How to Sign an Adobe AIR Application Using Flex SDK

Sign Adobe Air Application

Note: Due to new CA/B, All code signing certificates now stored on FIPS 140-2 or Common Criteria EAL 4+ compliant Hardware Security Module (HSM) or Yubikey USB tokens. So, code signing certificates will no longer be exportable or no direct link issuing process.  

Adobe AIR is one of the great products among several for building desktop and mobile applications. It is an integrated runtime environment that supports applications for Windows, macOS, and mobile operating systems.

After developing desktop or mobile apps on Adobe AIR, developers are required to digitally sign them before users can install those on their devices. Doing so will help instill trust and boost the confidence of your audience in your company to download and use your Adobe AIR apps.

In this article, we’ll talk about how you can sign your Adobe AIR application using Flex SDK. But first, let’s get to know why you should sign an AIR application.

Why Sign Your Adobe AIR Applications?

Whenever users download your AIR applications, they trust you for making the application secure and free from any malware or vulnerability. They don’t like anyone to be sniffing around their financial data or stealing sensitive information from their system.

They want to feel confident that the software is safe for download, installation, and use. Apart from being a great developer and releasing your application to the world, it’s your responsibility to make it safe for your users.

They should know that the software is coming from a reliable vendor, and hasn’t been modified by anyone else since the release. Though there isn’t much you can do about others modifying or injecting malicious actors into your software code and distributing it on your behalf.

What you can do instead is digitally sign an AIR application using Flex SDK which alerts users that the app is from a verified publisher. And if they download the modified version of your app from elsewhere, they should be notified that the app is from an unknown and unreliable publisher.

By digitally signing Adobe AIR Application from a trusted Certificate Authority like Certera, Sectigo or Comodo or their distributors, you can improve the trustworthiness of your organization. These CAs offer code signing certificates that help your users verify the source and authenticity of the code.

Moreover, signing an AIR application from a CA also allows customers to verify your organization’s affiliation to ensure others can’t sign the certificate. Doing so further helps eliminate the possibility of developing apps under fake company names.

Process of Digitally Signing Adobe AIR Application

You shouldn’t wait for the last moment to sign your Adobe AIR app before releasing it. You must plan it well in advance and get yourself acquainted with the process.

The digital signing process involves a lot of administrative work for obtaining the code signing certificate from a trusted CA. You cannot release software with the self-signed certificate used for pre-production & testing purposes and then update it with an actual certificate.

Understand that the software released with a certificate can only be updated using an app with the same certificate to maintain consistency. Also, you want to secure your code signing certificate’s credentials and store them in a safe hard drive that no unauthorized person can access.

Coming to the obtaining part of the code signing certificate, Adobe AIR applications use the operating system’s Keystore and trust what it trusts. The certificate is only required when the application reaches the distribution stage. For the development stage, you can self-sign the application without needing to apply for a digital code signing certificate with CA.

But once it is developed, you can sign an AIR application using the Flex SDK. Here’s how you can do so:

adt -package -storetype pkcs12 -keystore <your_PFX_file> -storepass password YourApp.air YourApp-app.xml YourApp.swf

  • The full path to PFX/P12 file that contains the code signing certificate is <your_PFX_file>
  • Change the password of your digital signing certificate from password to any suitable unbreakable password

Procuring your code signing certificate from renowned CAs like Sectigo and Comodo is necessary as they offer better security protocols. Since they have rigorous business vetting to authenticate the software publisher, it’s highly unlikely that your app gets compromised.

Wrapping Up

Signing your Adobe AIR using Flex SDK is a simple process as described in this article. However, there are several other options available for digitally signing Adobe AIR applications but the process is the same.

You first need to obtain a valid code signing certificate from a certificate authority or their distributors. Then make it available in a proper file format like P12 or PFX and then digitally sign the Adobe AIR application within the development tool. Once done, your AIR application becomes ready for distribution. This concludes our guide on how to sign an AIR application using Flex SDK.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.