Clarification on annotation for io.cncf.notary.x509chain.thumbprint#S256

[plooploops]

Per the storage section of the signature specification, the annotation io.cncf.notary.x509chain.thumbprint#S256 is "A REQUIRED annotation whose value contains the list of SHA-256 fingerprint of signing certificate and certificate chain (including root) used for signature generation."

I wanted to understand if the annotation io.cncf.notary.x509chain.thumbprint#S256 is still required, as I have been able to attach an artifact without this annotation and then later verify using notation v1.0.0-rc.2.

• In this scenario, the annotation appears to be optional which aligns with this earlier signature spec which includes the following for the annotation: "This OPTIONAL property contains arbitrary metadata for the image manifest."
• Also, it would be helpful to understand if the annotation io.cncf.notary.x509chain.thumbprint#S256 is required (e.g. as of a certain released notation version), or if it's required for the future

[yizha1]

@plooploops This annotation is required per Notary signature spec. It is not enforced in the implementation yet.

@gokarnm, @priteshbandi and @shizhMSFT do you have any comments?

[yizha1]

Similar to this issue https://github.com/notaryproject/notation/issues/475, there is a need for users to push/attach notary compliant signature to container images.

[shizhMSFT]

It is required for the future. Basically, it will be used for signature filtering.

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.