Copy link to clipboard
Copied
Our publisher insists on porting our mobile app to MacOS. There is a major problem though - as stated in the topic.
When we build the project with our custom scripts, or a trivial project in Flash Builder we always fail with errors:
- "Error creating native installer file:Packaging failed. Packager internal error" for Flash Builders "Signed native installer",
- "Error creating file:Packaging failed. Packager internal error" for Flash Builders "Signed application with captive runtime",
- "Packaging failed. Packager internal error" for "bundle" and "native" targets directly in adt.
I can provide you with some 20 thousand final adt's syscalls obtained with dtruss.
Since error message is too cryptic, I have no idea what kind of information should I provide. What I can say is:
- Mobile builds for iOS and Android work without problems, as does running projects with adl,
- Since we reproduce problem in Flash Builder we probably can exclude syntax error in calling adt,
- Since we reproduce problem with trivial and empty project in Flash Builder, it doesn't seem to be related to code, nor configuration, nor additional packaged files,
- What seems to remain is problem with adt itself, maybe related to signing, since we have access to only one certificate at the moment.
AIR 14.0
Mac OS X 10.7.5
Copy link to clipboard
Copied
OK, so I discovered adt certificate generation feature
adt -certificate -cn SelfSign -ou QE -o "Example, Co" -c US 2048-RSA newcert.p12 39#wnetx3tl
With such a certificate everything works, but that doesn't really solve the issue. We cannot use self signed certificate to submit our app to Appstore.
Earlier certificate attempts resulted in error "Unable to build a valid certificate chain for the signer", but eventually we were able to create proper certificate chain. The result however is just as in the first post.
Could anyone share their experiences with building certificate chains?
Or maybe someone from Adobe knows what related to certificate can lead to "Packager internal error"?
Copy link to clipboard
Copied
std
Did you ever find a solution? I'm running into the same issue on Mac, and it seems there's little support for the "Packager internal error" question, so anything you found out would be helpful!
Copy link to clipboard
Copied
Steve
I have same problem with apple Developer Id Application certificate (downloaded from apple), got past the chain error message by including intermediate and root certificates when I exported from keychain, but got the package error referenced here. Also when I sign on windows machine with my code signing certificate (selecting windows installer) all publishes ok, but the certificate is not attached, says 'unknown developer' when I down load and try and run installer on windows machine. I sent the exe to Comodo (the guys I got the code signing certificate from) and they say the exe is not signed.
Finally I get 'The digital certificate is invalid' error when I try and use 'Developer Id Installer' certificate (downloaded from apple).
I think there must be several problems here with Air SDK.
Stopping me from publishing and I have a very upset Customer. Can someone from Adobe please advise asap.
Copy link to clipboard
Copied
to create an ANE you dont need to use a certificate -- or if you really want to, use a self cert. check the steps at the bottom of this page: http://www.adobe.com/devnet/air/articles/gaming-sdk-anes-64-bit-support.html
I've just done it using sdk16 and it works a treat (although still using dev cert for the app, quite sure it will be fine on production).
<AIR_SDK>/bin/adt -package -target ane stageAd.ane extension.xml -swc stageAd.swc -platform iPhone-ARM -platformoptions platformoptions.xml -C iPhone-ARM/ library.swf libstageAd.a
Copy link to clipboard
Copied
Hi!
I think I've found a workaround:
- Sign with a self-signed certificate first (Captive runtime)
- Open Keychain and find the full name of the Developer ID certificate: e.g. "Developer ID Application: My Company, LLC"
- Open Terminal and go to the folder where the your compiled .app is, then run:
codesign -f --deep -s "Developer ID Application: <complete certificate name>" <application filename>.app
You can verify that it is signed correctly by running:
spctl -a -v <appfile>.app
It should say "source=Developer ID"
If you want to distribute through Mac App Store there are more steps, but I didn't go through them, there might be info here:
Copy link to clipboard
Copied
tastethescabs had an answer that worked for me. I want to go into a little more detail for people like myself who aren't well versed with ADT.
Issues:
1. When signing an Air desktop app using an Apple Developer Certificate, you receive a "unable to build a valid certificate chain for the signer" message.
2. When signing an Air desktop app using an Apple Developer Certificate, you receive a "Packaging failed. Packager internal error" message.
Solution for first issue:
(NOTE: This solution currently works with CSAs other than Apple. I use GoDaddy and it works for me. If you’re using Apple as your CSA, skip to the second solution).
Certificates require multiple keys. One key (the private key) lives on your computer. This key basically says, "Yep! This person is allowed to sign things." Your public key lives with whichever CSA (Code Signing Authority) you're using. That key says, "We're reputable and give a thumbs up to your private key".
That's not where it ends. There are other keys such as an Intermediate key. This key comes from your CSA and basically says, "I know this public key and he's allowed to do XY&Z. For example, one intermediate key might be for code signing and another for SSL on your website. You can have multiple intermediate keys based on your needs.
Finally, there's the Root key. This key also comes from your CSA, and is the same for everyone. It basically says, "I don't know who that private key is, but I can vouch for the public and intermediate keys. Trust them." So end the end, you basically have this chain of authority.
Root (I'm the home) -> Intermediate (I'm the front door) -> Public (I'm the keyhole) -> Private (I'm the key)
Visit your CSA's website for their certificates. Apple's is: https://www.apple.com/certificateauthority/
Which ones do you need? Since I'm not an expert, I ended up installing a bunch of them and exporting them all as a p12. Then I went back and deleted certificates one by one until I got down to 3. Here are the ones that I used from Apple:
EDIT: After revisiting this to job my memory, it seems as though I made a mistake on which certificates to use. Since I'm not positive why I listed those three certificates from Apple above, I'm going to leave that part in the post as it may be relevant to someone else. In my current situation, I have a code signing certificate from GoDaddy. GoDaddy allows you to key your certificate with something called Starfield. This is an option when downloading your certificate from GoDaddy. On the main page of your SSL Certificates from GoDaddy, you'll find a link to a repository (Repository ). From that repository, download and install the following certificates:
Now, follow the instructions below, selecting these three certificates as opposed to the three Apple certificates above.
What you need to do is open the OSX Keychain and go to the “Certificates” tab. After you download and install the above certificates (they’ll install just by opening them), you’ll need to COMMAND-click each one. Then, find your Apple Developer certificate. There should be a dropdown arrow next to it. Click that arrow and COMMAND-click your private key AND the Apple Developer certificate. At this point, you should have 5 things selected. Right click on one of them and select, “Export 5 items”. Save it as a .p12 file and give it a password. Now you can sign your Air apps with that p12 certificate.
NOTE: If you try to sign your app with this certificate and you’re using the Apple Developer Program as your CSA, you’ll receive the second error listed above. This works great for other CSAs, but not Apple.
Solution for second issue:
In short, you’re going to use the ADT to self-sign your app, then apply your Apple Developer certificate to the compiled app. It’s way easier than it sounds. Again, I’m not a pro with ADT, so I’m going to act like I’m speaking to myself.
Setup your ADT on a Mac:
ADT stands for AIR Developer Tool. It’s a command line tool which means you’ll be typing code into the Terminal app.
- Make sure you have the most recent version of Java installed: http://java.com
- Download the latest Air SDK: http://www.adobe.com/devnet/air/air-sdk-download.html
1. Open your Terminal.app (located in the Applications/Utilities folder)
2. The first thing we need to do is point the terminal to the ADT file.
- Unzip your Air SKA file that you downloaded and find the folder called, “bin”.
- Drag the “bin” folder into your terminal. This will give you its path. Copy this path and paste it somewhere for later use.
- That “bin” folder contains the ADT and we’re going to point the terminal to that folder by typing: export PATH=$PATH: /THE/PATH/YOU/COPIED/bin
- Hit enter
- To test it, type: adt -version
- When you type “adt” you’re telling the terminal to use the ADT program.
- The dash means “do this”
- The part after the dash is essentially the function.
- adt -version will return the version of the ADT, meaning you’re pointing it to the right place.
- You only have to set the path once per session. If you close the terminal, you’ll have to set the path again when you open it.
Creating a Self-Signed Certificate with the ADT
A Self-Signed Certificate means that you are acting as the CSA. The problem with this is that you’re probably a nobody and no system will trust you. It’s fine for testing things locally because you can ignore security warnings, but it’s horrible for actual distribution. Very little security and most operating systems won’t even allow users to install your app.
In our case, we’re going to self-sign, then apply the actual Apple Developer Certificate afterwards.
1. In the terminal type this and it enter: adt -certificate -cn SelfSign -ou QE -o “YourCompanyName“ -c US 2048-RSA nameOfCertificate.p12 39#wnetx3tl
- Note: This will save the certificate to your user folder. If you can’t find it, just do a spotlight search for the name of the certificate.
-Note: The "39#wnetx3tl" part is your password. You can change this, but make sure you also change it in the code below.
