[jira] [Commented] (FLEX-33150) Progamatically verify the MD5 hash of the downloaded Apache Flex SDK

[Erik de Bruin (JIRA)]

    [ 
https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13425574#comment-13425574
 ] 

Erik de Bruin commented on FLEX-33150:
--------------------------------------

Maybe something like this does the trick (haven't run it, so mileage may vary 
;-)):

public function verifyApacheFlexSDKIntegrity(localApacheFlexSDKZipFile:File, 
                                                                   
md5HashFromApacheOrg:String):Boolean {
        /**
         *  Note: get MD5 hash of Apache distro from: 
         *      
http://www.apache.org/dist/incubator/flex/4.8.0-incubating/binaries/apache-flex-sdk-4.8.0-incubating-bin.zip.md5
         */
        
        var fileAsByteArray:ByteArray = new ByteArray();
        
        var fileStream:FileStream = new FileStream();
        fileStream.open(localApacheFlexSDKZipFile, FileMode.READ);
        fileStream.readBytes(fileAsByteArray);
        fileStream.close();
        
        var md5:MD5 = new MD5();
        
        var hashAsByteArray:ByteArray = md5.hash(fileAsByteArray)
        
        var md5HashFromLocal:String = 
hashAsByteArray.readUTFBytes(hashAsByteArray.length);
        
        return md5HashFromLocal = md5HashFromApacheOrg;
}


                
> Progamatically verify the MD5 hash of the downloaded Apache Flex SDK
> --------------------------------------------------------------------
>
>                 Key: FLEX-33150
>                 URL: https://issues.apache.org/jira/browse/FLEX-33150
>             Project: Apache Flex
>          Issue Type: Sub-task
>            Reporter: OmPrakash Muppirala
>            Assignee: Bertrand Delacretaz
>            Priority: Blocker
>
> >>>4.  The installer app needs to programatically verify the downloaded
> >>>flex
> >> >binaries' signatures.  I have very little experience with crypto
> >> >algorithms.  Can someone take this up?  Even if someone can explain the
> >> >steps to do this, I can get it done.
> >>
> >> Are you going to check the signature (.asc) or the checksum (.md5)?  I'm
> >> sure the later is much easier.
> >>
> >>
> >.md5 it is, then ;-)  As I said, I dont know how to go about doing this
> >(yet)  I will do some research on this when I get a chance.
> It looks like com.adobe.com.crypto.MD5Stream in
> https://github.com/mikechambers/as3corelib will do what you need.  It has
> a BSD license so we can use it with no issues.
> Mail discussion thread:
> http://markmail.org/message/czqpeetkjart3ei6

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira