Docker push: ability to get the digest

[kristof-mattei]

Description

As part of attestation and security, I would like to push an image and immediately get the sha256 digest.

When I push the image with docker push <tag> the digest is shown:

The push refers to repository [kristofmattei/foobar:my-awesome-tag]
da39f46fb7a8: Waiting
da39f46fb7a8: Layer already exists
...
4f4fb700ef54: Waiting
4f4fb700ef54: Layer already exists
my-awesome-tag: digest: sha256:d67fed5e2a846838ace975a96fd1a53e3fbe7fe60d95a8019e3003c295643a07 size: 1043

But using --quiet the the digest itself disappears too:

kristofmattei/foobar:my-awesome-tag

Once this is done I can do docker image inspect kristofmattei/foobar:my-awesome-tag to get the digest.

However I might be pushing multiple images, and in order to avoid any bugs when I accidentally push 2 images with the same tags but different digests, I'd like to get the digest directly from the push (both digests are valid, for example in the case of multi-platform images).

That way I can merge the images together later.

Is there another way to get the digest from the push, other than capture & filter the output?

[shivgithub1234]

Hey @kristof-mattei great issue there!
I think by using the Docker Registry HTTP API you can query the digest after push.
Here is a minimal example:
curl -sI \ -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \ https://registry-1.docker.io/v2/kristofmattei/foobar/manifests/my-awesome-tag \ | grep -i Docker-Content-Digest \ | awk '{print $2}' \ | tr -d $'\r'

[kristof-mattei]

Hey @kristof-mattei great issue there! I think by using the Docker Registry HTTP API you can query the digest after push. Here is a minimal example: curl -sI \ -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \ https://registry-1.docker.io/v2/kristofmattei/foobar/manifests/my-awesome-tag \ | grep -i Docker-Content-Digest \ | awk '{print $2}' \ | tr -d $'\r'

Sadly this is still a 2 step process. I would like to do it in 1 step.