diff --git a/src/Containers/Microsoft.NET.Build.Containers/ContainerBuilder.cs b/src/Containers/Microsoft.NET.Build.Containers/ContainerBuilder.cs
index c9a84b8a95d4..c63227808ca1 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/ContainerBuilder.cs
+++ b/src/Containers/Microsoft.NET.Build.Containers/ContainerBuilder.cs
@@ -6,9 +6,9 @@
 
 namespace Microsoft.NET.Build.Containers;
 
-public static class ContainerBuilder
+internal static class ContainerBuilder
 {
-    public static async Task<int> ContainerizeAsync(
+    internal static async Task<int> ContainerizeAsync(
         DirectoryInfo publishDirectory,
         string workingDir,
         string baseRegistry,
@@ -31,6 +31,8 @@ public static async Task<int> ContainerizeAsync(
         string localRegistry,
         string? containerUser,
         string? archiveOutputPath,
+        bool generateLabels,
+        bool generateDigestLabel,
         ILoggerFactory loggerFactory,
         CancellationToken cancellationToken)
     {
@@ -124,11 +126,20 @@ public static async Task<int> ContainerizeAsync(
         }
         imageBuilder.SetEntrypointAndCmd(imageEntrypoint, imageCmd);
 
-        foreach (KeyValuePair<string, string> label in labels)
+        if (generateLabels)
         {
-            // labels are validated by System.CommandLine API
-            imageBuilder.AddLabel(label.Key, label.Value);
+            foreach (KeyValuePair<string, string> label in labels)
+            {
+                // labels are validated by System.CommandLine API
+                imageBuilder.AddLabel(label.Key, label.Value);
+            }
+
+            if (generateDigestLabel)
+            {
+                imageBuilder.AddBaseImageDigestLabel();
+            }
         }
+
         foreach (KeyValuePair<string, string> envVar in envVars)
         {
             imageBuilder.AddEnvironmentVariable(envVar.Key, envVar.Value);
diff --git a/src/Containers/Microsoft.NET.Build.Containers/ImageBuilder.cs b/src/Containers/Microsoft.NET.Build.Containers/ImageBuilder.cs
index 7bfdcb809962..92d81fc8813a 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/ImageBuilder.cs
+++ b/src/Containers/Microsoft.NET.Build.Containers/ImageBuilder.cs
@@ -14,6 +14,10 @@ namespace Microsoft.NET.Build.Containers;
 /// </summary>
 internal sealed class ImageBuilder
 {
+    // a snapshot of the manifest that this builder is based on
+    private readonly ManifestV2 _baseImageManifest;
+
+    // the mutable internal manifest that we're building by modifying the base and applying customizations
     private readonly ManifestV2 _manifest;
     private readonly ImageConfig _baseImageConfig;
     private readonly ILogger _logger;
@@ -33,7 +37,8 @@ internal sealed class ImageBuilder
 
     internal ImageBuilder(ManifestV2 manifest, ImageConfig baseImageConfig, ILogger logger)
     {
-        _manifest = manifest;
+        _baseImageManifest = manifest;
+        _manifest = new ManifestV2() { SchemaVersion = manifest.SchemaVersion, Config = manifest.Config, Layers = new(manifest.Layers), MediaType = manifest.MediaType };
         _baseImageConfig = baseImageConfig;
         _logger = logger;
     }
@@ -63,9 +68,12 @@ internal BuiltImage Build()
             size = imageSize
         };
 
-        ManifestV2 newManifest = _manifest with
+        ManifestV2 newManifest = new ManifestV2()
         {
-            Config = newManifestConfig
+            Config = newManifestConfig,
+            SchemaVersion = _manifest.SchemaVersion,
+            MediaType = _manifest.MediaType,
+            Layers = _manifest.Layers
         };
 
         return new BuiltImage()
@@ -87,6 +95,11 @@ internal void AddLayer(Layer l)
         _baseImageConfig.AddLayer(l);
     }
 
