Adds invocation image digest verification per the CNAB Spec to the Docker driver.
The specific part of the spec that this PR currently implements is the following line:
If a contentDigest field is present, a runtime MUST validate the image digest prior to executing an action.
I didn't see how this would be done generically, e.g. outside of specific driver implementations, hence implementing it on the Docker driver only. Am I right here? If so, perhaps a follow-up could implement similar in the kubernetes driver.
Note some remaining TODOs/Qs inline. Feel free to respond/answer in the form of code review comments.
@carolynvs @radu-matei @silvin-lubecki if any of y'all have a spare moment, it would be great to get feedback on this PR, as it addresses an area where cnab-go isn't in adherence to the spec.
The specific part of the spec that this PR currently implements is the following line:
If a contentDigest field is present, a runtime MUST validate the image digest prior to executing an action.
I didn't see how this would be done generically, e.g. outside of specific driver implementations, hence implementing it on the Docker driver only. Am I right here? If so, perhaps a follow-up could implement similar in the kubernetes driver.
Note some remaining TODOs/Qs inline. Feel free to respond/answer in the form of code review comments.