SQSCANGHA-140 Add OpenPGP signature verification for scanner downloads (#235)

src/main/install-sonar-scanner.js

@@ -18,13 +18,14 @@
 
 import * as core from "@actions/core";
 import * as tc from "@actions/tool-cache";
-import * as os from "os";
-import * as path from "path";
+import * as os from "node:os";
+import * as path from "node:path";
 import {
   getPlatformFlavor,
   getScannerDownloadURL,
   scannerDirName,
 } from "./utils";
+import { verifySignature } from "./gpg-verification";
 
 const TOOLNAME = "sonar-scanner-cli";
 
@@ -34,6 +35,7 @@ const TOOLNAME = "sonar-scanner-cli";
 export async function installSonarScanner({
   scannerVersion,
   scannerBinariesUrl,
+  skipSignatureVerification = false,
 }) {
   const flavor = getPlatformFlavor(os.platform(), os.arch());
 
@@ -54,6 +56,25 @@ export async function installSonarScanner({
     core.info(`Downloading from: ${downloadUrl}`);
 
     const downloadPath = await tc.downloadTool(downloadUrl);
+
+    if (skipSignatureVerification) {
+      core.warning("⚠ Skipping GPG signature verification (not recommended)");
+    } else {
+      const signatureUrl = `${downloadUrl}.asc`;
+      core.info(`Downloading signature from: ${signatureUrl}`);
+
+      let signaturePath;
+      try {
+        signaturePath = await tc.downloadTool(signatureUrl);
+      } catch (error) {
+        throw new Error(
+          `Failed to download signature file from ${signatureUrl}: ${error.message}`
+        );
+      }
+
+      await verifySignature(downloadPath, signaturePath);
+    }
+
     const extractedPath = await tc.extractZip(downloadPath);
 
     // Find the actual scanner directory inside the extracted folder