Privileged Modules: HOWTO validate signatures

In previous blog posts and presentations, I’ve talked about the need to do signature validation before importing a module into an AIR application. People asked for specifics, but I haven’t managed to figure out all the details and document them well enough for common use.
Luckily, Charles “Joe” Ward has figured it out. Joe’s article on the Developer Center walks us through the steps needed to validate the signature of a resource, and how to sign the resource in the first place using ADT or our own Java code.
Using these techniques, it’s possible to load privileged modules into your AIR app. Download the module files (SWFs, say) along with their signature files. Store them somewhere local (app-storage: is good, app: is bad). Validate that they’re really the modules you developed and signed, then import them (using loadBytes() with allowLoadBytesCodeExecution enabled).
Read “Creating and validating XML signatures”.
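
The download, validate, import flow described above, as an added ActionScript sketch that is not code from this post or from Joe's article. It assumes a detached signature stored beside the module as `<module>.sig.xml` with a single Reference whose URI is the module's file name, and a DER-encoded signing certificate shipped in the app at `certs/modules.der`; the class name and both paths are hypothetical.

```actionscript
package {
    import flash.display.Loader;
    import flash.events.*;
    import flash.filesystem.*;
    import flash.security.*;
    import flash.system.LoaderContext;
    import flash.utils.ByteArray;
    import flash.utils.IDataInput;

    // Hypothetical helper: verifies a detached signature over a module, then imports it.
    public class SignedModuleLoader implements IURIDereferencer {
        public var loader:Loader = new Loader();
        private var validator:XMLSignatureValidator = new XMLSignatureValidator();
        private var moduleName:String, moduleBytes:ByteArray, covered:Boolean = false;

        public function load(name:String):void {
            moduleName = name;
            var dir:File = File.applicationStorageDirectory;   // app-storage:, never app:
            moduleBytes = readAll(dir.resolvePath(name));      // read once; these exact bytes get loaded
            var sig:XML = new XML(readAll(dir.resolvePath(name + ".sig.xml")).toString());
            // Pin the signer: only the certificate shipped inside the app is a trust anchor.
            validator.useSystemTrustStore = false;
            validator.addCertificate(readAll(File.applicationDirectory.resolvePath("certs/modules.der")), true);
            validator.uriDereferencer = this;
            validator.addEventListener(Event.COMPLETE, onVerified);
            validator.addEventListener(ErrorEvent.ERROR, onRejected);
            validator.verify(sig);
        }
        // Called by the validator for each Reference; serve only the in-memory module bytes.
        public function dereference(uri:String):IDataInput {
            if (uri != moduleName) throw new Error("unexpected reference: " + uri);
            covered = true;                                    // the signature really covers this module
            moduleBytes.position = 0;
            return moduleBytes;
        }
        private function onVerified(e:Event):void {
            var ok:Boolean = covered && validator.validityStatus == SignatureStatus.VALID
                && validator.identityStatus == SignatureStatus.VALID
                && validator.referencesStatus == SignatureStatus.VALID;
            if (!ok) { moduleBytes = null; return; }           // fail closed
            var ctx:LoaderContext = new LoaderContext();
            ctx.allowLoadBytesCodeExecution = true;            // enabled only after validation succeeded
            moduleBytes.position = 0;
            loader.loadBytes(moduleBytes, ctx);
        }
        private function onRejected(e:ErrorEvent):void { moduleBytes = null; }
        private static function readAll(f:File):ByteArray {
            var s:FileStream = new FileStream(), b:ByteArray = new ByteArray();
            s.open(f, FileMode.READ); s.readBytes(b); s.close();
            return b;
        }
    }
}
```

The module is read from disk once and the same ByteArray is both validated and passed to loadBytes(), so a file swapped in app-storage: after validation never gets executed.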
