feat: Add verify-signature plumbing and Temurin+Microsoft verification support#1060
Open
johnoliver wants to merge 25 commits into
Open
feat: Add verify-signature plumbing and Temurin+Microsoft verification support#1060johnoliver wants to merge 25 commits into
johnoliver wants to merge 25 commits into
Conversation
…urin distribution
…failure Fix Windows test failure for temurin signature verification and add e2e coverage
….ts cleanup scope
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request adds optional GPG signature verification for downloaded Temurin JDK archives in actions/setup-java, including new action inputs, Temurin manifest plumbing for signature URLs, and CI/tests to validate the behavior.
Changes:
- Add
verify-signature(and public-key override plumbing) to installer options and enforce “unsupported distribution” failures centrally inJavaBase. - Implement Temurin signature verification using a bundled Adoptium public key (with an optional user-provided override key) and new
signature_linkmanifest support. - Extend unit tests, Temurin test manifest data, and E2E workflow coverage to exercise signature verification.
Reviewed changes
Copilot reviewed 15 out of 17 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/setup-java.ts | Reads new inputs and forwards signature-verification options into installer configuration. |
| src/gpg.ts | Adds verifyPackageSignature() helper that downloads a detached signature and verifies it via gpg. |
| src/distributions/temurin/models.ts | Extends Temurin manifest typing with optional signature_link. |
| src/distributions/temurin/installer.ts | Plumbs signatureUrl into releases and performs verification when enabled; declares Temurin supports verification. |
| src/distributions/temurin/adoptium-key.ts | Adds bundled Adoptium ASCII-armored public key for default verification. |
| src/distributions/base-models.ts | Extends installer options and download release model with signature-related fields. |
| src/distributions/base-installer.ts | Adds centralized guard to fail when verification is enabled for unsupported distributions. |
| src/constants.ts | Adds new input name constants for signature verification. |
| README.md | Documents the new verify-signature input (but currently misses the public-key override input). |
| action.yml | Adds new action inputs verify-signature and verify-signature-public-key. |
| .github/workflows/e2e-versions.yml | Adds an E2E job matrix to validate Temurin signature verification across OSes and JDK versions. |
| tests/gpg.test.ts | Adds unit coverage for verifyPackageSignature() behavior. |
| tests/distributors/temurin-installer.test.ts | Adds unit coverage for Temurin verification flow and key override behavior. |
| tests/distributors/base-installer.test.ts | Adds unit coverage ensuring unsupported distributions fail when verification is enabled. |
| tests/data/temurin.json | Adds signature_link fields to Temurin test data entries for verification tests. |
| dist/setup/index.js | Updates bundled build output to include new inputs and verification logic. |
| dist/cleanup/index.js | Updates bundled build output to include new constants and GPG helper. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
brunoborges
added
maintenance
Contributor
|
@johnoliver can you check the failing builds? |
brunoborges
added
the
feature request
brunoborges
changed the title
…cation' into signature-4
johnoliver
changed the title
…compatibility The Git-bundled GPG on Windows (MSYS2-based) does not automatically convert Windows-style paths in environment variables like GNUPGHOME. This caused GPG to fail with exit code 2 when verifying Microsoft JDK signatures on Windows, because the GNUPGHOME path (D:\a\_temp\...) was not recognized as a valid POSIX path. Fix: pass --homedir as an explicit command-line argument to both gpg --import and gpg --verify. MSYS2 does correctly convert Windows paths in command-line arguments, so this approach works reliably on Windows, Linux, and macOS.
brunoborges
previously approved these changes
Jun 25, 2026
The Git-bundled GPG on Windows (C:\Program Files\Git\usr\bin\gpg.exe) is an MSYS2-based binary that uses POSIX path conventions internally. When Windows-style paths with backslashes and drive letters (D:\a\_temp\...) are passed as arguments, GPG may fail to resolve them correctly, resulting in a fatal error (exit code 2). Fix: add a toGpgPath() helper that converts Windows paths to MSYS2 POSIX format (/d/a/_temp/...) before passing them to any gpg command. On Linux and macOS the helper is a no-op. Applied to all four paths used in verifyPackageSignature: - gpgHome (--homedir argument) - publicKeyFile (--import argument) - signaturePath (--verify signature argument) - archivePath (--verify data argument)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces support for signature verification of downloaded Java packages from the Temurin distribution. It adds a new option to enable signature verification, updates the documentation to reflect this feature, and extends the test data and CI workflows to validate this functionality.
Key changes:
Feature: Signature Verification for Temurin
verify-signatureoption to enable signature verification for Java packages when using the Temurin distribution. If enabled for unsupported distributions, the action will fail. (README.md)Continuous Integration / Testing
setup-java-temurin-signature-verification) that runs signature verification tests for Temurin Java versions 17 and 21 across major operating systems. (.github/workflows/e2e-versions.yml)Test Data Updates
temurin.json) to includesignature_linkfields for all relevant Java package entries, enabling automated tests to access signature files for verification. (__tests__/data/temurin.json) [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21]Description:Describe your changes.
Related issue:
Add link to the related issue.
Check list: