Hi,

>> 2. The installer downloads the binary distribution of the Apache Flex
>> sdk. Should the installer programmatically verify the downloaded binary
>> file's signature before uncompressing it?
>
> That is a good idea. If you retrieve a KEYS file (and I'm not sure if that is
> a good idea) it must be from a different URL than the Binary.

Initially would a simple MD5/SHA1 hash check be enough? Not sure it's straightforward to check digital signatures in Flex/AS. Anyone have experience with this?

Thanks,
Justin