Cache registry token during Notation verification#2098

Merged
dipti-pai merged 1 commit into
fluxcd:mainfrom
dipti-pai:cache-notation-verify
Jul 2, 2026
Conversation

@dipti-pai

Member

The ORAS auth.Client used for Notation signature verification was constructed without a Cache, which ORAS treats as no caching. As a result every request in a single verification (manifest resolve, signature listing, signature manifest and blob fetches) performed its own token exchange against the registry, multiplying token-endpoint traffic by roughly five for each verified artifact.

Set Cache to auth.NewCache() so the registry authorization token is fetched once and reused across the requests of a verification. This matches the ORAS and Notation reference clients and does not change verification behaviour or credential resolution; token staleness is still handled by ORAS on a 401.

Add unit tests asserting the cache is wired and that the token endpoint is hit once instead of per request.

Assisted-by: GitHub Copilot/Claude Opus 4.8
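The description above explains the mechanism (an unset Cache means a token exchange for every request; a cache means one exchange reused until the registry rejects it with a 401) but none of the code is on this page. The following is an added, self-contained Go example, not fluxcd's or oras-go's code, that re-implements the bearer challenge/token-exchange/retry loop of a registry auth client against a constructed httptest registry, with the cache as a nil-vs-non-nil map to mirror the unset-Cache vs auth.NewCache() distinction. fakeRegistry, get, fetchToken, verifyArtifact, the five request paths and the tokens tok-1/tok-2 are all constructed for illustration. It also covers the staleness case: a cached token the registry no longer accepts costs exactly one new exchange on the 401, not a failed verification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// fakeRegistry is a constructed bearer-auth registry stand-in: /v2/ reads need the current token, /token counts exchanges.
type fakeRegistry struct {
	srv        *httptest.Server
	tokenCalls atomic.Int64
	valid      atomic.Value // string: the token the registry accepts right now
}

func newFakeRegistry() *fakeRegistry {
	r := &fakeRegistry{}
	r.valid.Store("tok-1")
	mux := http.NewServeMux()
	mux.HandleFunc("/token", func(w http.ResponseWriter, _ *http.Request) {
		r.tokenCalls.Add(1)
		fmt.Fprintf(w, `{"token":%q}`, r.valid.Load().(string))
	})
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, req *http.Request) {
		if req.Header.Get("Authorization") != "Bearer "+r.valid.Load().(string) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="http://`+req.Host+`/token"`)
			w.WriteHeader(http.StatusUnauthorized) // otherwise fall through to an empty 200
		}
	})
	r.srv = httptest.NewServer(mux)
	return r
}

// get performs one registry read with the challenge/exchange/retry loop of a registry auth client.
// cache maps host to token; a nil map is "no cache", the state the PR describes for an unset Cache.
func get(hc *http.Client, cache map[string]string, host, path string) (int, error) {
	tok := cache[host] // reading a nil map yields "", so no guard is needed here
	for attempt := 0; ; attempt++ {
		req, _ := http.NewRequest(http.MethodGet, "http://"+host+path, nil) // inputs are local
		if tok != "" {
			req.Header.Set("Authorization", "Bearer "+tok)
		}
		resp, err := hc.Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close() // only status and headers matter in this demo
		if resp.StatusCode != http.StatusUnauthorized || attempt > 0 {
			return resp.StatusCode, nil
		}
		// No token, or a cached one the registry no longer accepts: one exchange, one retry.
		if tok, err = fetchToken(hc, resp.Header.Get("WWW-Authenticate")); err != nil {
			return 0, err
		}
		if cache != nil {
			cache[host] = tok // later reads of this host reuse it instead of exchanging again
		}
	}
}

// fetchToken extracts realm="..." from a Bearer challenge and calls that token endpoint.
func fetchToken(hc *http.Client, challenge string) (string, error) {
	_, rest, ok := strings.Cut(challenge, `Bearer realm="`)
	realm, _, ok2 := strings.Cut(rest, `"`)
	if !ok || !ok2 {
		return "", fmt.Errorf("not a bearer challenge: %q", challenge)
	}
	resp, err := hc.Get(realm)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ Token string }
	err = json.NewDecoder(resp.Body).Decode(&body)
	return body.Token, err
}

// verifyArtifact issues the five reads of one Notation verification and returns the registry's cumulative exchange count.
func verifyArtifact(reg *fakeRegistry, cache map[string]string) (int64, error) {
	host := strings.TrimPrefix(reg.srv.URL, "http://")
	for _, p := range []string{"/v2/app/manifests/v1", "/v2/app/referrers/sha256:aaa",
		"/v2/app/manifests/sha256:bbb", "/v2/app/blobs/sha256:ccc", "/v2/app/blobs/sha256:ddd"} {
		if code, err := get(reg.srv.Client(), cache, host, p); err != nil || code != http.StatusOK {
			return 0, fmt.Errorf("GET %s: status %d, err %v", p, code, err)
		}
	}
	return reg.tokenCalls.Load(), nil
}

func main() {
	reg := newFakeRegistry()
	defer reg.srv.Close()
	noCache, _ := verifyArtifact(reg, nil)                    // every read pays for its own exchange
	cumulative, _ := verifyArtifact(reg, map[string]string{}) // one exchange, then reuse
	fmt.Printf("exchanges per verification: no cache %d, with cache %d\n", noCache, cumulative-noCache)
}
```

The constructed challenge carries only a realm; a real registry challenge also carries service and scope, which the client forwards to the token endpoint, and oras-go keys its cache by host and scope rather than by host alone. The retry is bounded to one round so a token endpoint that keeps issuing rejected tokens surfaces as a 401 instead of a loop. Rotating reg.valid between two cached verifications exercises the staleness path: the first read of the second run is rejected, one new exchange follows, and the remaining four reads reuse the new token.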

@matheuscscp matheuscscp added the labels bug (Something isn't working), area/oci (OCI related issues and pull requests) and backport:release/v1.9.x (To be backported to release/v1.9.x) on Jun 30, 2026

@matheuscscp matheuscscp left a comment

Member

LGTM

@dipti-pai dipti-pai marked this pull request as ready for review July 2, 2026 17:18

The ORAS auth.Client used for Notation signature verification was
constructed without a Cache, which ORAS treats as no caching. As a
result every request in a single verification (manifest resolve,
signature listing, signature manifest and blob fetches) performed its
own token exchange against the registry, multiplying token-endpoint
traffic by roughly five for each verified artifact.

Set Cache to auth.NewCache() so the registry authorization token is
fetched once and reused across the requests of a verification. This
matches the ORAS and Notation reference clients and does not change
verification behaviour or credential resolution; token staleness is
still handled by ORAS on a 401.

Add unit tests asserting the cache is wired and that the token
endpoint is hit once instead of per request.

Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Assisted-by: GitHub Copilot/Claude Opus 4.8
@dipti-pai dipti-pai force-pushed the cache-notation-verify branch from 14582b5 to 69305ed Compare July 2, 2026 17:29
@dipti-pai dipti-pai merged commit 39b711b into fluxcd:main Jul 2, 2026
6 checks passed
@fluxcdbot

Member

Successfully created backport PR for release/v1.9.x:
