From 1436e9003ca25606e6f8565978b26613ab2c2474 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 17 Jun 2026 14:21:38 +0000 Subject: [PATCH 01/22] Add verify-signature plumbing and Temurin verification support --- README.md | 2 + __tests__/data/temurin.json | 297 ++++++++++++------ __tests__/distributors/base-installer.test.ts | 18 ++ .../distributors/temurin-installer.test.ts | 80 +++++ __tests__/gpg.test.ts | 39 +++ action.yml | 4 + src/constants.ts | 1 + src/distributions/base-installer.ts | 12 + src/distributions/base-models.ts | 2 + src/distributions/temurin/installer.ts | 30 +- src/distributions/temurin/models.ts | 1 + src/gpg.ts | 38 +++ src/setup-java.ts | 8 + 13 files changed, 432 insertions(+), 100 deletions(-) diff --git a/README.md b/README.md index 8a7392a9f..9b3cfe2f6 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,8 @@ For information about the latest releases, recent updates, and newly supported d - `check-latest`: Setting this option makes the action to check for the latest available version for the version spec. + - `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin`. If set to `true` for unsupported distributions, the action fails. + - `cache`: Quick [setup caching](#caching-packages-dependencies) for the dependencies managed through one of the predefined package managers. It can be one of "maven", "gradle" or "sbt". - `cache-dependency-path`: The path to a dependency file: pom.xml, build.gradle, build.sbt, etc. This option can be used with the `cache` option. If this option is omitted, the action searches for the dependency file in the entire repository. This option supports wildcards and a list of file names for caching multiple dependencies. diff --git a/__tests__/data/temurin.json b/__tests__/data/temurin.json index 7ce00d2c7..cec2c631a 100644 --- a/__tests__/data/temurin.json +++ b/__tests__/data/temurin.json @@ -15,7 +15,8 @@ "link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_linux_hotspot_16.0.2_7.tar.gz", "metadata_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_linux_hotspot_16.0.2_7.tar.gz.json", "name": "OpenJDK16U-jdk_x64_linux_hotspot_16.0.2_7.tar.gz", - "size": 205463525 + "size": 205463525, + "signature_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_linux_hotspot_16.0.2_7.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-16.0.2+7_adopt", @@ -44,7 +45,8 @@ "link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_mac_hotspot_16.0.2_7.tar.gz", "metadata_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_mac_hotspot_16.0.2_7.tar.gz.json", "name": "OpenJDK16U-jdk_x64_mac_hotspot_16.0.2_7.tar.gz", - "size": 206621395 + "size": 206621395, + "signature_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_mac_hotspot_16.0.2_7.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-16.0.2+7_adopt", @@ -73,7 +75,8 @@ "link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_windows_hotspot_16.0.2_7.zip", "metadata_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_windows_hotspot_16.0.2_7.zip.json", "name": "OpenJDK16U-jdk_x64_windows_hotspot_16.0.2_7.zip", - "size": 203448494 + "size": 203448494, + "signature_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_windows_hotspot_16.0.2_7.zip.sig" }, "project": "jdk", "scm_ref": "jdk-16.0.2+7_adopt", @@ -113,7 +116,8 @@ "link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz", "metadata_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.json", "name": "OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz", - "size": 102954777 + "size": 102954777, + "signature_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk8u302-b08", @@ -142,7 +146,8 @@ "link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_mac_hotspot_8u302b08.tar.gz", "metadata_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_mac_hotspot_8u302b08.tar.gz.json", "name": "OpenJDK8U-jdk_x64_mac_hotspot_8u302b08.tar.gz", - "size": 107303398 + "size": 107303398, + "signature_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_mac_hotspot_8u302b08.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk8u302-b08", @@ -171,7 +176,8 @@ "link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_windows_hotspot_8u302b08.zip", "metadata_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_windows_hotspot_8u302b08.zip.json", "name": "OpenJDK8U-jdk_x64_windows_hotspot_8u302b08.zip", - "size": 104297671 + "size": 104297671, + "signature_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_windows_hotspot_8u302b08.zip.sig" }, "project": "jdk", "scm_ref": "jdk8u302-b08", @@ -211,7 +217,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 188909250 + "size": 188909250, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-16-ge39bf269d60", @@ -240,7 +247,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-31-00-07.tar.gz", - "size": 192952713 + "size": 192952713, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -260,7 +268,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 188816971 + "size": 188816971, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-16-ge39bf269d60", @@ -280,7 +289,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-31-00-07.tar.gz", - "size": 182299353 + "size": 182299353, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -300,7 +310,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 187674392 + "size": 187674392, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-46-gea8d2c72e83", @@ -320,7 +331,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 179501342 + "size": 179501342, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-21-ge39bf269d60", @@ -340,7 +352,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-29-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-29-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-29-23-34.tar.gz", - "size": 192126971 + "size": 192126971, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-29-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -360,7 +373,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 192015878 + "size": 192015878, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-21-ge39bf269d60", @@ -389,7 +403,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-31-00-07.tar.gz", - "size": 192422068 + "size": 192422068, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -418,7 +433,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-31-00-07.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-31-00-07.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-31-00-07.zip", - "size": 188694175 + "size": 188694175, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-31-00-07.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -447,7 +463,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-31-00-07.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-31-00-07.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-31-00-07.zip", - "size": 184618115 + "size": 184618115, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-31-00-07.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -489,7 +506,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-27-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-27-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-27-23-34.tar.gz", - "size": 192125161 + "size": 192125161, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-27-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-242-gce1857dd7a1", @@ -531,7 +549,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 188911467 + "size": 188911467, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-42-g4596b4e9d4e", @@ -560,7 +579,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-23-03-09.tar.gz", - "size": 192950510 + "size": 192950510, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -580,7 +600,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 188815685 + "size": 188815685, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-36-g4596b4e9d4e", @@ -600,7 +621,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-23-03-09.tar.gz", - "size": 182307654 + "size": 182307654, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -620,7 +642,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 187698851 + "size": 187698851, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-36-g4596b4e9d4e", @@ -640,7 +663,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 179501218 + "size": 179501218, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-40-g4596b4e9d4e", @@ -660,7 +684,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-22-23-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-22-23-30.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-22-23-30.tar.gz", - "size": 192124471 + "size": 192124471, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-22-23-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -680,7 +705,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 192015026 + "size": 192015026, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-40-g4596b4e9d4e", @@ -709,7 +735,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-23-03-09.tar.gz", - "size": 193003513 + "size": 193003513, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -738,7 +765,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-23-03-09.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-23-03-09.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-23-03-09.zip", - "size": 188694996 + "size": 188694996, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-23-03-09.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -767,7 +795,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-23-03-09.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-23-03-09.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-23-03-09.zip", - "size": 184626937 + "size": 184626937, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-23-03-09.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -809,7 +838,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 188891565 + "size": 188891565, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "a342f28aaec", @@ -829,7 +859,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 188790907 + "size": 188790907, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "a342f28aaec", @@ -849,7 +880,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-21-03-09.tar.gz", - "size": 182276594 + "size": 182276594, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-191-ga342f28aaec", @@ -869,7 +901,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 187678422 + "size": 187678422, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-26-ga342f28aaec", @@ -889,7 +922,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 179475721 + "size": 179475721, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-26-ga342f28aaec", @@ -909,7 +943,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-20-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-20-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-20-23-34.tar.gz", - "size": 192104689 + "size": 192104689, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-20-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-191-ga342f28aaec", @@ -929,7 +964,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 191982821 + "size": 191982821, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "a342f28aaec", @@ -958,7 +994,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-21-03-09.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-21-03-09.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-21-03-09.zip", - "size": 188685330 + "size": 188685330, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-21-03-09.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-191-ga342f28aaec", @@ -987,7 +1024,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-21-03-09.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-21-03-09.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-21-03-09.zip", - "size": 184607457 + "size": 184607457, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-21-03-09.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-191-ga342f28aaec", @@ -1029,7 +1067,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 188896773 + "size": 188896773, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-14-g20418a26958", @@ -1058,7 +1097,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-16-10-58.tar.gz", - "size": 192948484 + "size": 192948484, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1078,7 +1118,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 188791964 + "size": 188791964, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-14-g20418a26958", @@ -1098,7 +1139,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-16-10-58.tar.gz", - "size": 182281944 + "size": 182281944, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1118,7 +1160,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 187650365 + "size": 187650365, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-23-g20418a26958", @@ -1138,7 +1181,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 179483622 + "size": 179483622, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-55-g20418a26958", @@ -1158,7 +1202,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-15-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-15-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-15-23-34.tar.gz", - "size": 192108731 + "size": 192108731, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-15-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1178,7 +1223,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 191985123 + "size": 191985123, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-14-g20418a26958", @@ -1207,7 +1253,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-16-10-58.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-16-10-58.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-16-10-58.zip", - "size": 188688539 + "size": 188688539, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-16-10-58.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1236,7 +1283,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-16-10-58.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-16-10-58.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-16-10-58.zip", - "size": 184612045 + "size": 184612045, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-16-10-58.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1278,7 +1326,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 188899456 + "size": 188899456, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "ce22197617d", @@ -1307,7 +1356,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-14-11-30.tar.gz", - "size": 192953428 + "size": 192953428, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1327,7 +1377,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 188792852 + "size": 188792852, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-66-gce22197617d", @@ -1347,7 +1398,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 187678600 + "size": 187678600, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "ce22197617d", @@ -1367,7 +1419,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 179480996 + "size": 179480996, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "ce22197617d", @@ -1387,7 +1440,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-13-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-13-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-13-23-34.tar.gz", - "size": 192105446 + "size": 192105446, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-13-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1407,7 +1461,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 191986856 + "size": 191986856, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "ce22197617d", @@ -1436,7 +1491,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-14-11-30.tar.gz", - "size": 192995067 + "size": 192995067, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1465,7 +1521,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-14-11-30.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-14-11-30.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-14-11-30.zip", - "size": 188686556 + "size": 188686556, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-14-11-30.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1494,7 +1551,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-14-11-30.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-14-11-30.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-14-11-30.zip", - "size": 184620492 + "size": 184620492, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-14-11-30.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1536,7 +1594,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 188896299 + "size": 188896299, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1565,7 +1624,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-09-12-54.tar.gz", - "size": 192941671 + "size": 192941671, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1585,7 +1645,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 188838708 + "size": 188838708, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-161-g3e7e5bc2003", @@ -1605,7 +1666,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-09-12-54.tar.gz", - "size": 182274073 + "size": 182274073, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-40-g3e7e5bc2003", @@ -1625,7 +1687,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 187666608 + "size": 187666608, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-40-g3e7e5bc2003", @@ -1645,7 +1708,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 179472325 + "size": 179472325, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-30-g3e7e5bc2003", @@ -1665,7 +1729,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-08-23-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-08-23-35.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-08-23-35.tar.gz", - "size": 192098387 + "size": 192098387, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-08-23-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1685,7 +1750,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 191983708 + "size": 191983708, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1714,7 +1780,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-09-12-54.tar.gz", - "size": 193004476 + "size": 193004476, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1743,7 +1810,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-09-12-54.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-09-12-54.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-09-12-54.zip", - "size": 188681640 + "size": 188681640, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-09-12-54.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1772,7 +1840,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-09-12-54.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-09-12-54.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-09-12-54.zip", - "size": 184605514 + "size": 184605514, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-09-12-54.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1823,7 +1892,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-07-11-35.tar.gz", - "size": 192962903 + "size": 192962903, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -1843,7 +1913,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-07-11-35.tar.gz", - "size": 188800217 + "size": 188800217, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "06428c22b61", @@ -1863,7 +1934,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-07-11-35.tar.gz", - "size": 187663978 + "size": 187663978, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-78-g06428c22b61", @@ -1883,7 +1955,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-07-11-35.tar.gz", - "size": 179496669 + "size": 179496669, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-78-g06428c22b61", @@ -1903,7 +1976,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-06-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-06-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-06-23-34.tar.gz", - "size": 192113242 + "size": 192113242, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-06-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -1923,7 +1997,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-07-11-35.tar.gz", - "size": 192021951 + "size": 192021951, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -1952,7 +2027,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-07-11-35.tar.gz", - "size": 193018554 + "size": 193018554, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -1981,7 +2057,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-07-11-35.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-07-11-35.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-07-11-35.zip", - "size": 188702463 + "size": 188702463, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-07-11-35.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -2023,7 +2100,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 188953178 + "size": 188953178, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2052,7 +2130,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-02-12-00.tar.gz", - "size": 192957934 + "size": 192957934, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2072,7 +2151,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 188797466 + "size": 188797466, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-43-g6d3debb5c12", @@ -2092,7 +2172,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-02-12-00.tar.gz", - "size": 182292580 + "size": 182292580, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2112,7 +2193,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 187684930 + "size": 187684930, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-64-g6d3debb5c12", @@ -2132,7 +2214,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 179484390 + "size": 179484390, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-54-g6d3debb5c12", @@ -2152,7 +2235,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-01-23-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-01-23-30.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-01-23-30.tar.gz", - "size": 192114561 + "size": 192114561, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-01-23-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2172,7 +2256,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 192014644 + "size": 192014644, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2201,7 +2286,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-02-12-00.tar.gz", - "size": 192425033 + "size": 192425033, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2230,7 +2316,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-02-12-00.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-02-12-00.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-02-12-00.zip", - "size": 188697393 + "size": 188697393, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-02-12-00.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2259,7 +2346,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-02-12-00.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-02-12-00.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-02-12-00.zip", - "size": 184618232 + "size": 184618232, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-02-12-00.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2301,7 +2389,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 188940191 + "size": 188940191, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2330,7 +2419,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-06-30-09-16.tar.gz", - "size": 192953718 + "size": 192953718, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2350,7 +2440,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 188795343 + "size": 188795343, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "0fe0d0825e7", @@ -2370,7 +2461,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-06-30-09-16.tar.gz", - "size": 182285782 + "size": 182285782, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "0fe0d0825e7", @@ -2390,7 +2482,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 187652430 + "size": 187652430, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "0fe0d0825e7", @@ -2410,7 +2503,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 179489547 + "size": 179489547, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "0fe0d0825e7", @@ -2430,7 +2524,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-06-29-23-33.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-06-29-23-33.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-06-29-23-33.tar.gz", - "size": 192109453 + "size": 192109453, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-06-29-23-33.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2450,7 +2545,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 192013559 + "size": 192013559, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2479,7 +2575,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-06-30-09-16.tar.gz", - "size": 192419518 + "size": 192419518, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2508,7 +2605,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-06-30-09-16.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-06-30-09-16.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-06-30-09-16.zip", - "size": 188672489 + "size": 188672489, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-06-30-09-16.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2537,7 +2635,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-06-30-09-16.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-06-30-09-16.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-06-30-09-16.zip", - "size": 184626094 + "size": 184626094, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-06-30-09-16.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-132-g23fbf51b850", diff --git a/__tests__/distributors/base-installer.test.ts b/__tests__/distributors/base-installer.test.ts index 2a0b13ab1..7497b06a3 100644 --- a/__tests__/distributors/base-installer.test.ts +++ b/__tests__/distributors/base-installer.test.ts @@ -464,6 +464,24 @@ describe('setupJava', () => { } ); + it('should fail when verify-signature is enabled for unsupported distributions', async () => { + mockJavaBase = new EmptyJavaBase({ + version: '11', + architecture: 'x86', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }); + + await expect(mockJavaBase.setupJava()).rejects.toThrow( + "Input 'verify-signature' is not supported for distribution 'Empty'." + ); + expect(spyTcFindAllVersions).not.toHaveBeenCalled(); + expect(spyCoreAddPath).not.toHaveBeenCalled(); + expect(spyCoreExportVariable).not.toHaveBeenCalled(); + expect(spyCoreSetOutput).not.toHaveBeenCalled(); + }); + it.each([ [ { diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index 161a2d087..995cdd992 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -1,10 +1,14 @@ import {HttpClient} from '@actions/http-client'; +import * as tc from '@actions/tool-cache'; +import fs from 'fs'; import os from 'os'; import { TemurinDistribution, TemurinImplementation } from '../../src/distributions/temurin/installer'; import {JavaInstallerOptions} from '../../src/distributions/base-models'; +import * as util from '../../src/util'; +import * as gpg from '../../src/gpg'; import manifestData from '../data/temurin.json'; import * as core from '@actions/core'; @@ -231,6 +235,7 @@ describe('findPackageForDownload', () => { distribution['getAvailableVersions'] = async () => manifestData as any; const resolvedVersion = await distribution['findPackageForDownload'](input); expect(resolvedVersion.version).toBe(expected); + expect(resolvedVersion.signatureUrl).toBeTruthy(); }); it('version is found but binaries list is empty', async () => { @@ -281,3 +286,78 @@ describe('findPackageForDownload', () => { ); }); }); + +describe('downloadTool', () => { + let spyDownloadTool: jest.SpyInstance; + let spyVerifySignature: jest.SpyInstance; + let spyExtractJdkFile: jest.SpyInstance; + let spyCacheDir: jest.SpyInstance; + let spyReadDirSync: jest.SpyInstance; + + beforeEach(() => { + spyDownloadTool = jest.spyOn(tc, 'downloadTool'); + spyDownloadTool.mockResolvedValue('/tmp/jdk.tar.gz'); + spyVerifySignature = jest.spyOn(gpg, 'verifyPackageSignature'); + spyVerifySignature.mockResolvedValue(undefined); + spyExtractJdkFile = jest.spyOn(util, 'extractJdkFile'); + spyExtractJdkFile.mockResolvedValue('/tmp/extracted'); + spyCacheDir = jest.spyOn(tc, 'cacheDir'); + spyCacheDir.mockResolvedValue('/tmp/toolcache'); + spyReadDirSync = jest.spyOn(fs, 'readdirSync'); + spyReadDirSync.mockReturnValue(['jdk-17'] as any); + }); + + afterEach(() => { + jest.resetAllMocks(); + jest.clearAllMocks(); + jest.restoreAllMocks(); + }); + + it('verifies signature when enabled', async () => { + const distribution = new TemurinDistribution( + { + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }, + TemurinImplementation.Hotspot + ); + + await distribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz', + signatureUrl: 'https://example.com/jdk.tar.gz.sig' + }); + + expect(spyVerifySignature).toHaveBeenCalledWith( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ); + }); + + it('fails when signature is missing and verification is enabled', async () => { + const distribution = new TemurinDistribution( + { + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }, + TemurinImplementation.Hotspot + ); + + await expect( + distribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz' + }) + ).rejects.toThrow( + "Input 'verify-signature' is enabled, but no signature URL was found" + ); + expect(spyVerifySignature).not.toHaveBeenCalled(); + }); +}); diff --git a/__tests__/gpg.test.ts b/__tests__/gpg.test.ts index 1c981b3f5..f9b227ce5 100644 --- a/__tests__/gpg.test.ts +++ b/__tests__/gpg.test.ts @@ -1,6 +1,7 @@ import * as path from 'path'; import * as io from '@actions/io'; import * as exec from '@actions/exec'; +import * as tc from '@actions/tool-cache'; import * as gpg from '../src/gpg'; jest.mock('@actions/exec', () => { @@ -9,6 +10,12 @@ jest.mock('@actions/exec', () => { }; }); +jest.mock('@actions/tool-cache', () => { + return { + downloadTool: jest.fn() + }; +}); + const tempDir = path.join(__dirname, 'runner', 'temp'); process.env['RUNNER_TEMP'] = tempDir; @@ -51,5 +58,37 @@ describe('gpg tests', () => { expect.anything() ); }); + + describe('verifyPackageSignature', () => { + it('downloads signature and verifies package', async () => { + (tc.downloadTool as jest.Mock).mockResolvedValue('/tmp/jdk.tar.gz.sig'); + await gpg.verifyPackageSignature( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig' + ); + + expect(tc.downloadTool).toHaveBeenCalledWith( + 'https://example.com/jdk.tar.gz.sig' + ); + expect(exec.exec).toHaveBeenNthCalledWith( + 1, + 'gpg', + [ + '--batch', + '--keyserver', + 'keyserver.ubuntu.com', + '--recv-keys', + gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ], + expect.objectContaining({silent: true}) + ); + expect(exec.exec).toHaveBeenNthCalledWith( + 2, + 'gpg', + ['--batch', '--verify', '/tmp/jdk.tar.gz.sig', '/tmp/jdk.tar.gz'], + expect.objectContaining({silent: true}) + ); + }); + }); }); }); diff --git a/action.yml b/action.yml index 21a4269d7..10f237589 100644 --- a/action.yml +++ b/action.yml @@ -24,6 +24,10 @@ inputs: description: 'Set this option if you want the action to check for the latest available version that satisfies the version spec' required: false default: false + verify-signature: + description: 'Verify downloaded Java package signatures when supported by the selected distribution' + required: false + default: false server-id: description: 'ID of the distributionManagement repository in the pom.xml file. Default is `github`' diff --git a/src/constants.ts b/src/constants.ts index 93af286f8..e80ad07de 100644 --- a/src/constants.ts +++ b/src/constants.ts @@ -6,6 +6,7 @@ export const INPUT_JAVA_PACKAGE = 'java-package'; export const INPUT_DISTRIBUTION = 'distribution'; export const INPUT_JDK_FILE = 'jdkFile'; export const INPUT_CHECK_LATEST = 'check-latest'; +export const INPUT_VERIFY_SIGNATURE = 'verify-signature'; export const INPUT_SERVER_ID = 'server-id'; export const INPUT_SERVER_USERNAME = 'server-username'; export const INPUT_SERVER_PASSWORD = 'server-password'; diff --git a/src/distributions/base-installer.ts b/src/distributions/base-installer.ts index 5d9f3c82a..7c485e7ad 100644 --- a/src/distributions/base-installer.ts +++ b/src/distributions/base-installer.ts @@ -20,6 +20,7 @@ export abstract class JavaBase { protected packageType: string; protected stable: boolean; protected checkLatest: boolean; + protected verifySignature: boolean; constructor( protected distribution: string, @@ -36,6 +37,7 @@ export abstract class JavaBase { this.architecture = installerOptions.architecture || os.arch(); this.packageType = installerOptions.packageType; this.checkLatest = installerOptions.checkLatest; + this.verifySignature = installerOptions.verifySignature ?? false; } protected abstract downloadTool( @@ -46,6 +48,12 @@ export abstract class JavaBase { ): Promise; public async setupJava(): Promise { + if (this.verifySignature && !this.supportsSignatureVerification()) { + throw new Error( + `Input 'verify-signature' is not supported for distribution '${this.distribution}'.` + ); + } + let foundJava = this.findInToolcache(); if (foundJava && !this.checkLatest) { core.info(`Resolved Java ${foundJava.version} from tool-cache`); @@ -179,6 +187,10 @@ export abstract class JavaBase { return `Java_${this.distribution}_${this.packageType}`; } + protected supportsSignatureVerification(): boolean { + return false; + } + protected getToolcacheVersionName(version: string): string { if (!this.stable) { if (version.includes('+')) { diff --git a/src/distributions/base-models.ts b/src/distributions/base-models.ts index 82344d585..0945d3067 100644 --- a/src/distributions/base-models.ts +++ b/src/distributions/base-models.ts @@ -3,6 +3,7 @@ export interface JavaInstallerOptions { architecture: string; packageType: string; checkLatest: boolean; + verifySignature?: boolean; } export interface JavaInstallerResults { @@ -13,4 +14,5 @@ export interface JavaInstallerResults { export interface JavaDownloadRelease { version: string; url: string; + signatureUrl?: string; } diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index 109c2d413..6e0ba16fd 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -4,6 +4,7 @@ import * as tc from '@actions/tool-cache'; import fs from 'fs'; import path from 'path'; import semver from 'semver'; +import * as gpg from '../../gpg'; import {JavaBase} from '../base-installer'; import {ITemurinAvailableVersions} from './models'; @@ -50,7 +51,8 @@ export class TemurinDistribution extends JavaBase { : item.version_data.semver.replace('-beta+', '+'); return { version: formattedVersion, - url: item.binaries[0].package.link + url: item.binaries[0].package.link, + signatureUrl: item.binaries[0].package.signature_link } as JavaDownloadRelease; }); @@ -80,6 +82,28 @@ export class TemurinDistribution extends JavaBase { ); let javaArchivePath = await tc.downloadTool(javaRelease.url); + if (this.verifySignature) { + if (!javaRelease.signatureUrl) { + throw new Error( + `Input 'verify-signature' is enabled, but no signature URL was found for Temurin version ${javaRelease.version}.` + ); + } + core.info(`Verifying Java package signature...`); + try { + await gpg.verifyPackageSignature( + javaArchivePath, + javaRelease.signatureUrl, + gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ); + } catch (error) { + throw new Error( + `Failed to verify signature for Temurin version ${javaRelease.version}: ${ + (error as Error).message + }` + ); + } + } + core.info(`Extracting Java archive...`); const extension = getDownloadArchiveExtension(); if (process.platform === 'win32') { @@ -105,6 +129,10 @@ export class TemurinDistribution extends JavaBase { return super.toolcacheFolderName; } + protected supportsSignatureVerification(): boolean { + return true; + } + private async getAvailableVersions(): Promise { const platform = this.getPlatformOption(); const arch = this.distributionArchitecture(); diff --git a/src/distributions/temurin/models.ts b/src/distributions/temurin/models.ts index eb4b49b7b..c5bff9020 100644 --- a/src/distributions/temurin/models.ts +++ b/src/distributions/temurin/models.ts @@ -11,6 +11,7 @@ export interface ITemurinAvailableVersions { package: { checksum: string; checksum_link: string; + signature_link?: string; download_count: number; link: string; metadata_link: string; diff --git a/src/gpg.ts b/src/gpg.ts index 3b74c1516..32b9559d0 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -2,10 +2,13 @@ import * as fs from 'fs'; import * as path from 'path'; import * as io from '@actions/io'; import * as exec from '@actions/exec'; +import * as tc from '@actions/tool-cache'; import * as util from './util'; import {ExecOptions} from '@actions/exec/lib/interfaces'; export const PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); +export const ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = + '3B04D753C9050D9A5D343F39843C48A565F8F04B'; const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; @@ -53,3 +56,38 @@ export async function deleteKey(keyFingerprint: string) { } ); } + +export async function verifyPackageSignature( + archivePath: string, + signatureUrl: string, + keyFingerprint = ADOPTIUM_SIGNATURE_KEY_FINGERPRINT +) { + const signaturePath = await tc.downloadTool(signatureUrl); + const gpgHome = fs.mkdtempSync( + path.join(util.getTempDir(), 'verify-signature-gpg-home-') + ); + const env = {...process.env, GNUPGHOME: gpgHome}; + + try { + const options: ExecOptions = {silent: true, env}; + await exec.exec( + 'gpg', + [ + '--batch', + '--keyserver', + 'keyserver.ubuntu.com', + '--recv-keys', + keyFingerprint + ], + options + ); + await exec.exec( + 'gpg', + ['--batch', '--verify', signaturePath, archivePath], + options + ); + } finally { + await io.rmRF(signaturePath); + await io.rmRF(gpgHome); + } +} diff --git a/src/setup-java.ts b/src/setup-java.ts index 73baf33a7..529314178 100644 --- a/src/setup-java.ts +++ b/src/setup-java.ts @@ -28,6 +28,10 @@ async function run() { constants.INPUT_CACHE_DEPENDENCY_PATH ); const checkLatest = getBooleanInput(constants.INPUT_CHECK_LATEST, false); + const verifySignature = getBooleanInput( + constants.INPUT_VERIFY_SIGNATURE, + false + ); let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID); core.startGroup('Installed distributions'); @@ -44,6 +48,7 @@ async function run() { architecture, packageType, checkLatest, + verifySignature, distributionName, jdkFile, toolchainIds @@ -100,6 +105,7 @@ async function installVersion( architecture, packageType, checkLatest, + verifySignature, toolchainIds } = options; @@ -107,6 +113,7 @@ async function installVersion( architecture, packageType, checkLatest, + verifySignature, version }; @@ -141,6 +148,7 @@ interface installerInputsOptions { architecture: string; packageType: string; checkLatest: boolean; + verifySignature: boolean; distributionName: string; jdkFile: string; toolchainIds: Array; From 39460f2cc0f16ec5e0c114bab4a99b3901fdf69e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 17 Jun 2026 14:23:46 +0000 Subject: [PATCH 02/22] Rebuild dist after signature verification changes --- dist/cleanup/index.js | 30 +++++++++++++++++++-- dist/setup/index.js | 62 ++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 86 insertions(+), 6 deletions(-) diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index 4f3f4f1ae..c489afa28 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -51996,7 +51996,7 @@ else { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -52005,6 +52005,7 @@ exports.INPUT_JAVA_PACKAGE = 'java-package'; exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; +exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; @@ -52066,13 +52067,15 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); const exec = __importStar(__nccwpck_require__(95236)); +const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); +exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; function importKey(privateKey) { return __awaiter(this, void 0, void 0, function* () { @@ -52110,6 +52113,29 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; +function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { + return __awaiter(this, void 0, void 0, function* () { + const signaturePath = yield tc.downloadTool(signatureUrl); + const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + try { + const options = { silent: true, env }; + yield exec.exec('gpg', [ + '--batch', + '--keyserver', + 'keyserver.ubuntu.com', + '--recv-keys', + keyFingerprint + ], options); + yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); + } + finally { + yield io.rmRF(signaturePath); + yield io.rmRF(gpgHome); + } + }); +} +exports.verifyPackageSignature = verifyPackageSignature; /***/ }), diff --git a/dist/setup/index.js b/dist/setup/index.js index f393386bb..98a96e6eb 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -77755,7 +77755,7 @@ function isProbablyGradleDaemonProblem(packageManager, error) { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -77764,6 +77764,7 @@ exports.INPUT_JAVA_PACKAGE = 'java-package'; exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; +exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; @@ -78063,6 +78064,7 @@ const constants_1 = __nccwpck_require__(27242); const os_1 = __importDefault(__nccwpck_require__(70857)); class JavaBase { constructor(distribution, installerOptions) { + var _a; this.distribution = distribution; this.http = new httpm.HttpClient('actions/setup-java', undefined, { allowRetries: true, @@ -78072,10 +78074,14 @@ class JavaBase { this.architecture = installerOptions.architecture || os_1.default.arch(); this.packageType = installerOptions.packageType; this.checkLatest = installerOptions.checkLatest; + this.verifySignature = (_a = installerOptions.verifySignature) !== null && _a !== void 0 ? _a : false; } setupJava() { var _a, _b; return __awaiter(this, void 0, void 0, function* () { + if (this.verifySignature && !this.supportsSignatureVerification()) { + throw new Error(`Input 'verify-signature' is not supported for distribution '${this.distribution}'.`); + } let foundJava = this.findInToolcache(); if (foundJava && !this.checkLatest) { core.info(`Resolved Java ${foundJava.version} from tool-cache`); @@ -78195,6 +78201,9 @@ class JavaBase { get toolcacheFolderName() { return `Java_${this.distribution}_${this.packageType}`; } + supportsSignatureVerification() { + return false; + } getToolcacheVersionName(version) { if (!this.stable) { if (version.includes('+')) { @@ -80244,6 +80253,7 @@ const tc = __importStar(__nccwpck_require__(33472)); const fs_1 = __importDefault(__nccwpck_require__(79896)); const path_1 = __importDefault(__nccwpck_require__(16928)); const semver_1 = __importDefault(__nccwpck_require__(62088)); +const gpg = __importStar(__nccwpck_require__(88343)); const base_installer_1 = __nccwpck_require__(79935); const util_1 = __nccwpck_require__(54527); var TemurinImplementation; @@ -80270,7 +80280,8 @@ class TemurinDistribution extends base_installer_1.JavaBase { : item.version_data.semver.replace('-beta+', '+'); return { version: formattedVersion, - url: item.binaries[0].package.link + url: item.binaries[0].package.link, + signatureUrl: item.binaries[0].package.signature_link }; }); const satisfiedVersions = availableVersionsWithBinaries @@ -80290,6 +80301,18 @@ class TemurinDistribution extends base_installer_1.JavaBase { return __awaiter(this, void 0, void 0, function* () { core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`); let javaArchivePath = yield tc.downloadTool(javaRelease.url); + if (this.verifySignature) { + if (!javaRelease.signatureUrl) { + throw new Error(`Input 'verify-signature' is enabled, but no signature URL was found for Temurin version ${javaRelease.version}.`); + } + core.info(`Verifying Java package signature...`); + try { + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT); + } + catch (error) { + throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version}: ${error.message}`); + } + } core.info(`Extracting Java archive...`); const extension = (0, util_1.getDownloadArchiveExtension)(); if (process.platform === 'win32') { @@ -80306,6 +80329,9 @@ class TemurinDistribution extends base_installer_1.JavaBase { get toolcacheFolderName() { return super.toolcacheFolderName; } + supportsSignatureVerification() { + return true; + } getAvailableVersions() { return __awaiter(this, void 0, void 0, function* () { const platform = this.getPlatformOption(); @@ -80598,13 +80624,15 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); const exec = __importStar(__nccwpck_require__(95236)); +const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); +exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; function importKey(privateKey) { return __awaiter(this, void 0, void 0, function* () { @@ -80642,6 +80670,29 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; +function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { + return __awaiter(this, void 0, void 0, function* () { + const signaturePath = yield tc.downloadTool(signatureUrl); + const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + try { + const options = { silent: true, env }; + yield exec.exec('gpg', [ + '--batch', + '--keyserver', + 'keyserver.ubuntu.com', + '--recv-keys', + keyFingerprint + ], options); + yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); + } + finally { + yield io.rmRF(signaturePath); + yield io.rmRF(gpgHome); + } + }); +} +exports.verifyPackageSignature = verifyPackageSignature; /***/ }), @@ -80710,6 +80761,7 @@ function run() { const cache = core.getInput(constants.INPUT_CACHE); const cacheDependencyPath = core.getInput(constants.INPUT_CACHE_DEPENDENCY_PATH); const checkLatest = (0, util_1.getBooleanInput)(constants.INPUT_CHECK_LATEST, false); + const verifySignature = (0, util_1.getBooleanInput)(constants.INPUT_VERIFY_SIGNATURE, false); let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID); core.startGroup('Installed distributions'); if (versions.length !