Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Export function to verify individual signature #1334

Merged
merged 1 commit into from
Jan 18, 2022

Conversation

ribbybibby
Copy link
Contributor

Summary

Calling the existing VerifyImageSignatures function multiple times for the same image with different verifiers will download the OCI manifest multiple times. This is inefficient and slow.

Exporting a function that verifies a single signature allows the decoupling of the fetch and verification stages.

Release Note


Calling the existing VerifyImageSignatures function multiple times for
the same image with different verifiers will download the OCI manifest
multiple times. This is inefficient and slow.

Exporting a function that verifies a single signature allows the
decoupling of the OCI manifest fetch and verification stages.

Signed-off-by: Rob Best <[email protected]>
@ribbybibby
Copy link
Contributor Author

I don't think the test failure is related to the changes in the PR:

--- FAIL: TestReadWrite (0.07s)
    write_test.go:36: appending signatures: error writing layer: rename C:\Users\RUNNER~1\AppData\Local\Temp\TestReadWrite2597293721\001\blobs\sha256\e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b8551856907808 C:\Users\RUNNER~1\AppData\Local\Temp\TestReadWrite2597293721\001\blobs\sha256\e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855: Access is denied.
FAIL
FAIL	github.com/sigstore/cosign/pkg/oci/layout	0.111s

@dlorenc
Copy link
Member

dlorenc commented Jan 17, 2022

Seems reasonable to me!

Any objections to the new public API anyone?

@dlorenc
Copy link
Member

dlorenc commented Jan 18, 2022

OK then, merging!

@dlorenc dlorenc merged commit bca7ba6 into sigstore:main Jan 18, 2022
@github-actions github-actions bot added this to the v1.5.0 milestone Jan 18, 2022
@ribbybibby ribbybibby deleted the verify-signature branch January 18, 2022 21:49
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
Calling the existing VerifyImageSignatures function multiple times for
the same image with different verifiers will download the OCI manifest
multiple times. This is inefficient and slow.

Exporting a function that verifies a single signature allows the
decoupling of the OCI manifest fetch and verification stages.

Signed-off-by: Rob Best <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants