It appears this was finally changed in mid-March, but after the initial release in December, image signing worked as follows:
Docker’s report that a downloaded image is “verified” is based solely on the presence of a signed manifest, and Docker never verifies the image checksum from the manifest. An attacker could provide any image alongside a signed manifest.
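To make the gap concrete, the following is an added example (not Docker's code) that places a check which only validates the manifest signature beside one that also compares each downloaded layer against the content digest the manifest records; the HMAC signature, key, manifest layout and layer bytes are constructed stand-ins for Docker's JWS-signed manifest.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the registry's signing key; Docker used JWS, not HMAC.
SIGNING_KEY = b"constructed-demo-key"

def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def sign_manifest(manifest: dict) -> dict:
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": body,
            "signature": hmac.new(SIGNING_KEY, body, "sha256").hexdigest()}

def signature_valid(signed: dict) -> bool:
    expected = hmac.new(SIGNING_KEY, signed["manifest"], "sha256").hexdigest()
    return hmac.compare_digest(expected, signed["signature"])

def flawed_verify(signed: dict, blobs: dict) -> bool:
    # The behaviour described above: "verified" means only that the manifest is signed.
    return signature_valid(signed)

def hardened_verify(signed: dict, blobs: dict) -> bool:
    # Signature first, then every layer named in the manifest must be present
    # and must hash to exactly the digest the signed manifest records.
    if not signature_valid(signed):
        return False
    manifest = json.loads(signed["manifest"])
    for layer in manifest["layers"]:
        blob = blobs.get(layer["digest"])
        if blob is None or sha256_digest(blob) != layer["digest"]:
            return False
    return True

GOOD_LAYER = b"constructed layer contents"
MANIFEST = {"name": "demo/app", "layers": [{"digest": sha256_digest(GOOD_LAYER)}]}
SIGNED = sign_manifest(MANIFEST)

def demo() -> dict:
    genuine = {sha256_digest(GOOD_LAYER): GOOD_LAYER}
    # Different bytes served under the digest the signed manifest expects.
    swapped = {sha256_digest(GOOD_LAYER): b"different layer contents"}
    return {"flawed_genuine": flawed_verify(SIGNED, genuine),
            "flawed_swapped": flawed_verify(SIGNED, swapped),
            "hardened_genuine": hardened_verify(SIGNED, genuine),
            "hardened_swapped": hardened_verify(SIGNED, swapped)}
```

The flawed check accepts both inputs because the manifest signature is intact either way; only the hardened check rejects the swapped layer.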