== toolchainIds.length) { @@ -80722,6 +80774,7 @@ function run() { architecture, packageType, checkLatest, + verifySignature, distributionName, jdkFile, toolchainIds @@ -80755,11 +80808,12 @@ function run() { run(); function installVersion(version, options, toolchainId = 0) { return __awaiter(this, void 0, void 0, function* () { - const { distributionName, jdkFile, architecture, packageType, checkLatest, toolchainIds } = options; + const { distributionName, jdkFile, architecture, packageType, checkLatest, verifySignature, toolchainIds } = options; const installerOptions = { architecture, packageType, checkLatest, + verifySignature, version }; const distribution = (0, distribution_factory_1.getJavaDistribution)(distributionName, installerOptions, jdkFile); From 70770c9dd21ad78995646be99e6ccb448da0f441 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 17 Jun 2026 14:26:14 +0000 Subject: [PATCH 03/22] Refine signature verification errors and regenerate dist --- __tests__/distributors/temurin-installer.test.ts | 2 +- dist/cleanup/index.js | 9 ++++++++- dist/setup/index.js | 11 +++++++++-- src/distributions/temurin/installer.ts | 2 +- src/gpg.ts | 16 +++++++++++++--- 5 files changed, 32 insertions(+), 8 deletions(-) diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index 995cdd992..f4dd02c75 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -235,7 +235,7 @@ describe('findPackageForDownload', () => { distribution['getAvailableVersions'] = async () => manifestData as any; const resolvedVersion = await distribution['findPackageForDownload'](input); expect(resolvedVersion.version).toBe(expected); - expect(resolvedVersion.signatureUrl).toBeTruthy(); + expect(resolvedVersion.signatureUrl).toBeDefined(); }); it('version is found but binaries list is empty', async () => { diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index c489afa28..f4ff7e96e 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52116,12 +52116,19 @@ exports.deleteKey = deleteKey; function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); - const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + let gpgHome; + try { + gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + } + catch (error) { + throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); + } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); try { const options = { silent: true, env }; yield exec.exec('gpg', [ '--batch', + // Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval. '--keyserver', 'keyserver.ubuntu.com', '--recv-keys', diff --git a/dist/setup/index.js b/dist/setup/index.js index 98a96e6eb..9fe3700ca 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -80310,7 +80310,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT); } catch (error) { - throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version}: ${error.message}`); + throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); } } core.info(`Extracting Java archive...`); @@ -80673,12 +80673,19 @@ exports.deleteKey = deleteKey; function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); - const gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + let gpgHome; + try { + gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + } + catch (error) { + throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); + } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); try { const options = { silent: true, env }; yield exec.exec('gpg', [ '--batch', + // Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval. '--keyserver', 'keyserver.ubuntu.com', '--recv-keys', diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index 6e0ba16fd..68750aaa2 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -97,7 +97,7 @@ export class TemurinDistribution extends JavaBase { ); } catch (error) { throw new Error( - `Failed to verify signature for Temurin version ${javaRelease.version}: ${ + `Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${ (error as Error).message }` ); diff --git a/src/gpg.ts b/src/gpg.ts index 32b9559d0..0a38c71ab 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -63,9 +63,18 @@ export async function verifyPackageSignature( keyFingerprint = ADOPTIUM_SIGNATURE_KEY_FINGERPRINT ) { const signaturePath = await tc.downloadTool(signatureUrl); - const gpgHome = fs.mkdtempSync( - path.join(util.getTempDir(), 'verify-signature-gpg-home-') - ); + let gpgHome: string; + try { + gpgHome = fs.mkdtempSync( + path.join(util.getTempDir(), 'verify-signature-gpg-home-') + ); + } catch (error) { + throw new Error( + `Failed to create temporary GPG home directory for signature verification: ${ + (error as Error).message + }` + ); + } const env = {...process.env, GNUPGHOME: gpgHome}; try { @@ -74,6 +83,7 @@ export async function verifyPackageSignature( 'gpg', [ '--batch', + // Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval. '--keyserver', 'keyserver.ubuntu.com', '--recv-keys', From b2f4bcbe5fc942968b2ff3ddec0c70b1e930d4a4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 17 Jun 2026 14:35:08 +0000 Subject: [PATCH 04/22] refactor: make gpg.ts generic, move Adoptium-specific constant to temurin distribution --- __tests__/distributors/temurin-installer.test.ts | 5 +++-- __tests__/gpg.test.ts | 6 ++++-- dist/cleanup/index.js | 6 ++---- dist/setup/index.js | 11 +++++------ src/distributions/temurin/installer.ts | 5 ++++- src/gpg.ts | 5 +---- 6 files changed, 19 insertions(+), 19 deletions(-) diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index f4dd02c75..c9d992bb6 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -4,7 +4,8 @@ import fs from 'fs'; import os from 'os'; import { TemurinDistribution, - TemurinImplementation + TemurinImplementation, + ADOPTIUM_SIGNATURE_KEY_FINGERPRINT } from '../../src/distributions/temurin/installer'; import {JavaInstallerOptions} from '../../src/distributions/base-models'; import * as util from '../../src/util'; @@ -334,7 +335,7 @@ describe('downloadTool', () => { expect(spyVerifySignature).toHaveBeenCalledWith( '/tmp/jdk.tar.gz', 'https://example.com/jdk.tar.gz.sig', - gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ADOPTIUM_SIGNATURE_KEY_FINGERPRINT ); }); diff --git a/__tests__/gpg.test.ts b/__tests__/gpg.test.ts index f9b227ce5..9649c7c83 100644 --- a/__tests__/gpg.test.ts +++ b/__tests__/gpg.test.ts @@ -61,10 +61,12 @@ describe('gpg tests', () => { describe('verifyPackageSignature', () => { it('downloads signature and verifies package', async () => { + const testFingerprint = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; (tc.downloadTool as jest.Mock).mockResolvedValue('/tmp/jdk.tar.gz.sig'); await gpg.verifyPackageSignature( '/tmp/jdk.tar.gz', - 'https://example.com/jdk.tar.gz.sig' + 'https://example.com/jdk.tar.gz.sig', + testFingerprint ); expect(tc.downloadTool).toHaveBeenCalledWith( @@ -78,7 +80,7 @@ describe('gpg tests', () => { '--keyserver', 'keyserver.ubuntu.com', '--recv-keys', - gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + testFingerprint ], expect.objectContaining({silent: true}) ); diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index f4ff7e96e..c11397fc3 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52067,7 +52067,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); @@ -52075,7 +52075,6 @@ const exec = __importStar(__nccwpck_require__(95236)); const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); -exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; function importKey(privateKey) { return __awaiter(this, void 0, void 0, function* () { @@ -52113,7 +52112,7 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; -function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { +function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); let gpgHome; @@ -52128,7 +52127,6 @@ function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = expo const options = { silent: true, env }; yield exec.exec('gpg', [ '--batch', - // Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval. '--keyserver', 'keyserver.ubuntu.com', '--recv-keys', diff --git a/dist/setup/index.js b/dist/setup/index.js index 9fe3700ca..b1658252f 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -80247,7 +80247,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.TemurinDistribution = exports.TemurinImplementation = void 0; +exports.TemurinDistribution = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.TemurinImplementation = void 0; const core = __importStar(__nccwpck_require__(37484)); const tc = __importStar(__nccwpck_require__(33472)); const fs_1 = __importDefault(__nccwpck_require__(79896)); @@ -80260,6 +80260,7 @@ var TemurinImplementation; (function (TemurinImplementation) { TemurinImplementation["Hotspot"] = "Hotspot"; })(TemurinImplementation || (exports.TemurinImplementation = TemurinImplementation = {})); +exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; class TemurinDistribution extends base_installer_1.JavaBase { constructor(installerOptions, jvmImpl) { super(`Temurin-${jvmImpl}`, installerOptions); @@ -80307,7 +80308,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { } core.info(`Verifying Java package signature...`); try { - yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT); + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT); } catch (error) { throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); @@ -80624,7 +80625,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); @@ -80632,7 +80633,6 @@ const exec = __importStar(__nccwpck_require__(95236)); const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); -exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; function importKey(privateKey) { return __awaiter(this, void 0, void 0, function* () { @@ -80670,7 +80670,7 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; -function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT) { +function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); let gpgHome; @@ -80685,7 +80685,6 @@ function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint = expo const options = { silent: true, env }; yield exec.exec('gpg', [ '--batch', - // Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval. '--keyserver', 'keyserver.ubuntu.com', '--recv-keys', diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index 68750aaa2..bb22cc438 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -27,6 +27,9 @@ export enum TemurinImplementation { Hotspot = 'Hotspot' } +export const ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = + '3B04D753C9050D9A5D343F39843C48A565F8F04B'; + export class TemurinDistribution extends JavaBase { constructor( installerOptions: JavaInstallerOptions, @@ -93,7 +96,7 @@ export class TemurinDistribution extends JavaBase { await gpg.verifyPackageSignature( javaArchivePath, javaRelease.signatureUrl, - gpg.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ADOPTIUM_SIGNATURE_KEY_FINGERPRINT ); } catch (error) { throw new Error( diff --git a/src/gpg.ts b/src/gpg.ts index 0a38c71ab..e346b5c69 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -7,8 +7,6 @@ import * as util from './util'; import {ExecOptions} from '@actions/exec/lib/interfaces'; export const PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); -export const ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = - '3B04D753C9050D9A5D343F39843C48A565F8F04B'; const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; @@ -60,7 +58,7 @@ export async function deleteKey(keyFingerprint: string) { export async function verifyPackageSignature( archivePath: string, signatureUrl: string, - keyFingerprint = ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + keyFingerprint: string ) { const signaturePath = await tc.downloadTool(signatureUrl); let gpgHome: string; @@ -83,7 +81,6 @@ export async function verifyPackageSignature( 'gpg', [ '--batch', - // Adoptium release-signing docs recommend keyserver.ubuntu.com for key retrieval. '--keyserver', 'keyserver.ubuntu.com', '--recv-keys', From fc8acd099a63b3872b1483d05682a17656f7a3f8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 17 Jun 2026 14:52:21 +0000 Subject: [PATCH 05/22] fix: mock renameWinArchive in temurin tests and add signature e2e job --- .github/workflows/e2e-versions.yml | 23 +++++++++++++++++++ .../distributors/temurin-installer.test.ts | 3 +++ 2 files changed, 26 insertions(+) diff --git a/.github/workflows/e2e-versions.yml b/.github/workflows/e2e-versions.yml index 7dc8d8a71..47eaf0218 100644 --- a/.github/workflows/e2e-versions.yml +++ b/.github/workflows/e2e-versions.yml @@ -292,6 +292,29 @@ jobs: run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" shell: bash + setup-java-temurin-signature-verification: + name: temurin ${{ matrix.version }} signature verification - ${{ matrix.os }} + needs: setup-java-major-minor-versions + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: [macos-latest, windows-latest, ubuntu-latest] + version: ['21', '17'] + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: setup-java with signature verification + uses: ./ + id: setup-java + with: + java-version: ${{ matrix.version }} + distribution: temurin + verify-signature: true + - name: Verify Java + run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + shell: bash + setup-java-ea-versions-sapmachine: name: sapmachine ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }} needs: setup-java-major-minor-versions diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index c9d992bb6..0e168446b 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -294,6 +294,7 @@ describe('downloadTool', () => { let spyExtractJdkFile: jest.SpyInstance; let spyCacheDir: jest.SpyInstance; let spyReadDirSync: jest.SpyInstance; + let spyRenameWinArchive: jest.SpyInstance; beforeEach(() => { spyDownloadTool = jest.spyOn(tc, 'downloadTool'); @@ -306,6 +307,8 @@ describe('downloadTool', () => { spyCacheDir.mockResolvedValue('/tmp/toolcache'); spyReadDirSync = jest.spyOn(fs, 'readdirSync'); spyReadDirSync.mockReturnValue(['jdk-17'] as any); + spyRenameWinArchive = jest.spyOn(util, 'renameWinArchive'); + spyRenameWinArchive.mockReturnValue('/tmp/jdk.tar.gz.zip'); }); afterEach(() => { From a3589a9fc68b4d9053a0fc89659d7a00d27e929c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 24 Jun 2026 10:17:06 +0000 Subject: [PATCH 06/22] refactor: bundle Adoptium public key, replace keyserver lookup with local import --- .../distributors/temurin-installer.test.ts | 4 +- __tests__/gpg.test.ts | 14 ++---- dist/cleanup/index.js | 12 ++--- dist/setup/index.js | 50 +++++++++++++++---- src/distributions/temurin/installer.ts | 37 ++++++++++++-- src/gpg.ts | 16 ++---- 6 files changed, 87 insertions(+), 46 deletions(-) diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index 0e168446b..e3b67d9a4 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -5,7 +5,7 @@ import os from 'os'; import { TemurinDistribution, TemurinImplementation, - ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ADOPTIUM_PUBLIC_KEY } from '../../src/distributions/temurin/installer'; import {JavaInstallerOptions} from '../../src/distributions/base-models'; import * as util from '../../src/util'; @@ -338,7 +338,7 @@ describe('downloadTool', () => { expect(spyVerifySignature).toHaveBeenCalledWith( '/tmp/jdk.tar.gz', 'https://example.com/jdk.tar.gz.sig', - ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ADOPTIUM_PUBLIC_KEY ); }); diff --git a/__tests__/gpg.test.ts b/__tests__/gpg.test.ts index 9649c7c83..655077fb5 100644 --- a/__tests__/gpg.test.ts +++ b/__tests__/gpg.test.ts @@ -60,13 +60,13 @@ describe('gpg tests', () => { }); describe('verifyPackageSignature', () => { - it('downloads signature and verifies package', async () => { - const testFingerprint = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; + it('imports bundled key and verifies package', async () => { + const publicKeyContent = '-----BEGIN PGP PUBLIC KEY BLOCK-----\ntest\n-----END PGP PUBLIC KEY BLOCK-----'; (tc.downloadTool as jest.Mock).mockResolvedValue('/tmp/jdk.tar.gz.sig'); await gpg.verifyPackageSignature( '/tmp/jdk.tar.gz', 'https://example.com/jdk.tar.gz.sig', - testFingerprint + publicKeyContent ); expect(tc.downloadTool).toHaveBeenCalledWith( @@ -75,13 +75,7 @@ describe('gpg tests', () => { expect(exec.exec).toHaveBeenNthCalledWith( 1, 'gpg', - [ - '--batch', - '--keyserver', - 'keyserver.ubuntu.com', - '--recv-keys', - testFingerprint - ], + ['--batch', '--import', expect.stringContaining('public-key.asc')], expect.objectContaining({silent: true}) ); expect(exec.exec).toHaveBeenNthCalledWith( diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index c11397fc3..76511f989 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52112,7 +52112,7 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; -function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { +function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); let gpgHome; @@ -52123,15 +52123,11 @@ function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); try { + fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); const options = { silent: true, env }; - yield exec.exec('gpg', [ - '--batch', - '--keyserver', - 'keyserver.ubuntu.com', - '--recv-keys', - keyFingerprint - ], options); + yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); } finally { diff --git a/dist/setup/index.js b/dist/setup/index.js index b1658252f..f22f71bfe 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -80247,7 +80247,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.TemurinDistribution = exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = exports.TemurinImplementation = void 0; +exports.TemurinDistribution = exports.ADOPTIUM_PUBLIC_KEY = exports.TemurinImplementation = void 0; const core = __importStar(__nccwpck_require__(37484)); const tc = __importStar(__nccwpck_require__(33472)); const fs_1 = __importDefault(__nccwpck_require__(79896)); @@ -80260,7 +80260,39 @@ var TemurinImplementation; (function (TemurinImplementation) { TemurinImplementation["Hotspot"] = "Hotspot"; })(TemurinImplementation || (exports.TemurinImplementation = TemurinImplementation = {})); -exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = '3B04D753C9050D9A5D343F39843C48A565F8F04B'; +// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) +// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B +exports.ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT +QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ +PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a +9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf ++11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa +Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL +ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y +Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH +AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG +7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk +kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj +pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju +NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf +l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ +Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj +SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl +UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z +E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q +VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f +B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg +FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ +Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF +yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 +hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj +0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU +6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ +wI4qF/KKq9BfyfucAs0ykA== +=XLag +-----END PGP PUBLIC KEY BLOCK-----`; class TemurinDistribution extends base_installer_1.JavaBase { constructor(installerOptions, jvmImpl) { super(`Temurin-${jvmImpl}`, installerOptions); @@ -80308,7 +80340,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { } core.info(`Verifying Java package signature...`); try { - yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_SIGNATURE_KEY_FINGERPRINT); + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_PUBLIC_KEY); } catch (error) { throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); @@ -80670,7 +80702,7 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; -function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { +function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { return __awaiter(this, void 0, void 0, function* () { const signaturePath = yield tc.downloadTool(signatureUrl); let gpgHome; @@ -80681,15 +80713,11 @@ function verifyPackageSignature(archivePath, signatureUrl, keyFingerprint) { throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); try { + fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); const options = { silent: true, env }; - yield exec.exec('gpg', [ - '--batch', - '--keyserver', - 'keyserver.ubuntu.com', - '--recv-keys', - keyFingerprint - ], options); + yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); } finally { diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index bb22cc438..a1a52ee3c 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -27,8 +27,39 @@ export enum TemurinImplementation { Hotspot = 'Hotspot' } -export const ADOPTIUM_SIGNATURE_KEY_FINGERPRINT = - '3B04D753C9050D9A5D343F39843C48A565F8F04B'; +// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) +// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B +export const ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT +QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ +PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a +9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf ++11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa +Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL +ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y +Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH +AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG +7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk +kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj +pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju +NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf +l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ +Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj +SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl +UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z +E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q +VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f +B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg +FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ +Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF +yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 +hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj +0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU +6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ +wI4qF/KKq9BfyfucAs0ykA== +=XLag +-----END PGP PUBLIC KEY BLOCK-----`; export class TemurinDistribution extends JavaBase { constructor( @@ -96,7 +127,7 @@ export class TemurinDistribution extends JavaBase { await gpg.verifyPackageSignature( javaArchivePath, javaRelease.signatureUrl, - ADOPTIUM_SIGNATURE_KEY_FINGERPRINT + ADOPTIUM_PUBLIC_KEY ); } catch (error) { throw new Error( diff --git a/src/gpg.ts b/src/gpg.ts index e346b5c69..02ed7a3de 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -58,7 +58,7 @@ export async function deleteKey(keyFingerprint: string) { export async function verifyPackageSignature( archivePath: string, signatureUrl: string, - keyFingerprint: string + publicKeyContent: string ) { const signaturePath = await tc.downloadTool(signatureUrl); let gpgHome: string; @@ -74,20 +74,12 @@ export async function verifyPackageSignature( ); } const env = {...process.env, GNUPGHOME: gpgHome}; + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); try { + fs.writeFileSync(publicKeyFile, publicKeyContent, {encoding: 'utf-8'}); const options: ExecOptions = {silent: true, env}; - await exec.exec( - 'gpg', - [ - '--batch', - '--keyserver', - 'keyserver.ubuntu.com', - '--recv-keys', - keyFingerprint - ], - options - ); + await exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); await exec.exec( 'gpg', ['--batch', '--verify', signaturePath, archivePath], From 33264d64767ade021759c2801365a46eaac4aeb1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 24 Jun 2026 10:19:49 +0000 Subject: [PATCH 07/22] feat: add verify-signature-public-key input to allow custom GPG key override --- .../distributors/temurin-installer.test.ts | 28 +++++++++++++++++++ action.yml | 3 ++ dist/cleanup/index.js | 3 +- dist/setup/index.js | 12 ++++++-- src/constants.ts | 1 + src/distributions/base-installer.ts | 2 ++ src/distributions/base-models.ts | 1 + src/distributions/temurin/installer.ts | 2 +- src/setup-java.ts | 6 ++++ 9 files changed, 53 insertions(+), 5 deletions(-) diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index e3b67d9a4..ddf707eb5 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -364,4 +364,32 @@ describe('downloadTool', () => { ); expect(spyVerifySignature).not.toHaveBeenCalled(); }); + + it('uses custom public key when verifySignaturePublicKey is provided', async () => { + const customKey = + '-----BEGIN PGP PUBLIC KEY BLOCK-----\ncustom\n-----END PGP PUBLIC KEY BLOCK-----'; + const distribution = new TemurinDistribution( + { + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true, + verifySignaturePublicKey: customKey + }, + TemurinImplementation.Hotspot + ); + + await distribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz', + signatureUrl: 'https://example.com/jdk.tar.gz.sig' + }); + + expect(spyVerifySignature).toHaveBeenCalledWith( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + customKey + ); + }); }); diff --git a/action.yml b/action.yml index 10f237589..cd200f457 100644 --- a/action.yml +++ b/action.yml @@ -28,6 +28,9 @@ inputs: description: 'Verify downloaded Java package signatures when supported by the selected distribution' required: false default: false + verify-signature-public-key: + description: 'ASCII-armored GPG public key used to verify the downloaded package signature. Overrides the default bundled key for the selected distribution.' + required: false server-id: description: 'ID of the distributionManagement repository in the pom.xml file. Default is `github`' diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index 76511f989..b9673a0b1 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -51996,7 +51996,7 @@ else { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -52006,6 +52006,7 @@ exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; +exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; diff --git a/dist/setup/index.js b/dist/setup/index.js index f22f71bfe..15de2de44 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -77755,7 +77755,7 @@ function isProbablyGradleDaemonProblem(packageManager, error) { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -77765,6 +77765,7 @@ exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; +exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; @@ -78075,6 +78076,7 @@ class JavaBase { this.packageType = installerOptions.packageType; this.checkLatest = installerOptions.checkLatest; this.verifySignature = (_a = installerOptions.verifySignature) !