Commit
Fix: Create a static copy of signatures as part of verification.
🐛 As part of verifying signatures and annotations create copies of what we are downloading to avoid later calls to `Payload()` redownloading the signature blob.

Examining trace data for policy-controller downstream, I observed that the same signature blob data was being fetched three times as part of verification. I believe for attestations this may be even worse because we have an additional call to `Payload()` where we parse out the contents of the attestation's predicate for policy evaluation.

This change eagerly fetches the signature metadata and stores it in a clone via `static.Copy`. This clone is what we verify, and if it fails verification it is immediately discarded. However, if it passes verification this clone is returned as one of the "verified signatures" that the downstream logic can now access without refetching data from the registry.

/kind bug

Signed-off-by: Matt Moore <[email protected]>
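The fetch pattern the commit message describes, as an added Go example that is not code from this commit or from the project. The `Signature` interface, `lazySig`, `staticSig` and `fetchCount` are hypothetical stand-ins, the payload is constructed sample data, and a digest comparison stands in for real signature verification.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Signature is a hypothetical stand-in for a registry-backed signature layer.
type Signature interface{ Payload() ([]byte, error) }

var fetches int // simulated registry round trips

// lazySig simulates a remote layer: every Payload() call is a blob fetch.
type lazySig struct{ blob []byte }

func (l lazySig) Payload() ([]byte, error) {
	fetches++
	return append([]byte(nil), l.blob...), nil
}

// staticSig is the in-memory clone; Payload() never touches the registry.
type staticSig struct{ payload []byte }

func (s staticSig) Payload() ([]byte, error) { return s.payload, nil }

// fetchCount verifies a signature, reads it twice downstream, and returns the fetch count.
func fetchCount(copyFirst bool) (int, error) {
	blob := []byte(`{"note":"constructed sample payload"}`)
	fetches = 0
	var sig Signature = lazySig{blob}
	if copyFirst { // eager fetch once, then verify and use only the clone
		p, err := sig.Payload()
		if err != nil {
			return fetches, err
		}
		sig = staticSig{p}
	}
	// Read 0 is checked (placeholder digest compare); reads 1-2 are downstream use.
	for i := 0; i < 3; i++ {
		p, err := sig.Payload()
		if err != nil || (i == 0 && sha256.Sum256(p) != sha256.Sum256(blob)) {
			return fetches, fmt.Errorf("read %d failed or digest mismatch: %v", i, err)
		}
	}
	return fetches, nil
}

func main() {
	fmt.Println(fetchCount(false)) // without the copy
	fmt.Println(fetchCount(true))  // with the copy
}
```

With the copy in place, the bytes that passed the check are the same bytes every later `Payload()` call returns.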