This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-release.git


The following commit(s) were added to refs/heads/main by this push:
     new c5f99f7  Validate that a user uploaded signing key is associated with 
their account
c5f99f7 is described below

commit c5f99f798246a8f2675cad098eb85094deae5383
Author: Sean B. Palmer <[email protected]>
AuthorDate: Wed Jun 18 14:54:31 2025 +0100

    Validate that a user uploaded signing key is associated with their account
---
 atr/db/interaction.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/atr/db/interaction.py b/atr/db/interaction.py
index 32ae0ee..51f1201 100644
--- a/atr/db/interaction.py
+++ b/atr/db/interaction.py
@@ -69,19 +69,26 @@ async def ephemeral_gpg_home() -> AsyncGenerator[str]:
 
 
 async def key_user_add(
-    asf_uid: str | None, public_key: str, selected_committees: list[str], 
ldap_data: dict[str, str] | None = None
+    session_asf_uid: str | None,
+    public_key: str,
+    selected_committees: list[str],
+    ldap_data: dict[str, str] | None = None,
 ) -> list[dict]:
     if not public_key:
         raise PublicKeyError("Public key is required")
 
     # Validate the key using GPG and get its properties
+    # This does not add it to the database, only validates and gets its 
properties
     keys = await _key_user_add_validate_key_properties(public_key)
 
     added_keys = []
     for key in keys:
         asf_uid = await util.asf_uid_from_uids(key.get("uids", []), 
ldap_data=ldap_data)
-        # Store key in database
+        if session_asf_uid and (asf_uid != session_asf_uid):
+            # TODO: Give a more detailed error message about why and what to do
+            raise InteractionError(f"Key {key.get('fingerprint')} is not 
associated with your ASF account")
         async with db.session() as data:
+            # Store the key in the database
             added = await key_user_session_add(asf_uid, public_key, key, 
selected_committees, data)
             if added:
                 added_keys.append(added)
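Review bot: The ownership check runs inside the `for key in keys` loop, after earlier keys from the same upload have already passed through `key_user_session_add`, so an upload with a matching key followed by a non-matching one raises `InteractionError` but may leave the first key stored (assuming each `db.session()` block commits on exit, which is not visible here). Resolving and checking every key before the first write avoids that: collect them in a first loop with `resolved.append((asf_uid, key))`, then store them in a second loop, `for asf_uid, key in resolved:`. The guard is also skipped whenever `session_asf_uid` is `None` or empty, so a caller without a session uid still stores keys unchecked; if that path is intentional, a comment above the `if` such as `# session_asf_uid is None only for callers that are trusted to add keys for other accounts` would make the fail-open case explicit. Because `asf_uid` is derived from the key's own UIDs, which whoever generated the key chooses, the check appears to confirm a claimed identity rather than control of the account; this is hedged, since `asf_uid_from_uids` is outside the hunk. The body of `key_user_add` continues past the end of the hunk.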

