Container Support

Ticket moved to GitHub: "pulp/pulp_container/498":https://github.com/pulp/pulp_container/issues/498

Synced signatures are not verified. Signature verification is offloaded to the client.

If with-signature=True ( TBD agree on naming) was specified only those images that have signature with be mirrored. Rest of the images will be skipped. Signature server location needs to be specified ( it's the webserver location of signatures, for example https://registry.redhat.io/containers/sigstore). Otherwise it will be assumed that the signature is stored on the remote registry in a form of manifest or a separate object:

• If it is a separate object, signature API extensions should be available on the registry and X-Registry-Supports-Signatures header will identify that https://github.com/containers/image/blob/main/docs/signature-protocols.md#openshift-dockerdistribution-api-extension
• If it is stored in a form of a manifest then it most likely was signed with cosign https://github.com/SigStore/cosign#signing-subjects. we will not support this for now

Q: does podman/skopeo support verification of cosign signature type? Only atomic type for now https://github.com/containers/image/blob/main/docs/containers-signature.5.md#criticaltype

Q: how this will work with mirror=True?