5 Replies Latest reply on Apr 5, 2012 1:14 AM by Rajshree K

    How to migrate certificate for a native installer

    Anatoly Paraev Level 1


      We have a native AIR app that uses some native files, so it needs to be packaged using "adt -package -target native [files...]" command and cannot be created as an AIRI file.
      We include the SWF file, the app description XML and the required native files into the installer, and we also include our code signing certificate into this command line, and everything worked great.
      Recently our code signing certificate expired, and we released an update with a new certificate.
      However on the machines where our application had been installed previously, installation fails with the following error.
      The certificate of the installed app fails to match either the signature or migration signature of the AIR file
      It turns out that AIR framework expects a migration signature for applications that had been installed before and changed certificate.
      The problem is that "adt -migrate" command expects an .AIR file, and fails to migrate a native installer (such as .EXE or .APP).
      How should we migrate a native installer? is there any option in adt to do this?
      Thank you in advance,

        • 1. Re: How to migrate certificate for a native installer
          Anatoly Paraev Level 1

          Any answer from the AIR team?

          • 2. Re: How to migrate certificate for a native installer

            I had a similar situation.. did following and it worked.


            1) Package the AIR application using the new certificate.

            2) apply the migration step on the .air file from step1

                      e.g  adt -migrate -storetype pkcs12 -keystore <<old cert path>> firstStep.air  migratedApp.air


            3) package the  migrated air (from step 2) using the native package command,  but this time use the new certificate.

                 i.e.  adt -package -target native  -storetype pkcs12 -keystore <<new cert>> myNativeExe.exe migratedApp.air



            Important point is:  when you are signing / migrating with old certificate. The old certificate should be a valid one. if it's expired already, it should be within its active Grace period.


            The installed application which are signed with old certificates, and if your old certificate is out of the grace period, then they won't be able to upgrade to the new version.


            Hope this helps.



            • 3. Re: How to migrate certificate for a native installer

              I know this is an older post, but it helped me find out how to make the migration procedure for native installer. I tried it with self signed certificate created by ADT tool and everything went fine.

              But now, we obtained a commercial AIR signing certificate from Thawte and the process failes in step 3) ADT saying

              'Certificate in PATH_TO_P12 could not be used to sign setup.msi' on Windows.


              On mac, it says that signing native installer on OSX is not supported, so I skipped the signing option in step 3) and it worked fine.

              I can skip the signing option on Windows as well and the process succeeds, but running the installer on machines with previous versions of application results in "Installer mis-configured' error message - the same error as if the migration process was not applied.


              I already contacted Thawte if it is a certificate issue, reply from them was 'AIR certificate can only sign .air applications'. But when I build a native application directly from FlashBuilder and sign it with the Thawte certificate the whole process seem to succeed. The application can be installed on machines without previous version of the application. Those who already have the older version get the 'Installer mis-configured' error message.


              I want to mark out again, that the same process but with a self signed certificate created with ADT, is successfull and the application can be installer as an update on machines with older version of the app. So I assume the workflow is correct.


              Any ideas? Or somebody having the same issue?



              • 4. Re: How to migrate certificate for a native installer
                martin_janik Level 1

                Ok, it seems that if I skip the sign option in the step 3, the installer don't give the mis-configured error. When I tried before, it must have been some bad certificate combination . I was trying a lot of them to make it work.

                • 5. Re: How to migrate certificate for a native installer
                  Rajshree K

                  can i use native process in flex web project?