diff --git a/.github/workflows/e2e-versions.yml b/.github/workflows/e2e-versions.yml index cc15a025..281d4570 100644 --- a/.github/workflows/e2e-versions.yml +++ b/.github/workflows/e2e-versions.yml @@ -351,6 +351,29 @@ jobs: run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" shell: bash + setup-java-temurin-signature-verification: + name: temurin ${{ matrix.version }} signature verification - ${{ matrix.os }} + needs: setup-java-major-minor-versions + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: [macos-latest, windows-latest, ubuntu-latest] + version: ['21', '17'] + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: setup-java with signature verification + uses: ./ + id: setup-java + with: + java-version: ${{ matrix.version }} + distribution: temurin + verify-signature: true + - name: Verify Java + run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + shell: bash + setup-java-ea-versions-sapmachine: name: sapmachine ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }} needs: setup-java-major-minor-versions diff --git a/README.md b/README.md index f17065cd..53f7f70a 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ For more details, see the full release notes on the [releases page](https://git - `check-latest`: Setting this option makes the action to check for the latest available version for the version spec. - - `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin`. If set to `true` for unsupported distributions, the action fails. + - `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin` and `microsoft`. If set to `true` for unsupported distributions, the action fails. - `verify-signature-public-key`: ASCII-armored GPG public key used to verify the downloaded package signature. Overrides the default bundled key for the selected distribution. diff --git a/__tests__/distributors/microsoft-installer.test.ts b/__tests__/distributors/microsoft-installer.test.ts index ca5a253a..6eb2b58e 100644 --- a/__tests__/distributors/microsoft-installer.test.ts +++ b/__tests__/distributors/microsoft-installer.test.ts @@ -1,8 +1,15 @@ -import {MicrosoftDistributions} from '../../src/distributions/microsoft/installer'; +import { + MicrosoftDistributions, + MICROSOFT_PUBLIC_KEY +} from '../../src/distributions/microsoft/installer'; import os from 'os'; import data from '../data/microsoft.json'; import * as httpm from '@actions/http-client'; import * as core from '@actions/core'; +import * as tc from '@actions/tool-cache'; +import * as gpg from '../../src/gpg'; +import * as util from '../../src/util'; +import fs from 'fs'; describe('findPackageForDownload', () => { let distribution: MicrosoftDistributions; @@ -102,6 +109,7 @@ describe('findPackageForDownload', () => { .replace('{{OS_TYPE}}', os) .replace('{{ARCHIVE_TYPE}}', archive); expect(result.url).toBe(url); + expect(result.signatureUrl).toBe(`${url}.sig`); }); it.each([ @@ -187,4 +195,147 @@ describe('findPackageForDownload', () => { /No matching version found for SemVer */ ); }); + + it('uses manifest-provided signature URL when available', async () => { + spyGetManifestFromRepo.mockReturnValue({ + result: [ + { + version: '17.0.10', + stable: true, + release_url: 'https://example.test', + files: [ + { + filename: 'microsoft-jdk-17.0.10-linux-x64.tar.gz', + arch: 'x64', + platform: 'linux', + download_url: 'https://example.test/jdk.tar.gz', + signature_url: 'https://example.test/jdk.tar.gz.custom.sig' + } + ] + } + ], + statusCode: 200, + headers: {} + }); + jest.spyOn(os, 'platform').mockReturnValue('linux'); + + const result = await