Currently, our operator enables Chains by default. Even though, the secret is empty and chains.tekton.dev/signed = True is set. This is an incorrect behaviour.
The correct behaviour should be - if the secret is empty and "keyless" is not configured, chains shouldn't sign anything, and thus shouldn't set that annotation.