Not delete the file if the signature fail

Author: Mattia Bertorello

arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java

@@ -41,8 +41,7 @@
 import java.io.File;
 import java.net.URL;
 import java.nio.file.*;
-import java.util.List;
-import java.util.stream.Collectors;
+import java.util.Collection;
 
 import static processing.app.I18n.format;
 import static processing.app.I18n.tr;
@@ -145,15 +144,13 @@ public void download(URL url, File tmpFile, Progress progress, String statusText
     }
   }
 
-  public void downloadIndexAndSignature(MultiStepProgress progress, List<String> downloadedFilesAccumulator, String packageIndexUrlString, ProgressListener progressListener, SignatureVerifier signatureVerifier) throws Exception {
+  public void downloadIndexAndSignature(MultiStepProgress progress, URL packageIndexUrl, ProgressListener progressListener, SignatureVerifier signatureVerifier) throws Exception {
 
     // Extract the file name from the url
-    URL packageIndexUrl = new URL(packageIndexUrlString);
     String[] urlPathParts = packageIndexUrl.getFile().split("/");
     File packageIndex = BaseNoGui.indexer.getIndexFile(urlPathParts[urlPathParts.length - 1]);
 
     final String statusText = tr("Downloading platforms index...");
-    downloadedFilesAccumulator.add(packageIndex.getName());
 
     // Create temp files
     File packageIndexTemp = File.createTempFile(packageIndexUrl.getPath(), ".tmp");
@@ -164,18 +161,15 @@ public void downloadIndexAndSignature(MultiStepProgress progress, List<String> d
       if (verifyDomain(packageIndexUrl)) {
         URL signatureUrl = new URL(packageIndexUrl.toString() + ".sig");
 
-        if (checkSignature(progress, downloadedFilesAccumulator, signatureUrl, progressListener, signatureVerifier, statusText, packageIndexTemp)) {
+        if (checkSignature(progress, signatureUrl, progressListener, signatureVerifier, statusText, packageIndexTemp)) {
           Files.move(packageIndexTemp.toPath(), packageIndex.toPath(), StandardCopyOption.REPLACE_EXISTING);
-        } else {
-          downloadedFilesAccumulator.remove(packageIndex.getName());
         }
       } else {
         // Move the package index to the destination when the signature is not necessary
         Files.move(packageIndexTemp.toPath(), packageIndex.toPath(), StandardCopyOption.REPLACE_EXISTING);
-        log.info("The domain is not selected to verify the signature. packageIndex: {}", packageIndexUrl);
+        log.info("The domain is not selected to verify the signature. will be copied into this path {}, packageIndex url: {}", packageIndex, packageIndexUrl);
       }
     } catch (Exception e) {
-      downloadedFilesAccumulator.remove(packageIndex.getName());
       throw e;
     } finally {
       // Delete useless temp file
@@ -184,12 +178,8 @@ public void downloadIndexAndSignature(MultiStepProgress progress, List<String> d
   }
 
   public boolean verifyDomain(URL url) {
-    final List<String> domain = PreferencesData.
-      getCollection("http.signature_verify_domains")
-      .stream()
-      // Remove empty strings from the collection
-      .filter((v) -> !v.trim().isEmpty())
-      .collect(Collectors.toList());
+    final Collection<String> domain = PreferencesData.
+      getCollection("http.signature_verify_domains");
     if (domain.size() == 0) {
       // Default domain
       domain.add("downloads.arduino.cc");
@@ -202,7 +192,7 @@ public boolean verifyDomain(URL url) {
     }
   }
 
-  public boolean checkSignature(MultiStepProgress progress, List<String> downloadedFilesAccumulator, URL signatureUrl, ProgressListener progressListener, SignatureVerifier signatureVerifier, String statusText, File fileToVerify) throws Exception {
+  public boolean checkSignature(MultiStepProgress progress, URL signatureUrl, ProgressListener progressListener, SignatureVerifier signatureVerifier, String statusText, File fileToVerify) throws Exception {
 
     File packageIndexSignatureTemp = File.createTempFile(signatureUrl.getPath(), ".tmp");
     // Signature file name
@@ -219,7 +209,6 @@ public boolean checkSignature(MultiStepProgress progress, List<String> downloade
         log.info("Signature verified. url={}, signature url={}, file to verify={}, signature file={}", signatureUrl, signatureUrl, fileToVerify, packageIndexSignatureTemp);
         // Move if the signature is ok
         Files.move(packageIndexSignatureTemp.toPath(), packageIndexSignature.toPath(), StandardCopyOption.REPLACE_EXISTING);
-        downloadedFilesAccumulator.add(packageIndexSignature.getName());
       } else {
         log.error("{} file signature verification failed. File ignored.", signatureUrl);
         System.err.println(format(tr("{0} file signature verification failed. File ignored."), signatureUrl.toString()));

arduino-core/src/cc/arduino/contributions/libraries/LibraryInstaller.java

@@ -68,8 +68,6 @@ public LibraryInstaller(Platform platform, GPGDetachedSignatureVerifier signatur
   public synchronized void updateIndex(ProgressListener progressListener) throws Exception {
     final MultiStepProgress progress = new MultiStepProgress(3);
 
