Skip to content

SignRepositoryIndex can pick up signing_keys configuration from non-containing archives

This code in the SignRepositoryIndex task isn't quite right:

        signing_keys: list[str] | None = None
        if suite.data.get("signing_keys") is not None:
            signing_keys = suite.data["signing_keys"]
        else:
            archive = task_database.lookup_singleton_collection(
                CollectionCategory.ARCHIVE
            )
            if archive is not None:
                signing_keys = archive.data.get("signing_keys")

While the suite can't be a member of any other archive (due to a matching-workspace constraint), it might not necessarily be a member of this archive. (Yes, this is a bit awkward.)

This is difficult to fix right now because TaskDatabaseInterface doesn't provide a way to do so. I suppose we could add a lookup on the suite collection that returns the containing archive, if any? For now, I'm just adding a TODO command as a drive-by change in !2171 (merged).

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information