incubator-flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erik de Bruin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLEX-33150) Progamatically verify the MD5 hash of the downloaded Apache Flex SDK
Date Tue, 31 Jul 2012 07:12:33 GMT

    [ https://issues.apache.org/jira/browse/FLEX-33150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13425574#comment-13425574
] 

Erik de Bruin commented on FLEX-33150:
--------------------------------------

Maybe something like this does the trick (haven't run it, so mileage may vary ;-)):

public function verifyApacheFlexSDKIntegrity(localApacheFlexSDKZipFile:File, 
								   md5HashFromApacheOrg:String):Boolean {
	/**
	 *  Note: get MD5 hash of Apache distro from: 
	 *      http://www.apache.org/dist/incubator/flex/4.8.0-incubating/binaries/apache-flex-sdk-4.8.0-incubating-bin.zip.md5
	 */
	
	var fileAsByteArray:ByteArray = new ByteArray();
	
	var fileStream:FileStream = new FileStream();
	fileStream.open(localApacheFlexSDKZipFile, FileMode.READ);
	fileStream.readBytes(fileAsByteArray);
	fileStream.close();
	
	var md5:MD5 = new MD5();
	
	var hashAsByteArray:ByteArray = md5.hash(fileAsByteArray)
	
	var md5HashFromLocal:String = hashAsByteArray.readUTFBytes(hashAsByteArray.length);
	
	return md5HashFromLocal = md5HashFromApacheOrg;
}


                
> Progamatically verify the MD5 hash of the downloaded Apache Flex SDK
> --------------------------------------------------------------------
>
>                 Key: FLEX-33150
>                 URL: https://issues.apache.org/jira/browse/FLEX-33150
>             Project: Apache Flex
>          Issue Type: Sub-task
>            Reporter: OmPrakash Muppirala
>            Assignee: Bertrand Delacretaz
>            Priority: Blocker
>
> >>>4.  The installer app needs to programatically verify the downloaded
> >>>flex
> >> >binaries' signatures.  I have very little experience with crypto
> >> >algorithms.  Can someone take this up?  Even if someone can explain the
> >> >steps to do this, I can get it done.
> >>
> >> Are you going to check the signature (.asc) or the checksum (.md5)?  I'm
> >> sure the later is much easier.
> >>
> >>
> >.md5 it is, then ;-)  As I said, I dont know how to go about doing this
> >(yet)  I will do some research on this when I get a chance.
> It looks like com.adobe.com.crypto.MD5Stream in
> https://github.com/mikechambers/as3corelib will do what you need.  It has
> a BSD license so we can use it with no issues.
> Mail discussion thread:
> http://markmail.org/message/czqpeetkjart3ei6

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message