In order to avoid supply chain attacks against the operator, and allow repository mirroring, references from the packagemanifest in OCP OLM should be by digest, not by tag.

See:
http://post-office.corp.redhat.com/archives/openshift-sme/2019-October/msg01569.html

oc get packagemanifest/servicemeshoperator -o=jsonpath='

{.metadata.name}{"\t"}{range .status.channels[*]}{.currentCSV}{"t"}{.currentCSVDesc.annotations.containerImage}{"\n"}{end}'
servicemeshoperator servicemeshoperator.v1.0.2 registry.redhat.io/openshift-service-mesh/istio-rhel8-operator:1.0.2

$ oc get packagemanifest/jaeger-product -o=jsonpath='{.metadata.name} {"\t"}{range .status.channels[*]}{.currentCSV}{"t"} {.currentCSVDesc.annotations.containerImage}{"\n"}{end}'
jaeger-product jaeger-operator.v1.13.1 registry.redhat.io/distributed-tracing/jaeger-rhel7-operator:1.13.1

oc get packagemanifest/kiali-ossm -o=jsonpath='{.metadata.name}{"\t"}{range .status.channels[*]}{.currentCSV}{"t"}{.currentCSVDesc.annotations.containerImage} {"\n"} {end}

'
kiali-ossm kiali-operator.v1.0.7 registry.redhat.io/openshift-service-mesh/kiali-rhel7-operator:1.0.7