setup-java/src/gpg.ts
2026-06-17 14:21:38 +00:00

94 lines
2.1 KiB
TypeScript

import * as fs from 'fs';
import * as path from 'path';
import * as io from '@actions/io';
import * as exec from '@actions/exec';
import * as tc from '@actions/tool-cache';
import * as util from './util';
import {ExecOptions} from '@actions/exec/lib/interfaces';
export const PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc');
export const ADOPTIUM_SIGNATURE_KEY_FINGERPRINT =
'3B04D753C9050D9A5D343F39843C48A565F8F04B';
const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/;
export async function importKey(privateKey: string) {
fs.writeFileSync(PRIVATE_KEY_FILE, privateKey, {
encoding: 'utf-8',
flag: 'w'
});
let output = '';
const options: ExecOptions = {
silent: true,
listeners: {
stdout: (data: Buffer) => {
output += data.toString();
}
}
};
await exec.exec(
'gpg',
[
'--batch',
'--import-options',
'import-show',
'--import',
PRIVATE_KEY_FILE
],
options
);
await io.rmRF(PRIVATE_KEY_FILE);
const match = output.match(PRIVATE_KEY_FINGERPRINT_REGEX);
return match && match[0];
}
export async function deleteKey(keyFingerprint: string) {
await exec.exec(
'gpg',
['--batch', '--yes', '--delete-secret-and-public-key', keyFingerprint],
{
silent: true
}
);
}
export async function verifyPackageSignature(
archivePath: string,
signatureUrl: string,
keyFingerprint = ADOPTIUM_SIGNATURE_KEY_FINGERPRINT
) {
const signaturePath = await tc.downloadTool(signatureUrl);
const gpgHome = fs.mkdtempSync(
path.join(util.getTempDir(), 'verify-signature-gpg-home-')
);
const env = {...process.env, GNUPGHOME: gpgHome};
try {
const options: ExecOptions = {silent: true, env};
await exec.exec(
'gpg',
[
'--batch',
'--keyserver',
'keyserver.ubuntu.com',
'--recv-keys',
keyFingerprint
],
options
);
await exec.exec(
'gpg',
['--batch', '--verify', signaturePath, archivePath],
options
);
} finally {
await io.rmRF(signaturePath);
await io.rmRF(gpgHome);
}
}