Introduction

While doing a deep dive on Sigstore and TUF, a question hit me out of nowhere.

"OK, but how exactly are container images protected from tampering?"

If you understand TUF, you'd guess: "You write the container image hash into targets.json, sign it with an offline key, done." And in 2015, that's exactly how it worked.

But today, that mental model is completely outdated.

The container signing architecture in the Docker world has gone through a turbulent decade:

"They tried to do it the TUF way, developers refused to play along, the whole thing imploded, and the industry pivoted to a totally different approach."

And that "different approach" turned out to be two competing approaches released around the same time, both fighting for dominance. Trying to keep up with this is exhausting.

Background: What "Signing a Container Image" Actually Means

Before diving into history, we need to nail down what "signing a container image" actually does. If this is fuzzy, the rest of the story will be too.…