On Jul 16, 2012, at 6:22 PM, Justin Mclean wrote:

> Hi,
> 
>>> 2.  The installer downloads the binary distribution of the Apache Flex
>>> sdk.  Should the installer programmatically verify the downloaded binary
>>> file's signature before uncompressing it?
>> 
>> That is a good idea. If you retrieve a KEYS file (and I'm not sure if that 
>> is a good idea) it must be from a different URL than the Binary.
> 
> Initially would a simple MD5/SHA1 hash check be enough?

Yes.

> Not sure it's straightforward to check digital signatures in Flex/AS. Anyone 
> have experience with this?

Let's see what digital signature support eventually comes out of Infra.

And yes it would be interesting to know what signature support there is in 
FlashPlayer and/or Flex SDK.

Regards,
Dave

> 
> Thanks,
> Justin
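
Added example, not part of the original thread and not the Apache Flex installer's code: a Python sketch of the hash check discussed above, run before the archive is uncompressed. It assumes the digest file is fetched over HTTPS from a different host than the binary (applying to the hash file the point made above about KEYS); the `example.org` URLs, function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import io
import re
from urllib.parse import urlsplit

ALGOS = {32: "md5", 40: "sha1"}  # hex digest length -> hashlib name
HEX = r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{32}|[0-9A-Fa-f]{40})(?![0-9A-Fa-f])"

def parse_digest(text):
    """Pull exactly one MD5/SHA1 hex digest out of a sidecar file body.

    Handles 'hex', 'hex  filename' and 'MD5(filename)= hex' layouts.
    """
    found = re.findall(HEX, text)
    if len(found) != 1:
        raise ValueError("expected exactly one digest, found %d" % len(found))
    return ALGOS[len(found[0])], found[0].lower()

def different_origin(binary_url, digest_url):
    """Assumption: digest must come over HTTPS from another host than the binary."""
    b, d = urlsplit(binary_url), urlsplit(digest_url)
    return d.scheme == "https" and bool(d.hostname) and d.hostname != b.hostname

def verify_download(stream, digest_text, binary_url, digest_url, chunk=65536):
    """Return True only if the archive is safe to hand to the uncompress step."""
    if not different_origin(binary_url, digest_url):
        return False  # a mirror that serves both files can swap both
    algo, expected = parse_digest(digest_text)
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk), b""):  # stream; do not load whole file
        h.update(block)
    return hmac.compare_digest(h.hexdigest(), expected)

# Constructed sample input (not real SDK bytes or real URLs).
ARCHIVE = b"constructed stand-in for the SDK binary archive"
BINARY_URL = "http://mirror.example.org/flex/sdk-bin.zip"
DIGEST_URL = "https://dist.example.org/flex/sdk-bin.zip.sha1"

if __name__ == "__main__":
    sidecar = hashlib.sha1(ARCHIVE).hexdigest() + "  sdk-bin.zip\n"
    ok = verify_download(io.BytesIO(ARCHIVE), sidecar, BINARY_URL, DIGEST_URL)
    print("uncompress" if ok else "abort: digest mismatch or untrusted digest source")
```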