== null && _a !== void 0 ? _a : false; + this.verifySignaturePublicKey = installerOptions.verifySignaturePublicKey; } setupJava() { var _a, _b; @@ -80331,6 +80333,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { }); } downloadTool(javaRelease) { + var _a; return __awaiter(this, void 0, void 0, function* () { core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`); let javaArchivePath = yield tc.downloadTool(javaRelease.url); @@ -80340,7 +80343,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { } core.info(`Verifying Java package signature...`); try { - yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, exports.ADOPTIUM_PUBLIC_KEY); + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : exports.ADOPTIUM_PUBLIC_KEY); } catch (error) { throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); @@ -80796,6 +80799,7 @@ function run() { const cacheDependencyPath = core.getInput(constants.INPUT_CACHE_DEPENDENCY_PATH); const checkLatest = (0, util_1.getBooleanInput)(constants.INPUT_CHECK_LATEST, false); const verifySignature = (0, util_1.getBooleanInput)(constants.INPUT_VERIFY_SIGNATURE, false); + const verifySignaturePublicKey = core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined; let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID); core.startGroup('Installed distributions'); if (versions.length !== toolchainIds.length) { @@ -80809,6 +80813,7 @@ function run() { packageType, checkLatest, verifySignature, + verifySignaturePublicKey, distributionName, jdkFile, toolchainIds @@ -80842,12 +80847,13 @@ function run() { run(); function installVersion(version, options, toolchainId = 0) { return __awaiter(this, void 0, void 0, function* () { - const { distributionName, jdkFile, architecture, packageType, checkLatest, verifySignature, toolchainIds } = options; + const { distributionName, jdkFile, architecture, packageType, checkLatest, verifySignature, verifySignaturePublicKey, toolchainIds } = options; const installerOptions = { architecture, packageType, checkLatest, verifySignature, + verifySignaturePublicKey, version }; const distribution = (0, distribution_factory_1.getJavaDistribution)(distributionName, installerOptions, jdkFile); diff --git a/src/constants.ts b/src/constants.ts index e80ad07de..5b0188965 100644 --- a/src/constants.ts +++ b/src/constants.ts @@ -7,6 +7,7 @@ export const INPUT_DISTRIBUTION = 'distribution'; export const INPUT_JDK_FILE = 'jdkFile'; export const INPUT_CHECK_LATEST = 'check-latest'; export const INPUT_VERIFY_SIGNATURE = 'verify-signature'; +export const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key'; export const INPUT_SERVER_ID = 'server-id'; export const INPUT_SERVER_USERNAME = 'server-username'; export const INPUT_SERVER_PASSWORD = 'server-password'; diff --git a/src/distributions/base-installer.ts b/src/distributions/base-installer.ts index 7c485e7ad..4494019cd 100644 --- a/src/distributions/base-installer.ts +++ b/src/distributions/base-installer.ts @@ -21,6 +21,7 @@ export abstract class JavaBase { protected stable: boolean; protected checkLatest: boolean; protected verifySignature: boolean; + protected verifySignaturePublicKey: string | undefined; constructor( protected distribution: string, @@ -38,6 +39,7 @@ export abstract class JavaBase { this.packageType = installerOptions.packageType; this.checkLatest = installerOptions.checkLatest; this.verifySignature = installerOptions.verifySignature ?? false; + this.verifySignaturePublicKey = installerOptions.verifySignaturePublicKey; } protected abstract downloadTool( diff --git a/src/distributions/base-models.ts b/src/distributions/base-models.ts index 0945d3067..867a058af 100644 --- a/src/distributions/base-models.ts +++ b/src/distributions/base-models.ts @@ -4,6 +4,7 @@ export interface JavaInstallerOptions { packageType: string; checkLatest: boolean; verifySignature?: boolean; + verifySignaturePublicKey?: string; } export interface JavaInstallerResults { diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index a1a52ee3c..58b19874e 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -127,7 +127,7 @@ export class TemurinDistribution extends JavaBase { await gpg.verifyPackageSignature( javaArchivePath, javaRelease.signatureUrl, - ADOPTIUM_PUBLIC_KEY + this.verifySignaturePublicKey ?? ADOPTIUM_PUBLIC_KEY ); } catch (error) { throw new Error( diff --git a/src/setup-java.ts b/src/setup-java.ts index 529314178..e4ec400b2 100644 --- a/src/setup-java.ts +++ b/src/setup-java.ts @@ -32,6 +32,8 @@ async function run() { constants.INPUT_VERIFY_SIGNATURE, false ); + const verifySignaturePublicKey = + core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined; let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID); core.startGroup('Installed distributions'); @@ -49,6 +51,7 @@ async function run() { packageType, checkLatest, verifySignature, + verifySignaturePublicKey, distributionName, jdkFile, toolchainIds @@ -106,6 +109,7 @@ async function installVersion( packageType, checkLatest, verifySignature, + verifySignaturePublicKey, toolchainIds } = options; @@ -114,6 +118,7 @@ async function installVersion( packageType, checkLatest, verifySignature, + verifySignaturePublicKey, version }; @@ -149,6 +154,7 @@ interface installerInputsOptions { packageType: string; checkLatest: boolean; verifySignature: boolean; + verifySignaturePublicKey: string | undefined; distributionName: string; jdkFile: string; toolchainIds: Array; From 40f7b5c4bb1f77d9639450e1921bfa4ad0d27a02 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 24 Jun 2026 10:23:56 +0000 Subject: [PATCH 08/22] refactor: extract Adoptium public key to adoptium-key.ts; tighten gpg.ts cleanup scope --- dist/cleanup/index.js | 2 +- dist/setup/index.js | 86 +++++++++++++---------- src/distributions/temurin/adoptium-key.ts | 33 +++++++++ src/distributions/temurin/installer.ts | 37 +--------- src/gpg.ts | 2 +- 5 files changed, 88 insertions(+), 72 deletions(-) create mode 100644 src/distributions/temurin/adoptium-key.ts diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index b9673a0b1..085148bf3 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52124,8 +52124,8 @@ function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); - const publicKeyFile = path.join(gpgHome, 'public-key.asc'); try { + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); const options = { silent: true, env }; yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); diff --git a/dist/setup/index.js b/dist/setup/index.js index 15de2de44..0453e6bca 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -80206,6 +80206,50 @@ class SemeruDistribution extends base_installer_1.JavaBase { exports.SemeruDistribution = SemeruDistribution; +/***/ }), + +/***/ 80877: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.ADOPTIUM_PUBLIC_KEY = void 0; +// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) +// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B +exports.ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT +QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ +PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a +9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf ++11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa +Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL +ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y +Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH +AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG +7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk +kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj +pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju +NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf +l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ +Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj +SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl +UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z +E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q +VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f +B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg +FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ +Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF +yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 +hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj +0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU +6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ +wI4qF/KKq9BfyfucAs0ykA== +=XLag +-----END PGP PUBLIC KEY BLOCK-----`; + + /***/ }), /***/ 91986: @@ -80249,52 +80293,22 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.TemurinDistribution = exports.ADOPTIUM_PUBLIC_KEY = exports.TemurinImplementation = void 0; +exports.TemurinDistribution = exports.TemurinImplementation = exports.ADOPTIUM_PUBLIC_KEY = void 0; const core = __importStar(__nccwpck_require__(37484)); const tc = __importStar(__nccwpck_require__(33472)); const fs_1 = __importDefault(__nccwpck_require__(79896)); const path_1 = __importDefault(__nccwpck_require__(16928)); const semver_1 = __importDefault(__nccwpck_require__(62088)); const gpg = __importStar(__nccwpck_require__(88343)); +const adoptium_key_1 = __nccwpck_require__(80877); const base_installer_1 = __nccwpck_require__(79935); const util_1 = __nccwpck_require__(54527); +var adoptium_key_2 = __nccwpck_require__(80877); +Object.defineProperty(exports, "ADOPTIUM_PUBLIC_KEY", ({ enumerable: true, get: function () { return adoptium_key_2.ADOPTIUM_PUBLIC_KEY; } })); var TemurinImplementation; (function (TemurinImplementation) { TemurinImplementation["Hotspot"] = "Hotspot"; })(TemurinImplementation || (exports.TemurinImplementation = TemurinImplementation = {})); -// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) -// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B -exports.ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- - -xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT -QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ -PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a -9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf -+11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa -Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL -ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y -Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH -AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG -7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk -kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj -pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju -NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf -l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ -Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj -SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl -UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z -E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q -VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f -B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg -FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ -Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF -yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 -hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj -0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU -6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ -wI4qF/KKq9BfyfucAs0ykA== -=XLag ------END PGP PUBLIC KEY BLOCK-----`; class TemurinDistribution extends base_installer_1.JavaBase { constructor(installerOptions, jvmImpl) { super(`Temurin-${jvmImpl}`, installerOptions); @@ -80343,7 +80357,7 @@ class TemurinDistribution extends base_installer_1.JavaBase { } core.info(`Verifying Java package signature...`); try { - yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : exports.ADOPTIUM_PUBLIC_KEY); + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : adoptium_key_1.ADOPTIUM_PUBLIC_KEY); } catch (error) { throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); @@ -80716,8 +80730,8 @@ function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); - const publicKeyFile = path.join(gpgHome, 'public-key.asc'); try { + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); const options = { silent: true, env }; yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); diff --git a/src/distributions/temurin/adoptium-key.ts b/src/distributions/temurin/adoptium-key.ts new file mode 100644 index 000000000..f7466e5e2 --- /dev/null +++ b/src/distributions/temurin/adoptium-key.ts @@ -0,0 +1,33 @@ +// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) +// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B +export const ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT +QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ +PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a +9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf ++11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa +Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL +ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y +Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH +AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG +7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk +kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj +pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju +NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf +l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ +Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj +SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl +UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z +E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q +VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f +B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg +FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ +Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF +yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 +hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj +0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU +6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ +wI4qF/KKq9BfyfucAs0ykA== +=XLag +-----END PGP PUBLIC KEY BLOCK-----`; diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index 58b19874e..16a896f60 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -6,6 +6,7 @@ import path from 'path'; import semver from 'semver'; import * as gpg from '../../gpg'; +import {ADOPTIUM_PUBLIC_KEY} from './adoptium-key'; import {JavaBase} from '../base-installer'; import {ITemurinAvailableVersions} from './models'; import { @@ -23,44 +24,12 @@ import { validatePaginationUrl } from '../../util'; +export {ADOPTIUM_PUBLIC_KEY} from './adoptium-key'; + export enum TemurinImplementation { Hotspot = 'Hotspot' } -// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) -// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B -export const ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- - -xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT -QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ -PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a -9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf -+11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa -Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL -ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y -Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH -AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG -7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk -kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj -pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju -NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf -l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ -Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj -SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl -UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z -E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q -VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f -B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg -FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ -Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF -yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 -hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj -0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU -6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ -wI4qF/KKq9BfyfucAs0ykA== -=XLag ------END PGP PUBLIC KEY BLOCK-----`; - export class TemurinDistribution extends JavaBase { constructor( installerOptions: JavaInstallerOptions, diff --git a/src/gpg.ts b/src/gpg.ts index 02ed7a3de..6f4a8aa11 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -74,9 +74,9 @@ export async function verifyPackageSignature( ); } const env = {...process.env, GNUPGHOME: gpgHome}; - const publicKeyFile = path.join(gpgHome, 'public-key.asc'); try { + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); fs.writeFileSync(publicKeyFile, publicKeyContent, {encoding: 'utf-8'}); const options: ExecOptions = {silent: true, env}; await exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); From 3f3ac234a14ed451845dcb81d881841e2ea4327b Mon Sep 17 00:00:00 2001 From: John <1615532+johnoliver@users.noreply.github.com> Date: Wed, 24 Jun 2026 10:46:56 +0000 Subject: [PATCH 09/22] Add verify-signature plumbing and Temurin verification support --- .github/workflows/e2e-versions.yml | 23 ++ README.md | 2 + __tests__/data/temurin.json | 297 ++++++++++++------ __tests__/distributors/base-installer.test.ts | 18 ++ .../distributors/temurin-installer.test.ts | 114 ++++++- __tests__/gpg.test.ts | 35 +++ action.yml | 7 + dist/cleanup/index.js | 32 +- dist/setup/index.js | 118 ++++++- src/constants.ts | 2 + src/distributions/base-installer.ts | 14 + src/distributions/base-models.ts | 3 + src/distributions/temurin/adoptium-key.ts | 33 ++ src/distributions/temurin/installer.ts | 33 +- src/distributions/temurin/models.ts | 1 + src/gpg.ts | 37 +++ src/setup-java.ts | 14 + 17 files changed, 675 insertions(+), 108 deletions(-) create mode 100644 src/distributions/temurin/adoptium-key.ts diff --git a/.github/workflows/e2e-versions.yml b/.github/workflows/e2e-versions.yml index c384d4023..cc15a0258 100644 --- a/.github/workflows/e2e-versions.yml +++ b/.github/workflows/e2e-versions.yml @@ -328,6 +328,29 @@ jobs: run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash + setup-java-temurin-signature-verification: + name: temurin ${{ matrix.version }} signature verification - ${{ matrix.os }} + needs: setup-java-major-minor-versions + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: [macos-latest, windows-latest, ubuntu-latest] + version: ['21', '17'] + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: setup-java with signature verification + uses: ./ + id: setup-java + with: + java-version: ${{ matrix.version }} + distribution: temurin + verify-signature: true + - name: Verify Java + run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + shell: bash + setup-java-ea-versions-sapmachine: name: sapmachine ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }} needs: setup-java-major-minor-versions diff --git a/README.md b/README.md index b79760e94..397f1d566 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,8 @@ For more details, see the full release notes on the [releases page](https://git - `check-latest`: Setting this option makes the action to check for the latest available version for the version spec. + - `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin`. If set to `true` for unsupported distributions, the action fails. + - `cache`: Quick [setup caching](#caching-packages-dependencies) for the dependencies managed through one of the predefined package managers. It can be one of "maven", "gradle" or "sbt". - `cache-dependency-path`: The path to a dependency file: pom.xml, build.gradle, build.sbt, etc. This option can be used with the `cache` option. If this option is omitted, the action searches for the dependency file in the entire repository. This option supports wildcards and a list of file names for caching multiple dependencies. diff --git a/__tests__/data/temurin.json b/__tests__/data/temurin.json index 7ce00d2c7..cec2c631a 100644 --- a/__tests__/data/temurin.json +++ b/__tests__/data/temurin.json @@ -15,7 +15,8 @@ "link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_linux_hotspot_16.0.2_7.tar.gz", "metadata_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_linux_hotspot_16.0.2_7.tar.gz.json", "name": "OpenJDK16U-jdk_x64_linux_hotspot_16.0.2_7.tar.gz", - "size": 205463525 + "size": 205463525, + "signature_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_linux_hotspot_16.0.2_7.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-16.0.2+7_adopt", @@ -44,7 +45,8 @@ "link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_mac_hotspot_16.0.2_7.tar.gz", "metadata_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_mac_hotspot_16.0.2_7.tar.gz.json", "name": "OpenJDK16U-jdk_x64_mac_hotspot_16.0.2_7.tar.gz", - "size": 206621395 + "size": 206621395, + "signature_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_mac_hotspot_16.0.2_7.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-16.0.2+7_adopt", @@ -73,7 +75,8 @@ "link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_windows_hotspot_16.0.2_7.zip", "metadata_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_windows_hotspot_16.0.2_7.zip.json", "name": "OpenJDK16U-jdk_x64_windows_hotspot_16.0.2_7.zip", - "size": 203448494 + "size": 203448494, + "signature_link": "https://github.com/adoptium/temurin16-binaries/releases/download/jdk-16.0.2%2B7/OpenJDK16U-jdk_x64_windows_hotspot_16.0.2_7.zip.sig" }, "project": "jdk", "scm_ref": "jdk-16.0.2+7_adopt", @@ -113,7 +116,8 @@ "link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz", "metadata_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.json", "name": "OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz", - "size": 102954777 + "size": 102954777, + "signature_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_linux_hotspot_8u302b08.