From 33264d64767ade021759c2801365a46eaac4aeb1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 24 Jun 2026 10:19:49 +0000 Subject: [PATCH] feat: add verify-signature-public-key input to allow custom GPG key override --- .../distributors/temurin-installer.test.ts | 28 +++++++++++++++++++ action.yml | 3 ++ dist/cleanup/index.js | 3 +- dist/setup/index.js | 12 ++++++-- src/constants.ts | 1 + src/distributions/base-installer.ts | 2 ++ src/distributions/base-models.ts | 1 + src/distributions/temurin/installer.ts | 2 +- src/setup-java.ts | 6 ++++ 9 files changed, 53 insertions(+), 5 deletions(-) diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index e3b67d9a..ddf707eb 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -364,4 +364,32 @@ describe('downloadTool', () => { ); expect(spyVerifySignature).not.toHaveBeenCalled(); }); + + it('uses custom public key when verifySignaturePublicKey is provided', async () => { + const customKey = + '-----BEGIN PGP PUBLIC KEY BLOCK-----\ncustom\n-----END PGP PUBLIC KEY BLOCK-----'; + const distribution = new TemurinDistribution( + { + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true, + verifySignaturePublicKey: customKey + }, + TemurinImplementation.Hotspot + ); + + await distribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz', + signatureUrl: 'https://example.com/jdk.tar.gz.sig' + }); + + expect(spyVerifySignature).toHaveBeenCalledWith( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + customKey + ); + }); }); diff --git a/action.yml b/action.yml index 10f23758..cd200f45 100644 --- a/action.yml +++ b/action.yml @@ -28,6 +28,9 @@ inputs: description: 'Verify downloaded Java package signatures when supported by the selected distribution' required: false default: false + verify-signature-public-key: + description: 'ASCII-armored GPG public key used to verify the downloaded package signature. Overrides the default bundled key for the selected distribution.' + required: false server-id: description: 'ID of the distributionManagement repository in the pom.xml file. Default is `github`' diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index 76511f98..b9673a0b 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -51996,7 +51996,7 @@ else { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -52006,6 +52006,7 @@ exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; +exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; diff --git a/dist/setup/index.js b/dist/setup/index.js index f22f71bf..15de2de4 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -77755,7 +77755,7 @@ function isProbablyGradleDaemonProblem(packageManager, error) { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -77765,6 +77765,7 @@ exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; +exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; @@ -78075,6 +78076,7 @@ class JavaBase { this.packageType = installerOptions.packageType; this.checkLatest = installerOptions.checkLatest; this.verifySignature = (_a = installerOptions.verifySignature) !== null && _a !== void 0 ? _a : false; + this.verifySignaturePublicKey = installerOptions.verifySignaturePublicKey; } setupJava() { var _a, _b; @@ -80331,6 +80333,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { }); } downloadTool(javaRelease) { + var _a; return __awaiter(this, void 0, void 0, function* () { core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`); let javaArchivePath = yield tc.downloadTool(javaRelease.url); @@ -80340,7 +80343,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { } core.info(`Verifying Java package signature...`); try { - yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_PUBLIC_KEY); + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : exports.ADOPTIUM_PUBLIC_KEY); } catch (error) { throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); @@ -80796,6 +80799,7 @@ function run() { const cacheDependencyPath = core.getInput(constants.INPUT_CACHE_DEPENDENCY_PATH); const checkLatest = (0, util_1.getBooleanInput)(constants.INPUT_CHECK_LATEST, false); const verifySignature = (0, util_1.getBooleanInput)(constants.INPUT_VERIFY_SIGNATURE, false); + const verifySignaturePublicKey = core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined; let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID); core.startGroup('Installed distributions'); if (versions.length !