mirror of
https://github.com/actions/setup-java.git
synced 2026-07-08 14:21:50 +00:00
Merge branch 'copilot/include-signature-verification' into signature-4
This commit is contained in:
commit
2c76c5eca9
23
.github/workflows/e2e-versions.yml
vendored
23
.github/workflows/e2e-versions.yml
vendored
@ -351,6 +351,29 @@ jobs:
|
||||
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}"
|
||||
shell: bash
|
||||
|
||||
setup-java-temurin-signature-verification:
|
||||
name: temurin ${{ matrix.version }} signature verification - ${{ matrix.os }}
|
||||
needs: setup-java-major-minor-versions
|
||||
runs-on: ${{ matrix.os }}
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
os: [macos-latest, windows-latest, ubuntu-latest]
|
||||
version: ['21', '17']
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
- name: setup-java with signature verification
|
||||
uses: ./
|
||||
id: setup-java
|
||||
with:
|
||||
java-version: ${{ matrix.version }}
|
||||
distribution: temurin
|
||||
verify-signature: true
|
||||
- name: Verify Java
|
||||
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}"
|
||||
shell: bash
|
||||
|
||||
setup-java-ea-versions-sapmachine:
|
||||
name: sapmachine ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }}
|
||||
needs: setup-java-major-minor-versions
|
||||
|
||||
@ -41,7 +41,7 @@ For more details, see the full release notes on the [releases page](https://git
|
||||
|
||||
- `check-latest`: Setting this option makes the action to check for the latest available version for the version spec.
|
||||
|
||||
- `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin`. If set to `true` for unsupported distributions, the action fails.
|
||||
- `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin` and `microsoft`. If set to `true` for unsupported distributions, the action fails.
|
||||
|
||||
- `verify-signature-public-key`: ASCII-armored GPG public key used to verify the downloaded package signature. Overrides the default bundled key for the selected distribution.
|
||||
|
||||
|
||||
@ -1,8 +1,15 @@
|
||||
import {MicrosoftDistributions} from '../../src/distributions/microsoft/installer';
|
||||
import {
|
||||
MicrosoftDistributions,
|
||||
MICROSOFT_PUBLIC_KEY
|
||||
} from '../../src/distributions/microsoft/installer';
|
||||
import os from 'os';
|
||||
import data from '../data/microsoft.json';
|
||||
import * as httpm from '@actions/http-client';
|
||||
import * as core from '@actions/core';
|
||||
import * as tc from '@actions/tool-cache';
|
||||
import * as gpg from '../../src/gpg';
|
||||
import * as util from '../../src/util';
|
||||
import fs from 'fs';
|
||||
|
||||
describe('findPackageForDownload', () => {
|
||||
let distribution: MicrosoftDistributions;
|
||||
@ -102,6 +109,7 @@ describe('findPackageForDownload', () => {
|
||||
.replace('{{OS_TYPE}}', os)
|
||||
.replace('{{ARCHIVE_TYPE}}', archive);
|
||||
expect(result.url).toBe(url);
|
||||
expect(result.signatureUrl).toBe(`${url}.sig`);
|
||||
});
|
||||
|
||||
it.each([
|
||||
@ -187,4 +195,147 @@ describe('findPackageForDownload', () => {
|
||||
/No matching version found for SemVer */
|
||||
);
|
||||
});
|
||||
|
||||
it('uses manifest-provided signature URL when available', async () => {
|
||||
spyGetManifestFromRepo.mockReturnValue({
|
||||
result: [
|
||||
{
|
||||
version: '17.0.10',
|
||||
stable: true,
|
||||
release_url: 'https://example.test',
|
||||
files: [
|
||||
{
|
||||
filename: 'microsoft-jdk-17.0.10-linux-x64.tar.gz',
|
||||
arch: 'x64',
|
||||
platform: 'linux',
|
||||
download_url: 'https://example.test/jdk.tar.gz',
|
||||
signature_url: 'https://example.test/jdk.tar.gz.custom.sig'
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
statusCode: 200,
|
