crane digest: Resolve an Image Digest
crane digest returns the immutable sha256 digest for an image tag, fetched directly from the registry.
Signing, deploying, and pinning should all use a digest, not a mutable tag. crane digest is the quickest way to resolve a tag to that digest in a pipeline.
What it does
crane digest queries the registry for the manifest of a reference and prints its sha256 digest. For a multi-arch index it returns the index digest by default; --platform returns the digest of a specific platform image within the index.
Common usage
crane digest ghcr.io/org/app:ci
# capture it for a sign/deploy step
DIGEST=$(crane digest ghcr.io/org/app:ci)
cosign sign --yes ghcr.io/org/app@${DIGEST}
# digest of a specific platform
crane digest --platform linux/arm64 ghcr.io/org/app:ciOptions
| Flag | What it does |
|---|---|
| --platform <os/arch> | Digest of a specific platform in an index |
| --full-ref | Print repo@sha256:... instead of just the digest |
| --insecure | Allow plain HTTP / skip TLS (testing) |
| crane auth login | Authenticate for private repositories |
In CI
Resolve the digest right after a push and use it for every downstream step, signing, attesting, and deploying by digest so a moved tag cannot change what you ship. Use --platform when you need to pin a single architecture rather than the whole index.
Common errors in CI
"MANIFEST_UNKNOWN" means the tag does not exist or the repo path is wrong. "UNAUTHORIZED" means the repo is private and crane is not logged in; run crane auth login. An empty result piped into a sign step usually means the digest command failed silently inside a subshell; check its exit code.