Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

fix: allow to specify customsignatureKey in theconfig.ini#1024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
dido18 merged 15 commits intomainfromfix-invalid-signature-with-custom-keys
Mar 27, 2025

Conversation

@dido18
Copy link
Contributor

@dido18dido18 commentedMar 25, 2025
edited
Loading

Please check if the PR fulfills these requirements

  • The PR has no duplicates (please search among thePull Requests
    before creating one)
  • Tests for the changes have been added (for bug fixes / features)
  • What kind of change does this PR introduce?
    Bug fix. Verify the signatures using a custom public key is not working anymore.
  • What is the current behavior?
    The create-agent ignores thesignatureKey in theconfig.ini and always uses the Arduino public key, so the signature verification fails.
  1. Generate pub/keys pairs likethis
### Create a private keyopenssl genrsa -out private_24MAR25_B.pem 2048### Extract the public key from the private keyopenssl rsa -pubout -in private_24MAR25_B.pem -out public_24MAR25_B.pem### Format the public key for the config.ini file -> paste in Arduino Create config.ini file and add a comment for file nameawk 'NR>0 {printf "%s\\n", $0}' public_24MAR25_B.pem
  1. Add thesignatureKey into the/home/<user>/.config/ArduinoCreateAgent/config.ini
signatureKey='-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtHP52M8dCYDGaC4UaOvU\ncfLqhteGX75EnbXMr6iOg7r7Of+doFV+Ee233Ly/di15CXaju3EpgUka5QSu6z2m\n4sne32aGw6T/eggY636CKcRHFPFjLmXX0CHq+Evg3E4g8W7Yslo2qu1SP3ySZCqe\nVpZHSeehlxFPpQKWXa1YiNF0gWh3cNQ0wneOsJ+ndShSuQ5C2YnSEoeoiEGVFOS0\nevX4GEdadudGBjHQUKjhj+k3Ydaz014aIIC7CUVkQog9B7vpB+znHJH/gCl9DqYO\n4mjPfHG4c5ppNu455hEe75R5q9bPc7TjBA3jpZsdrBY05lX2Q2nAQgSYIHpf78xl\n7wIDAQAB\n-----END PUBLIC KEY-----\n'
  1. Sign the commandhello with the private key generated in the step before with the go code below
import ("crypto""crypto/rand""crypto/rsa""crypto/sha256""crypto/x509""encoding/hex""encoding/pem""errors""fmt")func main() {key := `-----BEGIN PRIVATE KEY-----MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC0c/nYzx0JgMZo<YOUR-REST-OF-PRIVATE-KEY>-----END PRIVATE KEY-----`res, err := sign([]byte("hello"), []byte(key))if err != nil {panic(err)}fmt.Println(string(res))}func sign(message []byte, key []byte) (string, error) {block, _ := pem.Decode(key)if block == nil {return "", errors.New("While decoding key " + string(key))}rng := rand.Readerprivate, err := x509.ParsePKCS8PrivateKey(block.Bytes)if err != nil {return "", errors.New("While parsing key " + err.Error())}hashed := sha256.Sum256(message)signature, err := rsa.SignPKCS1v15(rng, private.(*rsa.PrivateKey), crypto.SHA256, hashed[:])if err != nil {return "", errors.New("While signing message ")}return hex.EncodeToString(signature), nil}
  1. Launch the agent and create thetest.sh script:
response=$(curl -s -w " status code: %{http_code}" -X POST -H "Content-Type: application/json" -d '{   "commandline":"hello",   "port":"/dev/ttyACM1",   "board":"arduino:avr:leonardo",   "signature":"ae4f40d5a4f5d57df432ee41e3d2250fe611ce22c9aa6033dd5d764bff6dd8525342bd7ead24e6d6b3fe72a70a2b94e3073148776010fafff52d37d0afaba69f9390efe19ea8231d2e8f29c68bc6fc5b59cc5a48af237fec921799c9b5f98e5c18fb9efde3d6f19f2df2f7626bd6c42c167a60bb8452c08c4e0aa8e49092c27df709a3eed9b4bc2cf1b22c252d8055fce9c0ce13003e6bde41bbf669f85c409b80e4339af4d08706b1a67c1726393b0528ce4585567d4821b6e981c95805618ff6237171b2ff87ae3b9a0130b32730d3571d18eb8ac4113f70aebca6e2dd0562364cde90fbe4e121b5a84917ad30e8a18e0b6d0ca0152d3a995098eb9c0a761f",   "filename":"test"}' http://127.0.0.1:8991/upload)echo "Response: $response"
  1. Launch the shell script:
$ ./test.sh                                                                                                                                                  Response: signature is invalid status code: 400
  • What is the new behavior?

