Español
Home»Operations»How to find the digest (sha256) of a multi-platform Docker image?

Recent Posts

Categories

Archives

How to find the digest (sha256) of a multi-platform Docker image?

2023-12-14 in Operations tagged Docker / Quickie by Marc Nuri | Last updated: 2023-12-14
Versión en Español

Container image digests

A container image digest can be used to uniquely and immutably identify a container image. The digest is usually an SHA-256 hash of the container image manifest. Using the digest instead of the tag to reference an image has a few advantages:

  • The digest is immutable, so the image referenced by the digest will never change.
    • On the other contrary, image tags can be reused, so the same tag can reference different images. This might lead to unexpected results when pulling an image.
    • Scanning tools can be used to check if an image has vulnerabilities, but if the image is updated, the scan results will be outdated.
  • The digest is unique, so there's no chance of referencing the wrong image.
  • Some cloud container platforms require the digest to reference an image.

Finding the digest of a standard container image is easy.

  • The digest might be visible from the container image registry web interface.
  • The digest is shown when pulling an image.
  • The digest can be found using multiple docker commands.

Multi-platform image digests

However, when using multi-platform images, the digest shown when pulling the image might not be the digest of the image manifest but the digest of the image for your specific platform. Since we want to ensure that we reference the same image for all platforms, we need to find the digest of the multi-platform image manifest.

For this purpose, we can use the Docker buildx plugin which is usually included with the Docker CLI. This approach has also the advantage that we don't need to pull the image to find the digest.

The following command prints the complete manifest for an image with name image/name and tag version hosted in the docker.io registry:

docker buildx imagetools inspect docker.io/image/name:version --format "{{json .Manifest}}"

If you have jq installed, you can use the following command to print just the digest of the image manifest:

docker buildx imagetools inspect docker.io/image/name:tag --format "{{json .Manifest}}" | jq -r '.digest'

For example, this would be the output for the marcnuri/yakd:0.0.4 image:

$ docker buildx imagetools inspect docker.io/marcnuri/yakd:0.0.4 --format "{{json .Manifest}}" | jq -r '.digest'
sha256:a3f540278e4c11373e15605311851dd9c64d208f4d63e727bccc0e39f9329310