Merge branch 'add-signature-tool-install' into test-rc

Author: umbynos

Diff for: conn.go

@@ -19,14 +19,7 @@ package main
 
 import (
 	"bytes"
-	"crypto"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/hex"
 	"encoding/json"
-	"encoding/pem"
-	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -114,7 +107,7 @@ func uploadHandler(c *gin.Context) {
 			return
 		}
 
-		err := verifyCommandLine(data.Commandline, data.Signature)
+		err := utilities.VerifyInput(data.Commandline, data.Signature)
 
 		if err != nil {
 			c.String(http.StatusBadRequest, "signature is invalid")
@@ -215,23 +208,6 @@ func send(args map[string]string) {
 	h.broadcastSys <- mapB
 }
 
-func verifyCommandLine(input string, signature string) error {
-	sign, _ := hex.DecodeString(signature)
-	block, _ := pem.Decode([]byte(*signatureKey))
-	if block == nil {
-		return errors.New("invalid key")
-	}
-	key, err := x509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		return err
-	}
-	rsaKey := key.(*rsa.PublicKey)
-	h := sha256.New()
-	h.Write([]byte(input))
-	d := h.Sum(nil)
-	return rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, d, sign)
-}
-
 func wsHandler() *WsServer {
 	server, err := socketio.NewServer(nil)
 	if err != nil {

Diff for: design/pkgs.go

@@ -110,20 +110,29 @@ var ToolPayload = Type("arduino.tool", func() {
 	TypeName("ToolPayload")
 
 	Attribute("name", String, "The name of the tool", func() {
-		Example("avrdude")
+		Example("bossac")
 	})
 	Attribute("version", String, "The version of the tool", func() {
-		Example("6.3.0-arduino9")
+		Example("1.7.0-arduino3")
 	})
 	Attribute("packager", String, "The packager of the tool", func() {
 		Example("arduino")
 	})
 
 	Attribute("url", String, `The url where the package can be found. Optional. 
-	If present checksum must also be present.`)
+	If present checksum must also be present.`, func() {
+		Example("http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz")
+	})
 
 	Attribute("checksum", String, `A checksum of the archive. Mandatory when url is present. 
-	This ensures that the package is downloaded correcly.`)
+	This ensures that the package is downloaded correcly.`, func() {
+		Example("SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100")
+	})
+
+	Attribute("signature", String, `The signature used to sign the url. Mandatory when url is present.
+	This ensure the security of the file downloaded`, func() {
+		Example("382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0")
+	})
 
 	Required("name", "version", "packager")
 })