Add thesignatureKey into theconfig.ini with this format (using backtick)

signatureKey = `-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtHP52M8dCYDGaC4UaOvUcfLqhteGX75EnbXMr6iOg7r7Of+doFV+Ee233Ly/di15CXaju3EpgUka5QSu6z2m4sne32aGw6T/eggY636CKcRHFPFjLmXX0CHq+Evg3E4g8W7Yslo2qu1SP3ySZCqeVpZHSeehlxFPpQKWXa1YiNF0gWh3cNQ0wneOsJ+ndShSuQ5C2YnSEoeoiEGVFOS0evX4GEdadudGBjHQUKjhj+k3Ydaz014aIIC7CUVkQog9B7vpB+znHJH/gCl9DqYO4mjPfHG4c5ppNu455hEe75R5q9bPc7TjBA3jpZsdrBY05lX2Q2nAQgSYIHpf78xl7wIDAQAB-----END PUBLIC KEY-----`

If thetest.sh is launched, the result is

Response:  status code: 202
  • Does this PR introduce a breaking change?
    It should not.

Notable changes are the following:

  • the/upload endpoint logs an error if the signature verification failslog.WithField("err", err).Error("Error verifying the command") (while before the error was not shown anywhere)
  • thesignatureKey must be specified in the confi.ini wrapped with backthick ( ` )
  • add a section to thewiki page
  • Other information:
    Other correlated issues

Forum discussion about this issue:https://forum.arduino.cc/t/signing-command-line-for-arduino-create-agent/1366082/2

@codecov-commenter
Copy link

codecov-commenter commentedMar 25, 2025
edited
Loading

Codecov Report

❌ Patch coverage is35.65217% with74 lines in your changes missing coverage. Please review.
✅ Project coverage is 20.23%. Comparing base (5fcb7c4) to head (2237ff0).
⚠️ Report is 6 commits behind head on main.

Files with missing linesPatch %Lines
conn.go21.91%54 Missing and 3 partials⚠️
main.go0.00%10 Missing⚠️
utilities/utilities.go65.00%5 Missing and 2 partials⚠️
Additional details and impacted files
@@            Coverage Diff             @@##             main    #1024      +/-   ##==========================================+ Coverage   20.14%   20.23%   +0.09%==========================================  Files          42       42                Lines        3222     3242      +20     ==========================================+ Hits          649      656       +7- Misses       2488     2499      +11- Partials       85       87       +2
FlagCoverage Δ
unit20.23% <35.65%> (+0.09%)⬆️

Flags with carried forward coverage won't be shown.Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report?Share it here.

🚀 New features to boost your workflow:
  • ❄️Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@dido18dido18 changed the titleFix invalid signature with custom keysFix invalid signature with custom public keyMar 26, 2025
@dido18dido18 changed the titleFix invalid signature with custom public keyfix: allow to specify customsignatureKey in theconfig.iniMar 26, 2025
@dido18dido18 mentioned this pull requestMar 26, 2025
@dido18dido18 requested a review froma teamMarch 26, 2025 13:34
Copy link
Contributor

@lucarin91lucarin91 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I have some concerns on the ini file parsing, it seems not so stable to do a replace all on the\\n. I would try to investigate if we can do better then that.

@dido18
Copy link
ContributorAuthor

dido18 commentedMar 26, 2025
edited
Loading

I have some concerns on the ini file parsing, it seems not so stable to do a replace all on the\\n. I would try to investigate if we can do better then that.

To avoid possible issue with the replaceAll, we may allow only themultiline format using the backtick operator

Supported format

Multiline using the backtick

signatureKey = `-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtHP52M8dCYDGaC4UaOvUcfLqhteGX75EnbXMr6iOg7r7Of+doFV+Ee233Ly/di15CXaju3EpgUka5QSu6z2m4sne32aGw6T/eggY636CKcRHFPFjLmXX0CHq+Evg3E4g8W7Yslo2qu1SP3ySZCqeVpZHSeehlxFPpQKWXa1YiNF0gWh3cNQ0wneOsJ+ndShSuQ5C2YnSEoeoiEGVFOS0evX4GEdadudGBjHQUKjhj+k3Ydaz014aIIC7CUVkQog9B7vpB+znHJH/gCl9DqYO4mjPfHG4c5ppNu455hEe75R5q9bPc7TjBA3jpZsdrBY05lX2Q2nAQgSYIHpf78xl7wIDAQAB-----END PUBLIC KEY-----`

