Delete images

To delete an image, navigate to the Tags tab of the repository page on the MSR web interface. In the Tags tab, select all the image tags you want to delete, and click Delete.

You can also delete all image versions by deleting the repository. To delete a repository, navigate to Settings and click Delete under Delete Repository.

Delete signed images

MSR only allows deleting images if the image has not been signed. You first need to delete all the trust data associated with the image before you are able to delete the image.

There are three steps to delete a signed image:

  1. Find which roles signed the image.

  2. Remove the trust data for each role.

  3. The image is now unsigned, so you can delete it.

Find which roles signed an image

To find which roles signed an image, you first need to learn which roles are trusted to sign the image.

Configure your Notary client and run:

notary delegation list msr-example.com/library/wordpress

In this example, the repository owner delegated trust to the targets/releases and targets/qa roles:

ROLE                PATHS             KEY IDS                  THRESHOLD
----                -----             -------                  ---------
targets/releases    "" <all paths>    c3470c45cefde5...2ea9bc8    1
targets/qa          "" <all paths>    c3470c45cefde5...2ea9bc8    1

Now that you know which roles are allowed to sign images in this repository, you can learn which roles actually signed it:

# Check if the image was signed by the "targets" role
notary list msr-example.com/library/wordpress

# Check if the image was signed by a specific role
notary list msr-example.com/library/wordpress --roles <role-name>

In this example the image was signed by three roles: targets, targets/releases, and targets/qa.

Remove trust data for a role

Once you know which roles signed an image, you’ll be able to remove trust data for those roles. Only users with private keys that have the roles are able to do this operation.

For each role that signed the image, run:

notary remove msr-example.com/library/wordpress <tag> \
  --roles <role-name> --publish

Once you’ve removed trust data for all roles, MSR shows the image as unsigned. Then you can delete it.

Where to go next