
fix: handle azure keyvault throttling with retry logic

Open thomas-rabiller opened this issue 1 year ago • 9 comments

Include retry logic to deal with Azure KeyVault throttling errors that may occur during large sign batches, as described in Microsoft docs: https://learn.microsoft.com/en-us/azure/key-vault/general/overview-throttling

thomas-rabiller avatar Mar 15 '24 13:03 thomas-rabiller

#135

thomas-rabiller avatar Mar 15 '24 13:03 thomas-rabiller

This also looks like a solution for #249

PhonicUK avatar May 15 '24 16:05 PhonicUK

I am looking forward to this PR getting approved.

fabricioferreira avatar Aug 21 '24 02:08 fabricioferreira

Hi @vcsjones, any reason not to proceed with this merge? Azure's key vault throttling is insane and keeps failing our pipelines. Thanks!

fabricioferreira avatar Oct 08 '24 23:10 fabricioferreira

I believe this issue was addressed in https://github.com/vcsjones/AzureSignTool/pull/251. It’s included in v6.0.0-beta1 (check the release announcement here: https://github.com/vcsjones/AzureSignTool/releases/tag/v6.0.0-beta1).

casuffitsharp avatar Oct 09 '24 00:10 casuffitsharp

We still have this issue on 6.0.1

larde avatar Mar 05 '25 14:03 larde

Me too, retry mechanism does not seem to work.

ldaniels-dennemeyer avatar Mar 14 '25 16:03 ldaniels-dennemeyer

The retry mechanism is indeed part of 6.0.0. See release notes or the notes of the beta mentioned above (link: #271):

Concurrency

By far, the issue that gets reported the most is failures from excessive concurrency. There are two parts that can result in failures from throttling. The first is Azure. Azure limits the number of operations a KeyVault can perform in a given period. The second is timestamping from a Certificate Authority.

There are two changes in this release to help with this.

  1. The --max-degree-of-parallelism (-mdop) now defaults to 4, meaning no more than 4 sign operations will happen concurrently. To revert back to the previous behavior, set --max-degree-of-parallelism to 0, or a higher number if you still want some limit on concurrent operations.
  2. The signing operation will now retry failed signing operations if the failure was the result of Azure performing throttling.

So, it must be the CA throttling that limits the signing throughput.

This PR should be abandoned.

fedorbirjukov avatar Apr 01 '25 07:04 fedorbirjukov

For us it does seem to be the timestamp service that's causing throttling failures. The Azure retry mechanism in v6.0.1 doesn't kick in at all for these.

I've pulled v6.x into this change and created a build here: https://github.com/bdagnin/AzureSignTool/releases/download/v6.0.2-alpha.1.retry/AzureSignTool.exe. This and -mdop 1 have solved our signing failures.

bdagnin avatar Apr 03 '25 20:04 bdagnin
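
The two mechanisms discussed in this thread, as an added example that is not AzureSignTool's own code: a cap on concurrent sign operations plus a retry with exponential backoff that fires only on vault throttling, so a timestamp-service failure passes through unretried. The exception types, method names, delay values and sample jobs are hypothetical stand-ins constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical stand-ins: one exception per failure class named in the thread.
class VaultThrottledException : Exception { }    // e.g. HTTP 429 from Key Vault
class TimestampFailedException : Exception { }   // timestamp authority refused
static class BatchSigner
{
    // Retries only vault throttling, with exponential backoff plus jitter.
    public static async Task<bool> SignWithRetryAsync(
        Func<Task> sign, int maxAttempts = 5, int baseDelayMs = 1000)
    {
        for (int attempt = 1; ; attempt++)
        {
            try { await sign(); return true; }
            catch (VaultThrottledException) when (attempt < maxAttempts)
            {
                int delay = baseDelayMs * (1 << (attempt - 1));   // 1x, 2x, 4x, ...
                await Task.Delay(delay + Random.Shared.Next(delay / 4 + 1));
            }
            catch (Exception) { return false; }   // other failures are not retried
        }
    }
    // Caps concurrent sign operations, like a max degree of parallelism of 4.
    public static async Task<bool[]> SignAllAsync(
        IEnumerable<Func<Task>> jobs, int maxParallel = 4)
    {
        using var gate = new SemaphoreSlim(maxParallel);
        var tasks = jobs.Select(async job =>
        {
            await gate.WaitAsync();
            try { return await SignWithRetryAsync(job, baseDelayMs: 10); }
            finally { gate.Release(); }
        }).ToList();
        return await Task.WhenAll(tasks);
    }
    static async Task Main()
    {
        int calls = 0;   // constructed job: throttled twice, then succeeds
        Func<Task> flaky = () => Interlocked.Increment(ref calls) <= 2
            ? Task.FromException(new VaultThrottledException()) : Task.CompletedTask;
        Func<Task> tsFail = () => Task.FromException(new TimestampFailedException());
        bool[] ok = await SignAllAsync(new[] { flaky, tsFail });
        Console.WriteLine($"vault-throttled job: {ok[0]}, timestamp-failed job: {ok[1]}");
    }
}
```

A retry scoped to one failure class leaves the other untouched, so covering timestamp failures requires their own catch and backoff in addition to the concurrency cap.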