question: does this library ensures the integrity of an image downloaded by its digest ?

[arbll]

Hey Folks,

I am trying to understand if this library, when asked to grab an image by digest of its manifest/index in the following way:

registry, err := name.NewRegistry("malicious.io", name.StrictValidation)
if err != nil {
	return fmt.Errorf("could not create registry: %w", err)
}
digest := registry.Repo("org", "image").Digest("sha256:32a9fbff2c13d04a369cb9436ccb281068d6c5c11f6ee3880412eaf3564cde1e")
image, err := remote.Image(digest)
if err != nil {
	return fmt.Errorf("could not retrieve image: %w", err)
}

would, even if the registry answering is malicious, properly check that:

• the initial index/manifest that gets returned has the right hash
• subsequent manifest / config / layers have the right hash as referenced in previous index / manifest

The following piece of code makes me doubt:

go-containerregistry/pkg/v1/remote/fetcher.go

Lines 151 to 155 in 8dadbe7

	if err == nil && mediaType == types.DockerManifestSchema1Signed {
	// If we can parse the digest from the header, and it's a signed schema 1
	// manifest, let's use that for the digest to appease older registries.
	digest = contentDigest
	}

It looks like answering a DockerManifestSchema1Signed could be abused by the remote repo to bypass the digest verification ?
I might be missing something tho