How come two docker images have the same image ID and same tag, but different digests?

Question

When I docker pull hello-world, I got the image with a digest of f9dfddf63636d84ef479d645ab5885156ae030f611a56f3a7ac7f2fdd86d7e4e

$ docker pull hello-world
Using default tag: latest
latest: Pulling from library/hello-world
Digest: sha256:f9dfddf63636d84ef479d645ab5885156ae030f611a56f3a7ac7f2fdd86d7e4e
Status: Image is up to date for hello-world:latest
docker.io/library/hello-world:latest

I was using a Mac, but when I docker inspect hello-world:latest, I saw the os/arch is linux/amd64

    ...
    "Architecture": "amd64",
    "Os": "linux",
    ...

So I went to https://hub.docker.com/_/hello-world/?tab=tags and found strangely enough, the latest hello-world for linux/amd64 is at https://hub.docker.com/layers/hello-world/library/hello-world/latest/images/sha256-92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a?context=explore with a digest of 92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a

So I pulled down this image as well

$ docker pull hello-world@sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a: Pulling from library/hello-world
Digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
Status: Downloaded newer image for hello-world@sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
docker.io/library/hello-world@sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a

Surprisingly, I ended up with two images with the same tag, same image ID, but different digests.

$ docker image ls --digests
REPOSITORY                    TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE
hello-world                   latest              sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a   fce289e99eb9        15 months ago       1.84kB
hello-world                   latest              sha256:f9dfddf63636d84ef479d645ab5885156ae030f611a56f3a7ac7f2fdd86d7e4e   fce289e99eb9        15 months ago       1.84kB

Are these two images the same one? How can I uniquely address an image if I want consistency across my team?

Answer 1

-> This is how manifest works with docker. Config.digest file remains same for both images as they are pointing towards same configuration of layers.
->The digest used for docker pull represents the digest of image manifest which is stored in a registry. This digest is considered the root of a hash chain since the manifest itself contains the hash of the content which will be downloaded and imported into docker.
->See the schema 2 spec for a description of this manifest https://docs.docker.com/registry/spec/manifest-v2-2/. The image id used within docker can be found in this manifest as config.digest. This config represents the image configuration which will be used within docker.
->So you could say the manifest is the envelope and image is what is inside. The manifest digest will always be different than the image id BUT for any given manifest the same image id should always be produced.
->As it is a hash chain, we cannot guarantee that the manifest digest will always be the same for a given image id.
-> In most cases it should usually produce the same digest, we just cannot guarantee it but do a best effort. The possible difference in manifest digest is because we do not store gzipped blobs locally and exporting of layers may produce a different digest, even though the uncompressed content should remain the same.
->The image id itself verifies that uncompressed content is the same, this is what we mean when we say the image id is now a content addressable identifier.