They are required. However, these values are very easy to calculate.
Just write a small shell script to spit out your server plist for you.
Getting the DMG's size is trivial, and the hash can be calculated with
"openssl sha1 -binary <dmg>| openssl base64". See
for more details.
Oh, one more thing that can make testing a lot easier: use file: URLs
for testing rather than http(s): URLs. This can make testing a lot
simpler and faster because all your files (including the server plist)
can sit locally on your machine.