crane-digest

Get the digest of an image

$ crane digest [image_name]

$ crane digest [image_name] --full-ref

$ crane digest [image_name] --tarball [path/to/tarball]

$ crane digest [[-h|--help]]

crane digest IMAGE [flags]

--format string
    Go template format string to print the digest. Useful for custom output.

-h, --help
    Show help message for the digest subcommand.

--insecure
    Allow connections to insecure registries that might use plain HTTP or have untrusted TLS certificates.

--platform string
    Specify the target platform for multi-platform images in the format os/arch[/variant] (e.g., linux/amd64 or linux/arm/v7). If not specified, the platform of the current system might be used or an arbitrary one chosen.

--plain-http
    Allow connections to registries over plain HTTP without TLS. This is less secure and should be used with caution.

--repo string
    Optional: Repository to digest from. Usually inferred from the IMAGE argument.

--tag string
    Optional: Tag to digest. Usually inferred from the IMAGE argument.

--username string
    Username for authentication to the container registry.

The crane digest command is a subcommand of the crane utility, a powerful tool for interacting with container image registries. It is used to retrieve the content addressable digest (SHA256 checksum) of a specified container image. This digest uniquely identifies a specific immutable version of an image's manifest, providing a reliable way to verify the image's content and ensure supply chain integrity. Unlike image tags, which can be mutable and refer to different image layers over time, a digest always points to the exact same image content. This command is particularly useful for scripting, automation, and security-conscious workflows where precise image identification is critical for reproducibility and trust.

The 'crane-digest' command as a standalone Linux command does not exist. This analysis refers to the digest subcommand of the crane utility (crane digest). crane is a command-line tool primarily used for interacting with OCI (Open Container Initiative) container registries and images, not a general-purpose system utility.

When interacting with private or authenticated registries, crane digest supports authentication via the --username flag. It can also leverage credentials cached by docker login in ~/.docker/config.json for convenience, simplifying access to secured resources. For automated environments, environment variables or credential helpers might be used.

The IMAGE argument typically includes both the repository and tag (e.g., myregistry.com/myrepo/myimage:mytag) or a specific digest directly (e.g., myregistry.com/myrepo/myimage@sha256:...). If the image is multi-platform, the --platform flag can be used to specify which manifest within a manifest list to digest, ensuring the correct platform-specific image content is targeted.

The crane utility, of which digest is a subcommand, is part of the GoogleContainerTools project. It was developed to provide a lightweight, Go-based client for interacting with container registries without needing a full Docker or containerd daemon. Its focus is on low-level registry operations and image manipulation, making it a valuable tool for CI/CD pipelines, image analysis, and scenarios requiring direct registry interaction. The digest subcommand specifically addresses the need for immutable content addressing in the container ecosystem, which is crucial for reproducibility and security.

crane, docker, podman, skopeo