fix: Verify after sign not executing

[ok-nick]

Verify after sign is currently never ran regardless of the verify.verify_after_sign setting.

There exists a check to ensure we do not verify an empty stream (such as when io::empty is supplied), it involves ensuring the stream length is non-zero. However, in the current logic we rewind the stream beforehand resulting in the length always being set to 0. The fix is to seek to the end of the stream to properly read the length.

[codspeed-hq]

CodSpeed Performance Report

Merging this PR will degrade performance by 39.4%

_{Comparing ok-nick/fix-verify-after-sign (64333c9) with main (a4fbcdb)}

Summary

❌ 8 regressed benchmarks
✅ 8 untouched benchmarks
⏩ 2 skipped benchmarks¹

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

	Benchmark	BASE	HEAD	Efficiency
❌	sign 100kb mp4	5.6 ms	8.1 ms	-31.55%
❌	sign 100kb mp3	4.5 ms	7.4 ms	-39.4%
❌	sign 100kb png	5.6 ms	8.6 ms	-34.43%
❌	sign 100kb svg	16.8 ms	22 ms	-23.73%
❌	sign 100kb tiff	2 ms	2.6 ms	-24.83%
❌	sign 100kb wav	4.7 ms	7.2 ms	-34.62%
❌	sign 100kb jpeg	5.1 ms	7.7 ms	-33.51%
❌	sign 100kb gif	3.8 ms	6.1 ms	-38.01%

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[tmathern]

Are there settings changes already in main that change the auto-add behavior of actions?
Because I would expect we don't need set_intent everywhere yet (this is a big breaking change). If we say the setting is gone it's fine, but we should be clear that it is gone then.

[tmathern]

The changes in tests is partially due to a default behavior/settings change from #1586. Settings change + this should be accordingly clearly and very obviously flagged as breaking changes once this releases.

This will break downstream SDKs, and their tests (at least for Python i am 100% sure there will be breakages).

[tmathern]

(I think you will still need to look into the benchmarks though, they seem quite unhappy right now).

[ok-nick]

@tmathern That's expected if we are doing validation after signing. Maybe we should consider disabling validation after signing for those benchmarks since we are more concerned about the signing performance there?

[tmathern]

@tmathern That's expected if we are doing validation after signing. Maybe we should consider disabling validation after signing for those benchmarks since we are more concerned about the signing performance there?

I'm just pointing out they seem unhappy and we can't merge like that. How you fix is dealer's choice. Can we have benchmarks with and without validation? So we'll also see the impact of the fix, and can track that in the future if we make more changes and it varies. Also I assume most people would have validate-after-sign on (isn't it going to be default behavior?), so not having benchmarks may be a bit misleading regarding perf. Middleground is to ahve data for both cases.

[gpeacock]

This is a good catch, if we were not validating, then the updated tests were already producing invalid claims