crane digest: Resolve a Tag to an Immutable Digest
crane digest returns the content digest of an image reference, letting a pipeline pin an immutable image@sha256 instead of a moving tag.
Tags move; digests do not. crane digest gives you the exact sha256 a tag currently points to so deploys are reproducible.
What it does
crane digest fetches the manifest for a reference and prints its sha256:... digest. For a multi-arch tag it returns the digest of the manifest list unless you narrow it with --platform.
Common usage
# get the digest for a tag
crane digest ghcr.io/acme/app:1.4.0
# pin a deploy to the resolved digest
DIGEST=$(crane digest ghcr.io/acme/app:1.4.0)
echo "deploying ghcr.io/acme/app@$DIGEST"
# digest of one platform from a multi-arch index
crane digest --platform linux/amd64 docker.io/library/alpine:3.20Options
| Flag | What it does |
|---|---|
| REF | The image reference to resolve (positional) |
| --platform os/arch | Digest of a specific platform from an index |
| --full-ref | Print the full name@digest, not just the digest |
| --tarball <path> | Compute the digest of a local image tarball |
In CI
Resolve the tag to a digest once, then reference image@sha256:... for the rest of the pipeline so a re-tag upstream cannot change what you deploy. This is the daemonless equivalent of reading RepoDigests from docker inspect.
Common errors in CI
"MANIFEST_UNKNOWN: manifest unknown" means the tag does not exist. "UNAUTHORIZED: authentication required" means log in first. If the digest differs from what a colleague sees, you likely resolved the index digest while they resolved a single platform; align on --platform or on the index digest.