-Note: "YourCompanyName" cannot contain spaces. In reality, this is a temporary certificate, so it doesn't matter what this says because it's going to be replaced.
- You don’t need to touch this certificate. We’re going to let the ADT refer to it.
Signing your App with the Self-Signed Certificate
To apply the Self-Signed Certificate, you’re going to have to get the path to your app. If you haven’t done so already, go into whichever program you use to code. I use Adobe Animate. Instead of publishing your app as a .air file, select the option for Air Intermediate (which gives you a .airi file).
1. Drag your .airi file into the terminal and copy the path that it gives you. Hit enter to start a new line (it will give you an error, but we don’t care).
2. Tell the ADT to compile the .airi file with the self-signed certificate by typing: adt -package -storetype pkcs12 -keystore nameOfCertificate.p12 -storepass 39#wnetx3tl -tsa "http://timestamp.comodoca.com/authenticode" -target bundle /PATH/TO/WHERE/YOU/WANT/TO/SAVE/YOUR/APP/myApp /PATH/TO/YOUR/AIRI/FILE/myapp.airi
-package: Tells the ADT that we’re going to compile this app.
-storetype: The type of certificate we’re using (pkcs12 is .p12)
-keystore: The location of the certificate (the one we self-signed)
-storepass: The password we assigned to the cert when we created it with ADT
-tsa: Time Stamp Authority. There are different ones you can use. It’s not dependent on your CSA. Recently, the default tsa stopped their service, causing tons of problems. So if you get a time stamp error, search for “Time Stamp Authority Link” in Google.
-target: This is the final output type. If you type, “air” instead of “bundle”, you’ll get a .air installer file. If you keep, “bundle”, it will output a .app file if you’re on a Mac and a .exe file if you’re on a PC. It’s the same code, but it dependent on the operating system that you’re using. So yes, you need a PC or virtual machine to compile a Windows .exe app.
- After the target type, you need to put two paths. The first is the path to where you want to save your app. Make sure it ends with the name that you want to call your app (don’t add the .app at the end). The second path is to your .airi file.
3. Once it’s done, you should end up with a .app file in the location that you set. If you attempt to open it, you’ll get warnings about it having an Unknown Developer/Authority. Don’t bother opening it right now. Next, we’re going to apply our Apple Developer Certificate.
Applying your Apple Developer Certificate to your Self-Signed app
This is pretty easy. We’re just going to tell the ADT to get the Apple Developer Certificate from your Keychain and apply it to the self-signed app that you just created.
1. Go into your Keychain app and go to the, “Certificates” tab in the side menu. Search for, “Developer ID Application”. You should find your Apple Developer Certificate.
2. Copy the full name of your certificate. It should look like this: “Developer ID Application: Company Name (HRO1930IWQ)”
3. In the Terminal app, type: codesign -f --deep -s "Developer ID Application: Company Name (HRO1930IWQ)" /PATH/TO/WHERE/YOU/SAVED/YOUR/APP/myApp.app
4. To check and make sure it’s signed, type this: spctl -a -v /PATH/TO/WHERE/YOU/SAVED/YOUR/APP/myApp.app
- You should get a response that says: /PATH/TO/WHERE/YOU/SAVED/YOUR/APP/myApp.app: accepted source=Developer ID
That’s it. It you get an error, double check that the path to your app is correct (don’t point it to the .airi file).
At this point, you’re app is now signed with your Apple Developer Certificate. It is a major hassle and gave me a week’s worth of headaches to figure it out. I literally knew nothing about code signing until this issue came up. I really hope this helps other people.
One last note: If you’re ever in a forum and you figure out an answer to your question or someone else’s, you’re morally obligated to post your findings. I can’t stand finding people with the same issue as me, only to read, “Never mind! I figured it out!” Please take the time to help everyone else out by explaining what you did. You don’t have to go into as much detail as me, but my gosh, don’t just keep it to yourself.
Copy link to clipboard
Copied
Thanks to @tonystech for the clear explanation of the problems and solutions to this issue.
I want to add some further insight and suggestions to this process of packaging an AIR app for macOS.
Overview
To summarize, the suggested flow for packaging an AIR app for macOS is:
1. Package the AIR app using a temporary self-signed certificate. This will build the actual app bundle.
2. Enhance the app bundle so that it meets the base requirements for a first-class desktop application.
3. Code sign the completed app bundle. The app is now ready to run.
4. [Bonus] Create a presentable dmg or pkg if delivering to the Mac App Store. The app is now ready to distribute.
