Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implemented package_index.json signature verification #791

Merged
merged 8 commits into from
Jul 7, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added arduino/security/keys/arduino_public.gpg.key
Binary file not shown.
43 changes: 43 additions & 0 deletions arduino/security/rice-box.go

Large diffs are not rendered by default.

36 changes: 36 additions & 0 deletions arduino/security/signature_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
// This file is part of arduino-cli.
//
// Copyright 2020 ARDUINO SA (http://www.arduino.cc/)
//
// This software is released under the GNU General Public License version 3,
// which covers the main part of arduino-cli.
// The terms of this license can be found at:
// https://www.gnu.org/licenses/gpl-3.0.en.html
//
// You can be released from the requirements of the above licenses by purchasing
// a commercial license. Buying such a license is mandatory if you want to
// modify or otherwise use the software for commercial activities involving the
// Arduino software without disclosing the source code of your own applications.
// To purchase a commercial license, send an email to [email protected].

package security

import (
"testing"

"github.com/arduino/go-paths-helper"
"github.com/stretchr/testify/require"
)

func TestSignatureVerification(t *testing.T) {
res, signer, err := VerifyArduinoDetachedSignature(paths.New("testdata/package_index.json"), paths.New("testdata/package_index.json.sig"))
require.NoError(t, err)
require.NotNil(t, signer)
require.True(t, res)
require.Equal(t, uint64(0x7baf404c2dfab4ae), signer.PrimaryKey.KeyId)

res, signer, err = VerifyArduinoDetachedSignature(paths.New("testdata/invalid_file.json"), paths.New("testdata/package_index.json.sig"))
require.False(t, res)
require.Nil(t, signer)
require.Error(t, err)
}
54 changes: 54 additions & 0 deletions arduino/security/signatures.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
// This file is part of arduino-cli.
//
// Copyright 2020 ARDUINO SA (http://www.arduino.cc/)
//
// This software is released under the GNU General Public License version 3,
// which covers the main part of arduino-cli.
// The terms of this license can be found at:
// https://www.gnu.org/licenses/gpl-3.0.en.html
//
// You can be released from the requirements of the above licenses by purchasing
// a commercial license. Buying such a license is mandatory if you want to
// modify or otherwise use the software for commercial activities involving the
// Arduino software without disclosing the source code of your own applications.
// To purchase a commercial license, send an email to [email protected].

package security

import (
"fmt"

rice "github.com/GeertJohan/go.rice"
"github.com/arduino/go-paths-helper"
"golang.org/x/crypto/openpgp"
)

// VerifyArduinoDetachedSignature that give signaturePath GPG signature match the given targetPath file
// ant the is an authentic signature from Arduino.
func VerifyArduinoDetachedSignature(targetPath *paths.Path, signaturePath *paths.Path) (bool, *openpgp.Entity, error) {
keysBox, err := rice.FindBox("keys")
if err != nil {
panic("could not find bundled signature keys")
}
arduinoKeyringFile, err := keysBox.Open("arduino_public.gpg.key")
if err != nil {
panic("could not find bundled signature keys")
}
keyRing, err := openpgp.ReadKeyRing(arduinoKeyringFile)
if err != nil {
return false, nil, fmt.Errorf("retrieving Arduino public keys: %s", err)
}

target, err := targetPath.Open()
if err != nil {
return false, nil, fmt.Errorf("opening target file: %s", err)
}
defer target.Close()
signature, err := signaturePath.Open()
if err != nil {
return false, nil, fmt.Errorf("opening signature file: %s", err)
}
defer signature.Close()
signer, err := openpgp.CheckDetachedSignature(keyRing, target, signature)
return (signer != nil && err == nil), signer, err
}
Loading