Back out enforced signature verification by default

[cgwalters]

I think the ostree/container attempt to enforce signature verification is strongly motivated (and this is all covered in containers/skopeo#1829 ) but ultimately I feel we're also kind of fighting against the current ecosystem. And our implementation is suboptimal.

In this proposal we behave the same as podman/docker. I do still think we should have e.g. podman pull --require-signatures or so...and once that happens we handle it too.

[cgwalters]

In this proposal we behave the same as podman/docker. I do still think we should have e.g. podman pull --require-signatures or so...and once that happens we handle it too.

To elaborate on this I think what we ultimately want is to try to slowly force into the ecosystem at least a minimum bar where privileged containers must be signed, and we think of the bootc OS as just another privileged container. Truly enforcing it may never happen in podman upstream but we could emit increasing warnings over time (e.g. start with just printing, maybe a year or two from now we add in my favorite mechanism, a sleep(5) that makes it just annoying enough to force). And some OS vendors would probably be very happy with a trivial drop-in to /etc/containers/policy/01-force.json or so.