Okay, here we go!
Presenting...the MD5/SHA1/Jar verification app
New, version 2.2 of MD5/SHA1/Jar-verification app:
Changes in the 2.2 version include:
1. larger rows and font for easier/better file-selection
2. sorted list of files displayed in file-selector
3. retain directory between each file-selection
4. verify read-access of selected file to prevent force-close
5. test file's suffix to warn if non jar-type file selected for jar-verification
6. add menu support (help, change log, acknowledgements)
Version 2.1 of MD5/SHA1/Jar-verification app:
Version 2.0 of MD5/SHA1/Jar-verification
(save to either /sdcard/download or /sdcard)
[note: this checksumdb.txt file is totally optional and is really only relevant for the Eris at this time]
Checksums for 'MD5-Checksum-v2.2.apk':
Size: 36,523 (bytes)
Checksums for 'MD5-Checksum-v2.1.apk':
Size: 33,268 (bytes)
Checksums for 'MD5-Checksum-v2.0.apk':
Size: 28,951 (bytes)
Checksums for 'checksumdb.txt':
Size: 20,480 (bytes)
I developed this app to try to help folks ensure that the files they download or move to their phones are complete and uncorrupted copies of the ones they intended (and to prevent the subsequent problems that might occur as a result of these incomplete or corrupt files).
My first efforts with this app were to simply calculate an MD5 checksum for a file. Then came the SHA1 option. Eventually, with a suggestion from bftb0/eu1, I started poking-around with trying to make a 'jarsigner -verify' like functionality. Hopefully, it does so (or enough). I'm still trying to figure-out the certificate signing stuff...
How to use:
1a. Select the MD5 radio button to calculate an MD5 checksum on the file
1b. Select the SHA1 radio button to calculate an SHA1 checksum on the file
1c. Select the JV1 (Jar Verify method #1) radio button to validate the SHA1 checksums of each file listed in the META-INF/MANIFEST.MF file of the jar file that you specified. This is the older version of the jar verification function that basically verifies the jar file using the JarFile methods AND by explicitly reading and re-calculating the SHA1 checksums for each file in the jar.
1d. Select the JV2 (Jar Verify method #2) radio button to validate the SHA1 checksums of each file listed in the META-INF/MANIFEST.MF file of the jar file that you specified. This is the newer version of the jar verification function that simply uses the JarFile methods to verify the jar file MUCH faster than JV1.
2. Press the Select File button and use the file selector/explorer to select your file. You may also manually enter and/or edit your selected file in the input text area.
3. Select the Process File button to initiate either an MD5 or SHA1 calculation on the file or to verify a jar file
You should be aware that SHA1 checksums take at least twice as long to calculate as MD5 checksums. Also, performing a JV1 (original jar verify method) against a 100MB custom ROM jar file takes about 2.5 minutes on an unrooted Droid X (performance mode), and 7 minutes on my Eris (rooted, running Ivan's 1.0 at 710MHz). The new JV2 jar verification method takes only 23 seconds for the same 100MB file (on my Droid X, btw).
Note: this app, in its various stages, has been tested on Android 1.5 (Motorola Cliq), a rooted 2.1 Eris, and an unrooted 2.1 Droid X. It was created in the Android SDK / Eclipse to be run from Android 1.5 and higher.
Interesting Observations Recently Made
1. The PB00IMG.zip (Eris 2.1 leaks) files are not jar files (I did not realize that
2. The 'jarsigner.exe -verify' does not check certificates, just the SHA1 digests of the files in the MANIFEST.MF file and the presence of the files in the manifest. You can see this with a 'jarsigner.exe -verify -verbose xxx.zip' command (only 's' and 'm' markers are reported).
3. Un-zipping a jar file and re-zipping it does not create an identical .zip (jar) file. However, the files contained in the .zip (still a jar) do properly validate with my app and with the 'jarsigner.exe' utility.
4. And the most interesting item of all: whilst attempting to create a "bad" jar file by hex-editing a file (i.e., to verify that my app will report badly-formed or corrupt jar files), I discovered that my app was trapping when trying to read the .zip via an InputStream. The exception reported was basically "invalid digest"--the jar is auto-verified while it is being read!
I hadn't even gotten to my code that re-calculated the SHA1 sum, converted it to base64, and then compared it to the value from the manifest. So, basically, at this point, the digest verification that takes place in my app happens twice: once implicitly by the Java jar classes and once explicitly by the code that I wrote.
I'm still trying to "digest" (pun fully intended) this information, but I'll probably make two options for jar verification: one for the implicit digest checking, and one that will do both like it's doing now. edit: this is now done with JV1 being the original method and JV2 being the newer (and much faster) method
For other information re. previous versions of this app, please reference:
Future changes planned
1. Progress bar during jar file verification
2. Log file output of jar file verification
3. Possibly do jar file certificate checking
4. Create Nandroid backup directory verifier (calculate MD5 sums for each file (boot.img, data.img, and system.img) and audit against nandroid.md5 file)
5. Convert all output display to pop-up dialogs (make app compatible on all devices)
1. jcase and eclips3 for boot-strapping me with my first Android app
2. bftb0 / erisuser1 for all his knowledge and help over at AF and for encouraging me to implement the jarsigner-like functionality (as best as I can at this point)
3. Robert W. Harder for his public domain Base64 encoding/decoding classes (http://iharder.sourceforge.net/current/java/base64/)
4. Android Forum's doogald for his valuable feedback
Thanks, and let me know if you have questions and/or what you think. Cheers!
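
The explicit check that JV1 is described as doing above (re-calculate each entry's SHA1, convert it to base64, compare it with the value in META-INF/MANIFEST.MF), as an added example in Python rather than the app's own Java code. The function names and the sample jar are constructed for illustration; it checks manifest digests only, not signatures or certificates, and also reports archive entries the manifest never lists.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def parse_manifest(text):
    """Return {entry name: base64 SHA1 digest} from the per-entry sections."""
    # Manifest lines wrap at 72 bytes; a continuation line starts with a space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n")[1:]:  # section 0 is the main section
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and "SHA1-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA1-Digest"]
    return digests

def verify_jar(data):
    """Map each entry to 'ok', 'digest mismatch', 'missing' or 'not in manifest'."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        expected = parse_manifest(jar.read(MANIFEST).decode("utf-8"))
        names = {n for n in jar.namelist() if not n.endswith("/")}
        for name, digest in expected.items():
            if name not in names:
                results[name] = "missing"
                continue
            actual = base64.b64encode(hashlib.sha1(jar.read(name)).digest())
            results[name] = "ok" if actual.decode() == digest else "digest mismatch"
        # Files present in the archive but never listed are not covered at all.
        for name in names - set(expected):
            if not name.startswith("META-INF/"):
                results[name] = "not in manifest"
    return results

def build_sample_jar(listed, stored=None):
    """Constructed input: manifest digests cover `listed`; archive holds `stored`."""
    stored = listed if stored is None else stored
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, body in listed.items():
        digest = base64.b64encode(hashlib.sha1(body).digest()).decode()
        manifest += f"Name: {name}\r\nSHA1-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest)
        for name, body in stored.items():
            jar.writestr(name, body)
    return buf.getvalue()
```

Calling `verify_jar(build_sample_jar(files))` on an untouched sample returns `ok` for every entry; passing a different `stored` dict simulates a corrupted, truncated or padded download.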