Incorrect digest returned?

[jurre]

Currently the digest is fetched from the Docker registry manifest
endpoint with the
application/vnd.docker.distribution.manifest.v2+json Media Type:

dt=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/python:pull" | jq -r .access_token)
curl curl --get -v https://registry.hub.docker.com:443/v2/library/python/manifests/slim --header "Authorization: Bearer $dt" --header "Accept: application/vnd.docker.distribution.manifest.v2+json"
< HTTP/1.1 200 OK
< Content-Length: 1370
< Content-Type: application/vnd.docker.distribution.manifest.v2+json
< Docker-Content-Digest: sha256:af2d64e6de9f891bd5958a498bd2394389143749b3c57ffcc8c2aec054b28ad5

However, the digest that is returned in the header here, is actually
that of the first platform that's listed.

When we install that latest image, we see the digest should actually be:

docker images --digests | grep python
python slim sha256:50328b4efe5ff8ef8bb2e62e088a4cefeace39062c483c04987f5820e7cf73b1

When using the
application/vnd.docker.distribution.manifest.list.v2+json media type:

dt=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/python:pull" | jq -r .access_token)
curl curl --get -v https://registry.hub.docker.com:443/v2/library/python/manifests/slim --header "Authorization: Bearer $dt" --header "Accept: application/vnd.docker.distribution.manifest.list.v2+json"

< HTTP/1.1 200 OK
< Content-Length: 1862
< Content-Type: application/vnd.docker.distribution.manifest.list.v2+json
< Docker-Content-Digest: sha256:50328b4efe5ff8ef8bb2e62e088a4cefeace39062c483c04987f5820e7cf73b1

We get the expected digest, and when inspecting the body, we can see
that we previously got the digest for amd64:

{
  "manifests": [
    {
      "digest": "sha256:af2d64e6de9f891bd5958a498bd2394389143749b3c57ffcc8c2aec054b28ad5",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      },
      "size": 1370
    },

Should we be using the manifest-list.v2 media type to fetch the digest?

[deitch]

I get what you are saying, about accepting multiple types, as opposed to the single one we set here. That becomes even more important if you want to use this against other registries that use the more up-to-date OCI types rather than the docker types.

That might lead to people getting an index, when they want a manifest, and having to walk it down. Then again, that is precisely how my OCI registry tool works.

I do have a hard time understanding how you got the above hashes, though. Here is the root index for docker.io/library/python:slim:

{
  "manifests": [
    {
      "digest": "sha256:88625be04f61b3c2cefcbbcaa49c1f5a2106cc4f4b85557f2ce9e787b05e7625",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      },
      "size": 1370
    },
    {
      "digest": "sha256:a353256c0c36a54371c00d0959b64c5c3e58a6c66a6f5b6b0098a014926c0aa5",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v5"
      },
      "size": 1370
    },
    {
      "digest": "sha256:71ce8007a8cc028c5fcb720190d42b810194b25dccc124b18aac0f0a89352b19",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v7"
      },
      "size": 1370
    },
    {
      "digest": "sha256:93b770ee1ef178108536c0a0c0edb4ff100dbd28b89facfba9ee572c2b6e710c",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm64",
        "os": "linux",
        "variant": "v8"
      },
      "size": 1370
    },
    {
      "digest": "sha256:42797e3545e3ffb5c4acd54e56316d03712a1f680e9c465164877192471208f3",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "386",
        "os": "linux"
      },
      "size": 1370
    },
    {
      "digest": "sha256:b4f638253ea9096dc93dcf1677fb754dd22ca555707f2ae198ee76720c7d4b32",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "mips64le",
        "os": "linux"
      },
      "size": 1370
    },
    {
      "digest": "sha256:37d5ee0a4882f7a76e6ba43ecfdc37b6bce2a2e58956d3bbb9c126b82073abd2",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "ppc64le",
        "os": "linux"
      },
      "size": 1370
    },
    {
      "digest": "sha256:ac9cb86d45fc4abe292f37c5154c323b1b5c2e248bbc829caadaefa21ba0ac36",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "s390x",
        "os": "linux"
      },
      "size": 1370
    }
  ],
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "schemaVersion": 2
}

Its hash is sha256:2364a510309d1871c644ce778709bbfd611b581924c849345057db600f48260a.

If I look just at the one for linux/amd64, I get (abbreviated):

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 7609,
    "digest": "sha256:d5d352d7d84082f328a6d1bc84f9da8fb5a6bb652be1974514952aa541e07cc3"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 27108069,
      "digest": "sha256:a076a628af6f7dcabc536bee373c0d9b48d9f0516788e64080c4e841746e6ce6"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 2750241,
      "digest": "sha256:de8081929fad39cfd342cf72cb9b1c4a072250ebd2f7b2eafde16e0c54aed607"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 10888610,
      "digest": "sha256:181a96cb0617105c41bed5028f29605da9d2770762dadea6be79051ac1c3faff"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 233,
      "digest": "sha256:c91fe2011cc2116aea7aab04513720f45fa7c916fa89276236f03cdbebdc9d5b"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 2452182,
      "digest": "sha256:16e23e4a2e6e5b2c186d0517aa411948e78abb6c8a3aebae3dd2ff5fa082d9bc"
    }
  ]
}

So I have no idea where your sha256:af2d64e6de9f891bd5958a498bd2394389143749b3c57ffcc8c2aec054b28ad5 came from. Maybe the slim tag changed?

In any case, definitely open to a PR for it.

[jurre]

I do have a hard time understanding how you got the above hashes, though. Here is the root index for

There must have been an update after I grabbed these, I'm getting the same hashes rerunning the curl commands I posted 👍

In any case, definitely open to a PR for it.

Sweet, will do. Thanks for the quick response

[deitch]

Haha, got to love mutable tags!

I look forward to the PR.