new file mode 100644

@@ -0,0 +1,41 @@

+package identitycache

+

+import (

+	"context"

+	"time"

+

+	imagetypes "github.com/moby/moby/api/types/image"

+)

+

+// Entry contains a persisted image signature cache record.

+type Entry struct {

+	CachedAt  time.Time

+	ExpiresAt time.Time

+	Signature *imagetypes.SignatureIdentity

+}

+

+// Backend is a persistent storage backend for image signature cache entries.

+type Backend interface {

+	Load(ctx context.Context, cacheKey string, now time.Time) (Entry, bool, error)

+	Store(ctx context.Context, cacheKey string, entry Entry, now time.Time) error

+	Close() error

+}

+

+type nopBackend struct{}

+

+// NewNopBackend returns a backend that never persists or returns entries.

+func NewNopBackend() Backend {

+	return nopBackend{}

+}

+

+func (nopBackend) Load(context.Context, string, time.Time) (Entry, bool, error) {

+	return Entry{}, false, nil

+}

+

+func (nopBackend) Store(context.Context, string, Entry, time.Time) error {

+	return nil

+}

+

+func (nopBackend) Close() error {

+	return nil

+}

new file mode 100644

@@ -0,0 +1,180 @@

+package identitycache

+

+import (

+	"context"

+	"crypto/rand"

+	"encoding/json"

+	"math/big"

+	"os"

+	"path/filepath"

+	"sync"

+	"time"

+

+	boltdb "github.com/moby/buildkit/util/db"

+	"github.com/moby/buildkit/util/db/boltutil"

+	bolt "go.etcd.io/bbolt"

+)

+

+var bboltCacheBucket = []byte("image-identity-cache-v1")

+

+const (

+	// 15m matches the shortest cache TTL (imageIdentityErrorCacheTTL), so

+	// prune won't lag far behind shortest-lived entries.

+	pruneIntervalMin    = 15 * time.Minute

+	pruneIntervalSpread = 15 * time.Minute

+)

+

+type boltBackend struct {

+	db        boltdb.DB

+	closeOnce sync.Once

+	closeErr  error

+	stopPrune chan struct{}

+	pruneDone chan struct{}

+}

+

+// NewBoltDBBackend creates a bbolt-backed persistent cache backend.

+func NewBoltDBBackend(root string) (Backend, error) {

+	if root == "" {

+		return NewNopBackend(), nil

+	}

+	cacheDir := filepath.Join(root, "image")

+	if err := os.MkdirAll(cacheDir, 0o700); err != nil {

+		return nil, err

+	}

+	db, err := boltutil.SafeOpen(filepath.Join(cacheDir, "identity-cache.db"), 0o600, nil)

+	if err != nil {

+		return nil, err

+	}

+	b := &boltBackend{db: db}

+	if err := b.db.Update(func(tx *bolt.Tx) error {

+		_, err := tx.CreateBucketIfNotExists(bboltCacheBucket)

+		return err

+	}); err != nil {

+		_ = db.Close()

+		return nil, err

+	}

+	b.startPrune()

+	return b, nil

+}

+

+func (b *boltBackend) Load(_ context.Context, cacheKey string, now time.Time) (Entry, bool, error) {

+	var (

+		entry   Entry

+		payload []byte

+	)

+	err := b.db.View(func(tx *bolt.Tx) error {

+		bucket := tx.Bucket(bboltCacheBucket)

+		if bucket == nil {

+			return nil

+		}

+		value := bucket.Get([]byte(cacheKey))

+		if value == nil {

+			return nil

+		}

+		payload = append([]byte(nil), value...)

