    • Type: Spike
    • Resolution: Unresolved
    • Sprint: CLID Sprint 263, CLID Sprint 264

      Todo list:

      • Understand all the requirements (attestations, for example)
        • Description & examples (build attestations) can be found here
      • Find the SMEs that can assist with this
      • Find out the plans of c/image regarding OCI 1.1 referrals
      • Find out if c/image's copy copies signatures along with images (when a tag-based signature is found)
        • Yes, provided that the config in /etc/containers/registries.d/ for both the source and destination registries has use-sigstore-attachments: true
        • For manifest lists, are all signatures copied? I had a feeling only the amd64 and the manifest list signatures were copied. arm64 and other manifests don't seem to have signatures.
      • Find out if c/image's copy copies attestations
      • Find out the plans of distribution/distribution (oc-mirror cache) regarding OCI 1.1 referrals
      • Find out whether oc-mirror is expected to verify all the signatures or just copy them
      • Find out if we are supposed to support all sigstore signatures or just the ones signed by ART/Red Hat
      • Find out if the ART/Red Hat signatures are signed by PGP or if they require access to Rekor and other Sigstore external systems (certificate authorities, certificate repositories, etc.)
      • Find out if oc-mirror needs to describe the disconnected process to verify these signatures
      • No access to external systems (sigstore related) for enclaves
      • Archives generated by oc-mirror v2 are differential: this means that ImageBlobGatherer discovers and copies all blobs belonging to the manifests, but today doesn't explore signatures attached...
      • Is it possible that c/image copy needs a different set of configurations per image (policy, signByFingerPrint, signBySigstorePrivateKey, signIdentity, etc.)?
      • Should oc-mirror verify signatures, or only copy them?
      • Should we implement a new signature verification for releases? Today's version is based on something that resembles lookaside, but not exactly...
      • Is the configMap generation still necessary?
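      As an added illustration of the registries.d condition noted above (not part of this issue or of c/image's own files), this is the shape of a containers-registries.d(5) drop-in that enables sigstore attachment copying for a source and a mirror registry; the two hostnames are placeholders.

```yaml
# Added example: /etc/containers/registries.d/sigstore-attachments.yaml
# Registry hostnames are placeholders. Both the registry being read from and
# the registry being written to need use-sigstore-attachments enabled, or
# c/image's copy will skip the sigstore signatures attached to the image.
docker:
  source.registry.example:
    use-sigstore-attachments: true
  mirror.registry.example:
    use-sigstore-attachments: true
```

      Any c/image-based tool (skopeo, oc-mirror) reads this directory, so the same file applies to both the copy and a later verification step.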

      Assignee: Unassigned
      Reporter: Sherine Khoury (skhoury@redhat.com)