containers / image

Work with containers' images
Apache License 2.0

Speed up signature verification in policy evaluation #811

Open mtrmac opened 8 years ago

mtrmac commented 8 years ago

After policy evaluation is merged (but filing now as a reminder to myself), signature verification in policy evaluation, with its temporary directory creation, will take about a second per case. Both general performance and test suite interactivity would greatly benefit from speeding this up.

At the very least we can reuse the temporary directories across all verifications with a single policy; that’s why PolicyContext exists in the first place. Also look into speeding up the verification as such, there might be a cheap optimization somewhere.

mtrmac commented 7 years ago

Most of the delay seems to come from gnupg’s common/asshelp.c:start_new_gpg_agent, which creates a new gpg-agent process and then waits a whole second before trying to connect to the agent.

Filed https://bugzilla.redhat.com/show_bug.cgi?id=1431749 .

Creating the ephemeral GPG mechanisms once per PolicyContext instead of once per verification would still help.

rhatdan commented 5 years ago

@mtrmac @vrothberg Since this bugzilla was closed a while ago, can we close this issue?

vrothberg commented 5 years ago

I'll take the shot and close.

mtrmac commented 5 years ago

That bug fix helps only on Fedora distributions; it still has not been merged upstream, so e.g. Mac users are still slowed down.

And while that does help a lot, we still potentially do a lot of redundant work (including spawning gnupg* subprocesses), so keeping state over the lifetime of the PolicyContext still should be done.

https://github.com/mtrmac/image/tree/signature-caching is a very rough start of implementing this.

mtrmac commented 2 months ago

The time to launch gpg-agent has been improved upstream now ( https://dev.gnupg.org/T3490 ).

The signature-caching branch linked above would still avoid some of the redundant work.
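Added illustration of the reuse the thread argues for (this is not code from containers/image, from the linked branch, or from any commenter): a hypothetical PolicyContext that builds a verification mechanism once per distinct key blob and keeps it until Destroy, contrasted with building a fresh one per signature. It substitutes ed25519 from the Go standard library for GPG so it runs offline; Mechanism, newMechanism, constructions and Demo are invented names, and the signed payloads are constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
)

// Mechanism stands in for an ephemeral GPG signing mechanism: expensive to set up
// (a temporary GPG home directory plus, on many systems, a spawned gpg-agent),
// cheap to use afterwards. Hypothetical type using ed25519 instead of GPG.
type Mechanism struct {
	keys map[[32]byte]ed25519.PublicKey // keyed by SHA-256 of the raw public key
}

// constructions counts how many mechanisms were built, so caching is observable.
var constructions int

// newMechanism "imports" a blob of concatenated raw ed25519 public keys
// (32 bytes each); analogue of creating the ephemeral GPG mechanism.
func newMechanism(keyBlob []byte) (*Mechanism, error) {
	if len(keyBlob) == 0 || len(keyBlob)%ed25519.PublicKeySize != 0 {
		return nil, errors.New("malformed key blob")
	}
	constructions++
	m := &Mechanism{keys: map[[32]byte]ed25519.PublicKey{}}
	for i := 0; i < len(keyBlob); i += ed25519.PublicKeySize {
		pk := ed25519.PublicKey(keyBlob[i : i+ed25519.PublicKeySize])
		m.keys[sha256.Sum256(pk)] = pk
	}
	return m, nil
}

// Verify checks sig over payload with the key identified by keyID.
func (m *Mechanism) Verify(keyID [32]byte, payload, sig []byte) error {
	pk, ok := m.keys[keyID]
	if !ok {
		return errors.New("signature made by a key not in the keyring")
	}
	if !ed25519.Verify(pk, payload, sig) {
		return errors.New("invalid signature")
	}
	return nil
}

// PolicyContext keeps one Mechanism per distinct key blob for its whole lifetime.
type PolicyContext struct {
	mu         sync.Mutex
	mechanisms map[[32]byte]*Mechanism
	destroyed  bool
}

func NewPolicyContext() *PolicyContext {
	return &PolicyContext{mechanisms: map[[32]byte]*Mechanism{}}
}

// mechanismFor returns the cached Mechanism for keyBlob, building it on first use.
func (pc *PolicyContext) mechanismFor(keyBlob []byte) (*Mechanism, error) {
	pc.mu.Lock()
	defer pc.mu.Unlock()
	if pc.destroyed {
		return nil, errors.New("PolicyContext already destroyed")
	}
	id := sha256.Sum256(keyBlob)
	if m, ok := pc.mechanisms[id]; ok {
		return m, nil
	}
	m, err := newMechanism(keyBlob)
	if err != nil {
		return nil, err
	}
	pc.mechanisms[id] = m
	return m, nil
}

// VerifySignature is what a policy requirement would call once per signature.
func (pc *PolicyContext) VerifySignature(keyBlob []byte, keyID [32]byte, payload, sig []byte) error {
	m, err := pc.mechanismFor(keyBlob)
	if err != nil {
		return err
	}
	return m.Verify(keyID, payload, sig)
}

// Destroy drops every cached Mechanism; the real thing would remove the temp
// directories and stop the agents here, once, instead of after every signature.
func (pc *PolicyContext) Destroy() {
	pc.mu.Lock()
	defer pc.mu.Unlock()
	pc.mechanisms = nil
	pc.destroyed = true
}

// Demo verifies n signatures from one signer, either through a single
// PolicyContext (reuse=true) or with a fresh Mechanism per verification
// (reuse=false), then checks that a tampered payload is still rejected.
// It returns how many mechanisms were built and how many signatures verified.
func Demo(n int, reuse bool) (constructed, verified int, err error) {
	constructions = 0
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	keyID := sha256.Sum256(pub)
	pc := NewPolicyContext()
	defer pc.Destroy()
	verify := func(payload, sig []byte) error {
		if reuse {
			return pc.VerifySignature(pub, keyID, payload, sig)
		}
		m, err := newMechanism(pub) // the per-verification setup the issue complains about
		if err != nil {
			return err
		}
		return m.Verify(keyID, payload, sig)
	}
	for i := 0; i < n; i++ {
		payload := []byte(fmt.Sprintf("constructed manifest %d", i)) // constructed sample input
		sig := ed25519.Sign(priv, payload)
		if err = verify(payload, sig); err != nil {
			return constructions, verified, err
		}
		verified++
	}
	payload := []byte("constructed manifest")
	sig := ed25519.Sign(priv, payload)
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0x01
	if verify(tampered, sig) == nil {
		return constructions, verified, errors.New("tampered payload accepted")
	}
	return constructions, verified, nil
}

func main() {
	c, v, err := Demo(5, true)
	fmt.Println("one PolicyContext:", c, "mechanism(s) for", v, "signatures, err:", err)
	c, v, err = Demo(5, false)
	fmt.Println("fresh per verification:", c, "mechanism(s) for", v, "signatures, err:", err)
}
```

With reuse the context builds one mechanism however many signatures it checks; without it the count grows with every verification (plus one for the tampered check), which is the redundant work the thread wants to avoid. The cache is keyed by a hash of the key blob rather than by pointer so that two requirements carrying identical key material share one mechanism, and a destroyed context refuses further verification instead of silently rebuilding state.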