+		return nil

+	})

+	if err != nil {

+		return Entry{}, false, err

+	}

+	if len(payload) == 0 {

+		return Entry{}, false, nil

+	}

+	if err := json.Unmarshal(payload, &entry); err != nil {

+		_ = b.delete(cacheKey)

+		return Entry{}, false, nil

+	}

+	if now.After(entry.ExpiresAt) {

+		if err := b.delete(cacheKey); err != nil {

+			return Entry{}, false, err

+		}

+		return Entry{}, false, nil

+	}

+	return entry, true, nil

+}

+

+func (b *boltBackend) Store(_ context.Context, cacheKey string, entry Entry, _ time.Time) error {

+	payload, err := json.Marshal(entry)

+	if err != nil {

+		return err

+	}

+	return b.db.Update(func(tx *bolt.Tx) error {

+		bucket, err := tx.CreateBucketIfNotExists(bboltCacheBucket)

+		if err != nil {

+			return err

+		}

+		return bucket.Put([]byte(cacheKey), payload)

+	})

+}

+

+func (b *boltBackend) Close() error {

+	if b == nil || b.db == nil {

+		return nil

+	}

+	b.closeOnce.Do(func() {

+		if b.stopPrune != nil {

+			close(b.stopPrune)

+		}

+		if b.pruneDone != nil {

+			<-b.pruneDone

+		}

+		b.closeErr = b.db.Close()

+	})

+	return b.closeErr

+}

+

+func (b *boltBackend) delete(cacheKey string) error {

+	return b.db.Update(func(tx *bolt.Tx) error {

+		bucket := tx.Bucket(bboltCacheBucket)

+		if bucket == nil {

+			return nil

+		}

+		return bucket.Delete([]byte(cacheKey))

+	})

+}

+

+func (b *boltBackend) startPrune() {

+	b.stopPrune = make(chan struct{})

+	b.pruneDone = make(chan struct{})

+	go func() {

+		defer close(b.pruneDone)

+		timer := time.NewTimer(nextPruneDelay())

+		defer timer.Stop()

+		for {

+			select {

+			case <-b.stopPrune:

+				return

+			case <-timer.C:

+				_ = b.pruneExpiredEntries(time.Now().UTC())

+				timer.Reset(nextPruneDelay())

+			}

+		}

+	}()

+}

+

+func nextPruneDelay() time.Duration {

+	n, err := rand.Int(rand.Reader, big.NewInt(int64(pruneIntervalSpread)))

+	if err != nil {

+		return pruneIntervalMin

+	}

+	return pruneIntervalMin + time.Duration(n.Int64())

+}

+

+func (b *boltBackend) pruneExpiredEntries(now time.Time) error {

+	return b.db.Update(func(tx *bolt.Tx) error {

+		bucket := tx.Bucket(bboltCacheBucket)

+		if bucket == nil {

+			return nil

+		}

+		cursor := bucket.Cursor()

+		for key, value := cursor.First(); key != nil; key, value = cursor.Next() {

+			var entry Entry

+			if err := json.Unmarshal(value, &entry); err != nil || now.After(entry.ExpiresAt) {

+				if err := cursor.Delete(); err != nil {

+					return err

+				}

+			}

+		}

+		return nil

+	})

+}

@@ -4,34 +4,121 @@ import (

 	"cmp"

 	"context"

 	"encoding/json"

+	"net"

+	"net/url"

 	"slices"

 	"strings"

+	"sync"

 	"time"

 	"github.com/containerd/containerd/v2/core/content"

+	c8dimages "github.com/containerd/containerd/v2/core/images"

 	"github.com/containerd/containerd/v2/core/remotes"

 	"github.com/containerd/containerd/v2/pkg/labels"

 	"github.com/containerd/log"

+	"github.com/containerd/platforms"

 	"github.com/distribution/reference"

 	imagetypes "github.com/moby/moby/api/types/image"

+	"github.com/moby/moby/v2/daemon/containerd/identitycache"

 	"github.com/moby/moby/v2/daemon/internal/builder-next/exporter"

 	policyimage "github.com/moby/policy-helpers/image"

 	policytypes "github.com/moby/policy-helpers/types"

 	"github.com/opencontainers/go-digest"

 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

 	"github.com/pkg/errors"

+	"golang.org/x/sync/singleflight"