Diff for: gen/http/cli/arduino_create_agent/cli.go

@@ -26,7 +26,7 @@ paths:
                         type: array
                         items:
                             type: string
-                            example: Repudiandae dignissimos consectetur eos molestiae culpa soluta.
+                            example: Pariatur laudantium inventore qui.
                 "400":
                     description: Bad Request response.
                     schema:
@@ -193,14 +193,14 @@ definitions:
             timeout:
                 type: boolean
                 description: Is the error a timeout?
-                example: false
+                example: true
         description: url invalid (default view)
         example:
             fault: false
             id: 123abc
             message: parameter 'p' must be an integer
             name: bad_request
-            temporary: false
+            temporary: true
             timeout: false
         required:
             - name
@@ -241,7 +241,7 @@ definitions:
             fault:
                 type: boolean
                 description: Is the error a server-side fault?
-                example: true
+                example: false
             id:
                 type: string
                 description: ID is a unique identifier for this particular occurrence of the problem.
@@ -261,14 +261,14 @@ definitions:
             timeout:
                 type: boolean
                 description: Is the error a timeout?
-                example: false
+                example: true
         description: url invalid (default view)
         example:
-            fault: true
+            fault: false
             id: 123abc
             message: parameter 'p' must be an integer
             name: bad_request
-            temporary: true
+            temporary: false
             timeout: true
         required:
             - name
@@ -284,7 +284,7 @@ definitions:
             fault:
                 type: boolean
                 description: Is the error a server-side fault?
-                example: false
+                example: true
             id:
                 type: string
                 description: ID is a unique identifier for this particular occurrence of the problem.
@@ -300,19 +300,19 @@ definitions:
             temporary:
                 type: boolean
                 description: Is the error temporary?
-                example: true
+                example: false
             timeout:
                 type: boolean
                 description: Is the error a timeout?
-                example: true
+                example: false
         description: url invalid (default view)
         example:
-            fault: false
+            fault: true
             id: 123abc
             message: parameter 'p' must be an integer
             name: bad_request
             temporary: true
-            timeout: false
+            timeout: true
         required:
             - name
             - id
@@ -352,20 +352,20 @@ definitions:
             name:
                 type: string
                 description: The name of the tool
-                example: avrdude
+                example: bossac
             packager:
                 type: string
                 description: The packager of the tool
                 example: arduino
             version:
                 type: string
                 description: The version of the tool
-                example: 6.3.0-arduino9
+                example: 1.7.0-arduino3
         description: A tool is an executable program that can upload sketches. (default view)
         example:
-            name: avrdude
+            name: bossac
             packager: arduino
-            version: 6.3.0-arduino9
+            version: 1.7.0-arduino3
         required:
             - name
             - version
@@ -377,29 +377,36 @@ definitions:
             checksum:
                 type: string
                 description: "A checksum of the archive. Mandatory when url is present. \n\tThis ensures that the package is downloaded correcly."
-                example: Totam cum inventore exercitationem in.
+                example: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
             name:
                 type: string
                 description: The name of the tool
-                example: avrdude
+                example: bossac
             packager:
                 type: string
                 description: The packager of the tool
                 example: arduino
+            signature:
+                type: string
+                description: |-
+                    The signature used to sign the url. Mandatory when url is present.
+                    	This ensure the security of the file downloaded
+                example: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
             url:
                 type: string
                 description: "The url where the package can be found. Optional. \n\tIf present checksum must also be present."
-                example: Totam vero ipsum corporis nihil voluptatem id.
+                example: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
             version:
                 type: string
                 description: The version of the tool
-                example: 6.3.0-arduino9
+                example: 1.7.0-arduino3
         example:
-            checksum: Modi dolorem reprehenderit perspiciatis illo aspernatur.
-            name: avrdude
+            checksum: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+            name: bossac
             packager: arduino
-            url: Officia optio inventore atque in voluptatibus qui.
-            version: 6.3.0-arduino9
+            signature: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
+            url: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
+            version: 1.7.0-arduino3
         required:
             - name
             - version
@@ -424,14 +431,21 @@ definitions:
             checksum:
                 type: string
                 description: "A checksum of the archive. Mandatory when url is present. \n\tThis ensures that the package is downloaded correcly."
-                example: Et qui id et cumque illo.
+                example: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+            signature:
+                type: string
+                description: |-
+                    The signature used to sign the url. Mandatory when url is present.
+                    	This ensure the security of the file downloaded
+                example: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
             url:
                 type: string
                 description: "The url where the package can be found. Optional. \n\tIf present checksum must also be present."
-                example: Officia maiores reiciendis est nemo.
+                example: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
         example:
-            checksum: Corporis eum et numquam sapiente.
-            url: Est voluptatem eos reprehenderit quo sint quod.
+            checksum: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+            signature: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
+            url: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
     ToolsRemoveResponseBody:
         title: 'Mediatype identifier: application/vnd.arduino.operation; view=default'
         type: object
@@ -452,9 +466,15 @@ definitions:
             $ref: '#/definitions/ToolResponse'
         description: AvailableResponseBody is the result type for an array of ToolResponse (default view)
         example:
-            - name: avrdude
+            - name: bossac
+              packager: arduino
+              version: 1.7.0-arduino3
+            - name: bossac
+              packager: arduino
+              version: 1.7.0-arduino3
+            - name: bossac
               packager: arduino
-              version: 6.3.0-arduino9
-            - name: avrdude
+              version: 1.7.0-arduino3
+            - name: bossac
               packager: arduino
-              version: 6.3.0-arduino9
+              version: 1.7.0-arduino3

