Show the "Manifest List" / "OCI Index" digest in the UI

[tianon]

Tell us about your request

Right now, the tags listing UI shows the image digest for each architecture, but not the image digest for the overall manifest list (or OCI index, depending on your terminology preference). This causes concrete user confusion in that docker pull (and other tools) will show the manifest list digest (https://github.com/moby/moby/issues/40636, https://github.com/docker/hub-feedback/issues/1925, for example).

Which service(s) is this request for?

Docker Hub :smile:

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

Ideally, I'd love to be able to docker pull something and validate that the digest listed in the output there is the one I see on Docker Hub. However for myself, the bigger thing I want is to be able to choose a tag from the Hub UI, copy the digest of the manifest list, and then be able to reference that digest no matter which architecture I end up running on.

Are you currently working around the issue?

I currently work around this by using the Registry APIs directly instead of getting this from the UI. :disappointed:

[andrewchen5678]

+1

[jaycuse]

As a user, I was confused. I support this request.

[the-dreamdevil]

+1

[daniel-shuy]

Really need this feature to easily get the latest cross-platform digest to pin images to.

In the meantime, to get the overall manifest list from the Docker Hub Registry API:

curl https://auth.docker.io/token?scope=repository:$image:pull&service=registry.docker.io

where $image is the Docker image name (if it is an official image, prefix it with library/).

This will return a JWT token in the format:

{
  "token", ...,
  "expires_in": ...,
  "issued_at": ...
}

The Bearer Token is the value in token.

curl -v -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json"  -H "Authorization: Bearer $token"  "https://registry-1.docker.io/v2/$image/manifests/$tag"

where $token is the Bearer token from the previous API request, $image is the Docker image name (if it is an official image, prefix it with library/), $tag is the Docker image tag.

The overall manifest list digest can be found in the DOCKER-CONTENT-DIGEST/ETAG response header (in the format sha256:...).

[taoeffect]

Thanks @daniel-shuy. It's nuts DockerHub doesn't show that on their website. How else are people supposed to verify the hashes? Crazy.

[thaJeztah]

Let me copy my comment from https://github.com/moby/moby/issues/40636#issuecomment-595985775;

perhaps both the "manifest list" digest, and the digest for the selected image (platform/architecture) should be shown. Currently it's confusing, because the digest is shown underneath the image name, but is actually referring to the digest for the selected architecture.

Something like this;

[Mohammad-Kabajah]

+1

[GabriFedi97]

+1

[spurin]

+1 - I recently created a lesson on this and already I've had two confused students reach out and mention that what they see in Docker Hub doesn't match what they see in the pull command. It's fine of course if the container image is single platform only but, given that multi arch containers are essential (especially with the likes of apple silicon), this could really do with an update.

An alternative UI viewpoint suggestion to complement the one from @thaJeztah . This was a quick modification to the html in chrome using inspect elements. Given that real estate is now being taken up by Scout, the OS/ARCH specific digest is at the bottom with the main one seen in the docker pull output, being prominent at the top.

% docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
c41833b44d91: Already exists
Digest: sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest

[vttranlina]

+1

[pxlfrk]

+1

[kevin-wyx]

+1 It makes sense to also show the digest output of docker pull in the Docker Hub UI.

[taoeffect]

I think this is a signal that Docker needs to be forked by some intrepid group that is willing to maintain it and cares more about security. This issue is so trivial to fix and yet it has been open for two years now.

[dfuentes77]

How is this still an open issue?!

[rlSimonLi]

If Docker is really serious about pushing multi-arch, they really need to add this.

[teeks99]

+1

[kilrau]

+1

[kilrau]

+1

this causes so much confusion and PAIN

[thaJeztah]

Looks like this was deployed @lukoboi ? https://github.com/docker/hub-feedback/issues/1925#issuecomment-1999995876

Closing this as I've just added the digest on hub 🎉 The index digest will be displayed when present now.

[lukoboi]

@thaJeztah this has now been deployed 😄

[thaJeztah]

Awesome! I think you made a lot of people happy (myself included) I'll go ahead and close this ticket 🥳 🥳 🥳