Improve signature check on library_index.json #2326
Codecov Report

@@ Coverage Diff @@
##           master    #2326      +/-   ##
==========================================
- Coverage   63.08%   63.07%   -0.01%
==========================================
  Files         200      200
  Lines       19260    19265       +5
==========================================
+ Hits        12150    12152       +2
- Misses       6061     6063       +2
- Partials     1049     1050       +1
If you have time I'd add a quick integration test that checks that we're enforcing the signature verification when calling the UpdateLibrariesIndex.
If you have time I'd add a quick integration test that checks that we're enforcing the signature verification when calling the UpdateLibrariesIndex.
How? It seems quite difficult to do, we have to provide a "fake" downloads.arduino.cc
to serve a library_index.tar.bz2 without the signature...
Do you have any idea?
rhpco commented Sep 21, 2023
@cmaglie @alessio-perugini I suggest mocking the HTTP bad behaviour, for example implementing the test cases adopting https://github.com/jarcoal/httpmock library
Please check if the PR fulfills these requirements (see how to contribute before creating one):
- our contributing guidelines
- UPGRADING.md has been updated with a migration guide (for breaking changes)
- configuration.schema.json updated if new parameters are added.

What kind of change does this PR introduce?
There are some cases where the signature check is skipped when upgrading indexes. This PR ensures that the signature check is enforced for the library_index.json.
What is the current behavior?
If the "bundle index+signature" library_index.tar.bz2 does not contain the signature, then the signature check is silently skipped.

What is the new behavior?
If the "bundle index+signature" library_index.tar.bz2 does not contain the signature, then the index upgrade fails.

Does this PR introduce a breaking change, and is titled accordingly?
No
Other information