2

Given an image like this one

I want to be able to verify that the image I have matches

DIGEST:sha256:6889517fd553d36ed5743827cd81c8f94438bd2502db57e9bbfbfac73e746f5b

How can this be done in docker's command line tool?

Evan Carroll
  • 2,921
  • 6
  • 37
  • 85
Nat
  • 135
  • 1
  • 7

2 Answers2

3

Use this command

docker images --digests

You'll get this output

REPOSITORY    TAG       DIGEST                                                                    IMAGE ID       CREATED        SIZE
hello-world   latest    sha256:80f31da1ac7b312ba29d65080fddf797dd76acfb870e677f390d5acba9741b17   feb5d9fea6a5   8 months ago   13.3kB
hazmei
  • 106
  • 2
1

For a given image, these are listed in the RepoDigests section of the inspect:

$ docker image inspect nginx --format '{{json .RepoDigests}}'
["nginx@sha256:644a70516a26004c97d0d85c7fe1d0c3a67ea8ab7ddf4aff193d9f301670cf36","localhost:5000/library/nginx@sha256:644a70516a26004c97d0d85c7fe1d0c3a67ea8ab7ddf4aff193d9f301670cf36"]

Note that there are multiple digests for an image. One for a manifest list when you have multi-platform images (this contains the digests for platform specific images). Another for a platform specific image, which is what Hocker Hub shows on their website. And that image manifest contains digests for the image config and layers. The image config is the json describing things like the entrypoint, user, and other settings associated with the image, and this is used as the image ID in Docker.

That image ID is going to be unique to an image since it also contains a version of the layer digests (those digests will be different since they're uncompressed and other digests for layers will be on the compressed version). So if you don't have a repo digest, you can compare the image ID to the config digest to see if they match. E.g.

$ regctl manifest get localhost:5000/library/alpine --platform linux/arm64
Name:        localhost:5000/library/alpine
MediaType:   application/vnd.docker.distribution.manifest.v2+json
Digest:      sha256:c3c58223e2af75154c4a7852d6924b4cc51a00c821553bbd9b3319481131b2e0
Total Size:  2.694MB

Config:

  Digest:    sha256:6e30ab57aeeef1ebca8ac5a6ea05b5dd39d54990be94e7be18bb969a02d10a3f
  MediaType: application/vnd.docker.container.image.v1+json
  Size:      1487B


Layers:


Digest:    sha256:b3c136eddcbf2003d3180787cef00f39d46b9fd9e4623178282ad6a8d63ad3b0
  MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip
  Size:      2.694MB


$ docker image inspect alpine --format '{{.ID}}'
sha256:e66264b98777e12192600bf9b4d663655c98a090072e1bab49e233d7531d1294

That config digest is only useful for comparison, you still need the manifest digest if you want to pull the image from the registry.

BMitch
  • 3,568
  • 12
  • 18