+    internal void AddBaseImageDigestLabel()
+    {
+        AddLabel("org.opencontainers.image.base.digest", _baseImageManifest.GetDigest());
+    }
+
     /// <summary>
     /// Adds a label to a base image.
     /// </summary>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/ManifestV2.cs b/src/Containers/Microsoft.NET.Build.Containers/ManifestV2.cs
index eb00143665c6..30937d782a4b 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/ManifestV2.cs
+++ b/src/Containers/Microsoft.NET.Build.Containers/ManifestV2.cs
@@ -12,8 +12,11 @@ namespace Microsoft.NET.Build.Containers;
 /// <remarks>
 /// https://github.com/opencontainers/image-spec/blob/main/manifest.md
 /// </remarks>
-public readonly record struct ManifestV2
+public class ManifestV2
 {
+    [JsonIgnore]
+    public string? KnownDigest { get; set; }
+
     /// <summary>
     /// This REQUIRED property specifies the image manifest schema version.
     /// For this version of the specification, this MUST be 2 to ensure backward compatibility with older versions of Docker.
@@ -47,9 +50,9 @@ public readonly record struct ManifestV2
     /// <summary>
     /// Gets the digest for this manifest.
     /// </summary>
-    public string GetDigest() => DigestUtils.GetDigest(JsonSerializer.SerializeToNode(this)?.ToJsonString() ?? string.Empty);
+    public string GetDigest() => KnownDigest ??= DigestUtils.GetDigest(JsonSerializer.SerializeToNode(this)?.ToJsonString() ?? string.Empty);
 }
 
 public record struct ManifestConfig(string mediaType, long size, string digest);
 
