
SQSCANGHA-146 Add proxy support for GPG keyserver access#242

Closed
m4s-b3n wants to merge 1 commit into
SonarSource:masterfrom
m4s-b3n:feature/gpg-proxy

Conversation

m4s-b3n (Contributor) commented May 6, 2026

Add proxy support for GPG keyserver access

Motivation

When the action runs on self-hosted runners behind a corporate proxy, GPG signature verification fails because gpg --recv-keys cannot reach the keyserver. This change makes the GPG key import step automatically pick up the standard proxy environment variables (HTTPS_PROXY, https_proxy) so that signature verification works transparently in proxy-restricted environments.

Changes

  • src/main/gpg-verification.js – Added getProxyFromEnv() helper and wired it into tryImportKey() via --keyserver-options http-proxy=….
  • src/main/__tests__/gpg-verification-mocked.test.js – Added tests for getProxyFromEnv (5 tests) and proxy propagation in tryImportKey (6 tests).
  • README.md – Added a note in the skipSignatureVerification section mentioning automatic proxy detection.
  • dist/ – Rebuilt bundle.

Checklist

  • Explains the problem: GPG keyserver access fails behind a corporate proxy
  • All new code is covered by tests (11 new tests, 98 total passing)
  • No Jira ticket available – using NO-JIRA prefix

sonar-review-alpha (Bot) commented May 6, 2026

Summary

This PR adds automatic proxy detection for GPG keyserver access, enabling signature verification to work transparently in corporate proxy-restricted environments.

What changed:

  • gpg-verification.js: Added getProxyFromEnv() helper and integrated it into tryImportKey() to pass proxy settings to GPG via the --keyserver-options http-proxy=… flag
  • Tests: 11 new tests covering both the proxy detection logic (5 tests) and proxy propagation in key import (6 tests)
  • Docs: README updated to explain automatic proxy detection and clarify why only HTTPS_PROXY is used

Key design decision: Only HTTPS_PROXY/https_proxy environment variables are checked; HTTP_PROXY is intentionally ignored since keyservers use TLS (hkps://) and routing HTTPS traffic through an HTTP-only proxy could bypass intended security controls.

What reviewers should know

Start here: Review the core logic in src/main/gpg-verification.js lines 136–172:

  • getProxyFromEnv() (lines 136–138): Simple env var detection with clear precedence
  • tryImportKey() (lines 148–173): Shows where the proxy flag is injected into the GPG command

Test coverage: src/main/__tests__/gpg-verification-mocked.test.js lines 487–702 contain two test suites:

  • getProxyFromEnv tests (487–537): Verify environment variable detection, precedence, and intentional HTTP_PROXY exclusion
  • tryImportKey with proxy tests (538–702): Confirm the flag is correctly passed (or omitted) in GPG commands based on env state

Things to verify:

  • The GPG flag format --keyserver-options http-proxy=<url> is correct for your GPG version
  • Test assertions confirm that when both HTTPS_PROXY and https_proxy are set, only HTTPS_PROXY is used
  • Proxy is logged at info level (line 154) so it's visible in runner logs without exposing credentials
  • The conditional ...(proxyUrl ? [...] : []) correctly avoids passing empty flags when no proxy is set

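The proxy-detection rule described in the PR description and summarised by the review bot (HTTPS_PROXY preferred over https_proxy, HTTP_PROXY deliberately ignored, no flag emitted when nothing is set) can be demonstrated in a few lines. The block below is an added example, not the code from this PR or from the sonarqube-scan-action repository: the function names mirror the ones mentioned in the thread but are reimplemented here, the keyserver URL, the fingerprint and the environment objects are constructed for the demonstration, and the credential-redacting logger is an assumption about how "visible in runner logs without exposing credentials" could be satisfied.

```javascript
// Added example (not the PR's own code): proxy handling for `gpg --recv-keys`
// following the behaviour described in the PR thread.

// Assumption: the action talks to a TLS (hkps://) keyserver, which is why only
// an HTTPS-capable proxy is consulted.
const KEYSERVER = 'hkps://keys.openpgp.org';

// Return the proxy URL to hand to gpg, or null when none applies.
// Precedence: HTTPS_PROXY, then https_proxy. HTTP_PROXY is intentionally not
// read, so TLS keyserver traffic is never routed through an HTTP-only proxy.
function getProxyFromEnv(env = process.env) {
  const candidate = env.HTTPS_PROXY || env.https_proxy;
  if (!candidate) return null;
  try {
    new URL(candidate); // reject malformed values instead of passing them to gpg
  } catch {
    return null;
  }
  return candidate;
}

// Strip userinfo before the proxy URL reaches the runner log, so a value such as
// http://user:secret@proxy:3128 is logged without the credentials.
function redactProxyUrl(proxyUrl) {
  const u = new URL(proxyUrl);
  if (u.username || u.password) {
    u.username = 'REDACTED';
    u.password = '';
  }
  return u.toString();
}

// Build the argument list for the key import. The conditional spread adds the
// --keyserver-options pair only when a proxy was found, so gpg never receives an
// empty http-proxy= option.
function buildRecvKeysArgs(keyId, env = process.env) {
  const proxyUrl = getProxyFromEnv(env);
  return [
    '--batch',
    '--keyserver', KEYSERVER,
    ...(proxyUrl ? ['--keyserver-options', `http-proxy=${proxyUrl}`] : []),
    '--recv-keys', keyId,
  ];
}

// Log line a defender can grep for in runner output, with credentials removed.
function describeImport(keyId, env = process.env) {
  const proxyUrl = getProxyFromEnv(env);
  return proxyUrl
    ? `Importing ${keyId} via proxy ${redactProxyUrl(proxyUrl)}`
    : `Importing ${keyId} without proxy`;
}

// Constructed demo input: a placeholder fingerprint and an environment as set
// by a corporate runner (proxy credentials included to show the redaction).
const DEMO_KEY = '0123456789ABCDEF0123456789ABCDEF01234567';
const DEMO_ENV = { HTTPS_PROXY: 'http://user:secret@proxy.example:3128', HTTP_PROXY: 'http://ignored:8080' };

console.log(describeImport(DEMO_KEY, DEMO_ENV));
console.log('gpg', buildRecvKeysArgs(DEMO_KEY, DEMO_ENV).join(' '));
```

Note that the unredacted URL still goes into the process argument list, where it is visible to anyone who can read `/proc` on the runner; the redaction only protects the log output, which is what the thread discusses.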

m4s-b3n force-pushed the feature/gpg-proxy branch 4 times, most recently from 489001c to 113d1c8 on May 6, 2026 16:09
m4s-b3n force-pushed the feature/gpg-proxy branch from 113d1c8 to 833a78e on May 6, 2026 16:10
sonarqubecloud (Bot) commented May 6, 2026

m4s-b3n (Contributor, Author) commented May 11, 2026

Hello @tiegz, @Godin, @katzj,

Is anybody taking care of pull requests?
Just ran into a proxy issue at a customer site and wanted to contribute...

Cheers

meiswjn commented May 12, 2026

We would also be interested in having this merged. Alternatively, an analogous setting to scannerBinariesUrl for the GPG Key.

Thanks @m4s-b3n for fixing!

pierre-guillot-gh (Contributor) commented

Hi, I flagged this internally for review. Thanks for your patience.

henryju changed the title "NO-JIRA Add proxy support for GPG keyserver access" to "SQSCANGHA-146 Add proxy support for GPG keyserver access" on May 18, 2026
henryju self-assigned this on May 18, 2026
henryju (Member) commented May 18, 2026

I applied some changes in a separate branch; please follow #244.

Thanks for your contribution

henryju closed this on May 18, 2026

henryju (Member) commented May 19, 2026

Released as part of v8.1.0
