5

I have just copied a docker image from one repository to another, by pulling an explicit sha256 hash tag from our OpenShift 3.11 external repository, retagging it to our Harbor 1.9.2 repository and pushing that tag.

In that process the sha256 key for the new image was shown, and it was different to the sha256 key I started out with. This was unexpected as I did not change anything with the image, except assigning it another tag, so the bytes should be the same giving the same hash.

Does this mean that the algorithms for some reason are different? That the repository name is included in the hash key calculation? Or something else?

Thorbjørn Ravn Andersen
  • 73,784
  • 33
  • 194
  • 347

1 Answers1

5

You are confusing the image id digest with the layer digests. If you docker inspect those images you will notice that the underlying layer digests will match exactly.

Each image in the registry gets an image id. Run docker images --digests --no-trunc and notice that you will see a digest column and an image id column and they are not the same. The digest column is the digest of the manifest and is shown as RepoDigests in docker inspect output. If the manifest contains the name and the tag, then the digest will be different as well.

Also try diff <(docker inspect image_id_1) <(docker inspect image_id_2) to see what is going on.

See this answer and this article for additional details.

Praveen Lobo
  • 6,956
  • 2
  • 28
  • 40