✦ For everyone, free.

Practical knowledge for real and everyday life

Home

3.2.3.3 Digest Supply Verification

A focused guide to Digest Supply Verification, connecting core concepts with practical Docker and container operations.

Digest supply verification is the practice of confirming, using an image's content digest, that what was actually received from a registry exactly matches what was expected, protecting against corruption during transfer or tampering anywhere along the supply chain between build and deployment.

Verifying Integrity on Pull

When pulling an image by digest, the client verifies the received content against that digest before considering the pull successful, which means any corruption or substitution during transfer is detected rather than silently accepted.

docker pull myapp@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

If the actual content received does not hash to this exact digest, the pull fails rather than completing with incorrect content.

Recording Expected Digests as Part of a Build Pipeline

A build pipeline can record the digest of the image it produces immediately after building it, creating a trusted reference that later stages of the pipeline, or external systems, can use to verify they are working with the exact same artifact.

docker build -t myapp:2.3.0 .
docker inspect myapp:2.3.0 --format '{{.Id}}' > expected-digest.txt
Comparing Against the Recorded Digest Before Deployment

Before deploying an image, its actual digest can be compared against a previously recorded, trusted value, confirming that nothing has changed it since it was originally built and validated.

docker inspect registry.example.com/myapp:2.3.0 --format '{{index .RepoDigests 0}}'
Why This Matters for Supply Chain Security

Without digest-based verification, a compromised registry, a man-in-the-middle attacker, or even an accidental tag reassignment could result in different content being deployed than what was actually tested and approved — digest verification closes this gap by making the actual deployed content cryptographically verifiable against a known-good reference.

docker scan registry.example.com/myapp@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Why Digest Supply Verification Matters

As container images move through increasingly complex build, storage, and deployment pipelines, verifying content by digest at each handoff point is one of the most concrete, low-effort ways to maintain confidence that the artifact ultimately deployed is the same one that was originally built and tested.

Related content