14

A digest is the sha256 hash of a Docker image, but an image is not really a single file but rather a set of layers. I assumed the digest was the sha256 hash over the image manifest file, but I have computed the sha256 hash of numerous manifest files and compared the result to the digest Docker provides for the image, and they are different. So what exactly is being sha256-hashed to create the image digest value?

lewiada
  • The engine is an open source project; it would probably be faster to check their source than to try to recreate. – BMitch Sep 02 '16 at 20:05
  • Not looking to recreate, only to deepen my understanding. I suppose I could dig through the source ... – lewiada Sep 02 '16 at 21:15
  • Can you please tell us how you fetched the image manifest file? Did you save the image to a tar file and then get the manifest from the tar file, or fetch the manifest file from your private registry? – Haoming Zhang Sep 03 '16 at 01:07
  • By "recreate" I was referring to your black box attempts with "I have computed the sha256 hash of numerous manifest files". It's a lot less error prone to simply check the source, since there may be other factors you aren't testing in your scenarios. – BMitch Sep 03 '16 at 13:29
  • GET /v2//manifests/. You can see the API documentation here: https://docs.docker.com/registry/spec/api/#/pulling-an-image-manifest – lewiada Sep 07 '16 at 19:07

2 Answers

5

The image digest is the digest of the manifest body without the signature content. Make sure you exclude it before calculating it.

https://docs.docker.com/registry/spec/api/#content-digests

DIGEST HEADER

To provide verification of http content, any response may include a Docker-Content-Digest header. This will include the digest of the target entity returned in the response. For blobs, this is the entire blob content. For manifests, this is the manifest body without the signature content, also known as the JWS payload. Note that the commonly used canonicalization for digest calculation may be dependent on the mediatype of the content, such as with manifests.

Pierre
SunghoMoon
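As an added example (not code from either answer, nor from Docker itself), the Python below applies the rule in the quoted spec text: the digest is sha256 over the manifest body exactly as served, except that a signed schema 1 manifest is first reduced to its JWS payload. The formatLength/formatTail reconstruction is assumed from libtrust's pretty-signature layout, and the sample manifest, its signature entry and the timestamp are constructed placeholders.

```python
import base64
import hashlib
import json


def _b64url_decode(data: str) -> bytes:
    """Decode unpadded JOSE base64url text."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def raw_sha256(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def jws_payload(manifest: bytes) -> bytes:
    """Return the bytes that are actually digested.

    A schema 2 manifest is digested as served.  A signed schema 1 manifest
    carries a "signatures" array; each entry's protected header records
    formatLength (where the original body was cut) and formatTail (the
    bytes, usually a closing brace, that followed it), so the payload is
    body[:formatLength] + formatTail.  Signatures are not verified here.
    """
    sigs = json.loads(manifest).get("signatures") or []
    if not sigs:
        return manifest
    protected = json.loads(_b64url_decode(sigs[0]["protected"]))
    return manifest[: protected["formatLength"]] + _b64url_decode(protected["formatTail"])


def image_digest(manifest: bytes) -> str:
    return raw_sha256(jws_payload(manifest))


def constructed_signed_manifest(payload: bytes) -> bytes:
    """Wrap a plain schema 1 body in the pretty JWS layout (constructed,
    placeholder signature value) so the stripping logic can be exercised."""
    cut = payload.rindex(b"}")
    protected = _b64url_encode(json.dumps({
        "formatLength": cut,
        "formatTail": _b64url_encode(payload[cut:]),
        "time": "2016-09-02T00:00:00Z",  # placeholder
    }).encode())
    sig = json.dumps({"header": {"alg": "ES256"}, "signature": "PLACEHOLDER",
                      "protected": protected})
    return payload[:cut] + b',\n   "signatures": [' + sig.encode() + b"]" + payload[cut:]


# Constructed sample body in schema 1 style.
SAMPLE_PAYLOAD = b'{\n   "schemaVersion": 1,\n   "name": "example/app",\n   "tag": "latest"\n}'
```

To check the result against a registry, compare `image_digest()` of the raw response body with the Docker-Content-Digest header on that same response; a mismatch means the body you hashed is not the bytes the registry served.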
3

Based on my adventures in the Docker source, it seems that the digest is a SHA256 (by default) of a JSON string that represents the image configuration.

You can look at the relevant method for creating an image and the function that computes the digest.

Chaim Eliyah
trey-jones
  • Linking to the source is great, but it would pay to link to a specific commit hash rather than `master`, because the code at `master` will change over time and your line number will no longer be relevant. – bart Jan 11 '22 at 17:54