Closed rvadim closed 3 years ago
Interesting, I wasn't aware of the request limit. I can add a cache in GoogleCloudSigningService
, but that won't work for repeated calls from the command line. Out of curiosity, how many files are you signing usually?
I've made a couple of changes that should improve the situation:
jsign [OPTIONS] file1.exe file2.exe ...
)So if you sign n files this results in two requests to fetch the private key + n signing requests (instead of 3*n requests previously).
Out of curiosity, how many files are you signing usually?
More then 100k per month ( Near 1000 files per pipeline, few piplines per day.
I've made a couple of changes that should improve the situation:
Wow! Thank you for such fast response. It's good feature actually. I will think how to use it in our pipelines)
More then 100k per month ( Near 1000 files per pipeline, few piplines per day.
Impressive, you could consider buying your own HSM at this point ;)
I've added another tweak, you can now append the key algorithm to the key alias (only if the version is specified), this saves one more request: --alias mykey/cryptoKeyVersions/2:ECDSA
There is still one extra request to fetch all the keys available that could be removed.
The request to get all the keys has been removed, there is now only one request per file signed.
I'd still recommend signing multiple files with a single invocation of jsign from the command line, it should be slightly faster.
Impressive, you could consider buying your own HSM at this point ;)
Yes) We are thinking about it, but for now we will use Cloud HSM for a reason.
I've added another tweak, you can now append the key algorithm to the key alias (only if the version is specified), this saves one more request: --alias mykey/cryptoKeyVersions/2:ECDSA
The request to get all the keys has been removed, there is now only one request per file signed. I'd still recommend signing multiple files with a single invocation of jsign from the command line, it should be slightly faster.
You have greatly accelerated our work! Thank you very much. We will do performance testing and I will share the results here.
2 peaks:
We don't have reads at all! Now we are limited only by the number of cryptographic operations per region. I will also try to use bulk signing.
Thank you again :+1:
Nice! Thank you for torturing testing Jsign thoroughly.
STR:
Expected result: Binary signed
Actual result:
So, each run of jsign makes 2 reading and 1 crypto operation. But default quotas are:
Also jsign require a lot of permissions for one signing For key:
For keyring:
Actually only one permission required
cloudkms.cryptoKeyVersions.useToSign
and only 2 parameters to run key.id (example:projects/<project id>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key name>/cryptoKeyVersions/<version>
and algorithm (example: RSA).I have 2 suggestions:
I will try to implement second.