fix(supervisor): stop signature-failure log storm (dedup + backoff + quarantine)#32
Merged
Merged
Conversation
…ailure When a catalogue app's manifest failed ed25519 signature (or trust-anchor) verification, scanInstalled logged "signature verification failed" and skipped the app. Because a skipped app is never registered in the installed map, the rescan ticker re-examined and re-logged it on every cycle — a ~2s hot loop that produced hundreds of thousands of identical log lines (683k observed in a local daemon.log). Add signature-failure state keyed by (install dir, manifest content hash): - Log the failure at most ONCE per manifest hash. An identical failure on the next rescan tick is silent; a NEW/changed manifest (different hash) re-attempts and re-logs. - Apply capped exponential backoff (2s → doubling → 5m) between re-verifications instead of re-checking every tick. - Quarantine after 5 consecutive same-hash failures: retried only on the slow backoff tier. The supervisor is never crashed — the bad app is merely isolated. - A later success clears the state (recovery), so a re-install or a fixed manifest is picked up cleanly and a future transient failure re-logs. Both catalogue failure modes (VerifySignature and VerifyTrustAnchor) are routed through the same throttling path. Adds zz5_sigstorm_test.go reproducing the storm and asserting: a repeatedly-failing manifest is logged exactly once across 200 rescans, backoff grows, the app is quarantined, a changed hash re-logs, recovery clears state, and the trust-anchor failure mode is throttled too. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
TeoSlayer
enabled auto-merge (squash)
July 13, 2026 12:51
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When a catalogue app's manifest failed ed25519 signature (or trust-anchor) verification,
scanInstalledloggedsignature verification failedand skipped the app. A skipped app is never registered in the installed map, so the rescan ticker re-examined and re-logged it on every cycle — a ~2s hot loop that produced hundreds of thousands of identical log lines (683k observed in a localdaemon.log). No backoff, no dedup, no quarantine.Fix
Track signature-failure state keyed by
(install dir, manifest content hash):2s → doubling → 5m) between re-verifications instead of re-checking every tick.Both catalogue failure modes (
VerifySignatureandVerifyTrustAnchor) route through the same throttling path.Test
plugin/appstore/zz5_sigstorm_test.goreproduces the storm and asserts:go build ./...,go test ./..., andgo test -race ./plugin/appstore/all pass.🤖 Generated with Claude Code