  2. OCPBUGS-11311

Document mirroring of image signatures

    • OSDOCS Sprint 234, OSDOCS Sprint 235, OSDOCS Sprint 237, OSDOCS Sprint 238, OSDOCS Sprint 236, OSDOCS Sprint 239, OSDOCS Sprint 241, OSDOCS Sprint 242, OSDOCS Sprint 243
    • Release Note Not Required

      Description of problem:

      Currently we document how to install OpenShift in disconnected environments and how to mirror the images. But images for certain components outside of the OCP core come from registries like `registry.redhat.io` that, starting with RHEL 9, require image signatures. There is no documented process to mirror those signatures, which causes issues. Those issues are currently solved by disabling signature checking (see MGMT-13934). That results in a potentially insecure setup. It would be better to provide a documented process to explain how to also mirror the signatures.

      Version-Release number of selected component (if applicable):

      Detected in OpenShift 4.13 with RHCOS 9.2 because it includes a `policy.json` file that requires image signatures for `registry.redhat.io` and `registry.access.redhat.com`.

      How reproducible:

      Always.

      Steps to Reproduce:

      1. Create a mirror of the OpenShift images as described in the documentation.
      2. Add to the mirror the images required for ACM and assisted installer.
      

      Actual results:

      The cluster installation fails to pull some of the assisted installer images that come from `registry.redhat.io` because the signature can't be verified, and therefore the cluster installation fails.

      Expected results:

      The images from `registry.redhat.io` are pulled from the mirror and the signatures are verified using some kind of mirror.

      Additional info:

      Note that the solution for that is currently to disable signature verification, see OCPBUGS-10421. The request here is to avoid having to do that modification to the policy, and instead ask customers to also mirror the signatures, if that is even possible.
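      As an added illustration (not part of this bug report, nor Red Hat's tooling), the following Python helper shows the two pieces a signature-mirroring process would have to reproduce: the lookaside ("sigstore") URL layout that containers/image uses to fetch detached signatures for a digest, and a `policy.json` of the shape the report describes, which requires a GPG signature for images from `registry.redhat.io` and `registry.access.redhat.com` instead of disabling verification. The image reference, digest and `mirror.example.com` lookaside location are constructed sample values; the upstream lookaside URL and the Red Hat release key path are the ones RHEL ships by default and are stated here as assumptions about the reader's hosts.

```python
import json

# Constructed sample values (hypothetical image and digest, not real artifacts).
SAMPLE_REF = "registry.redhat.io/rhacm2/example-rhel9"
SAMPLE_DIGEST = "sha256:" + "ab" * 32
# Assumed upstream lookaside as configured in RHEL's registries.d for registry.redhat.io.
UPSTREAM_LOOKASIDE = "https://registry.redhat.io/containers/sigstore"
# Assumed lookaside served by the disconnected mirror (hypothetical host).
MIRROR_LOOKASIDE = "https://mirror.example.com/sigstore"
# Assumed location of the Red Hat release signing key on RHEL/RHCOS hosts.
REDHAT_KEY = "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"


def split_reference(ref: str) -> tuple[str, str]:
    """Split 'host/namespace/repo' into (registry host, repository path)."""
    host, _, path = ref.partition("/")
    if not path:
        raise ValueError("reference must contain a registry host and a repository path")
    return host, path


def lookaside_signature_url(base: str, ref: str, digest: str, index: int = 1) -> str:
    """URL of the index-th detached signature in containers/image lookaside layout:
    <base>/<repo path>@<algorithm>=<hex>/signature-<index> (indices start at 1)."""
    if index < 1:
        raise ValueError("signature indices start at 1")
    alg, sep, hexdigest = digest.partition(":")
    if not sep or not hexdigest:
        raise ValueError("digest must look like 'sha256:<hex>'")
    _, repo_path = split_reference(ref)
    return f"{base.rstrip('/')}/{repo_path}@{alg}={hexdigest}/signature-{index}"


def mirror_signature_pairs(ref: str, digest: str, count: int) -> list[tuple[str, str]]:
    """(upstream URL, mirror URL) pairs a mirroring job would copy, one per signature.
    Mirroring keeps the same relative path so the mirror lookaside stays resolvable."""
    return [
        (lookaside_signature_url(UPSTREAM_LOOKASIDE, ref, digest, i),
         lookaside_signature_url(MIRROR_LOOKASIDE, ref, digest, i))
        for i in range(1, count + 1)
    ]


def signed_by_policy(registries: list[str], keypath: str) -> dict:
    """policy.json requiring a GPG signature (signedBy) for each listed registry.
    The 'default' entry mirrors RHEL's shipped policy (accept unlisted registries)."""
    docker_scope = {
        registry: [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": keypath}]
        for registry in registries
    }
    return {
        "default": [{"type": "insecureAcceptAnything"}],
        "transports": {"docker": docker_scope},
    }


def registries_d_entry(registry_host: str, lookaside: str) -> dict:
    """registries.d entry telling containers/image where to look for signatures
    for images pulled from registry_host (serialise to YAML for /etc/containers/registries.d)."""
    return {"docker": {registry_host: {"lookaside": lookaside}}}


if __name__ == "__main__":
    for upstream, mirrored in mirror_signature_pairs(SAMPLE_REF, SAMPLE_DIGEST, 2):
        print(f"{upstream}\n  -> {mirrored}")
    print(json.dumps(signed_by_policy(
        ["registry.redhat.io", "registry.access.redhat.com"], REDHAT_KEY), indent=2))
    print(json.dumps(registries_d_entry("mirror.example.com", MIRROR_LOOKASIDE), indent=2))
```

      Whether the mirror registry host or the original registry name has to be the key in the mirrored `registries.d` entry depends on how the pull source is rewritten on the cluster; the example keys it by the mirror host, which is an assumption to confirm against the cluster's image mirror configuration.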

            sdudhgao@redhat.com Servesha Dudhgaonkar
            jhernand-rh Juan Hernández
            Gaoyun Pei Gaoyun Pei