Add hkps://keys.openpgp.org as fallback keyserver to improve reliability
when the primary keyserver (keyserver.ubuntu.com) is unavailable due to
outages, network issues, or rate limiting.
Changes:
- Extract key import logic into tryImportKey() helper function
- Implement automatic fallback in importSonarSourceKey()
- Add comprehensive error messages showing both keyserver failures
- Add integration tests verifying fallback mechanism
- Update JSDoc to document fallback behavior
- Rebuild distribution
The implementation maintains backward compatibility with no changes to
function signatures or default behavior. Primary keyserver is always
attempted first.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add GPG signature verification to ensure downloaded Sonar Scanner CLI binaries
are authentic and haven't been tampered with. This implements supply chain
security by verifying signatures against SonarSource's public key.
Changes:
- Add gpg-verification.js module with signature verification logic
- Download and verify .asc signature files alongside scanner ZIPs
- Import SonarSource public key from keyserver.ubuntu.com
- Add skipSignatureVerification input parameter (default: false)
- Add @actions/exec dependency for cross-platform GPG execution
- Add comprehensive unit tests for verification functions
- Update dist with bundled changes
Verification is enabled by default and uses an isolated temporary GPG home
directory to avoid polluting user's keyring. All temporary files are cleaned
up properly, even on errors.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
