mirror of
https://github.com/actions/setup-java.git
synced 2026-07-08 14:21:50 +00:00
Refine signature verification errors and regenerate dist
This commit is contained in:
parent
39460f2cc0
commit
70770c9dd2
@ -235,7 +235,7 @@ describe('findPackageForDownload', () => {
|
||||
distribution['getAvailableVersions'] = async () => manifestData as any;
|
||||
const resolvedVersion = await distribution['findPackageForDownload'](input);
|
||||
expect(resolvedVersion.version).toBe(expected);
|
||||
expect(resolvedVersion.signatureUrl).toBeTruthy();
|
||||
expect(resolvedVersion.signatureUrl).toBeDefined();
|
||||
});
|
||||
|
||||
it('version is found but binaries list is empty', async () => {
|
||||
|
||||
9
dist/cleanup/index.js
vendored
9
dist/cleanup/index.js
vendored
@ -52116,12 +52116,19 @@ exports.deleteKey = deleteKey;
|
||||
function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const signaturePath = yield tc.downloadTool(signatureUrl);
|
||||
const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-'));
|
||||
let gpgHome;
|
||||
try {
|
||||
gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-'));
|
||||
}
|
||||
catch (error) {
|
||||
throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`);
|
||||
}
|
||||
const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome });
|
||||
try {
|
||||
const options = { silent: true, env };
|
||||
yield exec.exec('gpg', [
|
||||
'--batch',
|
||||
// Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval.
|
||||
'--keyserver',
|
||||
'keyserver.ubuntu.com',
|
||||
'--recv-keys',
|
||||
|
||||
11
dist/setup/index.js
vendored
11
dist/setup/index.js
vendored
@ -80310,7 +80310,7 @@ class TemurinDistribution extends base_installer_1.JavaBase {
|
||||
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT);
|
||||
}
|
||||
catch (error) {
|
||||
throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version}: ${error.message}`);
|
||||
throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`);
|
||||
}
|
||||
}
|
||||
core.info(`Extracting Java archive...`);
|
||||
@ -80673,12 +80673,19 @@ exports.deleteKey = deleteKey;
|
||||
function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const signaturePath = yield tc.downloadTool(signatureUrl);
|
||||
const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-'));
|
||||
let gpgHome;
|
||||
try {
|
||||
gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-'));
|
||||
}
|
||||
catch (error) {
|
||||
throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`);
|
||||
}
|
||||
const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome });
|
||||
try {
|
||||
const options = { silent: true, env };
|
||||
yield exec.exec('gpg', [
|
||||
'--batch',
|
||||
// Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval.
|
||||
'--keyserver',
|
||||
'keyserver.ubuntu.com',
|
||||
'--recv-keys',
|
||||
|
||||
@ -97,7 +97,7 @@ export class TemurinDistribution extends JavaBase {
|
||||
);
|
||||
} catch (error) {
|
||||
throw new Error(
|
||||
`Failed to verify signature for Temurin version ${javaRelease.version}: ${
|
||||
`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${
|
||||
(error as Error).message
|
||||
}`
|
||||
);
|
||||
|
||||
16
src/gpg.ts
16
src/gpg.ts
@ -63,9 +63,18 @@ export async function verifyPackageSignature(
|
||||
keyFingerprint = ADOPTIUM_SIGNATURE_KEY_FINGERPRINT
|
||||
) {
|
||||
const signaturePath = await tc.downloadTool(signatureUrl);
|
||||
const gpgHome = fs.mkdtempSync(
|
||||
path.join(util.getTempDir(), 'verify-signature-gpg-home-')
|
||||
);
|
||||
let gpgHome: string;
|
||||
try {
|
||||
gpgHome = fs.mkdtempSync(
|
||||
path.join(util.getTempDir(), 'verify-signature-gpg-home-')
|
||||
);
|
||||
} catch (error) {
|
||||
throw new Error(
|
||||
`Failed to create temporary GPG home directory for signature verification: ${
|
||||
(error as Error).message
|
||||
}`
|
||||
);
|
||||
}
|
||||
const env = {...process.env, GNUPGHOME: gpgHome};
|
||||
|
||||
try {
|
||||
@ -74,6 +83,7 @@ export async function verifyPackageSignature(
|
||||
'gpg',
|
||||
[
|
||||
'--batch',
|
||||
// Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval.
|
||||
'--keyserver',
|
||||
'keyserver.ubuntu.com',
|
||||
'--recv-keys',
|
||||
|
||||
Loading…
Reference in New Issue
Block a user