Verifying the digest of an image

Using docker 1.10.2, I’ve experienced the following:

If I pull an image explicitly by digest, then

  • the docker daemon verifies the digest
  • the digest is subsequently available locally via the “docker inspect” command in the “RepoDigests” field

If I pull by tag (without Content Trust enabled)

  • the digest from the manifest is printed to the console
  • however, the docker daemon does not verify the digest
  • the digest is not available via “docker inspect”

Is there any way to do either or both of:

  • force the daemon to verify the digest on pull by tag
  • keep the digest available for later inspection?

Thanks!

Is the content trust enabled? “NOTE: If you omit the latest tag, content trust is skipped. This is true even if content trust is enabled”
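Added example, not part of the thread and not Docker's own code: a Python sketch of the two checks the question asks about, recomputing a manifest's digest against a pinned value, and checking whether `docker inspect` output records that digest in "RepoDigests". It assumes a manifest whose digest is the SHA-256 of its raw bytes (schema 2); the image name, manifest and inspect output are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def manifest_digest(manifest_bytes: bytes) -> str:
    """Content digest of a manifest: SHA-256 over the exact bytes received."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()

def verify_manifest(manifest_bytes: bytes, pinned: str) -> bool:
    """True only if the bytes hash to the pinned digest."""
    if not DIGEST_RE.match(pinned):
        raise ValueError("pinned digest must look like sha256:<64 hex chars>")
    return hmac.compare_digest(manifest_digest(manifest_bytes), pinned)

def repo_digests(inspect_json: str) -> set:
    """Digests recorded in the RepoDigests field of `docker inspect` output."""
    found = set()
    for image in json.loads(inspect_json):
        # The field may be empty, null or absent (the question reports no
        # digest being available after a pull by tag).
        for ref in image.get("RepoDigests") or []:
            _, _, digest = ref.partition("@")
            if DIGEST_RE.match(digest):
                found.add(digest)
    return found

def image_matches_pin(inspect_json: str, pinned: str) -> bool:
    """Fail closed: an image with no recorded digest does not match."""
    return pinned in repo_digests(inspect_json)

# Constructed sample data (not real registry content).
SAMPLE_MANIFEST = b'{"schemaVersion": 2, "layers": []}'
PINNED = manifest_digest(SAMPLE_MANIFEST)
INSPECT_BY_DIGEST = json.dumps(
    [{"Id": "sha256:" + "0" * 64, "RepoDigests": ["example/app@" + PINNED]}])
INSPECT_BY_TAG = json.dumps([{"Id": "sha256:" + "0" * 64, "RepoDigests": []}])

if __name__ == "__main__":
    print(verify_manifest(SAMPLE_MANIFEST, PINNED))         # untouched bytes
    print(verify_manifest(SAMPLE_MANIFEST + b" ", PINNED))  # one byte added
    print(image_matches_pin(INSPECT_BY_DIGEST, PINNED))
    print(image_matches_pin(INSPECT_BY_TAG, PINNED))
```

To use it on a real host, feed `repo_digests` the JSON printed by `docker inspect <image>` and compare against a digest obtained out of band.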