
[release/v1.9.x] Cache registry token during Notation verification#2105

Merged: matheuscscp merged 1 commit into release/v1.9.x from backport-2098-to-release/v1.9.x on Jul 2, 2026
Conversation

@fluxcdbot (Member)

Automated backport to release/v1.9.x, triggered by a label in #2098.

The ORAS auth.Client used for Notation signature verification was
constructed without a Cache, which ORAS treats as no caching. As a
result every request in a single verification (manifest resolve,
signature listing, signature manifest and blob fetches) performed its
own token exchange against the registry, multiplying token-endpoint
traffic by roughly five for each verified artifact.

Set Cache to auth.NewCache() so the registry authorization token is
fetched once and reused across the requests of a verification. This
matches the ORAS and Notation reference clients and does not change
verification behaviour or credential resolution; token staleness is
still handled by ORAS on a 401.

Add unit tests asserting the cache is wired and that the token
endpoint is hit once instead of per request.

Signed-off-by: Dipti Pai <diptipai89@outlook.com>
Assisted-by: GitHub Copilot/Claude Opus 4.8
(cherry picked from commit 69305ed)
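As an added illustration (not code from this PR, Flux, ORAS or Notation), the following stand-alone Go program mimics what the description and its unit tests refer to: a fake registry whose token endpoint counts exchanges, five round trips standing in for one verification, and a nil map standing in for an ORAS client with no Cache versus an initialised map standing in for Cache: auth.NewCache(). The server, paths and token value are constructed for the demo.

```go
package main
import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)
// TokenExchangesPerVerification replays five registry round trips of one simulated verification against a fake
// registry and returns how often its token endpoint was hit; nil cache = pre-fix (no Cache), non-nil = auth.NewCache().
func TokenExchangesPerVerification(cache map[string]string) (int, error) {
	var hits int32
	mux := http.NewServeMux()
	mux.HandleFunc("/token", func(w http.ResponseWriter, _ *http.Request) {
		atomic.AddInt32(&hits, 1) // one credential-for-token exchange
		fmt.Fprint(w, "constructed-token")
	})
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-token" {
			w.WriteHeader(http.StatusUnauthorized) // registry content requires the bearer token
		}
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	for _, p := range []string{"/v2/a/manifests/v1", "/v2/a/referrers/x", "/v2/a/manifests/sig", "/v2/a/blobs/cfg", "/v2/a/blobs/env"} {
		tok, cached := cache[srv.URL] // reading a nil map is safe: nothing is ever cached
		if !cached {
			resp, err := srv.Client().Get(srv.URL + "/token")
			if err != nil {
				return 0, err
			}
			b, _ := io.ReadAll(resp.Body) // in-process fake server; read error ignored for brevity
			resp.Body.Close()
			if tok = string(b); cache != nil {
				cache[srv.URL] = tok // the reuse that auth.NewCache() provides in ORAS
			}
		}
		req, _ := http.NewRequest(http.MethodGet, srv.URL+p, nil)
		req.Header.Set("Authorization", "Bearer "+tok)
		resp, err := srv.Client().Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return 0, fmt.Errorf("%s: %s", p, resp.Status)
		}
	}
	return int(atomic.LoadInt32(&hits)), nil
}
```

Calling it with nil returns 5 (one exchange per request); with an empty map it returns 1, which is the ratio the description reports.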
@matheuscscp matheuscscp merged commit c4adb7f into release/v1.9.x Jul 2, 2026
3 checks passed
@matheuscscp matheuscscp deleted the backport-2098-to-release/v1.9.x branch July 2, 2026 19:57
