Switching Certificates

There’s one important code signing feature that didn’t make it into my recent article on code signing in Adobe AIR: the ability to switch to a new certificate.

You can use this feature to transition from a self-signed certificate used during initial development to a CA-issued certificate purchased later. You can also use it to switch between certificates issued by different CAs, or even to switch identities if, say, your company is purchased by another.

The feature is straightforward to use: First, package a version of your application using your new certificate. Then, sign it a second time (using the “-migrate” option to adt) using your old certificate. The second signature covers the first, so the original signer is effectively granting permission to the new signer to take over the application’s identity. Note, though, that both certificates must be valid for some overlapping period of time in order to make the transition.
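The two signing steps above as a shell script, with a pre-check for the overlapping validity period; this is an added example, not code from the original article. The function names, the PEM copies of the two certificates, and the file arguments are assumptions, and `cert_epoch` relies on OpenSSL and GNU date.

```shell
#!/bin/sh
# Added example, not from the original article. All file names are placeholders.

# cert_epoch FIELD PEM: print a PEM certificate's notBefore ("startdate") or
# notAfter ("enddate") as epoch seconds. Assumes openssl and GNU date.
cert_epoch() {
    date -u -d "$(openssl x509 -noout "-$1" -in "$2" | cut -d= -f2)" +%s
}

# shared_validity NB1 NA1 NB2 NA2: print "START END" (epoch seconds) of the
# period in which both certificates are valid; return 1 if there is none.
shared_validity() {
    sv_start=$1
    if [ "$3" -gt "$sv_start" ]; then sv_start=$3; fi
    sv_end=$2
    if [ "$4" -lt "$sv_end" ]; then sv_end=$4; fi
    if [ "$sv_start" -ge "$sv_end" ]; then return 1; fi
    echo "$sv_start $sv_end"
}

# migrate_air NEW_P12 NEW_PEM OLD_P12 OLD_PEM APP_XML CONTENT OUT_AIR
migrate_air() {
    # Refuse to sign if the two certificates are never valid at the same time.
    shared_validity \
        "$(cert_epoch startdate "$2")" "$(cert_epoch enddate "$2")" \
        "$(cert_epoch startdate "$4")" "$(cert_epoch enddate "$4")" >/dev/null || {
        echo "certificates have no overlapping validity period" >&2
        return 1
    }
    unmigrated="${7%.air}-unmigrated.air"
    # Step 1: package with the NEW certificate (adt prompts for the password).
    adt -package -storetype pkcs12 -keystore "$1" "$unmigrated" "$5" "$6" || return 1
    # Step 2: sign a second time with the OLD certificate using -migrate.
    adt -migrate -storetype pkcs12 -keystore "$3" "$unmigrated" "$7"
}

# Run only when called with all seven arguments.
if [ "$#" -eq 7 ]; then migrate_air "$@"; fi
```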

Without this feature, switching certificates is disruptive for the end user: the version of the application signed with the new certificate is handled as an entirely different application from the old one. The application can’t even update itself from one to the other, as the Updater API will refuse to see them as related.

With this feature, the transition is much smoother, although there are still a couple of rough edges. An application can use the Updater API to update to the new version when using this feature. However, the application’s publisher ID will change during this update, which means that:

  • The application’s local connection name will change,
  • The application will no longer have access to its old encrypted local store, and
  • The application’s application storage directory will change.

Regarding the storage directory, it’s worth noting that you can still access the old one via the File API; you just can’t get to it via File.applicationStorageDirectory.

See also help on the Adobe Developer Center.