 )

+const (

+	imageIdentityCacheTTL      = 48 * time.Hour

+	imageIdentityErrorCacheTTL = 15 * time.Minute

+	imageIdentityWarmupTimeout = 2 * time.Minute

+)

+

+type imageIdentityCacheEntry = identitycache.Entry

+

+type imageIdentityState struct {

+	flight     singleflight.Group

+	cacheMu    sync.Mutex

+	cache      map[string]imageIdentityCacheEntry

+	cacheStore identitycache.Backend

+}

+

 func (i *ImageService) imageIdentity(ctx context.Context, desc ocispec.Descriptor, multi *multiPlatformSummary) (*imagetypes.Identity, error) {

+	return i.imageIdentityWithCachePolicy(ctx, desc, multi, true)

+}

+

+func (i *ImageService) imageIdentityFromCache(ctx context.Context, desc ocispec.Descriptor, multi *multiPlatformSummary) (*imagetypes.Identity, error) {

+	return i.imageIdentityWithCachePolicy(ctx, desc, multi, false)

+}

+

+func (i *ImageService) imageIdentityWithCachePolicy(ctx context.Context, desc ocispec.Descriptor, multi *multiPlatformSummary, computeOnCacheMiss bool) (*imagetypes.Identity, error) {

 	info, err := i.content.Info(ctx, desc.Digest)

 	if err != nil {

 		return nil, err

 	}

-	identity := &imagetypes.Identity{}

+	identity := imageIdentityFromLabels(ctx, info.Labels)

+	bestDigest, bestPlatform := imageIdentityBestMatch(multi)

+	cacheKey := imageIdentityCacheKey(desc.Digest.String(), bestDigest, bestPlatform)

+	signature, ok, err := i.imageSignatureIdentityFromCache(ctx, cacheKey)

+	if err != nil {

+		log.G(ctx).WithError(err).WithField("image", desc.Digest).Debug("failed to load image identity cache entry")

+	}

+	if !ok && computeOnCacheMiss {

+		v, err, _ := i.identity.flight.Do(cacheKey, func() (any, error) {

+			if cached, ok, err := i.imageSignatureIdentityFromCache(ctx, cacheKey); err == nil && ok {

+				return cached, nil

+			} else if err != nil {

+				log.G(ctx).WithError(err).WithField("image", desc.Digest).Debug("failed to refresh image identity cache entry")

+			}

+

+			computedSignature, hasTransientVerificationError := i.computeSignatureIdentity(ctx, desc, multi)

+			ttl := imageIdentityCacheTTL

+			if hasTransientVerificationError {

+				// signature verification errors can be temporary (e.g. no network),

+				// so cache these for a shorter period

+				ttl = imageIdentityErrorCacheTTL

+			}

+			if err := i.updateImageIdentityCache(ctx, cacheKey, computedSignature, ttl); err != nil {

+				log.G(ctx).WithError(err).WithField("image", desc.Digest).Debug("failed to update image identity cache entry")

+			}

+

+			return computedSignature, nil

+		})

+		if err != nil {

+			return nil, err

+		}

+		cachedSignature, ok := v.(*imagetypes.SignatureIdentity)

+		if !ok {

+			return nil, errors.Errorf("unexpected cached signature identity type %T", v)

+		}

+		signature = cachedSignature

+	}

+

+	if signature != nil {

+		identity.Signature = append(identity.Signature, *signature)

+	}

+

+	if len(identity.Build) == 0 && len(identity.Pull) == 0 && len(identity.Signature) == 0 {

+		return nil, nil

+	}

+

+	return identity, nil

+}

+

+func imageIdentityBestMatch(multi *multiPlatformSummary) (bestDigest string, bestPlatform string) {

+	if multi == nil || multi.Best == nil {

+		return "", ""

+	}

+	return multi.Best.Target().Digest.String(), platforms.FormatAll(multi.BestPlatform)