||||
headers: {}
|
||||
});
|
||||
jest.spyOn(os, 'platform').mockReturnValue('linux');
|
||||
|
||||
const result = await distribution['findPackageForDownload']('17.0.10');
|
||||
|
||||
expect(result.signatureUrl).toBe('https://example.test/jdk.tar.gz.custom.sig');
|
||||
});
|
||||
});
|
||||
|
||||
describe('downloadTool', () => {
|
||||
let spyDownloadTool: jest.SpyInstance;
|
||||
let spyExtractJdkFile: jest.SpyInstance;
|
||||
let spyCacheDir: jest.SpyInstance;
|
||||
let spyVerifySignature: jest.SpyInstance;
|
||||
let distribution: MicrosoftDistributions;
|
||||
|
||||
beforeEach(() => {
|
||||
jest
|
||||
.spyOn(os, 'platform')
|
||||
.mockReturnValue(process.platform as ReturnType<typeof os.platform>);
|
||||
|
||||
distribution = new MicrosoftDistributions({
|
||||
version: '17',
|
||||
architecture: 'x64',
|
||||
packageType: 'jdk',
|
||||
checkLatest: false
|
||||
});
|
||||
|
||||
spyDownloadTool = jest.spyOn(tc, 'downloadTool');
|
||||
spyDownloadTool.mockImplementation(async () => {
|
||||
return '/tmp/jdk.tar.gz';
|
||||
});
|
||||
|
||||
spyExtractJdkFile = jest.spyOn(util, 'extractJdkFile');
|
||||
spyExtractJdkFile.mockImplementation(async () => {
|
||||
return '/tmp/unpacked';
|
||||
});
|
||||
|
||||
jest.spyOn(fs, 'readdirSync').mockReturnValue(['jdk'] as any);
|
||||
spyCacheDir = jest.spyOn(tc, 'cacheDir');
|
||||
spyCacheDir.mockImplementation(async () => {
|
||||
return '/tmp/cached';
|
||||
});
|
||||
|
||||
spyVerifySignature = jest.spyOn(gpg, 'verifyPackageSignature');
|
||||
spyVerifySignature.mockImplementation(async () => {});
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
jest.restoreAllMocks();
|
||||
});
|
||||
|
||||
it('verifies signature when enabled', async () => {
|
||||
const signedDistribution = new MicrosoftDistributions({
|
||||
version: '17',
|
||||
architecture: 'x64',
|
||||
packageType: 'jdk',
|
||||
checkLatest: false,
|
||||
verifySignature: true
|
||||
});
|
||||
|
||||
await signedDistribution['downloadTool']({
|
||||
version: '17.0.14+7',
|
||||
url: 'https://example.com/jdk.tar.gz',
|
||||
signatureUrl: 'https://example.com/jdk.tar.gz.sig'
|
||||
});
|
||||
|
||||
expect(spyVerifySignature).toHaveBeenCalledWith(
|
||||
'/tmp/jdk.tar.gz',
|
||||
'https://example.com/jdk.tar.gz.sig',
|
||||
MICROSOFT_PUBLIC_KEY
|
||||
);
|
||||
});
|
||||
|
||||
it('uses custom public key when verifySignaturePublicKey is provided', async () => {
|
||||
const customKey =
|
||||
'-----BEGIN PGP PUBLIC KEY BLOCK-----\ncustom\n-----END PGP PUBLIC KEY BLOCK-----';
|
||||
const signedDistribution = new MicrosoftDistributions({
|
||||
version: '17',
|
||||
architecture: 'x64',
|
||||
packageType: 'jdk',
|
||||
checkLatest: false,
|
||||
verifySignature: true,
|
||||
verifySignaturePublicKey: customKey
|
||||
});
|
||||
|
||||
await signedDistribution['downloadTool']({
|
||||
version: '17.0.14+7',
|
||||
url: 'https://example.com/jdk.tar.gz',
|
||||
signatureUrl: 'https://example.com/jdk.tar.gz.sig'
|
||||
});
|
||||
|
||||
expect(spyVerifySignature).toHaveBeenCalledWith(
|
||||
'/tmp/jdk.tar.gz',
|
||||
'https://example.com/jdk.tar.gz.sig',
|
||||
customKey
|
||||
);
|
||||
});
|
||||
|
||||
it('fails when signature is missing and verification is enabled', async () => {
|
||||
const signedDistribution = new MicrosoftDistributions({
|
||||
version: '17',
|
||||
architecture: 'x64',
|
||||
packageType: 'jdk',
|
||||
checkLatest: false,
|
||||
verifySignature: true
|
||||
});
|
||||
|
||||
await expect(
|
||||
signedDistribution['downloadTool']({
|
||||
version: '17.0.14+7',
|
||||
url: 'https://example.com/jdk.tar.gz'
|
||||
})
|
||||
).rejects.toThrow(
|
||||
"Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version 17.0.14+7."
