
I want to pull images from my private registry based on their sha256 digests, but I get a "manifest unknown" error.

The workflow is:
I get digest by running:
# docker manifest inspect MY_REPO/my-product/development/my_artifact:latest | grep digest | head -n1 | xargs
and the output is:
digest: sha256:e911cd696274444426a8da826da75710cf6909e87887b57f929b9fb8741ffa9a

But when I try pulling it by its digest, I get a "manifest unknown" error:

# docker pull MY_REPO/my-product/development/my_artifact:latest@sha256:e911cd696274444426a8da826da75710cf6909e87887b57f929b9fb8741ffa9a

Error response from daemon: manifest for MY_REPO/my-product/development/my_artifact@sha256:e911cd696274444426a8da826da75710cf6909e87887b57f929b9fb8741ffa9a not found: manifest unknown: manifest unknown

What is wrong?

Update:
We use Nexus (community edition) as the container registry. It seems we have no problem with images that are proxied, but hosted images have that error.
So the main question may be: does a Docker registry hosted by Nexus support digest-based pulling?

2 Answers


  1. Verify Digest-Tag Match:
    Ensure the digest matches the :latest tag. Run:

    docker manifest inspect MY_REPO/my-product/development/my_artifact:latest

    Pull by Digest Only:
    Try pulling without the :latest tag:

    docker pull MY_REPO/my-product/development/my_artifact@sha256:e911cd696274444426a8da826da75710cf6909e87887b57f929b9fb8741ffa9a

    Authenticate:
    Ensure you’re logged into the private registry:

    docker login MY_REPO

    Check Registry Support:
    Confirm your registry supports digest-based pulls or verify using the API.

    Clear Cache:
    Pull with --no-cache:

    docker pull --no-cache MY_REPO/my-product/development/my_artifact@sha256:e911cd696274444426a8da826da75710cf6909e87887b57f929b9fb8741ffa9a

    Inspect Permissions:
    Ensure you have access to the repository and digest.

    Login or Signup to reply.
  2. The digest you received from the command is most likely not the digest of a manifest, and therefore is not something you would pull with a docker pull command. In general, there are two types of manifests you’ll see on a registry, a manifest list and an image manifest. There are Docker and OCI variants of each, but the format is nearly identical between the two.

    When the docker manifest inspect command is run on a manifest list, you’ll receive a list of digests for each platform specific image manifest, and your command would return the first platform from the list. But if the command is run on an image manifest, the digest returned will be for the config blob of that image, and the config blob is not something you would pull with docker pull, causing the manifest unknown error.

    What you would be better off doing is using docker buildx imagetools inspect, e.g.:

    docker buildx imagetools inspect alpine --format '{{printf .Manifest.Digest.String}}'
    
    docker buildx imagetools inspect alpine@sha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85 --format '{{printf .Manifest.Digest.String}}'
    

    Both of these commands will return the digest of the manifest pulled, and not a child object of that manifest. For a more efficient command, there’s also:

    # crane is from Google's go-containerregistry project
    crane digest $image
    
    # regctl is from my own regclient project
    regctl image digest $image
    

    The advantage of these two commands is they do not pull the manifest, which counts against rate limits on some registries.

    That said, the command you then attempt to run:

    docker pull MY_REPO/my-product/development/my_artifact:latest...
    

    appears to be trying to pull something that may not be an image. If the media types do not match those of a container image, and are instead an OCI artifact, the docker pull will fail since it is a container engine. Other tools like crane, oras, or regctl would be better for working with artifacts.

    Login or Signup to reply.
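
To illustrate the second answer's point, here is an added example (not code from either answerer; both manifests are constructed samples with placeholder digests). It shows which digest `grep digest | head -n1` picks out of each manifest type, next to the digest a registry resolves for `name@sha256:...`, which is the SHA-256 of the manifest's exact bytes.

```python
import hashlib
import json

def manifest_digest(raw: bytes) -> str:
    """Digest a registry resolves for `name@sha256:...`: SHA-256 of the exact manifest bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def explain(raw: bytes) -> dict:
    """Compare the first "digest" field in a manifest body with the manifest's own digest."""
    doc = json.loads(raw)
    if "manifests" in doc:   # manifest list / OCI index: one entry per platform
        kind, target = "manifest list", "platform image manifest"
        first = doc["manifests"][0]["digest"]
    elif "config" in doc:    # image manifest: config blob first, then layers
        kind, target = "image manifest", "config blob"
        first = doc["config"]["digest"]
    else:
        raise ValueError("not a manifest list or image manifest")
    return {"kind": kind, "grep_digest": first, "grep_points_at": target,
            "manifest_digest": manifest_digest(raw)}

# Constructed samples; the digests inside are placeholders, not real content.
IMAGE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1472, "digest": "sha256:" + "a" * 64},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 3401613, "digest": "sha256:" + "b" * 64}],
}, indent=3).encode()

MANIFEST_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [{"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                   "size": 528, "digest": "sha256:" + "c" * 64,
                   "platform": {"architecture": "amd64", "os": "linux"}}],
}, indent=3).encode()

if __name__ == "__main__":
    for raw in (IMAGE_MANIFEST, MANIFEST_LIST):
        r = explain(raw)
        print(f'{r["kind"]}: first "digest" field is the {r["grep_points_at"]}')
        print(f'  grep | head -n1 -> {r["grep_digest"]}')
        print(f'  manifest digest -> {r["manifest_digest"]}')
```

Because the digest covers the raw bytes, re-serialising the same JSON with different whitespace yields a different manifest digest, so it has to be computed over the body exactly as the registry serves it.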