-    List<String> downloadedFilesAccumulator = new LinkedList<>();
-
     DownloadableContributionsDownloader downloader = new DownloadableContributionsDownloader(BaseNoGui.librariesIndexer.getStagingFolder());
     // Step 1: Download index
     File outputFile = BaseNoGui.librariesIndexer.getIndexFile();
@@ -88,7 +86,7 @@ public synchronized void updateIndex(ProgressListener progressListener) throws E
 
     URL signatureUrl = new URL(libraryURL.toString() + ".sig");
     if (downloader.verifyDomain(signatureUrl)) {
-      if (downloader.checkSignature(progress, downloadedFilesAccumulator, signatureUrl, progressListener, signatureVerifier, statusText, libraryIndexTemp)) {
+      if (downloader.checkSignature(progress, signatureUrl, progressListener, signatureVerifier, statusText, libraryIndexTemp)) {
         // Replace old index with the updated one
         if (libraryIndexTemp.length() > 0) {
           Files.move(libraryIndexTemp.toPath(), outputFile.toPath(), StandardCopyOption.REPLACE_EXISTING);

arduino-core/src/cc/arduino/contributions/packages/ContributionInstaller.java

@@ -53,6 +53,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.IOException;
+import java.net.URL;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -282,30 +283,34 @@ public synchronized List<String> remove(ContributedPlatform contributedPlatform)
     return errors;
   }
 
-  public synchronized List<String> updateIndex(ProgressListener progressListener) throws Exception {
+  public synchronized List<String> updateIndex(ProgressListener progressListener) {
     MultiStepProgress progress = new MultiStepProgress(1);
 
-    List<String> downloadedPackageIndexFilesAccumulator = new LinkedList<>();
     final DownloadableContributionsDownloader downloader = new DownloadableContributionsDownloader(BaseNoGui.indexer.getStagingFolder());
-    downloader.downloadIndexAndSignature(progress, downloadedPackageIndexFilesAccumulator, Constants.PACKAGE_INDEX_URL, progressListener, signatureVerifier);
 
-    Set<String> packageIndexURLs = new HashSet<>();
-    String additionalURLs = PreferencesData.get(Constants.PREF_BOARDS_MANAGER_ADDITIONAL_URLS, "");
-    if (!"".equals(additionalURLs)) {
-      packageIndexURLs.addAll(Arrays.asList(additionalURLs.split(",")));
-    }
+    final Set<String> packageIndexURLs = new HashSet<>(
+      PreferencesData.getCollection(Constants.PREF_BOARDS_MANAGER_ADDITIONAL_URLS)
+    );
+    packageIndexURLs.add(Constants.PACKAGE_INDEX_URL);
+    List<String> downloadedPackageIndexFilesAccumulator = new LinkedList<>();
 
-    for (String packageIndexURL : packageIndexURLs) {
+    for (String packageIndexURLString : packageIndexURLs) {
       try {
-        downloader.downloadIndexAndSignature(progress, downloadedPackageIndexFilesAccumulator, packageIndexURL, progressListener, signatureVerifier);
+        // Extract the file name from the URL
+        final URL packageIndexURL = new URL(packageIndexURLString);
+        String[] urlPathParts = packageIndexURL.getPath().split("/");
+        downloadedPackageIndexFilesAccumulator.add(BaseNoGui.indexer.getIndexFile(urlPathParts[urlPathParts.length - 1]).getName());
+
+        log.info("Start download and signature check of={}", packageIndexURLs);
+        downloader.downloadIndexAndSignature(progress, packageIndexURL, progressListener, signatureVerifier);
       } catch (Exception e) {
         log.error(e.getMessage(), e);
         System.err.println(e.getMessage());
       }
     }
 
     progress.stepDone();
-
+    log.info("Downloaded package index URL={}", packageIndexURLs);
     return downloadedPackageIndexFilesAccumulator;
   }
 
@@ -315,8 +320,11 @@ public synchronized void deleteUnknownFiles(List<String> downloadedPackageIndexF
     if (additionalPackageIndexFiles == null) {
       return;
     }
+    log.info("Check unknown files. Additional package index folder files={}, Additional package index url downloaded={}", downloadedPackageIndexFiles, additionalPackageIndexFiles);
+
     for (File additionalPackageIndexFile : additionalPackageIndexFiles) {
       if (!downloadedPackageIndexFiles.contains(additionalPackageIndexFile.getName())) {
+        log.info("Delete this unknown file={} because not included in this list={}", additionalPackageIndexFile, additionalPackageIndexFiles);
         Files.delete(additionalPackageIndexFile.toPath());
       }
     }

arduino-core/src/processing/app/PreferencesData.java

@@ -265,7 +265,10 @@ static public Font getFont(String attr) {
   }
 
   public static Collection<String> getCollection(String key) {
-    return Arrays.asList(get(key, "").split(","));
+    return Arrays.stream(get(key, "").split(","))
+      // Remove empty strings from the collection
+      .filter((v) -> !v.trim().isEmpty())
+      .collect(Collectors.toList());
   }
 
   public static void setCollection(String key, Collection<String> values) {