Add PREF_CONTRIBUTIONS_TRUST_ALL and download the signature in any case

Author: Mattia Bertorello

arduino-core/src/cc/arduino/Constants.java

@@ -37,6 +37,7 @@ public class Constants {
   public static final String PREF_REMOVE_PLACEHOLDER = "___REMOVE___";
   public static final String PREF_BOARDS_MANAGER_ADDITIONAL_URLS = "boardsmanager.additional.urls";
   public static final String PREF_CONTRIBUTIONS_TRUST_ALL = "contributions.trust.all";
+  public static final String ALLOW_INSECURE_PACKAGES = "allow_insecure_packages";
 
   public static final String DEFAULT_INDEX_FILE_NAME = "package_index.json";
   public static final String BUNDLED_INDEX_FILE_NAME = "package_index_bundled.json";

arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java

@@ -29,6 +29,7 @@
 
 package cc.arduino.contributions;
 
+import cc.arduino.Constants;
 import cc.arduino.utils.FileHash;
 import cc.arduino.utils.MultiStepProgress;
 import cc.arduino.utils.Progress;
@@ -199,11 +200,9 @@ public boolean verifyDomain(URL url) {
   public boolean checkSignature(MultiStepProgress progress, URL signatureUrl, ProgressListener progressListener, SignatureVerifier signatureVerifier, String statusText, File fileToVerify) throws Exception {
 
     final boolean allowInsecurePackages =
-      PreferencesData.getBoolean("allow_insecure_packages", false);
-    if (allowInsecurePackages) {
-      log.info("Allow insecure packages is true the signature will be skip and return always verified");
-      return true;
-    }
+      PreferencesData.getBoolean(Constants.ALLOW_INSECURE_PACKAGES, false);
+    final boolean trustAll = PreferencesData.getBoolean(Constants.PREF_CONTRIBUTIONS_TRUST_ALL);
+    final boolean skipVerification = allowInsecurePackages || trustAll;
 
     // Signature file name
     final String signatureFileName = FilenameUtils.getName(signatureUrl.getPath());
@@ -215,6 +214,12 @@ public boolean checkSignature(MultiStepProgress progress, URL signatureUrl, Prog
       // Download signature
       download(signatureUrl, packageIndexSignatureTemp, progress, statusText, progressListener, true);
 
+      if (skipVerification) {
+        log.info("Allowing insecure packages because allow_insecure_packages is set to true in preferences.txt" +
+          " but the signature was download");
+        return true;
+      }
+
       // Verify the signature before move the files
       final boolean signatureVerified = signatureVerifier.isSigned(fileToVerify, packageIndexSignatureTemp);
       if (signatureVerified) {

arduino-core/src/cc/arduino/contributions/packages/ContributionsIndexer.java

@@ -33,7 +33,6 @@
 import cc.arduino.contributions.DownloadableContribution;
 import cc.arduino.contributions.SignatureVerificationFailedException;
 import cc.arduino.contributions.SignatureVerifier;
-
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -87,7 +86,7 @@ public void parseIndex() throws Exception {
     File defaultIndexFile = getIndexFile(Constants.DEFAULT_INDEX_FILE_NAME);
     if (defaultIndexFile.exists()) {
       // Check main index signature
-      if (!PreferencesData.getBoolean("allow_insecure_packages") && !signatureVerifier.isSigned(defaultIndexFile)) {
+      if (!PreferencesData.getBoolean(Constants.ALLOW_INSECURE_PACKAGES) && !signatureVerifier.isSigned(defaultIndexFile)) {
         throw new SignatureVerificationFailedException(Constants.DEFAULT_INDEX_FILE_NAME);
       }