Description (possible bug)

The api endpoint used by the UI /api/automation-hub/_ui/v1/repo/rh-certified/ scopes CollectionVersions to a specific repo (in this case rh-certified).

Within that endpoint, it gets metadata about the CollectionVersion including signatures. When looking up the signatures, it seems to retrieve all CollectionVersionSignatures associated to the CollectionVersion via database relation: https://github.com/ansible/galaxy_ng/blob/14f148a699b42ba380f85af1ffea9f7c75a183bb/galaxy_ng/app/api/ui/serializers/collection.py#L66

If you remove the CollectionVersionSignature content from the rh-certified repo, it still  retrieves information about it. This was discovered while working AAH-1937, where running orphan cleanup to delete the CollectionVersionSignature was the only way for system to not attempt display of it in the serializer, even though the signature was no longer in the repo.

Steps to Reproduce

1. Remove a CollectionVersionSignature from a repo (rh-certified)
2. Go to /api/automation-hub/_ui/v1/repo/rh-certified/ and see the CollectionVersion still shows as signed.

Possible scenario (tbd not verified)

1. Sync against galaxy.ansible.com to get CollectionVersion into community repo
2. Sync against CRC with same CollectionVersion which is signed
   1. CollectionVersion is already present so does not get created, but does get added to rh-certified repo
   2. CollectionVersionSignature is syncd to rh-certified repo
3. Go to /api/automation-hub/_ui/v1/repo/community/ and see the CollectionVersion shows as signed

Actual Behavior

CollectionVersion in repo X shows as signed even though there is no CollectionVersionSignature in repo X

Expected Behavior

CollectionVersion in repo X should only show as signed if CollectionVersionSignature is in repo X