Posted to dev@flex.apache.org by "OmPrakash Muppirala (JIRA)" <ji...@apache.org> on 2012/07/30 20:25:35 UTC

[jira] [Created] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

OmPrakash Muppirala created FLEX-33150:
------------------------------------------

             Summary: Programmatically verify the MD5 hash of the downloaded Apache Flex SDK
                 Key: FLEX-33150
                 URL: https://issues.apache.org/jira/browse/FLEX-33150
             Project: Apache Flex
          Issue Type: Sub-task
            Reporter: OmPrakash Muppirala
            Assignee: Bertrand Delacretaz
            Priority: Blocker



>>> 4.  The installer app needs to programmatically verify the downloaded
>>> flex binaries' signatures.  I have very little experience with crypto
>>> algorithms.  Can someone take this up?  Even if someone can explain the
>>> steps to do this, I can get it done.
>>
>> Are you going to check the signature (.asc) or the checksum (.md5)?  I'm
>> sure the latter is much easier.
>
> .md5 it is, then ;-)  As I said, I don't know how to go about doing this
> (yet).  I will do some research on this when I get a chance.

It looks like com.adobe.com.crypto.MD5Stream in
https://github.com/mikechambers/as3corelib will do what you need.  It has
a BSD license so we can use it with no issues.


Mail discussion thread:
http://markmail.org/message/czqpeetkjart3ei6

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Resolved] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

Posted by "OmPrakash Muppirala (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

OmPrakash Muppirala resolved FLEX-33150.
----------------------------------------

    Resolution: Fixed

Resolved in svn revision 1369734
                

[jira] [Updated] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

Posted by "Erik de Bruin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik de Bruin updated FLEX-33150:
---------------------------------

    Attachment:     (was: InstallApacheFlex_Patch_EdB_MD5_2012-08-01.txt)
    

[jira] [Commented] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

Posted by "Erik de Bruin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13427251#comment-13427251 ] 

Erik de Bruin commented on FLEX-33150:
--------------------------------------

I've updated my contribution.

Note: this solution is now part of my 'mega-patch', attached to FLEX-33106. I have removed all my other patches. I was getting my patches crossed, and as the Ghostbusters noted: "Don't cross the patches… It would be bad… Try to imagine all life as you know it stopping instantaneously and every molecule in your body exploding at the speed of light." ;-)
                

[jira] [Updated] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

Posted by "Erik de Bruin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik de Bruin updated FLEX-33150:
---------------------------------

    Attachment: InstallApacheFlex_Patch_EdB_MD5_2012-08-01.txt

I've created a utility class that reads the Flex SDK archive MD5 hash from 'apache.org', calculates the hash of the local (downloaded) archive and compares these. I've used the MD5Stream class mentioned on the dev list, working on a FileStream of the local archive. The class clones and re-dispatches the progress event of the FileStream to facilitate feedback to the user (read the 'note' below ;-)).

I've added some code to embed the new class in the main application, but I'm sure that needs more work.

Note: the calculation of the hash of the local file (66+ MB) takes a long, long time (> 150 seconds on my quad core 2.2 GHz Intel Core i7), so we might want to make this an optional feature, with a default of "don't try this at home, kids..."
                

Re: [jira] [Commented] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

Looks good. 

Just a question (for anyone): from a security point of view, would it be better to:

a) Compile the MD5 hash values into the application (i.e. place them in the XML file or as static consts)
OR
b) Download the hashes from the Apache web site?

Downloading hashes over HTTP could be risky for all sorts of reasons. Needing an HTTPS connection may cause issues with firewalls and the like.

Thanks,
Justin
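
An added example (not from the thread or the InstallApacheFlex source, and in Python rather than the installer's ActionScript) of the check discussed above: hash the archive in chunks, read the digest out of a .md5 file, and prefer a digest shipped with the installer over one fetched at install time. The function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import re

HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")

def parse_md5_sidecar(text):
    """Digest from a .md5 body: bare hex, 'hex  name' or 'MD5 (name) = hex'."""
    found = HEX32.findall(text)
    if len(found) != 1:
        raise ValueError("expected exactly one 32-hex-digit MD5 value")
    return found[0].lower()

def md5_of_stream(stream, chunk_size=64 * 1024, on_progress=None):
    """Hash a binary stream chunk by chunk so memory use stays constant."""
    digest = hashlib.md5()
    done = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
        done += len(chunk)
        if on_progress:
            on_progress(done)  # bytes hashed so far, e.g. for a progress bar
    return digest.hexdigest()

def verify_download(stream, pinned_md5=None, sidecar_text=None):
    """Return (matches, source_of_reference_digest).

    A digest shipped inside the installer (option a) wins over one fetched at
    install time (option b): a sidecar fetched over plain HTTP can be replaced
    together with the archive, so on its own it only detects corruption.
    """
    if pinned_md5 is not None:
        expected, source = pinned_md5.strip().lower(), "pinned"
    elif sidecar_text is not None:
        expected, source = parse_md5_sidecar(sidecar_text), "sidecar"
    else:
        raise ValueError("no reference digest supplied")
    return hmac.compare_digest(md5_of_stream(stream), expected), source

# Constructed sample data: a stand-in archive and the sidecar a mirror would serve.
SAMPLE_ARCHIVE = b"constructed stand-in for the SDK zip\n" * 4096
SAMPLE_MD5 = hashlib.md5(SAMPLE_ARCHIVE).hexdigest()
SAMPLE_SIDECAR = SAMPLE_MD5 + " *apache-flex-sdk-4.8.0-incubating-bin.zip\n"

if __name__ == "__main__":
    print(verify_download(io.BytesIO(SAMPLE_ARCHIVE), sidecar_text=SAMPLE_SIDECAR))
    print(verify_download(io.BytesIO(SAMPLE_ARCHIVE + b"!"), pinned_md5=SAMPLE_MD5))
```
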

[jira] [Commented] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

Posted by "Erik de Bruin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13425574#comment-13425574 ] 

Erik de Bruin commented on FLEX-33150:
--------------------------------------

Maybe something like this does the trick (haven't run it, so mileage may vary ;-)):

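import flash.filesystem.File;
import flash.filesystem.FileMode;
import flash.filesystem.FileStream;
import flash.utils.ByteArray;

// Assumption: MD5 and Hex are the as3crypto classes, whose MD5 offers the
// instance method hash(ByteArray):ByteArray used below.
import com.hurlant.crypto.hash.MD5;
import com.hurlant.util.Hex;

public function verifyApacheFlexSDKIntegrity(localApacheFlexSDKZipFile:File, 
								   md5HashFromApacheOrg:String):Boolean {
	/**
	 *  Note: get MD5 hash of Apache distro from: 
	 *      http://www.apache.org/dist/incubator/flex/4.8.0-incubating/binaries/apache-flex-sdk-4.8.0-incubating-bin.zip.md5
	 */
	
	// Read the whole downloaded archive into memory.
	var fileAsByteArray:ByteArray = new ByteArray();
	
	var fileStream:FileStream = new FileStream();
	fileStream.open(localApacheFlexSDKZipFile, FileMode.READ);
	fileStream.readBytes(fileAsByteArray);
	fileStream.close();
	
	var md5:MD5 = new MD5();
	
	// The digest comes back as 16 raw bytes, not as text.
	var hashAsByteArray:ByteArray = md5.hash(fileAsByteArray);
	
	// Hex-encode the digest so it can be compared with the published string.
	var md5HashFromLocal:String = Hex.fromArray(hashAsByteArray);
	
	// Case-insensitive comparison of the two hex strings.
	return md5HashFromLocal.toLowerCase() == md5HashFromApacheOrg.toLowerCase();
}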


                

[jira] [Commented] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

Posted by "OmPrakash Muppirala (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13426073#comment-13426073 ] 

OmPrakash Muppirala commented on FLEX-33150:
--------------------------------------------

Erik,

I don't know any better, I guess this should work!

Do you want to work on it, test it and submit a patch for this feature?  This should boost your committer-worthiness karma ;-)

The code is available here:
https://svn.apache.org/repos/asf/incubator/flex/utilities/InstallApacheFlex


                

[jira] [Commented] (FLEX-33150) Programmatically verify the MD5 hash of the downloaded Apache Flex SDK

Posted by "OmPrakash Muppirala (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13426835#comment-13426835 ] 

OmPrakash Muppirala commented on FLEX-33150:
--------------------------------------------

Erik,

Thanks a lot for working on this.  I haven't tried your code yet.  Will do it tonight.

I prefer to keep the hash verification mandatory.  Compared to the overall download times, the ~150 seconds should not be too much of an addition.  
                