Chrome Malicious Warning Message on Packaged Desktop Air Application for Windows

Ever have a DOH moment?

So I have created an AIR application that can be deployed on the desktop, mobile devices and the web. For each version, I followed the directions to package the application using digital certificates in Flashbuilder 4.6 for a signed application with a captive runtime.

Note: The mobile device packaging zips all the necessary files and directories and the captive runtimes with a digital certificate into a single file. So the Android pocketnotes.apk file, for example, will have an associated digital certificate (as does the iPhone/iPad pocketnotes.ipa file).

This packaging into a single exe file does not happen for the desktop version. Flashbuilder 4.6 outputs a directory which contains a desktop .exe file for the application as well as an AIR runtime directory and, in my setup, an additional directory of data files. So, for example, the export directory contains the following:

  • pocketnotes.exe
  • Adobe Air directory (which contains the captive runtime)
  • data directory (which contains xml files which are to be displayed)

The result is that the desktop app needs to be packaged for easy installation on the desktop. For Windows, I used the InnoSetup program to package up all the necessary files. When the Windows desktop app was downloaded from the site, I kept getting a malicious file warning from the Chrome browser during testing. If you downloaded the setup.exe file using the Firefox browser, there was no message until you tried to install the application. When you double-clicked the downloaded pocketnotesSetup.exe, you would get an installation message that the publisher could not be verified and that the application you are attempting to install does not have a valid digital signature.

So I first tried the avenue documented in a previous blog entry on downloading NIM apps, which discussed using a PHP file to request that the file be downloaded in order to mitigate the error message. This avenue, which initially seemed to work on my local machine when using the Chrome browser, did not work on the server. Using this PHP download file actually caused more problems, because I must not have set it up correctly and the PHP code corrupted the contents of the downloaded zip file.

In any case, the digital signature was not being read even though I followed the directions to set it in the Adobe Flashbuilder publishing process. Being a little obtuse, it took me a while to figure out that the InnoSetup-generated installation file (pocketnotesSetup.exe) was the culprit and not the Adobe AIR-generated executable. DOOH!

I googled “digital sign InnoSetup” to try to see if it was possible to incorporate digital certificates. I found a Stack Overflow question which indicated that it was possible to integrate a signing tool into the packaging process.

I now realized I had to do two things:

  1. Install signtool.exe from Microsoft on my desktop machine
  2. Run InnoSetup using a Digital Signature when packaging my Adobe Air Captive runtime desktop application for Windows.
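The two steps above as a single build-and-verify run, added here as an example and not taken from the original post. It assumes the tool paths shown, a hypothetical pocketnotes.iss whose [Setup] section contains `SignTool=pnsign` and `OutputBaseFilename=pocketnotesSetup`, a code-signing certificate already in the Windows certificate store under the placeholder subject "Example Publisher", and a placeholder timestamp URL.

```powershell
# Added example: compile the installer with Inno Setup's sign-tool hook,
# then confirm that the generated setup file carries a valid signature.
# Every path, the certificate subject and the timestamp URL are assumptions.
$iscc     = 'C:\Program Files (x86)\Inno Setup 6\ISCC.exe'
$signtool = 'C:\Tools\signtool.exe'             # wherever signtool.exe was installed
$script   = '.\pocketnotes.iss'                 # hypothetical; must contain SignTool=pnsign
$setupExe = '.\Output\pocketnotesSetup.exe'     # assumes default OutputDir

# Inno Setup substitutes $q with a double quote and $f with the quoted file
# to sign. Single-quoted strings keep PowerShell from expanding $q and $f.
$signCmd = '$q' + $signtool + '$q sign /n $qExample Publisher$q ' +
           '/fd SHA256 /tr http://timestamp.example.com /td SHA256 $f'

# /S<name>=<command> defines the sign tool that the script refers to by name.
& $iscc "/Spnsign=$signCmd" $script
if ($LASTEXITCODE -ne 0) {
    throw "ISCC failed with exit code $LASTEXITCODE"
}

# Check the installer itself, since it is the file the browser and Windows inspect.
$sig = Get-AuthenticodeSignature -FilePath $setupExe
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# A missing timestamp means the signature stops validating when the
# certificate expires, so surface that before publishing the file.
if (-not $sig.TimeStamperCertificate) {
    Write-Warning 'Installer is signed but not timestamped.'
}
"Signed by: $($sig.SignerCertificate.Subject)"
```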
