1. Proposed title of this feature request:
Add a mechanism to check for the presence of the image signature before initiating the upgrade of an OCP cluster.
2. What is the nature and description of the request?
When we initiate the upgrade (oc adm upgrade) of an OCP cluster in a disconnected environment, we need a validation step that checks for the presence of the image signatures in the cluster.
3. Why does the customer need this? (List the business requirements here)
We get many cases where the upgrade is stuck because the image signature is not present.
Implementing this feature will avoid this issue, minimize downtime, and provide a better experience with the upgrade procedure.
4. List any affected packages or components.
- oc adm upgrade
=====================================
When the signature is missing, the upgrade gets stuck with the error below:
------
The update cannot be verified: unable to verify sha256:<image-digest> against keyrings: verifier-public-key-redhat
------
We have the following KCS articles for this:
https://access.redhat.com/solutions/7006404
https://access.redhat.com/solutions/7030139
Thus, the presence of the signature can be detected by checking for the configmap in the cluster.
- The signature can be applied by creating the configmap manually:
- By applying the signatures generated when using oc-mirror for mirroring:
- And as mentioned in https://access.redhat.com/solutions/7006404
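
One way the configmap presence check described above could look, as an added example (not code from oc or from this request). It assumes the signature configmaps live in the openshift-config-managed namespace, carry the release.openshift.io/verification-signatures label, and store each signature under a binaryData key that starts with "sha256-<digest>"; none of these names appear in the request itself, and the sample data is constructed.

```python
import re

# Assumed conventions (not stated in this request): namespace, label, and a
# binaryData key of the form "<algo>-<hex digest>[-<n>]" for each signature.
NAMESPACE = "openshift-config-managed"
LABEL = "release.openshift.io/verification-signatures"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def find_signature_configmaps(configmap_list, digest):
    """Return names of configmaps holding a signature entry for digest.

    configmap_list is the parsed JSON (e.g. via json.load) of:
      oc get configmap -n <NAMESPACE> -l <LABEL> -o json
    This is a presence check only; it does not verify the signature
    against the keyring.
    """
    if not DIGEST_RE.match(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    prefix = digest.replace(":", "-", 1)
    hits = []
    for cm in configmap_list.get("items", []):
        meta = cm.get("metadata", {})
        if LABEL not in (meta.get("labels") or {}):
            continue  # unlabelled configmaps are ignored
        entries = cm.get("binaryData") or {}
        # An empty value is a placeholder, not a signature.
        if any(k.startswith(prefix) and v for k, v in entries.items()):
            hits.append(meta.get("name", "<unnamed>"))
    return hits


# Constructed sample input: digests and signature bytes are made up.
SIGNED = "sha256:" + "a" * 64
UNSIGNED = "sha256:" + "b" * 64
SAMPLE = {"items": [
    {"metadata": {"name": "release-image-sample", "labels": {LABEL: ""}},
     "binaryData": {"sha256-" + "a" * 64 + "-1": "Y29uc3RydWN0ZWQ="}},
    {"metadata": {"name": "no-label", "labels": {}},
     "binaryData": {"sha256-" + "b" * 64 + "-1": "Y29uc3RydWN0ZWQ="}},
]}

if __name__ == "__main__":
    for d in (SIGNED, UNSIGNED):
        found = find_signature_configmaps(SAMPLE, d)
        print(d[:19] + "...", "->", found or "MISSING: no signature configmap")
```

Run before `oc adm upgrade` with the target release digest; an empty result means the signature still has to be applied.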