Garbage collection does not delete untagged images if they are signed using CoSign #18014

Open
marvinpeter-kisters opened this issue Dec 20, 2022 · 4 comments
Labels: area/gc, kind/requirement (New feature or idea on top of harbor)

@marvinpeter-kisters

Expected behavior and actual behavior:
Expected
Harbor garbage collection should remove untagged images even if they have a signature attached to them.

Actual
Deleting untagged images with a CoSign signature attached fails.

2022-12-19T13:20:49Z [INFO] [/jobservice/job/impl/gc/garbage_collection.go:143]: Garbage Collection parameters: [delete_untagged: true, dry_run: false, time_window: 2]
2022-12-19T13:20:49Z [INFO] [/jobservice/job/impl/gc/garbage_collection.go:153]: start to run gc in job.
2022-12-19T13:20:49Z [INFO] [/jobservice/job/impl/gc/garbage_collection.go:459]: start to delete untagged artifact (no actually deletion for dry-run mode)
2022-12-19T13:20:49Z [ERROR] [/jobservice/job/impl/gc/garbage_collection.go:476]: failed to delete untagged:3621 artifact in DB, error, the artifact 3621 is referenced by other resources
2022-12-19T13:20:49Z [ERROR] [/jobservice/job/impl/gc/garbage_collection.go:476]: failed to delete untagged:3519 artifact in DB, error, the artifact 3519 is referenced by other resources

Steps to reproduce the problem:

  • Push a container image to Harbor
  • Sign container image using CoSign
  • Push a new container image to Harbor reusing the same tag, making the old image untagged
  • Run garbage collection

Versions:

  • harbor version: v2.6.2-498e7e2
  • docker engine version: None, running in K8s 1.24
  • docker-compose version: None, running in K8s 1.24

Related Issues
#16418

AllForNothing (Contributor) commented Dec 23, 2022

@marvinpeter-kisters
Currently, this is a designed behavior. GC will not delete referred images (co-signed means referred).

Could you share your story of why you want to GC a co-signed image?

@marvinpeter-kisters (Author)

@AllForNothing We have a handful of repositories where we only use the latest tag and do not version images. Before we started using signing, Harbor would delete the old, now untagged images of such repositories once a week.
Since switching to signing images this no longer works, resulting in a ton of untagged images that are no longer used. At the moment I delete these by hand once a week.

@wy65701436 wy65701436 added area/gc kind/requirement New feature or idea on top of harbor and removed kind/bug labels Jan 10, 2023
@wy65701436 (Contributor)

@marvinpeter-kisters This is a designed behavior where you have to remove the signature first and then perform the GC.
Let's keep collecting more comments and maybe we can provide an option to allow the user to delete untagged images with a signature.
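
The order described in the comment above (remove the signature, then let GC run) can be planned from a repository listing. The following is an added example, not part of the thread and not Harbor's or cosign's code. It relies on cosign's tag-based signature storage (`sha256-<hex>.sig`); the listing shape, the function name `find_blocked` and the sample digests are assumptions constructed for illustration, and no Harbor API is called.

```python
import re

# cosign's tag-based storage names a signature after the digest it signs:
#   sha256:<hex>  ->  tag "sha256-<hex>.sig" in the same repository
SIG_TAG = re.compile(r"^sha256-([0-9a-f]{64})\.sig$")


def find_blocked(artifacts):
    """Map each untagged, signed image to the signature artifacts to remove first.

    `artifacts` is a list of {"digest": str, "tags": list or None} for one
    repository. This shape is an assumption for the example, not Harbor's schema.
    Returns (blocked, dangling): blocked = {image digest: [signature digests]},
    dangling = signature digests whose subject is not in the listing.
    """
    tags_of = {a["digest"]: (a.get("tags") or []) for a in artifacts}
    sigs = {}  # signed digest -> digests of the artifacts carrying its .sig tag
    for digest, tags in tags_of.items():
        for tag in tags:
            m = SIG_TAG.match(tag)
            if m:
                sigs.setdefault("sha256:" + m.group(1), []).append(digest)
    # Blocked: the signed image is present but has no tags of its own.
    blocked = {subject: found for subject, found in sigs.items()
               if subject in tags_of and not tags_of[subject]}
    # A signature without a subject is only reported: the image may live elsewhere.
    dangling = [s for subject, found in sigs.items()
                if subject not in tags_of for s in found]
    return blocked, dangling


def _d(ch):
    """Constructed placeholder digest (one hex character repeated)."""
    return "sha256:" + ch * 64


# Constructed sample listing, not taken from the issue.
SAMPLE = [
    {"digest": _d("a"), "tags": None},                             # old image, lost "latest"
    {"digest": _d("b"), "tags": ["sha256-" + "a" * 64 + ".sig"]},  # its signature
    {"digest": _d("c"), "tags": ["latest"]},                       # current image
    {"digest": _d("e"), "tags": ["sha256-" + "c" * 64 + ".sig"]},  # its signature
    {"digest": _d("f"), "tags": []},                               # untagged, unsigned
    {"digest": _d("1"), "tags": ["sha256-" + "2" * 64 + ".sig"]},  # subject missing
]

if __name__ == "__main__":
    blocked, dangling = find_blocked(SAMPLE)
    for image, signatures in blocked.items():
        print("remove first:", signatures, "then GC can collect", image)
    print("dangling signatures (review by hand):", dangling)
```

The signature of the image that still carries `latest` is left alone, so verification of the current image keeps working.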

@fpoirotte

We have a similar need: we publish images routinely (every week) in a private registry using a constant tag ("latest"). The images are signed using cosign and we would like to automatically delete obsolete images (those that lost the "latest" tag when a new image was published under that tag).

I'm +1 on having the option to delete untagged images that are still referenced by a signature.
