Merge branch 'copilot/include-signature-verification' into signature-4

This commit is contained in:
John 2026-06-25 10:24:09 +00:00
commit 2c76c5eca9
6 changed files with 291 additions and 5 deletions

View File

@ -351,6 +351,29 @@ jobs:
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}"
shell: bash
setup-java-temurin-signature-verification:
name: temurin ${{ matrix.version }} signature verification - ${{ matrix.os }}
needs: setup-java-major-minor-versions
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
version: ['21', '17']
steps:
- name: Checkout
uses: actions/checkout@v6
- name: setup-java with signature verification
uses: ./
id: setup-java
with:
java-version: ${{ matrix.version }}
distribution: temurin
verify-signature: true
- name: Verify Java
run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}"
shell: bash
setup-java-ea-versions-sapmachine:
name: sapmachine ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }}
needs: setup-java-major-minor-versions

View File

@ -41,7 +41,7 @@ For more details, see the full release notes on the [releases page](https://git
- `check-latest`: Setting this option makes the action to check for the latest available version for the version spec.
- `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin`. If set to `true` for unsupported distributions, the action fails.
- `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin` and `microsoft`. If set to `true` for unsupported distributions, the action fails.
- `verify-signature-public-key`: ASCII-armored GPG public key used to verify the downloaded package signature. Overrides the default bundled key for the selected distribution.

View File

@ -1,8 +1,15 @@
import {MicrosoftDistributions} from '../../src/distributions/microsoft/installer';
import {
MicrosoftDistributions,
MICROSOFT_PUBLIC_KEY
} from '../../src/distributions/microsoft/installer';
import os from 'os';
import data from '../data/microsoft.json';
import * as httpm from '@actions/http-client';
import * as core from '@actions/core';
import * as tc from '@actions/tool-cache';
import * as gpg from '../../src/gpg';
import * as util from '../../src/util';
import fs from 'fs';
describe('findPackageForDownload', () => {
let distribution: MicrosoftDistributions;
@ -102,6 +109,7 @@ describe('findPackageForDownload', () => {
.replace('{{OS_TYPE}}', os)
.replace('{{ARCHIVE_TYPE}}', archive);
expect(result.url).toBe(url);
expect(result.signatureUrl).toBe(`${url}.sig`);
});
it.each([
@ -187,4 +195,147 @@ describe('findPackageForDownload', () => {
/No matching version found for SemVer */
);
});
it('uses manifest-provided signature URL when available', async () => {
spyGetManifestFromRepo.mockReturnValue({
result: [
{
version: '17.0.10',
stable: true,
release_url: 'https://example.test',
files: [
{
filename: 'microsoft-jdk-17.0.10-linux-x64.tar.gz',
arch: 'x64',
platform: 'linux',
download_url: 'https://example.test/jdk.tar.gz',
signature_url: 'https://example.test/jdk.tar.gz.custom.sig'
}
]
}
],
statusCode: 200,
headers: {}
});
