Delete signed images
In Mirantis Secure Registry (MSR), Cosign signatures are stored as
standard OCI artifacts. When you delete a primary container image tag
(for example, app:latest), MSR performs a cascade deletion to
clean up the repository and prevent orphaned signature data,
automatically removing the following related Cosign artifact tags:
Tag-based artifacts:
<tag>.sig(the image signature) and<tag>.att(any associated image attestations).Digest-based artifacts: If no other non-Cosign tags in the repository point to the underlying image digest, MSR also removes
sha256-<hex>,sha256-<hex>.sig, andsha256-<hex>.att.
After this workflow completes, the primary image tag and all corresponding Cosign signature data are purged from MSR storage.
Delete a signature without deleting the image
You may need to strip a signature from an image, for example, to invalidate a bad deployment pipeline stage, while keeping the original container image tag intact. Because Cosign signatures are stored as individual OCI tags, you can remove them independently using the MSR Tag DELETE API:
DELETE /api/v0/repositories/<namespace>/<repo>/tags/sha256-<imageDigestHex>.sig
Removing the signature tag reverts the image cosignSigned status
to false in the MSR catalog. The image remains in the repository
as an unsigned artifact. For more details, see the API Reference.
Deletion caveats
While Cosign does not prevent you from removing an image or its signature, a deletion request to MSR can still fail due to the following system constraints:
If an image has both DCT/Notary and Cosign signatures attached, the legacy Notary signature triggers a
409 Conflicterror. You must clear the Notary metadata before deleting.If the target repository has an immutable tags policy enabled, tag deletions are blocked regardless of the signing method used.
You must have write or administrative access in the MKE Role-Based Access Control engine for the target namespace to perform a deletion.