Story
Resolution: Unresolved
rhel-container-tools
As an engineering team member preparing for Post-Quantum Cryptography (PQC) readiness, I want to test how major public container registries handle images pushed with unrecognized/extra fields in their manifest, so that we can determine the viability of adding new fields (e.g., simultaneous SHA512 hashes) for PQC support while maintaining backward compatibility (with SHA256).
Context: This research is preparatory work for our PQC readiness initiative. The proposed strategy involves modifying the OCI image manifest to include multiple hashes for layers (e.g., existing SHA256 for legacy clients and a new field for SHA512 for PQC-safe verification).
Before proceeding, we must understand if registries will:
- Reject images with these new, unrecognized fields.
- Accept the images but strip the new fields, defeating the purpose.
- Accept the images and preserve the new fields (the ideal outcome).
Acceptance Criteria:
- A test script (or manual procedure) is created to:
  - Take a standard Linux image (e.g., hello-world or alpine).
  - Modify its local manifest file (e.g., index.json or manifest.json) to include an arbitrary, non-standard test field (e.g., "pqcTestField": "true").
- The following public container registries are provisioned for testing:
  - [ ] Docker Hub
  - [ ] AWS ECR (Elastic Container Registry)
  - [ ] Google Artifact Registry (or GCR)
  - [ ] Quay.io
  - [ ] GitHub Container Registry (GHCR)
  - [ ] Microsoft Azure Container Registry (ACR)
- For each of the target registries, the following test workflow is executed and documented:
  - [ ] Test 1: Push Image: The modified image (with the extra manifest field) is pushed to the registry.
  - [ ] Test 2: Record Push Result: The result of the push (Success or Failure) is recorded.
  - [ ] Test 3: Pull Image: If the push was successful, the same image tag is pulled to a clean local environment (to ensure it's not using a local cache).
  - [ ] Test 4: Inspect Manifest: The manifest of the pulled image is inspected.
  - [ ] Test 5: Record Preservation: It is recorded whether the custom "pqcTestField" is still present and unmodified in the pulled manifest.
- A final summary table is created and attached to this story, detailing the results for each registry.
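The example below is added here and is not part of the original story or of any project's code: it adds the story's "pqcTestField" to a manifest and classifies the manifest pulled back in Tests 4 and 5 as preserved, stripped or modified. The sample manifest is constructed and the function names are hypothetical. Because a manifest digest is computed over the exact manifest bytes, a registry that strips or rewrites the field also returns a different digest.

```python
import hashlib
import json

TEST_KEY, TEST_VALUE = "pqcTestField", "true"  # field name and value from the story

# Constructed sample manifest; digests and sizes are made up for this example.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:" + "a" * 64,
        "size": 1469,
    },
    "layers": [{
        "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
        "digest": "sha256:" + "b" * 64,
        "size": 3370706,
    }],
}).encode()


def digest(raw: bytes) -> str:
    """SHA-256 over the exact manifest bytes, formatted as a digest string."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def add_test_field(raw: bytes) -> bytes:
    """Return manifest bytes with the test field added at the top level."""
    manifest = json.loads(raw)
    manifest[TEST_KEY] = TEST_VALUE
    return json.dumps(manifest, indent=2).encode()


def classify(pushed: bytes, pulled: bytes) -> str:
    """Compare the pushed manifest bytes with the bytes pulled back."""
    if digest(pushed) == digest(pulled):
        return "preserved (byte-identical)"
    got = json.loads(pulled)
    if TEST_KEY not in got:
        return "stripped"
    if got[TEST_KEY] != TEST_VALUE:
        return "modified"
    if got == json.loads(pushed):
        return "preserved (re-serialized, digest changed)"
    return "preserved (other fields changed)"
```

Feed `classify` the raw manifest bytes saved before the push and the raw bytes returned by the registry, not a re-encoded copy, so the byte-identical case can be distinguished from re-serialization.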
is related to:
- RUN-3890 sha512/configurable digest readiness Tracker for container-tools [Q2-2026] (New)
- RUN-2612 sha512/configurable digest readiness Tracker for container-tools [Q3-2026] (Planning)
- RUN-3889 sha512/configurable digest readiness Tracker for container-tools [Q1-2026] (In Progress)
- RUN-3891 [PQC] Test SHA512 and configurable digest against local registry (To Do)