Export function to verify individual signature #1334

Merged
merged 1 commit into from
Jan 18, 2022

ribbybibby
Contributor

Summary

Calling the existing VerifyImageSignatures function multiple times for the same image with different verifiers will download the OCI manifest multiple times. This is inefficient and slow.

Exporting a function that verifies a single signature allows the decoupling of the fetch and verification stages.

Release Note


Calling the existing VerifyImageSignatures function multiple times for
the same image with different verifiers will download the OCI manifest
multiple times. This is inefficient and slow.

Exporting a function that verifies a single signature allows the
decoupling of the OCI manifest fetch and verification stages.

Signed-off-by: Rob Best <robertbest89@gmail.com>
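
The fetch/verify split described in the summary above, sketched as an added example that is not cosign's code or part of this pull request. `Signature`, `Fetcher`, `VerifySignature`, `VerifyAll` and `Demo` are hypothetical names, and ed25519 keys derived from fixed seeds stand in for real verifiers.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Signature and Fetcher are hypothetical stand-ins, not cosign types.
type Signature struct{ Payload, Sig []byte }
type Fetcher func(ref string) []Signature // network stage: one call = one manifest download

// VerifySignature checks one already-fetched signature and never calls the registry.
func VerifySignature(s Signature, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, s.Payload, s.Sig)
}

// VerifyAll fetches once, then requires every key to match at least one signature.
func VerifyAll(fetch Fetcher, ref string, keys []ed25519.PublicKey) error {
	sigs := fetch(ref)
	for i, k := range keys {
		matched := false
		for _, s := range sigs {
			matched = matched || VerifySignature(s, k)
		}
		if !matched {
			return fmt.Errorf("verifier %d: no matching signature on %s", i, ref)
		}
	}
	return nil
}

// Demo uses constructed data: only the signatures of keys 0 and 1 are attached.
func Demo() (fetches int, okErr, badErr error) {
	payload := []byte("constructed payload for image app")
	var keys []ed25519.PublicKey
	var sigs []Signature
	for i := 0; i < 3; i++ {
		priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize))
		keys = append(keys, priv.Public().(ed25519.PublicKey))
		sigs = append(sigs, Signature{payload, ed25519.Sign(priv, payload)})
	}
	n := 0 // counts simulated manifest downloads
	fetch := func(string) []Signature { n++; return sigs[:2] } // key 2's signature is withheld
	okErr = VerifyAll(fetch, "app", keys[:2])
	fetches = n
	return fetches, okErr, VerifyAll(fetch, "app", keys)
}

func main() { fmt.Println(Demo()) }
```

Two verifiers are satisfied from a single fetch, and a verifier with no matching signature fails the whole check rather than being skipped.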
@ribbybibby
Contributor Author

I don't think the test failure is related to the changes in the PR:

--- FAIL: TestReadWrite (0.07s)
    write_test.go:36: appending signatures: error writing layer: rename C:\Users\RUNNER~1\AppData\Local\Temp\TestReadWrite2597293721\001\blobs\sha256\e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b8551856907808 C:\Users\RUNNER~1\AppData\Local\Temp\TestReadWrite2597293721\001\blobs\sha256\e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855: Access is denied.
FAIL
FAIL	github.com/sigstore/cosign/pkg/oci/layout	0.111s

@dlorenc
Member

dlorenc commented Jan 17, 2022

Seems reasonable to me!

Any objections to the new public API anyone?

@dlorenc
Member

dlorenc commented Jan 18, 2022

OK then, merging!

@dlorenc dlorenc merged commit bca7ba6 into sigstore:main Jan 18, 2022
@github-actions github-actions bot added this to the v1.5.0 milestone Jan 18, 2022
@ribbybibby ribbybibby deleted the verify-signature branch January 18, 2022 21:49
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022