diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index 4f3f4f1a..c489afa2 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -51996,7 +51996,7 @@ else { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -52005,6 +52005,7 @@ exports.INPUT_JAVA_PACKAGE = 'java-package'; exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; +exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; @@ -52066,13 +52067,15 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); const exec = __importStar(__nccwpck_require__(95236)); +const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); +exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; function importKey(privateKey) { return __awaiter(this, void 0, void 0, function* () { @@ -52110,6 +52113,29 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; +function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { + return __awaiter(this, void 0, void 0, function* () { + const signaturePath = yield tc.downloadTool(signatureUrl); + const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + try { + const options = { silent: true, env }; + yield exec.exec('gpg', [ + '--batch', + '--keyserver', + 'keyserver.ubuntu.com', + '--recv-keys', + keyFingerprint + ], options); + yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); + } + finally { + yield io.rmRF(signaturePath); + yield io.rmRF(gpgHome); + } + }); +} +exports.verifyPackageSignature = verifyPackageSignature; /***/ }), diff --git a/dist/setup/index.js b/dist/setup/index.js index f393386b..98a96e6e 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -77755,7 +77755,7 @@ function isProbablyGradleDaemonProblem(packageManager, error) { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -77764,6 +77764,7 @@ exports.INPUT_JAVA_PACKAGE = 'java-package'; exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; +exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; @@ -78063,6 +78064,7 @@ const constants_1 = __nccwpck_require__(27242); const os_1 = __importDefault(__nccwpck_require__(70857)); class JavaBase { constructor(distribution, installerOptions) { + var _a; this.distribution = distribution; this.http = new httpm.HttpClient('actions/setup-java', undefined, { allowRetries: true, @@ -78072,10 +78074,14 @@ class JavaBase { this.architecture = installerOptions.architecture || os_1.default.arch(); this.packageType = installerOptions.packageType; this.checkLatest = installerOptions.checkLatest; + this.verifySignature = (_a = installerOptions.verifySignature) !== null && _a !== void 0 ? _a : false; } setupJava() { var _a, _b; return __awaiter(this, void 0, void 0, function* () { + if (this.verifySignature && !this.supportsSignatureVerification()) { + throw new Error(`Input 'verify-signature' is not supported for distribution '${this.distribution}'.`); + } let foundJava = this.findInToolcache(); if (foundJava && !this.checkLatest) { core.info(`Resolved Java ${foundJava.version} from tool-cache`); @@ -78195,6 +78201,9 @@ class JavaBase { get toolcacheFolderName() { return `Java_${this.distribution}_${this.packageType}`; } + supportsSignatureVerification() { + return false; + } getToolcacheVersionName(version) { if (!this.stable) { if (version.includes('+')) { @@ -80244,6 +80253,7 @@ const tc = __importStar(__nccwpck_require__(33472)); const fs_1 = __importDefault(__nccwpck_require__(79896)); const path_1 = __importDefault(__nccwpck_require__(16928)); const semver_1 = __importDefault(__nccwpck_require__(62088)); +const gpg = __importStar(__nccwpck_require__(88343)); const base_installer_1 = __nccwpck_require__(79935); const util_1 = __nccwpck_require__(54527); var TemurinImplementation; @@ -80270,7 +80280,8 @@ class TemurinDistribution extends base_installer_1.JavaBase { : item.version_data.semver.replace('-beta+', '+'); return { version: formattedVersion, - url: item.binaries[0].package.link + url: item.binaries[0].package.link, + signatureUrl: item.binaries[0].package.signature_link }; }); const satisfiedVersions = availableVersionsWithBinaries @@ -80290,6 +80301,18 @@ class TemurinDistribution extends base_installer_1.JavaBase { return __awaiter(this, void 0, void 0, function* () { core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`); let javaArchivePath = yield tc.downloadTool(javaRelease.url); + if (this.verifySignature) { + if (!javaRelease.signatureUrl) { + throw new Error(`Input 'verify-signature' is enabled, but no signature URL was found for Temurin version ${javaRelease.version}.`); + } + core.info(`Verifying Java package signature...`); + try { + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT); + } + catch (error) { + throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version}: ${error.message}`); + } + } core.info(`Extracting Java archive...`); const extension = (0, util_1.getDownloadArchiveExtension)(); if (process.platform === 'win32') { @@ -80306,6 +80329,9 @@ class TemurinDistribution extends base_installer_1.JavaBase { get toolcacheFolderName() { return super.toolcacheFolderName; } + supportsSignatureVerification() { + return true; + } getAvailableVersions() { return __awaiter(this, void 0, void 0, function* () { const platform = this.getPlatformOption(); @@ -80598,13 +80624,15 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); const exec = __importStar(__nccwpck_require__(95236)); +const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); +exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; function importKey(privateKey) { return __awaiter(this, void 0, void 0, function* () { @@ -80642,6 +80670,29 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; +function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { + return __awaiter(this, void 0, void 0, function* () { + const signaturePath = yield tc.downloadTool(signatureUrl); + const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + try { + const options = { silent: true, env }; + yield exec.exec('gpg', [ + '--batch', + '--keyserver', + 'keyserver.ubuntu.com', + '--recv-keys', + keyFingerprint + ], options); + yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); + } + finally { + yield io.rmRF(signaturePath); + yield io.rmRF(gpgHome); + } + }); +} +exports.verifyPackageSignature = verifyPackageSignature; /***/ }), @@ -80710,6 +80761,7 @@ function run() { const cache = core.getInput(constants.INPUT_CACHE); const cacheDependencyPath = core.getInput(constants.INPUT_CACHE_DEPENDENCY_PATH); const checkLatest = (0, util_1.getBooleanInput)(constants.INPUT_CHECK_LATEST, false); + const verifySignature = (0, util_1.getBooleanInput)(constants.INPUT_VERIFY_SIGNATURE, false); let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID); core.startGroup('Installed distributions'); if (versions.length !== toolchainIds.length) { @@ -80722,6 +80774,7 @@ function run() { architecture, packageType, checkLatest, + verifySignature, distributionName, jdkFile, toolchainIds @@ -80755,11 +80808,12 @@ function run() { run(); function installVersion(version, options, toolchainId = 0) { return __awaiter(this, void 0, void 0, function* () { - const { distributionName, jdkFile, architecture, packageType, checkLatest, toolchainIds } = options; + const { distributionName, jdkFile, architecture, packageType, checkLatest, verifySignature, toolchainIds } = options; const installerOptions = { architecture, packageType, checkLatest, + verifySignature, version }; const distribution = (0, distribution_factory_1.getJavaDistribution)(distributionName, installerOptions, jdkFile);