From 4ce47868f6bf4f13e9d086ea3317fe5a180064bf Mon Sep 17 00:00:00 2001 From: Qi Wang Date: Mon, 27 Oct 2025 19:43:33 -0400 Subject: [PATCH] Updated the `isSignatureAuthorAccepted` to use timeout to prevent indefinite hanging. This mitigates the impact of bug OCPBUGS-57893 where CRI-O image pulls with signature verification would hang indefinitely. Signed-off-by: Qi Wang --- signature/policy_eval_signedby.go | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/signature/policy_eval_signedby.go b/signature/policy_eval_signedby.go index 18124a613..a23646143 100644 --- a/signature/policy_eval_signedby.go +++ b/signature/policy_eval_signedby.go @@ -6,6 +6,7 @@ import ( "context" "errors" "fmt" + "time" "github.com/containers/image/v5/internal/multierr" "github.com/containers/image/v5/internal/private" @@ -40,7 +41,8 @@ func (pr *prSignedBy) isSignatureAuthorAccepted(ctx context.Context, image priva } // FIXME: move this to per-context initialization - mech, trustedIdentities, err := newEphemeralGPGSigningMechanism(data) + // Import the keys with a 60s timeout to avoid hanging indefinitely. see issues.redhat.com/browse/OCPBUGS-57893 + mech, trustedIdentities, err := newEphemeralGPGSigningMechanismWithTimeout(data, 60*time.Second) if err != nil { return sarRejected, nil, err } @@ -114,3 +116,24 @@ func (pr *prSignedBy) isRunningImageAllowed(ctx context.Context, image private.U } return false, summary } + +func newEphemeralGPGSigningMechanismWithTimeout(blobs [][]byte, timeout time.Duration) (signingMechanismWithPassphrase, []string, error) { + type result struct { + mech signingMechanismWithPassphrase + keys []string + err error + } + done := make(chan result, 1) + + go func() { + mech, keys, err := newEphemeralGPGSigningMechanism(blobs) + done <- result{mech, keys, err} + }() + + select { + case <-time.After(timeout): + return nil, nil, fmt.Errorf("GPG/OpenPGP key import timed out after %s", timeout) + case r := <-done: + return r.mech, r.keys, r.err + } +}