cosign
Fixing issue 3669
Summary
Closes #3669

Currently, while doing the verification of signatures, cosign does not check the MediaType of the layers before downloading them. In the case when someone mistakenly puts the signature tag on an artifact which is not a signature, cosign will download all the layers present in the manifest file of the artifact, and then we start verification, which will eventually fail as the artifact was not really a signature. The fix provides an additional check of the MediaType before downloading the layers. This will avoid unnecessary downloads of stale data and will quickly reject the verification as the artifact is not a signature.
Release Note
- Enhanced cosign verification logic to check MediaType before download of signature layers
Documentation
No change in documentation
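An added illustration of the check the Summary describes (this is example code, not the PR's own diff): the manifest is parsed and every layer's mediaType is compared against cosign's simple-signing media type before any layer is fetched, so a signature tag that points at a non-signature artifact is rejected without downloading its layers. The manifests, digests and sizes are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SimpleSigningMediaType is the media type cosign uses for signature layers.
const SimpleSigningMediaType = "application/vnd.dev.cosign.simplesigning.v1+json"

type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

type manifest struct {
	Layers []descriptor `json:"layers"`
}

// CheckSignatureLayers parses a raw OCI manifest and rejects it before any
// layer is fetched if a layer is not a cosign signature layer.
func CheckSignatureLayers(raw []byte) ([]descriptor, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parsing manifest: %w", err)
	}
	if len(m.Layers) == 0 {
		return nil, fmt.Errorf("manifest has no layers")
	}
	for i, l := range m.Layers {
		if l.MediaType != SimpleSigningMediaType {
			return nil, fmt.Errorf("layer %d has media type %q, not a cosign signature; refusing to download", i, l.MediaType)
		}
	}
	return m.Layers, nil
}

// Constructed sample manifests (not real registry data): one genuine
// signature manifest and one image manifest wrongly tagged as a signature.
const sigManifest = `{"schemaVersion":2,"layers":[{"mediaType":"application/vnd.dev.cosign.simplesigning.v1+json","digest":"sha256:aaaa","size":250}]}`
const imageManifest = `{"schemaVersion":2,"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bbbb","size":31457280}]}`

func main() {
	for _, raw := range []string{sigManifest, imageManifest} {
		if _, err := CheckSignatureLayers([]byte(raw)); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("ok: all layers are signature layers")
		}
	}
}
```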