fix: remove openpgp dep due to licensing and use gpg (#1218)

2026-02-11 04:41:38 +00:00 · 2024-01-19 09:23:04 -08:00
parent 22b99ac1d7
commit 240e6ae968
6 changed files with 561 additions and 5682 deletions
--- a/src/validate.ts
+++ b/src/validate.ts
@@ -1,9 +1,9 @@
 import * as crypto from 'crypto';
 import * as fs from 'fs';
+import * as gpg from 'gpg';
 import * as path from 'path';

 import * as core from '@actions/core';
-import * as openpgp from 'openpgp';
 import {request} from 'undici';

 import {
@@ -22,12 +22,6 @@ const verify = async (
  try {
    const uploaderName = getUploaderName(platform);

-    // Read in public key
-    const publicKeyArmored = await fs.readFileSync(
-        path.join(__dirname, 'pgp_keys.asc'),
-        'utf-8',
-    );
-
    // Get SHASUM and SHASUM signature files
    console.log(`${getBaseUrl(platform, version)}.SHA256SUM`);
    const shasumRes = await request(
@@ -37,6 +31,10 @@ const verify = async (
    if (verbose) {
      console.log(`Received SHA256SUM ${shasum}`);
    }
+    await fs.writeFileSync(
+        path.join(__dirname, `${uploaderName}.SHA256SUM`),
+        shasum,
+    );

    const shaSigRes = await request(
        `${getBaseUrl(platform, version)}.SHA256SUM.sig`,
@@ -45,45 +43,69 @@ const verify = async (
    if (verbose) {
      console.log(`Received SHA256SUM signature ${shaSig}`);
    }
+    await fs.writeFileSync(
+        path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
+        shaSig,
+    );

-    // Verify shasum
-    const verified = await openpgp.verify({
-      message: await openpgp.createMessage({text: shasum}),
-      signature: await openpgp.readSignature({armoredSignature: shaSig}),
-      verificationKeys: await openpgp.readKeys({armoredKeys: publicKeyArmored}),
-    });
-    const valid = await verified.signatures[0].verified;
-    if (valid) {
-      core.info('==> SHASUM file signed by key id ' +
-          verified.signatures[0].keyID.toHex(),
+    const validateSha = async () => {
+      const calculateHash = async (filename: string) => {
+        const stream = fs.createReadStream(filename);
+        const uploaderSha = crypto.createHash(`sha256`);
+        stream.pipe(uploaderSha);
+
+        return new Promise((resolve, reject) => {
+          stream.on('end', () => resolve(
+              `${uploaderSha.digest('hex')}  ${uploaderName}`,
+          ));
+          stream.on('error', reject);
+        });
+      };
+
+      const hash = await calculateHash(
+          path.join(__dirname, `${uploaderName}`),
      );
-    } else {
-      setFailure('Codecov: Error validating SHASUM signature', failCi);
-    }
+      if (hash === shasum) {
+        core.info(`==> Uploader SHASUM verified (${hash})`);
+      } else {
+        setFailure(
+            'Codecov: Uploader shasum does not match -- ' +
+              `uploader hash: ${hash}, public hash: ${shasum}`,
+            failCi,
+        );
+      }
+    };

-    const calculateHash = async (filename: string) => {
-      const stream = fs.createReadStream(filename);
-      const uploaderSha = crypto.createHash(`sha256`);
-      stream.pipe(uploaderSha);
-
-      return new Promise((resolve, reject) => {
-        stream.on('end', () => resolve(
-            `${uploaderSha.digest('hex')}  ${uploaderName}`,
-        ));
-        stream.on('error', reject);
+    const verifySignature = () => {
+      gpg.call('', [
+        '--logger-fd',
+        '1',
+        '--verify',
+        path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
+        path.join(__dirname, `${uploaderName}.SHA256SUM`),
+      ], async (err, verifyResult) => {
+        if (err) {
+          setFailure('Codecov: Error importing pgp key', failCi);
+        }
+        core.info(verifyResult);
+        await validateSha();
      });
    };

-    const hash = await calculateHash(filename);
-    if (hash === shasum) {
-      core.info(`==> Uploader SHASUM verified (${hash})`);
-    } else {
-      setFailure(
-          'Codecov: Uploader shasum does not match -- ' +
-            `uploader hash: ${hash}, public hash: ${shasum}`,
-          failCi,
-      );
-    }
+    // Import gpg key
+    gpg.call('', [
+      '--logger-fd',
+      '1',
+      '--no-default-keyring',
+      '--import',
+      path.join(__dirname, 'pgp_keys.asc'),
+    ], async (err, importResult) => {
+      if (err) {
+        setFailure('Codecov: Error importing pgp key', failCi);
+      }
+      core.info(importResult);
+      verifySignature();
+    });
  } catch (err) {
    setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi);
  }
--- a/src/version.ts
+++ b/src/version.ts
@@ -10,7 +10,7 @@ const versionInfo = async (
  }

  try {
-    const metadataRes = await request(`https://uploader.codecov.io/${platform}/latest`, {
+    const metadataRes = await request(`https://cli.codecov.io/${platform}/latest`, {
      headers: {'Accept': 'application/json'},
    });
    const metadata = await metadataRes.body.json();