Code Signing in Adobe AIR


Oliver is a senior computer scientist at Adobe Systems. He can be reached at goldman@ieee.org.


Adobe AIR, Adobe's platform for building desktop applications from web technologies, requires that all AIR-based applications be signed to secure delivery. By signing an application, the application's publisher securely associates their identity with the application. For example, eBay signs its AIR-based eBay Desktop application before making it available for download. When users install the application, AIR uses the signature to confirm eBay's identity as the publisher and to confirm that the application has not been tampered with in transit. This confirmed identity is displayed to the user as part of the installation process.

Using signatures only to detect tampering, without also establishing a trusted identity, is not an interesting guarantee. If you don't know who signed an application, you can't be sure the application hasn't been tampered with, even if the signature is valid. The attacker might have simply resigned the application after tampering with it.

But while Adobe AIR application signatures can tell you who published an application, they don't tell you whether you should trust that publisher. Signatures also do not in any way make the application safer to run. A signed application published by "Evil Intruder, LLC" is just as likely to be malicious as an unsigned application from the same publisher and is just as capable of doing harm to your computer.

Trusted Identity

A signature is said to be "trusted" when that signature accurately declares the identity of the publisher. This is not the same as trusting the application.

There are two ways in which trust in a signature may be established.

  • First, I might trust a signature because the publisher has, in some secure way, given me a copy of his certificate. This is best done in person, where identity can be established, and by physically exchanging the certificate—perhaps on a USB drive. This mechanism doesn't scale well, as it requires establishing trust for each publisher on an individual basis.
  • The alternative is to trust an intermediary who can vouch for the identity of the publisher. There is more than one way to go about this, but the most common is to trust a certification authority to vouch for others. A certification authority validates publishers' identities and issues certificates to them. If you trust the certification authority, you implicitly trust its validation process.

Implementation of Trusted Identity

Although it might be surprising at first glance, a certificate claims to establish an identity by simply including the name of that entity in the certificate. That's right: Anyone with access to a computer and a modicum of know-how can produce a perfectly valid certificate that claims it belongs to you. Establishing trust in an identity is about determining whether to believe what a certificate says. Trust in a certificate is established by linking the certificate in the AIR file to a list of trusted certificates maintained by the operating system. On a typical computer, this certificate store comes populated with the certificates of various certification authorities that the operating-system publisher has decided should be trusted. For example, this certificate store typically includes a certificate for Verisign that lets your computer—without additional setup—establish a trusted identity for many of the secure websites that you visit. You can modify this list of certificates, although most users don't.

Adobe AIR considers a certificate to be trusted if either the same certificate is stored in the system certificate store as a trusted certificate, or if it is possible to establish a certificate chain from the signing certificate to some trusted certificate in the system store.

In a certificate chain, each certificate is signed by another certificate, which is in turn signed by another certificate, until you reach a trusted root certificate. Typical chains contain only three certificates: the publisher's certificate, one intermediate, and the root. So long as the root is trusted by the system, the intermediate and the publisher are also trusted. Certificates that cannot be trusted via a certificate chain, and therefore must be listed directly in the certificate store to be trusted, are often referred to as "self-signed" certificates. Rather than being signed by another certificate (a certification authority's, for instance), they are quite literally signed by themselves. This self-signature doesn't provide for a chain, but it does provide a way to detect any tampering with the certificate. "Self-signed" is sometimes used to mean "untrusted" because, by default, self-signed certificates are not in your certificate store and so are not trusted. The two are not really the same thing. All certificates must be signed, and the root certificates of all certification authorities are themselves self-signed. While most self-signed certificates are not trusted, many of the most important certificates are.
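The mechanics of the last two paragraphs, as an added example that is not part of this article and is not Adobe's implementation: a root, an intermediate and a publisher certificate are created; the publisher signs a constructed stand-in for an AIR package; and the two separate questions (does the signature verify, and does the signer chain to a certificate in the store) are asked of the honest publisher and of an attacker who tampers with the package and re-signs it with a self-signed certificate, the case raised in the introduction. It is written in Go because its standard library covers everything needed offline. The subjects "Example Root CA", "Example Issuing CA" and "Honest Publisher, Inc.", the sample bytes, and the use of a detached ECDSA signature are all assumptions for the demonstration; a real AIR file carries an XML signature, which this does not reproduce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must stops the demo on the first error; there is nothing sensible to recover.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type cert struct {
	crt *x509.Certificate
	key *ecdsa.PrivateKey
}

// issue creates a certificate for subject signed with issuer's key. A nil issuer
// means it is signed with its own key: self-signed, as every root certificate is.
func issue(subject string, isCA bool, issuer *cert) *cert {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // assumption: unique enough here
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // CA:TRUE is what lets a chain pass through a certificate
		IsCA:                  isCA,
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.crt, issuer.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &cert{crt: must(x509.ParseCertificate(der)), key: key}
}

// trusted reports whether signer chains to some certificate in store; intermediates
// are offered as untrusted links, the way a signed package carries them.
func trusted(signer *x509.Certificate, store, intermediates []*x509.Certificate) bool {
	roots, links := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		links.AddCert(c)
	}
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: links,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// sign makes a detached ECDSA signature over the SHA-256 digest of app.
func sign(signer *cert, app []byte) []byte {
	digest := sha256.Sum256(app)
	return must(ecdsa.SignASN1(rand.Reader, signer.key, digest[:]))
}

// signatureValid checks sig over app with crt's public key: proof only that the
// holder of the matching private key signed exactly these bytes.
func signatureValid(crt *x509.Certificate, app, sig []byte) bool {
	digest := sha256.Sum256(app)
	pub, ok := crt.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// scenario builds root -> intermediate -> publisher plus a self-signed attacker
// certificate, signs a constructed stand-in for an AIR package, and runs each check.
func scenario() map[string]bool {
	root := issue("Example Root CA", true, nil)
	inter := issue("Example Issuing CA", true, root)
	publisher := issue("Honest Publisher, Inc.", false, inter)
	attacker := issue("Evil Intruder, LLC", false, nil)
	app := []byte("constructed bytes standing in for an AIR package")
	sig := sign(publisher, app)
	store := []*x509.Certificate{root.crt}  // what the operating system ships with
	links := []*x509.Certificate{inter.crt} // what travels with the package
	tampered := append(append([]byte{}, app...), " plus a backdoor"...)
	resigned := sign(attacker, tampered) // attacker discards the original signature and signs again
	return map[string]bool{
		"publisher signature verifies":         signatureValid(publisher.crt, app, sig),
		"publisher chains to the OS store":     trusted(publisher.crt, store, links),
		"tampered bytes still verify":          signatureValid(publisher.crt, tampered, sig),
		"attacker's re-signature verifies":     signatureValid(attacker.crt, tampered, resigned),
		"attacker chains to the OS store":      trusted(attacker.crt, store, links),
		"attacker trusted once his cert added": trusted(attacker.crt, append(store, attacker.crt), links),
	}
}

func main() {
	fmt.Println(scenario())
}
```

Run it with go run and it prints each check with its result. The tampered package fails the publisher's signature; the attacker's re-signed copy passes the signature check, which is exactly why a valid signature alone proves nothing, but fails the chain check because nothing in the store vouches for "Evil Intruder, LLC"; and the attacker becomes trusted only when his certificate is placed directly in the store, which is the USB-drive case described earlier.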

Managing Trusted Identity

Adobe AIR does not provide any facilities for directly managing trusted certificates and, therefore, no facilities for managing trusted identity. These facilities are already provided by your operating system, along with tools that you or an administrator can use to add and remove trusted certificates.

If a commercial certification authority issues the certificate that was used to sign the application you are installing, you probably won't have to take any additional steps to have that certificate be trusted on your system. The certification authority is probably already entered in your system store. Both Windows and Mac OS come preconfigured to trust certification authorities selected by the operating system vendor. If not—say, you received your friend's certificate on a USB drive at the coffee shop—then you make that certificate trusted on your machine by loading it into the system certificate store. On Mac OS, you do this via Keychain; on Windows, via Internet Options.

Trusted Software

Trusting identity is one thing; trusting software is quite another. For example, I trust the eBay desktop application because I believe eBay would not deliberately publish a malicious or otherwise dangerous application. Establishing that eBay signed the application I'm about to install is a requisite first step to trusting the application. The rest of my decision hinges on my knowledge of eBay, its reputation as a company, and how paranoid I am.

An established identity is just as key to establishing a lack of trust. For example, I wouldn't be willing to install an application just because I knew with certainty that Evil Hacker, LLC published it. All the same, I would be glad that their identity had been established: I believe they would deliberately harm my machine and I don't want to be installing any of their software.

