Or Continue to Thread: [Begging] Devs - please publis…
Find Your Device:
11th September 2010, 08:52 AM   |  #21  
Recognized Developer
Flag Indy
Thanks Meter: 90
268 posts
Join Date:Joined: Jun 2010
MD5/SHA1/Jar Verifier App (new, v2.2!)
Okay, here we go! Presenting...the MD5/SHA1/Jar verification app.

New, version 2.2 of MD5/SHA1/Jar-verification app:
Download: MD5-Checksum-v2.2.apk

Changes in the 2.2 version include:

1. larger rows and font for easier/better file-selection
2. sorted list of files displayed in file-selector
3. retain directory between each file-selection
4. verify read-access of selected file to prevent force-close
5. test file's suffix to warn if non jar-type file selected for jar-verification
6. add menu support (help, change log, acknowledgements)

Version 2.1 of MD5/SHA1/Jar-verification app:
Download: MD5-Checksum-v2.1.apk

Version 2.0 of MD5/SHA1/Jar-verification app:
Download: MD5-Checksum-v2.0.apk
Download: checksumdb.txt (save to either /sdcard/download or /sdcard)
[note: this checksumdb.txt file is totally optional and is really only relevant for the Eris at this time]

Checksums for 'MD5-Checksum-v2.2.apk':
  Size:   36,523 (bytes)
  MD5:   3aec3fd4cae8f200db8457894ae4193f
  SHA1:  b164382f92259aa0726c7fe61178904c58bc5fbc

Checksums for 'MD5-Checksum-v2.1.apk':
  Size:   33,268 (bytes)
  MD5:   667440bb47bd574c4972d1fa6f4cfda1
  SHA1:  394f16a5520dab3ff1f56bd769695040d2447df2

Checksums for 'MD5-Checksum-v2.0.apk':
  Size:   28,951 (bytes)
  MD5:   2fd0d7bf6cd2b43a667592eb4ed83c15
  SHA1:  287419e3e006d514b2f8287b1a0a524e0dd39818

Checksums for 'checksumdb.txt':
  Size:   20,480 (bytes)
  MD5:   a68db3d2e822938fe9f626b82d054a5f
  SHA1:  dc4899c45be32472c925123395c502f3852b9d24

I developed this app to try to help folks ensure that the files they download or move to their phones are complete and uncorrupted copies of the ones they intended (and to prevent the subsequent problems that might occur as a result of these incomplete or corrupt files).

My first efforts with this app were to simply calculate an MD5 checksum for a file. Then came the SHA1 option. Eventually, with a suggestion from bftb0/eu1, I started poking-around with trying to make a 'jarsigner -verify' like functionality. Hopefully, it does so (or enough). I'm still trying to figure-out the certificate signing stuff...

How to use:

1a. Select MD5 radio buffon to calculate an MD5 checksum on the file

1b. Select SHA1 radio-button to calculate an SHA1 checksum on the file

1c. Select JV1 (Jar Verify method #1) radio-button to validate the SHA1 checksums of each file listed in the jar file that you specified's META-INF/MANIFEST.MF file. This is the older version of the jar verification function that basically verifies the jar file using the JarFile methods AND by explicity reading and re-calculating the SHA1 checksums for each file in the jar.

1d. Select JV2 (Jar Verify method #2) radio-button to validate the SHA1 checksums of each file listed in the jar file that you specified's META-INF/MANIFEST.MF file. This is the newer version of the jar verification function that simply uses the JarFile methods to verify the jar file MUCH faster than JV1.

2. Press the Select File button and use the file selector/explorer to select your file. You may also manually enter and/or edit your selected file in the input text area.

3. Select the Process File button to initiate either and MD5 or SHA1 calculation on the file or to verify a jar file

You should be aware that SHA1 checksums take at least twice as long to calculate as MD5 checksums. Also, performing a JV1 (original jar verify method) against a 100MB custom ROM jar file takes about 2.5 minutes on an unrooted Droid X (performance mode), and 7 minutes on my Eris (rooted, running Ivan's 1.0 at 710MHz). The new JV2 jar verification method takes only 23 seconds for the same 100MB file (on my Droid X, btw).

Note: this app, in its various stages have been tested on Android 1.5 (Motorola Cliq), a rooted 2.1 Eris, an unrooted 2.1 Droid X. It was created in the Android SDK / Eclipse to be run from Android 1.5 and higher.

Interesting Observations Recently Made:

1. The PB00IMG.zip (Eris 2.1 leaks) files are not jar files (I did not realize that )

2. The 'jarsigner.exe -verify' does not check certificates, just the SHA1 digests of the files in the MANIFEST.MF file and the presence of the files in the manifest. You can see this with a 'jarsigner.exe -verify -verbose xxx.zip'' command (only 's' and 'm' markers are reported).

3. Un-zipping a jar file and re-zipping it does not create an identical .zip (jar) file. However, the files contained in the .zip (still a jar) do properly validate with my app and with the 'jarsigner.exe' utility.

4. And the most interesting item of all: whilst attempting to create a "bad" jar file by hex-editing a file (i.e., to verify that my app will report badly-formed or corrupt jar files), I discovered that my app was trapping when trying to read the .zip via an InputStream. The exception reported was basically "invalid digest"--the jar is auto-verified while it is being read! I hadn't even gotten to my code that re-calculated the SHA1 sum, converted it to base64, and then compared it to the value from the manifest. So, basically, at this point, the digest verification that takes place in my app happens twice: once implicitly by the Java jar classes and once explicitly by the code that I wrote. I'm still trying to "digest" (pun fully intened) this information, but I'll probably make two options for jar verification: one for the implicit digest checking, and one that will do both like its doing now. edit: this is now done with JV1 being the original method and JV2 being the newer (and much faster) method


Click image for larger version

Name:	4-md5-result.jpg
Views:	262
Size:	94.5 KB
ID:	399017 Click image for larger version

Name:	7-sha1-result-start-jar-verify.jpg
Views:	182
Size:	48.4 KB
ID:	399051 Click image for larger version

Name:	8-jar-verify-result.jpg
Views:	136
Size:	75.6 KB
ID:	399052 Click image for larger version

Name:	9-jar-verify-failed.jpg
Views:	124
Size:	91.5 KB
ID:	399053

For other information re. previous versions of this app, please reference:

v1.1: http://androidforums.com/eris-all-th...-verifier.html

v1.0: http://androidforums.com/htc-droid-e...checksums.html

Future changes planned:

1. Progress bar during jar file verification
2. Log file output of jar file verification
3. Possibly do jar file certificate checking
4. Create Nandroid backup directory verifier (calculate MD5 sums for each file (boot.img, data.img, and system.img) and audit against nandroid.md5 file)
5. Convert all output display to pop-up dialogs (make app compatible on all devices)


1. jcase and eclips3 for boot-strapping me with my first Android app

2. bftb0 / erisuser1 for all his knowledge and help over at AF and for encouraging me to implement the jarsigner-like functionality (as best as I can at this point)

3. Robert W. Harder for his public domain Base64 encoding/decoding classes (http://iharder.sourceforge.net/current/java/base64/)

4. Android Forum's doogald for his valuable feedback

Thanks, and let me know if you have questions and/or what you think. Cheers!
Last edited by scary alien; 20th September 2010 at 06:19 AM. Reason: added v2.2 app