My company renewed an expired certificate and we use it to sign the updated AIR application. But during installation, AIR considers it a new application, NOT an update of the original one.
I compared the renewed certificate and the expired one and found the issuer is different: the new one's issuer is "VeriSign Class 3 Code Signing 2009-2 CA" but the expired one's issuer is "VeriSign Class 3 Code Signing 2004 CA".
I would like to know if AIR uses the issuer to compute the publisher ID of an application. Is there any solution to solve this issue and make the newly signed application an update of the original one?
AIR uses the certificate chain back to the root certificate for determining the publisher ID. If any information in the distinguished name fields of the root or intermediate certificates is changed, then the publisher ID won't be the same. While Certificate Authorities like Verisign don't change their certificates very often, they can. My guess is that Verisign retired the older certificate used to sign your expired code signing certificate.
The moral of the story is not to renew your certificates BEFORE they expire.
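A pre-release check based on the answer above, as an added example that is not part of the original thread and not AIR's own code: it compares the distinguished names of the CA certificates in the old and renewed chains, which the answer says feed the publisher ID. It does not compute the publisher ID itself; the function names are hypothetical, and every DN field other than the two issuer CNs quoted in the question is constructed.

```python
import re

# Constructed sample chains, leaf first and root last. Only the two issuer CNs
# come from the question; every other field is a made-up placeholder.
OLD_CHAIN = [
    "CN=Example Co,O=Example Co,C=US",
    r"CN=VeriSign Class 3 Code Signing 2004 CA,O=Constructed CA\, Inc.,C=US",
    r"CN=Constructed Root CA,O=Constructed CA\, Inc.,C=US",
]
NEW_CHAIN = [
    "CN=Example Co,O=Example Co,C=US",
    r"CN=VeriSign Class 3 Code Signing 2009-2 CA,O=Constructed CA\, Inc.,C=US",
    r"CN=Constructed Root CA,O=Constructed CA\, Inc.,C=US",
]


def parse_dn(dn):
    """Group an RFC 4514-style DN by attribute, honouring backslash-escaped commas."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        attrs.setdefault(attr.strip().upper(), []).append(
            value.strip().replace("\\,", ","))
    return attrs


def ca_dn_changes(old_chain, new_chain):
    """Return (level, attribute, old_values, new_values) for every DN field that
    differs between the CA certificates of two chains (level 1 = leaf's issuer)."""
    old_cas, new_cas = old_chain[1:], new_chain[1:]
    if len(old_cas) != len(new_cas):
        return [(0, "CHAIN-LENGTH", [str(len(old_cas))], [str(len(new_cas))])]
    changes = []
    for level, (old_dn, new_dn) in enumerate(zip(old_cas, new_cas), start=1):
        old, new = parse_dn(old_dn), parse_dn(new_dn)
        for attr in sorted(set(old) | set(new)):
            if old.get(attr) != new.get(attr):
                changes.append((level, attr, old.get(attr), new.get(attr)))
    return changes


if __name__ == "__main__":
    for level, attr, old, new in ca_dn_changes(OLD_CHAIN, NEW_CHAIN):
        print(f"CA level {level}: {attr} changed {old} -> {new}")
```

Any non-empty result means the renewed certificate chains to CA certificates with different distinguished names, which is the condition the answer describes for the publisher ID changing.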