containers/image: remove signatures when copying in to OCI layout

[joelanford]

This does not affect signature validation, and we do not need to preserve signatures after validation because we will never need to propagate those signatures to another image transport/destination.

Description of the change:

When using the containers/image registry client implementation, remove signatures when copying in to OCI layout

Motivation for the change:

The OCI layout destination does not support copying signatures. This causes a bug (render/migrate fail) when using a policy that requires signature validation.

This change does not affect signature validation, and we do not need to preserve signatures after validation because we will never need to propagate those signatures to another image transport/destination.

Reviewer Checklist

• Implementation matches the proposed design, or proposal is updated to match implementation
• Sufficient unit test coverage
• Sufficient end-to-end test coverage
• Docs updated or added to /docs
• Commit messages sensible and descriptive

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joelanford

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [joelanford]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 55.17%. Comparing base (bec5c5c) to head (aac07e9).
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1664      +/-   ##
==========================================
+ Coverage   55.15%   55.17%   +0.01%     
==========================================
  Files         136      136              
  Lines       15911    15918       +7     
==========================================
+ Hits         8776     8782       +6     
- Misses       5982     5983       +1     
  Partials     1153     1153              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[grokspawn]

Maybe we also want

PreserveDigests: true,

It doesn't impact this particular operation, but it also seems a good option which doesn't default on.
I verified that this works with upstream (unsigned) and downstream (signed) example catalogs.

[joelanford]

GoDoc for that field is:

// Preserve digests, and fail if we cannot.

I'm hesitant about the "fail if we cannot" part. We have similar code in operator-controller that does not set this value, so I don't think it is necessary, and likely not for this bug fix specifically.

[grokspawn]

I agree that it's not necessary for resolving this bug. But the bug arose because we didn't consider other fields that might've been pertinent when we introduced the new containers/image registry support, so it felt like we should at least discuss any other possible missed configuration.

I think we can agree that mutating digests across our local copy would be an undesirable side effect.

[grokspawn]

On second thought, even skopeo has this option as a non-main-path flag, which suggests that there are conditions under which this is desirable, but not in general.
If we wanted this, we should plumb through a controlling flag. Which I don't think we need to do, at this time.

[grokspawn]

/lgtm