Diff for: gen/http/openapi.json

@@ -22,14 +22,17 @@ paths:
                                 type: array
                                 items:
                                     type: string
-                                    example: Eveniet iure nihil optio qui.
+                                    example: Rerum et soluta laudantium.
                                 example:
-                                    - Et perferendis eveniet voluptas.
-                                    - Ut aut illum eaque dolor magni.
-                                    - Amet illo veritatis laudantium optio.
+                                    - Et deserunt.
+                                    - Impedit iusto libero explicabo.
+                                    - Dolor adipisci nulla.
+                                    - Quam voluptas voluptates expedita rem ipsum.
                             example:
-                                - Illo enim vero qui rerum ut inventore.
-                                - Dolorem nihil autem minima alias.
+                                - Dignissimos consectetur eos molestiae culpa soluta deserunt.
+                                - Nobis sint dolorem unde.
+                                - Quia doloremque.
+                                - Atque iusto tempore sit quod dolor repellat.
                 "400":
                     description: 'invalid_url: url invalid'
                     content:
@@ -108,15 +111,15 @@ paths:
                             schema:
                                 $ref: '#/components/schemas/ToolCollection'
                             example:
-                                - name: avrdude
+                                - name: bossac
                                   packager: arduino
-                                  version: 6.3.0-arduino9
-                                - name: avrdude
+                                  version: 1.7.0-arduino3
+                                - name: bossac
                                   packager: arduino
-                                  version: 6.3.0-arduino9
-                                - name: avrdude
+                                  version: 1.7.0-arduino3
+                                - name: bossac
                                   packager: arduino
-                                  version: 6.3.0-arduino9
+                                  version: 1.7.0-arduino3
     /v2/pkgs/tools/installed:
         get:
             tags:
@@ -131,15 +134,15 @@ paths:
                             schema:
                                 $ref: '#/components/schemas/ToolCollection'
                             example:
-                                - name: avrdude
+                                - name: bossac
                                   packager: arduino
-                                  version: 6.3.0-arduino9
-                                - name: avrdude
+                                  version: 1.7.0-arduino3
+                                - name: bossac
                                   packager: arduino
-                                  version: 6.3.0-arduino9
-                                - name: avrdude
+                                  version: 1.7.0-arduino3
+                                - name: bossac
                                   packager: arduino
-                                  version: 6.3.0-arduino9
+                                  version: 1.7.0-arduino3
         post:
             tags:
                 - tools
@@ -152,11 +155,12 @@ paths:
                         schema:
                             $ref: '#/components/schemas/InstallRequestBody'
                         example:
-                            checksum: Beatae dolor adipisci nulla et quam voluptas.
-                            name: avrdude
+                            checksum: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+                            name: bossac
                             packager: arduino
-                            url: Deserunt voluptatem impedit iusto libero.
-                            version: 6.3.0-arduino9
+                            signature: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
+                            url: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
+                            version: 1.7.0-arduino3
             responses:
                 "200":
                     description: OK response.
@@ -189,26 +193,27 @@ paths:
                   schema:
                     type: string
                     description: The name of the tool
-                    example: avrdude
-                  example: avrdude
+                    example: bossac
+                  example: bossac
                 - name: version
                   in: path
                   description: The version of the tool
                   required: true
                   schema:
                     type: string
                     description: The version of the tool
-                    example: 6.3.0-arduino9
-                  example: 6.3.0-arduino9
+                    example: 1.7.0-arduino3
+                  example: 1.7.0-arduino3
             requestBody:
                 required: true
                 content:
                     application/json:
                         schema:
                             $ref: '#/components/schemas/RemoveRequestBody'
                         example:
-                            checksum: Ipsa minima quia.
-                            url: Expedita rem ipsum quasi harum nostrum.
+                            checksum: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+                            signature: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
+                            url: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
             responses:
                 "200":
                     description: OK response.
@@ -237,20 +242,20 @@ components:
                 name:
                     type: string
                     description: The name of the tool
