openshift / machine-config-operator

Apache License 2.0

`ClusterImagePolicy`’s code to set `use-sigstore-attachments` does not set it for mirrors #4446

Closed mtrmac closed 2 months ago

mtrmac commented 3 months ago

When a ClusterImagePolicy is set on a scope to accept sigstore signatures, the underlying registry needs to be configured with use-sigstore-attachments: true. https://github.com/openshift/machine-config-operator/blob/444decb1dfd1ebb3fb7c2e5a96ff3b3d53b6f492/pkg/controller/container-runtime-config/helpers.go#L936 does do that for the configured scope; but the use-sigstore-attachments option applies not to the “logical name”, but to each underlying mirror individually.

I.e., the option needs to be on every mirror of the scope. Without that, if the image is found on one of those mirrors, the c/image code will not be looking for signatures on the mirror, and policy enforcement is likely to fail.
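As an added illustration (not code from this issue, from the machine-config-operator repository, or from containers/image), the following Go program models the two registries.conf shapes the comment above contrasts: the option set only on the scope's primary location, and the option set on the primary location and on every mirror. The `Endpoint` and `Registry` types and the helper names are simplified stand-ins invented for this example, not the sysregistriesv2 types; the scope prefix and mirror locations are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Endpoint is a simplified stand-in (an assumption for this example, not the
// containers/image sysregistriesv2 type) for one pull location: the primary
// location of a scope or one of its mirrors.
type Endpoint struct {
	Location               string
	UseSigstoreAttachments bool
}

// Registry models one [[registry]] table of registries.conf with its mirrors.
type Registry struct {
	Prefix  string
	Primary Endpoint
	Mirrors []Endpoint
}

// MirrorsMissingSigstore lists the mirrors of a scope on which signatures will
// not be looked up: use-sigstore-attachments applies per endpoint, so the flag
// on the primary location does nothing for a pull that a mirror serves.
func MirrorsMissingSigstore(r Registry) []string {
	var missing []string
	for _, m := range r.Mirrors {
		if !m.UseSigstoreAttachments {
			missing = append(missing, m.Location)
		}
	}
	return missing
}

// EnableSigstoreForScope is the corrected shape: the option is set on the
// primary location and on every mirror. The input is left unchanged.
func EnableSigstoreForScope(r Registry) Registry {
	out := r
	out.Primary.UseSigstoreAttachments = true
	out.Mirrors = make([]Endpoint, len(r.Mirrors))
	for i, m := range r.Mirrors {
		m.UseSigstoreAttachments = true
		out.Mirrors[i] = m
	}
	return out
}

// RenderRegistriesConf prints the scope in registries.conf TOML syntax so the
// difference between the two shapes is visible in the file the runtime reads.
func RenderRegistriesConf(r Registry) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[[registry]]\nprefix = %q\nlocation = %q\n", r.Prefix, r.Primary.Location)
	if r.Primary.UseSigstoreAttachments {
		b.WriteString("use-sigstore-attachments = true\n")
	}
	for _, m := range r.Mirrors {
		fmt.Fprintf(&b, "\n[[registry.mirror]]\nlocation = %q\n", m.Location)
		if m.UseSigstoreAttachments {
			b.WriteString("use-sigstore-attachments = true\n")
		}
	}
	return b.String()
}

// SampleScope is a constructed scope with two mirrors where the option is set
// only on the primary location, the shape the issue describes.
func SampleScope() Registry {
	return Registry{
		Prefix:  "registry.example.com/team",
		Primary: Endpoint{Location: "registry.example.com/team", UseSigstoreAttachments: true},
		Mirrors: []Endpoint{
			{Location: "mirror-a.example.com/team"},
			{Location: "mirror-b.example.com/team"},
		},
	}
}

func main() {
	before := SampleScope()
	fmt.Println("mirrors without use-sigstore-attachments:", MirrorsMissingSigstore(before))
	fmt.Println("--- option only on the primary location ---")
	fmt.Print(RenderRegistriesConf(before))
	after := EnableSigstoreForScope(before)
	fmt.Println("--- option on the primary location and every mirror ---")
	fmt.Print(RenderRegistriesConf(after))
}
```

`MirrorsMissingSigstore` is the check worth running against a generated registries.conf: any mirror it reports is a location from which an image can be pulled without signatures being looked up, so a policy that requires sigstore signatures on that scope fails exactly when the pull happens to be served by that mirror.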

mtrmac commented 3 months ago

Thanks to @wking for reporting and tracking down this issue.

wking commented 3 months ago

Thanks for writing up this summary :bow: I've opened OCPBUGS-36344 with a Jira-side copy of this report and an attempt at reproducer steps, for convenient tracking on the Jira side.

QiWang19 commented 3 months ago

I will look into this next sprint. :eyes: