mirror of
https://github.com/SonarSource/sonarqube-scan-action.git
synced 2026-05-22 18:05:57 +00:00
Implemented OpenPGP signature verification to ensure the integrity and authenticity of downloaded SonarQube scanner packages. This security enhancement protects against supply chain attacks.

Key implementation decisions:

- GPG verification runs by default for all scanner downloads, with an optional skipSignatureVerification flag for environments where GPG is unavailable
- Dual keyserver strategy: attempts primary keyserver (keyserver.ubuntu.com) with automatic fallback to keys.openpgp.org if the primary fails, improving reliability across different network environments
- Platform-specific path handling: converts Windows paths to Unix-style format for GPG compatibility, as GPG from Git for Windows expects Unix-style paths even on Windows systems
- Isolated verification: uses temporary GPG home directories to avoid polluting user keyring, with guaranteed cleanup in finally blocks to prevent temp file leakage even on verification failures
- Security-first error handling: throws clear errors when GPG is absent or signatures fail, preventing silent security bypasses

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Files in this directory:

- core-DpWEmnbG.js
- core-DpWEmnbG.js.map
- exec-BTlTa8sL.js
- exec-BTlTa8sL.js.map
- exec-zlpfwmpH.js
- exec-zlpfwmpH.js.map
- index.js
- index.js.map
- install-build-wrapper.js
- install-build-wrapper.js.map