-public record struct ManifestLayer(string mediaType, long size, string digest, string[]? urls);
+public record struct ManifestLayer(string mediaType, long size, string digest, [property: JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)][field: JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] string[]? urls);
diff --git a/src/Containers/Microsoft.NET.Build.Containers/PublicAPI/net472/PublicAPI.Unshipped.txt b/src/Containers/Microsoft.NET.Build.Containers/PublicAPI/net472/PublicAPI.Unshipped.txt
index 89caa7583181..dbe4406eb596 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/PublicAPI/net472/PublicAPI.Unshipped.txt
+++ b/src/Containers/Microsoft.NET.Build.Containers/PublicAPI/net472/PublicAPI.Unshipped.txt
@@ -77,6 +77,10 @@ Microsoft.NET.Build.Containers.Tasks.CreateNewImage.RuntimeIdentifierGraphPath.g
 Microsoft.NET.Build.Containers.Tasks.CreateNewImage.RuntimeIdentifierGraphPath.set -> void
 Microsoft.NET.Build.Containers.Tasks.CreateNewImage.WorkingDirectory.get -> string!
 Microsoft.NET.Build.Containers.Tasks.CreateNewImage.WorkingDirectory.set -> void
+Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateLabels.get -> bool
+Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateLabels.set -> void
+Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateDigestLabel.get -> bool
+Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateDigestLabel.set -> void
 override Microsoft.NET.Build.Containers.Tasks.CreateNewImage.ToolName.get -> string!
 override Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateCommandLineCommands() -> string!
 override Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateFullPathToTool() -> string!
diff --git a/src/Containers/Microsoft.NET.Build.Containers/PublicAPI/net8.0/PublicAPI.Unshipped.txt b/src/Containers/Microsoft.NET.Build.Containers/PublicAPI/net8.0/PublicAPI.Unshipped.txt
index 3b6d27ca2c1e..f4c70d1e7a8b 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/PublicAPI/net8.0/PublicAPI.Unshipped.txt
+++ b/src/Containers/Microsoft.NET.Build.Containers/PublicAPI/net8.0/PublicAPI.Unshipped.txt
@@ -13,9 +13,7 @@ Microsoft.NET.Build.Containers.Tasks.ComputeDotnetBaseImageAndTag.TargetRuntimeI
 Microsoft.NET.Build.Containers.Tasks.ComputeDotnetBaseImageAndTag.TargetRuntimeIdentifier.set -> void
 Microsoft.NET.Build.Containers.Tasks.ComputeDotnetBaseImageAndTag.UsesInvariantGlobalization.get -> bool
 Microsoft.NET.Build.Containers.Tasks.ComputeDotnetBaseImageAndTag.UsesInvariantGlobalization.set -> void
-static Microsoft.NET.Build.Containers.ContainerBuilder.ContainerizeAsync(System.IO.DirectoryInfo! publishDirectory, string! workingDir, string! baseRegistry, string! baseImageName, string! baseImageTag, string![]! entrypoint, string![]! entrypointArgs, string![]! defaultArgs, string![]! appCommand, string![]! appCommandArgs, string! appCommandInstruction, string! imageName, string![]! imageTags, string? outputRegistry, System.Collections.Generic.Dictionary<string!, string!>! labels, Microsoft.NET.Build.Containers.Port[]? exposedPorts, System.Collections.Generic.Dictionary<string!, string!>! envVars, string! containerRuntimeIdentifier, string! ridGraphPath, string! localRegistry, string? containerUser, string? archiveOutputPath, Microsoft.Extensions.Logging.ILoggerFactory! loggerFactory, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task<int>!
 static readonly Microsoft.NET.Build.Containers.Constants.Version -> string!
-Microsoft.NET.Build.Containers.ContainerBuilder
 Microsoft.NET.Build.Containers.ContainerHelpers
 Microsoft.NET.Build.Containers.ContainerHelpers.ParsePortError
 Microsoft.NET.Build.Containers.ContainerHelpers.ParsePortError.InvalidPortNumber = 1 -> Microsoft.NET.Build.Containers.ContainerHelpers.ParsePortError
