Additional tag pushed to registry during signature

[dalarson]

Hello,

I am attempting to add a signature step to my build pipeline using notation. The docker image gets build and tagged with the semantic version of the code repository, so in the container registry we have a series of tags that map directly to commits in the git repo. The notation cli step that I've added to the build pipeline seems to sign images correctly, but for some reason it also seems to be pushing another tag to the container registry. The result is that the image initially built and tagged is signed, but there's another copy of the same signed image with the digest as the tag as shown here:

My question is how can I prevent the additional tag from being pushed? The behavior I would like would be that the existing image tag gets signed, and no additional tags are pushed to the registry.

Guidance would be greatly appreciated

[FeynmanZhou]

Hi @dalarson ,

This is because notation uses the tag schema to store the signature in registry.

The signature is configurable. You can choose to sign an image with referrers API if your registry is compliant with OCI v1.1.

May I know which registry you are using and your notation version?

[dalarson]

Hello @FeynmanZhou! Thank you for your response. I am using Azure Container Registry and notation v 1.1.0. I believe the registry should be OCI compliant. I need to read a bit about the referrers API to understand what it's all about.

[FeynmanZhou]

@dalarson
Ah, ACR is an OCI v1.1 compliant registry so you can switch to use referrers API to store the signature. Learn how OCI v1.1 and referrers API benefits ACR: https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-support-of-oci-v1-1-specification-in-azure-container/ba-p/4177906

This feature is still an experimental feature in Notation v1.1.x, you can resign images using referrers API by following these steps:

1. To enable experimental features, set the NOTATION_EXPERIMENTAL environment variable to 1,

export NOTATION_EXPERIMENTAL=1

2. Sign an image using referrers API

notation sign --allow-referrers-api <registry>/<repository>@<digest>

[FeynmanZhou]

Hi @dalarson , does the guidance above work for you?

[dalarson]

Thank you for the information. Yes this is working beautifully for me. :)

Cheers!

[FeynmanZhou]

Cool. Thanks for confirming it! @dalarson

[TnGadaria]

Hi @dalarson,
Alternatively, you can use this: https://github.com/notaryproject/notation/tree/v1.2.0-alpha.1