        DMcQ Level 1

                        For anybody following this thread, I did find some more info in the AIR 1.5.1 release notes:

                         

                        Full certificate path required for code signing

                        Some certificate vendors (VeriSign for example) do not provide by default the full certificate path; however, this is required for signing AIR applications. For information about creating a keystore with a full certificate chain, see http://access1.sun.com/techarticles/Keytool.html.

                         

                        ...although the link to the Keytool article is dead.

                         

                        Daniel

                        • 9. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
                          tzeng Adobe Employee

                          You can access that page with this URL:

                          http://web.archive.org/web/20080120075237/http://access1.sun.com/techarticles/Keytool.html


                          You can export the certs in the chain separately, then put them together using tools like keytool.


                          • 10. Re: TC Publisher ID for Adobe AIR - easier signing certificate?
                            tzeng Adobe Employee

                            I think Sun has updated their tools and has a tool to manipulate the certs more easily. I don't have the info offhand though.

                            • 11. Solved
                              DMcQ Level 1

                              Tzeng,

                               

                              Thanks for the link, but luckily I won't need to mess with repackaging: It turns out that the instructions from TrustCenter were a little misleading: they said to double-click the downloaded certificate to load it into the keychain. But you actually don't need to do this in OSX, it will actually steer you down the wrong path (trying to get a fully chained cert out of Keychain Access...something I couldn't figure out). You should actually download and then manually load back into Firefox via the certificates dialog (it won't load into Firefox automatically) and then "backup" the certificate back to a new file.

                               

                              Regardless, thanks for your thoughts.

                               

                              Daniel
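
Added example, not part of any reply above and not Adobe's or TrustCenter's code: a shell check, using the openssl command line raised in reply 7, of whether a .p12 carries the full chain that reply 6 says ADT requires, shown on a leaf-only export beside one packaged with its chain. The three-level demo hierarchy, all file names and the password "demo" are constructed, and openssl is used here in place of the keytool route from reply 9.

```shell
#!/bin/sh
# Added example: every subject, file name and the password "demo" is constructed.

# p12_cert_count FILE PASS: number of certificates stored in the PKCS#12 file.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# p12_chain_complete FILE PASS: succeeds only if the signer certificate chains to a
# self-signed root using the CA certificates packaged in the same file.
p12_chain_complete() {
  t=$(mktemp -d) || return 2
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$t/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$t/cas.pem" 2>/dev/null
  # openssl verify may also search the system trust directory; on OpenSSL 1.1.0+
  # add -no-CApath to rely on the packaged certificates alone.
  if grep -q 'BEGIN CERTIFICATE' "$t/cas.pem" 2>/dev/null &&
     openssl verify -CAfile "$t/cas.pem" "$t/leaf.pem" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -rf "$t"; return $rc
}

# build_demo DIR: constructed root -> intermediate -> signer hierarchy, then two exports.
build_demo() {
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter signer; do
      openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -subj "/CN=Demo $n" -out $n.csr
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out inter.pem
    openssl x509 -req -in signer.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 2 -out signer.pem
    cat inter.pem root.pem > chain.pem
    # Leaf-only export versus an export that packages the whole chain (-certfile).
    openssl pkcs12 -export -inkey signer.key -in signer.pem -passout pass:demo -out leaf-only.p12
    openssl pkcs12 -export -inkey signer.key -in signer.pem -certfile chain.pem \
      -passout pass:demo -out full-chain.p12
  ) >/dev/null 2>&1
}

d=$(mktemp -d); build_demo "$d"
for f in leaf-only full-chain; do
  if p12_chain_complete "$d/$f.p12" demo; then s=complete; else s=INCOMPLETE; fi
  echo "$f.p12: $(p12_cert_count "$d/$f.p12" demo) cert(s), chain $s"
done
```

Run against a real export, the two functions take the .p12 path and its password; a count of 1 with an incomplete chain matches the leaf-only situation described in reply 3.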