Harden Microsoft signature URL handling

This commit is contained in:
copilot-swe-agent[bot] 2026-06-25 10:15:48 +00:00 committed by GitHub
parent 2b15efdc03
commit 5dab176365
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 43 additions and 8 deletions

View File

@ -190,6 +190,34 @@ describe('findPackageForDownload', () => {
/No matching version found for SemVer */ /No matching version found for SemVer */
); );
}); });
it('uses manifest-provided signature URL when available', async () => {
spyGetManifestFromRepo.mockReturnValue({
result: [
{
version: '17.0.10',
stable: true,
release_url: 'https://example.test',
files: [
{
filename: 'microsoft-jdk-17.0.10-linux-x64.tar.gz',
arch: 'x64',
platform: 'linux',
download_url: 'https://example.test/jdk.tar.gz',
signature_url: 'https://example.test/jdk.tar.gz.custom.sig'
}
]
}
],
statusCode: 200,
headers: {}
});
jest.spyOn(os, 'platform').mockReturnValue('linux');
const result = await distribution['findPackageForDownload']('17.0.10');
expect(result.signatureUrl).toBe('https://example.test/jdk.tar.gz.custom.sig');
});
}); });
describe('downloadTool', () => { describe('downloadTool', () => {

9
dist/setup/index.js vendored
View File

@ -79589,7 +79589,7 @@ class MicrosoftDistributions extends base_installer_1.JavaBase {
yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : microsoft_key_1.MICROSOFT_PUBLIC_KEY); yield gpg.verifyPackageSignature(javaArchivePath, javaRelease.signatureUrl, (_a = this.verifySignaturePublicKey) !== null && _a !== void 0 ? _a : microsoft_key_1.MICROSOFT_PUBLIC_KEY);
} }
catch (error) { catch (error) {
throw new Error(`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${error.message}`); throw new Error(`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${error.message}`);
} }
} }
core.info(`Extracting Java archive...`); core.info(`Extracting Java archive...`);
@ -79605,6 +79605,7 @@ class MicrosoftDistributions extends base_installer_1.JavaBase {
}); });
} }
findPackageForDownload(range) { findPackageForDownload(range) {
var _a;
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const arch = this.distributionArchitecture(); const arch = this.distributionArchitecture();
if (arch !== 'x64' && arch !== 'aarch64') { if (arch !== 'x64' && arch !== 'aarch64') {
@ -79625,9 +79626,11 @@ class MicrosoftDistributions extends base_installer_1.JavaBase {
const availableVersionStrings = manifest.map(item => item.version); const availableVersionStrings = manifest.map(item => item.version);
throw this.createVersionNotFoundError(range, availableVersionStrings); throw this.createVersionNotFoundError(range, availableVersionStrings);
} }
const file = foundRelease.files[0];
const signatureUrl = (_a = file.signature_url) !== null && _a !== void 0 ? _a : `${file.download_url}.sig`;
return { return {
url: foundRelease.files[0].download_url, url: file.download_url,
signatureUrl: `${foundRelease.files[0].download_url}.sig`, signatureUrl,
version: foundRelease.version version: foundRelease.version
}; };
}); });

View File

@ -48,9 +48,7 @@ export class MicrosoftDistributions extends JavaBase {
); );
} catch (error) { } catch (error) {
throw new Error( throw new Error(
`Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version} from ${javaRelease.signatureUrl}: ${ `Failed to verify signature for Microsoft Build of OpenJDK version ${javaRelease.version}. Signature URL: ${javaRelease.signatureUrl}. Error: ${(error as Error).message}`
(error as Error).message
}`
); );
} }
} }
@ -106,9 +104,15 @@ export class MicrosoftDistributions extends JavaBase {
throw this.createVersionNotFoundError(range, availableVersionStrings); throw this.createVersionNotFoundError(range, availableVersionStrings);
} }
const file = foundRelease.files[0] as {
download_url: string;
signature_url?: string;
};
const signatureUrl = file.signature_url ?? `${file.download_url}.sig`;
return { return {
url: foundRelease.files[0].download_url, url: file.download_url,
signatureUrl: `${foundRelease.files[0].download_url}.sig`, signatureUrl,
version: foundRelease.version version: foundRelease.version
}; };
} }