Known issues
This section describes the MSR known issues with available workarounds, along with a list of current product limitations:
(ENGDTR-5013) Cosign signature details not listed in v1 API response
The signatures array returned by the MSR v1 repositories/tags API
does not include entries for Cosign signatures. Only DCT/Notary
signatures are listed there. The cosignSigned field still
correctly reports whether an image has one or more Cosign signatures,
but individual signature details are not enumerated for Cosign.
Workaround
Cosign signing and verification are client-side operations by design.
Use the cosign CLI (for example, cosign tree or cosign
verify) as the source of truth for inspecting and validating Cosign
signatures on an image.