containers/image: remove signatures when copying in to OCI layout

This does not affect signature validation, and we do not need to
preserve signatures _after_ validation because we will never need to
propagate those signatures to another image transport/destination.

Signed-off-by: Joe Lanford <[email protected]>

Author: joelanford

pkg/image/containersimageregistry/registry.go

@@ -161,6 +161,13 @@ func (r *Registry) Pull(ctx context.Context, ref orimage.Reference) error {
 		SourceCtx:                             sourceCtx,
 		DestinationCtx:                        r.cache.getSystemContext(),
 		OptimizeDestinationImageAlreadyExists: true,
+
+		// We use the OCI layout as a temporary storage and
+		// pushing signatures for OCI images is not supported
+		// so we remove the source signatures when copying.
+		// Signature validation will still be performed
+		// accordingly to a provided policy context.
+		RemoveSignatures: true,
 	}); err != nil {
 		return err
 	}