@@ -73,6 +71,8 @@ Microsoft.NET.Build.Containers.ManifestV2
 Microsoft.NET.Build.Containers.ManifestV2.Config.get -> Microsoft.NET.Build.Containers.ManifestConfig
 Microsoft.NET.Build.Containers.ManifestV2.Config.init -> void
 Microsoft.NET.Build.Containers.ManifestV2.GetDigest() -> string!
+Microsoft.NET.Build.Containers.ManifestV2.KnownDigest.get -> string?
+Microsoft.NET.Build.Containers.ManifestV2.KnownDigest.set -> void
 Microsoft.NET.Build.Containers.ManifestV2.Layers.get -> System.Collections.Generic.List<Microsoft.NET.Build.Containers.ManifestLayer>!
 Microsoft.NET.Build.Containers.ManifestV2.Layers.init -> void
 Microsoft.NET.Build.Containers.ManifestV2.ManifestV2() -> void
@@ -192,6 +192,10 @@ Microsoft.NET.Build.Containers.Tasks.CreateNewImage.ToolPath.get -> string!
 Microsoft.NET.Build.Containers.Tasks.CreateNewImage.ToolPath.set -> void
 Microsoft.NET.Build.Containers.Tasks.CreateNewImage.WorkingDirectory.get -> string!
 Microsoft.NET.Build.Containers.Tasks.CreateNewImage.WorkingDirectory.set -> void
+Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateLabels.get -> bool
+Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateLabels.set -> void
+Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateDigestLabel.get -> bool
+Microsoft.NET.Build.Containers.Tasks.CreateNewImage.GenerateDigestLabel.set -> void
 Microsoft.NET.Build.Containers.Tasks.ParseContainerProperties
 Microsoft.NET.Build.Containers.Tasks.ParseContainerProperties.ContainerEnvironmentVariables.get -> Microsoft.Build.Framework.ITaskItem![]!
 Microsoft.NET.Build.Containers.Tasks.ParseContainerProperties.ContainerEnvironmentVariables.set -> void
@@ -252,12 +256,6 @@ Microsoft.NET.Build.Containers.ManifestLayer.Equals(Microsoft.NET.Build.Containe
 ~override Microsoft.NET.Build.Containers.Descriptor.Equals(object obj) -> bool
 Microsoft.NET.Build.Containers.ManifestLayer.Deconstruct(out string! mediaType, out long size, out string! digest, out string![]? urls) -> void
 Microsoft.NET.Build.Containers.Descriptor.Equals(Microsoft.NET.Build.Containers.Descriptor other) -> bool
-~override Microsoft.NET.Build.Containers.ManifestV2.ToString() -> string
-static Microsoft.NET.Build.Containers.ManifestV2.operator !=(Microsoft.NET.Build.Containers.ManifestV2 left, Microsoft.NET.Build.Containers.ManifestV2 right) -> bool
-static Microsoft.NET.Build.Containers.ManifestV2.operator ==(Microsoft.NET.Build.Containers.ManifestV2 left, Microsoft.NET.Build.Containers.ManifestV2 right) -> bool
-override Microsoft.NET.Build.Containers.ManifestV2.GetHashCode() -> int
-~override Microsoft.NET.Build.Containers.ManifestV2.Equals(object obj) -> bool
-Microsoft.NET.Build.Containers.ManifestV2.Equals(Microsoft.NET.Build.Containers.ManifestV2 other) -> bool
 ~override Microsoft.NET.Build.Containers.ManifestListV2.ToString() -> string
 static Microsoft.NET.Build.Containers.ManifestListV2.operator !=(Microsoft.NET.Build.Containers.ManifestListV2 left, Microsoft.NET.Build.Containers.ManifestListV2 right) -> bool
 static Microsoft.NET.Build.Containers.ManifestListV2.operator ==(Microsoft.NET.Build.Containers.ManifestListV2 left, Microsoft.NET.Build.Containers.ManifestListV2 right) -> bool
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs b/src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs
index 68456fa71bfa..21ba5d8c9271 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs
+++ b/src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs
@@ -6,12 +6,14 @@
 using NuGet.RuntimeModel;
 using System.Diagnostics;
 using System.Net.Http.Json;
+using System.Text.Json;
 using System.Text.Json.Nodes;
 using System.Text.RegularExpressions;
 