distribution['findPackageForDownload']('17.0.10'); + + expect(result.signatureUrl).toBe('https://example.test/jdk.tar.gz.custom.sig'); + }); +}); + +describe('downloadTool', () => { + let spyDownloadTool: jest.SpyInstance; + let spyExtractJdkFile: jest.SpyInstance; + let spyCacheDir: jest.SpyInstance; + let spyVerifySignature: jest.SpyInstance; + let distribution: MicrosoftDistributions; + + beforeEach(() => { + jest + .spyOn(os, 'platform') + .mockReturnValue(process.platform as ReturnType); + + distribution = new MicrosoftDistributions({ + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false + }); + + spyDownloadTool = jest.spyOn(tc, 'downloadTool'); + spyDownloadTool.mockImplementation(async () => { + return '/tmp/jdk.tar.gz'; + }); + + spyExtractJdkFile = jest.spyOn(util, 'extractJdkFile'); + spyExtractJdkFile.mockImplementation(async () => { + return '/tmp/unpacked'; + }); + + jest.spyOn(fs, 'readdirSync').mockReturnValue(['jdk'] as any); + spyCacheDir = jest.spyOn(tc, 'cacheDir'); + spyCacheDir.mockImplementation(async () => { + return '/tmp/cached'; + }); + + spyVerifySignature = jest.spyOn(gpg, 'verifyPackageSignature'); + spyVerifySignature.mockImplementation(async () => {}); + }); + + afterEach(() => { + jest.restoreAllMocks(); + }); + + it('verifies signature when enabled', async () => { + const signedDistribution = new MicrosoftDistributions({ + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }); + + await signedDistribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz', + signatureUrl: 'https://example.com/jdk.tar.gz.sig' + }); + + expect(spyVerifySignature).toHaveBeenCalledWith( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + MICROSOFT_PUBLIC_KEY + ); + }); + + it('uses custom public key when verifySignaturePublicKey is provided', async () => { + const customKey = + '-----BEGIN PGP PUBLIC KEY BLOCK-----\ncustom\n-----END PGP PUBLIC KEY BLOCK-----'; + const signedDistribution = new MicrosoftDistributions({ + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true, + verifySignaturePublicKey: customKey + }); + + await signedDistribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz', + signatureUrl: 'https://example.com/jdk.tar.gz.sig' + }); + + expect(spyVerifySignature).toHaveBeenCalledWith( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + customKey + ); + }); + + it('fails when signature is missing and verification is enabled', async () => { + const signedDistribution = new MicrosoftDistributions({ + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }); + + await expect( + signedDistribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz' + }) + ).rejects.toThrow( + "Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version 17.0.14+7." + ); + expect(spyVerifySignature).not.toHaveBeenCalled(); + }); + + it('supports signature verification', () => { + expect(distribution['supportsSignatureVerification']()).toBe(true); + }); }); diff --git a/dist/setup/index.js b/dist/setup/index.js index c29c01af..e4732040 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -79923,21 +79923,38 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.MicrosoftDistributions = void 0; +exports.MicrosoftDistributions = exports.MICROSOFT_PUBLIC_KEY = void 0; const base_installer_1 = __nccwpck_require__(79935); const util_1 = __nccwpck_require__(54527); +const gpg = __importStar(__nccwpck_require__(88343)); +const microsoft_key_1 = __nccwpck_require__(56286); const core = __importStar(__nccwpck_require__(37484)); const tc = __importStar(__nccwpck_require__(33472)); const fs_1 = __importDefault(__nccwpck_require__(79896)); const path_1 = __importDefault(__nccwpck_require__(16928)); +var microsoft_key_2 = __nccwpck_require__(56286); +Object.defineProperty(exports, "MICROSOFT_PUBLIC_KEY", ({ enumerable: true, get: function () { return microsoft_key_2.MICROSOFT_PUBLIC_KEY; } })); class MicrosoftDistributions extends base_installer_1.JavaBase { constructor(installerOptions) { super('Microsoft', installerOptions); } downloadTool(javaRelease) { + var _a; return __awaiter(this, void 0, void 0, function* () { core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`); let javaArchivePath = yield tc.downloadTool(javaRelease.url); + if (this.verifySignature) { + if (!javaRelease.signatureUrl) { + throw new Error(`Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.`); + } + core.info(`Verifying Java package signature...`); + try { + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : microsoft_key_1.MICROSOFT_PUBLIC_KEY); + } + catch (error) { + throw new Error(`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${error.message}`); + } + } core.info(`Extracting Java archive...`); const extension = (0, util_1.getDownloadArchiveExtension)(); if (process.platform === 'win32') { @@ -79951,6 +79968,7 @@ class MicrosoftDistributions extends base_installer_1.JavaBase { }); } findPackageForDownload(range) { + var _a; return __awaiter(this, void 0, void 0, function* () { const arch = this.distributionArchitecture(); if (arch !== 'x64' && arch !== 'aarch64') { @@ -79971,12 +79989,18 @@ class MicrosoftDistributions extends base_installer_1.JavaBase { const availableVersionStrings = manifest.map(item => item.version); throw this.createVersionNotFoundError(range, availableVersionStrings); } + const file = foundRelease.files[0]; + const signatureUrl = (_a = file.signature_url) !== null && _a !== void 0 ? _a : `${file.download_url}.sig`; return { - url: foundRelease.files[0].download_url, + url: file.download_url, + signatureUrl, version: foundRelease.version }; }); } + supportsSignatureVerification() { + return true; + } getAvailableVersions() { return __awaiter(this, void 0, void 0, function* () { // TODO get these dynamically! @@ -80019,6 +80043,38 @@ class MicrosoftDistributions extends base_installer_1.JavaBase { exports.MicrosoftDistributions = MicrosoftDistributions; +/***/ }), + +/***/ 56286: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.MICROSOFT_PUBLIC_KEY = void 0; +// Microsoft Build of OpenJDK GPG signing key +// Retrieved from: https://download.visualstudio.microsoft.com/download/pr/b90071e2-e0cf-4411-98be-dbeb09d67bf0/8622862bcd54206e158c5abca0582c9b/464279_464280_aoc_20210208.asc +exports.MICROSOFT_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: BSN Pgp v1.1.0.0 + +mQENBGAhlWcBCADCQjj6huLTenvZSLej35e9YKEHm4lix2uvPOONexMaU8V2v7KL +RGdoXF7jwHci7efnPZ+9zpS2+g3rhvv8M7yWy9E/1psEtGzvmp1IL/qIabMEQqi+ +UlhPGh7MQ/BkXAlic8Dyl3XYqr0EXS11iCiTr6Zkxs9Ee4V54gxL4gogRn4wk9sl +/nrjgDzMsUwla0pynoQQvYpqCdiAr3gKKllT1skCDqgVOMMyZxsx9HjZxg/3AJz6 +r5i512L2R+3Hkv+XmxT+mnGBCFcny0DM7PjNXEmIK3ZSkro1tQML90zx3Fyh5esx +fpVvuIXGFV75o35VVCBZoiD3hcfOnIJsPQ9nABEBAAG0OE1pY3Jvc29mdCBKYXZh +IEVuZ2luZWVyaW5nIDxqYXZhcGxhdGluZnJhQG1pY3Jvc29mdC5jb20+iQE4BBMB +CAAiBQJgIZVnAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1Ux0xWyHB +icwTCACJO2FGNocNvdUtAb+eDKuGwt0chAJdCES2ZtgBScwrwDyWpxpRznoXWBHL +MJeLyxJoKsCG3vVlY4uh48psCzVm3OKvi7MCPT955t8W6TzfSBxTpjR8zRgJkjPJ +EGhHTlusUfz7TtM5etJF0qscSJH1grcNsgtee97mk4QyEzT8Di83NQmYxKcBrliq +yK/SWWt8VkTyYAEO6L5PoB4L9r8ka27uQs+jgCw+/Z0JMtNmmhyNGY3+a1YtPeoy +JdQaI9LphfKGbVaz6SK2aol7vj+c2TG3TLUYdOYGMH1OZlri2GTkCVjwna2GC7p4 +Fa133tP85xzJEq1XeXm8WeLFo2wV +=rHCS +-----END PGP PUBLIC KEY BLOCK-----`; + + /***/ }), /***/ 11182: diff --git a/src/distributions/microsoft/installer.ts b/src/distributions/microsoft/installer.ts