Currently when fetching a multi-arch image, this crate will resolve the manifest list into the appropriate architecture and get the manifest for that architecture. This is great, but there is one snag. Sometimes when people sign multi-arch images, they just sign the manifest list. Thus, to validate the signature, you need the digest of the manifest list, which this crate does not report.
Perhaps, we could add an additional interface that retrieves the manifest digest and also the manifest list digest for multi-arch images?
Currently when fetching a multi-arch image, this crate will resolve the manifest list into the appropriate architecture and get the manifest for that architecture. This is great, but there is one snag. Sometimes when people sign multi-arch images, they just sign the manifest list. Thus, to validate the signature, you need the digest of the manifest list, which this crate does not report.
Perhaps, we could add an additional interface that retrieves the manifest digest and also the manifest list digest for multi-arch images?