https://www.youngju.dev/blog 천천히 올바르게. AI Researcher & DevOps Engineer Youngju's tech blog. GPU/CUDA, LLM, MLOps, Kubernetes AI workloads, distributed training, and data engineering. ko fjvbn2003@gmail.com (Youngju Kim) fjvbn2003@gmail.com (Youngju Kim) Sat, 16 May 2026 00:00:00 GMT https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive.en https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive.en In 2026, container registries are no longer just a docker push away. Following Docker Hub pricing changes, GHCR has effectively become the OSS standard. Harbor has matured into the self-hosting default as a CNCF graduated project, while Zot has carved out the emerging OCI-only simplicity niche. ECR Public stands as the free Quay alternative, and Google Artifact Registry has fully replaced GCR. On top of all that sit Cosign + Sigstore signing, in-toto supply-chain attestations, CycloneDX and SPDX SBOMs, and ORAS-powered generic OCI artifacts — the registry is no longer an image store but the central hub of supply-chain security. This post compares 13 registries, signing tools, and SBOM standards in one breath, traces the real choices made by Toss, KakaoPay, Mercari, and LINE, and gives you a matrix of who should pick what. Sat, 16 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) containerregistrydocker-hubghcrecrgcracrharborquayzotartifactorydistributioncosignsigstorein-totosbomcyclonedxspdxnotaryoras2026deep-diveenglish https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive.ja https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive.ja 2026 年のコンテナレジストリは、もう docker push 一発で終わる世界ではない。Docker Hub の価格変更以降、GHCR が事実上 OSS の標準となり、Harbor は CNCF graduated として自社ホスティングのデフォルトに、Zot は OCI-only のシンプルさで emerging 領域を獲得した。ECR Public は無料の Quay 代替として定着し、Google Artifact Registry が GCR を完全に置き換えた。さらに Cosign + Sigstore による署名、in-toto によるサプライチェーン証言、CycloneDX・SPDX SBOM、ORAS による generic OCI artifact まで — レジストリはもはやイメージの保管庫ではなく、サプライチェーンセキュリティの中心ハブだ。本稿は 13 のレジストリ・署名ツール・SBOM 規格を一息に比較し、トス・カカオペイ・メルカリ・LINE の実戦的選択を辿り、誰が何を選ぶべきかをマトリクスにする。 Sat, 16 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) containerregistrydocker-hubghcrecrgcracrharborquayzotartifactorydistributioncosignsigstorein-totosbomcyclonedxspdxnotaryoras2026deep-dive日本語 https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive https://www.youngju.dev/blog/culture/2026-05-16-container-registries-2026-docker-hub-ghcr-ecr-harbor-quay-zot-cosign-sigstore-deep-dive 2026년 컨테이너 레지스트리는 더 이상 docker push 한 줄로 끝나지 않는다. Docker Hub의 가격 정책 변화 이후 GHCR가 사실상 OSS 표준이 되었고, Harbor가 CNCF graduated 프로젝트로 셀프호스팅의 기본값이 되었으며, Zot이 OCI-only 단순성으로 emerging 영역을 차지했다. ECR Public이 무료 Quay 대안으로 자리잡고, Google Artifact Registry가 GCR을 완전히 대체했다. 그리고 그 위에 Cosign + Sigstore의 서명, in-toto의 공급망 증언, CycloneDX·SPDX SBOM, ORAS의 generic OCI artifact까지 — 레지스트리는 이미지 저장소가 아니라 공급망 보안의 중심 허브가 되었다. 이 글은 13개 레지스트리·서명 도구·SBOM 표준을 한 호흡에 비교하고, 토스·카카오 페이·메르카리·LINE의 실전 선택을 따라가며, 누가 무엇을 골라야 하는지 매트릭스로 정리한다. Sat, 16 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) containerregistrydocker-hubghcrecrgcracrharborquayzotartifactorydistributioncosignsigstorein-totosbomcyclonedxspdxnotaryoras2026deep-dive