-                    example: avrdude
+                    example: bossac
                 packager:
                     type: string
                     description: The packager of the tool
                     example: arduino
                 version:
                     type: string
                     description: The version of the tool
-                    example: 6.3.0-arduino9
+                    example: 1.7.0-arduino3
             description: A tool is an executable program that can upload sketches.
             example:
-                name: avrdude
+                name: bossac
                 packager: arduino
-                version: 6.3.0-arduino9
+                version: 1.7.0-arduino3
             required:
                 - name
                 - version
@@ -277,7 +282,7 @@ components:
                 temporary:
                     type: boolean
                     description: Is the error temporary?
-                    example: false
+                    example: true
                 timeout:
                     type: boolean
                     description: Is the error a timeout?
@@ -288,8 +293,8 @@ components:
                 id: 123abc
                 message: parameter 'p' must be an integer
                 name: bad_request
-                temporary: false
-                timeout: true
+                temporary: true
+                timeout: false
             required:
                 - name
                 - id
@@ -303,29 +308,36 @@ components:
                 checksum:
                     type: string
                     description: "A checksum of the archive. Mandatory when url is present. \n\tThis ensures that the package is downloaded correcly."
-                    example: Sint odio sed consequatur numquam.
+                    example: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
                 name:
                     type: string
                     description: The name of the tool
-                    example: avrdude
+                    example: bossac
                 packager:
                     type: string
                     description: The packager of the tool
                     example: arduino
+                signature:
+                    type: string
+                    description: |-
+                        The signature used to sign the url. Mandatory when url is present.
+                        	This ensure the security of the file downloaded
+                    example: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
                 url:
                     type: string
                     description: "The url where the package can be found. Optional. \n\tIf present checksum must also be present."
-                    example: Et quo doloremque sapiente atque.
+                    example: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
                 version:
                     type: string
                     description: The version of the tool
-                    example: 6.3.0-arduino9
+                    example: 1.7.0-arduino3
             example:
-                checksum: Mollitia commodi sunt.
-                name: avrdude
+                checksum: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+                name: bossac
                 packager: arduino
-                url: Quae reprehenderit provident provident debitis illo.
-                version: 6.3.0-arduino9
+                signature: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
+                url: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
+                version: 1.7.0-arduino3
             required:
                 - name
                 - version
@@ -347,31 +359,35 @@ components:
                 checksum:
                     type: string
                     description: "A checksum of the archive. Mandatory when url is present. \n\tThis ensures that the package is downloaded correcly."
-                    example: Ea culpa.
+                    example: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+                signature:
+                    type: string
+                    description: |-
+                        The signature used to sign the url. Mandatory when url is present.
+                        	This ensure the security of the file downloaded
+                    example: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
                 url:
                     type: string
                     description: "The url where the package can be found. Optional. \n\tIf present checksum must also be present."
-                    example: Odit officiis illo qui quia provident illo.
+                    example: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
             example:
-                checksum: Rerum eum esse corporis ex.
-                url: Molestiae dolor quaerat enim.
+                checksum: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+                signature: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
+                url: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
         ToolCollection:
             type: array
             items:
                 $ref: '#/components/schemas/ArduinoTool'
             example:
-                - name: avrdude
-                  packager: arduino
-                  version: 6.3.0-arduino9
-                - name: avrdude
+                - name: bossac
                   packager: arduino
-                  version: 6.3.0-arduino9
-                - name: avrdude
+                  version: 1.7.0-arduino3
+                - name: bossac
                   packager: arduino
-                  version: 6.3.0-arduino9
-                - name: avrdude
+                  version: 1.7.0-arduino3
+                - name: bossac
                   packager: arduino
-                  version: 6.3.0-arduino9
+                  version: 1.7.0-arduino3
 tags:
     - name: indexes
       description: The indexes service manages the package_index files