|
||||
);
|
||||
expect(spyVerifySignature).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('supports signature verification', () => {
|
||||
expect(distribution['supportsSignatureVerification']()).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
60
dist/setup/index.js
vendored
60
dist/setup/index.js
vendored
@ -79923,21 +79923,38 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
||||
return (mod && mod.__esModule) ? mod : { "default": mod };
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.MicrosoftDistributions = void 0;
|
||||
exports.MicrosoftDistributions = exports.MICROSOFT_PUBLIC_KEY = void 0;
|
||||
const base_installer_1 = __nccwpck_require__(79935);
|
||||
const util_1 = __nccwpck_require__(54527);
|
||||
const gpg = __importStar(__nccwpck_require__(88343));
|
||||
const microsoft_key_1 = __nccwpck_require__(56286);
|
||||
const core = __importStar(__nccwpck_require__(37484));
|
||||
const tc = __importStar(__nccwpck_require__(33472));
|
||||
const fs_1 = __importDefault(__nccwpck_require__(79896));
|
||||
const path_1 = __importDefault(__nccwpck_require__(16928));
|
||||
var microsoft_key_2 = __nccwpck_require__(56286);
|
||||
Object.defineProperty(exports, "MICROSOFT_PUBLIC_KEY", ({ enumerable: true, get: function () { return microsoft_key_2.MICROSOFT_PUBLIC_KEY; } }));
|
||||
class MicrosoftDistributions extends base_installer_1.JavaBase {
|
||||
constructor(installerOptions) {
|
||||
super('Microsoft', installerOptions);
|
||||
}
|
||||
downloadTool(javaRelease) {
|
||||
var _a;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`);
|
||||
let javaArchivePath = yield tc.downloadTool(javaRelease.url);
|
||||
if (this.verifySignature) {
|
||||
if (!javaRelease.signatureUrl) {
|
||||
throw new Error(`Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.`);
|
||||
}
|
||||
core.info(`Verifying Java package signature...`);
|
||||
try {
|
||||
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : microsoft_key_1.MICROSOFT_PUBLIC_KEY);
|
||||
}
|
||||
catch (error) {
|
||||
throw new Error(`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${error.message}`);
|
||||
}
|
||||
}
|
||||
core.info(`Extracting Java archive...`);
|
||||
const extension = (0, util_1.getDownloadArchiveExtension)();
|
||||
if (process.platform === 'win32') {
|
||||
@ -79951,6 +79968,7 @@ class MicrosoftDistributions extends base_installer_1.JavaBase {
|
||||
});
|
||||
}
|
||||
findPackageForDownload(range) {
|
||||
var _a;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const arch = this.distributionArchitecture();
|
||||
if (arch !== 'x64' && arch !== 'aarch64') {
|
||||
@ -79971,12 +79989,18 @@ class MicrosoftDistributions extends base_installer_1.JavaBase {
|
||||
const availableVersionStrings = manifest.map(item => item.version);
|
||||
throw this.createVersionNotFoundError(range, availableVersionStrings);
|
||||
}
|
||||
const file = foundRelease.files[0];
|
||||
const signatureUrl = (_a = file.signature_url) !== null && _a !== void 0 ? _a : `${file.download_url}.sig`;
|
||||
return {
|
||||
url: foundRelease.files[0].download_url,
|
||||
url: file.download_url,
|
||||
signatureUrl,
|
||||
version: foundRelease.version
|
||||
};
|
||||
});
|
||||
}
|
||||
supportsSignatureVerification() {
|
||||
return true;
|
||||
}
|
||||
getAvailableVersions() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
// TODO get these dynamically!
