Upcoming Certificate Renewal Changes in Adobe AIR

AIR currently secures application updates published with renewed certificates by comparing the publisher ID computed from the old and new certificates. If the publisher IDs are identical the update is allowed; otherwise, it’s not.

Recently we’ve been made aware that the publisher ID computation is flawed in ways that make it quite likely that renewed certificates will not have identical publisher IDs. These range from the trivial to the unresolvable:

  • In one case, an original certificate contained a typo in the publisher’s identity. This was corrected in the renewal. However, the publisher ID computation requires that the publisher’s identity matches exactly.
  • In another case, similar, key information changed–but in one of the intermediate certificates in the certificate chain. The change was legitimate, but again fell outside the scope of changes that the publisher ID computation allows.
  • In perhaps the most serious issue, the publisher ID algorithm requires that the root certificate in the certificate chain be identical across renewals. Root certificates are typically valid for 20 years or more, so this was not anticipated as a serious limitation. However, many root certificates will be retired in the next few years in favor of certificates with longer key lengths–long before they expire.

If you’ve run into this situation, you should use the migration signature feature, which was first added in AIR 1.1. It was originally designed to allow secured updates across unrelated certificates (i.e., not renewals). As a general purpose mechanism, however, it also works just as well with renewals, whether or not they run into this issue.

There are, however, two drawbacks to the migration signature mechanism:

  1. You have to use the mechanism before your old certificate expires. Certificate renewals are often issued only after the previous certificate has expired.
  2. When you migrate between certificates your publisher ID changes. Among other things, this causes the application to lose access to any data stored in the EncryptedLocalStore.

This is an unfortunate turn of events for a feature that was designed to make things easier, and we apologize for the trouble all of this has caused. To address these issues, we will be making two significant changes in an otherwise minor release of AIR. This release is currently scheduled for December. The changes are:

  1. Applications will use a specified, not computed, publisher ID. This will allow them to change certificates without losing access to existing data.
  2. For purposes of changing certificates, certificates will be accepted as valid for six months after they expire. This allows plenty of time to renew and update the application.

Further details will be made available in conjunction with the upcoming release.

2 Responses to Upcoming Certificate Renewal Changes in Adobe AIR

  1. freddy says:

    Does this means that after the adobe air update, when we follow any further steps that are posted we won’t lose information stored in the ELS + it will be done in such a way that information isn’t exposed to third parties + the data in the appstore will be grabbed from the same place as long as we specify a matching publisher id?[That’s correct, assuming by “third party” you mean other users. —Oliver]

  2. Rui Cruz says:

    Hello,I had several problems passing trough this issue. I had to generate hundreds of installers with new certificate and trough adt migrate the old certificate. I had serious problem getting the preferences.xml that is essential to our app from old appData folder to the new one. Our certificate had expired also, so I had to go back on local date to the certificate expired date.Anyway after all this process, I need to ask something. We had implemented an required update check, and should solve the problem, but If an user haves the old version and only opens the software again in 6 months, he will get the error saying that there is already one app with that name on system? right?, so basically we will have to migrate the old certificate on all new versions we export? Am I correct???best regards,Rui Cruz[Basically, yes. See this post for further discussion. —Oliver]