Why AIR fetches a Thawte CRL no matter who signed your app

I was recently asked why AIR fetches a Thawte CRL (from http://tss-geotrust-crl.thawte.com/ThawteTimestampingCA.crl) every time an application is installed–even if the application was signed with a certificate from another CA. It turns out there is a good reason for this, and the clue is in the URL itself.

By default, all AIR application signatures are timestamped. Timestamps are created by a timestamp server, and are themselves signatures. When AIR validates the timestamp signature, it downloads the CRL associated with the timestamp signing certificate–just like it would when validating any other signature. And the Thawte timestamp server uses a certificate that–no surprise here–has a CRL hosted by Thawte.

This default is easy to override using the “-tsa” option to the AIR file packaging tool, adt. A value of “-tsa none” turns off timestamps entirely. To specify an alternate timestamp server, specify the URL of that server after the -tsa flag.

For more on AIR code signing, including why timestamping is used, take a look at Code Signing in Adobe AIR.