Hi,
I have currently an issue with a 3PP company that hosts Docker registries.

Until the latest version of the 3PP (for many years), the following response has been given when re-pushing an identical Docker image (example):

$ docker push <url>/<path>/<image name>:1.133.0-80
5f70bf18a086: Preparing
0134d5635165: Preparing
ec8a1cb3a1d6: Preparing
5f70bf18a086: Layer already exists
0134d5635165: Layer already exists
ec8a1cb3a1d6: Layer already exists
1.133.0-80: digest: sha256:<shasum>

Now after the latest release, the following response is instead received:

$ docker push <url>/<path>/<image name>:1.133.0-80
5f70bf18a086: Preparing
0134d5635165: Preparing
ec8a1cb3a1d6: Preparing
5f70bf18a086: Layer already exists
0134d5635165: Layer already exists
ec8a1cb3a1d6: Layer already exists
**unauthorized: The client does not have permission for manifest: No permission to overwrite manifest '<url>/<path>/<image name>/1.134.0-21/manifest.json'**

The permission for the Docker registry/repository has no delete/overwrite permissions.

What is the correct behavior according to the Docker specification?
Is there any link that can give proof for the correct behavior?

I’m not aware of any restrictions like that. Normally you could push the same image (not Docker, Docker is the daemon, the software) using the same tag as many times as you want. It is actually done when you override the latest tag or when you have a new patch version and v1.2.3 is added so v1.2 should point to the new patch version. If it is not allowed in your case, I assume there is a restriction implemented in the registry you are using. It could be a good idea to protect specific versions so you can make sure an existing specific version is not overridden only the more general aliases to point to new versions

PS: I edited your post, please use code blocks as described in our formatting guide to avoid missing parts in your posts that only moderators could see and edit :How to format your forum posts