Skip to content
Latchkey

crane digest: Resolve an Image Digest

crane digest returns the immutable sha256 digest for an image tag, fetched directly from the registry.

Signing, deploying, and pinning should all use a digest, not a mutable tag. crane digest is the quickest way to resolve a tag to that digest in a pipeline.

What it does

crane digest queries the registry for the manifest of a reference and prints its sha256 digest. For a multi-arch index it returns the index digest by default; --platform returns the digest of a specific platform image within the index.

Common usage

Terminal
crane digest ghcr.io/org/app:ci
# capture it for a sign/deploy step
DIGEST=$(crane digest ghcr.io/org/app:ci)
cosign sign --yes ghcr.io/org/app@${DIGEST}
# digest of a specific platform
crane digest --platform linux/arm64 ghcr.io/org/app:ci

Options

FlagWhat it does
--platform <os/arch>Digest of a specific platform in an index
--full-refPrint repo@sha256:... instead of just the digest
--insecureAllow plain HTTP / skip TLS (testing)
crane auth loginAuthenticate for private repositories

In CI

Resolve the digest right after a push and use it for every downstream step, signing, attesting, and deploying by digest so a moved tag cannot change what you ship. Use --platform when you need to pin a single architecture rather than the whole index.

Common errors in CI

"MANIFEST_UNKNOWN" means the tag does not exist or the repo path is wrong. "UNAUTHORIZED" means the repo is private and crane is not logged in; run crane auth login. An empty result piped into a sign step usually means the digest command failed silently inside a subshell; check its exit code.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →