arduino
diff --git a/Diff for: ‎arduino/security/keys/arduino_public.gpg.key
5.94 KB b/Diff for: ‎arduino/security/keys/arduino_public.gpg.key
5.94 KB
diff --git a/Diff for: ‎arduino/security/rice-box.go
+43 b/Diff for: ‎arduino/security/rice-box.go
+43
diff --git a/Diff for: ‎arduino/security/signature_test.go
+36 b/Diff for: ‎arduino/security/signature_test.go
+36
diff --git a/Diff for: ‎arduino/security/signatures.go
+54 b/Diff for: ‎arduino/security/signatures.go
+54
@@ -0,0 +1,36 @@
+// This file is part of arduino-cli.
+//
+// Copyright 2020 ARDUINO SA (http://www.arduino.cc/)
+//
+// This software is released under the GNU General Public License version 3,
+// which covers the main part of arduino-cli.
+// The terms of this license can be found at:
+// https://www.gnu.org/licenses/gpl-3.0.en.html
+//
+// You can be released from the requirements of the above licenses by purchasing
+// a commercial license. Buying such a license is mandatory if you want to
+// modify or otherwise use the software for commercial activities involving the
+// Arduino software without disclosing the source code of your own applications.
+// To purchase a commercial license, send an email to [email protected].
+
+package security
+
+import (
+	"testing"
+
+	"github.com/arduino/go-paths-helper"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSignatureVerification(t *testing.T) {
+	res, signer, err := VerifyArduinoDetachedSignature(paths.New("testdata/package_index.json"), paths.New("testdata/package_index.json.sig"))
+	require.NoError(t, err)
+	require.NotNil(t, signer)
+	require.True(t, res)
+	require.Equal(t, uint64(0x7baf404c2dfab4ae), signer.PrimaryKey.KeyId)
+
+	res, signer, err = VerifyArduinoDetachedSignature(paths.New("testdata/invalid_file.json"), paths.New("testdata/package_index.json.sig"))
+	require.False(t, res)
+	require.Nil(t, signer)
+	require.Error(t, err)
+}
@@ -0,0 +1,54 @@
+// This file is part of arduino-cli.
+//
+// Copyright 2020 ARDUINO SA (http://www.arduino.cc/)
+//
+// This software is released under the GNU General Public License version 3,
+// which covers the main part of arduino-cli.
+// The terms of this license can be found at:
+// https://www.gnu.org/licenses/gpl-3.0.en.html
+//
+// You can be released from the requirements of the above licenses by purchasing
+// a commercial license. Buying such a license is mandatory if you want to
+// modify or otherwise use the software for commercial activities involving the
+// Arduino software without disclosing the source code of your own applications.
+// To purchase a commercial license, send an email to [email protected].
+
+package security
+
+import (
+	"fmt"
+
+	rice "github.com/GeertJohan/go.rice"
+	"github.com/arduino/go-paths-helper"
+	"golang.org/x/crypto/openpgp"
+)
+
+// VerifyArduinoDetachedSignature that give signaturePath GPG signature match the given targetPath file
+// ant the is an authentic signature from Arduino.
+func VerifyArduinoDetachedSignature(targetPath *paths.Path, signaturePath *paths.Path) (bool, *openpgp.Entity, error) {
+	keysBox, err := rice.FindBox("keys")
+	if err != nil {
+		panic("could not find bundled signature keys")
+	}
+	arduinoKeyringFile, err := keysBox.Open("arduino_public.gpg.key")
+	if err != nil {
+		panic("could not find bundled signature keys")
+	}
+	keyRing, err := openpgp.ReadKeyRing(arduinoKeyringFile)
+	if err != nil {
+		return false, nil, fmt.Errorf("retrieving Arduino public keys: %s", err)
+	}
+
+	target, err := targetPath.Open()
+	if err != nil {
+		return false, nil, fmt.Errorf("opening target file: %s", err)
+	}
+	defer target.Close()
+	signature, err := signaturePath.Open()
+	if err != nil {
+		return false, nil, fmt.Errorf("opening signature file: %s", err)
+	}
+	defer signature.Close()
+	signer, err := openpgp.CheckDetachedSignature(keyRing, target, signature)
+	return (signer != nil && err == nil), signer, err
+}