index a48a3c2a..9e8e0338 100644 --- a/src/distributions/microsoft/installer.ts +++ b/src/distributions/microsoft/installer.ts @@ -10,12 +10,16 @@ import { getGitHubHttpHeaders, renameWinArchive } from '../../util'; +import * as gpg from '../../gpg'; +import {MICROSOFT_PUBLIC_KEY} from './microsoft-key'; import * as core from '@actions/core'; import * as tc from '@actions/tool-cache'; import fs from 'fs'; import path from 'path'; import {TypedResponse} from '@actions/http-client/lib/interfaces'; +export {MICROSOFT_PUBLIC_KEY} from './microsoft-key'; + export class MicrosoftDistributions extends JavaBase { constructor(installerOptions: JavaInstallerOptions) { super('Microsoft', installerOptions); @@ -29,6 +33,26 @@ export class MicrosoftDistributions extends JavaBase { ); let javaArchivePath = await tc.downloadTool(javaRelease.url); + if (this.verifySignature) { + if (!javaRelease.signatureUrl) { + throw new Error( + `Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.` + ); + } + core.info(`Verifying Java package signature...`); + try { + await gpg.verifyPackageSignature( + javaArchivePath, + javaRelease.signatureUrl, + this.verifySignaturePublicKey ?? MICROSOFT_PUBLIC_KEY + ); + } catch (error) { + throw new Error( + `Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${(error as Error).message}` + ); + } + } + core.info(`Extracting Java archive...`); const extension = getDownloadArchiveExtension(); if (process.platform === 'win32') { @@ -80,12 +104,23 @@ export class MicrosoftDistributions extends JavaBase { throw this.createVersionNotFoundError(range, availableVersionStrings); } + const file = foundRelease.files[0] as { + download_url: string; + signature_url?: string; + }; + const signatureUrl = file.signature_url ?? `${file.download_url}.sig`; + return { - url: foundRelease.files[0].download_url, + url: file.download_url, + signatureUrl, version: foundRelease.version }; } + protected supportsSignatureVerification(): boolean { + return true; + } + private async getAvailableVersions(): Promise { // TODO get these dynamically! // We will need Microsoft to add an endpoint where we can query for versions. diff --git a/src/distributions/microsoft/microsoft-key.ts b/src/distributions/microsoft/microsoft-key.ts new file mode 100644 index 00000000..3cb1f42c --- /dev/null +++ b/src/distributions/microsoft/microsoft-key.ts @@ -0,0 +1,21 @@ +// Microsoft Build of OpenJDK GPG signing key +// Retrieved from: https://download.visualstudio.microsoft.com/download/pr/b90071e2-e0cf-4411-98be-dbeb09d67bf0/8622862bcd54206e158c5abca0582c9b/464279_464280_aoc_20210208.asc +export const MICROSOFT_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: BSN Pgp v1.1.0.0 + +mQENBGAhlWcBCADCQjj6huLTenvZSLej35e9YKEHm4lix2uvPOONexMaU8V2v7KL +RGdoXF7jwHci7efnPZ+9zpS2+g3rhvv8M7yWy9E/1psEtGzvmp1IL/qIabMEQqi+ +UlhPGh7MQ/BkXAlic8Dyl3XYqr0EXS11iCiTr6Zkxs9Ee4V54gxL4gogRn4wk9sl +/nrjgDzMsUwla0pynoQQvYpqCdiAr3gKKllT1skCDqgVOMMyZxsx9HjZxg/3AJz6 +r5i512L2R+3Hkv+XmxT+mnGBCFcny0DM7PjNXEmIK3ZSkro1tQML90zx3Fyh5esx +fpVvuIXGFV75o35VVCBZoiD3hcfOnIJsPQ9nABEBAAG0OE1pY3Jvc29mdCBKYXZh +IEVuZ2luZWVyaW5nIDxqYXZhcGxhdGluZnJhQG1pY3Jvc29mdC5jb20+iQE4BBMB +CAAiBQJgIZVnAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1Ux0xWyHB +icwTCACJO2FGNocNvdUtAb+eDKuGwt0chAJdCES2ZtgBScwrwDyWpxpRznoXWBHL +MJeLyxJoKsCG3vVlY4uh48psCzVm3OKvi7MCPT955t8W6TzfSBxTpjR8zRgJkjPJ +EGhHTlusUfz7TtM5etJF0qscSJH1grcNsgtee97mk4QyEzT8Di83NQmYxKcBrliq +yK/SWWt8VkTyYAEO6L5PoB4L9r8ka27uQs+jgCw+/Z0JMtNmmhyNGY3+a1YtPeoy +JdQaI9LphfKGbVaz6SK2aol7vj+c2TG3TLUYdOYGMH1OZlri2GTkCVjwna2GC7p4 +Fa133tP85xzJEq1XeXm8WeLFo2wV +=rHCS +-----END PGP PUBLIC KEY BLOCK-----`;