Add verify_sig option

Bug: #87
Bug: #90
Signed-off-by: Andrei Horodniceanu <[email protected]>

Author: the-horo

.github/actions/verify-d-compiler/action.yml

@@ -12,6 +12,10 @@ inputs:
   gdmd_sha:
     descript: "Commit in D-programming-gdc/gdmd"
     default: 'latest'
+  verify_sig:
+    description: "Use .sig file to verify downloaded archives"
+    type: boolean
+    default: true
 runs:
   using: "composite"
   steps:
@@ -21,6 +25,7 @@ runs:
         compiler: ${{ inputs.dc }}
         gh_token: ${{ inputs.gh_token }}
         gdmd_sha: ${{ inputs.gdmd_sha }}
+        verify_sig: ${{ inputs.verify_sig }}
 
     - name: Verify D compiler ($DC)
       shell: bash

.github/workflows/test.yml

@@ -119,6 +119,21 @@ jobs:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/verify-d-compiler
 
+  verify-sig:
+    needs: verify-index-js-up-to-date
+    name: Check verify_sig input
+    strategy:
+      max-parallel: 5
+      fail-fast: false
+      matrix:
+        verify_sig: [ true, false ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/verify-d-compiler
+        with:
+          verify_sig: ${{ matrix.verify_sig }}
+
   dub:
     name: Verify standalone DUB install
     needs: verify-index-js-up-to-date

README.md

@@ -108,6 +108,8 @@ Examples:
     # Install gdmd from https://github.com/D-Programming-GDC/gdmd/blob/0a64b92ec5ad1177988496df4f3ca47c47580501/dmd-script
     # instead of the master branch
     gdmd_sha: '0a64b92ec5ad1177988496df4f3ca47c47580501'
+    # turn off gpg verification (only dmd archives currently undergo this verification)
+    verify_sig: false
 ```
 
 ### compiler
@@ -184,6 +186,12 @@ Take as an example that upstream may rename the development branch to `main` or
 
 The default value for this input is `latest` and it is required when using GDC.
 
+### verify_sig
+
+Use this boolean to disable gpg verification of downloaded artifacts. Currently, only dmd releases from https://download.dlang.org have a signature file.
+
+The default value is `true`.
+
 ## Compiler support
 
 ### DMD
@@ -259,3 +267,5 @@ This means that one no longer needs to set `NODE_OPTIONS=--openssl-legacy-provid
 
 Added unittests.
 To run them use `npm test`.
+
+Added the `verify_sig` option. It can be used to disable the gpg verification of the downloaded dmd archives. The option is meant to be used in edge-case scenarios when the [d-keyring](https://github.com/dlang/dlang.org/blob/master/d-keyring.gpg) is not updated alongside the dmd releases (#87). Requested in #90.

__tests__/d-dmd.test.ts

@@ -1,4 +1,5 @@
-import { DMD } from '../src/d'
+import { DMD, SETTINGS } from '../src/d'
+import * as gpg from '../src/gpg'
 import * as utils from '../src/utils'
 import * as testUtils from './test-helpers.test'
 import * as tc from '@actions/tool-cache'
@@ -495,4 +496,31 @@ describe('Test makeAvailable', () => {
 	expect(process.env['DC']).toBe(root + `\\dmd2\\windows\\bin64${sep}dmd${exeExt}`)
 	expect(process.env['DMD']).toBe(root + `\\dmd2\\windows\\bin64${sep}dmd${exeExt}`)
     })
+
+    describe('Check that verify_sig is respected', () => {
+        const save = SETTINGS.verify_sig
+        const gpgSpy = jest.spyOn(gpg, 'verify').mockResolvedValue(undefined)
+
+        beforeEach(() => {
+            jest.spyOn(tc, 'find').mockReturnValue(false)
+            jest.spyOn(utils, 'downloadTool').mockResolvedValue('/tmp/p1')
+            jest.spyOn(utils, 'extract').mockResolvedValue('/tmp/p2')
+            jest.spyOn(tc, 'cacheDir').mockResolvedValue('/tmp/p3')
+        })
+        afterEach(() => SETTINGS.verify_sig = save)
+
+        test('verify_sig === false', async () => {
+            SETTINGS.verify_sig = false
+            const dmd = await init('dmd-2.109.1')
+            await dmd.makeAvailable()
+            expect(gpgSpy).not.toHaveBeenCalled()
+        })
+
+        test('verify_sig === true', async () => {
+            SETTINGS.verify_sig = true
+            const dmd = await init('dmd-2.109.1')
+            await dmd.makeAvailable()
+            expect(gpgSpy).toHaveBeenCalled()
+        })
+    })
 })

action.yml

@@ -15,6 +15,11 @@ inputs:
   gdmd_sha:
     description: "Commit sha in https://github.com/D-Programming-GDC/gdmd, used only by the gdmd compiler"
     default: 'latest'
+  verify_sig:
+    description: "Verify downloaded artifacts, if a signature file is present"
+    default: true
+    required: false
+    type: boolean
 runs:
   using: "node20"
   main: "dist/index.js"

dist/index.js

@@ -9,6 +9,10 @@ import * as exec from '@actions/exec'
 const sep = (process.platform == 'win32' ? '\\' : '/')
 const exeExt = (process.platform == 'win32' ? '.exe' : '')
 
+export const SETTINGS = {
+    verify_sig: core.getInput('verify_sig') !== 'false'
+}
+
 /** Base interface for all D tools */
 export interface ITool {
     makeAvailable(): Promise<void>
@@ -101,7 +105,7 @@ export class Compiler implements ITool {
 	} else {
             console.log(`Downloading ${this.url}`);
         const archive = await utils.downloadTool(this.url)
-            if (this.sig) {
+            if (SETTINGS.verify_sig && this.sig) {
                 console.log("Verifying the download with GPG");
                 await gpg.verify(archive, this.sig);
             }