7 Replies Latest reply on May 1, 2008 12:58 PM by Oliver Goldman

    Digitally signing AIR apps for the client

    Czajka Level 1
      How does a developer digitally sign a client's application without requiring the client to have to purchase the certificate? We want to do this for them. Are there any options for the developer?
        • 1. Re: Digitally signing AIR apps for the client
          tzeng Adobe Employee
          You need to have a certificate for the client.

          -ted
          • 2. Re: Digitally signing AIR apps for the client
            Czajka Level 1
            So, they need to buy it and give it to us? They may have a problem with the process - downloading Firefox, etc. There is no way for one party to give approval to another to do this?
            • 3. Re: Digitally signing AIR apps for the client
              tzeng Adobe Employee
              You need to talk to those companies that issue certificates about this.

              -ted
              • 4. Digitally signing AIR apps for the client
                Czajka Level 1
                What happens when a certificate applied to an AIR app. expires? Does anyone know the technical details of the process? Is the expiration date embedded in the certificate? Will the installer just revert to an UNKNOWN publisher or present another message, such as certificate expired? Will the installer still work?

                My Web guy thinks we can purchase the certificate for our client after discussing this process with them, by being listed as the technical contact and getting their contact info (like we can with SSL certificates). We do NOT want to put the customer through the below steps. There is a document though on Thawte's website that says the business and technical contacts must be from the same company though. This document (https://www.thawte.com/guides/pdf/enroll_codesign_eng.pdf) says nothing about AIR though.

                Here's some text Thawte sent me:

                ------------------

                ENROLLING:

                1. Visit https://www.thawte.com/process/retail/new_devel?language=en&productInfo.productType=devel 2
                2. Select the Adobe AIR Developer Certificate
                3. Enter the required information in the enrollment process "step 1 Configure your enrollment"

                Note: As part of this process a private/public key pair will be generated by thawte. The private key will be automatically stored within the Firefox keystore.

                4. Click Submit to complete your enrollment.
                5. Click Accept after confirming that all information entered on the enrollment page is correct.
                6. After the certificate is issued, log into the status page using the link provided in the confirmation email to download the certificate.
                7. Click on "Fetch Certificate" and the certificate will automatically be saved to the Firefox keystore.
                8. Export the private key and certificate from the Firefox keystore.

                The exported file can now be used to sign the Adobe Air application.

                -----------------------

                FIREFOX INFO:

                You must use FireFox to initiate the Adobe AIR developer certificate browser and to obtain the certificate.

                1. Visit https://www.thawte.com/process/retail/new_devel?language=en&productInfo.productType=devel 2
                2. Select the Adobe AIR Developer Certificate
                3. Enter the required information in the enrollment process "step 1 Configure your enrollment"

                Note: As part of this process a private/public key pair will be generated by thawte. The private key will be automatically stored within the Firefox keystore.

                4. Click Submit to complete your enrollment.
                5. Click Accept after confirming that all information entered on the enrollment page is correct.
                6. After the certificate is issued, log into the status page using the link provided in the confirmation email to download the certificate.
                7. Click on "Fetch Certificate" and the certificate will automatically be saved to the Firefox keystore.
                8. Export the private key and certificate from the Firefox keystore with this solution: SO6899

                The exported file can now be used to sign the Adobe Air application.

                A guide to signing the application can be found in SO6896

                Note: When exporting the private key and certificate from Firefox, it will be exported in a .p12 (pfx) format which ADT, Flex, Flash Authoring, Dreamweaver, and Aptana tools can consume.

                Thawte will perform an Identity verification process, which may take 2-5 working days, and may need additional information.

                https://www.thawte.com/ssl-digital-certificates/free-guides-whitepapers/pdf/enroll_codesign_eng.pdf

                After verification is complete, Thawte will email you instructions on how to retrieve the certificate.

                Please make sure that you retrieve the certificate using Firefox.

                -----------------------

                How to export the private key and certificate from Firefox to sign Adobe® AIR™ applications

                Solution ID: SO6899

                Adobe®AIR™ Developer Certificates can use a .pfx or a .p12 file to sign applications. Please follow the steps below to export the certificate with the private key from Firefox:

                1. A. Start Firefox
                B. Select Tools
                C. Select Options
                D. Select Advanced
                E. Select Certificates
                F. Select Manage Certificates
                Note: On a MAC OS go to Firefox > Preferences > Advanced > Certificates > Manage Certificates

                2. Select your signing certificate you retrieved from the status page and click the Backup button.
                3. Enter the file name and location to export the certificate and private key to and click Save.
                4. If you are using the Firefox Master Password, you will be prompted for your master password for the software security device.
                5. From the "Choose a certificate backup" password dialog box, enter a password to create/export the certificate.
                6. Enter the password twice and click OK. You should receive a successful backup password message.
                7. Use this .p12 (pfx) file within ADT, Flex, Flash Authoring, Dreamweaver, or Aptana tool.
                When prompted for a password, use the password for the .p12 file export in step 5.
                8. Sign the application.

                -----------------------

                Follow the steps below to sign Adobe®AIR™ applications:

                1. Open AIR Application and Installer Settings from the Adobe Air application
                2. Click Set button under Installer settings, next to Digital signature
                3. In the Digital Signature dialog box, click Browse.
                4. Select the certificate.
                5. Enter a password.
                6. Click OK

                The application now has the digital signature applied.

                • 5. Re: Digitally signing AIR apps for the client
                  Oliver Goldman Adobe Employee
                  When the certificate expires any AIR file signed with it, assuming it is timestamped, will continue to install and the publisher will continue to be displayed. (Timestamping is done by default, but can be explicitly disabled.)

                  An expired certificate cannot be used to sign any new AIR files. When your certificate expires, you can purchase a renewal from your certificate provider.

                  You and your client should think carefully about the implications of purchasing a certificate as you're describing here. If you perform the purchase for them, you'll have access to their private key. Even if your customer trusts you with this, you should consider whether or not you want to take on the responsibility of securing this key. If the key is compromised, so is your customer's business and reputation.

                  Exporting the key from Firefox is really the only tricky bit of the process--most of it is just filling out web forms, which I suspect your customer is familiar with. You might consider simply assisting your customer with the export process but still performing the process on their machine.

                  regards,
                  Oliver Goldman | Adobe AIR Engineering
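
Added example, not part of the thread or of Thawte's or Adobe's material: the expiry date asked about above is carried in the certificate's notAfter field, so an exported .p12 can be checked with OpenSSL before it is used for signing. The self-signed certificate, file names and password here are constructed stand-ins for a CA-issued certificate; the password is passed through the environment so it does not appear in the process list.

```shell
#!/bin/sh
# Added example: inspect an exported .p12 before handing it to a signing tool.
# Everything here is constructed: a throwaway self-signed certificate stands in
# for a CA-issued one; file names and the password are placeholders.
WORK=$(mktemp -d)
P12="$WORK/signer.p12"
P12_PASS='constructed-export-password'
export P12_PASS   # read by openssl via env:, never placed on a command line

# Build a throwaway key and 30-day certificate, then bundle them as PKCS#12.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Constructed Publisher" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
  -out "$P12" -passout env:P12_PASS

# Print the signing certificate held in the .p12 ($1) as PEM.
p12_cert() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509
}

# Expiry date (notAfter) embedded in the certificate.
p12_not_after() {
  p12_cert "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# Succeeds only if the certificate is still valid $2 days from now.
p12_valid_in_days() {
  p12_cert "$1" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds only if the private key in the .p12 belongs to the certificate.
p12_key_matches() {
  pub_from_key=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
    2>/dev/null | openssl pkey -pubout 2>/dev/null)
  pub_from_cert=$(p12_cert "$1" | openssl x509 -noout -pubkey)
  [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

echo "notAfter: $(p12_not_after "$P12")"
p12_valid_in_days "$P12" 7  && echo "valid for at least 7 more days"
p12_valid_in_days "$P12" 60 || echo "expires within 60 days: plan the renewal"
p12_key_matches "$P12" && echo "private key matches certificate"
```
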

                  • 6. Re: Digitally signing AIR apps for the client
                    Czajka Level 1
                    Thanks Oliver. Would a developer/publisher purchase a new certificate for each new application or just one certificate for all the applications they were developing that year? What would prevent them from only using 1?

                    I understand updates require the use of the same certificate as the original application.
                    • 7. Re: Digitally signing AIR apps for the client
                      Oliver Goldman Adobe Employee
                      Typically a publisher would purchase just one certificate for use with multiple applications.

                      Updates do require the same certificate, but it should be noted that for update purposes renewals of a certificate qualify as being the same as the original.

                      Oliver Goldman | Adobe AIR Engineering