I'm not entirely sure my problem comes from RewriteRule but I've searched this forum for topics on corrupted AIR files and the Install Badge and tried almost every possible tip with no luck so I thought maybe my special issue comes from it...
Here we go:
I have a server-side script that builds AIR apps which are supposed to be installed (via an Install Badge). Those AIR apps are not stored at a public URL (for security reasons) but read (via PHP) when a specific URL is called. Let me give you an example (with fake paths) :
The server-side built AIR app is store at /srv/data/air/myApp.air
The air.php uses the GET id to read the AIR file :
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false);
header("Content-Disposition: attachment; filename=$name;" );
With $mimeType="application/vnd.adobe.air-application-installer-package+zip" and $name="999.air"...
When accessing the rewritten URL directly with a browser, everything is fine: the AIR file can be downloaded and installed as expected.
But! When using an Install Badge linking to that URL, I get the nasty "The application could not be installed because the AIR file is damaged" message...
And here's what's stored in .airappinstall.log:
Starting app install of http://(...)/9889.air
UI SWF load is complete
Downloading file to C:\Documents and Settings\Quentin\Local Settings\Temp\fla19D.tmp
Received HTTP Response Status event
Response URL is http://(...)/9889.air
Downloaded file is not an air file.
starting cleanup of temporary files
application installer exiting
OK, I've got news.
In fact I realized the appurl set in the Install badge is (obviously) not called directly but by a script located at http://adobe.com/apollo... So your my session is not available in the script that is called and that reads the actual AIR file. So I can't check wether the user requiring the file has the right to. At least, not the way I intended to do it...
I will keep you updated if I find something!
Well, I found a way to fix that...
I also pass some client data in the URL so I can checks rights and stuff in the script, without relying on session... With a bit of MD5 magic for a little more security.
That's it: the culprit was not RewriteRule, but the session that could not go from the page where the Install Badge is to the script where the AIR file is provided.