diff --git a/pkg/registryclient/client.go b/pkg/registryclient/client.go
index 2babf544b1..fb58b2c495 100644
--- a/pkg/registryclient/client.go
+++ b/pkg/registryclient/client.go
@@ -186,6 +186,9 @@ func (c *client) FetchImageDescriptor(ctx context.Context, imageRef string) (*gc
 if err != nil {
 return nil, fmt.Errorf("failed to fetch image reference: %s, error: %v", imageRef, err)
 }
+ if _, ok := parsedRef.(name.Digest); ok && parsedRef.Identifier() != desc.Digest.String() {
+ return nil, fmt.Errorf("digest mismatch, expected: %s, received: %s", parsedRef.Identifier(), desc.Digest.String())
+ }
 return desc, nil
 }
diff --git a/pkg/registryclient/client_test.go b/pkg/registryclient/client_test.go
index e1a45a2dde..fe3d56d885 100644
--- a/pkg/registryclient/client_test.go
+++ b/pkg/registryclient/client_test.go
@@ -1,6 +1,7 @@
 package registryclient
 import (
+ "context"
 "crypto/tls"
 "net/http"
 "testing"
@@ -29,3 +30,16 @@ func TestInitClientWithInsecureRegistryOption(t *testing.T) {
 assert.Assert(t, expInsecureSkipVerify == gotInsecureSkipVerify)
 assert.Assert(t, c.Keychain() != nil)
 }
+
+func TestFetchImageDescriptor(t *testing.T) {
+ c, err := New()
+ assert.NilError(t, err)
+
+ tagDesc, err := c.FetchImageDescriptor(context.Background(), "ghcr.io/kyverno/test-verify-image:signed-keyless")
+ assert.NilError(t, err)
+ assert.Equal(t, tagDesc.Digest.String(), "sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1")
+
+ digestDesc, err := c.FetchImageDescriptor(context.Background(), "ghcr.io/kyverno/test-verify-image@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105")
+ assert.NilError(t, err)
+ assert.Equal(t, digestDesc.Digest.String(), "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105")
+}
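Review bot: The new check in FetchImageDescriptor protects a reference pinned by digest from a registry answering with a different descriptor, but nothing in the code says so, and the typed value from the assertion is discarded only to be recovered through Identifier() twice; binding it reads as a digest-to-digest comparison: `if d, ok := parsedRef.(name.Digest); ok && d.DigestStr() != desc.Digest.String() {`. A one-line comment above it, `// A reference pinned by digest must resolve to exactly that digest; reject anything else the registry returns.`, records the security intent for the next reader. As far as I recall, go-containerregistry's remote.Get already rejects a manifest whose digest differs from a name.Digest reference, so this is defense in depth rather than the only barrier; if that is the intent, the comment should say so. FetchImageDescriptor's body begins before the hunk.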
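Review bot: TestFetchImageDescriptor exercises only the success path of the new digest check and depends on a live ghcr.io registry, so the mismatch branch added in client.go is never asserted, and the tag-based assertion on `signed-keyless` will break whenever that tag is re-pushed. Since the client already has an insecure-registry option, a hermetic case with `httptest.NewServer` serving one manifest while the test requests the image at a different `@sha256:` digest, asserting that the returned error contains `digest mismatch`, would pin the behavior this change was made for. If the network-dependent cases are kept, gate them with `testing.Short()` so `go test -short` stays offline.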