OCPBUGS-44427 (OpenShift Bugs)

ocp4-cis-ocp-allowed-registries is reporting a non-compliant state when Image Signature verification is enabled


Description of problem:

Enabling https://docs.openshift.com/container-platform/4.16/security/container_security/security-container-signature.html#containers-signature-verify-enable_security-container-signature causes problems with the ocp4-cis-ocp-allowed-registries check from the Compliance Operator, because some changes are required to make Image Signature verification work as expected. Details can be found in https://access.redhat.com/solutions/6958257, but the summary is as follows.

To make Image Signature verification work, one needs to remove registrySources.allowedRegistries from the image.config.openshift.io/cluster resource to prevent a MachineConfig from being written that always takes precedence. The question is whether registrySources.allowedRegistries is really required to achieve compliance with ocp4-cis-ocp-allowed-registries, or if allowedRegistriesForImport would be enough. It certainly is rather painful to implement Image Signature verification and then find that CIS compliance is no longer possible.

Version-Release number of selected component (if applicable):

OpenShift Container Platform 4 with Compliance Operator (all versions)

How reproducible:

Always

Steps to Reproduce:

1. Install OpenShift Container Platform 4 with Compliance Operator (the CIS Benchmark profile shall be used)
2. Configure the image.config.openshift.io/cluster resource with allowedRegistriesForImport
3. Enable Image Signature verification following https://docs.openshift.com/container-platform/4.16/security/container_security/security-container-signature.html#containers-signature-verify-enable_security-container-signature

Actual results:

$ oc get ComplianceCheckResult |grep -i ocp4-cis-ocp-allowed-registries
ocp4-cis-ocp-allowed-registries                                               FAIL     medium

Expected results:

ocp4-cis-ocp-allowed-registries should eventually PASS when allowedRegistriesForImport is set, or otherwise the entire approach with registrySources.allowedRegistries and/or Image Signature verification needs to be adopted to make things work as expected.

Additional info:
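The following audit helper is an added example for this report; it is not code from the bug report, the Compliance Operator or OpenShift. It reads the image.config.openshift.io/cluster resource as JSON (for example the output of `oc get image.config.openshift.io/cluster -o json`) and reports the two settings the report contrasts: spec.allowedRegistriesForImport and spec.registrySources.allowedRegistries. The sample resource embedded below is constructed, and the signature_verification_enabled flag is an assumed input, because whether the signature policy is enforced is not visible in this resource.

```python
"""Audit the registry allow-lists on image.config.openshift.io/cluster.

Added example for OCPBUGS-44427 (not code from the report, the Compliance
Operator or OpenShift). Reports:

* spec.allowedRegistriesForImport  - allow-list applied to image imports
* spec.registrySources.allowedRegistries - pull allow-list that is rendered
  into a MachineConfig, which takes precedence over the signature policy
  (see https://access.redhat.com/solutions/6958257)
"""
import json
import sys

# Constructed sample resource; not taken from a real cluster.
SAMPLE_IMAGE_CONFIG = json.loads("""
{
  "apiVersion": "config.openshift.io/v1",
  "kind": "Image",
  "metadata": {"name": "cluster"},
  "spec": {
    "allowedRegistriesForImport": [
      {"domainName": "registry.redhat.io", "insecure": false},
      {"domainName": "quay.io", "insecure": false}
    ],
    "registrySources": {
      "allowedRegistries": ["registry.redhat.io", "quay.io"]
    }
  }
}
""")


def registry_settings(image_config: dict) -> dict:
    """Extract both allow-lists from the resource; missing keys yield empty lists."""
    spec = image_config.get("spec") or {}
    for_import = [
        entry.get("domainName", "")
        for entry in (spec.get("allowedRegistriesForImport") or [])
        if isinstance(entry, dict)
    ]
    sources = spec.get("registrySources") or {}
    return {
        "allowedRegistriesForImport": sorted(for_import),
        "registrySources.allowedRegistries": sorted(sources.get("allowedRegistries") or []),
    }


def audit(image_config: dict, signature_verification_enabled: bool) -> list:
    """Return human-readable findings; an empty list means nothing was flagged.

    signature_verification_enabled is an assumed input: the resource itself
    does not show whether the signature policy is enforced on the nodes.
    """
    settings = registry_settings(image_config)
    findings = []
    if signature_verification_enabled and settings["registrySources.allowedRegistries"]:
        findings.append(
            "registrySources.allowedRegistries is set while image signature "
            "verification is enabled; the generated MachineConfig takes "
            "precedence over the signature policy "
            "(see https://access.redhat.com/solutions/6958257)"
        )
    if not settings["allowedRegistriesForImport"] and not settings["registrySources.allowedRegistries"]:
        findings.append("no registry allow-list configured on image.config.openshift.io/cluster")
    return findings


if __name__ == "__main__":
    # Pass a file containing the exported resource, or run without
    # arguments to audit the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            cfg = json.load(fh)
    else:
        cfg = SAMPLE_IMAGE_CONFIG
    for key, value in registry_settings(cfg).items():
        print(f"{key}: {value or '(unset)'}")
    for finding in audit(cfg, signature_verification_enabled=True):
        print("FINDING:", finding)
```

Run as `oc get image.config.openshift.io/cluster -o json > image.json && python audit.py image.json` on a cluster; on the constructed sample it reports the combination the bug describes (both allow-lists set), and reports nothing if only allowedRegistriesForImport remains.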

lbragsta@redhat.com Lance Bragstad
rhn-support-sreber Simon Reber
Xiaojie Yuan Xiaojie Yuan