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk8u302-b08", @@ -142,7 +146,8 @@ "link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_mac_hotspot_8u302b08.tar.gz", "metadata_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_mac_hotspot_8u302b08.tar.gz.json", "name": "OpenJDK8U-jdk_x64_mac_hotspot_8u302b08.tar.gz", - "size": 107303398 + "size": 107303398, + "signature_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_mac_hotspot_8u302b08.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk8u302-b08", @@ -171,7 +176,8 @@ "link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_windows_hotspot_8u302b08.zip", "metadata_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_windows_hotspot_8u302b08.zip.json", "name": "OpenJDK8U-jdk_x64_windows_hotspot_8u302b08.zip", - "size": 104297671 + "size": 104297671, + "signature_link": "https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u302-b08/OpenJDK8U-jdk_x64_windows_hotspot_8u302b08.zip.sig" }, "project": "jdk", "scm_ref": "jdk8u302-b08", @@ -211,7 +217,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 188909250 + "size": 188909250, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-16-ge39bf269d60", @@ -240,7 +247,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-31-00-07.tar.gz", - "size": 192952713 + "size": 192952713, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -260,7 +268,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 188816971 + "size": 188816971, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-16-ge39bf269d60", @@ -280,7 +289,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-31-00-07.tar.gz", - "size": 182299353 + "size": 182299353, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -300,7 +310,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 187674392 + "size": 187674392, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-46-gea8d2c72e83", @@ -320,7 +331,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 179501342 + "size": 179501342, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-21-ge39bf269d60", @@ -340,7 +352,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-29-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-29-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-29-23-34.tar.gz", - "size": 192126971 + "size": 192126971, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-29-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -360,7 +373,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-31-00-07.tar.gz", - "size": 192015878 + "size": 192015878, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-21-ge39bf269d60", @@ -389,7 +403,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-31-00-07.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-31-00-07.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-31-00-07.tar.gz", - "size": 192422068 + "size": 192422068, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-31-00-07.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -418,7 +433,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-31-00-07.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-31-00-07.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-31-00-07.zip", - "size": 188694175 + "size": 188694175, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-31-00-07.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -447,7 +463,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-31-00-07.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-31-00-07.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-31-00-07.zip", - "size": 184618115 + "size": 184618115, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-31-00-07.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+33_adopt-219-ge39bf269d60", @@ -489,7 +506,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-27-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-27-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-27-23-34.tar.gz", - "size": 192125161 + "size": 192125161, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-31-00-07-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-27-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-242-gce1857dd7a1", @@ -531,7 +549,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 188911467 + "size": 188911467, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-42-g4596b4e9d4e", @@ -560,7 +579,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-23-03-09.tar.gz", - "size": 192950510 + "size": 192950510, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -580,7 +600,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 188815685 + "size": 188815685, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-36-g4596b4e9d4e", @@ -600,7 +621,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-23-03-09.tar.gz", - "size": 182307654 + "size": 182307654, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -620,7 +642,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 187698851 + "size": 187698851, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-36-g4596b4e9d4e", @@ -640,7 +663,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 179501218 + "size": 179501218, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-40-g4596b4e9d4e", @@ -660,7 +684,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-22-23-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-22-23-30.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-22-23-30.tar.gz", - "size": 192124471 + "size": 192124471, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-22-23-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -680,7 +705,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-23-03-09.tar.gz", - "size": 192015026 + "size": 192015026, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-40-g4596b4e9d4e", @@ -709,7 +735,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-23-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-23-03-09.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-23-03-09.tar.gz", - "size": 193003513 + "size": 193003513, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-23-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -738,7 +765,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-23-03-09.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-23-03-09.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-23-03-09.zip", - "size": 188694996 + "size": 188694996, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-23-03-09.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -767,7 +795,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-23-03-09.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-23-03-09.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-23-03-09.zip", - "size": 184626937 + "size": 184626937, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-23-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-23-03-09.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+32_adopt-217-g4596b4e9d4e", @@ -809,7 +838,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 188891565 + "size": 188891565, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "a342f28aaec", @@ -829,7 +859,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 188790907 + "size": 188790907, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "a342f28aaec", @@ -849,7 +880,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-21-03-09.tar.gz", - "size": 182276594 + "size": 182276594, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-191-ga342f28aaec", @@ -869,7 +901,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 187678422 + "size": 187678422, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-26-ga342f28aaec", @@ -889,7 +922,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 179475721 + "size": 179475721, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-26-ga342f28aaec", @@ -909,7 +943,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-20-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-20-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-20-23-34.tar.gz", - "size": 192104689 + "size": 192104689, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-20-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-191-ga342f28aaec", @@ -929,7 +964,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-21-03-09.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-21-03-09.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-21-03-09.tar.gz", - "size": 191982821 + "size": 191982821, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-21-03-09.tar.gz.sig" }, "project": "jdk", "scm_ref": "a342f28aaec", @@ -958,7 +994,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-21-03-09.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-21-03-09.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-21-03-09.zip", - "size": 188685330 + "size": 188685330, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-21-03-09.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-191-ga342f28aaec", @@ -987,7 +1024,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-21-03-09.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-21-03-09.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-21-03-09.zip", - "size": 184607457 + "size": 184607457, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-21-03-09-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-21-03-09.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-191-ga342f28aaec", @@ -1029,7 +1067,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 188896773 + "size": 188896773, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-14-g20418a26958", @@ -1058,7 +1097,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-16-10-58.tar.gz", - "size": 192948484 + "size": 192948484, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1078,7 +1118,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 188791964 + "size": 188791964, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-14-g20418a26958", @@ -1098,7 +1139,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-16-10-58.tar.gz", - "size": 182281944 + "size": 182281944, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1118,7 +1160,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 187650365 + "size": 187650365, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-23-g20418a26958", @@ -1138,7 +1181,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 179483622 + "size": 179483622, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-55-g20418a26958", @@ -1158,7 +1202,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-15-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-15-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-15-23-34.tar.gz", - "size": 192108731 + "size": 192108731, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-15-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1178,7 +1223,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-16-10-58.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-16-10-58.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-16-10-58.tar.gz", - "size": 191985123 + "size": 191985123, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-16-10-58.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-14-g20418a26958", @@ -1207,7 +1253,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-16-10-58.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-16-10-58.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-16-10-58.zip", - "size": 188688539 + "size": 188688539, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-16-10-58.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1236,7 +1283,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-16-10-58.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-16-10-58.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-16-10-58.zip", - "size": 184612045 + "size": 184612045, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-16-10-58-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-16-10-58.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+31_adopt-179-g20418a26958", @@ -1278,7 +1326,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 188899456 + "size": 188899456, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "ce22197617d", @@ -1307,7 +1356,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-14-11-30.tar.gz", - "size": 192953428 + "size": 192953428, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1327,7 +1377,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 188792852 + "size": 188792852, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-66-gce22197617d", @@ -1347,7 +1398,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 187678600 + "size": 187678600, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "ce22197617d", @@ -1367,7 +1419,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 179480996 + "size": 179480996, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "ce22197617d", @@ -1387,7 +1440,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-13-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-13-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-13-23-34.tar.gz", - "size": 192105446 + "size": 192105446, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-13-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1407,7 +1461,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-14-11-30.tar.gz", - "size": 191986856 + "size": 191986856, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "ce22197617d", @@ -1436,7 +1491,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-14-11-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-14-11-30.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-14-11-30.tar.gz", - "size": 192995067 + "size": 192995067, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-14-11-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1465,7 +1521,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-14-11-30.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-14-11-30.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-14-11-30.zip", - "size": 188686556 + "size": 188686556, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-14-11-30.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1494,7 +1551,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-14-11-30.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-14-11-30.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-14-11-30.zip", - "size": 184620492 + "size": 184620492, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-14-11-30-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-14-11-30.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-200-gce22197617d", @@ -1536,7 +1594,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 188896299 + "size": 188896299, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1565,7 +1624,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-09-12-54.tar.gz", - "size": 192941671 + "size": 192941671, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1585,7 +1645,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 188838708 + "size": 188838708, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-161-g3e7e5bc2003", @@ -1605,7 +1666,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-09-12-54.tar.gz", - "size": 182274073 + "size": 182274073, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-40-g3e7e5bc2003", @@ -1625,7 +1687,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 187666608 + "size": 187666608, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-40-g3e7e5bc2003", @@ -1645,7 +1708,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 179472325 + "size": 179472325, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-30-g3e7e5bc2003", @@ -1665,7 +1729,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-08-23-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-08-23-35.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-08-23-35.tar.gz", - "size": 192098387 + "size": 192098387, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-08-23-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1685,7 +1750,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-09-12-54.tar.gz", - "size": 191983708 + "size": 191983708, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1714,7 +1780,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-09-12-54.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-09-12-54.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-09-12-54.tar.gz", - "size": 193004476 + "size": 193004476, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-09-12-54.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1743,7 +1810,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-09-12-54.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-09-12-54.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-09-12-54.zip", - "size": 188681640 + "size": 188681640, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-09-12-54.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1772,7 +1840,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-09-12-54.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-09-12-54.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-09-12-54.zip", - "size": 184605514 + "size": 184605514, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-09-12-54-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-09-12-54.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+30_adopt-164-g3e7e5bc2003", @@ -1823,7 +1892,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-07-11-35.tar.gz", - "size": 192962903 + "size": 192962903, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -1843,7 +1913,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-07-11-35.tar.gz", - "size": 188800217 + "size": 188800217, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "06428c22b61", @@ -1863,7 +1934,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-07-11-35.tar.gz", - "size": 187663978 + "size": 187663978, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-78-g06428c22b61", @@ -1883,7 +1955,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-07-11-35.tar.gz", - "size": 179496669 + "size": 179496669, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-78-g06428c22b61", @@ -1903,7 +1976,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-06-23-34.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-06-23-34.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-06-23-34.tar.gz", - "size": 192113242 + "size": 192113242, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-06-23-34.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -1923,7 +1997,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-07-11-35.tar.gz", - "size": 192021951 + "size": 192021951, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -1952,7 +2027,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-07-11-35.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-07-11-35.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-07-11-35.tar.gz", - "size": 193018554 + "size": 193018554, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-07-11-35.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -1981,7 +2057,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-07-11-35.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-07-11-35.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-07-11-35.zip", - "size": 188702463 + "size": 188702463, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-07-11-35-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-07-11-35.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-172-g06428c22b61", @@ -2023,7 +2100,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 188953178 + "size": 188953178, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2052,7 +2130,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-02-12-00.tar.gz", - "size": 192957934 + "size": 192957934, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2072,7 +2151,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 188797466 + "size": 188797466, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-43-g6d3debb5c12", @@ -2092,7 +2172,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-02-12-00.tar.gz", - "size": 182292580 + "size": 182292580, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2112,7 +2193,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 187684930 + "size": 187684930, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-64-g6d3debb5c12", @@ -2132,7 +2214,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 179484390 + "size": 179484390, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-54-g6d3debb5c12", @@ -2152,7 +2235,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-01-23-30.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-01-23-30.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-01-23-30.tar.gz", - "size": 192114561 + "size": 192114561, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-07-01-23-30.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2172,7 +2256,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-07-02-12-00.tar.gz", - "size": 192014644 + "size": 192014644, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2201,7 +2286,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-02-12-00.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-02-12-00.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-07-02-12-00.tar.gz", - "size": 192425033 + "size": 192425033, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-07-02-12-00.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2230,7 +2316,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-02-12-00.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-02-12-00.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-07-02-12-00.zip", - "size": 188697393 + "size": 188697393, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-07-02-12-00.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2259,7 +2346,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-02-12-00.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-02-12-00.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-02-12-00.zip", - "size": 184618232 + "size": 184618232, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-07-02-12-00-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-07-02-12-00.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+29_adopt-138-g6d3debb5c12", @@ -2301,7 +2389,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 188940191 + "size": 188940191, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2330,7 +2419,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_aarch64_mac_hotspot_2021-06-30-09-16.tar.gz", - "size": 192953718 + "size": 192953718, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_aarch64_mac_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2350,7 +2440,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_arm_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 188795343 + "size": 188795343, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_arm_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "0fe0d0825e7", @@ -2370,7 +2461,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_ppc64_aix_hotspot_2021-06-30-09-16.tar.gz", - "size": 182285782 + "size": 182285782, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64_aix_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "0fe0d0825e7", @@ -2390,7 +2482,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_ppc64le_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 187652430 + "size": 187652430, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_ppc64le_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "0fe0d0825e7", @@ -2410,7 +2503,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_s390x_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 179489547 + "size": 179489547, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_s390x_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "0fe0d0825e7", @@ -2430,7 +2524,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-06-29-23-33.