No good way to verify public image sha256 in docker hub – security concern

This is a little crazy but apparently we don’t have a good way to verify sha256 digests of public images in docker hub.

The related thread is here: and this Stack Overflow question is also useful: .

Problems in a nutshell:

  1. Publicly displayed digests in the Docker Hub UI do not match those seen when pulling images locally
  2. Getting public image manifests is highly problematic (a very hacky work-around is involved)
  3. A public image may be re-pushed with the same tag -> forcing a new digest -> forcing details about the last image to be erased. How do we audit this to still be good?

Potentially, all of those present a serious level of security concern.
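The three points above come down to how registry digests are defined: a digest is the sha256 of the exact manifest bytes the registry serves, a tag on Docker Hub usually resolves to a multi-platform image index whose digest differs from the per-platform manifest digest your local daemon reports after a pull, and a tag is a mutable pointer that a re-push silently moves. The example below is added here to illustrate those mechanics; it is not code from the forum post or from Docker, and all manifests, tags and the `TagStore` registry model are constructed stand-ins, not real Docker Hub content.

```python
import hashlib
import hmac
import json
import re


def digest_of(raw: bytes) -> str:
    """A registry content digest is sha256 over the exact bytes served."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


# Constructed sample manifest for one platform (not real Docker Hub content).
PLATFORM_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "11" * 32, "size": 1234},
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                "digest": "sha256:" + "22" * 32, "size": 56789}],
}, separators=(",", ":")).encode()


def build_index(platform_manifests):
    """Build a multi-platform image index, which is what a tag on a registry
    usually resolves to. platform_manifests: list of (os, arch, manifest_bytes)."""
    index = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.index.v1+json",
        "manifests": [
            {"mediaType": "application/vnd.oci.image.manifest.v1+json",
             "digest": digest_of(m), "size": len(m),
             "platform": {"os": os_, "architecture": arch}}
            for os_, arch, m in platform_manifests
        ],
    }
    return json.dumps(index, separators=(",", ":")).encode()


def list_digests(index_bytes: bytes) -> dict:
    """Show why the UI digest (index) and the locally reported digest
    (platform manifest) legitimately differ for the same tag."""
    index = json.loads(index_bytes)
    return {
        "index_digest": digest_of(index_bytes),
        "platform_digests": {
            f"{m['platform']['os']}/{m['platform']['architecture']}": m["digest"]
            for m in index["manifests"]
        },
    }


def verify_digest(raw: bytes, expected: str) -> bool:
    """Check fetched manifest bytes against the digest you meant to pin."""
    return hmac.compare_digest(digest_of(raw), expected)


DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_pinned(image_ref: str) -> bool:
    """True when a reference is pinned by digest rather than a mutable tag."""
    return DIGEST_RE.search(image_ref) is not None


class TagStore:
    """Minimal model of a registry: content-addressed blobs are immutable,
    tags are mutable pointers that a re-push overwrites (constructed model)."""

    def __init__(self):
        self.blobs = {}   # digest -> manifest bytes
        self.tags = {}    # tag -> digest

    def push(self, tag: str, raw: bytes) -> str:
        d = digest_of(raw)
        self.blobs[d] = raw
        self.tags[tag] = d   # previous digest is no longer reachable by tag
        return d

    def resolve(self, ref: str) -> bytes:
        """Resolve 'name:tag' or 'name@sha256:...' to manifest bytes."""
        if "@" in ref:
            return self.blobs[ref.split("@", 1)[1]]
        return self.blobs[self.tags[ref.rsplit(":", 1)[1]]]
```

Pinning by `@sha256:` is the control that addresses point 3: once a deployment references the digest rather than the tag, a re-push of the tag changes nothing for that deployment, and an audit can compare the pinned digest against `list_digests` output for the index or against the platform manifest digest the daemon reports.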