OBS[1] has supported building container images for several years.
Unfortunately the interface isn't great if you aren't used to it, but because it's integrated into the build system of the entire distribution you get automated rebuilds when your container image's dependencies change for free.
[Disclaimer: I work for SUSE and am an active openSUSE contributor.]
I'm not sure what you're trying to say exactly, but I'm pretty sure that this already exists and there are multiple solutions and self-hosted registries as well for it. Check out Harbor:
I'm not talking about private hosting of containers, I'm talking about an alternative to today's public registry of container images that is 100% verifiable so that when something like this happens it is possible to be certain that no one has tampered with any of the container images.
Do you mean formal verification? Verifying such a vast web service may be nearly impossible, especially since you'd still have to rely on a database server, OS, and kernel, the most popular of which are seemingly fundamentally incompatible with verification.
You can only have 100% verifiable container images if the Dockerfiles uploaded by users are reproducible (in the sense of https://reproducible-builds.org/). The vast majority probably aren't, and I'm not sure the Hub could reliably detect those that are.
I'm considering building a registry (manually to start with) using https://tahoe-lafs.org/trac/tahoe-lafs as a PoC to see if it could work. If it does, then that gets you verifiability, immutability, as well as the ability to make any image you want public without making other ones you own public. The only potential downside is that it might not work with the existing docker mechanisms for pulling images.
If you're looking for cryptographic signatures on container images, check out what my company Sylabs.io is doing. I wrote a comment on the other HN thread about this breach: https://news.ycombinator.com/item?id=19769590
[1]: https://build.opensuse.org