Added core "post install" and "pre uninstall" script support.

If a core has a post/pre install/uninstall script, it will be execute at the appropriate time IF:
1) source (package_*_index) is trusted (GPG signed)
2) or users have explicitly added line "contributions.trust.all=true" to their preferences.txt
Some minor refactor and clean up while I was at it

Author: Federico Fissore

app/src/cc/arduino/contributions/packages/ui/ContributionManagerUI.java

@@ -30,6 +30,7 @@
 package cc.arduino.contributions.packages.ui;
 
 import cc.arduino.contributions.DownloadableContribution;
+import cc.arduino.contributions.GPGDetachedSignatureVerifier;
 import cc.arduino.contributions.packages.ContributedPlatform;
 import cc.arduino.contributions.packages.ContributionInstaller;
 import cc.arduino.contributions.packages.ContributionsIndexer;
@@ -116,7 +117,7 @@ public void setIndexer(ContributionsIndexer indexer) {
     }
 
     // Create ConstributionInstaller tied with the provided index
-    installer = new ContributionInstaller(indexer, platform) {
+    installer = new ContributionInstaller(indexer, platform, new GPGDetachedSignatureVerifier()) {
       @Override
       public void onProgress(Progress progress) {
         setProgress(progress);

app/src/processing/app/Base.java

@@ -24,6 +24,7 @@
 
 import cc.arduino.contributions.BuiltInCoreIsNewerCheck;
 import cc.arduino.contributions.DownloadableContributionVersionComparator;
+import cc.arduino.contributions.GPGDetachedSignatureVerifier;
 import cc.arduino.contributions.VersionHelper;
 import cc.arduino.contributions.libraries.*;
 import cc.arduino.contributions.libraries.ui.LibraryManagerUI;
@@ -345,8 +346,8 @@ public Base(String[] args) throws Exception {
     PreferencesData.save();
 
     if (parser.isInstallBoard()) {
-      ContributionsIndexer indexer = new ContributionsIndexer(BaseNoGui.getSettingsFolder(), BaseNoGui.getPlatform());
-      ContributionInstaller installer = new ContributionInstaller(indexer, BaseNoGui.getPlatform()) {
+      ContributionsIndexer indexer = new ContributionsIndexer(BaseNoGui.getSettingsFolder(), BaseNoGui.getPlatform(), new GPGDetachedSignatureVerifier());
+      ContributionInstaller installer = new ContributionInstaller(indexer, BaseNoGui.getPlatform(), new GPGDetachedSignatureVerifier()) {
         private String lastStatus = "";
 
         @Override
@@ -392,7 +393,7 @@ protected void onProgress(Progress progress) {
       System.exit(0);
 
     } else if (parser.isInstallLibrary()) {
-      LibrariesIndexer indexer = new LibrariesIndexer(BaseNoGui.getSettingsFolder(), new ContributionsIndexer(BaseNoGui.getSettingsFolder(), BaseNoGui.getPlatform()));
+      LibrariesIndexer indexer = new LibrariesIndexer(BaseNoGui.getSettingsFolder(), new ContributionsIndexer(BaseNoGui.getSettingsFolder(), BaseNoGui.getPlatform(), new GPGDetachedSignatureVerifier()));
       LibraryInstaller installer = new LibraryInstaller(indexer, BaseNoGui.getPlatform()) {
         private String lastStatus = "";
 

app/test/cc/arduino/packages/contributions/GPGDetachedSignatureVerifierTest.java renamed to app/test/cc/arduino/contributions/GPGDetachedSignatureVerifierTest.java

@@ -27,9 +27,8 @@
  * the GNU General Public License.
  */
 
-package cc.arduino.packages.contributions;
+package cc.arduino.contributions;
 
-import cc.arduino.contributions.GPGDetachedSignatureVerifier;
 import org.junit.Before;
 import org.junit.Test;
 

app/test/cc/arduino/packages/contributions/package_index.json renamed to app/test/cc/arduino/contributions/package_index.json

@@ -27,7 +27,7 @@
  * the GNU General Public License.
  */
 
-package cc.arduino.contributions.packages;
+package cc.arduino.contributions;
 
 import java.util.Arrays;
 import java.util.List;
@@ -39,6 +39,7 @@ public class Constants {
   public static final String PACKAGE_INDEX_URL;
 
   public static final String PREFERENCES_BOARDS_MANAGER_ADDITIONAL_URLS = "boardsmanager.additional.urls";
+  public static final String PREF_CONTRIBUTIONS_TRUST_ALL = "contributions.trust.all";
 
   static {
     String extenalPackageIndexUrl = System.getProperty("PACKAGE_INDEX_URL");

app/test/cc/arduino/packages/contributions/package_index.json.sig renamed to app/test/cc/arduino/contributions/package_index.json.sig

