Story #9507

Updated by pulpbot over 2 years ago


 **Ticket moved to GitHub**: "pulp/pulp_container/498": 


 Synced signatures are not verified. Signature verification is offloaded to the client. 

 If `with-signature=True` (TBD: agree on naming) was specified, only those images that have a signature will be mirrored. The rest of the images will be skipped. `Signature server location` needs to be specified (it's the webserver location of signatures, for example
 Otherwise it will be assumed that the signature is stored on the remote registry in the form of a manifest or a separate object:
 * If it is a separate object, signature API extensions should be available on the registry and the `X-Registry-Supports-Signatures` header will identify that
 * If it is stored in the form of a manifest, then it most likely was signed with cosign. **We will not support this for now.**

 **Q:** does podman/skopeo support verification of cosign signature type? Only atomic type for now 

 **Q:** how will this work with mirror=True?
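
The source-selection and skip rules described in the ticket, as an added sketch that is not pulp_container code. All function and class names are hypothetical. It assumes "Otherwise" means no signature server location was set, and it assumes the header value `1` and the two URL layouts used by the containers/image client.

```python
from enum import Enum
from typing import Dict, List, Mapping, Optional, Tuple


class SignatureSource(Enum):
    SIGNATURE_SERVER = "signature server (web server)"
    REGISTRY_EXTENSION = "registry signature API extension"
    UNSUPPORTED = "stored as a manifest (likely cosign)"


def pick_source(signature_server: Optional[str],
                registry_headers: Mapping[str, str]) -> SignatureSource:
    """Choose where signatures are fetched from for one remote."""
    if signature_server:
        return SignatureSource.SIGNATURE_SERVER
    # HTTP header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v.strip() for k, v in registry_headers.items()}
    # Assumption: the value "1" announces support, as containers/image expects.
    if headers.get("x-registry-supports-signatures") == "1":
        return SignatureSource.REGISTRY_EXTENSION
    return SignatureSource.UNSUPPORTED


def signature_url(source: SignatureSource, base: str, repository: str,
                  digest: str, index: int = 1) -> Optional[str]:
    """Build the fetch URL for one signature; None when the source is unsupported."""
    algo, sep, hexdigest = digest.partition(":")
    if not sep or not hexdigest:
        raise ValueError(f"malformed digest: {digest!r}")
    base = base.rstrip("/")
    if source is SignatureSource.SIGNATURE_SERVER:
        return f"{base}/{repository}@{algo}={hexdigest}/signature-{index}"
    if source is SignatureSource.REGISTRY_EXTENSION:
        return f"{base}/extensions/v2/{repository}/signatures/{digest}"
    return None


def plan_sync(signatures_by_digest: Dict[str, List[bytes]],
              with_signature: bool) -> Tuple[List[str], List[str]]:
    """Split manifest digests into (mirrored, skipped). Nothing is verified here."""
    mirrored, skipped = [], []
    for digest, sigs in signatures_by_digest.items():
        # Only an image with zero signatures is skipped, and only when filtering is on.
        (skipped if with_signature and not sigs else mirrored).append(digest)
    return mirrored, skipped
```

Because signatures are only presence-checked and not verified during sync, a mirrored image in this sketch still needs a client-side trust policy before it is pulled.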