asf-tooling opened a new issue, #959:
URL: https://github.com/apache/tooling-trusted-releases/issues/959
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The key management writer module contains an explicit '# TODO: Add auditing'
comment on line 20. None of the security-critical operations — key deletion,
insertion, association with committees, or import from files — call
`self.__write_as.append_to_audit_log()`, despite this facility being available
and consistently used in other writer modules. OpenPGP signing keys are the
foundation of Apache release artifact verification, making their lifecycle
events critical to audit.
### Details
**Affected Files and Lines:**
- `atr/storage/writers/keys.py:20-350` - Key management without audit logging
The TODO comment acknowledges the gap but no implementation exists. All key
lifecycle operations (delete, insert, associate, import) lack audit trails,
making forensic investigation impossible.
### Recommended Remediation
Add `self.__write_as.append_to_audit_log()` calls to all key management
operations:
```python
# delete_key
self.__write_as.append_to_audit_log(
    operation='key_delete',
    fingerprint=fingerprint,
    key_owner=key.owner_uid,
    committees=key.committees,
)

# __database_add_model
self.__write_as.append_to_audit_log(
    operation='key_insert',
    fingerprint=model.fingerprint,
    key_type=model.key_type,
)

# associate_fingerprint
self.__write_as.append_to_audit_log(
    operation='key_associate_committee',
    fingerprint=fingerprint,
    committee_key=committee_key,
)
```
Apply to: `delete_key`, `__database_add_model`, `associate_fingerprint`,
`ensure_stored_one`, `import_keys_file`, and `test_user_delete_all`. Remove
the TODO comment on line 20 once implemented.
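The following is an added, self-contained illustration of the pattern the remediation asks for; it is not code from `atr/storage/writers/keys.py` or from the apache/tooling-trusted-releases project. `AuditLog`, `AuditEntry`, `KeyRecord` and `KeysWriter` are hypothetical stand-ins for the project's writer and audit facility, and `AuditLog.append` is assumed to take the same kind of keyword details as `append_to_audit_log` on this page. It goes slightly beyond the snippets above in two ways a forensic investigator cares about: rejected attempts are audited as well as successful ones, and the delete entry captures the owner and committee links before the row disappears.

```python
"""Added example (hypothetical classes, not the project's own code): every key
lifecycle operation writes an audit entry, including failed attempts."""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass, field


@dataclass
class AuditEntry:
    """One audit record: who did what, to which key, with what outcome."""
    operation: str
    actor: str
    outcome: str            # "success" or "failure"
    details: dict
    at: dt.datetime = field(default_factory=lambda: dt.datetime.now(dt.timezone.utc))


class AuditLog:
    """Append-only sink; a deployment would back this with durable storage."""

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def append(self, operation: str, actor: str, outcome: str, **details) -> None:
        self.entries.append(AuditEntry(operation, actor, outcome, details))


@dataclass
class KeyRecord:
    fingerprint: str
    owner_uid: str
    key_type: str
    committees: set[str] = field(default_factory=set)


class KeysWriter:
    """Hypothetical stand-in for the key writer; each operation is audited."""

    def __init__(self, actor: str, audit: AuditLog) -> None:
        self._actor = actor        # authenticated user performing the write
        self._audit = audit
        self._keys: dict[str, KeyRecord] = {}

    def insert_key(self, fingerprint: str, owner_uid: str, key_type: str) -> KeyRecord:
        if fingerprint in self._keys:
            # A rejected write is still a signal worth keeping.
            self._audit.append("key_insert", self._actor, "failure",
                               fingerprint=fingerprint, reason="already_exists")
            raise ValueError(f"key {fingerprint} already stored")
        key = KeyRecord(fingerprint, owner_uid, key_type)
        self._keys[fingerprint] = key
        self._audit.append("key_insert", self._actor, "success",
                           fingerprint=fingerprint, key_owner=owner_uid, key_type=key_type)
        return key

    def associate_fingerprint(self, fingerprint: str, committee_key: str) -> None:
        key = self._keys.get(fingerprint)
        if key is None:
            self._audit.append("key_associate_committee", self._actor, "failure",
                               fingerprint=fingerprint, committee_key=committee_key,
                               reason="unknown_key")
            raise KeyError(fingerprint)
        key.committees.add(committee_key)
        self._audit.append("key_associate_committee", self._actor, "success",
                           fingerprint=fingerprint, committee_key=committee_key)

    def delete_key(self, fingerprint: str) -> None:
        key = self._keys.pop(fingerprint, None)
        if key is None:
            self._audit.append("key_delete", self._actor, "failure",
                               fingerprint=fingerprint, reason="unknown_key")
            raise KeyError(fingerprint)
        # Capture owner and committee links from the removed row: after the delete
        # commits, the audit entry is the only remaining copy of that context.
        self._audit.append("key_delete", self._actor, "success",
                           fingerprint=fingerprint, key_owner=key.owner_uid,
                           committees=sorted(key.committees))


def demo() -> AuditLog:
    """Run a full key lifecycle plus one rejected delete; return the audit trail."""
    audit = AuditLog()
    writer = KeysWriter(actor="alice", audit=audit)
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed sample, not a real key
    writer.insert_key(fpr, owner_uid="alice", key_type="rsa4096")
    writer.associate_fingerprint(fpr, committee_key="tooling")
    writer.delete_key(fpr)
    try:
        writer.delete_key(fpr)       # second delete fails and is still audited
    except KeyError:
        pass
    return audit


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry.at.isoformat(), entry.actor, entry.operation, entry.outcome, entry.details)
```

A unit test for the acceptance criteria can follow the same shape as `demo()`: drive each operation through the writer and assert on the sequence of `(operation, outcome)` pairs in the audit sink, rather than only asserting that the operation itself succeeded.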
### Acceptance Criteria
- [ ] Audit logging added to delete_key
- [ ] Audit logging added to insert operations
- [ ] Audit logging added to association operations
- [ ] Audit logging added to import operations
- [ ] TODO comment removed
- [ ] Unit test verifying the fix
### References
- Source reports: L2:16.1.1.md, L2:16.2.1.md
- Related findings: FINDING-017, FINDING-018, FINDING-057
- ASVS sections: 16.1.1, 16.2.1
### Priority
Critical
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]