What's the difference between a Docker image's Image ID and its Digest?

This has been surprisingly confusing for me. I thought Docker's Image ID is its SHA256 hash. However, apparently the result from docker image ls --digests (listed under the column header DIGEST) is different from the IMAGE ID of that image.

For example

docker image ls --digests alpine
REPOSITORY          TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE
alpine              latest              sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6   055936d39205        2 weeks ago         5.53MB

while

docker image ls --no-trunc
REPOSITORY                                             TAG                 IMAGE ID                                                                  CREATED             SIZE
...
alpine                                                 latest              sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1   2 weeks ago         5.53MB

Clearly sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1 (IMAGE ID) and sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6 (DIGEST) are not the same value. But why? What's the purpose of having two different sha256 hashes of the same image. How are they calculated, respectively?

I was confused by this when reading the book Docker Deep Dive, and I haven't been able to find a clear answer either in the book or online.

Solution 1:

Thanks for michalk's comment. The short answer is:

• The "digest" is a hash of the manifest, introduced in Docker registry v2.
• The image ID is a hash of the local image JSON configuration.