Referrer digests are not copied when publishing #1999

@lbussell

ImageBuilder images are now being signed, but the signatures (OCI referrer artifacts) are not copied to the production ACR on publish. Example from our testing ACRs:

Check what got built/staged:

```
$ oras discover $TEST_STAGING_ACR/build-staging/2916804/dotnet-buildtools/image-builder:linux-amd64-2916804
  $TEST_STAGING_ACR/build-staging/2916804/dotnet-buildtools/image-builder@sha256:fb614cb5643ca75835b3ab1ef307eb01f8e4b83878d62736f11bab5fa02ef50c
   application/vnd.cncf.notary.signature
       sha256:4c77315ec4e3c6629bb9ed6a5690801409e78c226483fbad443ff81eb629e6fd
           [annotations]
               org.opencontainers.image.created: "2026-03-03T17:19:19.9833777Z"
               io.cncf.notary.x509chain.thumbprint#S256: '["<snip/>"]'
```

Check what got published:

```
$ oras discover $TEST_PROD_ACR/public/dotnet-buildtools/image-builder:linux-amd64-2916804
  $TEST_PROD_ACR/public/dotnet-buildtools/image-builder@sha256:fb614cb5643ca75835b3ab1ef307eb01f8e4b83878d62736f11bab5fa02ef50c
```

Related:

Status

Done
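A publish gate that would catch the gap reported above, as an added example (not ImageBuilder's own code): it compares the OCI referrers API responses (`GET /v2/<name>/referrers/<digest>`) for the same image digest in the staging and production registries. Both response bodies are constructed samples; only the signature digest and artifact type come from the issue, and the function names are hypothetical.

```python
import json

NOTARY_SIG = "application/vnd.cncf.notary.signature"  # artifact type from the issue
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
SIG_DIGEST = "sha256:4c77315ec4e3c6629bb9ed6a5690801409e78c226483fbad443ff81eb629e6fd"

def referrer_digests(index_json, artifact_type=None):
    """Map digest -> artifactType for each descriptor in a referrers response."""
    if not index_json:  # no body fetched: treat as "no referrers"
        return {}
    index = json.loads(index_json)
    if index.get("mediaType") != OCI_INDEX:
        raise ValueError(f"not an OCI image index: {index.get('mediaType')!r}")
    found = {}
    for desc in index.get("manifests") or []:
        kind = desc.get("artifactType")
        if artifact_type is None or kind == artifact_type:
            found[desc["digest"]] = kind
    return found

def missing_referrers(staged_json, published_json, artifact_type=None):
    """Digests attached to the subject in staging but absent after publish."""
    staged = referrer_digests(staged_json, artifact_type)
    published = referrer_digests(published_json, artifact_type)
    return sorted(d for d in staged if d not in published)

# Constructed sample responses for the image digest shown in the issue.
STAGED = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_INDEX,
    "manifests": [{
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": SIG_DIGEST,
        "size": 728,  # constructed value
        "artifactType": NOTARY_SIG,
    }],
})
PUBLISHED = json.dumps({"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": []})

if __name__ == "__main__":
    lost = missing_referrers(STAGED, PUBLISHED, NOTARY_SIG)
    for digest in lost:
        print(f"signature not copied to production: {digest}")
    raise SystemExit(1 if lost else 0)
```

Run as a post-publish step, a non-zero exit fails the pipeline before an unsigned image is treated as released.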
