Introduced cache for PDSC files in .WEB. (#627)

… PDSC files need to be updated," Issue #2217

## Fixes
[Remove requirement that all PDSC files need to be
updated](Open-CMSIS-Pack/devtools#2217)

## Changes
Create and maintain a new cache.pidx file for .Web

## Checklist
<!-- Put an `x` in the boxes. All tasks must be completed and boxes
checked before merging. -->
- [x] 🤖 This change is covered by unit tests (if applicable).
- [x] 🤹 Manual testing has been performed (if necessary).
- [x] 🛡️ Security impacts have been considered (if relevant).
- [x] 📖 Documentation updates are complete (if required).
- [x] 🧠 Third-party dependencies and TPIP updated (if required).

---------

Co-authored-by: Sourabh Mehta <[email protected]>
Co-authored-by: Sourabh Mehta <[email protected]>
Co-authored-by: Joachim Krech <[email protected]>

Author: 3 people

.github/workflows/ci.yml

@@ -55,6 +55,12 @@ jobs:
       - name: Install xmllint
         run: sudo apt-get update && sudo apt-get install libxml2-utils
 
+      - name: Archive tpip report
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: tpip-report
+          path: ./build/cpackget-ubuntu-amd64.txt
+
       - name: Check if local_repository.pidx is valid
         run: |
           make test-xmllint-localrepository

cmd/commands/add.go

@@ -100,7 +100,7 @@ Add a pack using the following "<pack>" specification or using packs provided by
 		installer.UnlockPackRoot()
 		for _, packPath := range args {
 			var err error
-			if filepath.Ext(packPath) == installer.PdscExtension {
+			if filepath.Ext(packPath) == utils.PdscExtension {
 				err = installer.AddPdsc(packPath)
 			} else {
 				err = installer.AddPack(packPath, !addCmdFlags.skipEula, addCmdFlags.extractEula, addCmdFlags.forceReinstall, addCmdFlags.noRequirements, false, viper.GetInt("timeout"))

cmd/commands/init.go

@@ -53,7 +53,7 @@ The index-url is mandatory. Ex "cpackget init --pack-root path/to/mypackroot htt
 			return err
 		}
 
-		err = installer.UpdatePublicIndex(indexPath, true, true, initCmdFlags.downloadPdscFiles, false, true, true, viper.GetInt("concurrent-downloads"), viper.GetInt("timeout"))
+		err = installer.UpdatePublicIndex(indexPath, true, initCmdFlags.downloadPdscFiles, false, true, true, viper.GetInt("concurrent-downloads"), viper.GetInt("timeout"))
 		return err
 	},
 }

cmd/commands/rm.go

@@ -60,7 +60,7 @@ please use "--purge".`,
 		installer.UnlockPackRoot()
 		for _, packPath := range args {
 			var err error
-			if filepath.Ext(packPath) == installer.PdscExtension {
+			if filepath.Ext(packPath) == utils.PdscExtension {
 				err = installer.RemovePdsc(packPath)
 				if err == errs.ErrPdscEntryNotFound {
 					err = errs.ErrPackNotInstalled

cmd/commands/root.go

@@ -79,7 +79,7 @@ func configureInstaller(cmd *cobra.Command, args []string) error {
 			// Exclude index updating commands to not double update
 			if cmd.Name() != "init" && cmd.Name() != "index" && cmd.Name() != "update-index" && cmd.Name() != "list" {
 				installer.UnlockPackRoot()
-				err = installer.UpdatePublicIndex(installer.ActualPublicIndex, true, true, false, false, false, true, 0, 0)
+				err = installer.UpdatePublicIndex(installer.ActualPublicIndex, true, false, false, false, true, 0, 0)
 				if err != nil {
 					return err
 				}

cmd/commands/update_index.go

@@ -44,7 +44,7 @@ var UpdateIndexCmd = &cobra.Command{
 			return err
 		}
 
-		err = installer.UpdatePublicIndex("", true, updateIndexCmdFlags.sparse, false, updateIndexCmdFlags.downloadUpdatePdscFiles, true, true, viper.GetInt("concurrent-downloads"), viper.GetInt("timeout"))
+		err = installer.UpdatePublicIndex("", updateIndexCmdFlags.sparse, false, updateIndexCmdFlags.downloadUpdatePdscFiles, true, true, viper.GetInt("concurrent-downloads"), viper.GetInt("timeout"))
 		return err
 	},
 }

cmd/cryptography/checksum.go

@@ -9,7 +9,6 @@ import (
 	"strings"
 
 	errs "github.com/open-cmsis-pack/cpackget/cmd/errors"
-	"github.com/open-cmsis-pack/cpackget/cmd/installer"
 	"github.com/open-cmsis-pack/cpackget/cmd/utils"
 	log "github.com/sirupsen/logrus"
 )
@@ -64,7 +63,7 @@ func GenerateChecksum(sourcePack, destinationDir, hashFunction string) error {
 		if !utils.DirExists(destinationDir) {
 			return errs.ErrDirectoryNotFound
 		}
-		base = filepath.Clean(destinationDir) + string(filepath.Separator) + strings.TrimSuffix(string(filepath.Base(sourcePack)), installer.PackExtension)
+		base = filepath.Clean(destinationDir) + string(filepath.Separator) + strings.TrimSuffix(string(filepath.Base(sourcePack)), utils.PackExtension)
 	}
 	checksumFilename := base + "." + strings.ReplaceAll(hashFunction, "-", "") + ".checksum"
 	if utils.FileExists(checksumFilename) {
@@ -96,7 +95,7 @@ func VerifyChecksum(packPath, checksumPath string) error {
 	// exist .checksums with different algos in the same dir
 	if checksumPath == "" {
 		for _, hash := range Hashes {
-			checksumPath = strings.ReplaceAll(packPath, installer.PackExtension, "."+hash+".checksum")
+			checksumPath = strings.ReplaceAll(packPath, utils.PackExtension, "."+hash+".checksum")
 			if utils.FileExists(checksumPath) {
 				break
 			}

cmd/cryptography/signature.go

@@ -48,8 +48,15 @@ func validateSignatureScheme(zip *zip.ReadCloser, version string, signing bool)
 		return "invalid"
 	}
 	// Warn the user if the tag was made by an older cpackget version
-	if utils.SemverCompare(strings.Split(sv, "-")[1][1:], strings.Split(version, "-")[0][1:]) == -1 {
-		log.Warnf("This pack was signed with an older version of cpackget (%s)", sv)
+	svParts := strings.Split(sv, "-")
+	versionParts := strings.Split(version, "-")
+	if len(svParts) > 1 && len(versionParts) > 0 {
+		// Extract version strings safely
+		svVersion := strings.TrimPrefix(svParts[1], "v")
+		vVersion := strings.TrimPrefix(versionParts[0], "v")
+		if utils.SemverCompare(svVersion, vVersion) == -1 {
+			log.Warnf("This pack was signed with an older version of cpackget (%s)", sv)
+		}
 	}
 	if s[1] == "f" && len(s) == 4 {
 		if !utils.IsBase64(s[2]) && !utils.IsBase64(s[3]) {
@@ -148,12 +155,19 @@ func sanityCheckCertificate(cert *x509.Certificate, vendor string) error {
 		log.Warn("Certificate should not be a CA certificate")
 	}
 	ku := getKeyUsage(cert.KeyUsage)
-	if len(ku) == 2 {
-		if ku[0] != "\"Digital Signature\"" || ku[1] != "\"Content Commitment\"" {
-			log.Warn("Does not have \"Digital Signature\" and \"Content Commitment\" key usage fields")
+	// Check for required key usages: "Digital Signature" and "Content Commitment"
+	hasDigitalSig := false
+	hasContentCommit := false
+	for _, usage := range ku {
+		if usage == "\"Digital Signature\"" {
+			hasDigitalSig = true
+		}
+		if usage == "\"Content Commitment\"" {
+			hasContentCommit = true
 		}
-	} else {
-		log.Warn("Does not have \"Digital Signature\" and \"Content Commitment\" key usage fields")
+	}
+	if !hasDigitalSig || !hasContentCommit {
+		log.Warn("Does not have required \"Digital Signature\" and \"Content Commitment\" key usage fields")
 	}
 	return nil
 }
@@ -196,6 +210,7 @@ func exportCertificate(b64Cert, path string) error {
 	if err != nil {
 		return err
 	}
+	defer out.Close()
 	b64, err := base64.StdEncoding.DecodeString(b64Cert)
 	if err != nil {
 		return err
@@ -237,7 +252,10 @@ func signPackHashX509(keyPath string, cert *x509.Certificate, hash []byte) ([]by
 		b, err := isPrivateKeyFromCertificate(cert, block.Bytes, "PKCS1")
 		if !b {
 			log.Error("Private key does not derive from provided x509 certificate")
-			return nil, err
+			if err != nil {
+				return nil, err
+			}
+			return nil, errs.ErrBadPrivateKey
 		}
 		rsaPrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
@@ -247,7 +265,10 @@ func signPackHashX509(keyPath string, cert *x509.Certificate, hash []byte) ([]by
 		b, err := isPrivateKeyFromCertificate(cert, block.Bytes, "PKCS8")
 		if !b {
 			log.Error("Private key does not derive from provided x509 certificate")
-			return nil, err
+			if err != nil {
+				return nil, err
+			}
+			return nil, errs.ErrBadPrivateKey
 		}
 		pk, err := x509.ParsePKCS8PrivateKey(block.Bytes)
 		if err != nil {