Delete signed images

To delete a signed image, you must first remove trust data for all of the roles that have signed the image. After you remove the trust data, proceed to deleting the image, as described in Delete images.

To identify the roles that signed an image:

  1. Determine the roles that are trusted to sign the image:

  2. Configure your Notary client.

  3. List the trusted roles:

    notary delegation list <registry-host-name>/<namespace>/<repository>
    

    Example output:

    ROLE                PATHS             KEY IDS                  THRESHOLD
    ----                -----             -------                  ---------
    targets/releases    "" <all paths>    c3470c45cefde5...2ea9bc8    1
    targets/qa          "" <all paths>    c3470c45cefde5...2ea9bc8    1
    

    In this example, the repository owner delegated trust to the targets/releases and targets/qa roles.

  4. For each role listed in the previous step, identify whether it signed the image:

    notary list <registry-host-name>/<namespace>/<repository> --roles <role-name>
    

To remove trust data for a role:

Note

Only users with private keys that have the required roles can perform this operation.

For each role that signed the image, remove the trust data for that role:

    notary remove <registry-host-name>/<namespace>/<repository> <tag> \
    --roles <role-name> --publish

The image will display as unsigned once the trust data has been removed for all of the roles that signed the image.
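
The two procedures above can be combined in a script. The following is an added example, not part of the original documentation: it lists the delegated roles, keeps those whose notary list output contains the tag, and prints the matching notary remove commands. The function names and the DRY_RUN variable are hypothetical, and the script assumes that notary list prints the tag name in the first column and the signing role in the last.

```shell
#!/bin/sh
# Added example: helper functions around the notary commands shown above.
# Function names and DRY_RUN are hypothetical, not part of notary.

# Read `notary delegation list` output on stdin; print one role per line.
parse_roles() {
    awk '$1 ~ /^targets\// { print $1 }'
}

# Read `notary list --roles <role>` output on stdin; succeed if a row for
# tag $1 exists. Assumed layout: NAME first column, ROLE last column.
has_tag() {
    awk -v tag="$1" '$1 == tag && $NF ~ /^targets/ { found = 1 }
                     END { exit !found }'
}

# Print each delegated role that signed <repo>:<tag>.
signing_roles() {
    repo=$1; tag=$2
    notary delegation list "$repo" </dev/null | parse_roles |
    while read -r role; do
        # </dev/null keeps notary from consuming the role list on stdin.
        if notary list "$repo" --roles "$role" </dev/null | has_tag "$tag"; then
            printf '%s\n' "$role"
        fi
    done
}

# Remove trust data for every role that signed the tag.
# DRY_RUN defaults to 1 and only prints the commands; DRY_RUN=0 runs them.
remove_trust() {
    repo=$1; tag=$2
    signing_roles "$repo" "$tag" |
    while read -r role; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'notary remove %s %s --roles %s --publish\n' "$repo" "$tag" "$role"
        else
            notary remove "$repo" "$tag" --roles "$role" --publish </dev/null
        fi
    done
}
```

Source the file and call remove_trust <registry-host-name>/<namespace>/<repository> <tag>. A failed notary list call is treated as "did not sign", so compare the dry-run output with the delegation list before setting DRY_RUN=0.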