 namespace Microsoft.NET.Build.Containers;
 
-internal interface IManifestPicker {
+internal interface IManifestPicker
+{
     public PlatformSpecificManifest? PickBestManifestForRid(IReadOnlyDictionary<string, PlatformSpecificManifest> manifestList, string runtimeIdentifier);
 }
 
@@ -26,7 +28,8 @@ public RidGraphManifestPicker(string runtimeIdentifierGraphPath)
     public PlatformSpecificManifest? PickBestManifestForRid(IReadOnlyDictionary<string, PlatformSpecificManifest> ridManifestDict, string runtimeIdentifier)
     {
         var bestManifestRid = GetBestMatchingRid(_runtimeGraph, runtimeIdentifier, ridManifestDict.Keys);
-        if (bestManifestRid is null) {
+        if (bestManifestRid is null)
+        {
             return null;
         }
         return ridManifestDict[bestManifestRid];
@@ -132,7 +135,8 @@ private static string DeriveRegistryName(Uri baseUri)
     /// <remarks>
     /// Google Artifact Registry locations (one for each availability zone) are of the form "ZONE-docker.pkg.dev".
     /// </remarks>
-    public bool IsGoogleArtifactRegistry {
+    public bool IsGoogleArtifactRegistry
+    {
         get => RegistryName.EndsWith("-docker.pkg.dev", StringComparison.Ordinal);
     }
 
@@ -151,7 +155,7 @@ public async Task<ImageBuilder> GetImageManifestAsync(string repositoryName, str
         {
             SchemaTypes.DockerManifestV2 or SchemaTypes.OciManifestV1 => await ReadSingleImageAsync(
                 repositoryName,
-                await initialManifestResponse.Content.ReadFromJsonAsync<ManifestV2>(cancellationToken: cancellationToken).ConfigureAwait(false),
+                await ReadManifest().ConfigureAwait(false),
                 cancellationToken).ConfigureAwait(false),
             SchemaTypes.DockerManifestListV2 => await PickBestImageFromManifestListAsync(
                 repositoryName,
@@ -167,6 +171,17 @@ await initialManifestResponse.Content.ReadFromJsonAsync<ManifestListV2>(cancella
                 BaseUri,
                 unknownMediaType))
         };
+
+        async Task<ManifestV2> ReadManifest()
+        {
+            initialManifestResponse.Headers.TryGetValues("Docker-Content-Digest", out var knownDigest);
+            var manifest = (await initialManifestResponse.Content.ReadFromJsonAsync<ManifestV2>(cancellationToken: cancellationToken).ConfigureAwait(false))!;
+            if (knownDigest?.FirstOrDefault() is string knownDigestValue)
+            {
+                manifest.KnownDigest = knownDigestValue;
+            }
+            return manifest;
+        }
     }
 
