Docker Community Forums

Image Manifest V 2, Schema 2 does not contain signature metadata

Whilst looking at how to use asymmetric keys to sign and verify the manifest file, I found the Image Manifest V2, Schema 1, which contains a signature section that, once checked, provides assurance that the layer SHA hashes are correct.

Is Schema 2 lacking documentation in this feature or is it intentionally removed?

What is the current recommended way for me to insert a signature into a manifest file which can be stored in a registry? Ideally I would like to contain my signature in the manifest file so that I do not have to have a separate server to maintain a list of hashes / signatures.

Thanks!

schemaVersion int

This field specifies the image manifest schema version as an integer. This schema uses version 2.

mediaType string

The MIME type of the manifest. This should be set to application/vnd.docker.distribution.manifest.v2+json.

config object

The config field references a configuration object for a container, by digest. This configuration item is a JSON blob that the runtime uses to set up the container. This new schema uses a tweaked version of this configuration to allow image content-addressability on the daemon side.

Fields of a config object are:

mediaType string

The MIME type of the referenced object. This should generally be application/vnd.docker.container.image.v1+json.

size int

The size in bytes of the object. This field exists so that a client will have an expected size for the content before validating. If the length of the retrieved content does not match the specified length, the content should not be trusted.

digest string

The digest of the content, as defined by the Registry V2 HTTP API Specification.

layers array

The layer list is ordered starting from the base image (opposite order of schema1).

Fields of an item in the layers list are:

mediaType string

The MIME type of the referenced object. This should generally be application/vnd.docker.image.rootfs.diff.tar.gzip. Layers of type application/vnd.docker.image.rootfs.foreign.diff.tar.gzip may be pulled from a remote location but they should never be pushed.

size int

The size in bytes of the object. This field exists so that a client will have an expected size for the content before validating. If the length of the retrieved content does not match the specified length, the content should not be trusted.

digest string

The digest of the content, as defined by the Registry V2 HTTP API Specification.

urls array

Provides a list of URLs from which the content may be fetched. Content should be verified against the digest and size. This field is optional and uncommon.
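The field descriptions above repeat the same rule for the config object and for every layer: the client knows the expected size and digest before it fetches anything, and content whose length or digest does not match must not be trusted. The following is an added example, not code from the thread or from Docker, showing a client-side verifier that applies exactly that rule to a schema 2 manifest. The blobs, the manifest and the in-memory "registry" (a dict keyed by digest) are constructed for the example; `verify_manifest` returns the list of digests it verified or raises on the first mismatch, and `verification_report` wraps that as a pass/fail result. Because schema 2 has no signature field, the only thing a signing scheme has left to sign is the manifest's own digest, the sha256 of its exact serialized bytes, which `manifest_digest` computes; that is a property of how registries address manifests, not something this thread's spec excerpt spells out.

```python
import hashlib
import hmac
import json

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
CONFIG_TYPE = "application/vnd.docker.container.image.v1+json"
LAYER_TYPE = "application/vnd.docker.image.rootfs.diff.tar.gzip"
FOREIGN_LAYER_TYPE = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"
SUPPORTED_LAYER_TYPES = {LAYER_TYPE, FOREIGN_LAYER_TYPE}

# Constructed sample blobs standing in for a real config JSON and one gzipped layer.
CONFIG_BLOB = b'{"architecture":"amd64","os":"linux","rootfs":{"type":"layers","diff_ids":[]}}'
LAYER_BLOB = b"\x1f\x8b\x08\x00" + b"constructed layer payload, not a real tar.gz"


class BlobVerificationError(Exception):
    """Raised when content does not match the size or digest its descriptor promises."""


def sha256_digest(data: bytes) -> str:
    """Registry-style digest string: '<algorithm>:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def descriptor(media_type: str, data: bytes) -> dict:
    """The {mediaType, size, digest} triple used by both the config field and each layer."""
    return {"mediaType": media_type, "size": len(data), "digest": sha256_digest(data)}


def build_manifest(config_blob: bytes, layer_blobs: list) -> dict:
    """Assemble a schema 2 manifest; layers are listed base image first."""
    return {
        "schemaVersion": 2,
        "mediaType": MANIFEST_V2,
        "config": descriptor(CONFIG_TYPE, config_blob),
        "layers": [descriptor(LAYER_TYPE, blob) for blob in layer_blobs],
    }


MANIFEST = build_manifest(CONFIG_BLOB, [LAYER_BLOB])
# Constructed in-memory content store keyed by digest; stands in for registry blob fetches.
BLOB_STORE = {sha256_digest(CONFIG_BLOB): CONFIG_BLOB, sha256_digest(LAYER_BLOB): LAYER_BLOB}


def verify_descriptor(desc: dict, data) -> str:
    """Check fetched bytes against a descriptor's size, then its digest. Returns the digest."""
    if data is None:
        raise BlobVerificationError(f"blob {desc['digest']} not found")
    # Size first: it is cheap, and a length mismatch alone already means "do not trust".
    if len(data) != desc["size"]:
        raise BlobVerificationError(
            f"size mismatch for {desc['digest']}: expected {desc['size']}, got {len(data)}")
    algorithm, _, expected_hex = desc["digest"].partition(":")
    if algorithm != "sha256" or len(expected_hex) != 64:
        raise BlobVerificationError(f"unsupported or malformed digest {desc['digest']!r}")
    actual_hex = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual_hex, expected_hex):
        raise BlobVerificationError(
            f"digest mismatch: expected {desc['digest']}, got sha256:{actual_hex}")
    return desc["digest"]


def verify_manifest(manifest: dict, fetch) -> list:
    """Verify config and every layer via fetch(digest) -> bytes. Returns verified digests in order."""
    if manifest.get("schemaVersion") != 2 or manifest.get("mediaType") != MANIFEST_V2:
        raise BlobVerificationError("not a schema 2 manifest")
    verified = [verify_descriptor(manifest["config"], fetch(manifest["config"]["digest"]))]
    for layer in manifest["layers"]:
        if layer["mediaType"] not in SUPPORTED_LAYER_TYPES:
            raise BlobVerificationError(f"unexpected layer mediaType {layer['mediaType']!r}")
        # Foreign layers may be fetched from layer["urls"]; the same size+digest check applies.
        verified.append(verify_descriptor(layer, fetch(layer["digest"])))
    return verified


def verification_report(manifest: dict, fetch) -> dict:
    """Pass/fail wrapper around verify_manifest for callers that prefer a result over an exception."""
    try:
        return {"ok": True, "verified": verify_manifest(manifest, fetch), "error": None}
    except BlobVerificationError as exc:
        return {"ok": False, "verified": [], "error": str(exc)}


def manifest_digest(manifest_bytes: bytes) -> str:
    """Digest a registry uses to address the manifest itself: sha256 of the exact bytes served."""
    return sha256_digest(manifest_bytes)


if __name__ == "__main__":
    raw = json.dumps(MANIFEST, separators=(",", ":")).encode()
    print("manifest digest:", manifest_digest(raw))
    print("intact store:", verification_report(MANIFEST, BLOB_STORE.get))
    tampered = dict(BLOB_STORE)
    tampered[sha256_digest(LAYER_BLOB)] = LAYER_BLOB[:-1] + b"X"  # same length, different bytes
    print("tampered layer:", verification_report(MANIFEST, tampered.get))
```

The size check runs before the hash on purpose: it costs nothing and lets a client drop an oversized or truncated download without hashing it, while the digest comparison uses `hmac.compare_digest` so the check does not leak through timing. Note that this verifies that the content matches what the manifest claims; it says nothing about who produced the manifest, which is the gap the original question is about.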