Enforce signature check on library_index.json (#2326)

Author: cmaglie

Diff for: arduino/resources/index.go

@@ -17,6 +17,7 @@ package resources
 
 import (
 	"context"
+	"errors"
 	"net/url"
 	"path"
 	"strings"
@@ -33,8 +34,9 @@ import (
 
 // IndexResource is a reference to an index file URL with an optional signature.
 type IndexResource struct {
-	URL          *url.URL
-	SignatureURL *url.URL
+	URL                          *url.URL
+	SignatureURL                 *url.URL
+	EnforceSignatureVerification bool
 }
 
 // IndexFileName returns the index file name as it is saved in data dir (package_xxx_index.json).
@@ -140,6 +142,10 @@ func (res *IndexResource) Download(destDir *paths.Path, downloadCB rpc.DownloadP
 		} else if !valid {
 			return &arduino.SignatureVerificationFailedError{File: res.URL.String()}
 		}
+	} else {
+		if res.EnforceSignatureVerification {
+			return &arduino.PermissionDeniedError{Message: tr("Error verifying signature"), Cause: errors.New(tr("missing signature"))}
+		}
 	}
 
 	// TODO: Implement a ResourceValidator

Diff for: commands/instances.go

@@ -511,7 +511,8 @@ func UpdateLibrariesIndex(ctx context.Context, req *rpc.UpdateLibrariesIndexRequ
 	defer tmp.RemoveAll()
 
 	indexResource := resources.IndexResource{
-		URL: librariesmanager.LibraryIndexWithSignatureArchiveURL,
+		URL:                          librariesmanager.LibraryIndexWithSignatureArchiveURL,
+		EnforceSignatureVerification: true,
 	}
 	if err := indexResource.Download(lm.IndexFile.Parent(), downloadCB); err != nil {
 		return err