Add signature verification to V2 tool install endpoint

[umbynos]

Please check if the PR fulfills these requirements

• The PR has no duplicates (please search among the Pull Requests
  before creating one)
• Tests for the changes have been added (for bug fixes / features)

• What kind of change does this PR introduce?

security enhancement in the V2 tools install endpoint

• What is the current behavior?

The "URL" and "Checksum" arguments of the /v2/pkgs/tools/installed endpoint are overriding "name", "packager" and "version" without performing signature verification:

$ curl -X POST --header 'Content-Type: application/json' --d
ata '{"name": "dummy","version": "dummy","packager": "dumm
y", "url": "https://dl.espressif.com/dl/esptool-2.3.1-linu
x.tar.gz","checksum": "SHA-256:cff30841dad80ed5d7d2d58a318
43b63afa57528979a9c839806568167691d8e"}' 127.0.0.1:8991/v2
/pkgs/tools/installed

{"status":"ok"}

$ ll ~/.arduino-create/dummy/dummy/dummy/esptool.py 
-rw-r--r-- 1 umberto umberto 115K Sep  7 12:26 /home/umberto/.arduino-create/dummy/dummy/dummy/esptool.py

• What is the new behavior?

If "URL" or "Checksum" or "Signature" arguments are not present, we try to install the tool from the loaded package_index.json:
With the same CURL listed above, this is the result:

{"name":"not_found","id":"IoHH-Xxv","message":"tool not found with packager 'dummy', name 'dummy', version 'dummy'","temporary":false,"timeout":false,"fault":false}

$ ll ~/.arduino-create/dummy/dummy/dummy/esptool.py
ls: cannot access '/home/umberto/.arduino-create/dummy/dummy/dummy/esptool.py': No such file or directory

The signature is used to verify the URL.
If the signature is present but does not match:

$ curl -X POST --header 'Content-Type: application/json' --data '{"name": "dummy","version": "dummy","packager": "dummy", "url": "https://dl.espressif.com/dl/esptool-2.3.1-linux.tar.gz","checksum": "SHA-256:cff30841dad80ed5d7d2d58a31843b63afa57528979a9c839806568167691d8e", "signature": "wr0ngS1gn4tur3"}' 127.0.0.1:8991/v2/pkgs/tools/installed

{"name":"fault","id":"5sZKrQPL","message":"crypto/rsa: verification error","temporary":false,"timeout":false,"fault":true}

ll ~/.arduino-create/dummy/dummy/dummy/esptool.py
ls: cannot access '/home/umberto/.arduino-create/dummy/dummy/dummy/esptool.py': No such file or directory

• Does this PR introduce a breaking change?

Technically no, since the Web Editor is already sending the "signature" argument in the request to the agent.

• Other information:

[codecov-commenter]

Codecov Report

Patch coverage: 67.74% and project coverage change: +0.44% 🎉

Comparison is base (08422e6) 16.88% compared to head (b7d18c2) 17.32%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #826      +/-   ##
==========================================
+ Coverage   16.88%   17.32%   +0.44%     
==========================================
  Files          53       53              
  Lines        4075     4081       +6     
==========================================
+ Hits          688      707      +19     
+ Misses       3287     3273      -14     
- Partials      100      101       +1     

Flag	Coverage Δ
unit	17.32% <67.74%> (+0.44%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
conn.go	0.00% <0.00%> (ø)
gen/tools/service.go	18.51% <ø> (ø)
main.go	2.28% <ø> (ø)
utilities/utilities.go	18.62% <60.00%> (+7.13%)	⬆️
gen/http/tools/server/types.go	36.73% <66.66%> (+0.56%)	⬆️
v2/pkgs/tools.go	67.30% <100.00%> (+0.86%)	⬆️

... and 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.