2nd chunk of `content/manuals/engine/security/trust/_index.md`


Publishers can choose to sign a specific tag or not. As a result, the content of
an unsigned tag and that of a signed tag with the same name may not match. For
example, a publisher can push a tagged image `someimage:latest` and sign it.
Later, the same publisher can push an unsigned `someimage:latest` image. This second
push replaces the unsigned tag `latest` in the registry but does not affect the
signed `latest` version, which remains pinned to the digest recorded when it was signed.
The ability to choose which tags to sign lets publishers iterate on the unsigned
version of an image before officially signing it.

Image consumers can enable DCT to ensure that images they use were signed. If a
consumer enables DCT, they can only pull, run, or build with trusted images.
Enabling DCT is a bit like applying a "filter" to your registry. Consumers "see"
only signed image tags and the less desirable, unsigned image tags are
"invisible" to them.
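To make the two views of the same tag concrete, here is a small model of the behaviour described in the two paragraphs above. It is an added example, not Docker's or Notary's code: the `Registry` class stands in for a plain registry whose tag-to-digest map moves on every push, `TrustData` stands in for the publisher's signed targets (what Notary holds in real DCT), and the `content_trust` flag on `Client` plays the role of `DOCKER_CONTENT_TRUST=1`. The image contents and tag names are constructed for the example.

```python
import hashlib


class TrustError(Exception):
    """Raised when a client with content trust enabled finds no signed digest for a tag."""


def digest(content: bytes) -> str:
    """Content-addressed identity of an image, as a registry would compute it."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


class Registry:
    """Model of a plain registry (assumption: no trust semantics at all).

    A push always moves the tag to the new digest, signed or not.
    """

    def __init__(self):
        self.tags = {}    # (repo, tag) -> digest of whatever was pushed last
        self.blobs = {}   # digest -> content

    def push(self, repo: str, tag: str, content: bytes) -> str:
        d = digest(content)
        self.blobs[d] = content
        self.tags[(repo, tag)] = d
        return d


class TrustData:
    """Model of the publisher's signed targets (Notary's role in real DCT).

    Signing records the digest a tag pointed at when it was signed; later
    unsigned pushes to the registry do not touch this record.
    """

    def __init__(self):
        self.signed = {}  # (repo, tag) -> digest recorded at signing time

    def sign(self, repo: str, tag: str, d: str) -> None:
        self.signed[(repo, tag)] = d


class Client:
    """Model of a consumer; content_trust=True behaves like DOCKER_CONTENT_TRUST=1."""

    def __init__(self, registry: Registry, trust: TrustData, content_trust: bool = False):
        self.registry = registry
        self.trust = trust
        self.content_trust = content_trust

    def pull(self, repo: str, tag: str) -> str:
        """Return the digest the client ends up pulling for repo:tag."""
        if self.content_trust:
            # With DCT on, the tag is resolved against the signed targets, never
            # against the registry's mutable tag map. Unsigned tags are "invisible".
            d = self.trust.signed.get((repo, tag))
            if d is None:
                raise TrustError(f"No valid trust data for {tag}")
            if d not in self.registry.blobs:
                raise TrustError(f"signed digest {d} is not available in the registry")
            return d
        # Without DCT the client takes whatever the registry currently says.
        return self.registry.tags[(repo, tag)]


# Constructed sample image contents for the scenario in the text.
SIGNED_BUILD = b"someimage:latest build 1 (reviewed and signed)"
UNSIGNED_BUILD = b"someimage:latest build 2 (unsigned iteration)"
DEV_BUILD = b"someimage:dev (never signed)"


def scenario() -> dict:
    """Replay the publisher/consumer story and report what each consumer pulls."""
    registry, trust = Registry(), TrustData()

    # Publisher pushes build 1 and signs it.
    d1 = registry.push("someimage", "latest", SIGNED_BUILD)
    trust.sign("someimage", "latest", d1)

    # Later the publisher pushes build 2 to the same tag without signing it,
    # and a dev tag that has never been signed.
    registry.push("someimage", "latest", UNSIGNED_BUILD)
    registry.push("someimage", "dev", DEV_BUILD)

    plain = Client(registry, trust, content_trust=False)
    trusted = Client(registry, trust, content_trust=True)

    result = {
        "without_dct": plain.pull("someimage", "latest"),  # the unsigned build 2
        "with_dct": trusted.pull("someimage", "latest"),   # still the signed build 1
    }
    try:
        trusted.pull("someimage", "dev")
        result["unsigned_tag"] = "pulled"
    except TrustError as err:
        result["unsigned_tag"] = str(err)
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point the model makes is that the signed and unsigned `latest` are not "the same tag with a flag on it": they are two different digests, and which one a consumer receives depends entirely on whether trust is enforced on the consumer side. In real Docker, the DCT client resolves the tag through the signed trust data and then pulls by that digest, which is why an unsigned push cannot silently replace what a trusting consumer runs.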


Title: Tag Signing and DCT Usage
Summary
Publishers can sign or not sign specific tags, leading to potential discrepancies between signed and unsigned versions. Image consumers can enable Docker Content Trust (DCT) to ensure they only use signed images. Enabling DCT filters the registry, making unsigned images invisible to the consumer, thus ensuring a trusted image supply chain.