@@ -1,6 +1,8 @@
 /*
  * This file is part of Arduino.
  *
+ * Copyright 2015 Arduino LLC (http://www.arduino.cc/)
+ *
  * Arduino is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or
@@ -23,8 +25,6 @@
  * the GNU General Public License.  This exception does not however
  * invalidate any other reasons why the executable file might be covered by
  * the GNU General Public License.
- *
- * Copyright 2015 Arduino LLC (http://www.arduino.cc/)
  */
 
 package cc.arduino.contributions;
@@ -37,7 +37,7 @@
 import java.io.*;
 import java.util.Iterator;
 
-public class GPGDetachedSignatureVerifier {
+public class GPGDetachedSignatureVerifier extends SignatureVerifier {
 
   private String keyId;
 
@@ -49,9 +49,7 @@ public GPGDetachedSignatureVerifier(String keyId) {
     this.keyId = keyId;
   }
 
-  public boolean verify(File signedFile, File signature, File publicKey) throws IOException, PGPException {
-    PGPPublicKey pgpPublicKey = readPublicKey(publicKey, keyId);
-
+  protected boolean verify(File signedFile, File signature, File publicKey) throws IOException {
     FileInputStream signatureInputStream = null;
     FileInputStream signedFileInputStream = null;
     try {
@@ -71,11 +69,15 @@ public boolean verify(File signedFile, File signature, File publicKey) throws IO
       assert pgpSignatureList.size() == 1;
       PGPSignature pgpSignature = pgpSignatureList.get(0);
 
+      PGPPublicKey pgpPublicKey = readPublicKey(publicKey, keyId);
+
       pgpSignature.init(new BcPGPContentVerifierBuilderProvider(), pgpPublicKey);
       signedFileInputStream = new FileInputStream(signedFile);
       pgpSignature.update(IOUtils.toByteArray(signedFileInputStream));
 
       return pgpSignature.verify();
+    } catch (PGPException e) {
+      throw new IOException(e);
     } finally {
       IOUtils.closeQuietly(signatureInputStream);
       IOUtils.closeQuietly(signedFileInputStream);

app/test/cc/arduino/packages/contributions/public.gpg.key renamed to app/test/cc/arduino/contributions/public.gpg.key

@@ -0,0 +1,55 @@
+/*
+ * This file is part of Arduino.
+ *
+ * Copyright 2015 Arduino LLC (http://www.arduino.cc/)
+ *
+ * Arduino is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * As a special exception, you may use this file as part of a free software
+ * library without restriction.  Specifically, if other files instantiate
+ * templates or use macros or inline functions from this file, or you compile
+ * this file and link it with other files to produce an executable, this
+ * file does not by itself cause the resulting executable to be covered by
+ * the GNU General Public License.  This exception does not however
+ * invalidate any other reasons why the executable file might be covered by
+ * the GNU General Public License.
+ */
+
+package cc.arduino.contributions;
+
+import processing.app.BaseNoGui;
+
+import java.io.File;
+import java.io.IOException;
+
+public abstract class SignatureVerifier {
+
+  public boolean isSigned(File indexFile) {
+    File signature = new File(indexFile.getParent(), indexFile.getName() + ".sig");
+    if (!signature.exists()) {
+      return false;
+    }
+
+    try {
+      return verify(indexFile, signature, new File(BaseNoGui.getContentFile("lib"), "public.gpg.key"));
+    } catch (Exception e) {
+      BaseNoGui.showWarning(e.getMessage(), e.getMessage(), e);
+      return false;
+    }
+  }
+
+  protected abstract boolean verify(File signedFile, File signature, File publicKey) throws IOException;
+
+}

arduino-core/src/cc/arduino/contributions/packages/Constants.java renamed to arduino-core/src/cc/arduino/contributions/Constants.java

@@ -47,6 +47,8 @@ public abstract class ContributedPackage {
 
   public abstract ContributedHelp getHelp();
 
+  private boolean trusted;
+
   public ContributedPlatform findPlatform(String architecture, String version) {
     if (architecture == null || version == null) {
       return null;
@@ -66,6 +68,14 @@ public ContributedTool findTool(String name, String version) {
     return null;
   }
 
+  public boolean isTrusted() {
+    return trusted;
+  }
+
+  public void setTrusted(boolean trusted) {
+    this.trusted = trusted;
+  }
+
   @Override
   public String toString() {
     String res;