Hi,

> The recommendation is to sign this binary convenience package in the same way 
> as the binary packages are signed - as a PGP detached signature. You can follow 
> the digital signing discussions on infrastructure-dev in either the archives 
> or by joining the list.

As AIR apps include their own signing process, wouldn't it be simpler to just 
sign the application once rather than twice? If we only sign the package as 
above we may want to consider the warning message (basically states that the 
application is from an unknown and untrusted source) that is shown when an AIR 
app is installed for the first time - the normal Apache signing process won't 
change this warning.

Thanks,
Justin