+}

+

+func imageIdentityFromLabels(ctx context.Context, labelsByDigest map[string]string) *imagetypes.Identity {

+	identity := &imagetypes.Identity{}

 	seenRepos := make(map[string]struct{})

-	for k, v := range info.Labels {

+	for k, v := range labelsByDigest {

 		if ref, ok := strings.CutPrefix(k, exporter.BuildRefLabel); ok {

 			var val exporter.BuildRefLabelValue

 			if err := json.Unmarshal([]byte(v), &val); err == nil {

@@ -64,26 +151,185 @@ func (i *ImageService) imageIdentity(ctx context.Context, desc ocispec.Descripto

 		}

 	}

-	if multi.Best != nil {

-		si, err := i.signatureIdentity(ctx, desc, multi.Best, multi.BestPlatform)

-		if err != nil {

-			log.G(ctx).WithError(err).Error("failed to validate image signature")

+	slices.SortFunc(identity.Build, func(a, b imagetypes.BuildIdentity) int {

+		return cmp.Compare(a.Ref, b.Ref)

+	})

+

+	return identity

+}

+

+func (i *ImageService) computeSignatureIdentity(ctx context.Context, desc ocispec.Descriptor, multi *multiPlatformSummary) (*imagetypes.SignatureIdentity, bool) {

+	if multi == nil || multi.Best == nil {

+		return nil, false

+	}

+

+	signatureIdentity, err := i.signatureIdentity(ctx, desc, multi.Best, multi.BestPlatform)

+	if err != nil {

+		log.G(ctx).WithError(err).Error("failed to validate image signature")

+		return nil, signatureVerificationErrorIsTransient(err)

+	}

+

+	// verification errors are represented as a payload field. Treat only

+	// network-like errors as transient so deterministic verification failures

+	// remain cached with the normal TTL

+	hasTransientVerificationError := signatureIdentity != nil && signatureVerificationMessageIsTransient(signatureIdentity.Error)

+	return signatureIdentity, hasTransientVerificationError

+}

+

+func signatureVerificationErrorIsTransient(err error) bool {

+	if err == nil {

+		return false

+	}

+	if errors.Is(err, context.DeadlineExceeded) || errors.Is(err, context.Canceled) {

+		return true

+	}

+

+	var netErr net.Error

+	if errors.As(err, &netErr) {

+		if netErr.Timeout() {

+			return true

 		}

-		if si != nil {

-			identity.Signature = append(identity.Signature, *si)

+	}

+

+	var dnsErr *net.DNSError

+	if errors.As(err, &dnsErr) {

+		return true

+	}

+

+	var urlErr *url.Error

+	if errors.As(err, &urlErr) {

+		return signatureVerificationErrorIsTransient(urlErr.Err)

+	}

+

+	return signatureVerificationMessageIsTransient(err.Error())

+}

+

+func signatureVerificationMessageIsTransient(msg string) bool {

+	msg = strings.ToLower(msg)

+	// TODO: replace message-based transient detection with structured error

+	//  classification from policy-helpers / signature verification (e.g. typed

+	//  retryable errors), so cache TTL decisions do not depend on string

+	//  matching.

+	for _, transient := range []string{

+		"context deadline exceeded",

+		"i/o timeout",

+		"tls handshake timeout",

+		"no such host",

+		"temporary failure in name resolution",

+		"connection refused",

+		"connection reset by peer",

+		"network is unreachable",

+		"dial tcp",

+	} {

+		if strings.Contains(msg, transient) {

+			return true

 		}

 	}

+	return false

+}

-	// return nil if there is no identity information

-	if len(identity.Build) == 0 && len(identity.Pull) == 0 && len(identity.Signature) == 0 {

-		return nil, nil

+func imageIdentityCacheKey(imageDigest, bestDigest, bestPlatform string) string {

+	return strings.Join([]string{imageDigest, bestDigest, bestPlatform}, "|")

+}

+

+func (i *ImageService) imageSignatureIdentityFromCache(ctx context.Context, cacheKey string) (*imagetypes.SignatureIdentity, bool, error) {

