March 26, 2008
Tips on getting a code signing certificate
I got my own certificate for signing AIR applications a couple of weeks ago, so I thought I'd share my experience in order to help others more easily navigate the process. My intention is not to provide an exhaustive tutorial on code signing or the process of obtaining a certificate (if that's what you're looking for, see Todd Prekaski's article entitled Digitally Signing Adobe AIR Applications). Rather, I just want to list a few things you should know about before starting the process in order to ensure that it goes smoothly.
I decided to get my certificate from Thawte, but you can also use VeriSign (and soon other Certificate Authorities that Adobe is working with). Both Thawte and VeriSign issue code-signing certificates to organizations as opposed to individuals, so the tips below assume that you already have a corporate entity established. We are currently working with CAs who can issue personal certificates, so if you don't have a business, you will soon be able to get a certificate issued in your own name.
If you decide to get your certificate through Thawte, here are some important things to know:
- Use Firefox. Firefox has a certificate manager that allows you to easily export your certificate as a P12 file, which is what you need in order to sign your applications. Yes, it's sort of a strange requirement, but it makes the process much easier.
- Use an email address other than Gmail, Hotmail, or Yahoo. Thawte will not issue a certificate to anyone using an address from a free email service. I tried to talk them into it (I love Gmail), but they wouldn't budge. I ended up having to use my Watch Report email address, which they eventually accepted; however, they would rather I had used an email address associated with the company's domain.
- Set up a corporate web page. My main business is Watch Report, but my company is called Cantrell Media Company. Since Watch Report is well established, I never bothered setting up a separate corporate web site. Thawte wanted one, so I threw together christiancantrell.com in about five minutes. It's not pretty, but it met the requirement.
- Get a business phone number, and list it publicly. I work out of my home, so I have a business line (I almost always use my mobile phone, but it's nice to have a landline to fall back on). However, when I got the second line, I didn't bother to create a corporate account with Verizon. Rather, I have both my home and business lines listed under my personal name. Thawte doesn't like this. They either want to see a phone bill with your business number and business name on it (which I couldn't produce), or they want to see your business and your business number listed in a public directory. I listed Cantrell Media Company on yellowpages.com which took a few days, but is completely free. Thawte was happy with that. (Here's the listing.)
Those are all the specific issues that caused me problems. If you own a business, and take all four points above into account when applying for your code-signing certificate, you should be able to obtain one within a couple of days with no problem at all.
Posted by cantrell at March 26, 2008 10:48 AM
Comments
Good stuff Christian. There is also an excellent article on this on the Adobe Developer Connection at: http://www.adobe.com/devnet/air/articles/signing_air_applications.html
Posted by: Jonathan Wall at March 26, 2008 11:02 AM
I've developed a demo using AIR for an open source project. Because it is open source, I am not going to buy a certificate. I have tried signing my AIR app using a Thawte freemail certificate (generally following the procedure in this article: http://www.dallaway.com/acad/webstart/). However, adt keeps throwing an error when I package it: not an X509 code-signing certificate. Strange that the procedure in the article is good enough to sign jar files, but not AIR applications. As a last resort, I used openssl to convert the certificate to a p12 file. But no joy - adt still gives the same error.
Posted by: Matt at April 24, 2008 03:17 PM
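Added example, not part of the original post or its comments and not Adobe's code: X.509 marks a certificate for code signing through the Extended Key Usage (EKU) extension, so listing a certificate's EKU OIDs before packaging shows whether it is a code-signing certificate at all. The Python below does that for a DER-encoded certificate using only the standard library; the two sample inputs are constructed, unsigned skeletons, and treating the adt error above as an EKU check, and an e-mail certificate as carrying only emailProtection, are assumptions.

```python
EKU_EXTENSION = "2.5.29.37"          # id-ce-extKeyUsage
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:            # base-128 arcs, high bit marks continuation
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def extended_key_usages(cert_der):
    """EKU OIDs of a DER-encoded X.509 certificate; [] if the extension is absent."""
    _, tbs, _ = read_tlv(read_tlv(cert_der)[1])       # Certificate -> tbsCertificate
    for tag, value in children(tbs):
        if tag == 0xA3:                               # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(value)[1]):
                fields = list(children(ext))          # extnID, [critical], extnValue
                if decode_oid(fields[0][1]) == EKU_EXTENSION:
                    usages = read_tlv(fields[-1][1])[1]
                    return [decode_oid(v) for _, v in children(usages)]
    return []

def is_code_signing_cert(cert_der):
    return CODE_SIGNING in extended_key_usages(cert_der)

def sample_cert(eku_oid):  # constructed, unsigned skeleton; not a real certificate
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    ext = tlv(0x30, tlv(0x06, b"\x55\x1d\x25") + tlv(0x04, tlv(0x30, tlv(0x06, eku_oid))))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, ext))))

FREEMAIL_LIKE = sample_cert(b"\x2b\x06\x01\x05\x05\x07\x03\x04")      # emailProtection
CODE_SIGNING_LIKE = sample_cert(b"\x2b\x06\x01\x05\x05\x07\x03\x03")  # codeSigning
```

`is_code_signing_cert(FREEMAIL_LIKE)` is false and `is_code_signing_cert(CODE_SIGNING_LIKE)` is true; a certificate that fails this check stays unsuitable after conversion to P12, because the conversion changes the container, not the certificate's extensions.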