OK. I'd like to take your advice and create a .json file for the compiler toolchain. A .json file permits a clean install of the toolchain, and I can also provide the stm32duino people with a "copy-paste" solution.
- Why sign?
- How to sign? What's the .json syntax?
Currently the signature check mechanism uses a public and a private key and consists of signing Arduino's package_index.json server side with our private key, then checking the signature in the IDE using Arduino's public key bundled in the IDE. We are investigating ways to make 3rd party cores indexes more secure too, maybe starting by using our own key and ending up with some sort of CA mechanism similar to the one used by web browsers. But this is not so easy to implement, so we implemented only the first bits of the feature.
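The mechanism described in the reply above, as an added example that is not Arduino's own code: the publisher signs the exact bytes of the index with a private key, the client checks a detached signature against a public key it already trusts, and only then parses the JSON. The post does not name the algorithm, so Ed25519 from the Go standard library is assumed here; the per-URL trust store is also an assumption, modelling the "each index publisher has its own key" direction the reply mentions rather than anything the IDE actually does. The sample index is constructed and its package name and URL are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SampleIndex is a constructed, minimal package_index.json-style document.
// The field names follow the index format; the package and URL are made up.
const SampleIndex = `{"packages":[{"name":"STM32","platforms":[{"name":"STM32 Cores","version":"1.0.0","url":"https://example.invalid/stm32-1.0.0.tar.bz2"}]}]}`

// TrustStore maps an index URL to the public key the client trusts for it.
// Assumption for illustration: one trusted key per index publisher, the way a
// third-party index would be handled if each publisher signed with its own key.
type TrustStore map[string]ed25519.PublicKey

// SignIndex runs on the publisher's side: a detached Ed25519 signature over
// the exact bytes that will be served. Any later re-serialisation of the JSON
// (whitespace, key order) would invalidate it, which is the intended property.
func SignIndex(priv ed25519.PrivateKey, index []byte) []byte {
	return ed25519.Sign(priv, index)
}

// VerifyIndex runs on the client side. It parses the index only after the
// signature has checked out against the key trusted for that URL, so bytes
// from an untrusted source never reach the JSON parser.
func VerifyIndex(ts TrustStore, url string, index, sig []byte) (map[string]interface{}, error) {
	pub, ok := ts[url]
	if !ok {
		return nil, fmt.Errorf("no trusted key for index %s", url)
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, index, sig) {
		return nil, errors.New("package index signature invalid: refusing to use it")
	}
	var parsed map[string]interface{}
	if err := json.Unmarshal(index, &parsed); err != nil {
		return nil, fmt.Errorf("signed index is not valid JSON: %w", err)
	}
	return parsed, nil
}

func main() {
	// Key generation would happen once, offline, on the publisher's side;
	// the public half is what gets bundled with the IDE.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const url = "https://example.invalid/package_index.json"
	ts := TrustStore{url: pub}

	index := []byte(SampleIndex)
	sig := SignIndex(priv, index)

	if _, err := VerifyIndex(ts, url, index, sig); err != nil {
		panic(err)
	}
	fmt.Println("genuine index accepted")

	// A mirror or MITM that edits one field invalidates the detached signature.
	tampered := []byte(strings.Replace(SampleIndex, "1.0.0.tar.bz2", "1.0.0-evil.tar.bz2", 1))
	if _, err := VerifyIndex(ts, url, tampered, sig); err != nil {
		fmt.Println("tampered index rejected:", err)
	}

	// An index from a URL with no trusted key is rejected before any parsing.
	if _, err := VerifyIndex(ts, "https://other.invalid/package_index.json", index, sig); err != nil {
		fmt.Println("unknown index rejected:", err)
	}
}
```

The order matters: verify the raw downloaded bytes first, then parse. Parsing first and signing a re-serialised form would let a malformed or attacker-controlled document reach the parser before any trust decision is made.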
- Do all packages have to be signed?
- Do all packages have to be signed with the same signature?
IMHO, a section about signing in the package_index.json spec would not be a bad thing.
It's a shame this can't be done upstream in the original stm32duino project. Have they just refused to add ARM Linux support? As you've proven, it's not so difficult.