+	now := time.Now()

+

+	i.identity.cacheMu.Lock()

+	if cached, ok := i.identity.cache[cacheKey]; ok {

+		if now.After(cached.ExpiresAt) {

+			delete(i.identity.cache, cacheKey)

+		} else {

+			i.identity.cacheMu.Unlock()

+			return cloneSignatureIdentity(cached.Signature), true, nil

+		}

 	}

+	i.identity.cacheMu.Unlock()

-	slices.SortFunc(identity.Build, func(a, b imagetypes.BuildIdentity) int {

-		return cmp.Compare(a.Ref, b.Ref)

-	})

+	if i.identity.cacheStore == nil {

+		return nil, false, nil

+	}

+	cached, ok, err := i.identity.cacheStore.Load(ctx, cacheKey, now)

+	if err != nil {

+		return nil, false, err

+	}

+	if !ok {

+		return nil, false, nil

+	}

-	return identity, nil

+	i.identity.cacheMu.Lock()

+	if i.identity.cache == nil {

+		i.identity.cache = map[string]imageIdentityCacheEntry{}

+	}

+	i.identity.cache[cacheKey] = cached

+	i.identity.cacheMu.Unlock()

+	return cloneSignatureIdentity(cached.Signature), true, nil

+}

+

+func (i *ImageService) updateImageIdentityCache(ctx context.Context, cacheKey string, signature *imagetypes.SignatureIdentity, ttl time.Duration) error {

+	if ttl <= 0 {

+		return nil

+	}

+

+	now := time.Now()

+	entry := imageIdentityCacheEntry{

+		CachedAt:  now,

+		ExpiresAt: now.Add(ttl),

+		Signature: cloneSignatureIdentity(signature),

+	}

+

+	i.identity.cacheMu.Lock()

+	if i.identity.cache == nil {

+		i.identity.cache = map[string]imageIdentityCacheEntry{}

+	}

+	i.identity.cache[cacheKey] = entry

+	pruneImageIdentityCacheEntries(i.identity.cache, now)

+	i.identity.cacheMu.Unlock()

+

+	if i.identity.cacheStore == nil {

+		return nil

+	}

+	return i.identity.cacheStore.Store(ctx, cacheKey, entry, now)

+}

+

+func cloneSignatureIdentity(s *imagetypes.SignatureIdentity) *imagetypes.SignatureIdentity {

+	if s == nil {

+		return nil

+	}

+	out := *s

+	out.Timestamps = slices.Clone(s.Timestamps)

+	out.Warnings = slices.Clone(s.Warnings)

+	if s.Signer != nil {

+		signer := *s.Signer

+		out.Signer = &signer

+	}

+	return &out

+}

+

+func pruneImageIdentityCacheEntries(entries map[string]imageIdentityCacheEntry, now time.Time) {

+	for key, entry := range entries {

+		if now.After(entry.ExpiresAt) {

+			delete(entries, key)

+		}

+	}

+}

+

+func (i *ImageService) warmImageIdentityCache(ctx context.Context, img c8dimages.Image) {

+	if i.policyVerifier == nil {

+		return

+	}

+	go func() {

+		warmCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), imageIdentityWarmupTimeout)

+		defer cancel()

+		multi, err := i.multiPlatformSummary(warmCtx, img, matchAnyWithPreference(platforms.Default(), nil))

+		if err != nil {

+			log.G(warmCtx).WithError(err).WithField("image", img.Name).Debug("failed to build image identity cache in background")

+			return

+		}

+		if _, err := i.imageIdentity(warmCtx, img.Target, multi); err != nil {

+			log.G(warmCtx).WithError(err).WithField("image", img.Name).Debug("failed to build image identity cache in background")

+		}

+	}()

 }

 func (i *ImageService) signatureIdentity(ctx context.Context, desc ocispec.Descriptor, img *ImageManifest, platform ocispec.Platform) (*imagetypes.SignatureIdentity, error) {

