mirror of
https://github.com/actions/setup-java.git
synced 2026-07-08 16:20:44 +03:00
feat: Add verify-signature plumbing and Temurin+Microsoft verification support (#1060)
* Add verify-signature plumbing and Temurin verification support * Rebuild dist after signature verification changes * Refine signature verification errors and regenerate dist * refactor: make gpg.ts generic, move Adoptium-specific constant to temurin distribution * fix: mock renameWinArchive in temurin tests and add signature e2e job * refactor: bundle Adoptium public key, replace keyserver lookup with local import * feat: add verify-signature-public-key input to allow custom GPG key override * refactor: extract Adoptium public key to adoptium-key.ts; tighten gpg.ts cleanup scope * Add verify-signature plumbing and Temurin verification support * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Add Microsoft signature verification support * Regenerate dist bundles for Microsoft signature checks * Harden Microsoft signature URL handling * Add setup-java-microsoft-signature-verification e2e job * chore: regenerate dist files * Fix e2e-versions: remove duplicate job, update signature jobs to checkout@v7 with env vars * Fix Prettier formatting in test files * fix: mock renameWinArchive in microsoft-installer tests to fix Windows CI failure * fix: use --homedir flag instead of GNUPGHOME env var for Windows GPG compatibility The Git-bundled GPG on Windows (MSYS2-based) does not automatically convert Windows-style paths in environment variables like GNUPGHOME. This caused GPG to fail with exit code 2 when verifying Microsoft JDK signatures on Windows, because the GNUPGHOME path (D:\a\_temp\...) was not recognized as a valid POSIX path. Fix: pass --homedir as an explicit command-line argument to both gpg --import and gpg --verify. MSYS2 does correctly convert Windows paths in command-line arguments, so this approach works reliably on Windows, Linux, and macOS. * fix: convert Windows paths to POSIX format for MSYS2 GPG on Windows The Git-bundled GPG on Windows (C:\Program Files\Git\usr\bin\gpg.exe) is an MSYS2-based binary that uses POSIX path conventions internally. When Windows-style paths with backslashes and drive letters (D:\a\_temp\...) are passed as arguments, GPG may fail to resolve them correctly, resulting in a fatal error (exit code 2). Fix: add a toGpgPath() helper that converts Windows paths to MSYS2 POSIX format (/d/a/_temp/...) before passing them to any gpg command. On Linux and macOS the helper is a no-op. Applied to all four paths used in verifyPackageSignature: - gpgHome (--homedir argument) - publicKeyFile (--import argument) - signaturePath (--verify signature argument) - archivePath (--verify data argument) * Fix gpg test formatting --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Bruno Borges <brborges@microsoft.com>
This commit is contained in:
@@ -10,12 +10,16 @@ import {
|
||||
getGitHubHttpHeaders,
|
||||
renameWinArchive
|
||||
} from '../../util';
|
||||
import * as gpg from '../../gpg';
|
||||
import {MICROSOFT_PUBLIC_KEY} from './microsoft-key';
|
||||
import * as core from '@actions/core';
|
||||
import * as tc from '@actions/tool-cache';
|
||||
import fs from 'fs';
|
||||
import path from 'path';
|
||||
import {TypedResponse} from '@actions/http-client/lib/interfaces';
|
||||
|
||||
export {MICROSOFT_PUBLIC_KEY} from './microsoft-key';
|
||||
|
||||
export class MicrosoftDistributions extends JavaBase {
|
||||
constructor(installerOptions: JavaInstallerOptions) {
|
||||
super('Microsoft', installerOptions);
|
||||
@@ -29,6 +33,26 @@ export class MicrosoftDistributions extends JavaBase {
|
||||
);
|
||||
let javaArchivePath = await tc.downloadTool(javaRelease.url);
|
||||
|
||||
if (this.verifySignature) {
|
||||
if (!javaRelease.signatureUrl) {
|
||||
throw new Error(
|
||||
`Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.`
|
||||
);
|
||||
}
|
||||
core.info(`Verifying Java package signature...`);
|
||||
try {
|
||||
await gpg.verifyPackageSignature(
|
||||
javaArchivePath,
|
||||
javaRelease.signatureUrl,
|
||||
this.verifySignaturePublicKey ?? MICROSOFT_PUBLIC_KEY
|
||||
);
|
||||
} catch (error) {
|
||||
throw new Error(
|
||||
`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${(error as Error).message}`
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
core.info(`Extracting Java archive...`);
|
||||
const extension = getDownloadArchiveExtension();
|
||||
if (process.platform === 'win32') {
|
||||
@@ -80,12 +104,23 @@ export class MicrosoftDistributions extends JavaBase {
|
||||
throw this.createVersionNotFoundError(range, availableVersionStrings);
|
||||
}
|
||||
|
||||
const file = foundRelease.files[0] as {
|
||||
download_url: string;
|
||||
signature_url?: string;
|
||||
};
|
||||
const signatureUrl = file.signature_url ?? `${file.download_url}.sig`;
|
||||
|
||||
return {
|
||||
url: foundRelease.files[0].download_url,
|
||||
url: file.download_url,
|
||||
signatureUrl,
|
||||
version: foundRelease.version
|
||||
};
|
||||
}
|
||||
|
||||
protected supportsSignatureVerification(): boolean {
|
||||
return true;
|
||||
}
|
||||
|
||||
private async getAvailableVersions(): Promise<tc.IToolRelease[] | null> {
|
||||
// TODO get these dynamically!
|
||||
// We will need Microsoft to add an endpoint where we can query for versions.
|
||||
|
||||
Reference in New Issue
Block a user