mirror of
https://github.com/actions/setup-java.git
synced 2026-07-08 14:21:50 +00:00
feat: add verify-signature-public-key input to allow custom GPG key override
This commit is contained in:
parent
a3589a9fc6
commit
33264d6476
@ -364,4 +364,32 @@ describe('downloadTool', () => {
|
||||
);
|
||||
expect(spyVerifySignature).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it('uses custom public key when verifySignaturePublicKey is provided', async () => {
|
||||
const customKey =
|
||||
'-----BEGIN PGP PUBLIC KEY BLOCK-----\ncustom\n-----END PGP PUBLIC KEY BLOCK-----';
|
||||
const distribution = new TemurinDistribution(
|
||||
{
|
||||
version: '17',
|
||||
architecture: 'x64',
|
||||
packageType: 'jdk',
|
||||
checkLatest: false,
|
||||
verifySignature: true,
|
||||
verifySignaturePublicKey: customKey
|
||||
},
|
||||
TemurinImplementation.Hotspot
|
||||
);
|
||||
|
||||
await distribution['downloadTool']({
|
||||
version: '17.0.14+7',
|
||||
url: 'https://example.com/jdk.tar.gz',
|
||||
signatureUrl: 'https://example.com/jdk.tar.gz.sig'
|
||||
});
|
||||
|
||||
expect(spyVerifySignature).toHaveBeenCalledWith(
|
||||
'/tmp/jdk.tar.gz',
|
||||
'https://example.com/jdk.tar.gz.sig',
|
||||
customKey
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
@ -28,6 +28,9 @@ inputs:
|
||||
description: 'Verify downloaded Java package signatures when supported by the selected distribution'
|
||||
required: false
|
||||
default: false
|
||||
verify-signature-public-key:
|
||||
description: 'ASCII-armored GPG public key used to verify the downloaded package signature. Overrides the default bundled key for the selected distribution.'
|
||||
required: false
|
||||
server-id:
|
||||
description: 'ID of the distributionManagement repository in the pom.xml
|
||||
file. Default is `github`'
|
||||
|
||||
3
dist/cleanup/index.js
vendored
3
dist/cleanup/index.js
vendored
@ -51996,7 +51996,7 @@ else {
|
||||
"use strict";
|
||||
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0;
|
||||
exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0;
|
||||
exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home';
|
||||
exports.INPUT_JAVA_VERSION = 'java-version';
|
||||
exports.INPUT_JAVA_VERSION_FILE = 'java-version-file';
|
||||
@ -52006,6 +52006,7 @@ exports.INPUT_DISTRIBUTION = 'distribution';
|
||||
exports.INPUT_JDK_FILE = 'jdkFile';
|
||||
exports.INPUT_CHECK_LATEST = 'check-latest';
|
||||
exports.INPUT_VERIFY_SIGNATURE = 'verify-signature';
|
||||
exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
|
||||
exports.INPUT_SERVER_ID = 'server-id';
|
||||
exports.INPUT_SERVER_USERNAME = 'server-username';
|
||||
exports.INPUT_SERVER_PASSWORD = 'server-password';
|
||||
|
||||
12
dist/setup/index.js
vendored
12
dist/setup/index.js
vendored
@ -77755,7 +77755,7 @@ function isProbablyGradleDaemonProblem(packageManager, error) {
|
||||
"use strict";
|
||||
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0;
|
||||
exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0;
|
||||
exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home';
|
||||
exports.INPUT_JAVA_VERSION = 'java-version';
|
||||
exports.INPUT_JAVA_VERSION_FILE = 'java-version-file';
|
||||
@ -77765,6 +77765,7 @@ exports.INPUT_DISTRIBUTION = 'distribution';
|
||||
exports.INPUT_JDK_FILE = 'jdkFile';
|
||||
exports.INPUT_CHECK_LATEST = 'check-latest';
|
||||
exports.INPUT_VERIFY_SIGNATURE = 'verify-signature';
|
||||
exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
|
||||
exports.INPUT_SERVER_ID = 'server-id';
|
||||
exports.INPUT_SERVER_USERNAME = 'server-username';
|
||||
exports.INPUT_SERVER_PASSWORD = 'server-password';
|
||||
@ -78075,6 +78076,7 @@ class JavaBase {
|
||||
this.packageType = installerOptions.packageType;
|
||||
this.checkLatest = installerOptions.checkLatest;
|
||||
this.verifySignature = (_a = installerOptions.verifySignature) !== null && _a !== void 0 ? _a : false;
|
||||
this.verifySignaturePublicKey = installerOptions.verifySignaturePublicKey;
|
||||
}
|
||||
setupJava() {
|
||||
var _a, _b;
|
||||
@ -80331,6 +80333,7 @@ class TemurinDistribution extends base_installer_1.JavaBase {
|
||||
});
|
||||
}
|
||||
downloadTool(javaRelease) {
|
||||
var _a;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`);
|
||||
let javaArchivePath = yield tc.downloadTool(javaRelease.url);
|
||||
@ -80340,7 +80343,7 @@ class TemurinDistribution extends base_installer_1.JavaBase {
|
||||
}
|
||||
core.info(`Verifying Java package signature...`);
|
||||
try {
|
||||
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_PUBLIC_KEY);
|
||||
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : exports.ADOPTIUM_PUBLIC_KEY);
|
||||
}
|
||||
catch (error) {
