Story #9507
Updated by ipanova@redhat.com about 3 years ago
Mirrored signatures are not verified. Signature verification is offloaded to the client.
If `with-signature=True` ( TBD agree on naming) was specified only those images that have signature with be mirrored. Rest of the images will be skipped. `Signature server location` needs to be specified.
Otherwise it will be assumed that the signature is stored on the registry in a form of manifest or a separate object:
* If it is a separate object, signature API extensions should be available on the registry and `X-Registry-Supports-Signatures` header will identify that https://github.com/containers/image/blob/main/docs/signature-protocols.md#openshift-dockerdistribution-api-extension
* If it is stored in a form of a manifest then it most likely was signed with cosign https://github.com/SigStore/cosign#signing-subjects.
**Q** does podman/skopeo support verification of cosign signature type? I see only atomic type for now.
.