Part 1 is necessary because it avoids the cryptic packaging errors AIR encounters when using non self-signed certs, and the app has to be code signed again manually later.
Part 2 is necessary because AIR adt packager is not capable of producing an acceptable app.
Parts 3 and 4 are necessary because of security and presentation to end-user.
Steps
Here are the steps I go through when crafting an AIR app for macOS.
Step 1 - Build and package the application with adt using temporary certificate
@tonystech covered this very well in his post above, apologies for the redundant information.
Create a temporary self-signed certificate in p12 format using the adt binary included with the AIR sdk. The adt syntax is:
adt -certificate -cn <name> ( -ou <org-unit> )? ( -o <org-name> )? ( -c <country> )? ( -validityPeriod <years> )? 2048-RSA <pfx-file> <password>
Example usage:
adt -certificate -cn SelfSign -ou Dev -o Dev -c US 2048-RSA temporaryCertificate.p12 temppass
Run your standard compile and build process using the IDE of your choice, pointing to the temporary certificate created above.
Step 2 - Replace icons
AIR does not package high resolution application icons. These icons must be independently created, packaged, and placed in the application bundle.
Documentation on high resolution icons is available from Apple in their High Resolution Guidelines for OS X document:
Optimizing for High Resolution
Once your complete high resolution icon set is crafted, use the tiffutil command to create a final Icons.icns file. Replace the icons that AIR created with this new high resolution file by replacing the file in your application bundle at Contents/Resources/Icon.icns.
Step 3 - Remove DRM and Disallowed Libraries
Delete the following files located in your app bundle in /Contents/Frameworks/Adobe AIR.framework/Resources:
Adobe AIR.vch
adobecp.plugin
adobecp.vch
AdobeCP15.plugin
(reference: https://helpx.adobe.com/flash-player/kb/posting-air-app-mac-app.html)
If distributing through Mac App Store, the plist in the Flash Player.plugin package must be deleted. path/to/bundle.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Resources/Flash\ Player.plugin/Contents/Info.plist.
Step 4 - Add Missing keys to Info.plist
In bundle.app/Contents edit the Info.plist file to add any necessary keys.
Typically you will want to add a CFBundleVersion key as AIR does not do this. You must also add an LSApplicationCategoryType key for distribution through the Mac App Store.
Reference on LSApplicationCategoryType keys: https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articl...
Step 5 - Set Permissions
In Terminal, perform:
chmod -R 777 bundle.app/
Reference:
http://pigsels.com/2012/04/air-app-store-publishing-guide/
Step 5 - Create Entitlements plist should be created to set permissions and capabilities for your app. This is beyond the scope of this guide, see Apple's dev site for this.
Sample entitlements file:
<?xml version="1.0" encoding="utf-8"?>
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
Step 6 - Code sign
The specific Apple developer program derived certificate to use for code sign will depend upon delivery target. For distribution outside of the Apple App Store, a Developer ID Application type of certificate is needed. For distribution via the Mac App Store, a Mac App Distribution type of certificate is needed. Using the proper certificate is key! Using an improper certificate will appear to work, but the gatekeeper validation will fail.
A good reference: https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/Maintaini...
The exact common name string of the certificate to use will be listed in the proper certificate shown in the Keychain Access utility app. Developer ID certificates are named starting with "Developer ID." Mac App Distribution and Mac App Installer certificates are named starting with "3rd Party Mac Developer." See Table 14-2 from the above link for details.
A deep code sign can be performed with a single command from the Terminal. Example of typical code sign:
codesign -f --deep -s "Developer ID Application: YOUR COMPANY (X6UWRFHA)" /path/to/YourApp.app --entitlements pathToYour/entitlements.plist
Step 7 - Verify code sign
In Terminal:
spctl -a -t exec -vv YourApp.app
Verification must pass. If it does not, the app may be blocked from running on the end user machine.
Step 8 - Create a release dmg [optional]
Creation of this is beyond the scope of this outline. An excellent and comprehensive video tutorial on crafting a release dmg is available at http://computers.tutsplus.com/tutorials/how-to-create-a-retina-ready-dmg-based-app-installer--cms-21...
Step 9 - Mac App Store package creation [optional]
For onboarding into the Mac App Store, you'll need to create a .pkg:
productbuild --component /path/to/bundle.app /Applications --sign "3rd Party Mac Developer Installer: YOU COMPANY (X6UWKFTNN)" bundle.pkg
You should now be done and ready to ship!