mirror of
https://github.com/actions/setup-java.git
synced 2026-07-08 14:21:50 +00:00
Refine signature verification errors and regenerate dist
This commit is contained in:
parent
39460f2cc0
commit
70770c9dd2
@ -235,7 +235,7 @@ describe('findPackageForDownload', () => {
|
|||||||
distribution['getAvailableVersions'] = async () => manifestData as any;
|
distribution['getAvailableVersions'] = async () => manifestData as any;
|
||||||
const resolvedVersion = await distribution['findPackageForDownload'](input);
|
const resolvedVersion = await distribution['findPackageForDownload'](input);
|
||||||
expect(resolvedVersion.version).toBe(expected);
|
expect(resolvedVersion.version).toBe(expected);
|
||||||
expect(resolvedVersion.signatureUrl).toBeTruthy();
|
expect(resolvedVersion.signatureUrl).toBeDefined();
|
||||||
});
|
});
|
||||||
|
|
||||||
it('version is found but binaries list is empty', async () => {
|
it('version is found but binaries list is empty', async () => {
|
||||||
|
|||||||
9
dist/cleanup/index.js
vendored
9
dist/cleanup/index.js
vendored
@ -52116,12 +52116,19 @@ exports.deleteKey = deleteKey;
|
|||||||
function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) {
|
function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) {
|
||||||
return __awaiter(this, void 0, void 0, function* () {
|
return __awaiter(this, void 0, void 0, function* () {
|
||||||
const signaturePath = yield tc.downloadTool(signatureUrl);
|
const signaturePath = yield tc.downloadTool(signatureUrl);
|
||||||
const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-'));
|
let gpgHome;
|
||||||
|
try {
|
||||||
|
gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-'));
|
||||||
|
}
|
||||||
|
catch (error) {
|
||||||
|
throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`);
|
||||||
|
}
|
||||||
const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome });
|
const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome });
|
||||||
try {
|
try {
|
||||||
const options = { silent: true, env };
|
const options = { silent: true, env };
|
||||||
yield exec.exec('gpg', [
|
yield exec.exec('gpg', [
|
||||||
'--batch',
|
'--batch',
|
||||||
|
// Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval.
|
||||||
'--keyserver',
|
'--keyserver',
|
||||||
'keyserver.ubuntu.com',
|
'keyserver.ubuntu.com',
|
||||||
'--recv-keys',
|
'--recv-keys',
|
||||||
|
|||||||
11
dist/setup/index.js
vendored
11
dist/setup/index.js
vendored
@ -80310,7 +80310,7 @@ class TemurinDistribution extends base_installer_1.JavaBase {
|
|||||||
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT);
|
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT);
|
||||||
}
|
}
|
||||||
catch (error) {
|
catch (error) {
|
||||||
throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version}: ${error.message}`);
|
throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
core.info(`Extracting Java archive...`);
|
core.info(`Extracting Java archive...`);
|
||||||
@ -80673,12 +80673,19 @@ exports.deleteKey = deleteKey;
|
|||||||
function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) {
|
function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) {
|
||||||
return __awaiter(this, void 0, void 0, function* () {
|
return __awaiter(this, void 0, void 0, function* () {
|
||||||
const signaturePath = yield tc.downloadTool(signatureUrl);
|
const signaturePath = yield tc.downloadTool(signatureUrl);
|
||||||
const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-'));
|
let gpgHome;
|
||||||
|
try {
|
||||||
|
gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-'));
|
||||||
|
}
|
||||||
|
catch (error) {
|
||||||
|
throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`);
|
||||||
|
}
|
||||||
const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome });
|
const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome });
|
||||||
try {
|
try {
|
||||||
const options = { silent: true, env };
|
const options = { silent: true, env };
|
||||||
yield exec.exec('gpg', [
|
yield exec.exec('gpg', [
|
||||||
'--batch',
|
'--batch',
|
||||||
|
// Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval.
|
||||||
'--keyserver',
|
'--keyserver',
|
||||||
'keyserver.ubuntu.com',
|
'keyserver.ubuntu.com',
|
||||||
'--recv-keys',
|
'--recv-keys',
|
||||||
|
|||||||
@ -97,7 +97,7 @@ export class TemurinDistribution extends JavaBase {
|
|||||||
);
|
);
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
throw new Error(
|
throw new Error(
|
||||||
`Failed to verify signature for Temurin version ${javaRelease.version}: ${
|
`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${
|
||||||
(error as Error).message
|
(error as Error).message
|
||||||
}`
|
}`
|
||||||
);
|
);
|
||||||
|
|||||||
16
src/gpg.ts
16
src/gpg.ts
@ -63,9 +63,18 @@ export async function verifyPackageSignature(
|
|||||||
keyFingerprint = ADOPTIUM_SIGNATURE_KEY_FINGERPRINT
|
keyFingerprint = ADOPTIUM_SIGNATURE_KEY_FINGERPRINT
|
||||||
) {
|
) {
|
||||||
const signaturePath = await tc.downloadTool(signatureUrl);
|
const signaturePath = await tc.downloadTool(signatureUrl);
|
||||||
const gpgHome = fs.mkdtempSync(
|
let gpgHome: string;
|
||||||
path.join(util.getTempDir(), 'verify-signature-gpg-home-')
|
try {
|
||||||
);
|
gpgHome = fs.mkdtempSync(
|
||||||
|
path.join(util.getTempDir(), 'verify-signature-gpg-home-')
|
||||||
|
);
|
||||||
|
} catch (error) {
|
||||||
|
throw new Error(
|
||||||
|
`Failed to create temporary GPG home directory for signature verification: ${
|
||||||
|
(error as Error).message
|
||||||
|
}`
|
||||||
|
);
|
||||||
|
}
|
||||||
const env = {...process.env, GNUPGHOME: gpgHome};
|
const env = {...process.env, GNUPGHOME: gpgHome};
|
||||||
|
|
||||||
try {
|
try {
|
||||||
@ -74,6 +83,7 @@ export async function verifyPackageSignature(
|
|||||||
'gpg',
|
'gpg',
|
||||||
[
|
[
|
||||||
'--batch',
|
'--batch',
|
||||||
|
// Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval.
|
||||||
'--keyserver',
|
'--keyserver',
|
||||||
'keyserver.ubuntu.com',
|
'keyserver.ubuntu.com',
|
||||||
'--recv-keys',
|
'--recv-keys',
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user