     internal async Task<ManifestListV2?> GetManifestListAsync(string repositoryName, string reference, CancellationToken cancellationToken)
@@ -193,11 +208,12 @@ private async Task<ImageBuilder> ReadSingleImageAsync(string repositoryName, Man
         return new ImageBuilder(manifest, new ImageConfig(configDoc), _logger);
     }
 
-    
+
     private static IReadOnlyDictionary<string, PlatformSpecificManifest> GetManifestsByRid(ManifestListV2 manifestList)
     {
         var ridDict = new Dictionary<string, PlatformSpecificManifest>();
-        foreach (var manifest in manifestList.manifests) {
+        foreach (var manifest in manifestList.manifests)
+        {
             if (CreateRidForPlatform(manifest.platform) is { } rid)
             {
                 ridDict.TryAdd(rid, manifest);
@@ -206,7 +222,7 @@ private static IReadOnlyDictionary<string, PlatformSpecificManifest> GetManifest
 
         return ridDict;
     }
-    
+
     private static string? CreateRidForPlatform(PlatformInformation platform)
     {
         // we only support linux and windows containers explicitly, so anything else we should skip past.
@@ -220,7 +236,7 @@ private static IReadOnlyDictionary<string, PlatformSpecificManifest> GetManifest
         // TODO: we _may_ need OS-specific version parsing. Need to do more research on what the field looks like across more manifest lists.
         var versionPart = platform.version?.Split('.') switch
         {
-            [var major, .. ] => major,
+        [var major, ..] => major,
             _ => null
         };
         var platformPart = platform.architecture switch
@@ -254,12 +270,15 @@ private async Task<ImageBuilder> PickBestImageFromManifestListAsync(
             using HttpResponseMessage manifestResponse = await _registryAPI.Manifest.GetAsync(repositoryName, matchingManifest.digest, cancellationToken).ConfigureAwait(false);
 
             cancellationToken.ThrowIfCancellationRequested();
-
+            var manifest = await manifestResponse.Content.ReadFromJsonAsync<ManifestV2>(cancellationToken: cancellationToken).ConfigureAwait(false);
+            if (manifest is null) throw new BaseImageNotFoundException(runtimeIdentifier, repositoryName, reference, ridManifestDict.Keys);
+            manifest.KnownDigest = matchingManifest.digest;
             return await ReadSingleImageAsync(
                 repositoryName,
-                await manifestResponse.Content.ReadFromJsonAsync<ManifestV2>(cancellationToken: cancellationToken).ConfigureAwait(false),
+                manifest,
                 cancellationToken).ConfigureAwait(false);
-        } else 
+        }
+        else
         {
             throw new BaseImageNotFoundException(runtimeIdentifier, repositoryName, reference, ridManifestDict.Keys);
         }
@@ -332,13 +351,13 @@ internal async Task<FinalizeUploadInformation> UploadBlobChunkedAsync(Stream con
 
             int bytesRead = await contents.ReadAsync(chunkBackingStore, cancellationToken).ConfigureAwait(false);
 
-            ByteArrayContent content = new (chunkBackingStore, offset: 0, count: bytesRead);
+            ByteArrayContent content = new(chunkBackingStore, offset: 0, count: bytesRead);
             content.Headers.ContentLength = bytesRead;
 