Diff for: gen/http/openapi.yaml

@@ -0,0 +1,22 @@
+// Copyright 2022 Arduino SA
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published
+// by the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package globals
+
+// DefaultIndexURL is the default index url
+var (
+	// SignatureKey is the public key used to verify commands and url sent by the builder
+	SignatureKey = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc0yZr1yUSen7qmE3cxF\nIE12rCksDnqR+Hp7o0nGi9123eCSFcJ7CkIRC8F+8JMhgI3zNqn4cUEn47I3RKD1\nZChPUCMiJCvbLbloxfdJrUi7gcSgUXrlKQStOKF5Iz7xv1M4XOP3JtjXLGo3EnJ1\npFgdWTOyoSrA8/w1rck4c/ISXZSinVAggPxmLwVEAAln6Itj6giIZHKvA2fL2o8z\nCeK057Lu8X6u2CG8tRWSQzVoKIQw/PKK6CNXCAy8vo4EkXudRutnEYHEJlPkVgPn\n2qP06GI+I+9zKE37iqj0k1/wFaCVXHXIvn06YrmjQw6I0dDj/60Wvi500FuRVpn9\ntwIDAQAB\n-----END PUBLIC KEY-----"
+)

Diff for: gen/http/openapi3.json

@@ -34,6 +34,7 @@ import (
 	cors "github.com/andela/gin-cors"
 	cert "github.com/arduino/arduino-create-agent/certificates"
 	"github.com/arduino/arduino-create-agent/config"
+	"github.com/arduino/arduino-create-agent/globals"
 	"github.com/arduino/arduino-create-agent/systray"
 	"github.com/arduino/arduino-create-agent/tools"
 	"github.com/arduino/arduino-create-agent/updater"
@@ -78,7 +79,7 @@ var (
 	logDump        = iniConf.String("log", "off", "off = (default)")
 	origins        = iniConf.String("origins", "", "Allowed origin list for CORS")
 	regExpFilter   = iniConf.String("regex", "usb|acm|com", "Regular expression to filter serial port list")
-	signatureKey   = iniConf.String("signatureKey", "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc0yZr1yUSen7qmE3cxF\nIE12rCksDnqR+Hp7o0nGi9123eCSFcJ7CkIRC8F+8JMhgI3zNqn4cUEn47I3RKD1\nZChPUCMiJCvbLbloxfdJrUi7gcSgUXrlKQStOKF5Iz7xv1M4XOP3JtjXLGo3EnJ1\npFgdWTOyoSrA8/w1rck4c/ISXZSinVAggPxmLwVEAAln6Itj6giIZHKvA2fL2o8z\nCeK057Lu8X6u2CG8tRWSQzVoKIQw/PKK6CNXCAy8vo4EkXudRutnEYHEJlPkVgPn\n2qP06GI+I+9zKE37iqj0k1/wFaCVXHXIvn06YrmjQw6I0dDj/60Wvi500FuRVpn9\ntwIDAQAB\n-----END PUBLIC KEY-----", "Pem-encoded public key to verify signed commandlines")
+	signatureKey   = iniConf.String("signatureKey", globals.SignatureKey, "Pem-encoded public key to verify signed commandlines")
 	updateURL      = iniConf.String("updateUrl", "", "")
 	verbose        = iniConf.Bool("v", true, "show debug logging")
 	crashreport    = iniConf.Bool("crashreport", false, "enable crashreport logging")

Diff for: gen/http/openapi3.yaml

@@ -20,6 +20,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
+	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -48,34 +49,68 @@ func TestValidSignatureKey(t *testing.T) {
 	require.NotNil(t, key)
 }
 
-func TestInstallToolDifferentContentType(t *testing.T) {
+func TestInstallToolV2(t *testing.T) {
 	r := gin.New()
 	goa := v2.Server(config.GetDataDir().String())
 	r.Any("/v2/*path", gin.WrapH(goa))
 	ts := httptest.NewServer(r)
 
-	URL := "http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz"
-	Checksum := "SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100"
-	request := tools.ToolPayload{
+	type test struct {
+		request      tools.ToolPayload
+		responseCode int
+		responseBody string
+	}
+
+	BossacURL := "http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz"
+	BossacChecksum := "SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100"
+	BossacSignature := "382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0"
+	bossacInstallURLOK := tools.ToolPayload{
+		Name:      "bossac",
+		Version:   "1.7.0-arduino3",
+		Packager:  "arduino",
+		URL:       &BossacURL,
+		Checksum:  &BossacChecksum,
+		Signature: &BossacSignature,
+	}
+
+	WrongSignature := "wr0ngs1gn4tur3"
+	bossacInstallWrongSig := tools.ToolPayload{
+		Name:      "bossac",
+		Version:   "1.7.0-arduino3",
+		Packager:  "arduino",
+		URL:       &BossacURL,
+		Checksum:  &BossacChecksum,
+		Signature: &WrongSignature,
+	}
+
+	bossacInstallNoURL := tools.ToolPayload{
 		Name:     "bossac",
 		Version:  "1.7.0-arduino3",
 		Packager: "arduino",
-		URL:      &URL,
-		Checksum: &Checksum,
 	}
 
