Comment 1 for bug 1785668

Indeed, I can see that the image verification code only executes when an image is downloaded from glance:

https://github.com/openstack/nova/blob/20bc0136d0665bafdcd379f19389a0a5ea7bf310/nova/image/glance.py#L387

To fix this, we need to run the verification routine even when an image is already cached on the compute node, if instance.trusted_certs or CONF.glance.verify_glance_signatures.