flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erik de Bruin (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (FLEX-33150) Progamatically verify the MD5 hash of the downloaded Apache Flex SDK
Date Wed, 01 Aug 2012 14:06:05 GMT

     [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Erik de Bruin updated FLEX-33150:

    Attachment: InstallApacheFlex_Patch_EdB_MD5_2012-08-01.txt

I've created a utility class that reads the Flex SDK archive MD5 hash from 'apache.org', calculates
the hash of the local (downloaded) archive and compares these. I've used the MD5Stream class
mentioned on the dev list, working on a FileStream of the local archive. The class clones
and re-dispatches the progress event of the FileStream to facilitate feedback to the user
(read the 'note' below ;-)).

I've added some code to embed the new class in the main application, but I'm sure that needs
more work.

Note: the calculation of the hash of the local file (66+ MB) takes a long, long time (>
150 seconds on my quad core 2.2 GHz Intel Core i7), so we might want to make this an optional
feature, with a default of "don't try this at home, kids..."
> Progamatically verify the MD5 hash of the downloaded Apache Flex SDK
> --------------------------------------------------------------------
>                 Key: FLEX-33150
>                 URL: https://issues.apache.org/jira/browse/FLEX-33150
>             Project: Apache Flex
>          Issue Type: Sub-task
>            Reporter: OmPrakash Muppirala
>            Assignee: Bertrand Delacretaz
>            Priority: Blocker
>         Attachments: InstallApacheFlex_Patch_EdB_MD5_2012-08-01.txt
> >>>4.  The installer app needs to programatically verify the downloaded
> >>>flex
> >> >binaries' signatures.  I have very little experience with crypto
> >> >algorithms.  Can someone take this up?  Even if someone can explain the
> >> >steps to do this, I can get it done.
> >>
> >> Are you going to check the signature (.asc) or the checksum (.md5)?  I'm
> >> sure the later is much easier.
> >>
> >>
> >.md5 it is, then ;-)  As I said, I dont know how to go about doing this
> >(yet)  I will do some research on this when I get a chance.
> It looks like com.adobe.com.crypto.MD5Stream in
> https://github.com/mikechambers/as3corelib will do what you need.  It has
> a BSD license so we can use it with no issues.
> Mail discussion thread:
> http://markmail.org/message/czqpeetkjart3ei6

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message