jest.spyOn(os, 'platform').mockReturnValue('linux');
const result = await distribution['findPackageForDownload']('17.0.10');
expect(result.signatureUrl).toBe('https://example.test/jdk.tar.gz.custom.sig');
});
});
describe('downloadTool', () => {
let spyDownloadTool: jest.SpyInstance;
let spyExtractJdkFile: jest.SpyInstance;
let spyCacheDir: jest.SpyInstance;
let spyVerifySignature: jest.SpyInstance;
let distribution: MicrosoftDistributions;
beforeEach(() => {
jest
.spyOn(os, 'platform')
.mockReturnValue(process.platform as ReturnType<typeof os.platform>);
distribution = new MicrosoftDistributions({
version: '17',
architecture: 'x64',
packageType: 'jdk',
checkLatest: false
});
spyDownloadTool = jest.spyOn(tc, 'downloadTool');
spyDownloadTool.mockImplementation(async () => {
return '/tmp/jdk.tar.gz';
});
spyExtractJdkFile = jest.spyOn(util, 'extractJdkFile');
spyExtractJdkFile.mockImplementation(async () => {
return '/tmp/unpacked';
});
jest.spyOn(fs, 'readdirSync').mockReturnValue(['jdk'] as any);
spyCacheDir = jest.spyOn(tc, 'cacheDir');
spyCacheDir.mockImplementation(async () => {
return '/tmp/cached';
});
spyVerifySignature = jest.spyOn(gpg, 'verifyPackageSignature');
spyVerifySignature.mockImplementation(async () => {});
});
afterEach(() => {
jest.restoreAllMocks();
});
it('verifies signature when enabled', async () => {
const signedDistribution = new MicrosoftDistributions({
version: '17',
architecture: 'x64',
packageType: 'jdk',
checkLatest: false,
verifySignature: true
});
await signedDistribution['downloadTool']({
version: '17.0.14+7',
url: 'https://example.com/jdk.tar.gz',
signatureUrl: 'https://example.com/jdk.tar.gz.sig'
});
expect(spyVerifySignature).toHaveBeenCalledWith(
'/tmp/jdk.tar.gz',
'https://example.com/jdk.tar.gz.sig',
MICROSOFT_PUBLIC_KEY
);
});
it('uses custom public key when verifySignaturePublicKey is provided', async () => {
const customKey =
'-----BEGIN PGP PUBLIC KEY BLOCK-----\ncustom\n-----END PGP PUBLIC KEY BLOCK-----';
const signedDistribution = new MicrosoftDistributions({
version: '17',
architecture: 'x64',
packageType: 'jdk',
checkLatest: false,
verifySignature: true,
verifySignaturePublicKey: customKey
});
await signedDistribution['downloadTool']({
version: '17.0.14+7',
url: 'https://example.com/jdk.tar.gz',
signatureUrl: 'https://example.com/jdk.tar.gz.sig'
});
expect(spyVerifySignature).toHaveBeenCalledWith(
'/tmp/jdk.tar.gz',
'https://example.com/jdk.tar.gz.sig',
customKey
);
});
it('fails when signature is missing and verification is enabled', async () => {
const signedDistribution = new MicrosoftDistributions({
version: '17',
architecture: 'x64',
packageType: 'jdk',
checkLatest: false,
verifySignature: true
});
await expect(
signedDistribution['downloadTool']({
version: '17.0.14+7',
url: 'https://example.com/jdk.tar.gz'
})
).rejects.toThrow(
"Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version 17.0.14+7."
);
expect(spyVerifySignature).not.toHaveBeenCalled();
});
it('supports signature verification', () => {
expect(distribution['supportsSignatureVerification']()).toBe(true);
});
});