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-06-29-23-33.tar.gz.json", "name": "OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-06-29-23-33.tar.gz", - "size": 192109453 + "size": 192109453, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_alpine-linux_hotspot_2021-06-29-23-33.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2450,7 +2545,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_x64_linux_hotspot_2021-06-30-09-16.tar.gz", - "size": 192013559 + "size": 192013559, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_linux_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2479,7 +2575,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-06-30-09-16.tar.gz", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-06-30-09-16.tar.gz.json", "name": "OpenJDK17-jdk_x64_mac_hotspot_2021-06-30-09-16.tar.gz", - "size": 192419518 + "size": 192419518, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_mac_hotspot_2021-06-30-09-16.tar.gz.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2508,7 +2605,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-06-30-09-16.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-06-30-09-16.zip.json", "name": "OpenJDK17-jdk_x64_windows_hotspot_2021-06-30-09-16.zip", - "size": 188672489 + "size": 188672489, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x64_windows_hotspot_2021-06-30-09-16.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-130-g0fe0d0825e7", @@ -2537,7 +2635,8 @@ "link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-06-30-09-16.zip", "metadata_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-06-30-09-16.zip.json", "name": "OpenJDK17-jdk_x86-32_windows_hotspot_2021-06-30-09-16.zip", - "size": 184626094 + "size": 184626094, + "signature_link": "https://github.com/adoptium/temurin17-binaries/releases/download/jdk17-2021-06-30-09-16-beta/OpenJDK17-jdk_x86-32_windows_hotspot_2021-06-30-09-16.zip.sig" }, "project": "jdk", "scm_ref": "jdk-17+28_adopt-132-g23fbf51b850", diff --git a/__tests__/distributors/base-installer.test.ts b/__tests__/distributors/base-installer.test.ts index 2a0b13ab1..7497b06a3 100644 --- a/__tests__/distributors/base-installer.test.ts +++ b/__tests__/distributors/base-installer.test.ts @@ -464,6 +464,24 @@ describe('setupJava', () => { } ); + it('should fail when verify-signature is enabled for unsupported distributions', async () => { + mockJavaBase = new EmptyJavaBase({ + version: '11', + architecture: 'x86', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }); + + await expect(mockJavaBase.setupJava()).rejects.toThrow( + "Input 'verify-signature' is not supported for distribution 'Empty'." + ); + expect(spyTcFindAllVersions).not.toHaveBeenCalled(); + expect(spyCoreAddPath).not.toHaveBeenCalled(); + expect(spyCoreExportVariable).not.toHaveBeenCalled(); + expect(spyCoreSetOutput).not.toHaveBeenCalled(); + }); + it.each([ [ { diff --git a/__tests__/distributors/temurin-installer.test.ts b/__tests__/distributors/temurin-installer.test.ts index 161a2d087..ddf707eb5 100644 --- a/__tests__/distributors/temurin-installer.test.ts +++ b/__tests__/distributors/temurin-installer.test.ts @@ -1,10 +1,15 @@ import {HttpClient} from '@actions/http-client'; +import * as tc from '@actions/tool-cache'; +import fs from 'fs'; import os from 'os'; import { TemurinDistribution, - TemurinImplementation + TemurinImplementation, + ADOPTIUM_PUBLIC_KEY } from '../../src/distributions/temurin/installer'; import {JavaInstallerOptions} from '../../src/distributions/base-models'; +import * as util from '../../src/util'; +import * as gpg from '../../src/gpg'; import manifestData from '../data/temurin.json'; import * as core from '@actions/core'; @@ -231,6 +236,7 @@ describe('findPackageForDownload', () => { distribution['getAvailableVersions'] = async () => manifestData as any; const resolvedVersion = await distribution['findPackageForDownload'](input); expect(resolvedVersion.version).toBe(expected); + expect(resolvedVersion.signatureUrl).toBeDefined(); }); it('version is found but binaries list is empty', async () => { @@ -281,3 +287,109 @@ describe('findPackageForDownload', () => { ); }); }); + +describe('downloadTool', () => { + let spyDownloadTool: jest.SpyInstance; + let spyVerifySignature: jest.SpyInstance; + let spyExtractJdkFile: jest.SpyInstance; + let spyCacheDir: jest.SpyInstance; + let spyReadDirSync: jest.SpyInstance; + let spyRenameWinArchive: jest.SpyInstance; + + beforeEach(() => { + spyDownloadTool = jest.spyOn(tc, 'downloadTool'); + spyDownloadTool.mockResolvedValue('/tmp/jdk.tar.gz'); + spyVerifySignature = jest.spyOn(gpg, 'verifyPackageSignature'); + spyVerifySignature.mockResolvedValue(undefined); + spyExtractJdkFile = jest.spyOn(util, 'extractJdkFile'); + spyExtractJdkFile.mockResolvedValue('/tmp/extracted'); + spyCacheDir = jest.spyOn(tc, 'cacheDir'); + spyCacheDir.mockResolvedValue('/tmp/toolcache'); + spyReadDirSync = jest.spyOn(fs, 'readdirSync'); + spyReadDirSync.mockReturnValue(['jdk-17'] as any); + spyRenameWinArchive = jest.spyOn(util, 'renameWinArchive'); + spyRenameWinArchive.mockReturnValue('/tmp/jdk.tar.gz.zip'); + }); + + afterEach(() => { + jest.resetAllMocks(); + jest.clearAllMocks(); + jest.restoreAllMocks(); + }); + + it('verifies signature when enabled', async () => { + const distribution = new TemurinDistribution( + { + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }, + TemurinImplementation.Hotspot + ); + + await distribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz', + signatureUrl: 'https://example.com/jdk.tar.gz.sig' + }); + + expect(spyVerifySignature).toHaveBeenCalledWith( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + ADOPTIUM_PUBLIC_KEY + ); + }); + + it('fails when signature is missing and verification is enabled', async () => { + const distribution = new TemurinDistribution( + { + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }, + TemurinImplementation.Hotspot + ); + + await expect( + distribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz' + }) + ).rejects.toThrow( + "Input 'verify-signature' is enabled, but no signature URL was found" + ); + expect(spyVerifySignature).not.toHaveBeenCalled(); + }); + + it('uses custom public key when verifySignaturePublicKey is provided', async () => { + const customKey = + '-----BEGIN PGP PUBLIC KEY BLOCK-----\ncustom\n-----END PGP PUBLIC KEY BLOCK-----'; + const distribution = new TemurinDistribution( + { + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true, + verifySignaturePublicKey: customKey + }, + TemurinImplementation.Hotspot + ); + + await distribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz', + signatureUrl: 'https://example.com/jdk.tar.gz.sig' + }); + + expect(spyVerifySignature).toHaveBeenCalledWith( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + customKey + ); + }); +}); diff --git a/__tests__/gpg.test.ts b/__tests__/gpg.test.ts index 1c981b3f5..655077fb5 100644 --- a/__tests__/gpg.test.ts +++ b/__tests__/gpg.test.ts @@ -1,6 +1,7 @@ import * as path from 'path'; import * as io from '@actions/io'; import * as exec from '@actions/exec'; +import * as tc from '@actions/tool-cache'; import * as gpg from '../src/gpg'; jest.mock('@actions/exec', () => { @@ -9,6 +10,12 @@ jest.mock('@actions/exec', () => { }; }); +jest.mock('@actions/tool-cache', () => { + return { + downloadTool: jest.fn() + }; +}); + const tempDir = path.join(__dirname, 'runner', 'temp'); process.env['RUNNER_TEMP'] = tempDir; @@ -51,5 +58,33 @@ describe('gpg tests', () => { expect.anything() ); }); + + describe('verifyPackageSignature', () => { + it('imports bundled key and verifies package', async () => { + const publicKeyContent = '-----BEGIN PGP PUBLIC KEY BLOCK-----\ntest\n-----END PGP PUBLIC KEY BLOCK-----'; + (tc.downloadTool as jest.Mock).mockResolvedValue('/tmp/jdk.tar.gz.sig'); + await gpg.verifyPackageSignature( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + publicKeyContent + ); + + expect(tc.downloadTool).toHaveBeenCalledWith( + 'https://example.com/jdk.tar.gz.sig' + ); + expect(exec.exec).toHaveBeenNthCalledWith( + 1, + 'gpg', + ['--batch', '--import', expect.stringContaining('public-key.asc')], + expect.objectContaining({silent: true}) + ); + expect(exec.exec).toHaveBeenNthCalledWith( + 2, + 'gpg', + ['--batch', '--verify', '/tmp/jdk.tar.gz.sig', '/tmp/jdk.tar.gz'], + expect.objectContaining({silent: true}) + ); + }); + }); }); }); diff --git a/action.yml b/action.yml index d5f46bbed..cc1a541b2 100644 --- a/action.yml +++ b/action.yml @@ -26,6 +26,13 @@ inputs: description: 'Set this option if you want the action to check for the latest available version that satisfies the version spec' required: false default: false + verify-signature: + description: 'Verify downloaded Java package signatures when supported by the selected distribution' + required: false + default: false + verify-signature-public-key: + description: 'ASCII-armored GPG public key used to verify the downloaded package signature. Overrides the default bundled key for the selected distribution.' + required: false server-id: description: 'ID of the distributionManagement repository in the pom.xml file. Default is `github`' diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index 0c3278164..2cd3c3252 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52241,7 +52241,7 @@ else { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -52250,6 +52250,8 @@ exports.INPUT_JAVA_PACKAGE = 'java-package'; exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; +exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; +exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; @@ -52311,11 +52313,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); const exec = __importStar(__nccwpck_require__(95236)); +const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; @@ -52355,6 +52358,31 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; +function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { + return __awaiter(this, void 0, void 0, function* () { + const signaturePath = yield tc.downloadTool(signatureUrl); + let gpgHome; + try { + gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + } + catch (error) { + throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); + } + const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + try { + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); + fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); + const options = { silent: true, env }; + yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); + yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); + } + finally { + yield io.rmRF(signaturePath); + yield io.rmRF(gpgHome); + } + }); +} +exports.verifyPackageSignature = verifyPackageSignature; /***/ }), diff --git a/dist/setup/index.js b/dist/setup/index.js index bbf320ebb..c29c01af4 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -78000,7 +78000,7 @@ function isProbablyGradleDaemonProblem(packageManager, error) { "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; +exports.DISTRIBUTIONS_ONLY_MAJOR_VERSION = exports.INPUT_MVN_TOOLCHAIN_VENDOR = exports.INPUT_MVN_TOOLCHAIN_ID = exports.MVN_TOOLCHAINS_FILE = exports.MVN_SETTINGS_FILE = exports.M2_DIR = exports.STATE_GPG_PRIVATE_KEY_FINGERPRINT = exports.INPUT_JOB_STATUS = exports.INPUT_CACHE_DEPENDENCY_PATH = exports.INPUT_CACHE = exports.INPUT_DEFAULT_GPG_PASSPHRASE = exports.INPUT_DEFAULT_GPG_PRIVATE_KEY = exports.INPUT_GPG_PASSPHRASE = exports.INPUT_GPG_PRIVATE_KEY = exports.INPUT_OVERWRITE_SETTINGS = exports.INPUT_SETTINGS_PATH = exports.INPUT_SERVER_PASSWORD = exports.INPUT_SERVER_USERNAME = exports.INPUT_SERVER_ID = exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = exports.INPUT_VERIFY_SIGNATURE = exports.INPUT_CHECK_LATEST = exports.INPUT_JDK_FILE = exports.INPUT_DISTRIBUTION = exports.INPUT_JAVA_PACKAGE = exports.INPUT_ARCHITECTURE = exports.INPUT_JAVA_VERSION_FILE = exports.INPUT_JAVA_VERSION = exports.MACOS_JAVA_CONTENT_POSTFIX = void 0; exports.MACOS_JAVA_CONTENT_POSTFIX = 'Contents/Home'; exports.INPUT_JAVA_VERSION = 'java-version'; exports.INPUT_JAVA_VERSION_FILE = 'java-version-file'; @@ -78009,6 +78009,8 @@ exports.INPUT_JAVA_PACKAGE = 'java-package'; exports.INPUT_DISTRIBUTION = 'distribution'; exports.INPUT_JDK_FILE = 'jdkFile'; exports.INPUT_CHECK_LATEST = 'check-latest'; +exports.INPUT_VERIFY_SIGNATURE = 'verify-signature'; +exports.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key'; exports.INPUT_SERVER_ID = 'server-id'; exports.INPUT_SERVER_USERNAME = 'server-username'; exports.INPUT_SERVER_PASSWORD = 'server-password'; @@ -78308,6 +78310,7 @@ const constants_1 = __nccwpck_require__(27242); const os_1 = __importDefault(__nccwpck_require__(70857)); class JavaBase { constructor(distribution, installerOptions) { + var _a; this.distribution = distribution; this.http = new httpm.HttpClient('actions/setup-java', undefined, { allowRetries: true, @@ -78317,10 +78320,15 @@ class JavaBase { this.architecture = installerOptions.architecture || os_1.default.arch(); this.packageType = installerOptions.packageType; this.checkLatest = installerOptions.checkLatest; + this.verifySignature = (_a = installerOptions.verifySignature) !== null && _a !== void 0 ? _a : false; + this.verifySignaturePublicKey = installerOptions.verifySignaturePublicKey; } setupJava() { var _a, _b; return __awaiter(this, void 0, void 0, function* () { + if (this.verifySignature && !this.supportsSignatureVerification()) { + throw new Error(`Input 'verify-signature' is not supported for distribution '${this.distribution}'.`); + } let foundJava = this.findInToolcache(); if (foundJava && !this.checkLatest) { core.info(`Resolved Java ${foundJava.version} from tool-cache`); @@ -78440,6 +78448,9 @@ class JavaBase { get toolcacheFolderName() { return `Java_${this.distribution}_${this.packageType}`; } + supportsSignatureVerification() { + return false; + } getToolcacheVersionName(version) { if (!this.stable) { if (version.includes('+')) { @@ -80558,6 +80569,50 @@ class SemeruDistribution extends base_installer_1.JavaBase { exports.SemeruDistribution = SemeruDistribution; +/***/ }), + +/***/ 80877: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.ADOPTIUM_PUBLIC_KEY = void 0; +// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) +// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B +exports.ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT +QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ +PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a +9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf ++11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa +Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL +ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y +Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH +AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG +7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk +kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj +pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju +NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf +l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ +Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj +SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl +UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z +E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q +VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f +B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg +FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ +Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF +yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 +hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj +0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU +6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ +wI4qF/KKq9BfyfucAs0ykA== +=XLag +-----END PGP PUBLIC KEY BLOCK-----`; + + /***/ }), /***/ 91986: @@ -80601,14 +80656,18 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.TemurinDistribution = exports.TemurinImplementation = void 0; +exports.TemurinDistribution = exports.TemurinImplementation = exports.ADOPTIUM_PUBLIC_KEY = void 0; const core = __importStar(__nccwpck_require__(37484)); const tc = __importStar(__nccwpck_require__(33472)); const fs_1 = __importDefault(__nccwpck_require__(79896)); const path_1 = __importDefault(__nccwpck_require__(16928)); const semver_1 = __importDefault(__nccwpck_require__(62088)); +const gpg = __importStar(__nccwpck_require__(88343)); +const adoptium_key_1 = __nccwpck_require__(80877); const base_installer_1 = __nccwpck_require__(79935); const util_1 = __nccwpck_require__(54527); +var adoptium_key_2 = __nccwpck_require__(80877); +Object.defineProperty(exports, "ADOPTIUM_PUBLIC_KEY", ({ enumerable: true, get: function () { return adoptium_key_2.ADOPTIUM_PUBLIC_KEY; } })); var TemurinImplementation; (function (TemurinImplementation) { TemurinImplementation["Hotspot"] = "Hotspot"; @@ -80633,7 +80692,8 @@ class TemurinDistribution extends base_installer_1.JavaBase { : item.version_data.semver.replace('-beta+', '+'); return { version: formattedVersion, - url: item.binaries[0].package.link + url: item.binaries[0].package.link, + signatureUrl: item.binaries[0].package.signature_link }; }); const satisfiedVersions = availableVersionsWithBinaries @@ -80650,9 +80710,22 @@ class TemurinDistribution extends base_installer_1.JavaBase { }); } downloadTool(javaRelease) { + var _a; return __awaiter(this, void 0, void 0, function* () { core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`); let javaArchivePath = yield tc.downloadTool(javaRelease.url); + if (this.verifySignature) { + if (!javaRelease.signatureUrl) { + throw new Error(`Input 'verify-signature' is enabled, but no signature URL was found for Temurin version ${javaRelease.version}.`); + } + core.info(`Verifying Java package signature...`); + try { + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : adoptium_key_1.ADOPTIUM_PUBLIC_KEY); + } + catch (error) { + throw new Error(`Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); + } + } core.info(`Extracting Java archive...`); const extension = (0, util_1.getDownloadArchiveExtension)(); if (process.platform === 'win32') { @@ -80669,6 +80742,9 @@ class TemurinDistribution extends base_installer_1.JavaBase { get toolcacheFolderName() { return super.toolcacheFolderName; } + supportsSignatureVerification() { + return true; + } getAvailableVersions() { return __awaiter(this, void 0, void 0, function* () { const platform = this.getPlatformOption(); @@ -80961,11 +81037,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); const exec = __importStar(__nccwpck_require__(95236)); +const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; @@ -81005,6 +81082,31 @@ function deleteKey(keyFingerprint) { }); } exports.deleteKey = deleteKey; +function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { + return __awaiter(this, void 0, void 0, function* () { + const signaturePath = yield tc.downloadTool(signatureUrl); + let gpgHome; + try { + gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); + } + catch (error) { + throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); + } + const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); + try { + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); + fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); + const options = { silent: true, env }; + yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); + yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); + } + finally { + yield io.rmRF(signaturePath); + yield io.rmRF(gpgHome); + } + }); +} +exports.verifyPackageSignature = verifyPackageSignature; /***/ }), @@ -81073,6 +81175,8 @@ function run() { const cache = core.getInput(constants.INPUT_CACHE); const cacheDependencyPath = core.getInput(constants.INPUT_CACHE_DEPENDENCY_PATH); const checkLatest = (0, util_1.getBooleanInput)(constants.INPUT_CHECK_LATEST, false); + const verifySignature = (0, util_1.getBooleanInput)(constants.INPUT_VERIFY_SIGNATURE, false); + const verifySignaturePublicKey = core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined; let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID); core.startGroup('Installed distributions'); if (versions.length !== toolchainIds.length) { @@ -81085,6 +81189,8 @@ function run() { architecture, packageType, checkLatest, + verifySignature, + verifySignaturePublicKey, distributionName, jdkFile, toolchainIds @@ -81118,11 +81224,13 @@ function run() { run(); function installVersion(version, options, toolchainId = 0) { return __awaiter(this, void 0, void 0, function* () { - const { distributionName, jdkFile, architecture, packageType, checkLatest, toolchainIds } = options; + const { distributionName, jdkFile, architecture, packageType, checkLatest, verifySignature, verifySignaturePublicKey, toolchainIds } = options; const installerOptions = { architecture, packageType, checkLatest, + verifySignature, + verifySignaturePublicKey, version }; const distribution = (0, distribution_factory_1.getJavaDistribution)(distributionName, installerOptions, jdkFile); diff --git a/src/constants.ts b/src/constants.ts index 93af286f8..5b0188965 100644 --- a/src/constants.ts +++ b/src/constants.ts @@ -6,6 +6,8 @@ export const INPUT_JAVA_PACKAGE = 'java-package'; export const INPUT_DISTRIBUTION = 'distribution'; export const INPUT_JDK_FILE = 'jdkFile'; export const INPUT_CHECK_LATEST = 'check-latest'; +export const INPUT_VERIFY_SIGNATURE = 'verify-signature'; +export const INPUT_VERIFY_SIGNATURE_PUBLIC_KEY = 'verify-signature-public-key'; export const INPUT_SERVER_ID = 'server-id'; export const INPUT_SERVER_USERNAME = 'server-username'; export const INPUT_SERVER_PASSWORD = 'server-password'; diff --git a/src/distributions/base-installer.ts b/src/distributions/base-installer.ts index 5d9f3c82a..4494019cd 100644 --- a/src/distributions/base-installer.ts +++ b/src/distributions/base-installer.ts @@ -20,6 +20,8 @@ export abstract class JavaBase { protected packageType: string; protected stable: boolean; protected checkLatest: boolean; + protected verifySignature: boolean; + protected verifySignaturePublicKey: string | undefined; constructor( protected distribution: string, @@ -36,6 +38,8 @@ export abstract class JavaBase { this.architecture = installerOptions.architecture || os.arch(); this.packageType = installerOptions.packageType; this.checkLatest = installerOptions.checkLatest; + this.verifySignature = installerOptions.verifySignature ?? false; + this.verifySignaturePublicKey = installerOptions.verifySignaturePublicKey; } protected abstract downloadTool( @@ -46,6 +50,12 @@ export abstract class JavaBase { ): Promise; public async setupJava(): Promise { + if (this.verifySignature && !this.supportsSignatureVerification()) { + throw new Error( + `Input 'verify-signature' is not supported for distribution '${this.distribution}'.