From a3589a9fc68b4d9053a0fc89659d7a00d27e929c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 24 Jun 2026 10:17:06 +0000 Subject: [PATCH] refactor: bundle Adoptium public key, replace keyserver lookup with local import --- .../distributors/temurin-installer.test.ts | 4 +- __tests__/gpg.test.ts | 14 ++---- dist/cleanup/index.js | 12 ++--- dist/setup/index.js | 50 +++++++++++++++---- src/distributions/temurin/installer.ts | 37 ++++++++++++-- src/gpg.ts | 16 ++---- 6 files changed, 87 insertions(+), 46 deletions(-) diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index 0e168446..e3b67d9a 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -5,7 +5,7 @@ import os from 'os'; import { TemurinDistribution, TemurinImplementation, - ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ADOPTIUM_PUBLIC_KEY } from '../../src/distributions/temurin/installer'; import {JavaInstallerOptions} from '../../src/distributions/base-models'; import * as util from '../../src/util'; @@ -338,7 +338,7 @@ describe('downloadTool', () => { expect(spyVerifySignature).toHaveBeenCalledWith( '/tmp/jdk.tar.gz', 'https://example.com/jdk.tar.gz.sig', - ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ADOPTIUM_PUBLIC_KEY ); }); diff --git a/__tests__/gpg.test.ts b/__tests__/gpg.test.ts index 9649c7c8..655077fb 100644 --- a/__tests__/gpg.test.ts +++ b/__tests__/gpg.test.ts @@ -60,13 +60,13 @@ describe('gpg tests', () => { }); describe('verifyPackageSignature', () => { - it('downloads signature and verifies package', async () => { - const testFingerprint = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; + it('imports bundled key and verifies package', async () => { + const publicKeyContent = '-----BEGIN PGP PUBLIC KEY BLOCK-----\ntest\n-----END PGP PUBLIC KEY BLOCK-----'; (tc.downloadTool as jest.Mock).mockResolvedValue('/tmp/jdk.tar.gz.sig'); await gpg.verifyPackageSignature( '/tmp/jdk.tar.gz', 'https://example.com/jdk.tar.gz.sig', - testFingerprint + publicKeyContent ); expect(tc.downloadTool).toHaveBeenCalledWith( @@ -75,13 +75,7 @@ describe('gpg tests', () => { expect(exec.exec).toHaveBeenNthCalledWith( 1, 'gpg', - [ - '--batch', - '--keyserver', - 'keyserver.ubuntu.com', - '--recv-keys', - testFingerprint - ], + ['--batch', '--import', expect.stringContaining('public-key.asc')], expect.objectContaining({silent: true}) ); expect(exec.exec).toHaveBeenNthCalledWith( diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index c11397fc..76511f98 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52112,7 +52112,7 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; -function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { +function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); let gpgHome; @@ -52123,15 +52123,11 @@ function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); try { + fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); const options = { silent: true, env }; - yield exec.exec('gpg', [ - '--batch', - '--keyserver', - 'keyserver.ubuntu.com', - '--recv-keys', - keyFingerprint - ], options); + yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); } finally { diff --git a/dist/setup/index.js b/dist/setup/index.js index b1658252..f22f71bf 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -80247,7 +80247,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.TemurinDistribution = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.TemurinImplementation = void 0; +exports.TemurinDistribution = exports.ADOPTIUM_PUBLIC_KEY = exports.TemurinImplementation = void 0; const core = __importStar(__nccwpck_require__(37484)); const tc = __importStar(__nccwpck_require__(33472)); const fs_1 = __importDefault(__nccwpck_require__(79896)); @@ -80260,7 +80260,39 @@ var TemurinImplementation; (function (TemurinImplementation) { TemurinImplementation["Hotspot"] = "Hotspot"; })(TemurinImplementation || (exports.TemurinImplementation = TemurinImplementation = {})); -exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; +// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) +// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B +exports.ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT +QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ +PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a +9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf ++11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa +Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL +ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y +Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH +AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG +7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk +kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj +pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju +NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf +l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ +Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj +SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl +UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z +E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q +VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f +B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg +FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ +Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF +yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 +hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj +0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU +6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ +wI4qF/KKq9BfyfucAs0ykA== +=XLag +-----END PGP PUBLIC KEY BLOCK-----`; class TemurinDistribution extends base_installer_1.JavaBase { constructor(installerOptions, jvmImpl) { super(`Temurin-${jvmImpl}`, installerOptions); @@ -80308,7 +80340,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { } core.info(`Verifying Java package signature...`); try { - yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT); + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_PUBLIC_KEY); } catch (error) { throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); @@ -80670,7 +80702,7 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; -function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { +function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); let gpgHome; @@ -80681,15 +80713,11 @@ function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); try { + fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); const options = { silent: true, env }; - yield exec.exec('gpg', [ - '--batch', - '--keyserver', - 'keyserver.ubuntu.com', - '--recv-keys', - keyFingerprint - ], options); + yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); } finally { diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index bb22cc43..a1a52ee3 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -27,8 +27,39 @@ export enum TemurinImplementation { Hotspot = 'Hotspot' } -export const ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = - '3B04D753C9050D9A5D343F39843C48A565F8F04B'; +// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) +// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B +export const ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT +QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ +PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a +9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf ++11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa +Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL +ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y +Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH +AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG +7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk +kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj +pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju +NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf +l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ +Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj +SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl +UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z +E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q +VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f +B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg +FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ +Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF +yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 +hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj +0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU +6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ +wI4qF/KKq9BfyfucAs0ykA== +=XLag +-----END PGP PUBLIC KEY BLOCK-----`; export class TemurinDistribution extends JavaBase { constructor( @@ -96,7 +127,7 @@ export class TemurinDistribution extends JavaBase { await gpg.verifyPackageSignature( javaArchivePath, javaRelease.signatureUrl, - ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ADOPTIUM_PUBLIC_KEY ); } catch (error) { throw new Error( diff --git a/src/gpg.ts b/src/gpg.ts index e346b5c6..02ed7a3d 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -58,7 +58,7 @@ export async function deleteKey(keyFingerprint: string) { export async function verifyPackageSignature( archivePath: string, signatureUrl: string, - keyFingerprint: string + publicKeyContent: string ) { const signaturePath = await tc.downloadTool(signatureUrl); let gpgHome: string; @@ -74,20 +74,12 @@ export async function verifyPackageSignature( ); } const env = {...process.env, GNUPGHOME: gpgHome}; + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); try { + fs.writeFileSync(publicKeyFile, publicKeyContent, {encoding: 'utf-8'}); const options: ExecOptions = {silent: true, env}; - await exec.exec( - 'gpg', - [ - '--batch', - '--keyserver', - 'keyserver.ubuntu.com', - '--recv-keys', - keyFingerprint - ], - options - ); + await exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); await exec.exec( 'gpg', ['--batch', '--verify', signaturePath, archivePath],