Rejected format

  1. Inline format with\n are converted into\\n by the go-ini lib)
signatureKey = '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtHP52M8dCYDGaC4UaOvU\ncfLqhteGX75EnbXMr6iOg7r7Of+doFV+Ee233Ly/di15CXaju3EpgUka5QSu6z2m\n4sne32aGw6T/eggY636CKcRHFPFjLmXX0CHq+Evg3E4g8W7Yslo2qu1SP3ySZCqe\nVpZHSeehlxFPpQKWXa1YiNF0gWh3cNQ0wneOsJ+ndShSuQ5C2YnSEoeoiEGVFOS0\nevX4GEdadudGBjHQUKjhj+k3Ydaz014aIIC7CUVkQog9B7vpB+znHJH/gCl9DqYO\n4mjPfHG4c5ppNu455hEe75R5q9bPc7TjBA3jpZsdrBY05lX2Q2nAQgSYIHpf78xl\n7wIDAQAB\n-----END PUBLIC KEY-----\n'

Rejected with the error

msg="cannot parse signature key '-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtHP52M8dCYDGaC4UaOvU\\ncfLqhteGX75EnbXMr6iOg7r7Of+doFV+Ee233Ly/di15CXaju3EpgUka5QSu6z2m\\n4sne32aGw6T/eggY636CKcRHFPFjLmXX0CHq+Evg3E4g8W7Yslo2qu1SP3ySZCqe\\nVpZHSeehlxFPpQKWXa1YiNF0gWh3cNQ0wneOsJ+ndShSuQ5C2YnSEoeoiEGVFOS0\\nevX4GEdadudGBjHQUKjhj+k3Ydaz014aIIC7CUVkQog9B7vpB+znHJH/gCl9DqYO\\n4mjPfHG4c5ppNu455hEe75R5q9bPc7TjBA3jpZsdrBY05lX2Q2nAQgSYIHpf78xl\\n7wIDAQAB\\n-----END PUBLIC KEY-----\\n'
  1. Multiline using the single or double quotes:
signatureKey = "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtHP52M8dCYDGaC4UaOvUcfLqhteGX75EnbXMr6iOg7r7Of+doFV+Ee233Ly/di15CXaju3EpgUka5QSu6z2m4sne32aGw6T/eggY636CKcRHFPFjLmXX0CHq+Evg3E4g8W7Yslo2qu1SP3ySZCqeVpZHSeehlxFPpQKWXa1YiNF0gWh3cNQ0wneOsJ+ndShSuQ5C2YnSEoeoiEGVFOS0evX4GEdadudGBjHQUKjhj+k3Ydaz014aIIC7CUVkQog9B7vpB+znHJH/gCl9DqYO4mjPfHG4c5ppNu455hEe75R5q9bPc7TjBA3jpZsdrBY05lX2Q2nAQgSYIHpf78xl7wIDAQAB-----END PUBLIC KEY-----"

Error:

level=panic msg="config.ini cannot be parsed: key-value delimiter not found

@lucarin91
Copy link
Contributor

@dido18 Can you please add some documentation about this new key format in the ini file?

@dido18
Copy link
ContributorAuthor

dido18 commentedMar 26, 2025
edited
Loading

@dido18 Can you please add some documentation about this new key format in the ini file?

I update the wiki page with a new section

Copy link
Member

@cmagliecmaglie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Tested locally, it's working for me 👍🏼

dido18and others added5 commitsMarch 26, 2025 17:34
Co-authored-by: Luca Rinaldi <lucarin@protonmail.com>
Co-authored-by: Luca Rinaldi <lucarin@protonmail.com>
Co-authored-by: Luca Rinaldi <lucarin@protonmail.com>
@dido18dido18 merged commit901728d intomainMar 27, 2025
42 checks passed
@dido18dido18 deleted the fix-invalid-signature-with-custom-keys branchMarch 27, 2025 08:54
@XaytonXayton added this to the1.7.0 milestoneMar 31, 2025
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@cmagliecmagliecmaglie approved these changes

@lucarin91lucarin91lucarin91 approved these changes

+1 more reviewer

@alessio-peruginialessio-peruginialessio-perugini approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.7.0

Development

Successfully merging this pull request may close these issues.

6 participants

@dido18@codecov-commenter@lucarin91@cmaglie@alessio-perugini@Xayton
[8]ページ先頭
©2009-2025 Movatter.jp