signatures missing #2096

@maciej-markowski

Version
Please provide the versions of the pulpcore and pulp_container packages in use, and how they are installed. If you are using Pulp via Katello, please provide the Katello version.
Pulp container quay.io/pulp/pulp:3.92.1

- component: core
  domain_compatible: true
  module: pulpcore.app
  package: pulpcore
  version: 3.92.1
- component: container
  domain_compatible: true
  module: pulp_container.app
  package: pulp-container
  version: 2.26.3

Describe the bug
I am using cosign to sign images that are pushed into Azure Container Registry.
I need to replicate the ACR repositories in the pulp container registry. Images are synced correctly, but signatures and attestations are omitted.

I have tested the 'old' cosign 2.6.1, which produces attestations and signatures in the form of additional artifacts stored in ACR, in the same repo as the image, with the pseudo tag <image_sha>.[sig|att]; they are ignored by pulp sync.

I also tested the 'new' cosign 3.02, which produces attestations and signatures in the form of a bundle. They are stored as referrers; the difference between them and what is in the pulp docs is that the artifact type is application/vnd.dev.sigstore.bundle.v0.3+json. Pulp sync ignores them as well.

To Reproduce
Build container image
Push to ACR
Sign it with cosign
Create repository, remote, distribution
sync

Expected behavior
The image is synced into pulp, and signatures and attestations are available as well.

Additional context
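
A post-sync check for the gap reported above, as an added example that is not part of the original issue or of Pulp's code: given each registry's tag list and OCI referrers response for one image digest, it lists the cosign signature and attestation artifacts that exist in the source but not in the mirror. All sample data is constructed and the function names are hypothetical; the tag form `sha256-<hex>.sig` / `.att` is assumed to be what the issue calls the pseudo tag.

```python
# Artifact type the issue reports for cosign 3.x bundles stored as referrers.
BUNDLE_TYPE = "application/vnd.dev.sigstore.bundle.v0.3+json"


def legacy_tags(digest):
    """Tag-based layout: sha256:<hex> becomes sha256-<hex>.sig and .att."""
    algo, hexpart = digest.split(":", 1)
    return {f"{algo}-{hexpart}.{suffix}" for suffix in ("sig", "att")}


def signature_artifacts(digest, tags, referrers_index):
    """Signature/attestation artifacts one registry holds for `digest`.

    tags            -- "tags" array from GET /v2/<name>/tags/list
    referrers_index -- parsed body of GET /v2/<name>/referrers/<digest>,
                       or None if the registry returned nothing usable
    """
    found = {("tag", t) for t in legacy_tags(digest) & set(tags)}
    for desc in (referrers_index or {}).get("manifests") or []:
        if desc.get("artifactType") == BUNDLE_TYPE:
            found.add(("referrer", desc["digest"]))
    return found


def missing_in_mirror(digest, source, mirror):
    """Artifacts present in source (tags, index) but absent from mirror."""
    return signature_artifacts(digest, *source) - signature_artifacts(digest, *mirror)


# --- constructed sample data (not taken from a real registry) ---
DIGEST = "sha256:" + "a" * 64
BUNDLE = "sha256:" + "b" * 64
SOURCE = (
    ["v1", f"sha256-{'a' * 64}.sig", f"sha256-{'a' * 64}.att"],
    {"schemaVersion": 2, "manifests": [
        {"digest": BUNDLE, "artifactType": BUNDLE_TYPE},
        # unrelated referrer, must not be counted as a signature
        {"digest": "sha256:" + "c" * 64, "artifactType": "application/spdx+json"},
    ]},
)
MIRROR = (["v1"], {"schemaVersion": 2, "manifests": []})

if __name__ == "__main__":
    for kind, ref in sorted(missing_in_mirror(DIGEST, SOURCE, MIRROR)):
        print(f"missing in mirror: {kind} {ref}")
```
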