|
||||
@ -80019,6 +80043,38 @@ class MicrosoftDistributions extends base_installer_1.JavaBase {
|
||||
exports.MicrosoftDistributions = MicrosoftDistributions;
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 56286:
|
||||
/***/ ((__unused_webpack_module, exports) => {
|
||||
|
||||
"use strict";
|
||||
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.MICROSOFT_PUBLIC_KEY = void 0;
|
||||
// Microsoft Build of OpenJDK GPG signing key
|
||||
// Retrieved from: https://download.visualstudio.microsoft.com/download/pr/b90071e2-e0cf-4411-98be-dbeb09d67bf0/8622862bcd54206e158c5abca0582c9b/464279_464280_aoc_20210208.asc
|
||||
exports.MICROSOFT_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: BSN Pgp v1.1.0.0
|
||||
|
||||
mQENBGAhlWcBCADCQjj6huLTenvZSLej35e9YKEHm4lix2uvPOONexMaU8V2v7KL
|
||||
RGdoXF7jwHci7efnPZ+9zpS2+g3rhvv8M7yWy9E/1psEtGzvmp1IL/qIabMEQqi+
|
||||
UlhPGh7MQ/BkXAlic8Dyl3XYqr0EXS11iCiTr6Zkxs9Ee4V54gxL4gogRn4wk9sl
|
||||
/nrjgDzMsUwla0pynoQQvYpqCdiAr3gKKllT1skCDqgVOMMyZxsx9HjZxg/3AJz6
|
||||
r5i512L2R+3Hkv+XmxT+mnGBCFcny0DM7PjNXEmIK3ZSkro1tQML90zx3Fyh5esx
|
||||
fpVvuIXGFV75o35VVCBZoiD3hcfOnIJsPQ9nABEBAAG0OE1pY3Jvc29mdCBKYXZh
|
||||
IEVuZ2luZWVyaW5nIDxqYXZhcGxhdGluZnJhQG1pY3Jvc29mdC5jb20+iQE4BBMB
|
||||
CAAiBQJgIZVnAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1Ux0xWyHB
|
||||
icwTCACJO2FGNocNvdUtAb+eDKuGwt0chAJdCES2ZtgBScwrwDyWpxpRznoXWBHL
|
||||
MJeLyxJoKsCG3vVlY4uh48psCzVm3OKvi7MCPT955t8W6TzfSBxTpjR8zRgJkjPJ
|
||||
EGhHTlusUfz7TtM5etJF0qscSJH1grcNsgtee97mk4QyEzT8Di83NQmYxKcBrliq
|
||||
yK/SWWt8VkTyYAEO6L5PoB4L9r8ka27uQs+jgCw+/Z0JMtNmmhyNGY3+a1YtPeoy
|
||||
JdQaI9LphfKGbVaz6SK2aol7vj+c2TG3TLUYdOYGMH1OZlri2GTkCVjwna2GC7p4
|
||||
Fa133tP85xzJEq1XeXm8WeLFo2wV
|
||||
=rHCS
|
||||
-----END PGP PUBLIC KEY BLOCK-----`;
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 11182:
|
||||
|
||||
@ -10,12 +10,16 @@ import {
|
||||
getGitHubHttpHeaders,
|
||||
renameWinArchive
|
||||
} from '../../util';
|
||||
import * as gpg from '../../gpg';
|
||||
import {MICROSOFT_PUBLIC_KEY} from './microsoft-key';
|
||||
import * as core from '@actions/core';
|
||||
import * as tc from '@actions/tool-cache';
|
||||
import fs from 'fs';
|
||||
import path from 'path';
|
||||
import {TypedResponse} from '@actions/http-client/lib/interfaces';
|
||||
|
||||
export {MICROSOFT_PUBLIC_KEY} from './microsoft-key';
|
||||
|
||||
export class MicrosoftDistributions extends JavaBase {
|
||||
constructor(installerOptions: JavaInstallerOptions) {
|
||||
super('Microsoft', installerOptions);
|
||||
@ -29,6 +33,26 @@ export class MicrosoftDistributions extends JavaBase {
|
||||
);
|
||||
let javaArchivePath = await tc.downloadTool(javaRelease.url);
|
||||
|
||||
if (this.verifySignature) {
|
||||
if (!javaRelease.signatureUrl) {
|
||||
throw new Error(
|
||||
`Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.`
|
||||
);
|
||||
}
|
||||
core.info(`Verifying Java package signature...`);
|
||||
try {
|
||||
await gpg.verifyPackageSignature(
|
||||
javaArchivePath,
|
||||
javaRelease.signatureUrl,
|
||||
this.verifySignaturePublicKey ?? MICROSOFT_PUBLIC_KEY
|
||||
);
|
||||
} catch (error) {
|
||||
throw new Error(
|
||||
`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${(error as Error).message}`
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
core.info(`Extracting Java archive...`);
|
||||
const extension = getDownloadArchiveExtension();
|
||||
if (process.platform === 'win32') {
|
||||
@ -80,12 +104,23 @@ export class MicrosoftDistributions extends JavaBase {
|
||||
throw this.createVersionNotFoundError(range, availableVersionStrings);
|
||||
}
|
||||
|
||||
const file = foundRelease.files[0] as {
|
||||
download_url: string;
|
||||
signature_url?: string;
|
||||
};
|
||||
const signatureUrl = file.signature_url ?? `${file.download_url}.sig`;
|
||||
|
||||
return {
|
||||
url: foundRelease.files[0].download_url,
|
||||
url: file.download_url,
|
||||
signatureUrl,
|
||||
version: foundRelease.version
|
||||
};
|
||||
}
|
||||
|
||||
protected supportsSignatureVerification(): boolean {
|
||||
return true;
|
||||
}
|
||||
|
||||
private async getAvailableVersions(): Promise<tc.IToolRelease[] | null> {
|
||||
// TODO get these dynamically!