== toolchainIds.length) { @@ -80809,6 +80813,7 @@ function run() { packageType, checkLatest, verifySignature, + verifySignaturePublicKey, distributionName, jdkFile, toolchainIds @@ -80842,12 +80847,13 @@ function run() { run(); function installVersion(version, options, toolchainId = 0) { return __awaiter(this, void 0, void 0, function* () { - const { distributionName, jdkFile, architecture, packageType, checkLatest, verifySignature, toolchainIds } = options; + const { distributionName, jdkFile, architecture, packageType, checkLatest, verifySignature, verifySignaturePublicKey, toolchainIds } = options; const installerOptions = { architecture, packageType, checkLatest, verifySignature, + verifySignaturePublicKey, version }; const distribution = (0, distribution_factory_1.getJavaDistribution)(distributionName, installerOptions, jdkFile); diff --git a/src/constants.ts b/src/constants.ts index e80ad07d..5b018896 100644 --- a/src/constants.ts +++ b/src/constants.ts @@ -7,6 +7,7 @@ export const INPUT_DISTRIBUTION = 'distribution'; export const INPUT_JDK_FILE = 'jdkFile'; export const INPUT_CHECK_LATEST = 'check-latest'; export const INPUT_VERIFY_SIGNATURE = 'verify-signature'; +export const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key'; export const INPUT_SERVER_ID = 'server-id'; export const INPUT_SERVER_USERNAME = 'server-username'; export const INPUT_SERVER_PASSWORD = 'server-password'; diff --git a/src/distributions/base-installer.ts b/src/distributions/base-installer.ts index 7c485e7a..4494019c 100644 --- a/src/distributions/base-installer.ts +++ b/src/distributions/base-installer.ts @@ -21,6 +21,7 @@ export abstract class JavaBase { protected stable: boolean; protected checkLatest: boolean; protected verifySignature: boolean; + protected verifySignaturePublicKey: string | undefined; constructor( protected distribution: string, @@ -38,6 +39,7 @@ export abstract class JavaBase { this.packageType = installerOptions.packageType; this.checkLatest = installerOptions.checkLatest; this.verifySignature = installerOptions.verifySignature ?? false; + this.verifySignaturePublicKey = installerOptions.verifySignaturePublicKey; } protected abstract downloadTool( diff --git a/src/distributions/base-models.ts b/src/distributions/base-models.ts index 0945d306..867a058a 100644 --- a/src/distributions/base-models.ts +++ b/src/distributions/base-models.ts @@ -4,6 +4,7 @@ export interface JavaInstallerOptions { packageType: string; checkLatest: boolean; verifySignature?: boolean; + verifySignaturePublicKey?: string; } export interface JavaInstallerResults { diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index a1a52ee3..58b19874 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -127,7 +127,7 @@ export class TemurinDistribution extends JavaBase { await gpg.verifyPackageSignature( javaArchivePath, javaRelease.signatureUrl, - ADOPTIUM_PUBLIC_KEY + this.verifySignaturePublicKey ?? ADOPTIUM_PUBLIC_KEY ); } catch (error) { throw new Error( diff --git a/src/setup-java.ts b/src/setup-java.ts index 52931417..e4ec400b 100644 --- a/src/setup-java.ts +++ b/src/setup-java.ts @@ -32,6 +32,8 @@ async function run() { constants.INPUT_VERIFY_SIGNATURE, false ); + const verifySignaturePublicKey = + core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined; let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID); core.startGroup('Installed distributions'); @@ -49,6 +51,7 @@ async function run() { packageType, checkLatest, verifySignature, + verifySignaturePublicKey, distributionName, jdkFile, toolchainIds @@ -106,6 +109,7 @@ async function installVersion( packageType, checkLatest, verifySignature, + verifySignaturePublicKey, toolchainIds } = options; @@ -114,6 +118,7 @@ async function installVersion( packageType, checkLatest, verifySignature, + verifySignaturePublicKey, version }; @@ -149,6 +154,7 @@ interface installerInputsOptions { packageType: string; checkLatest: boolean; verifySignature: boolean; + verifySignaturePublicKey: string | undefined; distributionName: string; jdkFile: string; toolchainIds: Array;