Check gpg signature for library_index.json

Author: cmaglie

Diff for: arduino/libraries/librariesmanager/download.go

@@ -24,3 +24,6 @@ var LibraryIndexURL, _ = url.Parse("https://downloads.arduino.cc/libraries/libra
 
 // LibraryIndexGZURL is the URL where to get the gzipped library index.
 var LibraryIndexGZURL, _ = url.Parse("https://downloads.arduino.cc/libraries/library_index.json.gz")
+
+// LibraryIndexSignature is the URL where to get the library index signature.
+var LibraryIndexSignature, _ = url.Parse("https://downloads.arduino.cc/libraries/library_index.json.sig")

Diff for: arduino/libraries/librariesmanager/librariesmanager.go

@@ -35,9 +35,10 @@ type LibrariesManager struct {
 	LibrariesDir []*LibrariesDir
 	Libraries    map[string]*LibraryAlternatives `json:"libraries"`
 
-	Index        *librariesindex.Index
-	IndexFile    *paths.Path
-	DownloadsDir *paths.Path
+	Index              *librariesindex.Index
+	IndexFile          *paths.Path
+	IndexFileSignature *paths.Path
+	DownloadsDir       *paths.Path
 }
 
 // LibrariesDir is a directory containing libraries
@@ -95,15 +96,17 @@ func (lm LibrariesManager) Names() []string {
 
 // NewLibraryManager creates a new library manager
 func NewLibraryManager(indexDir *paths.Path, downloadsDir *paths.Path) *LibrariesManager {
-	var indexFile *paths.Path
+	var indexFile, indexFileSignature *paths.Path
 	if indexDir != nil {
 		indexFile = indexDir.Join("library_index.json")
+		indexFileSignature = indexDir.Join("library_index.json.sig")
 	}
 	return &LibrariesManager{
-		Libraries:    map[string]*LibraryAlternatives{},
-		IndexFile:    indexFile,
-		DownloadsDir: downloadsDir,
-		Index:        librariesindex.EmptyIndex,
+		Libraries:          map[string]*LibraryAlternatives{},
+		IndexFile:          indexFile,
+		IndexFileSignature: indexFileSignature,
+		DownloadsDir:       downloadsDir,
+		Index:              librariesindex.EmptyIndex,
 	}
 }
 

Diff for: commands/instances.go

@@ -201,18 +201,40 @@ func UpdateLibrariesIndex(ctx context.Context, req *rpc.UpdateLibrariesIndexRequ
 		}
 	}
 
+	// Download signature
+	tmpSignature := tmp.Join("library_index.json.sig")
+	if d, err := downloader.DownloadWithConfig(tmpSignature.String(), librariesmanager.LibraryIndexSignature.String(), *config, downloader.NoResume); err != nil {
+		return err
+	} else {
+		if err := Download(d, "Updating index: library_index.json.sig", downloadCB); err != nil {
+			return errors.Wrap(err, "downloading library_index.json.sig")
+		}
+	}
+
 	// Extract the real library_index
 	tmpIndex := tmp.Join("library_index.json")
 	if err := paths.GUnzip(tmpIndexGz, tmpIndex); err != nil {
 		return errors.Wrap(err, "unzipping library_index.json.gz")
 	}
 
-	// Copy extracted library_index to final destination
+	// Check signature
+	if ok, _, err := security.VerifyArduinoDetachedSignature(tmpIndex, tmpSignature); err != nil {
+		return errors.Wrap(err, "verifying signature")
+	} else if !ok {
+		return errors.New("library_index.json has an invalid signature!")
+	}
+
+	// Copy extracted library_index and signature to final destination
 	lm.IndexFile.Remove()
+	lm.IndexFileSignature.Remove()
 	if err := tmpIndex.CopyTo(lm.IndexFile); err != nil {
 		return errors.Wrap(err, "writing library_index.json")
 	}
+	if err := tmpSignature.CopyTo(lm.IndexFileSignature); err != nil {
+		return errors.Wrap(err, "writing library_index.json.sig")
+	}
 
+	// Rescan libraries
 	if _, err := Rescan(req.GetInstance().GetId()); err != nil {
 		return fmt.Errorf("rescanning filesystem: %s", err)
 	}