Delete signed images

Before you can delete signed images, you must first identify the roles that signed the images and remove the trust data for each of those roles.

To identify the roles that signed an image:

1. Determine the roles that are trusted to sign the image:

   1. Configure your Notary client, as described in the official Docker documentation, `Delegations for content trust

<https://docs.docker.com/engine/security/trust/trust_delegation/>`__.

1. List the trusted roles:

   notary delegation list <registry-host-name>/<namespace>/<repository>
   

   Example output:

   ROLE                PATHS             KEY IDS                  THRESHOLD
   ----                -----             -------                  ---------
   targets/releases    "" <all paths>    c3470c45cefde5...2ea9bc8    1
   targets/qa          "" <all paths>    c3470c45cefde5...2ea9bc8    1
   

1. For each role listed, identify whether it signed the image:

   notary list <registry-host-name>/<namespace>/<repository> --roles <role-name>
   

To remove trust data for a role:

Note

Only users with private keys that have the required roles can remove trust data for a role.

For each role that signed the image, remove the trust data for that role:

notary remove <registry-host-name>/<namespace>/<repository> <tag> \
--roles <role-name> --publish

The image displays as unsigned once the trust data has been removed for all of the roles that signed the image. At this point, you can delete the image.