
Feature: Add fast single-pass C2PA signing for BMFF, RIFF, and TIFF formats - 2x + signing speed #2010

Open: peekmoar wants to merge 2 commits into contentauth:main from peekmoar:feature/fast-sign-all


@peekmoar peekmoar commented Apr 5, 2026

Changes in this pull request

Summary

  • Adds single-pass streaming signing for BMFF (MP4/HEIF), RIFF (WAV/WebP/AVI), and TIFF/DNG formats that reads source once, writes output once, and computes the hash simultaneously, replacing the standard 7-pass flow
  • 2-3x faster on large files (277MB MP4: 297ms → 120ms, 50MB WAV: 67ms → 22ms, 23MB TIFF: 27ms → 11ms)

Test plan:

  • 20 integration tests across all three formats (6 BMFF, 8 RIFF, 6 TIFF) covering fresh signing, re-signing, deterministic output, multi-ingredient, and round-trip validation
  • 21 unit tests for output planning, exclusion computation, offset patching, and streaming hasher
  • Criterion benchmarks comparing standard vs fast signing at 100KB (included fixtures)
  • Large file benchmarks run automatically if files exist at /tmp/test_large.{mp4,wav,tif}. To generate them:
    ffmpeg -f lavfi -i testsrc=duration=60:size=1920x1080:rate=30 -c:v libx264 /tmp/test_large.mp4
    ffmpeg -f lavfi -i sine=frequency=440:duration=300 -ar 44100 /tmp/test_large.wav
    ffmpeg -f lavfi -i testsrc=size=4096x4096 -frames:v 1 /tmp/test_large.tif

Checklist

  • This PR represents a single feature, fix, or change.
  • All applicable changes have been documented.
  • Any TO DO items (or similar) have been entered as GitHub issues and the link to that issue has been included in a comment.

@peekmoar peekmoar changed the title Feature: Add fast single-pass C2PA signing for BMFF, RIFF, and TIFF formats Feature: Add fast single-pass C2PA signing for BMFF, RIFF, and TIFF formats - 2x + signing speed Apr 5, 2026
peekmoar added 2 commits April 5, 2026 20:38
Replace the standard 7-pass signing flow with a single-pass approach that
reads the source once, writes the output once, computes the content hash
simultaneously during the write pass, then seek-patches the signed JUMBF.

Benchmarks show 2-4x speedup on large files:
- BMFF (MP4): 3.77x faster (466ms -> 124ms on 277MB)
- RIFF (WAV): 3.20x faster (81ms -> 25ms on 50MB)
- TIFF:       2.05x faster (24ms -> 12ms on 24MB)

New public API:
- sign_bmff_fast() for MP4/HEIF/AVIF
- sign_riff_fast() for WAV/WebP/AVI
- sign_tiff_fast() for TIFF/DNG

All three fall back to Builder::sign() for non-matching formats.

Security hardening:
- Bounded entry_count validation for stco/co64/iloc/saio boxes
- IFD chain cycle detection (MAX_IFD_COUNT)
- RIFF recursion depth limit (MAX_CHUNK_DEPTH)
- Checked arithmetic for all offset patch operations
- Input validation for all parsed fields from untrusted data

41 tests (21 unit + 20 integration), all passing.
39 issues found and fixed across 5 review passes:
- Overflow-safe arithmetic (checked_add/checked_sub) throughout
- Bounded allocations from untrusted BMFF/RIFF/TIFF fields
- iloc/saio/stco/co64/tfra entry count validation against box size
- Minimum box size validation before parsing
- Runtime hash algorithm dispatch (DynHasher) instead of hardcoded SHA-256
- TIFF re-sign always appends fresh IFD (fixes orphaned chain bug)
- Deterministic salting support for RIFF and TIFF
- Missing tfra moof_offset patching for fragmented MP4
- Reserve size caching to prevent inconsistent signer behavior
- No-panic feed() for library safety
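
The entry-count validation and checked offset patching listed in the hardening notes above, shown for a single `stco` box whose chunk offsets must shift when bytes are inserted ahead of the media data. This is an added example, not code from the pull request or from c2pa-rs; `patch_stco`, `PatchError` and the sample bytes are assumptions made for illustration.

```rust
// Added example; `patch_stco` and `PatchError` are hypothetical names, not c2pa-rs API.
#[derive(Debug, PartialEq)]
pub enum PatchError {
    TooShort,
    EntryCountExceedsBox,
    OffsetOverflow,
}

/// `payload` is the `stco` body after the 8-byte size/type header:
/// version+flags (4 bytes), entry_count (u32 BE), then that many u32 BE offsets.
/// `delta` is the number of bytes inserted ahead of the media data.
pub fn patch_stco(payload: &mut [u8], delta: u64) -> Result<usize, PatchError> {
    // Minimum box size check before any field is read.
    if payload.len() < 8 {
        return Err(PatchError::TooShort);
    }
    let count = u32::from_be_bytes([payload[4], payload[5], payload[6], payload[7]]) as usize;
    // Bound the untrusted count by the bytes actually present in the box.
    let needed = count.checked_mul(4).ok_or(PatchError::EntryCountExceedsBox)?;
    if needed > payload.len() - 8 {
        return Err(PatchError::EntryCountExceedsBox);
    }
    // Pass 1: compute every new offset with checked arithmetic, so a failure
    // leaves the buffer untouched.
    let mut patched = Vec::with_capacity(count); // bounded: count <= payload.len() / 4
    for e in payload[8..8 + needed].chunks_exact(4) {
        let old = u32::from_be_bytes([e[0], e[1], e[2], e[3]]) as u64;
        let new = old.checked_add(delta).ok_or(PatchError::OffsetOverflow)?;
        // stco stores 32-bit offsets; anything larger does not fit this box.
        if new > u32::MAX as u64 {
            return Err(PatchError::OffsetOverflow);
        }
        patched.push(new as u32);
    }
    // Pass 2: write the validated offsets back in place.
    for (slot, value) in payload[8..8 + needed].chunks_exact_mut(4).zip(&patched) {
        slot.copy_from_slice(&value.to_be_bytes());
    }
    Ok(count)
}

fn main() {
    // Constructed sample: two entries, offsets 0x100 and 0x2000, shifted by 0x40.
    let mut body: Vec<u8> = vec![0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 1, 0, 0, 0, 0x20, 0];
    let result = patch_stco(&mut body, 0x40);
    println!("{:?} {:02x?}", result, &body[8..]);
}
```
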
@peekmoar peekmoar force-pushed the feature/fast-sign-all branch from bfd5cb7 to c58c847 Compare April 6, 2026 03:39
meta-codesync Bot pushed a commit to facebook/sapling that referenced this pull request Apr 9, 2026
Summary:
Replace dhruvmongia fork with peekmoar fork pointing to upstream PR
contentauth/c2pa-rs#2010 for the O(2^N)
manifest dedup fix. Uses git dependency instead of overlay per
third-party Rust policy.

After landing the upstream PR, bump c2pa to the release containing
the fix and remove this patch entry.

Reviewed By: dtolnay

Differential Revision: D99923178

fbshipit-source-id: 27d0c2fb295cd5ff2be25d3584c17af2322c8206
meta-codesync Bot pushed a commit to facebookexperimental/rust-shed that referenced this pull request Apr 9, 2026
Summary:
Replace dhruvmongia fork with peekmoar fork pointing to upstream PR
contentauth/c2pa-rs#2010 for the O(2^N)
manifest dedup fix. Uses git dependency instead of overlay per
third-party Rust policy.

After landing the upstream PR, bump c2pa to the release containing
the fix and remove this patch entry.

Reviewed By: dtolnay

Differential Revision: D99923178

fbshipit-source-id: 27d0c2fb295cd5ff2be25d3584c17af2322c8206