Validating an "Notation (ex-Notary)" image signature every time before using it to run a container ?

[nipil]

I am using Notation to sign image and the signatures are stored along the image in a Harbor registry, and the registry can prevent pulling the image if it is not signed, and that works.

But i cannot seem to find how to force podman to verify locally stored (pulled) image Notation signature every time before using it.

I have two use-cases where that behaviour is desired :

1. The signature on the image has been revoked/removed since the last pull
2. To prevent local load and use (bypassing the registry) and thus running unsigned images

I have read https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#sigstoresigned

And i admit i have not yet understood if (and how) it would be applicable to the cases above, furthermore with Notation

[nipil]

Anyone would have any idea ?