# Pattern: Signed Container Images Status: seed Readiness target: RL3 production Primary owners: artifact-store, Railiance platform, product repos Genesis family: Supply chain ## Problem Container images can be replaced, confused, or deployed from untrusted origins unless image identity is cryptographically verifiable. ## Context Use this pattern for production container images, platform controllers, tenant workloads, and deployment admission. ## Forces - Tags are mutable unless controlled. - Signatures need trusted keys or identities. - Admission must verify the image that actually runs. - Rollbacks need signed artifacts too. ## Solution Sign container image digests after trusted builds and require production deployments to reference images whose signatures and provenance satisfy policy. ## Verification - Images are signed by trusted build or release identities. - Admission rejects unsigned or untrusted images. - Deployments pin or verify immutable digests. - Signature rotation and key compromise processes exist. ## Related Patterns - Signed Image Admission. - SLSA Build Provenance. - SBOM-per-Release. - Quarantined Build Runner.