` + ); + } + let foundJava = this.findInToolcache(); if (foundJava && !this.checkLatest) { core.info(`Resolved Java ${foundJava.version} from tool-cache`); @@ -179,6 +189,10 @@ export abstract class JavaBase { return `Java_${this.distribution}_${this.packageType}`; } + protected supportsSignatureVerification(): boolean { + return false; + } + protected getToolcacheVersionName(version: string): string { if (!this.stable) { if (version.includes('+')) { diff --git a/src/distributions/base-models.ts b/src/distributions/base-models.ts index 82344d585..867a058af 100644 --- a/src/distributions/base-models.ts +++ b/src/distributions/base-models.ts @@ -3,6 +3,8 @@ export interface JavaInstallerOptions { architecture: string; packageType: string; checkLatest: boolean; + verifySignature?: boolean; + verifySignaturePublicKey?: string; } export interface JavaInstallerResults { @@ -13,4 +15,5 @@ export interface JavaInstallerResults { export interface JavaDownloadRelease { version: string; url: string; + signatureUrl?: string; } diff --git a/src/distributions/temurin/adoptium-key.ts b/src/distributions/temurin/adoptium-key.ts new file mode 100644 index 000000000..f7466e5e2 --- /dev/null +++ b/src/distributions/temurin/adoptium-key.ts @@ -0,0 +1,33 @@ +// Adoptium GPG signing key (fingerprint: 3B04D753C9050D9A5D343F39843C48A565F8F04B) +// Retrieved from: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3B04D753C9050D9A5D343F39843C48A565F8F04B +export const ADOPTIUM_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsBNBGGTvTQBCAC6ey144n7CG8foafF6mwgIBN1fIm1ILZDuGS4tMr0/XI8pgJnT +QvsPxZWEvtSm7bEMObzEoZJcXwjBcJl1B0ui8k5kHMTI75gCmZPsoKLFWIEpuRBQ +PBocusw80apDmLnNDQLVQvDFtEua5gaNa/fRw9YsmBoXBqvgrjFUIdGyWoQvH5+a +9OYlWD9n5VV0gnVMb+aclwVzB/zJw3kHGSgzuMtlAHeQiah7Y8yomQn/UIX8yqDf ++11sP3+c87YcjkRqImRTtmKEDcEtGPAIXC6SYA+uEEkbYE0Fy0chkvtnVWJ597fa +Epai4rnICU8zoJ6X5z3v1aM2WerhX9oq9X8PABEBAAHNQEFkb3B0aXVtIEdQRyBL +ZXkgKERFQi9SUE0gU2lnbmluZyBLZXkpIDx0ZW11cmluLWRldkBlY2xpcHNlLm9y +Zz7CwJIEEwEIADwWIQQ7BNdTyQUNml00PzmEPEilZfjwSwUCYZO9NAIbAwULCQgH +AgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQhDxIpWX48Et4AggAjjJzYWuKV3nG +7ngInngl8G/m9JoHr7BmwgcQXYhdy5hVkMcUx5JLeXz2LMBUH/F2nD595hgjMabk +kVib20X8lq9RsNbdfc2hBcWU6qyHKxsIqT4boI2/XDyEzzMyyZWWNGo/27Ci7Xmj +pWu31nh0pDdPqdyWDIKojbVVnxlCRY8as8Sm+1ufi709KCi4MuwHNsUlCSwb/fju +NKeHkrHbLcHKUUIEcmTSKRWrpMYBzm1HYOGBz4xPuELwUfUp71ehfoyBZlp6RDRf +l5TYI1FmCyHuvjNhrJgWv7bOTcf8yObGY+TEUhzc4xQqCrF4ur9d3opvsuPBQsv+ +Klqi5KSZgs7ATQRhk700AQgAq14okly8cFrpYVenEQPiB75AUZfKRpMduiR6IxAj +SKcH7aSoFZ9AubUEBVpZsyT5svxoEPe1i4TdbF+m9FGy42EcOlLa3ArLTj5H8FRl +UdGZB9I5mk4GptOzPM+aHMMu92vW/ZwjuS8DvOiQSp+cUmG1EqOMJSM7e/4BM71z +E+OKaVJCj79pEzhG3SK/IC/OlxxyETT66NSfYJd7Sw5R6Vr19am/uNU690W0CJ+q +VQeFpmDMr7LnfdFRIh+lJe05+PvWXeidkGjox5cbG52wf8aRIR/FgkfcFvqRMN1f +B+dVOWueloUeVAnzcUznOKmUEs7LP9ObJhYHHgup4IAU2wARAQABwsB2BBgBCAAg +FiEEOwTXU8kFDZpdND85hDxIpWX48EsFAmGTvTQCGwwACgkQhDxIpWX48EvXHQf/ +Q0nZsGDXnZHiBoojeSdpkO7WBjMIP3w1GdLvRpPQrS8TfOPbZuoevzCNh38Y3gwF +yelJspvzDQrBXhgkzAGlucYg8Y7KHa5Ebm7iDgMzc37L1hYSZTYCqwd7aowfgy34 +hOk3B67LffkJpIh738Oa9CtlwxQ9xcytmBmQ1fBBOwm/9IhAwHPQuydYIs4DxWbj +0MGSP4fDntU7e4UjsHNmhudDcYol0FaqdHHIIB9C/G4CzetRwHFOn3b4JwXMU7YU +6aJA3mXhi3hggMC3wkT2HHZ/TquuOdNc02fypWOCDOHz0alBBJNqoVUNFNqU3tfJ +wI4qF/KKq9BfyfucAs0ykA== +=XLag +-----END PGP PUBLIC KEY BLOCK-----`; diff --git a/src/distributions/temurin/installer.ts b/src/distributions/temurin/installer.ts index 109c2d413..16a896f60 100644 --- a/src/distributions/temurin/installer.ts +++ b/src/distributions/temurin/installer.ts @@ -4,7 +4,9 @@ import * as tc from '@actions/tool-cache'; import fs from 'fs'; import path from 'path'; import semver from 'semver'; +import * as gpg from '../../gpg'; +import {ADOPTIUM_PUBLIC_KEY} from './adoptium-key'; import {JavaBase} from '../base-installer'; import {ITemurinAvailableVersions} from './models'; import { @@ -22,6 +24,8 @@ import { validatePaginationUrl } from '../../util'; +export {ADOPTIUM_PUBLIC_KEY} from './adoptium-key'; + export enum TemurinImplementation { Hotspot = 'Hotspot' } @@ -50,7 +54,8 @@ export class TemurinDistribution extends JavaBase { : item.version_data.semver.replace('-beta+', '+'); return { version: formattedVersion, - url: item.binaries[0].package.link + url: item.binaries[0].package.link, + signatureUrl: item.binaries[0].package.signature_link } as JavaDownloadRelease; }); @@ -80,6 +85,28 @@ export class TemurinDistribution extends JavaBase { ); let javaArchivePath = await tc.downloadTool(javaRelease.url); + if (this.verifySignature) { + if (!javaRelease.signatureUrl) { + throw new Error( + `Input 'verify-signature' is enabled, but no signature URL was found for Temurin version ${javaRelease.version}.` + ); + } + core.info(`Verifying Java package signature...`); + try { + await gpg.verifyPackageSignature( + javaArchivePath, + javaRelease.signatureUrl, + this.verifySignaturePublicKey ?? ADOPTIUM_PUBLIC_KEY + ); + } catch (error) { + throw new Error( + `Failed to verify signature for Temurin version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${ + (error as Error).message + }` + ); + } + } + core.info(`Extracting Java archive...`); const extension = getDownloadArchiveExtension(); if (process.platform === 'win32') { @@ -105,6 +132,10 @@ export class TemurinDistribution extends JavaBase { return super.toolcacheFolderName; } + protected supportsSignatureVerification(): boolean { + return true; + } + private async getAvailableVersions(): Promise { const platform = this.getPlatformOption(); const arch = this.distributionArchitecture(); diff --git a/src/distributions/temurin/models.ts b/src/distributions/temurin/models.ts index eb4b49b7b..c5bff9020 100644 --- a/src/distributions/temurin/models.ts +++ b/src/distributions/temurin/models.ts @@ -11,6 +11,7 @@ export interface ITemurinAvailableVersions { package: { checksum: string; checksum_link: string; + signature_link?: string; download_count: number; link: string; metadata_link: string; diff --git a/src/gpg.ts b/src/gpg.ts index 3b74c1516..6f4a8aa11 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -2,6 +2,7 @@ import * as fs from 'fs'; import * as path from 'path'; import * as io from '@actions/io'; import * as exec from '@actions/exec'; +import * as tc from '@actions/tool-cache'; import * as util from './util'; import {ExecOptions} from '@actions/exec/lib/interfaces'; @@ -53,3 +54,39 @@ export async function deleteKey(keyFingerprint: string) { } ); } + +export async function verifyPackageSignature( + archivePath: string, + signatureUrl: string, + publicKeyContent: string +) { + const signaturePath = await tc.downloadTool(signatureUrl); + let gpgHome: string; + try { + gpgHome = fs.mkdtempSync( + path.join(util.getTempDir(), 'verify-signature-gpg-home-') + ); + } catch (error) { + throw new Error( + `Failed to create temporary GPG home directory for signature verification: ${ + (error as Error).message + }` + ); + } + const env = {...process.env, GNUPGHOME: gpgHome}; + + try { + const publicKeyFile = path.join(gpgHome, 'public-key.asc'); + fs.writeFileSync(publicKeyFile, publicKeyContent, {encoding: 'utf-8'}); + const options: ExecOptions = {silent: true, env}; + await exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); + await exec.exec( + 'gpg', + ['--batch', '--verify', signaturePath, archivePath], + options + ); + } finally { + await io.rmRF(signaturePath); + await io.rmRF(gpgHome); + } +} diff --git a/src/setup-java.ts b/src/setup-java.ts index 73baf33a7..e4ec400b2 100644 --- a/src/setup-java.ts +++ b/src/setup-java.ts @@ -28,6 +28,12 @@ async function run() { constants.INPUT_CACHE_DEPENDENCY_PATH ); const checkLatest = getBooleanInput(constants.INPUT_CHECK_LATEST, false); + const verifySignature = getBooleanInput( + constants.INPUT_VERIFY_SIGNATURE, + false + ); + const verifySignaturePublicKey = + core.getInput(constants.INPUT_VERIFY_SIGNATURE_PUBLIC_KEY) || undefined; let toolchainIds = core.getMultilineInput(constants.INPUT_MVN_TOOLCHAIN_ID); core.startGroup('Installed distributions'); @@ -44,6 +50,8 @@ async function run() { architecture, packageType, checkLatest, + verifySignature, + verifySignaturePublicKey, distributionName, jdkFile, toolchainIds @@ -100,6 +108,8 @@ async function installVersion( architecture, packageType, checkLatest, + verifySignature, + verifySignaturePublicKey, toolchainIds } = options; @@ -107,6 +117,8 @@ async function installVersion( architecture, packageType, checkLatest, + verifySignature, + verifySignaturePublicKey, version }; @@ -141,6 +153,8 @@ interface installerInputsOptions { architecture: string; packageType: string; checkLatest: boolean; + verifySignature: boolean; + verifySignaturePublicKey: string | undefined; distributionName: string; jdkFile: string; toolchainIds: Array; From c2ac82fe110ec61e3b7d09b26af175c26012ea70 Mon Sep 17 00:00:00 2001 From: John <1615532+johnoliver@users.noreply.github.com> Date: Wed, 24 Jun 2026 12:20:45 +0100 Subject: [PATCH 10/22] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- src/gpg.ts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/gpg.ts b/src/gpg.ts index 6f4a8aa11..650476a1a 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -67,6 +67,11 @@ export async function verifyPackageSignature( path.join(util.getTempDir(), 'verify-signature-gpg-home-') ); } catch (error) { + try { + await io.rmRF(signaturePath); + } catch { + // ignore cleanup failures + } throw new Error( `Failed to create temporary GPG home directory for signature verification: ${ (error as Error).message From 03daa994329d6a7c3116778378fc4801f09263a8 Mon Sep 17 00:00:00 2001 From: John <1615532+johnoliver@users.noreply.github.com> Date: Wed, 24 Jun 2026 12:29:40 +0100 Subject: [PATCH 11/22] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 397f1d566..f17065cd3 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,8 @@ For more details, see the full release notes on the [releases page](https://git - `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin`. If set to `true` for unsupported distributions, the action fails. + - `verify-signature-public-key`: ASCII-armored GPG public key used to verify the downloaded package signature. Overrides the default bundled key for the selected distribution. + - `cache`: Quick [setup caching](#caching-packages-dependencies) for the dependencies managed through one of the predefined package managers. It can be one of "maven", "gradle" or "sbt". - `cache-dependency-path`: The path to a dependency file: pom.xml, build.gradle, build.sbt, etc. This option can be used with the `cache` option. If this option is omitted, the action searches for the dependency file in the entire repository. This option supports wildcards and a list of file names for caching multiple dependencies. From db1f1b87544f03c66ad108ff152c3e03c87c9c0a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 10:09:03 +0000 Subject: [PATCH 12/22] Add Microsoft signature verification support --- README.md | 2 +- .../distributors/microsoft-installer.test.ts | 125 +++++++++++++++++- src/distributions/microsoft/installer.ts | 31 +++++ src/distributions/microsoft/microsoft-key.ts | 21 +++ 4 files changed, 177 insertions(+), 2 deletions(-) create mode 100644 src/distributions/microsoft/microsoft-key.ts diff --git a/README.md b/README.md index 9b3cfe2f6..6241efa22 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ For information about the latest releases, recent updates, and newly supported d - `check-latest`: Setting this option makes the action to check for the latest available version for the version spec. - - `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin`. If set to `true` for unsupported distributions, the action fails. + - `verify-signature`: Verifies downloaded Java package signatures when supported by the selected distribution. Currently supported for `temurin` and `microsoft`. If set to `true` for unsupported distributions, the action fails. - `cache`: Quick [setup caching](#caching-packages-dependencies) for the dependencies managed through one of the predefined package managers. It can be one of "maven", "gradle" or "sbt". diff --git a/__tests__/distributors/microsoft-installer.test.ts b/__tests__/distributors/microsoft-installer.test.ts index a971dc7fb..d2b12da78 100644 --- a/__tests__/distributors/microsoft-installer.test.ts +++ b/__tests__/distributors/microsoft-installer.test.ts @@ -1,8 +1,15 @@ -import {MicrosoftDistributions} from '../../src/distributions/microsoft/installer'; +import { + MicrosoftDistributions, + MICROSOFT_PUBLIC_KEY +} from '../../src/distributions/microsoft/installer'; import os from 'os'; import data from '../data/microsoft.json'; import * as httpm from '@actions/http-client'; import * as core from '@actions/core'; +import * as tc from '@actions/tool-cache'; +import * as gpg from '../../src/gpg'; +import * as util from '../../src/util'; +import fs from 'fs'; describe('findPackageForDownload', () => { let distribution: MicrosoftDistributions; @@ -97,6 +104,7 @@ describe('findPackageForDownload', () => { .replace('{{OS_TYPE}}', os) .replace('{{ARCHIVE_TYPE}}', archive); expect(result.url).toBe(url); + expect(result.signatureUrl).toBe(`${url}.sig`); }); it.each([ @@ -183,3 +191,118 @@ describe('findPackageForDownload', () => { ); }); }); + +describe('downloadTool', () => { + let spyDownloadTool: jest.SpyInstance; + let spyExtractJdkFile: jest.SpyInstance; + let spyCacheDir: jest.SpyInstance; + let spyVerifySignature: jest.SpyInstance; + let distribution: MicrosoftDistributions; + + beforeEach(() => { + jest + .spyOn(os, 'platform') + .mockReturnValue(process.platform as ReturnType); + + distribution = new MicrosoftDistributions({ + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false + }); + + spyDownloadTool = jest.spyOn(tc, 'downloadTool'); + spyDownloadTool.mockImplementation(async () => { + return '/tmp/jdk.tar.gz'; + }); + + spyExtractJdkFile = jest.spyOn(util, 'extractJdkFile'); + spyExtractJdkFile.mockImplementation(async () => { + return '/tmp/unpacked'; + }); + + jest.spyOn(fs, 'readdirSync').mockReturnValue(['jdk'] as any); + spyCacheDir = jest.spyOn(tc, 'cacheDir'); + spyCacheDir.mockImplementation(async () => { + return '/tmp/cached'; + }); + + spyVerifySignature = jest.spyOn(gpg, 'verifyPackageSignature'); + spyVerifySignature.mockImplementation(async () => {}); + }); + + afterEach(() => { + jest.restoreAllMocks(); + }); + + it('verifies signature when enabled', async () => { + const signedDistribution = new MicrosoftDistributions({ + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }); + + await signedDistribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz', + signatureUrl: 'https://example.com/jdk.tar.gz.sig' + }); + + expect(spyVerifySignature).toHaveBeenCalledWith( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + MICROSOFT_PUBLIC_KEY + ); + }); + + it('uses custom public key when verifySignaturePublicKey is provided', async () => { + const customKey = + '-----BEGIN PGP PUBLIC KEY BLOCK-----\ncustom\n-----END PGP PUBLIC KEY BLOCK-----'; + const signedDistribution = new MicrosoftDistributions({ + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true, + verifySignaturePublicKey: customKey + }); + + await signedDistribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz', + signatureUrl: 'https://example.com/jdk.tar.gz.sig' + }); + + expect(spyVerifySignature).toHaveBeenCalledWith( + '/tmp/jdk.tar.gz', + 'https://example.com/jdk.tar.gz.sig', + customKey + ); + }); + + it('fails when signature is missing and verification is enabled', async () => { + const signedDistribution = new MicrosoftDistributions({ + version: '17', + architecture: 'x64', + packageType: 'jdk', + checkLatest: false, + verifySignature: true + }); + + await expect( + signedDistribution['downloadTool']({ + version: '17.0.14+7', + url: 'https://example.com/jdk.tar.gz' + }) + ).rejects.toThrow( + "Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version 17.0.14+7." + ); + expect(spyVerifySignature).not.toHaveBeenCalled(); + }); + + it('supports signature verification', () => { + expect(distribution['supportsSignatureVerification']()).toBe(true); + }); +}); diff --git a/src/distributions/microsoft/installer.ts b/src/distributions/microsoft/installer.ts index a48a3c2a3..b6f0c8811 100644 --- a/src/distributions/microsoft/installer.ts +++ b/src/distributions/microsoft/installer.ts @@ -10,12 +10,16 @@ import { getGitHubHttpHeaders, renameWinArchive } from '../../util'; +import * as gpg from '../../gpg'; +import {MICROSOFT_PUBLIC_KEY} from './microsoft-key'; import * as core from '@actions/core'; import * as tc from '@actions/tool-cache'; import fs from 'fs'; import path from 'path'; import {TypedResponse} from '@actions/http-client/lib/interfaces'; +export {MICROSOFT_PUBLIC_KEY} from './microsoft-key'; + export class MicrosoftDistributions extends JavaBase { constructor(installerOptions: JavaInstallerOptions) { super('Microsoft', installerOptions); @@ -29,6 +33,28 @@ export class MicrosoftDistributions extends JavaBase { ); let javaArchivePath = await tc.downloadTool(javaRelease.url); + if (this.verifySignature) { + if (!javaRelease.signatureUrl) { + throw new Error( + `Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.` + ); + } + core.info(`Verifying Java package signature...`); + try { + await gpg.verifyPackageSignature( + javaArchivePath, + javaRelease.signatureUrl, + this.verifySignaturePublicKey ?? MICROSOFT_PUBLIC_KEY + ); + } catch (error) { + throw new Error( + `Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${ + (error as Error).message + }` + ); + } + } + core.info(`Extracting Java archive...`); const extension = getDownloadArchiveExtension(); if (process.platform === 'win32') { @@ -82,10 +108,15 @@ export class MicrosoftDistributions extends JavaBase { return { url: foundRelease.files[0].download_url, + signatureUrl: `${foundRelease.files[0].download_url}.sig`, version: foundRelease.version }; } + protected supportsSignatureVerification(): boolean { + return true; + } + private async getAvailableVersions(): Promise { // TODO get these dynamically! // We will need Microsoft to add an endpoint where we can query for versions. diff --git a/src/distributions/microsoft/microsoft-key.ts b/src/distributions/microsoft/microsoft-key.ts new file mode 100644 index 000000000..3cb1f42c4 --- /dev/null +++ b/src/distributions/microsoft/microsoft-key.ts @@ -0,0 +1,21 @@ +// Microsoft Build of OpenJDK GPG signing key +// Retrieved from: https://download.visualstudio.microsoft.com/download/pr/b90071e2-e0cf-4411-98be-dbeb09d67bf0/8622862bcd54206e158c5abca0582c9b/464279_464280_aoc_20210208.asc +export const MICROSOFT_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: BSN Pgp v1.1.0.0 + +mQENBGAhlWcBCADCQjj6huLTenvZSLej35e9YKEHm4lix2uvPOONexMaU8V2v7KL +RGdoXF7jwHci7efnPZ+9zpS2+g3rhvv8M7yWy9E/1psEtGzvmp1IL/qIabMEQqi+ +UlhPGh7MQ/BkXAlic8Dyl3XYqr0EXS11iCiTr6Zkxs9Ee4V54gxL4gogRn4wk9sl +/nrjgDzMsUwla0pynoQQvYpqCdiAr3gKKllT1skCDqgVOMMyZxsx9HjZxg/3AJz6 +r5i512L2R+3Hkv+XmxT+mnGBCFcny0DM7PjNXEmIK3ZSkro1tQML90zx3Fyh5esx +fpVvuIXGFV75o35VVCBZoiD3hcfOnIJsPQ9nABEBAAG0OE1pY3Jvc29mdCBKYXZh +IEVuZ2luZWVyaW5nIDxqYXZhcGxhdGluZnJhQG1pY3Jvc29mdC5jb20+iQE4BBMB +CAAiBQJgIZVnAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1Ux0xWyHB +icwTCACJO2FGNocNvdUtAb+eDKuGwt0chAJdCES2ZtgBScwrwDyWpxpRznoXWBHL +MJeLyxJoKsCG3vVlY4uh48psCzVm3OKvi7MCPT955t8W6TzfSBxTpjR8zRgJkjPJ +EGhHTlusUfz7TtM5etJF0qscSJH1grcNsgtee97mk4QyEzT8Di83NQmYxKcBrliq +yK/SWWt8VkTyYAEO6L5PoB4L9r8ka27uQs+jgCw+/Z0JMtNmmhyNGY3+a1YtPeoy +JdQaI9LphfKGbVaz6SK2aol7vj+c2TG3TLUYdOYGMH1OZlri2GTkCVjwna2GC7p4 +Fa133tP85xzJEq1XeXm8WeLFo2wV +=rHCS +-----END PGP PUBLIC KEY BLOCK-----`; From 2b15efdc039ec218422b71082c5f8b7bf0a65b9f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 10:10:54 +0000 Subject: [PATCH 13/22] Regenerate dist bundles for Microsoft signature checks --- dist/setup/index.js | 55 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/dist/setup/index.js b/dist/setup/index.js index 0453e6bca..a0c3dcf01 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -79560,21 +79560,38 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.MicrosoftDistributions = void 0; +exports.MicrosoftDistributions = exports.MICROSOFT_PUBLIC_KEY = void 0; const base_installer_1 = __nccwpck_require__(79935); const util_1 = __nccwpck_require__(54527); +const gpg = __importStar(__nccwpck_require__(88343)); +const microsoft_key_1 = __nccwpck_require__(56286); const core = __importStar(__nccwpck_require__(37484)); const tc = __importStar(__nccwpck_require__(33472)); const fs_1 = __importDefault(__nccwpck_require__(79896)); const path_1 = __importDefault(__nccwpck_require__(16928)); +var microsoft_key_2 = __nccwpck_require__(56286); +Object.defineProperty(exports, "MICROSOFT_PUBLIC_KEY", ({ enumerable: true, get: function () { return microsoft_key_2.MICROSOFT_PUBLIC_KEY; } })); class MicrosoftDistributions extends base_installer_1.JavaBase { constructor(installerOptions) { super('Microsoft', installerOptions); } downloadTool(javaRelease) { + var _a; return __awaiter(this, void 0, void 0, function* () { core.info(`Downloading Java ${javaRelease.version} (${this.distribution}) from ${javaRelease.url} ...`); let javaArchivePath = yield tc.downloadTool(javaRelease.url); + if (this.verifySignature) { + if (!javaRelease.signatureUrl) { + throw new Error(`Input 'verify-signature' is enabled, but no signature URL was found for Microsoft Build of OpenJDK version ${javaRelease.version}.`); + } + core.info(`Verifying Java package signature...`); + try { + yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : microsoft_key_1.MICROSOFT_PUBLIC_KEY); + } + catch (error) { + throw new Error(`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); + } + } core.info(`Extracting Java archive...`); const extension = (0, util_1.getDownloadArchiveExtension)(); if (process.platform === 'win32') { @@ -79610,10 +79627,14 @@ class MicrosoftDistributions extends base_installer_1.JavaBase { } return { url: foundRelease.files[0].download_url, + signatureUrl: `${foundRelease.files[0].download_url}.sig`, version: foundRelease.version }; }); } + supportsSignatureVerification() { + return true; + } getAvailableVersions() { return __awaiter(this, void 0, void 0, function* () { // TODO get these dynamically! @@ -79656,6 +79677,38 @@ class MicrosoftDistributions extends base_installer_1.JavaBase { exports.MicrosoftDistributions = MicrosoftDistributions; +/***/ }), + +/***/ 56286: +/***/ ((__unused_webpack_module, exports) => { + +"use strict"; + +Object.defineProperty(exports, "__esModule", ({ value: true })); +exports.MICROSOFT_PUBLIC_KEY = void 0; +// Microsoft Build of OpenJDK GPG signing key +// Retrieved from: https://download.visualstudio.microsoft.com/download/pr/b90071e2-e0cf-4411-98be-dbeb09d67bf0/8622862bcd54206e158c5abca0582c9b/464279_464280_aoc_20210208.asc +exports.MICROSOFT_PUBLIC_KEY = `-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: BSN Pgp v1.1.0.0 + +mQENBGAhlWcBCADCQjj6huLTenvZSLej35e9YKEHm4lix2uvPOONexMaU8V2v7KL +RGdoXF7jwHci7efnPZ+9zpS2+g3rhvv8M7yWy9E/1psEtGzvmp1IL/qIabMEQqi+ +UlhPGh7MQ/BkXAlic8Dyl3XYqr0EXS11iCiTr6Zkxs9Ee4V54gxL4gogRn4wk9sl +/nrjgDzMsUwla0pynoQQvYpqCdiAr3gKKllT1skCDqgVOMMyZxsx9HjZxg/3AJz6 +r5i512L2R+3Hkv+XmxT+mnGBCFcny0DM7PjNXEmIK3ZSkro1tQML90zx3Fyh5esx +fpVvuIXGFV75o35VVCBZoiD3hcfOnIJsPQ9nABEBAAG0OE1pY3Jvc29mdCBKYXZh +IEVuZ2luZWVyaW5nIDxqYXZhcGxhdGluZnJhQG1pY3Jvc29mdC5jb20+iQE4BBMB +CAAiBQJgIZVnAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRA1Ux0xWyHB +icwTCACJO2FGNocNvdUtAb+eDKuGwt0chAJdCES2ZtgBScwrwDyWpxpRznoXWBHL +MJeLyxJoKsCG3vVlY4uh48psCzVm3OKvi7MCPT955t8W6TzfSBxTpjR8zRgJkjPJ +EGhHTlusUfz7TtM5etJF0qscSJH1grcNsgtee97mk4QyEzT8Di83NQmYxKcBrliq +yK/SWWt8VkTyYAEO6L5PoB4L9r8ka27uQs+jgCw+/Z0JMtNmmhyNGY3+a1YtPeoy +JdQaI9LphfKGbVaz6SK2aol7vj+c2TG3TLUYdOYGMH1OZlri2GTkCVjwna2GC7p4 +Fa133tP85xzJEq1XeXm8WeLFo2wV +=rHCS +-----END PGP PUBLIC KEY BLOCK-----`; + + /***/ }), /***/ 11182: From 5dab176365295db744f9ab25be8b255077a03f17 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 10:15:48 +0000 Subject: [PATCH 14/22] Harden Microsoft signature URL handling --- .../distributors/microsoft-installer.test.ts | 28 +++++++++++++++++++ dist/setup/index.js | 9 ++++-- src/distributions/microsoft/installer.ts | 14 ++++++---- 3 files changed, 43 insertions(+), 8 deletions(-) diff --git a/__tests__/distributors/microsoft-installer.test.ts b/__tests__/distributors/microsoft-installer.test.ts index d2b12da78..e8e4c4bfc 100644 --- a/__tests__/distributors/microsoft-installer.test.ts +++ b/__tests__/distributors/microsoft-installer.test.ts @@ -190,6 +190,34 @@ describe('findPackageForDownload', () => { /No matching version found for SemVer */ ); }); + + it('uses manifest-provided signature URL when available', async () => { + spyGetManifestFromRepo.mockReturnValue({ + result: [ + { + version: '17.0.10', + stable: true, + release_url: 'https://example.test', + files: [ + { + filename: 'microsoft-jdk-17.0.10-linux-x64.tar.gz', + arch: 'x64', + platform: 'linux', + download_url: 'https://example.test/jdk.tar.gz', + signature_url: 'https://example.test/jdk.tar.gz.custom.sig' + } + ] + } + ], + statusCode: 200, + headers: {} + }); + jest.spyOn(os, 'platform').mockReturnValue('linux'); + + const result = await distribution['findPackageForDownload']('17.0.10'); + + expect(result.signatureUrl).toBe('https://example.test/jdk.tar.gz.custom.sig'); + }); }); describe('downloadTool', () => { diff --git a/dist/setup/index.js b/dist/setup/index.js index a0c3dcf01..78b8a652d 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -79589,7 +79589,7 @@ class MicrosoftDistributions extends base_installer_1.JavaBase { yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : microsoft_key_1.MICROSOFT_PUBLIC_KEY); } catch (error) { - throw new Error(`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); + throw new Error(`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${error.message}`); } } core.info(`Extracting Java archive...