If I understand it correctly, Docker Content Trust (Notary) is supposed to enable me to pull a Docker image from a public registry while having confidence that the image has not been compromised by a malicious actor.
However, when I experiment with Docker Content Trust, I see that on the first pull from a new repository, Docker does not seem to verify which keypair was used to sign the digest stored in Notary. On subsequent pulls from the same repository, Docker does verify that the same keypair was used as on previous pulls.
How does Docker Content Trust protect against a bad actor pushing a malicious image to a new repository? It seems as though we need some way for the Docker CLI to import a known good public key to prevent this exploit. I feel like I must be missing something here.