diff --git a/arduino/resources/index.go b/arduino/resources/index.go index b5d4e8a02cf..c1412c5ba61 100644 --- a/arduino/resources/index.go +++ b/arduino/resources/index.go @@ -17,6 +17,7 @@ package resources import ( "context" + "errors" "net/url" "path" "strings" @@ -33,8 +34,9 @@ import ( // IndexResource is a reference to an index file URL with an optional signature. type IndexResource struct { - URL *url.URL - SignatureURL *url.URL + URL *url.URL + SignatureURL *url.URL + EnforceSignatureVerification bool } // IndexFileName returns the index file name as it is saved in data dir (package_xxx_index.json). @@ -140,6 +142,10 @@ func (res *IndexResource) Download(destDir *paths.Path, downloadCB rpc.DownloadP } else if !valid { return &arduino.SignatureVerificationFailedError{File: res.URL.String()} } + } else { + if res.EnforceSignatureVerification { + return &arduino.PermissionDeniedError{Message: tr("Error verifying signature"), Cause: errors.New(tr("missing signature"))} + } } // TODO: Implement a ResourceValidator diff --git a/commands/instances.go b/commands/instances.go index 6049c346ab0..15d52f6996b 100644 --- a/commands/instances.go +++ b/commands/instances.go @@ -511,7 +511,8 @@ func UpdateLibrariesIndex(ctx context.Context, req *rpc.UpdateLibrariesIndexRequ defer tmp.RemoveAll() indexResource := resources.IndexResource{ - URL: librariesmanager.LibraryIndexWithSignatureArchiveURL, + URL: librariesmanager.LibraryIndexWithSignatureArchiveURL, + EnforceSignatureVerification: true, } if err := indexResource.Download(lm.IndexFile.Parent(), downloadCB); err != nil { return err