For added security, we want to make sure that only trusted images run in our production cluster. Some orchestrators allow us to configure a cluster so that it can only ever run signed images. Content trust and signing images is all about making sure that the authors of the image are the ones that we expect them to be, namely our trusted developers or, even better, our trusted CI server. Furthermore, with content trust, we want to guarantee that the image we get is fresh and not an old and maybe vulnerable image. And finally, we want to make sure that the image cannot be compromised by malicious hackers in transit. The latter is often called a man-in-the-middle (MITM) attack.
By signing images at the source and validating the signature at the target, we can guarantee that the images we want to run are not compromised.