@@ -101,6 +347,10 @@ func (i *ImageService) signatureIdentity(ctx context.Context, desc ocispec.Descr

 		return nil, nil

 	}

+	if i.policyVerifier == nil {

+		return nil, nil

+	}

+

 	v, err := i.policyVerifier()

 	if err != nil {

 		return nil, err

@@ -15,6 +15,7 @@ import (

 	"github.com/containerd/log"

 	"github.com/containerd/platforms"

 	"github.com/moby/moby/v2/daemon/container"

+	"github.com/moby/moby/v2/daemon/containerd/identitycache"

 	daemonevents "github.com/moby/moby/v2/daemon/events"

 	dimages "github.com/moby/moby/v2/daemon/images"

 	"github.com/moby/moby/v2/daemon/internal/distribution"

@@ -42,6 +43,7 @@ type ImageService struct {

 	refCountMounter     snapshotter.Mounter

 	idMapping           user.IdentityMapping

 	policyVerifier      func() (*policyverifier.Verifier, error)

+	identity            imageIdentityState

 	// defaultPlatformOverride is used in tests to override the host platform.

 	defaultPlatformOverride platforms.MatchComparer

@@ -51,6 +53,7 @@ type ImageServiceConfig struct {

 	Client                 *containerd.Client

 	Containers             container.Store

 	Snapshotter            string

+	IdentityCacheBackend   identitycache.Backend

 	RegistryHosts          docker.RegistryHosts

 	Registry               distribution.RegistryResolver

 	EventsService          *daemonevents.Events

@@ -76,6 +79,15 @@ func NewService(config ImageServiceConfig) *ImageService {

 		refCountMounter: config.RefCountMounter,

 		idMapping:       config.IDMapping,

 		policyVerifier:  config.PolicyVerifierProvider,

+		identity: imageIdentityState{

+			cache: make(map[string]imageIdentityCacheEntry),

+			cacheStore: func() identitycache.Backend {

+				if config.IdentityCacheBackend != nil {

+					return config.IdentityCacheBackend

+				}

+				return identitycache.NewNopBackend()

+			}(),

+		},

 	}

 }

@@ -132,6 +144,9 @@ func (i *ImageService) GetLayerMountID(cid string) (string, error) {

 // Cleanup resources before the process is shutdown.

 // called from daemon.go Daemon.Shutdown()

 func (i *ImageService) Cleanup() error {

+	if i.identity.cacheStore != nil {

+		return i.identity.cacheStore.Close()

+	}

 	return nil

 }

@@ -53,6 +53,7 @@ import (

 	"github.com/moby/moby/v2/daemon/config"

 	"github.com/moby/moby/v2/daemon/container"

 	ctrd "github.com/moby/moby/v2/daemon/containerd"

+	"github.com/moby/moby/v2/daemon/containerd/identitycache"

 	"github.com/moby/moby/v2/daemon/containerd/migration"

 	"github.com/moby/moby/v2/daemon/events"

 	_ "github.com/moby/moby/v2/daemon/graphdriver/register" // register graph drivers

@@ -1273,11 +1274,17 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S

 		if err := configureKernelSecuritySupport(&cfgStore.Config, driverName); err != nil {

 			return nil, err

 		}

+		identityCacheBackend, err := identitycache.NewBoltDBBackend(config.Root)

+		if err != nil {

+			log.G(ctx).WithError(err).Warn("failed to initialize image identity bbolt cache backend")

+			identityCacheBackend = identitycache.NewNopBackend()

+		}

 		d.usesSnapshotter = true

 		d.imageService = ctrd.NewService(ctrd.ImageServiceConfig{

 			Client:                 d.containerdClient,

 			Containers:             d.containers,

 			Snapshotter:            driverName,

+			IdentityCacheBackend:   identityCacheBackend,

 			RegistryHosts:          d.RegistryHosts,

 			Registry:               d.registryService,

 			EventsService:          d.EventsService,