Open
Description
When you remotely sign the images in ACR it adds the signature to the manifest, but it doesn't update the signed: field in the manifest. Notary v1 supports this - see Managed Signed images article.
notation sign $IMAGE
sha256:effba96d9b7092a0de4fa6710f6e73bf8c838e4fbd536e95de94915777b18613
notation verify $IMAGE
sha256:effba96d9b7092a0de4fa6710f6e73bf8c838e4fbd536e95de94915777b18613
However, when you run az acr manifest, one of the fields says "signed": false.
az acr manifest show-metadata $IMAGE -o jsonc
Command group 'acr manifest' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
{
  "changeableAttributes": {
    "deleteEnabled": true,
    "listEnabled": true,
    "readEnabled": true,
    "writeEnabled": true
  },
  "createdTime": "2022-05-13T23:15:54.3478293Z",
  "digest": "sha256:effba96d9b7092a0de4fa6710f6e73bf8c838e4fbd536e95de94915777b18613",
  "lastUpdateTime": "2022-05-13T23:15:54.3478293Z",
  "name": "v1",
  "quarantineState": "Passed",
  "signed": false
}
oras discover -o tree $IMAGE
daveteacr.azurecr.io/net-monitor:v1
├── signature/example
│   └── sha256:6dcae102039d2a770a0df6d20834a3506870bf88c732b5508431a04f7b4a2cfb
├── readme/example
│   └── sha256:9b575d41c5e5dfe2535a04fbfa4ad8df6b8cb2948a171370e1c6681feed3337f
├── sbom/example
│   └── sha256:b25c74b18603ce1bc92dd3c64c005538777ca7e1347d769623b7c68d93abb9d2
└── application/vnd.cncf.notary.v2.signature
    ├── sha256:7fa8ccc2cca8da0fd158f809857d1fbffac428e411f9c3fe25bc88b3393e7c5e
    ├── sha256:577b8edaa5995404b5e365acf63671dc416a34c7314fab511d2db3f5ce82148d
    └── sha256:569363022bd37dc17c95815eebd10151d4504651908b835f7970f74115386633
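
The mismatch reported above can be checked mechanically. The following is an added example, not part of the original issue or of the notation or az CLI code: it compares the "signed" field from az acr manifest show-metadata with the referrers listed by oras discover -o tree. The function names, the registry name and the shortened digests are constructed for illustration.

```python
import json
import re

# Artifact type of notation signatures, as shown in the oras discover output above.
NOTATION_TYPE = "application/vnd.cncf.notary.v2.signature"

# Constructed sample input: same shape as the issue's output, shortened digests.
METADATA = """Command group 'acr manifest' is in preview and under development.
{"digest": "sha256:aaaa", "name": "v1", "quarantineState": "Passed", "signed": false}"""

TREE = """registry.example/net-monitor:v1
├── signature/example
│   └── sha256:1111
└── application/vnd.cncf.notary.v2.signature
    ├── sha256:2222
    └── sha256:3333
"""

def referrers_by_type(tree_text):
    """Group referrer digests under the artifact type line that precedes them."""
    groups, current = {}, None
    for line in tree_text.splitlines()[1:]:        # first line is the subject image
        entry = re.sub(r"^[\s│├└─]+", "", line)   # drop tree-drawing characters
        if not entry:
            continue
        if re.fullmatch(r"sha256:[0-9a-f]+", entry):
            if current is not None:
                groups[current].append(entry)
        else:
            current = entry
            groups.setdefault(current, [])
    return groups

def signature_status(metadata_text, tree_text):
    """Report whether the 'signed' field agrees with the notation referrers."""
    # The preview warning may precede the JSON if stderr was captured too.
    meta = json.loads(metadata_text[metadata_text.index("{"):])
    sigs = referrers_by_type(tree_text).get(NOTATION_TYPE, [])
    signed = bool(meta.get("signed"))
    return {
        "digest": meta.get("digest"),
        "signed_field": signed,
        "notation_signatures": len(sigs),
        "mismatch": bool(sigs) and not signed,
    }

if __name__ == "__main__":
    print(signature_status(METADATA, TREE))
```

A signature referrer being present does not mean it is valid; notation verify remains the actual trust check.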