1 Reply Latest reply on Aug 14, 2008 1:41 PM by Oliver Goldman

    Signed JavaScript?

      From the Dev Center article Introducing the Adobe AIR Security Model, regarding the loading of remote scripts into your application:
      "In the event that your server is compromised, or if you do not perform that code loading very diligently (that is, sign the script with your certificate and subsequently verify the validity of the signature)..."

      How would one go about this? I understand that there are tools that will sign a JavaScript file and generate a Java .jar file that is then referenced by the ARCHIVE attribute of the SCRIPT tag. How then would my AIR application go about verifying this signature? What kind of certificate would one need? (At thawte.com, for example, there is no "JavaScript certificate" option—is JavaScript signable with the same certificate I would purchase for signing AIR applications?)
        • 1. Re: Signed JavaScript?
          Oliver Goldman Adobe Employee
          There's no out-of-the-box solution for this that we're aware of. One relatively straightforward approach, although still not simple, would be to package your script in an .air file, as if it was another application. You could then use the XMLSignatureValidator API to assist with signature validation.
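
Added example, not part of the original thread and not Adobe code: the verify-before-load check the question asks about, shown with Node.js's built-in `crypto` module as a stand-in, since the thread contains no AIR code. The Ed25519 key pair, the sample script and all function names are constructed for illustration; an AIR application would instead validate the packaged signature along the lines the reply suggests.

```javascript
// Added example (Node.js stand-in, not AIR API code).
const crypto = require('crypto');

// Constructed key pair standing in for the publisher's signing key.
// Only the public half would ship inside the application.
const publisher = crypto.generateKeyPairSync('ed25519');
const PINNED_PUBLIC_KEY_PEM = publisher.publicKey.export({ type: 'spki', format: 'pem' });

// Publisher side: detached signature over the exact bytes that will be served.
function signScript(scriptBytes, privateKey) {
  return crypto.sign(null, scriptBytes, privateKey).toString('base64');
}

// Application side: return the script text only if the signature verifies
// against the key pinned in the application; otherwise return null.
function verifyScript(scriptBytes, signatureB64, pinnedPem) {
  let ok = false;
  try {
    const key = crypto.createPublicKey(pinnedPem);
    ok = crypto.verify(null, scriptBytes, key, Buffer.from(signatureB64, 'base64'));
  } catch (e) {
    ok = false; // a malformed key or signature counts as a failed check
  }
  return ok ? scriptBytes.toString('utf8') : null;
}

// Constructed sample "remote" script and the download scenarios to compare.
const served = Buffer.from('function greet(n) { return "hello " + n; }', 'utf8');
const goodSig = signScript(served, publisher.privateKey);
const tampered = Buffer.from(served.toString('utf8') + '\n/* modified in transit */', 'utf8');
const foreignSig = signScript(served, crypto.generateKeyPairSync('ed25519').privateKey);

// True means the script would be handed to the loader; false means rejected.
function demo() {
  const accepted = (bytes, sig) => verifyScript(bytes, sig, PINNED_PUBLIC_KEY_PEM) !== null;
  return {
    intact: accepted(served, goodSig),
    tampered: accepted(tampered, goodSig),
    foreignSigner: accepted(served, foreignSig),
    garbageSig: accepted(served, 'not-a-signature'),
  };
}

console.log(demo());
```

The check runs over the downloaded bytes before anything is evaluated, and the trusted key comes from the application itself, never from the server that delivers the script.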