This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-release.git
The following commit(s) were added to refs/heads/main by this push:
new feb6c99 Permit uploaded GitHub Actions keys to be used in signatures
feb6c99 is described below
commit feb6c9905b94f982b686f8f207ab17f9989dfa71
Author: Sean B. Palmer <[email protected]>
AuthorDate: Tue Jun 17 16:25:37 2025 +0100
Permit uploaded GitHub Actions keys to be used in signatures
---
atr/tasks/checks/signature.py | 18 +++++++++++++++++-
atr/util.py | 3 +--
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/atr/tasks/checks/signature.py b/atr/tasks/checks/signature.py
index 39a534e..016b2f2 100644
--- a/atr/tasks/checks/signature.py
+++ b/atr/tasks/checks/signature.py
@@ -26,6 +26,7 @@ import sqlmodel
import atr.db as db
import atr.db.models as models
import atr.tasks.checks as checks
+import atr.util as util
_LOGGER: Final = logging.getLogger(__name__)
@@ -87,7 +88,22 @@ async def _check_core_logic(committee_name: str,
artifact_path: str, signature_p
result = await session.execute(statement)
db_public_keys = result.scalars().all()
_LOGGER.info(f"Found {len(db_public_keys)} public keys for committee_name:
'{committee_name}'")
- apache_uid_map = {key.fingerprint.lower(): bool(key.apache_uid) for key in
db_public_keys if key.fingerprint}
+ apache_uid_map = {}
+ for key in db_public_keys:
+ if key.fingerprint:
+ apache_uid_map[key.fingerprint.lower()] = False
+ if key.apache_uid:
+ apache_uid_map[key.fingerprint.lower()] = True
+ elif key.primary_declared_uid:
+ if email := util.email_from_uid(key.primary_declared_uid):
+ # Allow uploaded keys of the form
private@<committee_name>.apache.org
+ allowed_github_key_email =
f"private@{committee_name}.apache.org"
+ _LOGGER.info(
+ f"Comparing {key.fingerprint} with email {email} to
allowed {allowed_github_key_email}"
+ )
+ if email == allowed_github_key_email:
+ apache_uid_map[key.fingerprint.lower()] = True
+
public_keys = [key.ascii_armored_key for key in db_public_keys]
return await asyncio.to_thread(
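Review bot: The new `elif key.primary_declared_uid` branch grants apache_uid status on the strength of a UID string chosen by whoever generated the key, so any key uploaded under this committee whose declared UID is `private@<committee_name>.apache.org` is treated as trusted; nothing in the hunk ties such a key to a GitHub Actions workflow or to the uploader, so the guard is only as strong as the upload authorization for the committee's keys, which is not visible here and should be confirmed. The comment on the branch should record that assumption, e.g. `# Trusts the key's self-declared UID: only safe because uploading keys for a committee is restricted to that committee`. The equality test is case-sensitive on both sides, so it also depends on `email_from_uid` and `committee_name` being lower-cased upstream. Minor: `key.fingerprint.lower()` is recomputed up to three times per key and could be bound once as `fpr = key.fingerprint.lower()`, and the per-key INFO log of every comparison is noisy for a routine check and reads better at DEBUG. `_check_core_logic` starts and ends outside the hunk.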
diff --git a/atr/util.py b/atr/util.py
index 39cba67..0c4df87 100644
--- a/atr/util.py
+++ b/atr/util.py
@@ -158,8 +158,7 @@ async def asf_uid_from_uids(
# Determine ASF UID if not provided
emails = []
for uid_str in uids:
- if match := re.search(r"<([^>]+)>", uid_str):
- email = match.group(1).lower()
+ if email := email_from_uid(uid_str):
if email.endswith("@apache.org"):
return email.removesuffix("@apache.org")
emails.append(email)
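Review bot: The removed lines lower-cased the captured address before the `endswith("@apache.org")` test, but `email_from_uid` is not shown in this diff, so whether it still normalizes case cannot be confirmed; if it does not, a UID such as `<Someone@Apache.org>` would no longer resolve to an ASF UID and would instead be appended to `emails`. Either have the helper return a lower-cased address or keep the normalization here with `email = email.lower()` as the first statement of the `if` body. If this was the only use of `re` in atr/util.py, that import is now unused. `asf_uid_from_uids` starts outside the hunk.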