Marc Hughes

I am a developer from a bit west of Boston.

Self signed vs. CA signed AIR apps

01 Mar 2008

I got my official Thawte code-signing certificate this week.  It turns out you can't upgrade an application from a self-signed to a CA-signed version in AIR.  If you have the same problem you might be interested in the solution I'm going to use.

First, here's my goals:

  1. Migrate people to the new CA signed version
  2. Don't force most people with the Self-Signed version to upgrade immediately
  3. Keep both self and CA signed versions up to date (for a limited amount of time)

I'll be moving the website download to the signed version 
  • New people will get the signed version.
  • Existing users who go to the website to upgrade will be told they can't install it.  Those people will have to manually uninstall their version, and install the new signed version.

I have an auto-upgrade option in the software.  Most people use this to upgrade.  Previous versions checked a file called appUpdate.xml to see if there was an available update.  I'll start publishing two versions of that file.
  • appUpdate.xml - This will continue to point to the self-signed version
  • signedAppUpdate.xml - This will point to the new CA-signed version
In my application, I'll add code to determine which of those to choose.  Luckily, the nativeApplication.publisherID variable will be different depending on how the AIR app was signed.

if( nativeApplication.publisherID == "MYSIGNEDPUBLISHER_ID" )


// This is our officially signed version

appUpdater.updateURL = "";




// This is our self signed version

appUpdater.updateURL = "";


And finally, I update my ANT build script so I generate two different .air files, and create both the appUpdate XML files.

I'll also put a nag into the self-signed version's upgrade window saying something like:

We've recently started cryptographically signing our applications for your safety.  Unfortunately, you can't upgrade from a non-signed version to a signed version.  For your security we suggest that you uninstall this unsigned software and then download and install from our website.  You may continue using unsigned versions if you prefer.

And then someday I'll completely disable the auto-update of the self-signed version when enough people have migrated over.