One of the unique and I think attractive aspects of working with Adobe AIR is that you can provide your users with proof of a safe, tamper-free installation file, by using a security certificate. This is great for small shareware apps that are notoriously dodgy and suspicious. Adobe has just rewarded my use of Adobe Marketplace by offering me a complimentary 1-year Class 3 code-signing certificate from Thawte, which is worth $300 – thanks, guys!
So of course, in good Dutch tradition I’ll not be letting that go to waste. But although I think it’s great to provide reassurance and a smooth experience to users, the AIR documentation leaves me a bit… apprehensive as to what my own user experience is going to be. So here goes: getting my AIR app digitally signed.
Starting situation
I’ve submitted the Telexer application to numerous shareware download sites. These sites often request a so-called PAD file for submission, and they have their processes automated around the traditional software idiom of computer platform and executable file to download. This means that in some cases I submitted the same file to the site’s Windows, Mac and Linux sections. I am happy to note they all accepted my odd newfangled .air file! It also means that these sites feature a direct download URL to the versioned .air file – not to the install badge that would provide users with a smooth and easy installation.
If and when I update the version, I have to notify the numerous download sites of my changed URL – which is a bother, of course. I’m not sure if I could have one unchanging file name and just a version number update, to trigger the automated AIR app update process – I haven’t tried it.
Bears on the road
At the moment, the check for most recent version happens only in the licensed version. So what I’d like to happen is that when somebody has downloaded a trial from some archive site, and some time later decides to get the licensed version, that the app politely offers to upgrade to latest version if there is any. This way a user doesn’t need to de-install & re-install; there’s one easy, smooth, and therefore very desirable flow of checking, downloading, and updating files; it’s how a grown-up & well-connected app should behave.
It’s what will happen when I continue to use the self-signed certificate. When I move over to a signed certificate, it seems I can use the old, current, self-signed one as a migration signature for as long as I like – good. Adobe Help states: “As of AIR 1.1, you can migrate an application to use a new certificate using the -migrate command.” But to actually sign my app with the migratory sig, I apparently need to use a special set of command line tools… oh boy… I can see a lot of testing coming my way.
In a year, I either need to renew the Thawte certificate, or resume using the self-signed option. So I’ll probably be updating with a migration signature for the whole year, just to keep my options open. And I’m really not looking forward to learning the ins and outs of the ADT command line tool.
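As an added illustration (this is not code from the post, nor Adobe’s documentation verbatim), here is the ADT command sequence for exactly this migration step: the package is signed with the CA-issued certificate and carries the previous self-signed certificate as a migration signature, so the app keeps its identity and installed trial copies can still update in place. The file names (thawte.p12, selfsigned.p12, Telexer-app.xml, Telexer.swf) are placeholders I have assumed. -storepass is left out on purpose so ADT prompts for each keystore password instead of the password landing in shell history. To my knowledge, ADT from AIR 1.5.3 on accepts -migrate inside -package; AIR 1.1 to 1.5.2 apply the migration signature in a second step with the separate -migrate command the post quotes, which the second function shows.

```shell
#!/bin/sh
# Added example, not from the original post: re-sign an AIR package with a
# CA-issued certificate and attach the previous self-signed certificate as a
# migration signature, so the application keeps its identity.
#
# Assumed placeholder files (not the author's real paths):
#   thawte.p12      new, CA-issued code-signing certificate
#   selfsigned.p12  old certificate the app has been published with so far
#   Telexer-app.xml, Telexer.swf   application descriptor and content
# ADT prompts for each keystore password because -storepass is omitted on purpose.
# Set DRY_RUN=1 to print the adt commands instead of running them.

ADT="${ADT:-adt}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to continue if either keystore is missing: a package signed without
# the migration signature would install as a different application.
check_keystores() {
    for ks in "$@"; do
        if [ ! -f "$ks" ]; then
            echo "missing keystore: $ks" >&2
            return 1
        fi
    done
}

# ADT from AIR 1.5.3 on: new signature and migration signature in one command.
# Usage: package_with_migration NEW.p12 OLD.p12 OUT.air app.xml files...
package_with_migration() {
    new_ks="$1"; old_ks="$2"; out="$3"; shift 3
    check_keystores "$new_ks" "$old_ks" || return 1
    run "$ADT" -package \
        -storetype pkcs12 -keystore "$new_ks" \
        -migrate -storetype pkcs12 -keystore "$old_ks" \
        "$out" "$@"
}

# AIR 1.1 to 1.5.2: sign with the new certificate, then add the migration
# signature with the separate -migrate command (input file, then output file).
# Usage: package_then_migrate NEW.p12 OLD.p12 OUT.air app.xml files...
package_then_migrate() {
    new_ks="$1"; old_ks="$2"; out="$3"; shift 3
    check_keystores "$new_ks" "$old_ks" || return 1
    unmigrated="${out%.air}-unmigrated.air"
    run "$ADT" -package -storetype pkcs12 -keystore "$new_ks" "$unmigrated" "$@" &&
    run "$ADT" -migrate -storetype pkcs12 -keystore "$old_ks" "$unmigrated" "$out"
}

# Example invocation (dry run, so it is safe to try without ADT installed):
# DRY_RUN=1 package_with_migration thawte.p12 selfsigned.p12 Telexer.air Telexer-app.xml Telexer.swf
```

Whichever ADT version applies, the thing to check before shipping is that the output .air really carries both signatures: install it over an existing self-signed copy on a test machine and confirm it is treated as an update rather than as a second, unrelated application.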
Why use the certificate at all?
I really would like to keep the smooth update experience – so, no messing with the app’s identity if I can help it; I’ll be using the migration option. Also, I would like to turn those two red warning signs in the AIR installer off, preferably to bright, happy green, somehow. With Thawte (slogan: “your Internet trust provider”), I’ll get rid of one red flag, but it’ll merely turn to yellow. It’s nice to show you’re considered secure, but will it be enough to reassure users? When all else in the process is strange? Well, the only solution to counter strangeness is to start behaving like it’s normal, so I will go for it. If we didn’t do that, all innovation would grind to a halt on the argument that it’s not what people are used to…
But I’m not convinced that it’s the commercially sensible thing to do; nor do I relish the coming experience I’ll be having with Adobe AIR’s command line publishing tool.
Thawte process: first step
The first step in acquiring the certificate, a .p12 file that you use when publishing your AIR file, is filling out a form on the Thawte site, where you supply them with your company’s details and contact info. For example, they ask for your company’s invoice tax number. They will then check to see if the company is genuine. As my company is Dutch, I wondered if a Dutch tax ID number would be easily verifiable. But Thawte is good… I just received a telephone call where a Thawte operative checked my name & number, and when I asked if they had been able to check the tax ID, the guy said they checked with the KvK instead – the “Kamer van Koophandel”, the Dutch organisation where companies are registered. Which is the way to go, here. And my KvK registration checked out, so he confirmed that I would receive the key as soon as the payment had cleared. This call was about three hours after I had submitted the form. So far, so good; very smooth!
–to be continued–