It appears this was finally changed mid-March, but after initial release in December, image signing initially worked as follows:
Docker’s report that a downloaded image is “verified” is based solely on the presence of a signed manifest, and Docker never verifies the image checksum from the manifest. An attacker could provide any image alongside a signed manifest.
https://news.ycombinator.com/item?id=8788770
https://titanous.com/posts/docker-insecurity
https://github.com/docker/docker/issues/9719
edit: add hn discussion, github issue.
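As an added illustration of the comment's point (example code, not from the thread, the linked posts, or Docker itself), here is a presence-only "verified" check beside the digest check that was missing; the `Manifest` type, the signature stand-in and the sample blobs are assumptions of the example, not Docker's real manifest schema.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a simplified stand-in for the signed manifest (an assumption here,
// not Docker's real schema): expected layer digests plus a signature field.
type Manifest struct {
	Layers    []string // expected digests, "sha256:<hex>"
	Signature string   // stands in for the JWS; non-empty means "signed"
}

// verifySignature stands in for the real signature check.
func verifySignature(m Manifest) bool { return m.Signature != "" }

// digestOf hashes a downloaded blob into the manifest's digest format.
func digestOf(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// verifyPresenceOnly mirrors the flawed behaviour described in the comment:
// a signed manifest is accepted as proof of whatever layer bytes arrived with it.
func verifyPresenceOnly(m Manifest, layers [][]byte) error {
	if !verifySignature(m) {
		return errors.New("manifest not signed")
	}
	return nil // layer contents are never compared against m.Layers
}

// verifyWithDigests adds the missing step: every downloaded layer must hash to
// the digest the signed manifest names, otherwise the image is rejected.
func verifyWithDigests(m Manifest, layers [][]byte) error {
	if !verifySignature(m) {
		return errors.New("manifest not signed")
	}
	if len(layers) != len(m.Layers) {
		return fmt.Errorf("manifest lists %d layers, got %d", len(m.Layers), len(layers))
	}
	for i, blob := range layers {
		if got := digestOf(blob); got != m.Layers[i] {
			return fmt.Errorf("layer %d: manifest says %s, blob is %s", i, m.Layers[i], got)
		}
	}
	return nil
}
```

Given a signed manifest and a layer whose bytes differ from the one the manifest names, `verifyPresenceOnly` returns nil while `verifyWithDigests` returns a layer-mismatch error; an unsigned manifest or a layer-count mismatch is rejected by the digest check as well.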