Posted to dev@flex.apache.org by "Erik de Bruin (JIRA)" <ji...@apache.org> on 2012/08/01 16:06:05 UTC

[jira] [Updated] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

     [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik de Bruin updated FLEX-33150:
---------------------------------

    Attachment: InstallApacheFlex_Patch_EdB_MD5_2012-08-01.txt

I've created a utility class that reads the Flex SDK archive MD5 hash from 'apache.org', calculates the hash of the local (downloaded) archive and compares these. I've used the MD5Stream class mentioned on the dev list, working on a FileStream of the local archive. The class clones and re-dispatches the progress event of the FileStream to facilitate feedback to the user (read the 'note' below ;-)).

I've added some code to embed the new class in the main application, but I'm sure that needs more work.

Note: the calculation of the hash of the local file (66+ MB) takes a long, long time (> 150 seconds on my quad core 2.2 GHz Intel Core i7), so we might want to make this an optional feature, with a default of "don't try this at home, kids..."
                
> Programmatically verify the MD5 hash of the downloaded Apache Flex SDK
> ----------------------------------------------------------------------
>
>                 Key: FLEX-33150
>                 URL: https://issues.apache.org/jira/browse/FLEX-33150
>             Project: Apache Flex
>          Issue Type: Sub-task
>            Reporter: OmPrakash Muppirala
>            Assignee: Bertrand Delacretaz
>            Priority: Blocker
>         Attachments: InstallApacheFlex_Patch_EdB_MD5_2012-08-01.txt
>
>
> >>>4.  The installer app needs to programmatically verify the downloaded
> >>>flex binaries' signatures.  I have very little experience with crypto
> >>>algorithms.  Can someone take this up?  Even if someone can explain the
> >>>steps to do this, I can get it done.
> >>
> >> Are you going to check the signature (.asc) or the checksum (.md5)?  I'm
> >> sure the latter is much easier.
> >>
> >>
> >.md5 it is, then ;-)  As I said, I don't know how to go about doing this
> >(yet).  I will do some research on this when I get a chance.
> It looks like com.adobe.com.crypto.MD5Stream in
> https://github.com/mikechambers/as3corelib will do what you need.  It has
> a BSD license so we can use it with no issues.
> Mail discussion thread:
> http://markmail.org/message/czqpeetkjart3ei6

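The check described in the comment above (read the published .md5, hash the local archive in chunks while reporting progress, compare), as an added Python example; it is not the attached patch or the installer's ActionScript code, and it uses Python's hashlib in place of as3corelib's MD5Stream. All function names and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import re

def parse_md5_file(text):
    """Return the lowercase digest found in the text of a published .md5 file.

    Accepts a bare digest, 'digest  name', 'MD5 (name) = digest' and
    'name: D4 1D 8C ...' (digest printed in space-separated groups).
    """
    # A standalone run of exactly 32 hex digits covers the first three layouts.
    m = re.search(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])", text)
    if m:
        return m.group(0).lower()
    # Grouped layout: drop the 'name:' label, then close up the whitespace.
    grouped = "".join(text.rsplit(":", 1)[-1].split())
    if re.fullmatch(r"[0-9A-Fa-f]{32}", grouped):
        return grouped.lower()
    # An HTML error page or a truncated response must fail, not "verify".
    raise ValueError("no MD5 digest found in checksum file")

def md5_of_stream(stream, total=0, on_progress=None, chunk_size=1 << 20):
    """Hash a binary stream chunk by chunk, reporting (bytes_done, total)."""
    digest = hashlib.md5()
    done = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        done += len(chunk)
        if on_progress:
            on_progress(done, total)
    return digest.hexdigest()

def verify_download(stream, md5_file_text, **hash_options):
    """True only if the stream's MD5 equals the digest in the .md5 text."""
    expected = parse_md5_file(md5_file_text)
    actual = md5_of_stream(stream, **hash_options)
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    # Constructed stand-in for the downloaded archive and its .md5 file.
    archive = b"constructed stand-in for the SDK archive\n" * 1000
    published = hashlib.md5(archive).hexdigest() + " *sdk.zip\n"
    ok = verify_download(io.BytesIO(archive), published, total=len(archive),
                         on_progress=lambda d, t: print(f"{d}/{t} bytes"))
    print("checksum OK" if ok else "checksum MISMATCH")
```

A matching MD5 shows the archive was not corrupted in transit; authenticating it is what the signature (.asc) mentioned in the thread is for.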