crane-digest

Get the digest of an image

$ crane digest [image_name]

$ crane digest [image_name] --full-ref

$ crane digest [image_name] --tarball [path/to/tarball]

$ crane digest [[-h|--help]]

crane digest [flags] IMAGE
where IMAGE is "repository/image:tag" or "repository/image@sha256:digest"

--insecure
    Allow HTTP registries or skip TLS certificate validation

--platform
    Specify platform for multi-arch images, e.g. "linux/amd64"

--verbose
    Enable verbose logging for debugging

crane digest is a subcommand of the crane CLI tool from Google Container Tools, designed for efficient interaction with OCI and Docker-compatible container registries. It calculates the canonical SHA256 digest of a specified image manifest without downloading full image layers, enabling quick verification of image integrity.

This command fetches the image descriptor from the registry, resolves the manifest (supporting multi-platform images via --platform), and outputs the digest in sha256:hex format. Ideal for scripting, CI/CD pipelines, and image attestation workflows like Cosign. It requires network access to the registry and supports insecure connections for private or HTTP repos.

Key benefits include speed (minimal data transfer) and reliability for remote images. For local tarballs or directories, use crane digest --local (though not directly in this subcommand). Outputs to stdout for easy piping.

Requires internet access to registry; does not support local files directly (use crane digest --local file.tar); insecure mode poses security risks.

crane digest alpine:3.18
sha256:5b0bcabd1ed38e65d6a0eb53be7735a678bc539d058679c8305b1f4ebcc9f62f

crane digest --platform linux/arm64 alpine:3.18

Always sha256:<64-char hex>; digest matches image manifest exactly for reproducibility.

Introduced in crane v0.1.0 (2021) by Google Container Tools as part of OCI tooling ecosystem; evolved with sigstore for image signing verification.

crane(1), skopeo(1), docker(1), cosign(1)