[BUG] Image signing is broken

[RoyalOughtness]

Describe the bug
I posted about this elsewhere but it probably fell through the cracks as it was on a closed issue.

Trying to pull ghcr.io/jasonn3/build-container-installer:latest...
Error: Source image rejected: A signature was required, but no signature exists

I have this in my policy.json:

      "ghcr.io/jasonn3": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/build-container-installer.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ],

and this in /usr/etc/pki/containers/build-container-installer.pub:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY4ljyIhI2w9DOptB4WT20S+K5ts3
GJTEKRkXmIYEXGfyKpJMdlGCWeg2kOam5dNhWKXXl46d3eBBo9S53TPpyQ==
-----END PUBLIC KEY-----

To Reproduce
Steps to reproduce the behavior:

1. podman pull ghcr.io/jasonn3/build-container-installer:latest

Expected behavior

it should pull successfully

Desktop (please complete the following information):

• OS: Fedora GNOME Atomic
• Version 41

[JasonN3]

There's a cleanup job that is supposed to only clean up old images that aren't needed any more. It's apparently cleaning up too much and removing the signature images. I've disabled the schedule for now so the signatures don't get cleaned up again before I can figure out which part of the workflow is doing too much.