1 person found this helpful
Yes, the same thing applies in AIR 2.7. I think Flex has added some support for modules since Ethan's blog post was written, but I don't believe that support includes security for remote code.
I wrote an article covering the signature and validation aspects of the problem: http://www.adobe.com/devnet/air/flash/quickstart/articles/xml_signatures.html (which is also linked to from the comments on Ethan's blog, so you might have already seen it).
Thank you for that great article!
Based on this and your code example I added the signature checking to my application in the following way. Could you please tell me whether this is correct and secure?
I load the signatures.xml from the remote update package aswell as the signatures.xml from "app:/META-INF/signatures.xml" (signature file from locally installed air file).
Then i continue to process the file only if (remoteXmlSig..signatureNS::X509Certificate == localXmlSig..signatureNS::X509Certificate) since I only want to allow plugins that were signed with the same certificate as the installed air application.
2. I run your validation code but with
verifier.useSystemTrustStore = false;
in the "verifyManifest" function I add every file that was successfully validated into an array
in the end I use only the files within this array to update my application.
Is that correct?
That sounds right. Of course the only way to be reasonably sure it works is to test it!