Merge pull request #1558 from aquaproj/feat/lock-cosign

fix: Get a lock when running Cosign
aquaproj · Jan 12, 2023 · 12eee7b · 12eee7b
2 parents 45b88ee + d1d09a5
commit 12eee7b
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 17 deletions.
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"math/rand"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/aquaproj/aqua/pkg/config"
@@ -25,6 +26,7 @@ type VerifierImpl struct {
 	downloader    download.ClientAPI
 	cosignExePath string
 	disabled      bool
+	mutex         *sync.Mutex
 }
 
 func NewVerifier(executor Executor, fs afero.Fs, downloader download.ClientAPI, param *config.Param) *VerifierImpl {
@@ -39,6 +41,7 @@ func NewVerifier(executor Executor, fs afero.Fs, downloader download.ClientAPI,
 		}),
 		// assets for windows/arm64 aren't released.
 		disabled: rt.GOOS == "windows" && rt.GOARCH == "arm64",
+		mutex:    &sync.Mutex{},
 	}
 }
 
@@ -133,7 +136,6 @@ func (verifier *VerifierImpl) Verify(ctx context.Context, logE *logrus.Entry, rt
 }
 
 type Executor interface {
-	ExecWithEnvs(ctx context.Context, exePath string, args, envs []string) (int, error)
 	ExecWithEnvsAndGetCombinedOutput(ctx context.Context, exePath string, args, envs []string) (string, int, error)
 }
 
@@ -148,14 +150,36 @@ const tempErrMsg = "resource temporarily unavailable"
 
 var errVerify = errors.New("verify with Cosign")
 
+func (verifier *VerifierImpl) exec(ctx context.Context, args, envs []string) (string, error) {
+	// https://github.com/aquaproj/aqua/issues/1555
+	verifier.mutex.Lock()
+	defer verifier.mutex.Unlock()
+	out, _, err := verifier.executor.ExecWithEnvsAndGetCombinedOutput(ctx, verifier.cosignExePath, args, envs)
+	return out, err //nolint:wrapcheck
+}
+
+func wait(ctx context.Context, logE *logrus.Entry, retryCount int) error {
+	rand.Seed(time.Now().UnixNano())
+	waitTime := time.Duration(rand.Intn(1000)) * time.Millisecond //nolint:gosec,gomnd
+	logE.WithFields(logrus.Fields{
+		"retry_count": retryCount,
+		"wait_time":   waitTime,
+	}).Info("Verification by Cosign failed temporarily, retring")
+	if err := util.Wait(ctx, waitTime); err != nil {
+		return fmt.Errorf("wait running Cosign: %w", err)
+	}
+	return nil
+}
+
 func (verifier *VerifierImpl) verify(ctx context.Context, logE *logrus.Entry, param *ParamVerify) error {
 	envs := []string{}
 	if param.CosignExperimental {
 		envs = []string{"COSIGN_EXPERIMENTAL=1"}
 	}
+	args := append([]string{"verify-blob"}, append(param.Opts, param.Target)...)
 	for i := 0; i < 5; i++ {
 		// https://github.com/aquaproj/aqua/issues/1554
-		out, _, err := verifier.executor.ExecWithEnvsAndGetCombinedOutput(ctx, verifier.cosignExePath, append([]string{"verify-blob"}, append(param.Opts, param.Target)...), envs)
+		out, err := verifier.exec(ctx, args, envs)
 		if err == nil {
 			return nil
 		}
@@ -166,14 +190,8 @@ func (verifier *VerifierImpl) verify(ctx context.Context, logE *logrus.Entry, pa
 			// skip last wait
 			break
 		}
-		rand.Seed(time.Now().UnixNano())
-		waitTime := time.Duration(rand.Intn(1000)) * time.Millisecond //nolint:gosec,gomnd
-		logE.WithFields(logrus.Fields{
-			"retry_count": i + 1,
-			"wait_time":   waitTime,
-		}).Info("Verification by Cosign failed temporarily, retring")
-		if err := util.Wait(ctx, waitTime); err != nil {
-			return fmt.Errorf("wait 1 second: %w", err)
+		if err := wait(ctx, logE, i+1); err != nil {
+			return err
 		}
 	}
 	return errVerify

diff --git a/tests/cosign/aqua.yaml b/tests/cosign/aqua.yaml
@@ -14,10 +14,9 @@ packages:
   - name: terraform-linters/tflint
     version: v0.44.1
     registry: local
-  # Comment out flaky test
-  # Verification with Cosign frequently failed.
-  # > Error: verifying blob [/tmp/482325480]: getting Fulcio roots: error getting targets: error getting target fulcio.crt.pem by usage: open /home/runner/.sigstore/root/targets/fulcio.crt.pem: no such file or directory
-  # > main.go:62: error during command execution: verifying blob [/tmp/482325480]: getting Fulcio roots: error getting targets: error getting target fulcio.crt.pem by usage: open /home/runner/.sigstore/root/targets/fulcio.crt.pem: no such file or directory
-  # - name: aquaproj/aqua-installer
-  #   version: v1.1.3-3
-  #   registry: local
+  # https://github.com/sigstore/cosign/issues/2576
+  # https://github.com/aquaproj/aqua/issues/1555
+  # https://github.com/aquaproj/aqua/issues/1554
+  - name: aquaproj/aqua-installer
+    version: v1.1.3-3
+    registry: local