             // manual because ACR throws an error with the .NET type {"Range":"bytes 0-84521/*","Reason":"the Content-Range header format is invalid"}
             //    content.Headers.Add("Content-Range", $"0-{contents.Length - 1}");
             Debug.Assert(content.Headers.TryAddWithoutValidation("Content-Range", $"{chunkStart}-{chunkStart + bytesRead - 1}"));
-            
+
             NextChunkUploadInformation nextChunk = await _registryAPI.Blob.Upload.UploadChunkAsync(patchUri, content, cancellationToken).ConfigureAwait(false);
             patchUri = nextChunk.UploadUri;
 
@@ -420,7 +439,7 @@ private async Task PushAsync(BuiltImage builtImage, SourceImageReference source,
             }
 
             // Blob wasn't there; can we tell the server to get it from the base image?
-            if (! await _registryAPI.Blob.Upload.TryMountAsync(destination.Repository, source.Repository, digest, cancellationToken).ConfigureAwait(false))
+            if (!await _registryAPI.Blob.Upload.TryMountAsync(destination.Repository, source.Repository, digest, cancellationToken).ConfigureAwait(false))
             {
                 // The blob wasn't already available in another namespace, so fall back to explicitly uploading it
 
@@ -432,7 +451,8 @@ private async Task PushAsync(BuiltImage builtImage, SourceImageReference source,
                     await destinationRegistry.PushLayerAsync(Layer.FromDescriptor(descriptor), destination.Repository, cancellationToken).ConfigureAwait(false);
                     _logger.LogInformation(Strings.Registry_LayerUploaded, digest, destinationRegistry.RegistryName);
                 }
-                else {
+                else
+                {
                     throw new NotImplementedException(Resource.GetString(nameof(Strings.MissingLinkToRegistry)));
                 }
             }
@@ -444,7 +464,7 @@ private async Task PushAsync(BuiltImage builtImage, SourceImageReference source,
         }
         else
         {
-            foreach(var descriptor in builtImage.LayerDescriptors)
+            foreach (var descriptor in builtImage.LayerDescriptors)
             {
                 await uploadLayerFunc(descriptor).ConfigureAwait(false);
             }
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/Strings.Designer.cs b/src/Containers/Microsoft.NET.Build.Containers/Resources/Strings.Designer.cs
index 10966e412937..7d9ee2b0048d 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/Strings.Designer.cs
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/Strings.Designer.cs
@@ -893,5 +893,16 @@ internal static string UnrecognizedMediaType
                 return ResourceManager.GetString("UnrecognizedMediaType", resourceCulture);
             }
         }
+
+        /// <summary>
+        ///   Looks up a localized string similar to CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created..
+        /// </summary>
+        internal static string GenerateDigestLabelWithoutGenerateLabels
+        {
+            get
+            {
+                return ResourceManager.GetString("GenerateDigestLabelWithoutGenerateLabels", resourceCulture);
+            }
+        }
     }
 }
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/Strings.resx b/src/Containers/Microsoft.NET.Build.Containers/Resources/Strings.resx
index 52f220d00d05..97764561ee6b 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/Strings.resx
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/Strings.resx
@@ -1,17 +1,17 @@
 <?xml version="1.0" encoding="utf-8"?>
 <root>
-  <!-- 
-    Microsoft ResX Schema 
-    
+  <!--
+    Microsoft ResX Schema
+
     Version 2.0
-    
-    The primary goals of this format is to allow a simple XML format 
-    that is mostly human readable. The generation and parsing of the 
-    various data types are done through the TypeConverter classes 
+
+    The primary goals of this format is to allow a simple XML format
+    that is mostly human readable. The generation and parsing of the
+    various data types are done through the TypeConverter classes
     associated with the data types.
-    
+
     Example:
-    
+
     ... ado.net/XML headers & schema ...
     <resheader name="resmimetype">text/microsoft-resx</resheader>
     <resheader name="version">2.0</resheader>
@@ -26,79 +26,79 @@
         <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
         <comment>This is a comment</comment>
     </data>
-                
-    There are any number of "resheader" rows that contain simple 
+
+    There are any number of "resheader" rows that contain simple
     name/value pairs.
-    
-    Each data row contains a name, and value. The row also contains a 
-    type or mimetype. Type corresponds to a .NET class that support 
-    text/value conversion through the TypeConverter architecture. 
-    Classes that don't support this are serialized and stored with the 
+
+    Each data row contains a name, and value. The row also contains a
+    type or mimetype. Type corresponds to a .NET class that support
+    text/value conversion through the TypeConverter architecture.
+    Classes that don't support this are serialized and stored with the
     mimetype set.
-    
-    The mimetype is used for serialized objects, and tells the 
-    ResXResourceReader how to depersist the object. This is currently not 
+
+    The mimetype is used for serialized objects, and tells the
+    ResXResourceReader how to depersist the object. This is currently not
     extensible. For a given mimetype the value must be set accordingly:
-    
-    Note - application/x-microsoft.net.object.binary.base64 is the format 
-    that the ResXResourceWriter will generate, however the reader can 
+
+    Note - application/x-microsoft.net.object.binary.base64 is the format
+    that the ResXResourceWriter will generate, however the reader can
     read any of the formats listed below.
-    
+
     mimetype: application/x-microsoft.net.object.binary.base64
-    value   : The object must be serialized with 
+    value   : The object must be serialized with
             : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
             : and then encoded with base64 encoding.
-    
+
     mimetype: application/x-microsoft.net.object.soap.base64
-    value   : The object must be serialized with 
+    value   : The object must be serialized with
             : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
             : and then encoded with base64 encoding.
 