60
dist/setup/index.js vendored
View File

@ -79923,21 +79923,38 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.MicrosoftDistributions = void 0;
exports.MicrosoftDistributions = exports.MICROSOFT_PUBLIC_KEY = void 0;
const base_installer_1 = __nccwpck_require__(79935);
const util_1 = __nccwpck_require__(54527);
const gpg = __importStar(__nccwpck_require__(88343));
const microsoft_key_1 = __nccwpck_require__(56286);
const core = __importStar(__nccwpck_require__(37484));
const tc = __importStar(__nccwpck_require__(33472));
const fs_1 = __importDefault(__nccwpck_require__(79896));
const path_1 = __importDefault(__nccwpck_require__(16928));
var microsoft_key_2 = __nccwpck_require__(56286);
Object.defineProperty(exports, "MICROSOFT_PUBLIC_KEY", ({ enumerable: true, get: function () { return microsoft_key_2.MICROSOFT_PUBLIC_KEY; } }));
class MicrosoftDistributions extends base_installer_1.JavaBase {
constructor(installerOptions) {
super('Microsoft', installerOptions);
}
downloadTool(javaRelease) {
var _a;
return __awaiter(this, void 0, void 0, function* () {
core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`);
let javaArchivePath = yield tc.downloadTool(javaRelease.url);
if (this.verifySignature) {
if (!javaRelease.signatureUrl) {
throw new Error(`Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.`);
}
core.info(`Verifying Java package signature...`);
try {
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : microsoft_key_1.MICROSOFT_PUBLIC_KEY);
}
catch (error) {
throw new Error(`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${error.message}`);
}
}
core.info(`Extracting Java archive...`);
const extension = (0, util_1.getDownloadArchiveExtension)();
if (process.platform === 'win32') {
@ -79951,6 +79968,7 @@ class MicrosoftDistributions extends base_installer_1.JavaBase {
});
}
findPackageForDownload(range) {
var _a;
return __awaiter(this, void 0, void 0, function* () {
const arch = this.distributionArchitecture();
if (arch !== 'x64' && arch !== 'aarch64') {
@ -79971,12 +79989,18 @@ class MicrosoftDistributions extends base_installer_1.JavaBase {
const availableVersionStrings = manifest.map(item => item.version);
throw this.createVersionNotFoundError(range, availableVersionStrings);
}
const file = foundRelease.files[0];
const signatureUrl = (_a = file.signature_url) !== null && _a !== void 0 ? _a : `${file.download_url}.sig`;
return {
url: foundRelease.files[0].download_url,
url: file.download_url,
signatureUrl,
version: foundRelease.version
};
});
}
supportsSignatureVerification() {
return true;
}
getAvailableVersions() {
return __awaiter(this, void 0, void 0, function* () {
// TODO get these dynamically!
@ -80019,6 +80043,38 @@ class MicrosoftDistributions extends base_installer_1.JavaBase {
exports.MicrosoftDistributions = MicrosoftDistributions;
/***/ }),
/***/ 56286:
/***/ ((__unused_webpack_module, exports) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.MICROSOFT_PUBLIC_KEY = void 0;
// Microsoft Build of OpenJDK GPG signing key
// Retrieved from: https://download.visualstudio.microsoft.com/download/pr/b90071e2-e0cf-4411-98be-dbeb09d67bf0/8622862bcd54206e158c5abca0582c9b/464279_464280_aoc_20210208.asc
exports.MICROSOFT_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BSN Pgp v1.1.0.0
mQENBGAhlWcBCADCQjj6huLTenvZSLej35e9YKEHm4lix2uvPOONexMaU8V2v7KL
RGdoXF7jwHci7efnPZ+9zpS2+g3rhvv8M7yWy9E/1psEtGzvmp1IL/qIabMEQqi+
UlhPGh7MQ/BkXAlic8Dyl3XYqr0EXS11iCiTr6Zkxs9Ee4V54gxL4gogRn4wk9sl
/nrjgDzMsUwla0pynoQQvYpqCdiAr3gKKllT1skCDqgVOMMyZxsx9HjZxg/3AJz6
r5i512L2R+3Hkv+XmxT+mnGBCFcny0DM7PjNXEmIK3ZSkro1tQML90zx3Fyh5esx
fpVvuIXGFV75o35VVCBZoiD3hcfOnIJsPQ9nABEBAAG0OE1pY3Jvc29mdCBKYXZh
IEVuZ2luZWVyaW5nIDxqYXZhcGxhdGluZnJhQG1pY3Jvc29mdC5jb20+iQE4BBMB
CAAiBQJgIZVnAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1Ux0xWyHB
icwTCACJO2FGNocNvdUtAb+eDKuGwt0chAJdCES2ZtgBScwrwDyWpxpRznoXWBHL
MJeLyxJoKsCG3vVlY4uh48psCzVm3OKvi7MCPT955t8W6TzfSBxTpjR8zRgJkjPJ
EGhHTlusUfz7TtM5etJF0qscSJH1grcNsgtee97mk4QyEzT8Di83NQmYxKcBrliq
yK/SWWt8VkTyYAEO6L5PoB4L9r8ka27uQs+jgCw+/Z0JMtNmmhyNGY3+a1YtPeoy
JdQaI9LphfKGbVaz6SK2aol7vj+c2TG3TLUYdOYGMH1OZlri2GTkCVjwna2GC7p4
Fa133tP85xzJEq1XeXm8WeLFo2wV
=rHCS
-----END PGP PUBLIC KEY BLOCK-----`;
/***/ }),
/***/ 11182:

View File

@ -10,12 +10,16 @@ import {
getGitHubHttpHeaders,
renameWinArchive
} from '../../util';
import * as gpg from '../../gpg';
import {MICROSOFT_PUBLIC_KEY} from './microsoft-key';
import * as core from '@actions/core';
import * as tc from '@actions/tool-cache';
import fs from 'fs';
import path from 'path';
import {TypedResponse} from '@actions/http-client/lib/interfaces';
export {MICROSOFT_PUBLIC_KEY} from './microsoft-key';
export class MicrosoftDistributions extends JavaBase {
constructor(installerOptions: JavaInstallerOptions) {
super('Microsoft', installerOptions);
@ -29,6 +33,26 @@ export class MicrosoftDistributions extends JavaBase {
);
let javaArchivePath = await tc.downloadTool(javaRelease.url);
if (this.verifySignature) {
if (!javaRelease.signatureUrl) {
throw new Error(
`Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.`
);
}
core.info(`Verifying Java package signature...`);
try {
await gpg.verifyPackageSignature(
javaArchivePath,
javaRelease.signatureUrl,
this.verifySignaturePublicKey ?? MICROSOFT_PUBLIC_KEY
);
} catch (error) {
throw new Error(
`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${(error as Error).message}`
);
}
}
core.info(`Extracting Java archive...`);
const extension = getDownloadArchiveExtension();
if (process.platform === 'win32') {
@ -80,12 +104,23 @@ export class MicrosoftDistributions extends JavaBase {
throw this.createVersionNotFoundError(range, availableVersionStrings);
}
const file = foundRelease.files[0] as {
download_url: string;
signature_url?: string;
};
const signatureUrl = file.signature_url ?? `${file.download_url}.sig`;
return {
url: foundRelease.files[0].download_url,
url: file.download_url,
signatureUrl,
version: foundRelease.version
};
}
protected supportsSignatureVerification(): boolean {
return true;
}
private async getAvailableVersions(): Promise<tc.IToolRelease[] | null> {
// TODO get these dynamically!
// We will need Microsoft to add an endpoint where we can query for versions.

View File

@ -0,0 +1,21 @@
// Microsoft Build of OpenJDK GPG signing key
// Retrieved from: https://download.visualstudio.microsoft.com/download/pr/b90071e2-e0cf-4411-98be-dbeb09d67bf0/8622862bcd54206e158c5abca0582c9b/464279_464280_aoc_20210208.asc
export const MICROSOFT_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BSN Pgp v1.1.0.0
mQENBGAhlWcBCADCQjj6huLTenvZSLej35e9YKEHm4lix2uvPOONexMaU8V2v7KL
RGdoXF7jwHci7efnPZ+9zpS2+g3rhvv8M7yWy9E/1psEtGzvmp1IL/qIabMEQqi+
UlhPGh7MQ/BkXAlic8Dyl3XYqr0EXS11iCiTr6Zkxs9Ee4V54gxL4gogRn4wk9sl
/nrjgDzMsUwla0pynoQQvYpqCdiAr3gKKllT1skCDqgVOMMyZxsx9HjZxg/3AJz6
r5i512L2R+3Hkv+XmxT+mnGBCFcny0DM7PjNXEmIK3ZSkro1tQML90zx3Fyh5esx
fpVvuIXGFV75o35VVCBZoiD3hcfOnIJsPQ9nABEBAAG0OE1pY3Jvc29mdCBKYXZh
IEVuZ2luZWVyaW5nIDxqYXZhcGxhdGluZnJhQG1pY3Jvc29mdC5jb20+iQE4BBMB
CAAiBQJgIZVnAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1Ux0xWyHB
icwTCACJO2FGNocNvdUtAb+eDKuGwt0chAJdCES2ZtgBScwrwDyWpxpRznoXWBHL
MJeLyxJoKsCG3vVlY4uh48psCzVm3OKvi7MCPT955t8W6TzfSBxTpjR8zRgJkjPJ
EGhHTlusUfz7TtM5etJF0qscSJH1grcNsgtee97mk4QyEzT8Di83NQmYxKcBrliq
yK/SWWt8VkTyYAEO6L5PoB4L9r8ka27uQs+jgCw+/Z0JMtNmmhyNGY3+a1YtPeoy
JdQaI9LphfKGbVaz6SK2aol7vj+c2TG3TLUYdOYGMH1OZlri2GTkCVjwna2GC7p4
Fa133tP85xzJEq1XeXm8WeLFo2wV
=rHCS
-----END PGP PUBLIC KEY BLOCK-----`;