-	payload, err := json.Marshal(request)
-	require.NoError(t, err)
+	tests := []test{
+		{bossacInstallURLOK, http.StatusOK, "ok"},
+		{bossacInstallWrongSig, http.StatusInternalServerError, "verification error"},
+		{bossacInstallNoURL, http.StatusBadRequest, "tool not found"}, //because the index is not added
+	}
+
+	for _, test := range tests {
+		t.Run(fmt.Sprintf("Installing %s", test.request.Name), func(t *testing.T) {
+			payload, err := json.Marshal(test.request)
+			require.NoError(t, err)
 
-	// for some reason the fronted sends requests with "text/plain" content type.
-	// Even if the request body contains a json object.
-	// With this test we verify is parsed correctly.
-	for _, encoding := range []string{"encoding/json", "text/plain"} {
-		resp, err := http.Post(ts.URL+"/v2/pkgs/tools/installed", encoding, bytes.NewBuffer(payload))
-		require.NoError(t, err)
-		body, err := io.ReadAll(resp.Body)
-		require.NoError(t, err)
-		require.Contains(t, string(body), "ok")
-		require.Equal(t, http.StatusOK, resp.StatusCode)
+			// for some reason the fronted sends requests with "text/plain" content type.
+			// Even if the request body contains a json object.
+			// With this test we verify is parsed correctly.
+			for _, encoding := range []string{"encoding/json", "text/plain"} {
+				resp, err := http.Post(ts.URL+"/v2/pkgs/tools/installed", encoding, bytes.NewBuffer(payload))
+				require.NoError(t, err)
+				body, err := io.ReadAll(resp.Body)
+				require.NoError(t, err)
+				require.Contains(t, string(body), test.responseBody)
+				require.Equal(t, test.responseCode, resp.StatusCode)
+			}
+		})
 	}
 }

Diff for: gen/http/tools/client/cli.go

@@ -18,12 +18,20 @@ package utilities
 import (
 	"archive/zip"
 	"bytes"
+	"crypto"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/hex"
+	"encoding/pem"
 	"errors"
 	"io"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
+
+	"github.com/arduino/arduino-create-agent/globals"
 )
 
 // SaveFileonTempDir creates a temp directory and saves the file data as the
@@ -141,3 +149,22 @@ func Unzip(zippath string, destination string) (err error) {
 	}
 	return
 }
+
+// VerifyInput will verify an input against a signature
+// A valid signature is indicated by returning a nil error.
+func VerifyInput(input string, signature string) error {
+	sign, _ := hex.DecodeString(signature)
+	block, _ := pem.Decode([]byte(globals.SignatureKey))
+	if block == nil {
+		return errors.New("invalid key")
+	}
+	key, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return err
+	}
+	rsaKey := key.(*rsa.PublicKey)
+	h := sha256.New()
+	h.Write([]byte(input))
+	d := h.Sum(nil)
+	return rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, d, sign)
+}

Diff for: gen/http/tools/client/types.go

@@ -31,6 +31,7 @@ import (
 	"strings"
 
 	"github.com/arduino/arduino-create-agent/gen/tools"
+	"github.com/arduino/arduino-create-agent/utilities"
 	"github.com/codeclysm/extract/v3"
 )
 
@@ -135,10 +136,16 @@ func (c *Tools) Installed(ctx context.Context) (tools.ToolCollection, error) {
 func (c *Tools) Install(ctx context.Context, payload *tools.ToolPayload) (*tools.Operation, error) {
 	path := filepath.Join(payload.Packager, payload.Name, payload.Version)
 
-	if payload.URL != nil {
+	//if URL is defined and is signed we verify the signature and override the name, payload, version parameters
+	if payload.URL != nil && payload.Signature != nil && payload.Checksum != nil {
+		err := utilities.VerifyInput(*payload.URL, *payload.Signature)
+		if err != nil {
+			return nil, err
+		}
 		return c.install(ctx, path, *payload.URL, *payload.Checksum)
 	}
 
+	// otherwise we install from the loaded indexes
 	list, err := c.Indexes.List(ctx)
 	if err != nil {
 		return nil, err