From 70770c9dd21ad78995646be99e6ccb448da0f441 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 17 Jun 2026 14:26:14 +0000 Subject: [PATCH] Refine signature verification errors and regenerate dist --- __tests__/distributors/temurin-installer.test.ts | 2 +- dist/cleanup/index.js | 9 ++++++++- dist/setup/index.js | 11 +++++++++-- src/distributions/temurin/installer.ts | 2 +- src/gpg.ts | 16 +++++++++++++--- 5 files changed, 32 insertions(+), 8 deletions(-) diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index 995cdd99..f4dd02c7 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -235,7 +235,7 @@ describe('findPackageForDownload', () => { distribution['getAvailableVersions'] = async () => manifestData as any; const resolvedVersion = await distribution['findPackageForDownload'](input); expect(resolvedVersion.version).toBe(expected); - expect(resolvedVersion.signatureUrl).toBeTruthy(); + expect(resolvedVersion.signatureUrl).toBeDefined(); }); it('version is found but binaries list is empty', async () => { diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index c489afa2..f4ff7e96 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52116,12 +52116,19 @@ exports.deleteKey = deleteKey; function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); - const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + let gpgHome; + try { + gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + } + catch (error) { + throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); + } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); try { const options = { silent: true, env }; yield exec.exec('gpg', [ '--batch', + // Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval. '--keyserver', 'keyserver.ubuntu.com', '--recv-keys', diff --git a/dist/setup/index.js b/dist/setup/index.js index 98a96e6e..9fe3700c 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -80310,7 +80310,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT); } catch (error) { - throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version}: ${error.message}`); + throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); } } core.info(`Extracting Java archive...`); @@ -80673,12 +80673,19 @@ exports.deleteKey = deleteKey; function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); - const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + let gpgHome; + try { + gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + } + catch (error) { + throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); + } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); try { const options = { silent: true, env }; yield exec.exec('gpg', [ '--batch', + // Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval. '--keyserver', 'keyserver.ubuntu.com', '--recv-keys', diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index 6e0ba16f..68750aaa 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -97,7 +97,7 @@ export class TemurinDistribution extends JavaBase { ); } catch (error) { throw new Error( - `Failed to verify signature for Temurin version ${javaRelease.version}: ${ + `Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${ (error as Error).message }` ); diff --git a/src/gpg.ts b/src/gpg.ts index 32b9559d..0a38c71a 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -63,9 +63,18 @@ export async function verifyPackageSignature( keyFingerprint = ADOPTIUM_SIGNATURE_KEY_FINGERPRINT ) { const signaturePath = await tc.downloadTool(signatureUrl); - const gpgHome = fs.mkdtempSync( - path.join(util.getTempDir(), 'verify-signature-gpg-home-') - ); + let gpgHome: string; + try { + gpgHome = fs.mkdtempSync( + path.join(util.getTempDir(), 'verify-signature-gpg-home-') + ); + } catch (error) { + throw new Error( + `Failed to create temporary GPG home directory for signature verification: ${ + (error as Error).message + }` + ); + } const env = {...process.env, GNUPGHOME: gpgHome}; try { @@ -74,6 +83,7 @@ export async function verifyPackageSignature( 'gpg', [ '--batch', + // Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval. '--keyserver', 'keyserver.ubuntu.com', '--recv-keys',