
docker push to support signed digest updates to a tag

Open SteveLasker opened this issue 3 years ago • 2 comments

The title is not meant to imply tag signing, rather we want to assure the validations and eventually the final design accounts for the following scenario:

  1. The net-monitor:v1 image is posted to docker hub, with the wabbit-networks signature, and a digest of @sha256:aaa
  2. Consumers of the net-monitor:v1 image monitor the manifest associated with the :v1 tag, and continually poll for updates
  3. Wabbit Networks wants to post an update to the :v1 tag.
  4. Wabbit networks builds the image in their environment, signing the image offline
  5. When they push to docker hub, the following underlying sequence occurs
  6. docker push net-monitor:v1 which has a digest of @sha256:bbb is first pushed as a digest, without a tag
  7. The docker push command will then push any signatures that exist, (including the wabbit-networks signatures)
  8. After the image and signature are pushed, a tag update is pushed, assigning the :v1 tag to @sha256:bbb
  9. Consumers polling the net-monitor:v1 image never have a window where the :v1 tag is backed by an unsigned digest.

We must address tag signing as well, however, we expect the tag-signing issue to take a bit more work. This flow would apply to any content push to a registry, whether it's an existing tag or a new tag. The flow has no knowledge of any existing tags.

SteveLasker avatar Apr 02 '21 00:04 SteveLasker
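The ordering in steps 5 through 9 is the whole point of the issue: a consumer that resolves a tag and then checks for a signature should never find the tag pointing at a digest whose signature has not landed yet. The Go model below is an added example written for this page, not code from Notary or the docker CLI. It assumes a toy in-memory registry (manifests by digest, signatures per digest, tags as pointers) and replays the issue's scenario with a poller running between push steps, once in the requested order (manifest, then signatures, then tag) and once in the order to avoid (tag moved before the signature). The digests sha256:aaa and sha256:bbb are the issue's constructed sample values, not real hashes.

```go
package main

import "fmt"

type Digest string
type Tag string

// Registry is a toy model of registry state: manifests addressed by digest,
// signatures attached to a digest, and tags that merely point at a digest.
type Registry struct {
	manifests  map[Digest]bool
	signatures map[Digest]map[string]bool
	tags       map[Tag]Digest
}

func NewRegistry() *Registry {
	return &Registry{map[Digest]bool{}, map[Digest]map[string]bool{}, map[Tag]Digest{}}
}

// PushManifest stores a manifest by digest only; no tag is touched.
func (r *Registry) PushManifest(d Digest) { r.manifests[d] = true }

// PushSignature attaches a signer's signature to an already-pushed digest.
func (r *Registry) PushSignature(d Digest, signer string) error {
	if !r.manifests[d] {
		return fmt.Errorf("cannot sign %s: manifest not present", d)
	}
	if r.signatures[d] == nil {
		r.signatures[d] = map[string]bool{}
	}
	r.signatures[d][signer] = true
	return nil
}

// UpdateTag repoints a tag at a digest that must already exist.
func (r *Registry) UpdateTag(t Tag, d Digest) error {
	if !r.manifests[d] {
		return fmt.Errorf("cannot tag %s: manifest not present", d)
	}
	r.tags[t] = d
	return nil
}

// TagIsSignedBy is the check a polling consumer performs: does the digest
// currently behind the tag carry the signature it requires?
func (r *Registry) TagIsSignedBy(t Tag, signer string) bool {
	d, ok := r.tags[t]
	return ok && r.signatures[d][signer]
}

// PushSigned is the ordering the issue asks for: manifest by digest, then
// signatures, then the tag update. poll runs between steps to model a
// consumer polling concurrently with the push.
func PushSigned(r *Registry, t Tag, d Digest, signer string, poll func()) error {
	r.PushManifest(d)
	poll()
	if err := r.PushSignature(d, signer); err != nil {
		return err
	}
	poll()
	if err := r.UpdateTag(t, d); err != nil {
		return err
	}
	poll()
	return nil
}

// PushTagFirst is the ordering to avoid: the tag moves before the signature
// lands, so a poller can observe :v1 backed by an unsigned digest.
func PushTagFirst(r *Registry, t Tag, d Digest, signer string, poll func()) error {
	r.PushManifest(d)
	if err := r.UpdateTag(t, d); err != nil {
		return err
	}
	poll()
	err := r.PushSignature(d, signer)
	poll()
	return err
}

// RunScenario replays the issue's steps and reports how many polls saw the
// tag backed by an unsigned digest, plus the digest the tag ends on.
// Digest values are the issue's constructed samples, not real hashes.
func RunScenario(signBeforeTag bool) (unsignedPolls int, final Digest) {
	const signer, tag = "wabbit-networks", Tag("net-monitor:v1")
	r := NewRegistry()
	// Step 1: v1 is already published and signed at sha256:aaa.
	r.PushManifest("sha256:aaa")
	_ = r.PushSignature("sha256:aaa", signer)
	_ = r.UpdateTag(tag, "sha256:aaa")
	// Step 2: the consumer polls the tag and counts unsigned observations.
	poll := func() {
		if !r.TagIsSignedBy(tag, signer) {
			unsignedPolls++
		}
	}
	poll()
	// Steps 3-8: push the sha256:bbb update in one of the two orderings.
	push := PushTagFirst
	if signBeforeTag {
		push = PushSigned
	}
	_ = push(r, tag, "sha256:bbb", signer, poll)
	return unsignedPolls, r.tags[tag]
}

func main() {
	n, d := RunScenario(true)
	fmt.Printf("sign-then-tag: unsigned polls=%d final=%s\n", n, d)
	n, d = RunScenario(false)
	fmt.Printf("tag-then-sign: unsigned polls=%d final=%s\n", n, d)
}
```

Both orderings end with :v1 pointing at sha256:bbb; the difference is only in what the poller could see on the way there. A real registry has no single atomic "push image, signatures and tag" operation, so the client's ordering is what closes the window, and a consumer that verifies on every resolve (rather than trusting the tag) is what makes the window observable at all.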