Provide a verifiable document giving SHA256 sum of the published image tags
Customers are asking whether GitLab can provide a verifiable document giving the SHA256 sum of each published image tag, so that they can verify the images and then push them to an internal registry. They want something they can hand to their security team before we provide official support for signing and verifying images with cosign.
Copied over from Slack:
We've been seeing some increased demand for supporting signing and verification of container images. We have a proposal to evaluate using cosign down the road (#338682 (closed)). We could potentially use it to sign our own GitLab images (CNG) so that customers can verify their integrity.
Meanwhile, we have received a few requests to offer a simple verifiable document that maps the published CNG image tags to the underlying SHA256 digest, so that customers can use it for validation (container-registry#83 (comment 728655524)).
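The following is an added example, not code from the issue or from GitLab, showing how a customer-side check against such a tag-to-digest document could work. It assumes the document is a JSON object mapping a full image reference to the `sha256:` digest of its manifest (the digest that `docker pull` or `crane digest` reports for a tag); the registry hostname, repository path, tag and manifest contents below are constructed placeholders. In practice the manifest bytes would be fetched from the registry's `/v2/<name>/manifests/<tag>` endpoint (or with `crane manifest`) rather than built inline.

```python
import hashlib
import hmac
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def manifest_digest(manifest_bytes: bytes) -> str:
    """Content-addressable digest of an image manifest: sha256 over the exact
    bytes the registry serves for it. Note this is the manifest digest, not the
    image ID (which is the digest of the config blob)."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def load_tag_document(text: str) -> dict:
    """Parse the tag -> digest document (assumed JSON object) and reject
    malformed digest values before anything is compared against them."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("tag document must be a JSON object")
    for tag, digest in doc.items():
        if not isinstance(digest, str) or not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest for {tag!r}: {digest!r}")
    return doc


def verify_image(doc: dict, image_ref: str, manifest_bytes: bytes) -> tuple:
    """Decide whether the manifest fetched for image_ref may be mirrored into
    the internal registry. Tags absent from the document are denied, not
    silently allowed. Returns (ok, reason)."""
    expected = doc.get(image_ref)
    if expected is None:
        return (False, "tag not listed in document")
    actual = manifest_digest(manifest_bytes)
    if not hmac.compare_digest(actual, expected):
        return (False, f"digest mismatch: expected {expected}, got {actual}")
    return (True, "digest matches")


# Constructed sample inputs (placeholders, not real CNG values).
SAMPLE_MANIFEST = json.dumps(
    {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
                   "size": 0, "digest": "sha256:" + "0" * 64},
        "layers": [],
    },
    separators=(",", ":"),
).encode()

SAMPLE_TAG = "registry.example.com/cng/gitlab-webservice:vX.Y.Z"  # placeholder ref
SAMPLE_DOCUMENT = json.dumps({SAMPLE_TAG: manifest_digest(SAMPLE_MANIFEST)})


def demo() -> dict:
    """Run the check over a matching manifest, a tampered one and an unknown tag."""
    doc = load_tag_document(SAMPLE_DOCUMENT)
    return {
        "good": verify_image(doc, SAMPLE_TAG, SAMPLE_MANIFEST),
        "tampered": verify_image(doc, SAMPLE_TAG, SAMPLE_MANIFEST + b" "),
        "unknown": verify_image(doc, "registry.example.com/cng/other:vX.Y.Z", SAMPLE_MANIFEST),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({reason})")
```

The document itself is only as trustworthy as the channel it arrives over, so a customer would still want it fetched over TLS from a known location or, once available, covered by the cosign signing discussed above; the digest comparison verifies the image against the document, not the document against GitLab.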