feat: support add apt key via download or from a server

Author: aminya

cspell.config.yaml

@@ -12,6 +12,9 @@ words:
   - aarch
   - aminya
   - applellvm
+  - bazel
+  - copr
+  - vbatts
   - buildtools
   - caxa
   - ccache

dist/setup_cpp.js

@@ -1,4 +1,4 @@
-import { setupAptPack } from "../utils/setup/setupAptPack"
+import { addAptKeyViaDownload, setupAptPack } from "../utils/setup/setupAptPack"
 import { setupBrewPack } from "../utils/setup/setupBrewPack"
 import { setupChocoPack } from "../utils/setup/setupChocoPack"
 import { isArch } from "../utils/env/isArch"
@@ -26,14 +26,13 @@ export async function setupBazel(version: string, _setupDir: string, _arch: stri
         return setupDnfPack("bazel4", undefined)
       } else if (isUbuntu()) {
         // https://bazel.build/install/ubuntu
+        const keyFileName = await addAptKeyViaDownload(
+          "bazel-archive-keyring.gpg",
+          "https://bazel.build/bazel-release.pub.gpg"
+        )
         execSudo("bash", [
           "-c",
-          "wget -qO - https://bazel.build/bazel-release.pub.gpg | gpg --dearmor >bazel-archive-keyring.gpg > /dev/null",
-        ])
-        execSudo("bash", ["-c", "mv bazel-archive-keyring.gpg /usr/share/keyrings"])
-        execSudo("bash", [
-          "-c",
-          'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/bazel-archive-keyring.gpg] https://storage.googleapis.com/bazel-apt stable jdk1.8" | sudo tee /etc/apt/sources.list.d/bazel.list',
+          `echo "deb [arch=amd64 signed-by=${keyFileName}] https://storage.googleapis.com/bazel-apt stable jdk1.8" | tee /etc/apt/sources.list.d/bazel.list`,
         ])
         return setupAptPack("bazel", version, [], true)
       }

dist/setup_cpp.js.map

@@ -2,7 +2,7 @@ import { dirname } from "path"
 import which from "which"
 import { isUbuntu } from "../utils/env/isUbuntu"
 import { execSudo } from "../utils/exec/sudo"
-import { setupAptPack } from "../utils/setup/setupAptPack"
+import { addAptKeyViaDownload, setupAptPack } from "../utils/setup/setupAptPack"
 
 let binDir: string | undefined
 
@@ -22,15 +22,11 @@ export async function setupNala(version: string, _setupDir: string, _arch: strin
   }
 
   // https://github.com/volitank/nala#-installation
-  await setupAptPack("wget")
-  execSudo("/bin/bash", [
-    "-c",
-    `wget -qO - https://deb.volian.org/volian/scar.key | tee /etc/apt/trusted.gpg.d/volian-archive-scar-unstable.gpg > /dev/null`,
-  ])
-  execSudo("/bin/bash", [
-    "-c",
-    `echo "deb http://deb.volian.org/volian/ scar main" | tee /etc/apt/sources.list.d/volian-archive-scar-unstable.list`,
-  ])
+  const keyFileName = await addAptKeyViaDownload(
+    "volian-archive-scar-unstable.gpg",
+    "https://deb.volian.org/volian/scar.key"
+  )
+  execSudo("/bin/bash", ["-c", `echo "deb http://deb.volian.org/volian/ scar main" | tee ${keyFileName}`])
 
   try {
     if (version !== "legacy") {

dist/setup_cpp.mjs

@@ -2,7 +2,6 @@
 import { InstallationInfo } from "./setupBin"
 import { execSudo } from "../exec/sudo"
 import { info } from "@actions/core"
-import { warning } from "../io/io"
 import { isGitHubCI } from "../env/isCI"
 import { addEnv, cpprc_path, setupCppInProfile } from "../env/addEnv"
 import { appendFileSync, existsSync } from "fs"
@@ -18,10 +17,10 @@ export async function setupAptPack(
   repositories: string[] = [],
   update = false
 ): Promise<InstallationInfo> {
-  info(`Installing ${name} ${version ?? ""} via apt`)
-
   const apt: string = getApt()
 
+  info(`Installing ${name} ${version ?? ""} via ${apt}`)
+
   process.env.DEBIAN_FRONTEND = "noninteractive"
 
   if (!didUpdate || update) {
@@ -80,33 +79,42 @@ async function initApt(apt: string) {
     "ca-certificates",
     "gnupg",
   ])
-  addAptKey(["3B4FE6ACC0B21F32", "40976EAF437D05B5"], "setup-cpp-ubuntu-archive.gpg")
-  addAptKey(["1E9377A2BA9EF27F"], "setup-cpp-launchpad-toolchain.gpg")
+  addAptKeyViaServer(["3B4FE6ACC0B21F32", "40976EAF437D05B5"], "setup-cpp-ubuntu-archive.gpg")
+  addAptKeyViaServer(["1E9377A2BA9EF27F"], "launchpad-toolchain.gpg")
   if (apt === "nala") {
     // enable utf8 otherwise it fails because of the usage of ASCII encoding
     await addEnv("LANG", "C.UTF-8")
     await addEnv("LC_ALL", "C.UTF-8")
   }
 }
 
-function addAptKey(keys: string[], name: string) {
-  try {
-    if (!existsSync(`/root/.gnupg/${name}`)) {
-      for (const key of keys) {
-        execSudo("gpg", [
-          "--no-default-keyring",
-          "--keyring",
-          name,
-          "--keyserver",
-          "keyserver.ubuntu.com",
-          "--recv-keys",
-          key,
-        ])
-      }
+export function addAptKeyViaServer(keys: string[], name: string, server = "keyserver.ubuntu.com") {
+  const fileName = `/etc/apt/trusted.gpg.d/${name}`
+  if (!existsSync(fileName)) {
+    for (const key of keys) {
+      execSudo("gpg", [
+        "--no-default-keyring",
+        "--keyring",
+        `gnupg-ring:${fileName}`,
+        "--keyserver",
+        server,
+        "--recv-keys",
+        key,
+      ])
+      execSudo("chmod", ["644", fileName])
     }
-  } catch (err) {
-    warning(`Failed to add keys: ${err}`)
   }
+  return fileName
+}
+
+export async function addAptKeyViaDownload(name: string, url: string) {
+  const fileName = `/etc/apt/trusted.gpg.d/${name}`
+  if (!existsSync(fileName)) {
+    await setupAptPack("curl", undefined)
+    execSudo("bash", ["-c", `curl -s ${url} | gpg --no-default-keyring --keyring gnupg-ring:${fileName} --import`])
+    execSudo("chmod", ["644", fileName])
+  }
+  return fileName
 }
 
 export function updateAptAlternatives(name: string, path: string) {