#Best way to get a image SHA with the Go SDK?

I'm working on a build system and it would be great to get the image/tag sha's for the intermediate and final containers during the build. This was we can log those details as part of our internal SBOM. I don't see a way to get that now, but would it be possible in the Go SDK?

The string returned by Publish will be the fully qualified ref, including SHA, of the image being pushed.

Does that work for your use case? Or do you need the SHA at other times besides when you push the image?

That will work for part of it, but I would also need the SHA of the images pulled to build the artifacts in the multi-stage build.

I see, yeah we don't have an API for that at this moment unfortunately but we could add one fairly easily.

An additional possibility would be to add support for buildkit's provenance features, which would include all that information when doing publishes or exports of images. Some docs here: https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-provenance.md

Is that something that would help you? Or are you doing something custom/internal where you just want to get the image SHAs directly and plug into your own thing?

That looks like it might have the right details, but it is a lot to parse at first glance... will need to dive into that some more

Totally, it's probably a larger project for us to implement too, so something in the longer run. I opened an issue for just getting the SHA here which should be easier: https://github.com/dagger/dagger/issues/4516

In the mean time the only workaround I can think of is to resolve the SHA before you provide it to dagger using a library like go-containerregistry (we use that in one place of our own code too actually https://github.com/sipsma/dagger/blob/984230dafba479b0d1caf9c8ee257c883aa465bb/internal/engine/docker.go#L48-L48)

Not the best but worth consideration if you need an immediate unblocker

thank you @wide trellis!