Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
A lot of reading of Google Cloud KMS keyrings and keys during signing
See original GitHub issueSTR:
- Generate asymmetric key and CA
gcloud kms keyrings create test --location <region>```
gcloud kms keys create my-key --keyring test --location <region> --purpose "asymmetric-signing" --default-algorithm "rsa-sign-pkcs1-2048-sha256"
openssl genrsa -out ca.key 2048
- Create CSR and Certificate
git clone https://github.com/mattes/google-cloud-kms-csr
cd google-cloud-kms-csr
go build -o csr
./csr -key $(gcloud kms keys versions list --key my-key --keyring test --location=<region>) -out my.csr --common-name MyOrg
openssl -req -in my.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out my.crt
- Run jsign
for i in {1..1000}; do
jsign --storetype GOOGLECLOUD
--storepass "$(gcloud auth print-access-token)"
--keystore "projects/<project>/locations/<location>/keyRings/test"
--alias "my-key"
--certfile my.crt
my.exe
done
Expected result: Binary signed
Actual result:
java.io.IOException: 429 - RESOURCE_EXHAUSTED: Quota exceeded for quota metric 'Read requests' and limit 'Read requests per minute' of service 'cloudkms.googleapis.com' for consumer 'project_number:<project-id>
So, each run of jsign makes 2 reading and 1 crypto operation. But default quotas are:
- Cryptographic requests per minute: 60,000
- Read requests per minute: 300
Also jsign require a lot of permissions for one signing For key:
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeyVersions.useToSign
cloudkms.locations.get
cloudkms.locations.list
resourcemanager.projects.get
For keyring:
cloudkms.cryptoKeys.list
Actually only one permission required cloudkms.cryptoKeyVersions.useToSign and only 2 parameters to run key.id (example: projects/<project id>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key name>/cryptoKeyVersions/<version> and algorithm (example: RSA).
I have 2 suggestions:
- Cache keys list and keys versions list between runs of jsign
- Add ability to specify only key.id and algorithm
I will try to implement second.
Issue Analytics
- State:
- Created 2 years ago
- Comments:8 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
The request to get all the keys has been removed, there is now only one request per file signed.
I’d still recommend signing multiple files with a single invocation of jsign from the command line, it should be slightly faster.
Nice! Thank you for
torturingtesting Jsign thoroughly.