Create manifest and hash at docker build time rather than push #37731

Open
deitch opened this issue Aug 29, 2018 · 0 comments
deitch commented Aug 29, 2018

**Description**

Request: Make it possible to hash-address images by using `foo/bar@sha256:hash` before pushing to a registry.

Logic: Using `foo/bar@sha256:hash` allows one to ensure that the manifest hasn't changed. However, since you have to push it to a registry first, you are limited to the registry, and cannot prevent the files (or the image) from changing on disk over time.

When we do `docker build`, the `RepoDigests` field is empty in `docker inspect`, because a manifest does not exist. However, when we do `docker push`, it constructs the manifest (and the digest) based entirely on information that is already available locally at build time. Thus, rather than waiting until `docker push` to construct the manifest and its hash, we should construct them at `docker build` time. This should be fairly simple - move the code from push to build, although it cannot hurt to validate at push time - and thus the digest will be available even for locally built images without pushing.

**Steps to reproduce the issue:**

  1. Build a simple image using `docker build -t foo/bar:tag .`
  2. Try to get the digest for that image via `docker inspect --format='{{index .RepoDigests 0}}' foo/bar:tag`; it fails.
  3. You cannot run the image using its sha256 manifest hash: `docker run foo/bar@sha256:<something>`

**Describe the results you received:**

No way to get the manifest hash and thus close the validation loop without pushing to a registry.

**Describe the results you expected:**

Get the hash once the image is built.

**Output of `docker version`:**

```
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:05:26 2018
 OS/Arch:           darwin/amd64
 Experimental:      true

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa825
  Built:            Wed Jul 18 19:13:46 2018
  OS/Arch:          linux/amd64
  Experimental:     true
```

**Output of `docker info`:**

```
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 607
Server Version: 18.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.93-linuxkit-aufs
Operating System: Docker for Mac
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.952GiB
Name: linuxkit-025000000001
ID: UJ3S:YG5T:JDBM:ORIS:WAXS:FSBR:KM26:TFKL:NHOG:HEFE:JRTR:LBFH
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 27
Goroutines: 54
System Time: 2018-08-29T11:39:07.7983983Z
EventsListeners: 2
HTTP Proxy: gateway.docker.internal:3128
HTTPS Proxy: gateway.docker.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
```

**Additional environment details (AWS, VirtualBox, physical, etc.):**

cc @justincormack with whom I have discussed this
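The digest the issue asks for at build time is the SHA-256 of the manifest bytes, and the manifest itself only references the config and layer blobs by their own size and digest, all of which exist locally after a build. As an added example (not code from this issue or from Docker), the Python below builds a schema2-style manifest from local blobs, derives the digest that `foo/bar@sha256:...` would pin, and shows the verification check such a digest makes possible; the 3-space JSON indent is an assumption standing in for whatever exact serialization the pusher uses, since the digest covers the exact bytes.

```python
import hashlib
import json

# Media types of a Docker schema2 image manifest and the blobs it references.
MANIFEST_TYPE = "application/vnd.docker.distribution.manifest.v2+json"
CONFIG_TYPE = "application/vnd.docker.container.image.v1+json"
LAYER_TYPE = "application/vnd.docker.image.rootfs.diff.tar.gzip"


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def descriptor(media_type: str, blob: bytes) -> dict:
    # A manifest never embeds blob bytes, only their size and content digest.
    return {"mediaType": media_type, "size": len(blob), "digest": sha256_digest(blob)}


def build_manifest(config_blob: bytes, layer_blobs: list) -> bytes:
    # Everything used here is known locally after `docker build`: the config
    # JSON and the compressed layer tarballs. The digest is over the exact
    # bytes, so the indent (assumed 3 spaces) must match the pusher's output.
    manifest = {
        "schemaVersion": 2,
        "mediaType": MANIFEST_TYPE,
        "config": descriptor(CONFIG_TYPE, config_blob),
        "layers": [descriptor(LAYER_TYPE, blob) for blob in layer_blobs],
    }
    return json.dumps(manifest, indent=3).encode()


def verify_image(manifest_bytes: bytes, pinned_digest: str, blobs: dict) -> bool:
    # Closing the validation loop: the pinned digest must match the manifest,
    # and every blob the manifest references must match its size and digest.
    if sha256_digest(manifest_bytes) != pinned_digest:
        return False
    manifest = json.loads(manifest_bytes)
    for desc in [manifest["config"], *manifest["layers"]]:
        blob = blobs.get(desc["digest"])
        if blob is None or len(blob) != desc["size"]:
            return False
        if sha256_digest(blob) != desc["digest"]:
            return False
    return True


# Constructed sample image: a tiny config and two stand-in layer blobs.
CONFIG_BLOB = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
LAYER_BLOBS = [b"constructed layer tarball 1", b"constructed layer tarball 2"]
MANIFEST_BYTES = build_manifest(CONFIG_BLOB, LAYER_BLOBS)
PINNED_DIGEST = sha256_digest(MANIFEST_BYTES)  # what foo/bar@sha256:... would pin
BLOB_STORE = {sha256_digest(b): b for b in [CONFIG_BLOB, *LAYER_BLOBS]}
```

A layer that changes on disk after the build fails `verify_image` even though the manifest digest is unchanged, which is exactly the check that is impossible today without a registry round trip.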