|
||||
throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`);
|
||||
@ -80796,6 +80799,7 @@ function run() {
|
||||
const cacheDependencyPath = core.getInput(constants.INPUT_CACHE_DEPENDENCY_PATH);
|
||||
const checkLatest = (0, util_1.getBooleanInput)(constants.INPUT_CHECK_LATEST, false);
|
||||
const verifySignature = (0, util_1.getBooleanInput)(constants.INPUT_VERIFY_SIGNATURE, false);
|
||||
const verifySignaturePublicKey = core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined;
|
||||
let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID);
|
||||
core.startGroup('Installed distributions');
|
||||
if (versions.length !== toolchainIds.length) {
|
||||
@ -80809,6 +80813,7 @@ function run() {
|
||||
packageType,
|
||||
checkLatest,
|
||||
verifySignature,
|
||||
verifySignaturePublicKey,
|
||||
distributionName,
|
||||
jdkFile,
|
||||
toolchainIds
|
||||
@ -80842,12 +80847,13 @@ function run() {
|
||||
run();
|
||||
function installVersion(version, options, toolchainId = 0) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const { distributionName, jdkFile, architecture, packageType, checkLatest, verifySignature, toolchainIds } = options;
|
||||
const { distributionName, jdkFile, architecture, packageType, checkLatest, verifySignature, verifySignaturePublicKey, toolchainIds } = options;
|
||||
const installerOptions = {
|
||||
architecture,
|
||||
packageType,
|
||||
checkLatest,
|
||||
verifySignature,
|
||||
verifySignaturePublicKey,
|
||||
version
|
||||
};
|
||||
const distribution = (0, distribution_factory_1.getJavaDistribution)(distributionName, installerOptions, jdkFile);
|
||||
|
||||
@ -7,6 +7,7 @@ export const INPUT_DISTRIBUTION = 'distribution';
|
||||
export const INPUT_JDK_FILE = 'jdkFile';
|
||||
export const INPUT_CHECK_LATEST = 'check-latest';
|
||||
export const INPUT_VERIFY_SIGNATURE = 'verify-signature';
|
||||
export const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key';
|
||||
export const INPUT_SERVER_ID = 'server-id';
|
||||
export const INPUT_SERVER_USERNAME = 'server-username';
|
||||
export const INPUT_SERVER_PASSWORD = 'server-password';
|
||||
|
||||
@ -21,6 +21,7 @@ export abstract class JavaBase {
|
||||
protected stable: boolean;
|
||||
protected checkLatest: boolean;
|
||||
protected verifySignature: boolean;
|
||||
protected verifySignaturePublicKey: string | undefined;
|
||||
|
||||
constructor(
|
||||
protected distribution: string,
|
||||
@ -38,6 +39,7 @@ export abstract class JavaBase {
|
||||
this.packageType = installerOptions.packageType;
|
||||
this.checkLatest = installerOptions.checkLatest;
|
||||
this.verifySignature = installerOptions.verifySignature ?? false;
|
||||
this.verifySignaturePublicKey = installerOptions.verifySignaturePublicKey;
|
||||
}
|
||||
|
||||
protected abstract downloadTool(
|
||||
|
||||
@ -4,6 +4,7 @@ export interface JavaInstallerOptions {
|
||||
packageType: string;
|
||||
checkLatest: boolean;
|
||||
verifySignature?: boolean;
|
||||
verifySignaturePublicKey?: string;
|
||||
}
|
||||
|
||||
export interface JavaInstallerResults {
|
||||
|
||||
@ -127,7 +127,7 @@ export class TemurinDistribution extends JavaBase {
|
||||
await gpg.verifyPackageSignature(
|
||||
javaArchivePath,
|
||||
javaRelease.signatureUrl,
|
||||
ADOPTIUM_PUBLIC_KEY
|
||||
this.verifySignaturePublicKey ?? ADOPTIUM_PUBLIC_KEY
|
||||
);
|
||||
} catch (error) {
|
||||
throw new Error(
|
||||
|
||||
@ -32,6 +32,8 @@ async function run() {
|
||||
constants.INPUT_VERIFY_SIGNATURE,
|
||||
false
|
||||
);
|
||||
const verifySignaturePublicKey =
|
||||
core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined;
|
||||
let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID);
|
||||
|
||||
core.startGroup('Installed distributions');
|
||||
@ -49,6 +51,7 @@ async function run() {
|
||||
packageType,
|
||||
checkLatest,
|
||||
verifySignature,
|
||||
verifySignaturePublicKey,
|
||||
distributionName,
|
||||
jdkFile,
|
||||
toolchainIds
|
||||
@ -106,6 +109,7 @@ async function installVersion(
|
||||
packageType,
|
||||
checkLatest,
|
||||
verifySignature,
|
||||
verifySignaturePublicKey,
|
||||
toolchainIds
|
||||
} = options;
|
||||
|
||||
@ -114,6 +118,7 @@ async function installVersion(
|
||||
packageType,
|
||||
checkLatest,
|
||||
verifySignature,
|
||||
verifySignaturePublicKey,
|
||||
version
|
||||
};
|
||||
|
||||
@ -149,6 +154,7 @@ interface installerInputsOptions {
|
||||
packageType: string;
|
||||
checkLatest: boolean;
|
||||
verifySignature: boolean;
|
||||
verifySignaturePublicKey: string | undefined;
|
||||
distributionName: string;
|
||||
jdkFile: string;
|
||||
toolchainIds: Array<string>;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user