[jira] [Updated] (FLEX-33150) Progamatically verify the MD5 hash of the downloaded Apache Flex SDK

Wed, 01 Aug 2012 07:06:07 -0700 

     [ 
https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erik de Bruin updated FLEX-33150:
---------------------------------

    Attachment: InstallApacheFlex_Patch_EdB_MD5_2012-08-01.txt

I've created a utility class that reads the Flex SDK archive MD5 hash from 
'apache.org', calculates the hash of the local (downloaded) archive and 
compares these. I've used the MD5Stream class mentioned on the dev list, 
working on a FileStream of the local archive. The class clones and 
re-dispatches the progress event of the FileStream to facilitate feedback to 
the user (read the 'note' below ;-)).

I've added some code to embed the new class in the main application, but I'm 
sure that needs more work.

Note: the calculation of the hash of the local file (66+ MB) takes a long, long 
time (> 150 seconds on my quad core 2.2 GHz Intel Core i7), so we might want to 
make this an optional feature, with a default of "don't try this at home, 
kids..."
                
> Progamatically verify the MD5 hash of the downloaded Apache Flex SDK
> --------------------------------------------------------------------
>
>                 Key: FLEX-33150
>                 URL: https://issues.apache.org/jira/browse/FLEX-33150
>             Project: Apache Flex
>          Issue Type: Sub-task
>            Reporter: OmPrakash Muppirala
>            Assignee: Bertrand Delacretaz
>            Priority: Blocker
>         Attachments: InstallApacheFlex_Patch_EdB_MD5_2012-08-01.txt
>
>
> >>>4.  The installer app needs to programatically verify the downloaded
> >>>flex
> >> >binaries' signatures.  I have very little experience with crypto
> >> >algorithms.  Can someone take this up?  Even if someone can explain the
> >> >steps to do this, I can get it done.
> >>
> >> Are you going to check the signature (.asc) or the checksum (.md5)?  I'm
> >> sure the later is much easier.
> >>
> >>
> >.md5 it is, then ;-)  As I said, I dont know how to go about doing this
> >(yet)  I will do some research on this when I get a chance.
> It looks like com.adobe.com.crypto.MD5Stream in
> https://github.com/mikechambers/as3corelib will do what you need.  It has
> a BSD license so we can use it with no issues.
> Mail discussion thread:
> http://markmail.org/message/czqpeetkjart3ei6

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to