You can query the registry API for the image digest and compare it to the digest of the image you've pulled.
$ cat digest-v2.sh
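#!/bin/sh
# Split the reference into repository and tag (defaults to library/ubuntu:latest).
ref="${1:-library/ubuntu:latest}"
repo="${ref%:*}"
tag="${ref##*:}"
# Accept both a single manifest and a multi-platform manifest list.
acceptM="application/vnd.docker.distribution.manifest.v2+json"
acceptML="application/vnd.docker.distribution.manifest.list.v2+json"
# Request an anonymous pull token for the repository.
token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
        | jq -r '.token')
# HEAD request: only the response headers (including the digest) are returned.
curl -H "Accept: ${acceptM}" \
     -H "Accept: ${acceptML}" \
     -H "Authorization: Bearer $token" \
     -I -s "https://registry-1.docker.io/v2/${repo}/manifests/${tag}"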
$ ./digest-v2.sh library/busybox:latest
HTTP/1.1 200 OK
Content-Length: 2080
Content-Type: application/vnd.docker.distribution.manifest.list.v2+json
Docker-Content-Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a"
Date: Sun, 11 Oct 2020 21:04:59 GMT
Strict-Transport-Security: max-age=31536000
You can compare that ETag or Docker-Content-Digest header to the registry reference on the image you've previously pulled:
$ docker image inspect busybox:latest --format '{{json .RepoDigests}}' | jq .
[
"busybox@sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a"
]
$ docker image pull busybox:latest
latest: Pulling from library/busybox
Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Status: Image is up to date for busybox:latest
docker.io/library/busybox:latest
I've also been working on some Go APIs and CLI to work with more registries where you may need to pass different types of authorization. That project is at regclient/regclient and includes a regctl command.
$ regctl image digest --list busybox:latest
sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
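As an added example (not part of the original answer or of regclient), the comparison described above can be scripted: the functions below pull `Docker-Content-Digest` out of the `curl -I` output and check it against the local RepoDigests. The names `remote_digest`, `is_sha256_digest` and `image_status` are hypothetical, and the sample input is constructed from the busybox digest shown above.

```shell
#!/bin/sh
# Added example (not from the original answer): decide whether a local image
# still matches the registry, given raw `curl -I` headers and RepoDigests.

# Read raw response headers on stdin, print the Docker-Content-Digest value.
# Header lines end in CRLF, and the name is case-insensitive (HTTP/2 responses
# carry it in lowercase), so normalise both before matching.
remote_digest() {
  tr -d '\r' | awk '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == "docker-content-digest") {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
    }
  }'
}

# Accept only a well-formed sha256 digest, so an error page or an empty
# response is never mistaken for "no match".
is_sha256_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# image_status HEADERS REPODIGESTS
# Prints current, stale or error; returns 0, 1 or 2 respectively.
image_status() {
  want=$(printf '%s\n' "$1" | remote_digest)
  is_sha256_digest "$want" || { echo error; return 2; }
  for entry in $2; do            # entries look like repo@sha256:<hex>
    if [ "${entry##*@}" = "$want" ]; then echo current; return 0; fi
  done
  echo stale; return 1
}

# Constructed sample input, using the busybox digest shown above.
digest="sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a"
sample_headers=$(printf 'HTTP/1.1 200 OK\r\nDocker-Content-Digest: %s\r\n' "$digest")
sample_local="busybox@$digest"
image_status "$sample_headers" "$sample_local"

# Live use (needs network and Docker):
#   image_status "$(./digest-v2.sh library/busybox:latest)" \
#     "$(docker image inspect busybox:latest \
#        --format '{{range .RepoDigests}}{{println .}}{{end}}')"
```

A result of `error` means no valid digest came back (for example an expired token or a rate-limit response), which should be treated differently from `stale`.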