cnabio / cnab-go

A Go implementation of CNAB Core 1.0
MIT License

feat(docker): add verification of image digest(s) #227

Closed vdice closed 4 years ago

vdice commented 4 years ago

The specific part of the spec that this PR currently implements is the following line:

If a contentDigest field is present, a runtime MUST validate the image digest prior to executing an action.

I didn't see how this would be done generically, e.g. outside of specific driver implementations, hence implementing it on the Docker driver only. Am I right here? If so, perhaps a follow-up could implement similar in the Kubernetes driver.

Note some remaining TODOs/Qs inline. Feel free to respond/answer in the form of code review comments.
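
The spec rule quoted in the comment above, sketched as an added example that is not code from this PR or from cnab-go. `verifyContentDigest` is a hypothetical helper, and it assumes the driver already holds the bytes the digest covers (for a container image, its manifest) and that only `sha256` digests are accepted.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// verifyContentDigest is a hypothetical helper, not a cnab-go API. When
// contentDigest is set, content must hash to it before any action runs;
// malformed or unsupported digests fail closed instead of being skipped.
func verifyContentDigest(contentDigest string, content []byte) error {
	if contentDigest == "" {
		return nil // field absent: the spec requires no check
	}
	parts := strings.SplitN(contentDigest, ":", 2)
	if len(parts) != 2 {
		return fmt.Errorf("malformed digest %q", contentDigest)
	}
	if parts[0] != "sha256" {
		return fmt.Errorf("unsupported digest algorithm %q", parts[0])
	}
	want, err := hex.DecodeString(parts[1])
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("malformed sha256 digest %q", contentDigest)
	}
	got := sha256.Sum256(content)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("content digest mismatch: refusing to run action")
	}
	return nil
}

func main() {
	manifest := []byte(`{"schemaVersion":2}`) // constructed sample bytes
	sum := sha256.Sum256(manifest)
	pinned := "sha256:" + hex.EncodeToString(sum[:])
	fmt.Println("match:", verifyContentDigest(pinned, manifest))
	fmt.Println("tampered:", verifyContentDigest(pinned, append(manifest, ' ')))
}
```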

vdice commented 4 years ago

@carolynvs @radu-matei @silvin-lubecki if any of y'all have a spare moment, it would be great to get feedback on this PR, as it addresses an area where cnab-go isn't in adherence to the spec.