Fix: Create a static copy of signatures as part of verification. #2287

mattmoor · 2022-09-27T04:18:00Z

🐛 As part of verifying signatures and annotations create copies of what we are downloading to avoid later calls to Payload() redownloading the signature blob.

Examining trace data for policy-controller downstream, I observed that the same signature blob data was being fetched three times as part of verification. I believe for attestations this may be even worse because we have an additional call to Payload() where we parse out the contents of the attestation's predicate for policy evaluation.

This change eagerly fetches the signature metadata and stores it in a clone via static.Copy. This clone is what we verify, and if it fails verification is it immediately discarded. However, if it passes verification this clone is returned as one of the "verified signatures" that the downstream logic can now access without refetching data from the registry.

UPDATE: I have confirmed downstream by manually vendoring this in that the redundant blob fetches go away and the admission webhook requests are noticeably faster. It isn't quite 3x because of other overheads, but it is pretty considerable.

/kind bug

Signed-off-by: Matt Moore mattmoor@chainguard.dev

Release Note

Speed up some of the verification methods by eliminating redundant fetches of the signature blob data from the registry using a temporary in-memory copy.

Documentation

🐛 As part of verifying signatures and annotations create copies of what we are downloading to avoid later calls to `Payload()` redownloading the signature blob. Examining trace data for policy-controller downstream, I observed that the same signature blob data was being fetched three times as part of verification. I believe for attestations this may be even worse because we have an additional call to `Payload()` where we parse out the contents of the attestation's predicate for policy evaluation. This change eagerly fetches the signature metadata and stores it in a clone via `static.Copy`. This clone is what we verify, and if it fails verification is it immediately discarded. However, if it passes verification this clone is returned as one of the "verified signatures" that the downstream logic can now access without refetching data from the registry. /kind bug Signed-off-by: Matt Moore <mattmoor@chainguard.dev>

codecov-commenter · 2022-09-27T04:20:24Z

Codecov Report

Merging #2287 (17156ca) into main (d720f04) will decrease coverage by 0.20%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2287      +/-   ##
==========================================
- Coverage   29.02%   28.82%   -0.21%     
==========================================
  Files         131      131              
  Lines        7872     7928      +56     
==========================================
  Hits         2285     2285              
- Misses       5275     5331      +56     
  Partials      312      312

Impacted Files	Coverage Δ
pkg/cosign/verify.go	`31.71% <0.00%> (-0.37%)`	⬇️
pkg/oci/static/signature.go	`50.00% <0.00%> (-44.45%)`	⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/sigstore/cosign](https://togithub.com/sigstore/cosign) | require | minor | `v1.12.1` -> `v1.13.0` | --- ### Release Notes <details> <summary>sigstore/cosign</summary> ### [`v1.13.0`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v1130) [Compare Source](https://togithub.com/sigstore/cosign/compare/v1.12.1...v1.13.0) > # Highlights > > - For users who have deployed a private instance of Fulcio release v0.6.x and issue certificates with the Username identity, you will need to upgrade to use this version." #### Enhancements - Add support for Fulcio username identity in SAN ([/~https://github.com/sigstore/cosign/pull/2291](https://togithub.com/sigstore/cosign/pull/2291)) - Data race in FetchSignaturesForReference ([/~https://github.com/sigstore/cosign/pull/2283](https://togithub.com/sigstore/cosign/pull/2283)) - Check error on chain verification failure ([/~https://github.com/sigstore/cosign/pull/2284](https://togithub.com/sigstore/cosign/pull/2284)) - feat: improve the verification message ([/~https://github.com/sigstore/cosign/pull/2268](https://togithub.com/sigstore/cosign/pull/2268)) - feat: use stdin as an input for predicate ([/~https://github.com/sigstore/cosign/pull/2269](https://togithub.com/sigstore/cosign/pull/2269)) #### Bug Fixes - fix: make tlog entry lookups for online verification shard-aware ([/~https://github.com/sigstore/cosign/pull/2297](https://togithub.com/sigstore/cosign/pull/2297)) - Fix: Create a static copy of signatures as part of verification. ([/~https://github.com/sigstore/cosign/pull/2287](https://togithub.com/sigstore/cosign/pull/2287)) - Fix: Remove an extra registry request from verification path. ([/~https://github.com/sigstore/cosign/pull/2285](https://togithub.com/sigstore/cosign/pull/2285)) - fix pivtool generate key touch policy ([/~https://github.com/sigstore/cosign/pull/2282](https://togithub.com/sigstore/cosign/pull/2282)) #### Others - use scaffolding 0.4.8 for tests. ([/~https://github.com/sigstore/cosign/pull/2280](https://togithub.com/sigstore/cosign/pull/2280)) #### Contributors - Asra Ali ([@asraa](https://togithub.com/asraa)) - Batuhan Apaydın ([@developer-guy](https://togithub.com/developer-guy)) - Carlos Tadeu Panato Junior ([@cpanato](https://togithub.com/cpanato)) - Hayden Blauzvern ([@haydentherapper](https://togithub.com/haydentherapper)) - Matt Moore ([@mattmoor](https://togithub.com/mattmoor)) - Ross Tannenbaum ([@RTann](https://togithub.com/RTann)) - Ville Aikas ([@vaikas](https://togithub.com/vaikas)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, click this checkbox. --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/defenseunicorns/zarf).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

mattmoor changed the title ~~[WIP] Fix: Create a static copy of signatures as part of verification.~~ Fix: Create a static copy of signatures as part of verification. Sep 27, 2022

mattmoor requested review from dlorenc and vaikas September 27, 2022 04:49

mattmoor enabled auto-merge (squash) September 27, 2022 04:58

dlorenc approved these changes Sep 27, 2022

View reviewed changes

mattmoor merged commit 6486a08 into sigstore:main Sep 27, 2022

github-actions bot added this to the v1.13.0 milestone Sep 27, 2022

mattmoor deleted the copy-signatures branch September 27, 2022 15:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix: Create a static copy of signatures as part of verification. #2287

Fix: Create a static copy of signatures as part of verification. #2287

mattmoor commented Sep 27, 2022 •

edited

Loading

codecov-commenter commented Sep 27, 2022 •

edited

Loading

Fix: Create a static copy of signatures as part of verification. #2287

Fix: Create a static copy of signatures as part of verification. #2287

Conversation

mattmoor commented Sep 27, 2022 • edited Loading

Release Note

Documentation

codecov-commenter commented Sep 27, 2022 • edited Loading

Codecov Report

mattmoor commented Sep 27, 2022 •

edited

Loading

codecov-commenter commented Sep 27, 2022 •

edited

Loading