Let's say a company has pushed and signed an image on its own Docker registry using its X.509 certificate and corresponding private key issued by a public CA.
Having a copy of their certificate on my computer, how can I verify that the image I pulled from their registry is really signed by them?