Sign images with Cosign

Mirantis Secure Registry (MSR) natively supports Cosign, providing a seamless way to store and manage signed images. Cosign allows you to sign image tags on the client side, giving consumers a way to verify the integrity of your images.

Because Cosign signatures are stored directly in the registry as standard OCI artifacts, MSR does not require a dedicated signing server. All cryptographic signing operations are performed entirely on the client side using the Cosign CLI. After the client generates the signature, it is pushed directly to your MSR repository alongside the image.

Cosign integrates with container workflows and allows you to configure repositories, manage keys, and sign images using the cosign sign command.

Upgrade from MSR 2.9

When upgrading from MSR 2.9 to MSR 2.10, MSR provides a conditional backward-compatibility path for Docker Content Trust (DCT) to ensure your existing workflows do not break while you plan your migration to Cosign.

The upgrade behavior depends entirely on whether you have active DCT signatures in your MSR 2.9 environment:

DCT upgrade behavior

MSR 2.9 state

MSR 2.10 upgrade behavior

Action required

Active DCT signatures present

The Notary server and Notary signer components are preserved. Existing DCT signatures remain valid and you can continue using docker trust commands.

Plan your migration to Cosign. The Notary/DCT stack is deprecated and will be removed in a future release.

No DCT signatures present

The Notary server and Notary signer components are removed from the cluster during the upgrade.

None. Use Cosign for all new image signing requirements.

For more details about DCT usage, refer to Sign images with Docker Content Trust.