SQSCANGHA-140 Add GPG signature verification for scanner downloads

Implemented OpenPGP signature verification to ensure the integrity and authenticity of downloaded SonarQube scanner packages. This security enhancement protects against supply chain attacks. Key implementation decisions: - GPG verification runs by default for all scanner downloads, with an optional skipSignatureVerification flag for environments where GPG is unavailable - Dual keyserver strategy: attempts primary keyserver (keyserver.ubuntu.com) with automatic fallback to keys.openpgp.org if the primary fails, improving reliability across different network environments - Platform-specific path handling: converts Windows paths to Unix-style format for GPG compatibility, as GPG from Git for Windows expects Unix-style paths even on Windows systems - Isolated verification: uses temporary GPG home directories to avoid polluting user keyring, with guaranteed cleanup in finally blocks to prevent temp file leakage even on verification failures - Security-first error handling: throws clear errors when GPG is absent or signatures fail, preventing silent security bypasses Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>"
2026-05-23 02:15:55 +00:00 · 2026-04-27 17:54:16 +02:00 · 2026-04-27 17:54:16 +02:00 · e1c6b579ce
commit e1c6b579ce
parent 30dbe5c9ee
17 changed files with 33778 additions and 41 deletions
--- a/package.json
+++ b/package.json
@ -6,11 +6,12 @@
  "main": "src/main/index.js",
  "scripts": {
    "build": "rollup --config rollup.config.js",
-    "test": "node --test"
+    "test": "node --experimental-test-module-mocks --test"
  },
  "license": "LGPL-3.0-only",
  "dependencies": {
    "@actions/core": "3.0.0",
+    "@actions/exec": "2.0.0",
    "@actions/github": "9.0.0",
    "@actions/tool-cache": "4.0.0",
    "string-argv": "0.3.2"