Where can I find the sha256 code of a docker image?

11

217

I'd like to pull the images of CentOS, Tomcat, ... using their sha256 code, like in

docker pull myimage@sha256:0ecb2ad60

But I can't find the sha256-code to use anywhere.

I checked the DockerHub repository for any hint of the sha256-code, but couldn't find any. I downloaded the images by their tag

docker pull tomcat:7-jre8

and checked the image with docker inspect to see if there's a sha256 code in the metadata, but there is none (adding the sha256 code of the image would probably change the sha256 code).

Do I have to compute the sha256 code of an image myself and use that?

Sericeous answered 17/8, 2015 at 8:57 Comment(1)
I created an issue on dockerhub related to this - github.com/docker/docker/issues/17670 - Hanoverian
26

Just saw it:

When I pull an image, the sha256 code is displayed at the bottom of the output (Digest: sha....):

docker pull tomcat:7-jre8
7-jre8: Pulling from library/tomcat
902b87aaaec9: Already exists 
9a61b6b1315e: Already exists 
...   
4dcef5c50d60: Already exists 
Digest: sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f
Status: Image is up to date for tomcat:7-jre8

This sha code

sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f

can be used to pull the image afterwards with

docker pull tomcat@sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f

This way you can be sure that the image is not changed and can be safely used for production.

Sericeous answered 17/8, 2015 at 11:8 Comment(2)
This is not really a complete solution, as it only treats images online. What if you want the sha256 of a local image? - Barocchio
There is another answer (with more upvotes) that will get you the local SHA. Then, above that, with even more upvotes, how to get the remote SHA without downloading the whole image. - Illative
200

Latest answer

Edit suggested by OhJeez in the comments.

docker inspect --format='{{index .RepoDigests 0}}' $IMAGE

Original answer

I believe you can also get this using

docker inspect --format='{{.RepoDigests}}' $IMAGE

Works only in Docker 1.9 and if the image was originally pulled by the digest. Details are on the docker issue tracker.

Hanoverian answered 4/11, 2015 at 0:42 Comment(7)
At least for me, this also works for images not pulled by digest, but by tag. That's with Docker 18.09.7. - Alainaalaine
Under Windows, please use double quotes --format="..." (github.com/docker/toolbox/issues/433#issuecomment-188790050) - Bouffard
After going through this post, one might want to have a look at below post as well. #56365143 - Intracranial
This is great to get the remote sha. You may also want another answer below to get the local sha. - Illative
This also works for me docker images --format '{{.Digest}}' $IMAGE - Zalucki
Yup, doesn't work for locally-built image - Touchwood
The above docker inspect is pulling the wrong value. It looks like the correct attribute is "Id" not "RepoDigests". Pull {{.Id}} instead or use docker images --no-trunc --quiet IMAGE - Kenti
193

You can get it by docker images --digests

REPOSITORY          TAG    DIGEST                                                                    IMAGE ID     CREATED        SIZE
docker/ucp-agent    2.1.0  sha256:a428de44a9059f31a59237a5881c2d2cffa93757d99026156e4ea544577ab7f3   583407a61900 3 weeks ago    22.3 MB
Hilltop answered 8/3, 2017 at 20:37 Comment(2)
To get only the digests, you can also use docker images --format '{{.Digest}}'. This is useful in a foreach statement to get some work done with the digests. - Contraoctave
I would have preferred this as it is easy to remember but I believe it is incorrect: this is the digest of the image manifest, which does not exist for an image created locally (unless you manufacture one). It will be none. The command that outputs the same SHA as printed at the very end of the build is in answer https://mcmap.net/q/125382/-where-can-i-find-the-sha256-code-of-a-docker-image - Unbolt
81

Simplest and most concise way is:

docker images --no-trunc --quiet $IMAGE

This returns only the sha256:... string and nothing else.

e.g.:

$ docker images --no-trunc --quiet debian:stretch-slim
sha256:220611111e8c9bbe242e9dc1367c0fa89eef83f26203ee3f7c3764046e02b248

Edit:

NOTE: this only works for images that are local. You can docker pull $IMAGE first, if required.

Goodlooking answered 18/11, 2019 at 3:25 Comment(3)
This is truly local only. The checksum printed by --quiet is not really a digest, cannot be pulled from Docker Hub, and is different from the one printed by other answers. See github.com/docker/hub-feedback/issues/…. - Laurenelaurens
THIS! This is a very important piece of the work-avoidance puzzle. Use this to get the LOCAL sha you just built, and then compare this sha against the REMOTE sha where you want to push the image (see above), to see if you can skip the operation entirely. Bravo! (The other solutions don't work locally). - Illative
This is incorrect. This returns the image ID and not the digest! They are very different concepts and this will not work when used to pull the image from a registry. - Animalist
14

I found the above methods to not work in some cases. They either:

  • don't deal well with multiple images with the same hash (in the case of .RepoDigests suggestion - when you want to use a specific registry path)
  • don't work well when pushing the image to registries (in the case of .Id where it's a local hash, not the hash in the registry).

The below method is delicate, but works for extracting the specific full 'name' and hash for a specific pushed container.

Here's the scenario - An image is uploaded separately to 2 different projects in the same repo, so querying RepoDigests returns 2 results.

$ docker inspect --format='{{.RepoDigests}}' gcr.io/alpha/homeapp:latest

[gcr.io/alpha/homeapp@sha256:ce7395d681afeb6afd68e73a8044e4a965ede52cd0799de7f97198cca6ece7ed gcr.io/beta/homeapp@sha256:ce7395d681afeb6afd68e73a8044e4a965ede52cd0799de7f97198cca6ece7ed]

I want to use the alpha result, but I can't predict which index it will be. So I need to manipulate the text output to remove the brackets and get each entry on a separate line. From there I can easily grep the result.

$ docker inspect --format='{{.RepoDigests}}' gcr.io/alpha/homeapp:latest | sed 's:^.\(.*\).$:\1:' | tr " " "\n" | grep alpha

gcr.io/alpha/homeapp@sha256:ce7395d681afeb6afd68e73a8044e4a965ede52cd0799de7f97198cca6ece7ed 
Goatherd answered 1/12, 2019 at 18:44 Comment(2)
I had the same digest inconsistency issue with GCR images in Cloud Deploy. This was exactly what I needed. Thank you. - Bashee
I think you should try jq. - Colony
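A stricter form of the sed/tr/grep pipeline in the answer above, as an added example that is not part of the original answer: it lists RepoDigests one per line with docker's range/println template actions and matches the repository name exactly instead of by substring. The function names are hypothetical; the sample lines are the two entries quoted in the answer.

```shell
#!/bin/sh
# Added example: pick the RepoDigests entry for one exact repository.

# Print an image's RepoDigests one per line, using docker's template
# actions (range/println) instead of stripping brackets with sed and tr.
list_repo_digests() {
  docker inspect --format='{{range .RepoDigests}}{{println .}}{{end}}' "$1"
}

# Read "repo@sha256:<hex>" lines on stdin and print the entry whose repository
# part equals $1 exactly. Returns 1 if nothing matches, 2 if the matching
# entry is malformed or two different digests are recorded for the repository.
select_repo_digest() {
  want=$1
  found=
  while IFS= read -r line; do
    repo=${line%%@*}
    digest=${line#*@}
    [ "$repo" = "$want" ] || continue
    # A digest is "sha256:" plus exactly 64 lowercase hex characters.
    hex=${digest#sha256:}
    case $hex in *[!0-9a-f]*) return 2 ;; esac
    [ "$digest" != "$hex" ] && [ "${#hex}" -eq 64 ] || return 2
    [ -z "$found" ] || [ "$found" = "$line" ] || return 2
    found=$line
  done
  [ -n "$found" ] || return 1
  printf '%s\n' "$found"
}

# Sample input: the two RepoDigests entries quoted in the answer above.
SAMPLE_REPO_DIGESTS='gcr.io/alpha/homeapp@sha256:ce7395d681afeb6afd68e73a8044e4a965ede52cd0799de7f97198cca6ece7ed
gcr.io/beta/homeapp@sha256:ce7395d681afeb6afd68e73a8044e4a965ede52cd0799de7f97198cca6ece7ed'

# Offline demonstration; with docker available the equivalent call is:
#   list_repo_digests gcr.io/alpha/homeapp:latest | select_repo_digest gcr.io/alpha/homeapp
printf '%s\n' "$SAMPLE_REPO_DIGESTS" | select_repo_digest gcr.io/alpha/homeapp
```

A non-zero return lets a deployment script stop instead of continuing with an empty or ambiguous image reference.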
11

In addition to the existing answers, you can use the --digests option while doing docker images to get a list of digests for all the images you have.

docker images --digests

You can add a grep to drill down further

docker images --digests | grep tomcat
Giselegisella answered 4/8, 2018 at 6:33 Comment(0)
11

My preferred way to do this, in order to get a manifest SHA rather than a platform-specific SHA, is:

docker buildx imagetools inspect $IMAGE --format "{{json .Manifest}}" | jq -r .digest

e.g.

docker buildx imagetools inspect busybox --format "{{json .Manifest}}" | jq -r .digest
sha256:9e2bbca079387d7965c3a9cee6d0c53f4f4e63ff7637877a83c4c05f2a666112

Of course if you want to see all the platform specific SHAs just omit the jq filter:

docker buildx imagetools inspect $IMAGE --format "{{json .Manifest}}"

The nice thing about buildx imagetools is that the image doesn't need to be pulled locally, so it can be used to find info about any image on Docker Hub (or whatever other registry you point it at).

Haplography answered 17/5, 2023 at 13:25 Comment(5)
docker buildx? As I mentioned here, since Moby v23.0 (Feb. 2023), docker build is enough: it uses buildx by default. - Compliant
@Compliant docker build is now short for docker buildx build. You still need to call docker buildx ... to access other buildx commands like imagetools. - Inglorious
This is the right answer. All the others require pulling the image first while this one gets the manifest without pulling anything other than the manifest. - Antithesis
This just gives you the current image sha. How do you get all the past image shas? - Release
This is by far the best answer. It shows multiplatform SHA which can be used on all platforms to pull platform specific image. This way you can use one SHA everywhere. - Acro
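An added example (not part of the original answer) that uses the imagetools command above to check whether a tag still resolves to the digest you pinned, without pulling the image. check_pins, remote_digest and sample_resolver are hypothetical names; the lock-list format (image reference, whitespace, digest) is an assumption, and sample_resolver is a constructed stand-in so the block runs offline.

```shell
# Added example: detect when a tag no longer resolves to its pinned digest.

# Digests shown on this page, used as the pinned values in the sample below.
BUSYBOX_DIGEST=sha256:9e2bbca079387d7965c3a9cee6d0c53f4f4e63ff7637877a83c4c05f2a666112
TOMCAT_DIGEST=sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f

# Ask the registry which manifest digest a reference points to right now,
# without pulling the image (the command from the answer; needs buildx and jq).
remote_digest() {
  docker buildx imagetools inspect "$1" --format '{{json .Manifest}}' | jq -r .digest
}

# Read "image-ref pinned-digest" lines on stdin and compare each pin with what
# the resolver function named in $1 reports. Prints one status line per entry;
# returns 0 only if every entry resolves and matches its pin.
check_pins() {
  resolver=${1:-remote_digest}
  rc=0
  while read -r ref pinned; do
    case $ref in '' | '#'*) continue ;; esac
    # </dev/null stops the resolver from eating the rest of the lock list.
    current=$("$resolver" "$ref" </dev/null) || current=
    if [ -z "$current" ]; then
      echo "UNRESOLVED $ref"; rc=1
    elif [ "$current" = "$pinned" ]; then
      echo "OK $ref $pinned"
    else
      echo "DRIFT $ref pinned=$pinned now=$current"; rc=1
    fi
  done
  return "$rc"
}

# Constructed stand-in for remote_digest so the example runs offline: busybox
# is unchanged, tomcat:7-jre8 has moved to a made-up all-zero digest.
sample_resolver() {
  case $1 in
    busybox) echo "$BUSYBOX_DIGEST" ;;
    tomcat:7-jre8) echo "sha256:$(printf '%064d' 0)" ;;
    *) return 1 ;;
  esac
}

check_pins sample_resolver <<EOF || echo "one or more pins need review"
# image-ref      pinned digest
busybox          $BUSYBOX_DIGEST
tomcat:7-jre8    $TOMCAT_DIGEST
EOF
```

Calling check_pins with no argument uses remote_digest, so the same lock list can be checked against the real registry in a scheduled job.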
9

You can find it at the time of pulling the image from the respective repository. The command below mentions Digest: sha256 at the time of pulling the docker image.

09:33 AM##~::>docker --version
Docker version 19.03.4, build 9013bf5

Digest: sha256:6e9f67fa63b0323e9a1e587fd71c561ba48a034504fb804fd26fd8800039835d

09:28 AM##~::>docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
7ddbc47eeb70: Pull complete
c1bbdc448b72: Pull complete
8c3b70e39044: Pull complete
45d437916d57: Pull complete
**Digest: sha256:6e9f67fa63b0323e9a1e587fd71c561ba48a034504fb804fd26fd8800039835d**
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest

Once the image is downloaded, we can do the following

"ubuntu@sha256:6e9f67fa63b0323e9a1e587fd71c561ba48a034504fb804fd26fd8800039835d"

09:36 AM##~::>docker inspect ubuntu | grep -i sha256
        "Id": "sha256:775349758637aff77bf85e2ff0597e86e3e859183ef0baba8b3e8fc8d3cba51c",
            **"ubuntu@sha256:6e9f67fa63b0323e9a1e587fd71c561ba48a034504fb804fd26fd8800039835d"**
            "Image": "sha256:f0caea6f785de71fe8c8b1b276a7094151df6058aa3f22d2902fe6b51f1a7a8f",
            "Image": "sha256:f0caea6f785de71fe8c8b1b276a7094151df6058aa3f22d2902fe6b51f1a7a8f",
                "sha256:cc967c529ced563b7746b663d98248bc571afdb3c012019d7f54d6c092793b8b",
                "sha256:2c6ac8e5063e35e91ab79dfb7330c6154b82f3a7e4724fb1b4475c0a95dfdd33",
                "sha256:6c01b5a53aac53c66f02ea711295c7586061cbe083b110d54dafbeb6cf7636bf",
                "sha256:e0b3afb09dc386786d49d6443bdfb20bc74d77dcf68e152db7e5bb36b1cca638"
Putrid answered 18/11, 2019 at 3:59 Comment(2)
docker inspect IMAGE_NAME | grep -i sha256 is what did the trick for me. - Cowled
How can you get it without pulling the image? - Antithesis
6

This should have been the Id field, that you could see in the old deprecated Docker Hub API

GET /v1/repositories/foo/bar/images HTTP/1.1
  Host: index.docker.io
  Accept: application/json

Parameters:

namespace – the namespace for the repo
repo_name – the name for the repo

Example Response:

HTTP/1.1 200
Vary: Accept
Content-Type: application/json

[{"id": "9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f",
"checksum": "b486531f9a779a0c17e3ed29dae8f12c4f9e89cc6f0bc3c38722009fe6857087"},
{"id": "ertwetewtwe38722009fe6857087b486531f9a779a0c1dfddgfgsdgdsgds",
"checksum": "34t23f23fc17e3ed29dae8f12c4f9e89cc6f0bsdfgfsdgdsgdsgerwgew"}]

BUT: this is not how it is working now with the new docker distribution.
See issue 628: "Get image ID with tag name"

The /v1/ registry response /repositories/<repo>/tags used to list the image ID along with the tag handle.
/v2/ only seems to give the handle.

It would be useful to get the ID to compare to the ID found locally. The only place I can find the ID is in the v1Compat section of the manifest (which is overkill for the info I want)

The current (mid 2015) answer is:

This property of the V1 API was very computationally expensive for the way images are stored on the backend. Only the tag names are enumerated to avoid a secondary lookup.
In addition, the V2 API does not deal in Image IDs. Rather, it uses digests to identify layers, which can be calculated as property of the layer and are independently verifiable.

Compliant answered 17/8, 2015 at 9:28 Comment(0)
6

As mentioned by @zelphir, using digests is not a good way since it doesn't exist for a local-only image. I assume the image ID sha is the most accurate and consistent across tags/pull/push etc.

docker inspect --format='{{index .Id}}' $IMAGE

Does the trick.

Geophilous answered 11/4, 2019 at 7:2 Comment(0)
1

Just issue docker pull tomcat:7-jre8 again and you will get what you want.

Merrymerryandrew answered 6/3, 2018 at 3:35 Comment(0)
