From 5bb9f87faea58728edc381b86bad5a24568cabe1 Mon Sep 17 00:00:00 2001
From: Cristian Maglie
Date: Tue, 20 Aug 2019 17:51:24 +0200
Subject: [PATCH] Do not fail abruptly if signature verification fails

If the package_index.json signature is not valid, a dialog box asking the user to "update" the index is shown. Previously a java-exception was printed if running from terminal or the IDE would not start at all (with no apparent reason) if lanched from GUI.
---
 .../SignatureVerificationFailedException.java | 46 -------------------
 .../packages/ContributionsIndexer.java | 25 ++++++----
 .../src/processing/app/BaseNoGui.java | 3 +-
 3 files changed, 17 insertions(+), 57 deletions(-)
 delete mode 100644 arduino-core/src/cc/arduino/contributions/SignatureVerificationFailedException.java

diff --git a/arduino-core/src/cc/arduino/contributions/SignatureVerificationFailedException.java b/arduino-core/src/cc/arduino/contributions/SignatureVerificationFailedException.java
deleted file mode 100644
index 77136cb46cb..00000000000
--- a/arduino-core/src/cc/arduino/contributions/SignatureVerificationFailedException.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * This file is part of Arduino.
- *
- * Copyright 2015 Arduino LLC (http://www.arduino.cc/)
- *
- * Arduino is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * As a special exception, you may use this file as part of a free software
- * library without restriction. Specifically, if other files instantiate
- * templates or use macros or inline functions from this file, or you compile
- * this file and link it with other files to produce an executable, this
- * file does not by itself cause the resulting executable to be covered by
- * the GNU General Public License. This exception does not however
- * invalidate any other reasons why the executable file might be covered by
- * the GNU General Public License.
- */
-
-package cc.arduino.contributions;
-
-import processing.app.I18n;
-
-import static processing.app.I18n.tr;
-
-@SuppressWarnings("serial")
-public class SignatureVerificationFailedException extends Exception {
-
- public SignatureVerificationFailedException(String filename) {
- super(I18n.format(tr("{0} file signature verification failed"), filename));
- }
-
- public SignatureVerificationFailedException(String filename, Throwable cause) {
- super(I18n.format(tr("{0} file signature verification failed"), filename), cause);
- }
-}
diff --git a/arduino-core/src/cc/arduino/contributions/packages/ContributionsIndexer.java b/arduino-core/src/cc/arduino/contributions/packages/ContributionsIndexer.java
index 0e63fc1e3c6..2a97e0e7d0e 100644
--- a/arduino-core/src/cc/arduino/contributions/packages/ContributionsIndexer.java
+++ b/arduino-core/src/cc/arduino/contributions/packages/ContributionsIndexer.java
@@ -31,13 +31,14 @@
 
 import cc.arduino.Constants;
 import cc.arduino.contributions.DownloadableContribution;
-import cc.arduino.contributions.SignatureVerificationFailedException;
 import cc.arduino.contributions.SignatureVerifier;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.module.mrbean.MrBeanModule;
 import org.apache.commons.compress.utils.IOUtils;
+
+import processing.app.BaseNoGui;
 import processing.app.Platform;
 import processing.app.PreferencesData;
 import processing.app.debug.TargetPackage;
@@ -86,15 +87,21 @@ public void parseIndex() throws Exception {
 File defaultIndexFile = getIndexFile(Constants.DEFAULT_INDEX_FILE_NAME);
 if (defaultIndexFile.exists()) {
 // Check main index signature
- if (!signatureVerifier.isSigned(defaultIndexFile)) {
- if (PreferencesData.areInsecurePackagesAllowed()) {
- System.err.println(format(tr("Warning: forced trusting untrusted contributions")));
- } else {
- throw new SignatureVerificationFailedException(Constants.DEFAULT_INDEX_FILE_NAME);
- }
+ if (signatureVerifier.isSigned(defaultIndexFile)) {
+ mergeContributions(defaultIndexFile);
+ } else if (PreferencesData.areInsecurePackagesAllowed()) {
+ System.err.println(format(tr("Warning: forced trusting untrusted contributions")));
+ mergeContributions(defaultIndexFile);
+ } else {
+ BaseNoGui
+ .showWarning(Constants.DEFAULT_INDEX_FILE_NAME,
+ tr("A package index has an invalid signature and needs to be updated.\n"
+ + "Please open the Board Manager from the menu\n"
+ + "\n" //
+ + " Tools -> Board -> Board Manager\n"
+ + "\nto update it"),
+ null);
 }
-
- mergeContributions(defaultIndexFile);
 }
 
 // Set main and bundled indexes as trusted
diff --git a/arduino-core/src/processing/app/BaseNoGui.java b/arduino-core/src/processing/app/BaseNoGui.java
index 37d4b33e9f0..0d921f6ccc6 100644
--- a/arduino-core/src/processing/app/BaseNoGui.java
+++ b/arduino-core/src/processing/app/BaseNoGui.java
@@ -2,7 +2,6 @@
 
 import cc.arduino.Constants;
 import cc.arduino.contributions.GPGDetachedSignatureVerifier;
-import cc.arduino.contributions.SignatureVerificationFailedException;
 import cc.arduino.contributions.VersionComparator;
 import cc.arduino.contributions.libraries.LibrariesIndexer;
 import cc.arduino.contributions.packages.ContributedPlatform;
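Review bot: In the `parseIndex()` hunk of ContributionsIndexer.java, the final `else` branch reports a rejected `package_index.json` only through `BaseNoGui.showWarning(...)`, so the method returns normally and a caller cannot tell a verified index from one that failed verification. The branch does stay fail-closed, because `mergeContributions(defaultIndexFile)` is not reached, and that deserves a comment in the code: `// Fail closed: an index whose signature does not verify is never merged; the user must refresh it from the Board Manager`. With `SignatureVerificationFailedException` dropped from the catch in `initPackages()` (last hunk of BaseNoGui.java), the rejected index and its `.sig` are no longer deleted and stay on disk across launches, so it should be confirmed that no other code path reads that file without going through `signatureVerifier.isSigned`. `parseIndex()` continues past the hunk ("Set main and bundled indexes as trusted"), and that part is not visible here.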
@@ -482,7 +481,7 @@ static public void initPackages() throws Exception {
 
 try {
 indexer.parseIndex();
- } catch (JsonProcessingException | SignatureVerificationFailedException e) {
+ } catch (JsonProcessingException e) {
 File indexFile = indexer.getIndexFile(Constants.DEFAULT_INDEX_FILE_NAME);
 File indexSignatureFile = indexer.getIndexFile(Constants.DEFAULT_INDEX_FILE_NAME + ".sig");
 indexFile.delete();