feat: Add verify-signature plumbing and Temurin+Microsoft verification support (#1060)

* Add verify-signature plumbing and Temurin verification support * Rebuild dist after signature verification changes * Refine signature verification errors and regenerate dist * refactor: make gpg.ts generic, move Adoptium-specific constant to temurin distribution * fix: mock renameWinArchive in temurin tests and add signature e2e job * refactor: bundle Adoptium public key, replace keyserver lookup with local import * feat: add verify-signature-public-key input to allow custom GPG key override * refactor: extract Adoptium public key to adoptium-key.ts; tighten gpg.ts cleanup scope * Add verify-signature plumbing and Temurin verification support * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Add Microsoft signature verification support * Regenerate dist bundles for Microsoft signature checks * Harden Microsoft signature URL handling * Add setup-java-microsoft-signature-verification e2e job * chore: regenerate dist files * Fix e2e-versions: remove duplicate job, update signature jobs to checkout@v7 with env vars * Fix Prettier formatting in test files * fix: mock renameWinArchive in microsoft-installer tests to fix Windows CI failure * fix: use --homedir flag instead of GNUPGHOME env var for Windows GPG compatibility The Git-bundled GPG on Windows (MSYS2-based) does not automatically convert Windows-style paths in environment variables like GNUPGHOME. This caused GPG to fail with exit code 2 when verifying Microsoft JDK signatures on Windows, because the GNUPGHOME path (D:\a\_temp\...) was not recognized as a valid POSIX path. Fix: pass --homedir as an explicit command-line argument to both gpg --import and gpg --verify. MSYS2 does correctly convert Windows paths in command-line arguments, so this approach works reliably on Windows, Linux, and macOS. * fix: convert Windows paths to POSIX format for MSYS2 GPG on Windows The Git-bundled GPG on Windows (C:\Program Files\Git\usr\bin\gpg.exe) is an MSYS2-based binary that uses POSIX path conventions internally. When Windows-style paths with backslashes and drive letters (D:\a\_temp\...) are passed as arguments, GPG may fail to resolve them correctly, resulting in a fatal error (exit code 2). Fix: add a toGpgPath() helper that converts Windows paths to MSYS2 POSIX format (/d/a/_temp/...) before passing them to any gpg command. On Linux and macOS the helper is a no-op. Applied to all four paths used in verifyPackageSignature: - gpgHome (--homedir argument) - publicKeyFile (--import argument) - signaturePath (--verify signature argument) - archivePath (--verify data argument) * Fix gpg test formatting --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Bruno Borges <brborges@microsoft.com>
2026-06-29 18:40:33 +03:00 · 2026-06-29 13:19:49 +01:00
parent e9339ddc84
commit b150355f04
20 changed files with 1117 additions and 112 deletions
@@ -1,6 +1,7 @@
 import * as path from 'path';
 import * as io from '@actions/io';
 import * as exec from '@actions/exec';
+import * as tc from '@actions/tool-cache';
 import * as gpg from '../src/gpg';

 jest.mock('@actions/exec', () => {
@@ -9,6 +10,12 @@ jest.mock('@actions/exec', () => {
  };
 });

+jest.mock('@actions/tool-cache', () => {
+  return {
+    downloadTool: jest.fn()
+  };
+});
+
 const tempDir = path.join(__dirname, 'runner', 'temp');
 process.env['RUNNER_TEMP'] = tempDir;

@@ -25,6 +32,35 @@ describe('gpg tests', () => {
    }
  });

+  describe('toGpgPath', () => {
+    const originalPlatform = process.platform;
+
+    afterEach(() => {
+      Object.defineProperty(process, 'platform', {value: originalPlatform});
+    });
+
+    it('returns path unchanged on non-Windows platforms', () => {
+      Object.defineProperty(process, 'platform', {value: 'linux'});
+      expect(gpg.toGpgPath('/tmp/some/path')).toBe('/tmp/some/path');
+      expect(gpg.toGpgPath('D:\\a\\_temp\\file')).toBe('D:\\a\\_temp\\file');
+    });
+
+    it('converts Windows backslashes and drive letter to POSIX path on Windows', () => {
+      Object.defineProperty(process, 'platform', {value: 'win32'});
+      expect(gpg.toGpgPath('D:\\a\\_temp\\gpg-home')).toBe(
+        '/d/a/_temp/gpg-home'
+      );
+      expect(
+        gpg.toGpgPath('C:\\Users\\runner\\AppData\\Local\\Temp\\key.asc')
+      ).toBe('/c/Users/runner/AppData/Local/Temp/key.asc');
+    });
+
+    it('handles uppercase and lowercase drive letters on Windows', () => {
+      Object.defineProperty(process, 'platform', {value: 'win32'});
+      expect(gpg.toGpgPath('d:\\a\\_temp\\file')).toBe('/d/a/_temp/file');
+    });
+  });
+
  describe('importKey', () => {
    it('attempts to import private key and returns null key id on failure', async () => {
      const privateKey = 'KEY CONTENTS';
@@ -51,5 +87,47 @@ describe('gpg tests', () => {
        expect.anything()
      );
    });
+
+    describe('verifyPackageSignature', () => {
+      it('imports bundled key and verifies package', async () => {
+        const publicKeyContent =
+          '-----BEGIN PGP PUBLIC KEY BLOCK-----\ntest\n-----END PGP PUBLIC KEY BLOCK-----';
+        (tc.downloadTool as jest.Mock).mockResolvedValue('/tmp/jdk.tar.gz.sig');
+        await gpg.verifyPackageSignature(
+          '/tmp/jdk.tar.gz',
+          'https://example.com/jdk.tar.gz.sig',
+          publicKeyContent
+        );
+
+        expect(tc.downloadTool).toHaveBeenCalledWith(
+          'https://example.com/jdk.tar.gz.sig'
+        );
+        expect(exec.exec).toHaveBeenNthCalledWith(
+          1,
+          'gpg',
+          [
+            '--homedir',
+            expect.any(String),
+            '--batch',
+            '--import',
+            expect.stringContaining('public-key.asc')
+          ],
+          expect.objectContaining({silent: true})
+        );
+        expect(exec.exec).toHaveBeenNthCalledWith(
+          2,
+          'gpg',
+          [
+            '--homedir',
+            expect.any(String),
+            '--batch',
+            '--verify',
+            '/tmp/jdk.tar.gz.sig',
+            '/tmp/jdk.tar.gz'
+          ],
+          expect.objectContaining({silent: true})
+        );
+      });
+    });
  });
 });