Docker push: ability to get the digest
Description
As part of attestation and security, I would like to push an image and immediately get the sha256 digest.
When I push the image with docker push <tag> the digest is shown:
The push refers to repository [kristofmattei/foobar:my-awesome-tag]
da39f46fb7a8: Waiting
da39f46fb7a8: Layer already exists
...
4f4fb700ef54: Waiting
4f4fb700ef54: Layer already exists
my-awesome-tag: digest: sha256:d67fed5e2a846838ace975a96fd1a53e3fbe7fe60d95a8019e3003c295643a07 size: 1043
But using --quiet the digest itself disappears too:
kristofmattei/foobar:my-awesome-tag
Once this is done I can do docker image inspect kristofmattei/foobar:my-awesome-tag to get the digest.
However I might be pushing multiple images, and in order to avoid any bugs when I accidentally push 2 images with the same tags but different digests, I'd like to get the digest directly from the push (both digests are valid, for example in the case of multi-platform images).
That way I can merge the images together later.
Is there another way to get the digest from the push, other than capture & filter the output?
Hey @kristof-mattei great issue there!
I think by using the Docker Registry HTTP API you can query the digest after push.
Here is a minimal example:
# HEAD the manifest; the registry returns its digest in the Docker-Content-Digest header
curl -sI \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  https://registry-1.docker.io/v2/kristofmattei/foobar/manifests/my-awesome-tag \
  | grep -i Docker-Content-Digest \
  | awk '{print $2}' \
  | tr -d $'\r'
Sadly this is still a 2 step process. I would like to do it in 1 step.
Hello! I've also been looking for a way to do this to prevent race conditions from push. In my ecosystem, we generate many images from many different users and push them to a common registry under a single tag (e.g. latest), but only ever pull by repo digest. If there was a way to push anonymous images without tags, we would use that instead.
As-is, a push-then-query model is subject to race conditions from different users pushing in parallel.
To mitigate, we can either parse the output of docker push for the digest or run docker image inspect $image --format={{index .RepoDigests 0}}, but I'm not sure if that field is guaranteed to exist after push. Ideally, docker push would either have an option for machine parseable output or a mechanism to write the resulting repo digest somewhere.
Please do consider adding a way to perform a push + query of the repo digest atomically.
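The "parse the docker push output" mitigation mentioned above, as an added example that is not part of this thread: the digest is taken from the push transcript in the same pipeline as the push, so there is no second query that another user's push could race, and the value is validated as a well-formed sha256 digest before it is used for pinning or attestation. The repository name and sample transcript are constructed.

```shell
#!/bin/sh
# Added example (not from the issue thread). Push an image and capture the
# repo digest from the push output in one pipeline, validating the digest
# before it is used for anything security-sensitive (digest pinning,
# attestation). Repository names and the sample transcript are constructed.

# Extract "sha256:<64 hex>" from the final line docker push prints
# ("<tag>: digest: sha256:... size: N"). Prints nothing and returns 1 if
# the line is missing or the digest is malformed, so callers fail closed.
extract_push_digest() {
    digest=$(sed -n 's/^.*: digest: \(sha256:[0-9a-f]\{64\}\) size: [0-9]*$/\1/p' | tail -n 1)
    [ -n "$digest" ] || return 1
    printf '%s\n' "$digest"
}

# Constructed sample of a docker push transcript.
SAMPLE_PUSH_OUTPUT='The push refers to repository [docker.io/example/foobar]
da39f46fb7a8: Waiting
da39f46fb7a8: Layer already exists
4f4fb700ef54: Layer already exists
my-awesome-tag: digest: sha256:d67fed5e2a846838ace975a96fd1a53e3fbe7fe60d95a8019e3003c295643a07 size: 1043'

# Push "<repo>:<tag>" and print "<repo>@sha256:..." on stdout; the full
# transcript still goes to stderr for the build log. Fails (non-zero) when
# the push fails or no valid digest line was printed.
# Usage: push_and_get_digest example/foobar:my-awesome-tag
push_and_get_digest() {
    ref=$1
    repo=${ref%:*}   # strip the trailing ":<tag>" (keeps any registry:port)
    digest=$(docker push "$ref" | tee /dev/stderr | extract_push_digest) || return 1
    printf '%s@%s\n' "$repo" "$digest"
}
```

The pinned "repo@sha256:..." reference can then be fed straight to the merge step (e.g. a manifest list) without touching the mutable tag again.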