Verify Docker Hub signatures

[hzhou97]

Hello,

I was wondering if it is possible to verify the signature of images that are hosted on Docker Hub.
E.g. something along the lines of
notation.exe verify docker.io/library/alpine:3.17.2

I tried it out on Windows, using notation 1.0.0-rc.1 for the above command, and got the following error:

Resolved artifact tag 3.17.2 to digest sha256:69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a before verification. Warning: The resolved digest may not point to the same signed artifact, since tags are mutable. Error: signature verification failed for all the signatures associated with docker.io/library/alpine@sha256:69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a

The resolved digest matches the one in the signature:
docker trust inspect docker.io/library/alpine:3.17.2

[
    {
        "Name": "docker.io/library/alpine:3.17.2",
        "SignedTags": [
            {
                "SignedTag": "3.17.2",
                "Digest": "69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a",
                "Signers": [
                    "Repo Admin"
                ]
            }
        ],
        "Signers": [],
        "AdministrativeKeys": [
            ......
        ]
    }
]

Also, when I tried notation.exe list docker.io/library/alpine:3.17.2, there is no output.

I am new to the tool, so I wanted to know if I am doing something wrong or the tool just does not support the functionality.

Thank you.