`); @@ -79605,6 +79605,7 @@ class MicrosoftDistributions extends base_installer_1.JavaBase { }); } findPackageForDownload(range) { + var _a; return __awaiter(this, void 0, void 0, function* () { const arch = this.distributionArchitecture(); if (arch !== 'x64' && arch !== 'aarch64') { @@ -79625,9 +79626,11 @@ class MicrosoftDistributions extends base_installer_1.JavaBase { const availableVersionStrings = manifest.map(item => item.version); throw this.createVersionNotFoundError(range, availableVersionStrings); } + const file = foundRelease.files[0]; + const signatureUrl = (_a = file.signature_url) !== null && _a !== void 0 ? _a : `${file.download_url}.sig`; return { - url: foundRelease.files[0].download_url, - signatureUrl: `${foundRelease.files[0].download_url}.sig`, + url: file.download_url, + signatureUrl, version: foundRelease.version }; }); diff --git a/src/distributions/microsoft/installer.ts b/src/distributions/microsoft/installer.ts index b6f0c8811..9e8e03388 100644 --- a/src/distributions/microsoft/installer.ts +++ b/src/distributions/microsoft/installer.ts @@ -48,9 +48,7 @@ export class MicrosoftDistributions extends JavaBase { ); } catch (error) { throw new Error( - `Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${ - (error as Error).message - }` + `Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${(error as Error).message}` ); } } @@ -106,9 +104,15 @@ export class MicrosoftDistributions extends JavaBase { throw this.createVersionNotFoundError(range, availableVersionStrings); } + const file = foundRelease.files[0] as { + download_url: string; + signature_url?: string; + }; + const signatureUrl = file.signature_url ?? `${file.download_url}.sig`; + return { - url: foundRelease.files[0].download_url, - signatureUrl: `${foundRelease.files[0].download_url}.sig`, + url: file.download_url, + signatureUrl, version: foundRelease.version }; } From 776fcf9e4102eeb3c50fe12d13103b5d30d755ea Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 10:36:05 +0000 Subject: [PATCH 15/22] Add setup-java-microsoft-signature-verification e2e job --- .github/workflows/e2e-versions.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/.github/workflows/e2e-versions.yml b/.github/workflows/e2e-versions.yml index 47eaf0218..bcca25517 100644 --- a/.github/workflows/e2e-versions.yml +++ b/.github/workflows/e2e-versions.yml @@ -315,6 +315,29 @@ jobs: run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" shell: bash + setup-java-microsoft-signature-verification: + name: microsoft ${{ matrix.version }} signature verification - ${{ matrix.os }} + needs: setup-java-major-minor-versions + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: [macos-latest, windows-latest, ubuntu-latest] + version: ['21', '17'] + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: setup-java with signature verification + uses: ./ + id: setup-java + with: + java-version: ${{ matrix.version }} + distribution: microsoft + verify-signature: true + - name: Verify Java + run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + shell: bash + setup-java-ea-versions-sapmachine: name: sapmachine ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }} needs: setup-java-major-minor-versions From 45cdfed0360c9651a4fd47f0dfd7ba87487e4191 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 10:39:37 +0000 Subject: [PATCH 16/22] chore: regenerate dist files --- dist/cleanup/index.js | 6 ++++++ dist/setup/index.js | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index 2cd3c3252..18ac0774e 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52366,6 +52366,12 @@ function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); } catch (error) { + try { + yield io.rmRF(signaturePath); + } + catch (_a) { + // ignore cleanup failures + } throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); diff --git a/dist/setup/index.js b/dist/setup/index.js index e47320402..4c999d797 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -81146,6 +81146,12 @@ function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { gpgHome = fs.mkdtempSync(path.join(util.getTempDir(), 'verify-signature-gpg-home-')); } catch (error) { + try { + yield io.rmRF(signaturePath); + } + catch (_a) { + // ignore cleanup failures + } throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); From 673ccf9f5b64407c6cf04319a9bb23c11a0d16f9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 10:52:09 +0000 Subject: [PATCH 17/22] Fix e2e-versions: remove duplicate job, update signature jobs to checkout@v7 with env vars --- .github/workflows/e2e-versions.yml | 39 ++++++++++-------------------- 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/.github/workflows/e2e-versions.yml b/.github/workflows/e2e-versions.yml index 097bf6bbc..4ea83d8b8 100644 --- a/.github/workflows/e2e-versions.yml +++ b/.github/workflows/e2e-versions.yml @@ -339,30 +339,9 @@ jobs: version: ['21', '17'] steps: - name: Checkout - uses: actions/checkout@v6 - - name: setup-java with signature verification - uses: ./ - id: setup-java + uses: actions/checkout@v7 with: - java-version: ${{ matrix.version }} - distribution: temurin - verify-signature: true - - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" - shell: bash - - setup-java-temurin-signature-verification: - name: temurin ${{ matrix.version }} signature verification - ${{ matrix.os }} - needs: setup-java-major-minor-versions - runs-on: ${{ matrix.os }} - strategy: - fail-fast: false - matrix: - os: [macos-latest, windows-latest, ubuntu-latest] - version: ['21', '17'] - steps: - - name: Checkout - uses: actions/checkout@v6 + persist-credentials: false - name: setup-java with signature verification uses: ./ id: setup-java @@ -371,7 +350,10 @@ jobs: distribution: temurin verify-signature: true - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash setup-java-microsoft-signature-verification: @@ -385,7 +367,9 @@ jobs: version: ['21', '17'] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v7 + with: + persist-credentials: false - name: setup-java with signature verification uses: ./ id: setup-java @@ -394,7 +378,10 @@ jobs: distribution: microsoft verify-signature: true - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash setup-java-ea-versions-sapmachine: From e2b889947bc1b450cc3fdb050f65408504f023ce Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 11:00:17 +0000 Subject: [PATCH 18/22] Fix Prettier formatting in test files --- __tests__/distributors/microsoft-installer.test.ts | 4 +++- __tests__/gpg.test.ts | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/__tests__/distributors/microsoft-installer.test.ts b/__tests__/distributors/microsoft-installer.test.ts index 6eb2b58e9..6b08d65fc 100644 --- a/__tests__/distributors/microsoft-installer.test.ts +++ b/__tests__/distributors/microsoft-installer.test.ts @@ -221,7 +221,9 @@ describe('findPackageForDownload', () => { const result = await distribution['findPackageForDownload']('17.0.10'); - expect(result.signatureUrl).toBe('https://example.test/jdk.tar.gz.custom.sig'); + expect(result.signatureUrl).toBe( + 'https://example.test/jdk.tar.gz.custom.sig' + ); }); }); diff --git a/__tests__/gpg.test.ts b/__tests__/gpg.test.ts index 655077fb5..cf72803e3 100644 --- a/__tests__/gpg.test.ts +++ b/__tests__/gpg.test.ts @@ -61,7 +61,8 @@ describe('gpg tests', () => { describe('verifyPackageSignature', () => { it('imports bundled key and verifies package', async () => { - const publicKeyContent = '-----BEGIN PGP PUBLIC KEY BLOCK-----\ntest\n-----END PGP PUBLIC KEY BLOCK-----'; + const publicKeyContent = + '-----BEGIN PGP PUBLIC KEY BLOCK-----\ntest\n-----END PGP PUBLIC KEY BLOCK-----'; (tc.downloadTool as jest.Mock).mockResolvedValue('/tmp/jdk.tar.gz.sig'); await gpg.verifyPackageSignature( '/tmp/jdk.tar.gz', From 730e373df50564b3de1a81ddabc042a582c26563 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 11:45:37 +0000 Subject: [PATCH 19/22] fix: mock renameWinArchive in microsoft-installer tests to fix Windows CI failure --- __tests__/distributors/microsoft-installer.test.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/__tests__/distributors/microsoft-installer.test.ts b/__tests__/distributors/microsoft-installer.test.ts index 6b08d65fc..d2527f6f7 100644 --- a/__tests__/distributors/microsoft-installer.test.ts +++ b/__tests__/distributors/microsoft-installer.test.ts @@ -262,6 +262,10 @@ describe('downloadTool', () => { return '/tmp/cached'; }); + jest + .spyOn(util, 'renameWinArchive') + .mockImplementation((archivePath: string) => `${archivePath}.zip`); + spyVerifySignature = jest.spyOn(gpg, 'verifyPackageSignature'); spyVerifySignature.mockImplementation(async () => {}); }); From 801240703eb78c8e46323cacad5c5f9196c598a1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 12:40:04 +0000 Subject: [PATCH 20/22] fix: use --homedir flag instead of GNUPGHOME env var for Windows GPG compatibility The Git-bundled GPG on Windows (MSYS2-based) does not automatically convert Windows-style paths in environment variables like GNUPGHOME. This caused GPG to fail with exit code 2 when verifying Microsoft JDK signatures on Windows, because the GNUPGHOME path (D:\a\_temp\...) was not recognized as a valid POSIX path. Fix: pass --homedir as an explicit command-line argument to both gpg --import and gpg --verify. MSYS2 does correctly convert Windows paths in command-line arguments, so this approach works reliably on Windows, Linux, and macOS. --- __tests__/gpg.test.ts | 17 +++++++++++++++-- dist/cleanup/index.js | 7 +++---- dist/setup/index.js | 7 +++---- src/gpg.ts | 12 +++++++----- 4 files changed, 28 insertions(+), 15 deletions(-) diff --git a/__tests__/gpg.test.ts b/__tests__/gpg.test.ts index cf72803e3..d8f144948 100644 --- a/__tests__/gpg.test.ts +++ b/__tests__/gpg.test.ts @@ -76,13 +76,26 @@ describe('gpg tests', () => { expect(exec.exec).toHaveBeenNthCalledWith( 1, 'gpg', - ['--batch', '--import', expect.stringContaining('public-key.asc')], + [ + '--homedir', + expect.any(String), + '--batch', + '--import', + expect.stringContaining('public-key.asc') + ], expect.objectContaining({silent: true}) ); expect(exec.exec).toHaveBeenNthCalledWith( 2, 'gpg', - ['--batch', '--verify', '/tmp/jdk.tar.gz.sig', '/tmp/jdk.tar.gz'], + [ + '--homedir', + expect.any(String), + '--batch', + '--verify', + '/tmp/jdk.tar.gz.sig', + '/tmp/jdk.tar.gz' + ], expect.objectContaining({silent: true}) ); }); diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index 18ac0774e..c32109fdf 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52374,13 +52374,12 @@ function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { } throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } - const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); try { const publicKeyFile = path.join(gpgHome, 'public-key.asc'); fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); - const options = { silent: true, env }; - yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); - yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); + const options = { silent: true }; + yield exec.exec('gpg', ['--homedir', gpgHome, '--batch', '--import', publicKeyFile], options); + yield exec.exec('gpg', ['--homedir', gpgHome, '--batch', '--verify', signaturePath, archivePath], options); } finally { yield io.rmRF(signaturePath); diff --git a/dist/setup/index.js b/dist/setup/index.js index 4c999d797..f8d12d872 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -81154,13 +81154,12 @@ function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { } throw new Error(`Failed to create temporary GPG home directory for signature verification: ${error.message}`); } - const env = Object.assign(Object.assign({}, process.env), { GNUPGHOME: gpgHome }); try { const publicKeyFile = path.join(gpgHome, 'public-key.asc'); fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); - const options = { silent: true, env }; - yield exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); - yield exec.exec('gpg', ['--batch', '--verify', signaturePath, archivePath], options); + const options = { silent: true }; + yield exec.exec('gpg', ['--homedir', gpgHome, '--batch', '--import', publicKeyFile], options); + yield exec.exec('gpg', ['--homedir', gpgHome, '--batch', '--verify', signaturePath, archivePath], options); } finally { yield io.rmRF(signaturePath); diff --git a/src/gpg.ts b/src/gpg.ts index 650476a1a..1086fdce7 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -78,16 +78,18 @@ export async function verifyPackageSignature( }` ); } - const env = {...process.env, GNUPGHOME: gpgHome}; - try { const publicKeyFile = path.join(gpgHome, 'public-key.asc'); fs.writeFileSync(publicKeyFile, publicKeyContent, {encoding: 'utf-8'}); - const options: ExecOptions = {silent: true, env}; - await exec.exec('gpg', ['--batch', '--import', publicKeyFile], options); + const options: ExecOptions = {silent: true}; + await exec.exec( + 'gpg', + ['--homedir', gpgHome, '--batch', '--import', publicKeyFile], + options + ); await exec.exec( 'gpg', - ['--batch', '--verify', signaturePath, archivePath], + ['--homedir', gpgHome, '--batch', '--verify', signaturePath, archivePath], options ); } finally { From 2c986902654c7f6c01ea008ca584899d8cf15db1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 16:54:37 +0000 Subject: [PATCH 21/22] fix: convert Windows paths to POSIX format for MSYS2 GPG on Windows The Git-bundled GPG on Windows (C:\Program Files\Git\usr\bin\gpg.exe) is an MSYS2-based binary that uses POSIX path conventions internally. When Windows-style paths with backslashes and drive letters (D:\a\_temp\...) are passed as arguments, GPG may fail to resolve them correctly, resulting in a fatal error (exit code 2). Fix: add a toGpgPath() helper that converts Windows paths to MSYS2 POSIX format (/d/a/_temp/...) before passing them to any gpg command. On Linux and macOS the helper is a no-op. Applied to all four paths used in verifyPackageSignature: - gpgHome (--homedir argument) - publicKeyFile (--import argument) - signaturePath (--verify signature argument) - archivePath (--verify data argument) --- __tests__/gpg.test.ts | 29 +++++++++++++++++++++++++++++ dist/cleanup/index.js | 31 ++++++++++++++++++++++++++++--- dist/setup/index.js | 31 ++++++++++++++++++++++++++++--- src/gpg.ts | 28 ++++++++++++++++++++++++++-- 4 files changed, 111 insertions(+), 8 deletions(-) diff --git a/__tests__/gpg.test.ts b/__tests__/gpg.test.ts index d8f144948..f5882e29a 100644 --- a/__tests__/gpg.test.ts +++ b/__tests__/gpg.test.ts @@ -32,6 +32,35 @@ describe('gpg tests', () => { } }); + describe('toGpgPath', () => { + const originalPlatform = process.platform; + + afterEach(() => { + Object.defineProperty(process, 'platform', {value: originalPlatform}); + }); + + it('returns path unchanged on non-Windows platforms', () => { + Object.defineProperty(process, 'platform', {value: 'linux'}); + expect(gpg.toGpgPath('/tmp/some/path')).toBe('/tmp/some/path'); + expect(gpg.toGpgPath('D:\\a\\_temp\\file')).toBe('D:\\a\\_temp\\file'); + }); + + it('converts Windows backslashes and drive letter to POSIX path on Windows', () => { + Object.defineProperty(process, 'platform', {value: 'win32'}); + expect(gpg.toGpgPath('D:\\a\\_temp\\gpg-home')).toBe( + '/d/a/_temp/gpg-home' + ); + expect(gpg.toGpgPath('C:\\Users\\runner\\AppData\\Local\\Temp\\key.asc')).toBe( + '/c/Users/runner/AppData/Local/Temp/key.asc' + ); + }); + + it('handles uppercase and lowercase drive letters on Windows', () => { + Object.defineProperty(process, 'platform', {value: 'win32'}); + expect(gpg.toGpgPath('d:\\a\\_temp\\file')).toBe('/d/a/_temp/file'); + }); + }); + describe('importKey', () => { it('attempts to import private key and returns null key id on failure', async () => { const privateKey = 'KEY CONTENTS'; diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index c32109fdf..d962852b5 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -52313,7 +52313,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.toGpgPath = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); @@ -52322,6 +52322,18 @@ const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; +// Convert a Windows path (D:\a\_temp\...) to a POSIX path (/d/a/_temp/...). +// The Git-bundled GPG on Windows (MSYS2-based) uses POSIX path conventions +// internally. Passing Windows paths with backslashes can cause fatal GPG errors +// (exit code 2), so all paths passed to GPG must be in POSIX format on Windows. +function toGpgPath(p) { + if (process.platform !== 'win32') + return p; + return p + .replace(/\\/g, '/') + .replace(/^([A-Za-z]):\//, (_, drive) => `/${drive.toLowerCase()}/`); +} +exports.toGpgPath = toGpgPath; function importKey(privateKey) { return __awaiter(this, void 0, void 0, function* () { fs.writeFileSync(exports.PRIVATE_KEY_FILE, privateKey, { @@ -52378,8 +52390,21 @@ function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { const publicKeyFile = path.join(gpgHome, 'public-key.asc'); fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); const options = { silent: true }; - yield exec.exec('gpg', ['--homedir', gpgHome, '--batch', '--import', publicKeyFile], options); - yield exec.exec('gpg', ['--homedir', gpgHome, '--batch', '--verify', signaturePath, archivePath], options); + yield exec.exec('gpg', [ + '--homedir', + toGpgPath(gpgHome), + '--batch', + '--import', + toGpgPath(publicKeyFile) + ], options); + yield exec.exec('gpg', [ + '--homedir', + toGpgPath(gpgHome), + '--batch', + '--verify', + toGpgPath(signaturePath), + toGpgPath(archivePath) + ], options); } finally { yield io.rmRF(signaturePath); diff --git a/dist/setup/index.js b/dist/setup/index.js index f8d12d872..54ced2b5f 100644 --- a/dist/setup/index.js +++ b/dist/setup/index.js @@ -81093,7 +81093,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge }); }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.PRIVATE_KEY_FILE = void 0; +exports.verifyPackageSignature = exports.deleteKey = exports.importKey = exports.toGpgPath = exports.PRIVATE_KEY_FILE = void 0; const fs = __importStar(__nccwpck_require__(79896)); const path = __importStar(__nccwpck_require__(16928)); const io = __importStar(__nccwpck_require__(94994)); @@ -81102,6 +81102,18 @@ const tc = __importStar(__nccwpck_require__(33472)); const util = __importStar(__nccwpck_require__(54527)); exports.PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; +// Convert a Windows path (D:\a\_temp\...) to a POSIX path (/d/a/_temp/...). +// The Git-bundled GPG on Windows (MSYS2-based) uses POSIX path conventions +// internally. Passing Windows paths with backslashes can cause fatal GPG errors +// (exit code 2), so all paths passed to GPG must be in POSIX format on Windows. +function toGpgPath(p) { + if (process.platform !== 'win32') + return p; + return p + .replace(/\\/g, '/') + .replace(/^([A-Za-z]):\//, (_, drive) => `/${drive.toLowerCase()}/`); +} +exports.toGpgPath = toGpgPath; function importKey(privateKey) { return __awaiter(this, void 0, void 0, function* () { fs.writeFileSync(exports.PRIVATE_KEY_FILE, privateKey, { @@ -81158,8 +81170,21 @@ function verifyPackageSignature(archivePath, signatureUrl, publicKeyContent) { const publicKeyFile = path.join(gpgHome, 'public-key.asc'); fs.writeFileSync(publicKeyFile, publicKeyContent, { encoding: 'utf-8' }); const options = { silent: true }; - yield exec.exec('gpg', ['--homedir', gpgHome, '--batch', '--import', publicKeyFile], options); - yield exec.exec('gpg', ['--homedir', gpgHome, '--batch', '--verify', signaturePath, archivePath], options); + yield exec.exec('gpg', [ + '--homedir', + toGpgPath(gpgHome), + '--batch', + '--import', + toGpgPath(publicKeyFile) + ], options); + yield exec.exec('gpg', [ + '--homedir', + toGpgPath(gpgHome), + '--batch', + '--verify', + toGpgPath(signaturePath), + toGpgPath(archivePath) + ], options); } finally { yield io.rmRF(signaturePath); diff --git a/src/gpg.ts b/src/gpg.ts index 1086fdce7..3472e3b96 100644 --- a/src/gpg.ts +++ b/src/gpg.ts @@ -10,6 +10,17 @@ export const PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc'); const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/; +// Convert a Windows path (D:\a\_temp\...) to a POSIX path (/d/a/_temp/...). +// The Git-bundled GPG on Windows (MSYS2-based) uses POSIX path conventions +// internally. Passing Windows paths with backslashes can cause fatal GPG errors +// (exit code 2), so all paths passed to GPG must be in POSIX format on Windows. +export function toGpgPath(p: string): string { + if (process.platform !== 'win32') return p; + return p + .replace(/\\/g, '/') + .replace(/^([A-Za-z]):\//, (_, drive) => `/${drive.toLowerCase()}/`); +} + export async function importKey(privateKey: string) { fs.writeFileSync(PRIVATE_KEY_FILE, privateKey, { encoding: 'utf-8', @@ -84,12 +95,25 @@ export async function verifyPackageSignature( const options: ExecOptions = {silent: true}; await exec.exec( 'gpg', - ['--homedir', gpgHome, '--batch', '--import', publicKeyFile], + [ + '--homedir', + toGpgPath(gpgHome), + '--batch', + '--import', + toGpgPath(publicKeyFile) + ], options ); await exec.exec( 'gpg', - ['--homedir', gpgHome, '--batch', '--verify', signaturePath, archivePath], + [ + '--homedir', + toGpgPath(gpgHome), + '--batch', + '--verify', + toGpgPath(signaturePath), + toGpgPath(archivePath) + ], options ); } finally { From 165ecdd7eeab7be61fde8ee964ea97586790d70d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 25 Jun 2026 18:34:18 +0000 Subject: [PATCH 22/22] Fix gpg test formatting --- __tests__/gpg.test.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/__tests__/gpg.test.ts b/__tests__/gpg.test.ts index f5882e29a..bfc5be741 100644 --- a/__tests__/gpg.test.ts +++ b/__tests__/gpg.test.ts @@ -50,9 +50,9 @@ describe('gpg tests', () => { expect(gpg.toGpgPath('D:\\a\\_temp\\gpg-home')).toBe( '/d/a/_temp/gpg-home' ); - expect(gpg.toGpgPath('C:\\Users\\runner\\AppData\\Local\\Temp\\key.asc')).toBe( - '/c/Users/runner/AppData/Local/Temp/key.asc' - ); + expect( + gpg.toGpgPath('C:\\Users\\runner\\AppData\\Local\\Temp\\key.asc') + ).toBe('/c/Users/runner/AppData/Local/Temp/key.asc'); }); it('handles uppercase and lowercase drive letters on Windows', () => {