Find the tag of a Docker image having only the SHA256

get-docker-image-tag-by-sha.sh

#!/bin/bash

SHA256_HASH="5bb4faffc8b35e2702b2ffa78e982b979d7b66db29bd55b0c58de8fa745df661"

for i in {1..1000}
do
   echo "Looking into page: $i"

   curl "https://registry.hub.docker.com/v2/repositories/apache/superset/tags/?page=$i" \
    | jq '.results[] | select(.["images"][]["digest"] == "sha256:'${SHA256_HASH}'")'
done

For the benefit of anyone else who happens to hit this, if what you have is the hash of a particular tag of a multi-arch image, this approach does not work.

Ha, the later iterations do work! It's the or .digest == [...] part which does the trick I think.

Anyway, for posterity, here's my iteration of the script, with simplistic command line argument handling, sleeping every 100 pages and adding the sha256: prefix if not given.

#!/bin/bash
set -eou pipefail

SHA256_HASH=""
IMAGE=""

while [[ $# -gt 0 ]]; do
  case "$1" in
  --hash)
    shift
    SHA256_HASH="$1"
    shift
    ;;
  --image)
    shift
    IMAGE="$1"
    shift
    ;;
  *)
    echo "Unknown argument \"$1\"" >&2
    echo "Usage: $0 --hash HASH --image REPO/IMAGE" >&2
    exit 1
    ;;
  esac
done

if [[ -z "$SHA256_HASH" || -z "$IMAGE" ]]; then
  echo "Usage: $0 --hash HASH --image REPO/IMAGE" >&2
  exit 1
fi

if [[ ! "${SHA256_HASH:0:7}" == "sha256:" ]]; then
  SHA256_HASH="sha256:${SHA256_HASH}"
fi

for i in {1..1000}; do
  if [[ $(expr $i % 100) -eq 0 ]]; then
    echo "Sleeping for 7 seconds on page $i..."
    sleep 7
  fi

  echo "Looking into page: $i"

  result=$(
    curl "https://registry.hub.docker.com/v2/repositories/$IMAGE/tags/?page=$i" |
      jq '.results[] | select(.["images"][]["digest"] == "'${SHA256_HASH}'" or .digest == "'${SHA256_HASH}'")'
  ) || break

  if [[ ! -z "$result" ]]; then
    echo "$result" | jq .
    break
  fi
done