|
||||
// We will need Microsoft to add an endpoint where we can query for versions.
|
||||
|
||||
21
src/distributions/microsoft/microsoft-key.ts
Normal file
21
src/distributions/microsoft/microsoft-key.ts
Normal file
@ -0,0 +1,21 @@
|
||||
// Microsoft Build of OpenJDK GPG signing key
|
||||
// Retrieved from: https://download.visualstudio.microsoft.com/download/pr/b90071e2-e0cf-4411-98be-dbeb09d67bf0/8622862bcd54206e158c5abca0582c9b/464279_464280_aoc_20210208.asc
|
||||
export const MICROSOFT_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: BSN Pgp v1.1.0.0
|
||||
|
||||
mQENBGAhlWcBCADCQjj6huLTenvZSLej35e9YKEHm4lix2uvPOONexMaU8V2v7KL
|
||||
RGdoXF7jwHci7efnPZ+9zpS2+g3rhvv8M7yWy9E/1psEtGzvmp1IL/qIabMEQqi+
|
||||
UlhPGh7MQ/BkXAlic8Dyl3XYqr0EXS11iCiTr6Zkxs9Ee4V54gxL4gogRn4wk9sl
|
||||
/nrjgDzMsUwla0pynoQQvYpqCdiAr3gKKllT1skCDqgVOMMyZxsx9HjZxg/3AJz6
|
||||
r5i512L2R+3Hkv+XmxT+mnGBCFcny0DM7PjNXEmIK3ZSkro1tQML90zx3Fyh5esx
|
||||
fpVvuIXGFV75o35VVCBZoiD3hcfOnIJsPQ9nABEBAAG0OE1pY3Jvc29mdCBKYXZh
|
||||
IEVuZ2luZWVyaW5nIDxqYXZhcGxhdGluZnJhQG1pY3Jvc29mdC5jb20+iQE4BBMB
|
||||
CAAiBQJgIZVnAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1Ux0xWyHB
|
||||
icwTCACJO2FGNocNvdUtAb+eDKuGwt0chAJdCES2ZtgBScwrwDyWpxpRznoXWBHL
|
||||
MJeLyxJoKsCG3vVlY4uh48psCzVm3OKvi7MCPT955t8W6TzfSBxTpjR8zRgJkjPJ
|
||||
EGhHTlusUfz7TtM5etJF0qscSJH1grcNsgtee97mk4QyEzT8Di83NQmYxKcBrliq
|
||||
yK/SWWt8VkTyYAEO6L5PoB4L9r8ka27uQs+jgCw+/Z0JMtNmmhyNGY3+a1YtPeoy
|
||||
JdQaI9LphfKGbVaz6SK2aol7vj+c2TG3TLUYdOYGMH1OZlri2GTkCVjwna2GC7p4
|
||||
Fa133tP85xzJEq1XeXm8WeLFo2wV
|
||||
=rHCS
|
||||
-----END PGP PUBLIC KEY BLOCK-----`;
|
||||
Loading…
Reference in New Issue
Block a user