Conversation

@ctron (Contributor) commented May 14, 2025

Open items (not necessarily to be fixed in this PR):

  • Signature validation with Sequoia PGP requires access to the content, which means retrieving it from the storage. This can be costly, so we might want to consider storing the verification result, which would also mean that we need to freeze the trust anchor payload. Something similar may be the case for sigstore.
  • Which information do we want to return from the verification process?
  • Do we want to be able to retrieve failed validations too?
  • PGP signatures are there for securing the transport. With compressed files, they can be the signature of the compressed file, but not of the one we store (uncompressed), leading to an invalid signature.
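The transport-versus-storage problem from the last open item, as an added example that is not part of the PR or of the project's code: HMAC-SHA256 stands in for the OpenPGP detached signature (the real implementation uses Sequoia PGP) and gzip for the transport compression; the key, the sample advisory and the `ingest`/`reverify_from_storage` functions are constructed for illustration. It shows why the result has to be captured at ingest time, before the signed bytes are decompressed and discarded.

```python
import gzip
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key standing in for the signer's PGP key (assumption: the
# verifier cannot run Sequoia, so HMAC plays the role of the detached signature).
SIGNING_KEY = b"constructed-demo-key"


def sign_detached(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def verify_detached(payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_detached(payload), signature)


@dataclass
class StoredDocument:
    content: bytes          # what the storage keeps: the decompressed document
    digest: str             # sha256 of the stored (decompressed) content
    signature_valid: bool   # verification result persisted at ingest time
    trust_anchor: str       # digest of the key the result was computed against;
                            # the result is only meaningful while that anchor is frozen


def ingest(transport_bytes: bytes, signature: bytes, compressed: bool) -> StoredDocument:
    # Verify against the bytes that were actually signed, i.e. the transport
    # payload, before decompressing it. The compressed bytes are not retained.
    valid = verify_detached(transport_bytes, signature)
    content = gzip.decompress(transport_bytes) if compressed else transport_bytes
    return StoredDocument(content, hashlib.sha256(content).hexdigest(), valid,
                          hashlib.sha256(SIGNING_KEY).hexdigest())


def reverify_from_storage(doc: StoredDocument, signature: bytes, mtime: int) -> bool:
    # What a later re-check would have to do: rebuild the compressed file from the
    # stored content. gzip output depends on header fields such as mtime (and on
    # compressor level/version), so the rebuilt bytes generally differ from what was signed.
    return verify_detached(gzip.compress(doc.content, mtime=mtime), signature)


def demo() -> dict:
    advisory = b'{"document": {"title": "constructed CSAF advisory"}}'
    transport = gzip.compress(advisory, mtime=1)   # publisher compresses, then signs
    sig = sign_detached(transport)
    doc = ingest(transport, sig, compressed=True)
    return {
        "ingest_valid": doc.signature_valid,                       # True
        "reverify_same_mtime": reverify_from_storage(doc, sig, 1), # True only by luck
        "reverify_other_mtime": reverify_from_storage(doc, sig, 2),# False
        "uncompressed_valid": verify_detached(doc.content, sig),   # False: wrong bytes
    }
```

Re-verification succeeds only when the compressed file can be reproduced byte-for-byte, which the ingestor cannot guarantee; hence the stored verification result, bound to the trust anchor it was computed against.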

@ctron force-pushed the feature/check_sig_1 branch 6 times, most recently from a604256 to 1c792b5, May 27, 2025 07:11
@ctron changed the title from "feat: store signatures" to "feat: store and verify PGP signatures", May 27, 2025
@ctron force-pushed the feature/check_sig_1 branch from 1c792b5 to c4f5d83, May 27, 2025 07:56
@ctron force-pushed the feature/check_sig_1 branch 3 times, most recently from 25427ac to 8066a3d, June 4, 2025 14:37
@ctron marked this pull request as ready for review, June 4, 2025 14:40
codecov bot commented Jun 5, 2025

Codecov Report

Attention: Patch coverage is 79.72603% with 74 lines in your changes missing coverage. Please review.

Project coverage is 65.78%. Comparing base (ae658b5) to head (cc3e969).

Files with missing lines | Patch % | Lines
modules/importer/src/runner/quay/walker.rs | 0.00% | 6 Missing ⚠️
...mporter/src/runner/clearly_defined_curation/mod.rs | 0.00% | 5 Missing ⚠️
modules/importer/src/runner/csaf/storage.rs | 0.00% | 5 Missing ⚠️
modules/importer/src/runner/cve/mod.rs | 0.00% | 5 Missing ⚠️
modules/importer/src/runner/cwe/walker.rs | 0.00% | 5 Missing ⚠️
modules/importer/src/runner/osv/mod.rs | 0.00% | 5 Missing ⚠️
modules/importer/src/runner/sbom/storage.rs | 0.00% | 5 Missing ⚠️
modules/ingestor/src/service/dataset/mod.rs | 82.14% | 5 Missing ⚠️
common/auth/src/permission.rs | 0.00% | 4 Missing ⚠️
...dules/ingestor/src/service/advisory/csaf/loader.rs | 75.00% | 3 Missing ⚠️
... and 11 more
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1631      +/-   ##
==========================================
+ Coverage   65.25%   65.78%   +0.52%     
==========================================
  Files         358      371      +13     
  Lines       14821    15383     +562     
==========================================
+ Hits         9672    10119     +447     
- Misses       5149     5264     +115     


@ctron force-pushed the feature/check_sig_1 branch from cd7dccc to 1a62930, June 5, 2025 09:44

@ctron (Contributor, Author) commented Jun 5, 2025

/scale-test

github-actions bot commented Jun 5, 2025

🛠️ Scale test has started! Follow the progress here: Workflow Run

github-actions bot commented Jun 5, 2025

Goose Report

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-06-05 10:33:18 25-06-05 10:33:23 00:00:05 0 → 5
Maintaining 25-06-05 10:33:23 25-06-05 10:38:23 00:05:00 5
Decreasing 25-06-05 10:38:23 25-06-05 10:38:24 00:00:01 0 ← 5

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
GET get_advisory_by_doc_id 105 (0) 0 18.16 (+6.58) 4 (+1) 83 (+18) 0.35 (+0.00) 0.00 (+0.00)
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 104 (0) 104 7.84 (-1078.21) 1 (-425) 54 (-2453) 0.35 (+0.00) 0.35 (+0.35)
GET get_sbom_license_ids[0195baea-42e3-7…0e3-4c7874263954] 104 104 1.73 1 9 0.35 0.35
GET list_advisory 106 (+2) 0 2943.04 (+208.52) 1717 (+13) 3893 (+386) 0.35 (+0.01) 0.00 (+0.00)
GET list_advisory_paginated 106 (+1) 0 2947.66 (+402.77) 2003 (+649) 4131 (+454) 0.35 (+0.00) 0.00 (+0.00)
GET list_importer 104 (-2) 0 7.96 (+4.08) 1 (0) 62 (+11) 0.35 (-0.01) 0.00 (+0.00)
GET list_organizations 104 (+1) 0 10.64 (-3.84) 1 (0) 51 (-4) 0.35 (+0.00) 0.00 (+0.00)
GET list_packages 104 (-2) 0 376.54 (+30.10) 148 (+78) 948 (+176) 0.35 (-0.01) 0.00 (+0.00)
GET list_packages_paginated 104 (-2) 0 349.15 (+11.80) 109 (-2) 553 (-217) 0.35 (-0.01) 0.00 (+0.00)
GET list_products 105 (0) 0 12.05 (+1.46) 2 (-1) 76 (+17) 0.35 (+0.00) 0.00 (+0.00)
GET list_sboms 105 (0) 0 718.43 (-568.14) 485 (-205) 969 (-938) 0.35 (+0.00) 0.00 (+0.00)
GET list_sboms_paginated 104 (0) 0 637.80 (-265.46) 413 (+31) 961 (-1119) 0.35 (+0.00) 0.00 (+0.00)
GET list_vulnerabilities 104 (-2) 0 261.87 (+7.13) 87 (+13) 626 (+86) 0.35 (-0.01) 0.00 (+0.00)
GET list_vulnerabilities_paginated 104 (-2) 0 186.28 (-10.22) 41 (+8) 358 (-22) 0.35 (-0.01) 0.00 (+0.00)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 104 (+1) 0 39.66 (-37.28) 13 (-2) 83 (-116) 0.35 (+0.00) 0.00 (+0.00)
GET search_advisory 105 (-1) 0 1834.23 (+666.95) 900 (+492) 2596 (+978) 0.35 (-0.00) 0.00 (+0.00)
GET search_exact_purl 105 (0) 0 9.86 (-3.17) 2 (0) 58 (-12) 0.35 (+0.00) 0.00 (+0.00)
GET search_purls 105 (-3) 0 3965.02 (+672.49) 1618 (+490) 12600 (-2808) 0.35 (-0.01) 0.00 (+0.00)
Aggregated 1882 (+95) 208 801.51 (-41.66) 1 (0) 12600 (-2808) 6.27 (+0.32) 0.69 (+0.69)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
GET get_advisory_by_doc_id 8 (+2) 9 (+1) 12 (+3) 47 (+36) 55 (+38) 57 (+1) 65 (+4) 83 (+18)
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 3 (-997) 4 (-996) 4 (-996) 6 (-994) 23 (-1,977) 49 (-1,951) 54 (-1,946) 54 (-2,453)
GET get_sbom_license_ids[0195baea-42e3-7…0e3-4c7874263954] 1 1 2 2 3 4 9 9
GET list_advisory 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,893 (+893) 3,893 (+893) 3,893 (+386)
GET list_advisory_paginated 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 4,000 (+1,000) 4,000 (+1,000) 4,000 (+1,000) 4,000 (+323)
GET list_importer 3 (+1) 4 (+1) 5 (+2) 6 (+2) 18 (+13) 52 (+44) 55 (+6) 62 (+11)
GET list_organizations 4 (-1) 5 (0) 7 (0) 10 (-32) 40 (-7) 46 (-4) 48 (-6) 51 (-4)
GET list_packages 380 (+50) 390 (+20) 400 (+20) 410 (+20) 460 (+40) 480 (+20) 900 (+400) 900 (+128)
GET list_packages_paginated 360 (+40) 380 (+20) 400 (+20) 410 (+20) 450 (+40) 490 (+70) 500 (0) 553 (-217)
GET list_products 7 (+1) 8 (+2) 9 (+2) 10 (+1) 22 (+2) 56 (+2) 62 (+3) 76 (+17)
GET list_sboms 700 (-300) 700 (-300) 800 (-200) 800 (-200) 900 (-1,007) 900 (-1,007) 969 (-938) 969 (-938)
GET list_sboms_paginated 600 (-200) 700 (-200) 700 (-300) 700 (-300) 800 (-200) 800 (-1,200) 900 (-1,100) 961 (-1,039)
GET list_vulnerabilities 260 (+30) 270 (0) 280 (0) 290 (-10) 370 (+50) 430 (0) 600 (+100) 600 (+100)
GET list_vulnerabilities_paginated 200 (+10) 200 (0) 200 (-10) 210 (-10) 240 (-30) 270 (-10) 280 (-10) 358 (-22)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 29 (-42) 40 (-35) 61 (-19) 67 (-53) 71 (-99) 75 (-105) 78 (-121) 83 (-116)
GET search_advisory 2,000 (+1,000) 2,000 (+1,000) 2,000 (+1,000) 2,000 (+1,000) 2,000 (+1,000) 2,000 (+1,000) 2,596 (+978) 2,596 (+978)
GET search_exact_purl 6 (0) 7 (0) 7 (-1) 8 (-3) 12 (-36) 48 (-6) 57 (-9) 58 (-12)
GET search_purls 2,000 (0) 2,000 (0) 4,000 (+2,000) 8,000 (+5,000) 9,000 (+2,000) 9,000 (-1,000) 11,000 (-3,000) 12,600 (-2,400)
Aggregated 210 (-100) 370 (-130) 600 (-400) 2,000 (0) 3,000 (+1,000) 3,000 (0) 8,000 (+4,000) 12,600 (-2,400)

Status Code Metrics

Method Name Status Codes
GET get_advisory_by_doc_id 105 [200]
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 104 [404]
GET get_sbom_license_ids[0195baea-42e3-7…0e3-4c7874263954] 104 [404]
GET list_advisory 106 [200]
GET list_advisory_paginated 106 [200]
GET list_importer 104 [200]
GET list_organizations 104 [200]
GET list_packages 104 [200]
GET list_packages_paginated 104 [200]
GET list_products 105 [200]
GET list_sboms 105 [200]
GET list_sboms_paginated 104 [200]
GET list_vulnerabilities 104 [200]
GET list_vulnerabilities_paginated 104 [200]
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 104 [200]
GET search_advisory 105 [200]
GET search_exact_purl 105 [200]
GET search_purls 105 [200]
Aggregated 1,674 [200], 208 [404]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 104 (+1) 0 (0) 12.73 (-1.45) 7 (0) 20 (-6) 0.35 (+0.00) 0.00 (+0.00)
1.1 list_organizations 104 (+1) 0 (0) 10.79 (-3.91) 1 (0) 51 (-4) 0.35 (+0.00) 0.00 (+0.00)
1.2 list_advisory 106 (+2) 0 (0) 2943.08 (+208.50) 1717 (+13) 3895 (+388) 0.35 (+0.01) 0.00 (+0.00)
1.3 list_advisory_paginated 106 (+1) 0 (0) 2947.81 (+402.86) 2003 (+649) 4131 (+454) 0.35 (+0.00) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 105 (0) 0 (0) 18.25 (+6.62) 4 (+1) 83 (+18) 0.35 (+0.00) 0.00 (+0.00)
1.5 search_advisory 105 (-1) 0 (0) 1834.24 (+666.82) 900 (+492) 2596 (+978) 0.35 (-0.00) 0.00 (+0.00)
1.6 list_vulnerabilities 104 (-2) 0 (0) 261.96 (+7.13) 87 (+13) 626 (+86) 0.35 (-0.01) 0.00 (+0.00)
1.7 list_vulnerabilities_paginated 104 (-2) 0 (0) 186.36 (-10.21) 41 (+8) 358 (-22) 0.35 (-0.01) 0.00 (+0.00)
1.8 list_importer 104 (-2) 0 (0) 8.03 (+4.12) 1 (0) 62 (+11) 0.35 (-0.01) 0.00 (+0.00)
1.9 list_packages 104 (-2) 0 (0) 376.58 (+30.07) 148 (+78) 948 (+176) 0.35 (-0.01) 0.00 (+0.00)
1.10 list_packages_paginated 104 (-2) 0 (0) 349.17 (+11.74) 109 (-2) 553 (-217) 0.35 (-0.01) 0.00 (+0.00)
1.11 search_purls 105 (-3) 0 (0) 3965.10 (+672.52) 1618 (+489) 12600 (-2808) 0.35 (-0.01) 0.00 (+0.00)
1.12 search_exact_purl 105 (0) 0 (0) 9.88 (-3.23) 2 (0) 58 (-12) 0.35 (+0.00) 0.00 (+0.00)
1.13 list_products 105 (0) 0 (0) 12.11 (+1.46) 3 (0) 76 (+17) 0.35 (+0.00) 0.00 (+0.00)
1.14 list_sboms 105 (0) 0 (0) 718.47 (-568.19) 485 (-205) 970 (-937) 0.35 (+0.00) 0.00 (+0.00)
1.15 list_sboms_paginated 104 (0) 0 (0) 637.88 (-265.43) 413 (+31) 961 (-1119) 0.35 (+0.00) 0.00 (+0.00)
1.16 get_sbom[sha256:f293eb89…6720f692ec5f3081] 104 (0) 0 (0) 7.86 (-1078.25) 1 (-425) 54 (-2453) 0.35 (+0.00) 0.00 (+0.00)
1.17 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 104 (+1) 0 (0) 39.71 (-37.36) 13 (-2) 83 (-116) 0.35 (+0.00) 0.00 (+0.00)
1.18 get_sbom_license_ids[0195baea-42e3-7…0e3-4c7874263954] 104 0 1.79 1 10 0.35 0.00
Aggregated 1986 (+96) 0 (0) 759.54 (-37.68) 1 (0) 12600 (-2808) 6.62 (+0.32) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (0) 104 (+1) 14283.64 (+44.49) 11658 (+50) 19353 (-2952) 0.35 (+0.00) 20.80 (+0.20)
Aggregated 5 (0) 104 (+1) 14283.64 (+44.49) 11658 (+50) 19353 (-2952) 0.35 (+0.00) 20.80 (+0.20)

Error Metrics

Method Name # Error
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 104 404 Not Found: get_sbom[sha256:f293eb89…6720f692ec5f3081]
GET get_sbom_license_ids[0195baea-42e3-7…0e3-4c7874263954] 104 404 Not Found: get_sbom_license_ids[0195baea-42e3-7…0e3-4c7874263954]

📄 Full Report (Go to "Artifacts" and download report)

@ctron force-pushed the feature/check_sig_1 branch from 1a62930 to cc3e969, July 7, 2025 08:54