When artifacts and their associated targets metadata move between registries, how do we ensure the targets metadata remains valid? Options include:
Mirroring: in some cases, all metadata from a repository may be copied, and can be verified by using the original root metadata and delegations.
Re-signing: If images are validated before being moved into a private repo, it makes sense for them to be re-signed by the new repository. The old targets metadata can be additionally verified to show the artifact's provenance.
Adding delegation/image to targets metadata on new repository: When the artifact is copied, the receiving repository may add a delegation to the existing targets metadata, or add the artifact as a target. If the repository has online keys, this may be done automatically.
The solution is likely going to include more than one of the above options for different types of artifact movement.
This issue is part of #2