
Story #9512

Updated by ipanova@redhat.com over 2 years ago

Container signature has a specific path structure `base/namespaces/name@digest-algo=digest-value/signature-index` 

**Example of the URL the client calls during signature verification process**

`GET https://registry.redhat.io/containers/sigstore/ubi8/ubi-micro@sha256=43520d9634eaaa007a697be79eb604fcbfd348afe5e620c1407629bf20ced542/signature-1`

 Within the URL, `index` is a decimal integer (in the canonical form), starting with 1. Signatures are stored at URLs with successive index values; to read all of them, clients start with index=1, and continue reading signatures and increasing index as long as signatures with these index values exist.  

Similarly, to add one more signature to an image, one would need to find the first index which does not exist, and then store the new signature using that index value.

For these reasons, it is not advised to provide a DELETE API, and the only way a signature would be removed from the sigstore would be with the image removal itself.

 **More info on the signature protocols** https://github.com/containers/image/blob/main/docs/signature-protocols.md
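
The read and append rules described above, and the gap a DELETE would leave, shown as an added example; this is not code from Pulp or containers/image. The `fetch` callable, the in-memory dict standing in for the sigstore, and the `registry.example.test` base URL are assumptions made for the illustration.

```python
BASE = "https://registry.example.test/containers/sigstore"  # constructed base URL
REPO = "ubi8/ubi-micro"


def signature_url(base, repo, digest, index):
    """Build base/namespaces/name@digest-algo=digest-value/signature-index."""
    algo, sep, value = digest.partition(":")
    if not sep or not algo or not value:
        raise ValueError("digest must look like algo:value")
    if index < 1:
        raise ValueError("signature index starts at 1")
    return f"{base}/{repo}@{algo}={value}/signature-{index}"


def read_signatures(fetch, base, repo, digest):
    """Read signature-1, signature-2, ... and stop at the first missing index."""
    found = []
    index = 1
    while True:
        blob = fetch(signature_url(base, repo, digest, index))
        if blob is None:  # hypothetical fetch() returns None on 404
            return found
        found.append(blob)
        index += 1


def next_free_index(fetch, base, repo, digest):
    """First index that does not exist, where a new signature is stored."""
    return len(read_signatures(fetch, base, repo, digest)) + 1


def demo():
    digest = "sha256:" + "ab" * 32  # constructed digest
    store = {}  # in-memory stand-in for the static sigstore
    for blob in (b"sig-A", b"sig-B", b"sig-C"):  # constructed signature blobs
        idx = next_free_index(store.get, BASE, REPO, digest)
        store[signature_url(BASE, REPO, digest, idx)] = blob
    before = read_signatures(store.get, BASE, REPO, digest)

    # Simulate a DELETE of signature-2: signature-3 is still stored,
    # but clients stop at the gap and never request it.
    del store[signature_url(BASE, REPO, digest, 2)]
    after = read_signatures(store.get, BASE, REPO, digest)
    reused = next_free_index(store.get, BASE, REPO, digest)
    return before, after, reused


if __name__ == "__main__":
    print(demo())
```

After the simulated delete, a client reads only the first signature, and the next writer reuses index 2 while the old `signature-3` stays orphaned behind it.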
