nova-compute doesn't check image signature if imagecache exists

Description
===========
nova-compute doesn't verify image signature/certificate in barbican component if local imagecache exists for this image on compute node.

Steps to reproduce
==================
Preconditions:
Nova, Glance, Barbican components (Pike) are installed with default settings and policy.json. Environment has 1 compute node (to simplify the case).

* Create signed glance image. Please follow https://docs.openstack.org/glance/pike/user/signature.html
* Create separate project and user with "member" role in it.
* Login as member user and try to boot VM from your signed image.

Actual and expected result:
VM is not booted. Error:
Server <ID> failed to build and is in ERROR status
Details: {u'message': u'Build of instance <ID> aborted: Signature verification for the image failed: Unable to retrieve certificate with ID: <cert_ID>.', u'code': 500, u'created': u'2018-07-18T15:53:15Z'}

* Login as admin. Boot VM from the image.
Actual and expected result:
VM is Active.

* Login as member user again. Boot VM from the image.
Actual result:
VM is Active.

Expected result:
User doesn't have enough rights to boot VM, because image cannot be verified (cannot retrieve certificate from barbican). However, since compute node has imagecache of this image, nova-compute boots VM.

On compute node:
ls -la /var/lib/nova/instances/_base/
   total 38424
   drwxr-xr-x 2 nova nova 4096 Aug 5 17:12 .
   drwxr-xr-x 7 nova nova 4096 Aug 6 16:34 ..
   -rw-r--r-- 1 libvirt-qemu kvm 41126400 Aug 6 16:32 5dfc15a8b8ab3ac68ff5d442fed2564adbaa4149

Environment
===========
Openstack Pike,
nova 2:16.1.3-1~u16.04
python-novaclient 2:9.1.1-1~u16.04
qemu-kvm 1:2.11+dfsg-1.4~u16.04
libvirt 4.0.0-1.7~u16.04
python-libvirt 3.5.0-1.1~u16.04