refactor: bundle Adoptium public key, replace keyserver lookup with local import

This commit is contained in:
copilot-swe-agent[bot] 2026-06-24 10:17:06 +00:00 committed by GitHub
parent c607d20ead
commit a3589a9fc6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 87 additions and 46 deletions

View File

@ -5,7 +5,7 @@ import os from 'os';
import {
TemurinDistribution,
TemurinImplementation,
ADOPTIUM_SIGNATURE_KEY_FINGERPRINT
ADOPTIUM_PUBLIC_KEY
} from '../../src/distributions/temurin/installer';
import {JavaInstallerOptions} from '../../src/distributions/base-models';
import * as util from '../../src/util';
@ -338,7 +338,7 @@ describe('downloadTool', () => {
expect(spyVerifySignature).toHaveBeenCalledWith(
'/tmp/jdk.tar.gz',
'https://example.com/jdk.tar.gz.sig',
ADOPTIUM_SIGNATURE_KEY_FINGERPRINT
ADOPTIUM_PUBLIC_KEY
);
});

View File

@ -60,13 +60,13 @@ describe('gpg tests', () => {
});
describe('verifyPackageSignature', () => {
it('downloads signature and verifies package', async () => {
const testFingerprint = '3B04D753C9050D9A5D343F39843C48A565F8F04B';
it('imports bundled key and verifies package', async () => {
const publicKeyContent = '-----BEGIN PGP PUBLIC KEY BLOCK-----\ntest\n-----END PGP PUBLIC KEY BLOCK-----';
(tc.downloadTool as jest.Mock).mockResolvedValue('/tmp/jdk.tar.gz.sig');
await gpg.verifyPackageSignature(
'/tmp/jdk.tar.gz',
'https://example.com/jdk.tar.gz.sig',
testFingerprint
publicKeyContent
);
expect(tc.downloadTool).toHaveBeenCalledWith(
@ -75,13 +75,7 @@ describe('gpg tests', () => {
expect(exec.exec).toHaveBeenNthCalledWith(
1,
'gpg',
[
'--batch',
'--keyserver',
'keyserver.ubuntu.com',
'--recv-keys',
testFingerprint
],
['--batch', '--import', expect.stringContaining('public-key.asc')],
expect.objectContaining({silent: true})
);
expect(exec.exec).toHaveBeenNthCalledWith(

12
dist/cleanup/index.js vendored
View File

@ -52112,7 +52112,7 @@ function deleteKey(keyFingerprint) {
});
}
exports.deleteKey = deleteKey;
function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) {
function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) {
return __awaiter(this, void 0, void 0, function* () {
const signaturePath = yield tc.downloadTool(signatureUrl);
let gpgHome;
@ -52123,15 +52123,11 @@ function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) {
throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`);
}
const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome });
const publicKeyFile = path.join(gpgHome, 'public-key.asc');
try {
fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' });
const options = { silent: true, env };
yield exec.exec('gpg', [
'--batch',
'--keyserver',
'keyserver.ubuntu.com',
'--recv-keys',
keyFingerprint
], options);
yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options);
yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options);
}
finally {

50
dist/setup/index.js vendored
View File

@ -80247,7 +80247,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.TemurinDistribution = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.TemurinImplementation = void 0;
exports.TemurinDistribution = exports.ADOPTIUM_PUBLIC_KEY = exports.TemurinImplementation = void 0;
const core = __importStar(__nccwpck_require__(37484));
const tc = __importStar(__nccwpck_require__(33472));
const fs_1 = __importDefault(__nccwpck_require__(79896));
@ -80260,7 +80260,39 @@ var TemurinImplementation;
(function (TemurinImplementation) {
TemurinImplementation["Hotspot"] = "Hotspot";
})(TemurinImplementation || (exports.TemurinImplementation = TemurinImplementation = {}));
exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B';
// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B)
// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B
exports.ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK-----
xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT
QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ
PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a
9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf
+11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa
Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL
ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y
Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH
AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG
7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk
kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj
pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju
NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf
l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+
Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj
SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl
UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z
E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q
VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f
B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg
FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/
Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF
yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34
hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj
0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU
6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ
wI4qF/KKq9BfyfucAs0ykA==
=XLag
-----END PGP PUBLIC KEY BLOCK-----`;
class TemurinDistribution extends base_installer_1.JavaBase {
constructor(installerOptions, jvmImpl) {
super(`Temurin-${jvmImpl}`, installerOptions);
@ -80308,7 +80340,7 @@ class TemurinDistribution extends base_installer_1.JavaBase {
}
core.info(`Verifying Java package signature...`);
try {
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT);
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_PUBLIC_KEY);
}
catch (error) {
throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`);
@ -80670,7 +80702,7 @@ function deleteKey(keyFingerprint) {
});
}
exports.deleteKey = deleteKey;
function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) {
function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) {
return __awaiter(this, void 0, void 0, function* () {
const signaturePath = yield tc.downloadTool(signatureUrl);
let gpgHome;
@ -80681,15 +80713,11 @@ function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) {
throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`);
}
const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome });
const publicKeyFile = path.join(gpgHome, 'public-key.asc');
try {
fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' });
const options = { silent: true, env };
yield exec.exec('gpg', [
'--batch',
'--keyserver',
'keyserver.ubuntu.com',
'--recv-keys',
keyFingerprint
], options);
yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options);
yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options);
}
finally {

View File

@ -27,8 +27,39 @@ export enum TemurinImplementation {
Hotspot = 'Hotspot'
}
export const ADOPTIUM_SIGNATURE_KEY_FINGERPRINT =
'3B04D753C9050D9A5D343F39843C48A565F8F04B';
// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B)
// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B
export const ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK-----
xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT
QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ
PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a
9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf
+11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa
Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL
ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y
Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH
AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG
7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk
kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj
pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju
NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf
l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+
Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj
SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl
UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z
E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q
VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f
B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg
FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/
Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF
yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34
hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj
0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU
6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ
wI4qF/KKq9BfyfucAs0ykA==
=XLag
-----END PGP PUBLIC KEY BLOCK-----`;
export class TemurinDistribution extends JavaBase {
constructor(
@ -96,7 +127,7 @@ export class TemurinDistribution extends JavaBase {
await gpg.verifyPackageSignature(
javaArchivePath,
javaRelease.signatureUrl,
ADOPTIUM_SIGNATURE_KEY_FINGERPRINT
ADOPTIUM_PUBLIC_KEY
);
} catch (error) {
throw new Error(

View File

@ -58,7 +58,7 @@ export async function deleteKey(keyFingerprint: string) {
export async function verifyPackageSignature(
archivePath: string,
signatureUrl: string,
keyFingerprint: string
publicKeyContent: string
) {
const signaturePath = await tc.downloadTool(signatureUrl);
let gpgHome: string;
@ -74,20 +74,12 @@ export async function verifyPackageSignature(
);
}
const env = {...process.env, GNUPGHOME: gpgHome};
const publicKeyFile = path.join(gpgHome, 'public-key.asc');
try {
fs.writeFileSync(publicKeyFile, publicKeyContent, {encoding: 'utf-8'});
const options: ExecOptions = {silent: true, env};
await exec.exec(
'gpg',
[
'--batch',
'--keyserver',
'keyserver.ubuntu.com',
'--recv-keys',
keyFingerprint
],
options
);
await exec.exec('gpg', ['--batch', '--import', publicKeyFile], options);
await exec.exec(
'gpg',
['--batch', '--verify', signaturePath, archivePath],