Known issues

This section describes the MSR known issues with available workarounds, along with a list of current product limitations:

(ENGDTR-5013) Cosign signature details not listed in v1 API response

The signatures array returned by the MSR v1 repositories/tags API does not include entries for Cosign signatures. Only DCT/Notary signatures are listed there. The cosignSigned field still correctly reports whether an image has one or more Cosign signatures, but individual signature details are not enumerated for Cosign.

Workaround

Cosign signing and verification are client-side operations by design. Use the cosign CLI (for example, cosign tree or cosign verify) as the source of truth for inspecting and validating Cosign signatures on an image.