Certificates and Application Identity

Adobe AIR requires that AIR files, which are used to distribute applications, be digitally signed. This doesn’t just protect your application in transit: The certificate used for signing also establishes the identity of your application. Change certificates and you’ve created a different application.

Application identity is critical when using the Updater API, among other features. If you call the Updater API with an AIR file that wasn’t signed with the same certificate as the caller, Adobe AIR will refuse to install the update. (Users will see an error message about a misconfiguration directing them back to you, the application’s publisher.) This helps prevent anyone from hijacking your application update mechanism, but it also means you need to choose and stick with a single certificate for this application.

Users installing directly from an AIR file signed with a different certificate will be given the option of installing what appears to be a new application, not an update to the old one. If you have to switch certificates, you’ll probably want to ask users to uninstall the old application.

What happens when your certificate expires? Updates will still work, as renewed certificates are allowed. It’s the identity of the signer as found in the certificate, not the entire certificate, that’s used to perform this validation. The identity in the certificate doesn’t change across a renewal.
