
verify-blob loads entire payload into memory

Open ramonpetgrave64 opened this issue 9 months ago • 3 comments

Description

Currently, when calling cosign’s verify-blob subcommand, it will actually load the entire message into memory first, before passing it to the SignerVerifier.VerifySignature() method. This means that verifying a 1 GB file will use an additional 1 GB of memory. This is likely undesirable, so this issue is requesting that it instead pass along an io.Reader of the file, so it can be streamed instead of pre-loaded.

  • https://github.com/sigstore/cosign/blob/647eca1376ea75b3af88cd65f8f35f9e37ecd671/cmd/cosign/cli/verify/verify_blob.go#L181

ramonpetgrave64 · Mar 12 '25 18:03

I am working on this

krisharyan · Mar 13 '25 05:03

@ramonpetgrave64 how big do you want me to make the buffer?

krisharyan · Mar 16 '25 15:03

@krisharyan117 Can you explain a bit more, or open a draft PR, if you're ready?

1KB sounds like an okay buffer size, if the performance is still good.

ramonpetgrave64 · Mar 17 '25 16:03
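The following is an added, self-contained Go example illustrating the two approaches discussed in this thread (the issue description's load-everything behaviour and the requested streaming alternative, including the 1KB buffer suggested above). It is not cosign's code and does not use the sigstore `signature` package: it uses a plain ECDSA P-256 key from the standard library, and the function names `verifyLoadAll`, `verifyStreaming`, `signStreaming` and `digestStream` are made up for the illustration. The streaming path works because ECDSA signs a fixed-size digest and SHA-256 is incremental, so the verifier never needs more than one buffer's worth of the payload at a time.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
)

// digestStream feeds r through SHA-256 in chunks of at most bufSize bytes and
// reports the largest single chunk seen, so the memory bound can be checked.
// It calls Read directly rather than io.Copy: io.Copy lets a bytes.Reader or
// os.File choose its own transfer size, which would defeat the bufSize limit.
func digestStream(r io.Reader, bufSize int) (digest []byte, maxChunk int, err error) {
	h := sha256.New()
	buf := make([]byte, bufSize)
	for {
		n, rerr := r.Read(buf)
		if n > 0 {
			if n > maxChunk {
				maxChunk = n
			}
			h.Write(buf[:n]) // hash.Hash.Write never returns an error
		}
		if rerr == io.EOF {
			return h.Sum(nil), maxChunk, nil
		}
		if rerr != nil {
			return nil, maxChunk, rerr
		}
	}
}

// verifyLoadAll mirrors the current verify-blob behaviour described in the
// issue: the whole payload is read into memory before it is verified, so a
// 1 GB blob costs an extra 1 GB of heap.
func verifyLoadAll(pub *ecdsa.PublicKey, sig []byte, r io.Reader) error {
	msg, err := io.ReadAll(r) // allocates len(msg) bytes up front
	if err != nil {
		return err
	}
	d := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("signature mismatch")
	}
	return nil
}

// verifyStreaming is the requested shape: the caller hands over an io.Reader
// and peak memory is bounded by bufSize, not by the payload length. It also
// returns the largest chunk held so callers can confirm the bound.
func verifyStreaming(pub *ecdsa.PublicKey, sig []byte, r io.Reader, bufSize int) (int, error) {
	d, maxChunk, err := digestStream(r, bufSize)
	if err != nil {
		return maxChunk, err
	}
	if !ecdsa.VerifyASN1(pub, d, sig) {
		return maxChunk, errors.New("signature mismatch")
	}
	return maxChunk, nil
}

// signStreaming signs the same streamed digest, so the two verifiers above
// accept exactly the same signatures.
func signStreaming(priv *ecdsa.PrivateKey, r io.Reader, bufSize int) ([]byte, error) {
	d, _, err := digestStream(r, bufSize)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, d)
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed sample payload (about 16 KiB); a real blob would be a file
	// opened with os.Open and passed in as the io.Reader.
	payload := bytes.Repeat([]byte("sigstore-blob-"), 1170)
	sig, _ := signStreaming(priv, bytes.NewReader(payload), 1024)

	maxChunk, err := verifyStreaming(&priv.PublicKey, sig, bytes.NewReader(payload), 1024)
	fmt.Printf("streaming verify: err=%v, largest chunk in memory=%d of %d bytes\n", err, maxChunk, len(payload))
	fmt.Printf("load-all verify:  err=%v (held all %d bytes)\n",
		verifyLoadAll(&priv.PublicKey, sig, bytes.NewReader(payload)), len(payload))
}
```

With a 1KB buffer the streaming verifier never holds more than 1024 payload bytes at once, whereas the load-all path holds the entire blob; both reject a payload that differs by a single bit. A caller that already has an `*os.File` can pass it straight in as the `io.Reader`, which is the change the issue asks for at the verify-blob call site.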