With Docker Content Trust enabled, an image without trust metadata will not be downloaded.
However, in the case where the trust metadata is present, the image will be pulled, so how does an image consumer validate the origin of the pulled image? For example, is the pulled nginx image with trust metadata associated indeed offered by the genuine nginx publisher?