Delete signed images

To delete a signed image, you must first remove trust data for all of the roles that have signed the image. After you remove the trust data, proceed to deleting the image, as described in Delete images.

To identify the roles that signed an image:

  1. Determine the roles that are trusted to sign the image:

  2. Configure your Notary client.

  3. List the trusted roles:

    notary delegation list <registry-host-name>/<namespace>/<repository>

    Example output:

    ROLE                PATHS             KEY IDS                  THRESHOLD
    ----                -----             -------                  ---------
    targets/releases    "" <all paths>    c3470c45cefde5...2ea9bc8    1
    targets/qa          "" <all paths>    c3470c45cefde5...2ea9bc8    1

    In this example, the repository owner delegated trust to the targets/releases and targets/qa roles.

  4. For each role listed in the previous step, identify whether it signed the image:

    notary list <registry-host-name>/<namespace>/<repository> --roles <role-name>

To remove trust data for a role:


Only users with private keys that have the required roles can perform this operation.

For each role that signed the image, remove the trust data for that role:

notary remove <registry-host-name>/<namespace>/<repository> <tag> \
--roles <role-name> --publish

The image will display as unsigned once the trust data has been removed for all of the roles that signed the image.