Red Hat delivers signatures for the images in the Red Hat Container Registries. Those signatures can be automatically verified when being pulled to {product-title} 4 clusters by using the Machine Config Operator (MCO).
Quay.io serves most of the images that make up {product-title}, and only the release image is signed. Release images refer to the approved {product-title} images, offering a degree of protection against supply chain attacks. However, some extensions to {product-title}, such as logging, monitoring, and service mesh, are shipped as Operators from the Operator Lifecycle Manager (OLM). Those images ship from the Red Hat Ecosystem Catalog Container images registry.
To verify the integrity of those images between Red Hat registries and your infrastructure, enable signature verification.