asf-tooling commented on issue #1034:
URL: https://github.com/apache/tooling-trusted-releases/issues/1034#issuecomment-4409900902

   
   **Automated triage** — analyzed at `main@2da7807a`
   
   **Type:** `unclear`  •  **Classification:** `no_action`  •  **Confidence:** `low`
   **Application domain(s):** `cryptographic_keys`
   
   ### Summary
   Issue #1034 titled 'GPG detection' has no body text, no description, and no 
prior discussion. The title alone is too vague to determine what is being 
requested. It could refer to: (1) detecting whether the `gpg` binary is 
installed on the system, (2) detecting GPG private keys in uploads (already 
implemented via `util.contains_private_key_text()`), (3) detecting/validating 
GPG key properties during upload, or (4) detecting GPG signatures on release 
artifacts. Without clarification from the author, no actionable work can be 
scoped.
   
   ### Where this lives in the code today
   
   #### `atr/post/keys.py` — `PrivateKeyUploadError` (lines 53-54)
   _currently does this_
   Already implements one form of 'GPG detection' - detecting when a private 
key is accidentally uploaded instead of a public key.
   
   ```python
   class PrivateKeyUploadError(Exception):
       pass
   ```
   
   #### `atr/storage/writers/keys.py` — `FoundationCommitter.__block_model` (lines 443-457)
   _currently does this_
   Parses and validates OpenPGP key blocks, detecting algorithm and key 
strength - a form of GPG detection.
   
   ```python
       def __block_model(self, key_block: str, ldap_data: dict[str, str]) -> types.Key:
           # This cache is only held for the session
           if key_block in self.__key_block_models_cache:
               cached_key_models = self.__key_block_models_cache[key_block]
               if len(cached_key_models) == 1:
                   return cached_key_models[0]
               else:
                   raise ValueError("Expected one key block, got none or multiple")
   
           public_key, _ = openpgp.PublicKey.from_armor(key_block)
           key_model = self.public_key_model(public_key, ldap_data, original_key_block=key_block)
           _validate_key_strength(key_model.algorithm, key_model.length, key_model.created)
           key = types.Key(status=types.KeyStatus.PARSED, key_model=key_model)
           self.__key_block_models_cache[key_block] = [key]
           return key
   ```
   
   ### Proposed approach
   Cannot determine an approach without clarification on what 'GPG detection' 
means in this context. The issue author should be asked to provide details on: 
(1) what specific aspect of GPG should be detected, (2) whether this is about 
detecting the gpg binary availability, detecting key types/properties, or 
detecting private key material, and (3) what the expected behavior should be 
when detection succeeds or fails.
   
   ### Open questions
   - What does 'GPG detection' refer to? Private key detection? Binary 
availability? Key algorithm detection? Signature detection?
   - Is this related to the existing `util.contains_private_key_text()` 
functionality or something entirely new?
   - Is there an internal tracking system or Slack thread that provides context 
for this terse issue title?
   - Could this be related to detecting whether uploaded content is a valid 
GPG/OpenPGP key block vs arbitrary text?
   - Is this about detecting GPG signatures on release artifacts during the 
automated checks phase?
   
   _The agent reviewed this issue and is not proposing patches in this run. 
Review the existing-code citations and open questions above before deciding 
next steps._
   
   ### Files examined
   - `atr/storage/writers/keys.py`
   - `atr/ssh.py`
   - `atr/storage/writers/ssh.py`
   - `atr/post/keys.py`
   - `atr/get/keys.py`
   
   ---
   *Draft from a triage agent. A human reviewer should validate before merging 
any change. The agent did not run tests or verify diffs apply.*


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
