How can I verify the authenticity of an image pulled from Docker Hub?
For example, I pull

```
--arch amd64 --tls-verify=true debian:bookworm-20211220
Copying blob 9aa4f47c6909 done
Copying config 0b63fd0343 done
Storing signatures
0b63fd03430d8e3ba5bbe108ef16ea978c934a378c865a83af2a040eae9cf174
```

Then for that image `0b63fd03430d` locally, I get the following two digests:

```
docker.io/library/debian@sha256:3baade3697056cfb82c7e9592d8e1b40eacfebc90e1fe36d39892745822c0f10
docker.io/library/debian@sha256:630147f5e4964acc91557e8c049c3e8460777954a1956cc8c27c5563311e497c
```

How do I compare the above two digests to the SHA256 checksums that I see on https://docker.debian.net/?
The SHA256 (`rootfs.tar.xz`) for amd64 reported on that site is `23f6b075419a6380920282137cf07359ba5f2725f16cd8c803c454b07127d126`.

Also, I'd like to do the same for the slim amd64 release. Locally, I get the following two digests for `bookworm-20211220-slim`:

```
docker.io/library/debian@sha256:302ff7cde82ce20eb79ee3d8685a9e3e3a683cae5f86851e821153223cca7def
docker.io/library/debian@sha256:e4699bbf9229fd14a848864ec4eb400582f7bf8127a874df6b43e019230b6a3a
```

P.S. Just to mention that I can find the above output digests on https://hub.docker.com/_/debian?tab=tags&name=bookworm-20211220 but I wanted to verify them also against https://...debian.net in order to be doubly sure. I hope that makes sense.