Package index signature verification fails silently #1661

Closed
alranel opened this issue Feb 14, 2022 · 1 comment · Fixed by #2138
Labels: topic: code (Related to content of the project itself); type: imperfection (Perceived defect in any part of project)

alranel commented Feb 14, 2022

It looks like the verification of the signature on the package index is failing:

 % arduino-cli core update-index --log-level info -v
INFO[0000] Using config file: /Users/alranel/Library/Arduino15/arduino-cli.yaml
INFO[0000] arduino-cli version 0.21.0
INFO[0000] Checking if CLI is Bundled into the IDE
INFO[0000] Adding libraries dir                          dir=/Users/alranel/Documents/Arduino/libraries location=user
INFO[0000] Executing `arduino-cli core update-index`
INFO[0000] URL: https://downloads.arduino.cc/packages/package_index.json
INFO[0000] Updating index                                url="https://downloads.arduino.cc/packages/package_index.json"
Updating index: package_index.json downloaded
Updating index: package_index.json.sig downloaded
INFO[0000] Checking signature                            error="opening signature file: open /var/folders/47/_57rjy4111jc7dfpgjmcc93w0000gp/T/170775452.sig: no such file or directory" index=/var/folders/47/_57rjy4111jc7dfpgjmcc93w0000gp/T/170775452 signatureFile=/var/folders/47/_57rjy4111jc7dfpgjmcc93w0000gp/T/170775452.sig

If this is an actual failure, shouldn't arduino-cli issue a stronger error or at least a warning?

Just for comparison, when updating the library index there's no information at all about signature verification:

% arduino-cli lib update-index --log-level info -v
INFO[0000] Using config file: /Users/alranel/Library/Arduino15/arduino-cli.yaml
INFO[0000] arduino-cli version 0.21.0
INFO[0000] Checking if CLI is Bundled into the IDE
INFO[0000] Adding libraries dir                          dir=/Users/alranel/Documents/Arduino/libraries location=user
INFO[0000] Executing `arduino-cli lib update-index`
INFO[0000] Updating libraries index
Updating index: library_index.json.gz downloaded
Updating index: library_index.json.sig downloaded

per1234 added the topic: code and type: imperfection labels on Feb 14, 2022

umbynos commented Feb 3, 2023

If the signature verification goes wrong, the CLI should error, but continue with other indexes download/verification. @MatteoPologruto please talk with @cmaglie to tackle this.
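
The behaviour requested in this thread (a missing or invalid signature is reported as an error, while the remaining indexes are still checked), as an added Go example that is not arduino-cli's own code. The function names are hypothetical, and Ed25519 signatures over constructed temp files are an assumption standing in for the project's actual signature format.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// verifyIndex (hypothetical; Ed25519 assumed) fails closed: a missing .sig is an error.
func verifyIndex(pub ed25519.PublicKey, indexPath string) error {
	data, err1 := os.ReadFile(indexPath)
	sig, err2 := os.ReadFile(indexPath + ".sig")
	if err := errors.Join(err1, err2); err != nil {
		return fmt.Errorf("opening index or signature file: %w", err)
	}
	if !ed25519.Verify(pub, data, sig) {
		return errors.New("invalid signature")
	}
	return nil
}

// updateIndexes checks every index, keeps going after a failure, and reports all failures.
func updateIndexes(pub ed25519.PublicKey, paths []string) (ok []string, err error) {
	for _, p := range paths {
		if verr := verifyIndex(pub, p); verr != nil {
			err = errors.Join(err, fmt.Errorf("%s: %w", filepath.Base(p), verr))
			continue // a rejected index is never handed to the caller
		}
		ok = append(ok, p)
	}
	return ok, err
}

func demo() ([]string, error) { // constructed sample: signed, missing .sig, mismatched .sig
	pub, priv, _ := ed25519.GenerateKey(nil)
	dir, _ := os.MkdirTemp("", "idx")
	defer os.RemoveAll(dir)
	body, names := []byte(`{"packages":[]}`), []string{"good.json", "nosig.json", "tampered.json"}
	for i, n := range names {
		names[i] = filepath.Join(dir, n)
		os.WriteFile(names[i], body, 0o600)
	}
	os.WriteFile(names[0]+".sig", ed25519.Sign(priv, body), 0o600)
	os.WriteFile(names[2]+".sig", ed25519.Sign(priv, []byte("other")), 0o600)
	return updateIndexes(pub, names)
}

func main() { fmt.Println(demo()) }
```

A command-line caller would print the returned error to stderr and exit non-zero, so the failure is visible without `--log-level info`.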
