cosign
Signing manifests of manifests
Description
I have been thinking of the process of signing manifests vs signing the images ultimately downloaded through the manifests.
A manifest can contain other manifests, thus signing the first manifest A alone does not suffice:
```mermaid
graph TD;
manifest_A_signed-->manifest_B_unsigned;
manifest_B_unsigned-->manifest_C_unsigned;
manifest_C_unsigned-->good_image_D;
manifest_C_unsigned-->good_image_E;
style manifest_A_signed fill:green;
style good_image_D fill:yellow
style good_image_E fill:yellow
style good_image_D color: black
style good_image_E color: black
```
While A is signed, B and C are not, nor are the final downloaded images.
Now let's assume that one of the intermediate manifests is hijacked:
```mermaid
graph TD;
manifest_A_signed-->manifest_B_unsigned;
manifest_B_unsigned-->malicious_manifest_C_unsigned;
malicious_manifest_C_unsigned-->bad_image_D;
malicious_manifest_C_unsigned-->bad_image_E;
style manifest_A_signed fill:green;
style malicious_manifest_C_unsigned fill:red;
style bad_image_D fill:red
style bad_image_E fill:red
```
Does this mean that the signing process should be recursive (with some limit on recursion)? Is there something I am missing? Perhaps this is a problem only with manifests that reference tags instead of digests? Related #2047
Thanks!
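An added example (not cosign's code, and not part of the issue above) that walks the A -> B -> C -> {D, E} tree from the diagrams and shows why the answer hinges on how children are referenced. It uses a constructed in-memory registry keyed by content digest and a deliberately simplified manifest shape (`mediaType`, `manifests`, `layers`) rather than the full OCI schema. The walker assumes an external signature already vouches for the root digest; it then re-hashes every child it fetches against the digest its parent embeds. A hijacked intermediate manifest served under C's old digest fails that check, while a child referenced by tag is flagged as outside what the root signature can commit to.

```python
import hashlib
import json
from typing import Dict, List, Tuple


def digest_of(raw: bytes) -> str:
    """Content digest in the OCI "sha256:<hex>" form."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def serialize(doc: dict) -> bytes:
    # Deterministic JSON so the same document always yields the same digest.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def build_registry() -> Tuple[Dict[str, bytes], Dict[str, str]]:
    """Constructed registry (digest -> raw bytes) holding A -> B -> C -> {D, E},
    every reference by digest. Returns the registry and the digest of each node;
    only A's digest is assumed to be signed."""
    registry: Dict[str, bytes] = {}
    names: Dict[str, str] = {}

    def put(name: str, doc: dict) -> dict:
        raw = serialize(doc)
        d = digest_of(raw)
        registry[d] = raw
        names[name] = d
        return {"digest": d, "size": len(raw)}  # descriptor the parent embeds

    d = put("D", {"mediaType": "image", "layers": ["layer-d"]})
    e = put("E", {"mediaType": "image", "layers": ["layer-e"]})
    c = put("C", {"mediaType": "index", "manifests": [d, e]})
    b = put("B", {"mediaType": "index", "manifests": [c]})
    put("A", {"mediaType": "index", "manifests": [b]})
    return registry, names


def verify_tree(registry: Dict[str, bytes], root_digest: str, max_depth: int = 8):
    """Walk down from a root digest that an external signature vouches for.
    Each child is fetched by the digest its parent embeds and re-hashed, so a
    substitution anywhere below the root is detected. Returns
    (ok, visited_digests, problems)."""
    problems: List[str] = []
    visited: List[str] = []

    def walk(desc: dict, depth: int) -> None:
        if depth > max_depth:
            problems.append(f"recursion limit {max_depth} exceeded")
            return
        digest = desc.get("digest")
        if not digest:
            # A tag or other mutable name is not bound by the parent's bytes.
            problems.append(f"mutable reference not covered by signature: {desc}")
            return
        raw = registry.get(digest)
        if raw is None:
            problems.append(f"content missing for {digest}")
            return
        if digest_of(raw) != digest:
            problems.append(f"content served for {digest} does not match its digest")
            return
        if "size" in desc and desc["size"] != len(raw):
            problems.append(f"size mismatch for {digest}")
            return
        visited.append(digest)
        for child in json.loads(raw).get("manifests", []):
            walk(child, depth + 1)

    walk({"digest": root_digest}, 0)
    return not problems, visited, problems


def hijack_intermediate():
    """Second diagram: a malicious index is served under C's original digest
    while A remains signed. The walker rejects it at C."""
    registry, names = build_registry()
    bad = serialize({"mediaType": "image", "layers": ["bad-layer"]})
    registry[digest_of(bad)] = bad
    malicious_c = serialize({"mediaType": "index",
                             "manifests": [{"digest": digest_of(bad), "size": len(bad)}]})
    registry[names["C"]] = malicious_c  # substituted content, stale digest
    return verify_tree(registry, names["A"])


def tag_reference():
    """Variant where B points at C by tag: A's signature fixes B's bytes, but
    B's bytes say nothing about what the tag resolves to, so the walk stops."""
    registry, _ = build_registry()
    b_by_tag = serialize({"mediaType": "index", "manifests": [{"tag": "c-latest"}]})
    registry[digest_of(b_by_tag)] = b_by_tag
    a = serialize({"mediaType": "index",
                   "manifests": [{"digest": digest_of(b_by_tag), "size": len(b_by_tag)}]})
    registry[digest_of(a)] = a
    return verify_tree(registry, digest_of(a))


if __name__ == "__main__":
    reg, names = build_registry()
    print("intact tree:", verify_tree(reg, names["A"]))
    print("hijacked C: ", hijack_intermediate())
    print("B by tag:   ", tag_reference())
```

The point the walk makes concrete: with digest references the tree is content-addressed all the way down, so one signature over A transitively commits to B, C, D and E and a recursive signing pass adds nothing the hash chain does not already give; a tag reference anywhere in the chain is the case where the root signature stops covering the leaves.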