Indeed, I can see that the image verification code only executes when an image is downloaded from glance:
https://github.com/openstack/nova/blob/20bc0136d0665bafdcd379f19389a0a5ea7bf310/nova/image/glance.py#L387
To fix this, we need to run the verification routine even when an image is already cached on the compute node, if instance.trusted_certs or CONF.glance.verify_glance_signatures.
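
Added example, not part of the original comment and not nova code: a toy model of the behaviour described above, where signature checking runs only on download, next to a variant that also checks on a cache hit. `ComputeNode`, `get_image`, `verify_cached` and the HMAC used in place of Glance's certificate-based signature check are all assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the image signing certificate

def sign(data):
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify(data, signature):
    if not hmac.compare_digest(sign(data), signature):
        raise ValueError("image signature mismatch")

class ComputeNode:
    """Hypothetical compute node with a local image cache (not nova's classes)."""
    def __init__(self, store, verify_signatures=False, verify_cached=False):
        self.store = store    # image_id -> (data, signature); plays the role of glance
        self.cache = {}       # image_id -> data; plays the role of the on-disk cache
        self.verify_signatures = verify_signatures  # models CONF.glance.verify_glance_signatures
        self.verify_cached = verify_cached          # False = check on download only

    def get_image(self, image_id, trusted_certs=None):
        must_verify = bool(trusted_certs) or self.verify_signatures
        signature = self.store[image_id][1]
        if image_id in self.cache:
            data = self.cache[image_id]
            # Proposed behaviour: a cache hit goes through the same check.
            if must_verify and self.verify_cached:
                verify(data, signature)
            return data
        data = self.store[image_id][0]
        if must_verify:
            verify(data, signature)  # the only check when verify_cached is False
        self.cache[image_id] = data
        return data

def demo():
    image = b"constructed image bytes"  # constructed sample data
    store = {"img-1": (image, sign(image))}
    results = {}
    for label, verify_cached in (("download_only", False), ("cache_too", True)):
        node = ComputeNode(store, verify_signatures=True, verify_cached=verify_cached)
        node.get_image("img-1")                    # first boot: downloaded and verified
        node.cache["img-1"] = b"changed on disk"   # cached copy differs from the signed image
        try:
            node.get_image("img-1", trusted_certs=["cert-a"])
            results[label] = "served unverified"
        except ValueError:
            results[label] = "rejected"
    return results
```
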