Checking the digest for a Docker image, using crane

When working with (Docker/OCI) container images, it's good practice to pin your digests.

For instance, instead of:

FROM ghcr.io/renovatebot/base-image:9.70.8

We should instead reference the exact digest of the image, to provide a (more) reproducible build:

FROM ghcr.io/renovatebot/base-image:9.70.8@sha256:d04bd0560e8eea48cf8402054e698b63ce05c65ffc35655a8db36866d0521038 AS slim-base

This is more secure, and more reproducible, as tags are mutable, allowing someone to re-push that image's tag at will.

Re-pushing a tag is useful for cases like the :latest tag, but may not be expected for all tags.

Although I'll always use Renovate to update those digests - or pin the digests, if I'd forgotten to pin them when I first raised them - it's good practice to pin them yourself, as well as to know how to reproduce the digest to confirm it's correct!

This is something I've got in my muscle memory - especially since we've been using Chainguard Images for our container builds - but I thought it was worth having it written up as a form of blogumentation for the future.

We can use crane to check the digest behind an image's tag.

(Aside: this isn't the only crane tool out there - you want to make sure you're using Google's crane, not the project from Michael Sauter with the same name)

Once installed, we can run:

$ crane digest ghcr.io/renovatebot/base-image:9.70.8
sha256:d04bd0560e8eea48cf8402054e698b63ce05c65ffc35655a8db36866d0521038

Notice that this matches the definition from above:

FROM ghcr.io/renovatebot/base-image:9.70.8@sha256:d04bd0560e8eea48cf8402054e698b63ce05c65ffc35655a8db36866d0521038 AS slim-base

Another important thing to note when using tag+digest is that when you specify the digest, the tag is ignored, and can be seen as "only" useful for indicating to humans and bots what it is and how to update it.

But because the tag is ignored, a bad actor could pair a familiar-looking tag with a digest for something else entirely, making you think you're getting the image you expect when you're not. Please confirm with the steps above!
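As an added example (not the post's own code, nor crane's), here is the check that `crane digest` performs expressed in Python: the digest is the SHA-256 of the exact manifest bytes the registry serves for a tag, and the script compares that against the digest pinned in each FROM line of a Dockerfile. The manifest bytes and the `resolve` callback are constructed stand-ins for a registry lookup, so the digest they produce will not equal the real one quoted above.

```python
import hashlib
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for the manifest a registry would serve for a tag.
# It is NOT the real manifest of ghcr.io/renovatebot/base-image:9.70.8, so
# its digest will differ from the sha256:d04bd0... value quoted in the post.
SAMPLE_MANIFEST = (
    b'{"schemaVersion":2,'
    b'"mediaType":"application/vnd.oci.image.manifest.v1+json",'
    b'"config":{"mediaType":"application/vnd.oci.image.config.v1+json",'
    b'"size":1234,"digest":"sha256:' + b"0" * 64 + b'"},'
    b'"layers":[]}'
)


def manifest_digest(manifest: bytes) -> str:
    """Digest as `crane digest` reports it: sha256 over the exact manifest
    bytes the registry serves (the image index, for a multi-arch tag)."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


def parse_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'registry/repo:tag@sha256:...' into (name, tag, digest)."""
    name_tag, _, digest = ref.partition("@")
    slash, colon = name_tag.rfind("/"), name_tag.rfind(":")
    if colon > slash:  # a ':' after the last '/' is the tag, not a registry port
        return name_tag[:colon], name_tag[colon + 1:], digest or None
    return name_tag, None, digest or None


def check_dockerfile(text: str, resolve: Callable[[str, str], bytes]) -> List[Tuple[str, str]]:
    """For each FROM line, compare the pinned digest with the digest of the
    manifest returned by resolve(name, tag), a stand-in for `crane digest`.
    Returns (reference, status) pairs, status in {'unpinned', 'ok', 'mismatch'}."""
    results = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        ref = next(t for t in tokens[1:] if not t.startswith("--"))  # skip --platform=...
        if ref == "scratch":
            continue
        name, tag, pinned = parse_reference(ref)
        if pinned is None:
            results.append((ref, "unpinned"))
            continue
        actual = manifest_digest(resolve(name, tag or "latest"))
        results.append((ref, "ok" if actual == pinned else "mismatch"))
    return results
```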

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#blogumentation #docker #containers.

This post was filed under articles.