     mimetype: application/x-microsoft.net.object.bytearray.base64
-    value   : The object must be serialized into a byte array 
+    value   : The object must be serialized into a byte array
             : using a System.ComponentModel.TypeConverter
             : and then encoded with base64 encoding.
     -->
   <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
-    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace"/>
     <xsd:element name="root" msdata:IsDataSet="true">
       <xsd:complexType>
         <xsd:choice maxOccurs="unbounded">
           <xsd:element name="metadata">
             <xsd:complexType>
               <xsd:sequence>
-                <xsd:element name="value" type="xsd:string" minOccurs="0" />
+                <xsd:element name="value" type="xsd:string" minOccurs="0"/>
               </xsd:sequence>
-              <xsd:attribute name="name" use="required" type="xsd:string" />
-              <xsd:attribute name="type" type="xsd:string" />
-              <xsd:attribute name="mimetype" type="xsd:string" />
-              <xsd:attribute ref="xml:space" />
+              <xsd:attribute name="name" use="required" type="xsd:string"/>
+              <xsd:attribute name="type" type="xsd:string"/>
+              <xsd:attribute name="mimetype" type="xsd:string"/>
+              <xsd:attribute ref="xml:space"/>
             </xsd:complexType>
           </xsd:element>
           <xsd:element name="assembly">
             <xsd:complexType>
-              <xsd:attribute name="alias" type="xsd:string" />
-              <xsd:attribute name="name" type="xsd:string" />
+              <xsd:attribute name="alias" type="xsd:string"/>
+              <xsd:attribute name="name" type="xsd:string"/>
             </xsd:complexType>
           </xsd:element>
           <xsd:element name="data">
             <xsd:complexType>
               <xsd:sequence>
-                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
-                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1"/>
+                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2"/>
               </xsd:sequence>
-              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
-              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
-              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
-              <xsd:attribute ref="xml:space" />
+              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1"/>
+              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3"/>
+              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4"/>
+              <xsd:attribute ref="xml:space"/>
             </xsd:complexType>
           </xsd:element>
           <xsd:element name="resheader">
             <xsd:complexType>
               <xsd:sequence>
-                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1"/>
               </xsd:sequence>
-              <xsd:attribute name="name" type="xsd:string" use="required" />
+              <xsd:attribute name="name" type="xsd:string" use="required"/>
             </xsd:complexType>
           </xsd:element>
         </xsd:choice>
@@ -183,6 +183,7 @@
   </data>
   <data name="HostObjectNotDetected" xml:space="preserve">
     <value>No host object detected.</value>
+    <comment/>
   </data>
   <data name="ImageLoadFailed" xml:space="preserve">
     <value>CONTAINER1009: Failed to load image from local registry. stdout: {0}</value>
@@ -250,6 +251,7 @@
   </data>
   <data name="NormalizedContainerName" xml:space="preserve">
     <value>'{0}' was not a valid container image name, it was normalized to '{1}'</value>
+    <comment/>
   </data>
   <data name="PublishDirectoryDoesntExist" xml:space="preserve">
     <value>CONTAINER2011: {0} '{1}' does not exist</value>
@@ -333,12 +335,15 @@
   </data>
   <data name="ContainerBuilder_ImageUploadedToLocalDaemon" xml:space="preserve">
     <value>Pushed image '{0}' to {1}.</value>
+    <comment/>
   </data>
   <data name="ContainerBuilder_ImageUploadedToRegistry" xml:space="preserve">
     <value>Pushed image '{0}' to registry '{1}'.</value>
+    <comment/>
   </data>
   <data name="ContainerBuilder_StartBuildingImage" xml:space="preserve">
     <value>Building image '{0}' with tags '{1}' on top of base image '{2}'.</value>
+    <comment/>
   </data>
   <data name="LocalDocker_FailedToGetConfig" xml:space="preserve">
     <value>Error while reading daemon config: {0}</value>
@@ -350,12 +355,15 @@
   </data>
   <data name="Registry_ConfigUploaded" xml:space="preserve">
     <value>Uploaded config to registry.</value>
+    <comment/>
   </data>
   <data name="Registry_ConfigUploadStarted" xml:space="preserve">
     <value>Uploading config to registry at blob '{0}',</value>
+    <comment/>
   </data>
   <data name="Registry_LayerExists" xml:space="preserve">
     <value>Layer '{0}' already exists.</value>
+    <comment/>
   </data>
   <data name="Registry_LayerUploaded" xml:space="preserve">
     <value>Finished uploading layer '{0}' to '{1}'.</value>
@@ -409,4 +417,8 @@
     <value>local registry via '{0}'</value>
     <comment>{0} is the command used</comment>
   </data>
+  <data name="GenerateDigestLabelWithoutGenerateLabels" xml:space="preserve">
+    <value>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</value>
+    <comment>{StrBegin="CONTAINER2030: "}</comment>
+  </data>
 </root>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.cs.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.cs.xlf
index f9f553aaf43a..055a9be19bd8 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.cs.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.cs.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: Načtení přihlašovacích údajů pro „{0}“ se nezdařilo: {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">Nebyl zjištěn žádný objekt hostitele.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.de.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.de.xlf
index 6e44d62a3cd2..fbed5b0d3e1c 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.de.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.de.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: Fehler beim Abrufen der Anmeldeinformationen für „{0}“: {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">Es wurde kein Hostobjekt erkannt.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.es.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.es.xlf
index 0f6db91cd0c5..7364cbdbfe7b 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.es.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.es.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: No se pudieron recuperar las credenciales de "{0}": {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">No se detectó ningún objeto host.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.fr.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.fr.xlf
index e956008b1359..8afbdbf783fc 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.fr.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.fr.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: échec de la récupération des informations d’identification pour «{0}» : {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">Aucun objet hôte détecté.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.it.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.it.xlf
index 0aea78393d0c..a730bd5e1543 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.it.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.it.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: non è stato possibile recuperare le credenziali per "{0}": {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">Nessun oggetto host rilevato.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ja.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ja.xlf
index f6bdc23de4a9..34b1388a710d 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ja.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ja.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: "{0}" の資格情報を取得できませんでした: {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">ホスト オブジェクトが検出されませんでした。</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ko.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ko.xlf
index 71a564a7cc8d..c91c2674d3fe 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ko.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ko.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: "{0}"에 대한 자격 증명 검색 실패: {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">호스트 개체가 검색되지 않았습니다.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.pl.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.pl.xlf
index 7131b49d1249..88ed0a462dcd 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.pl.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.pl.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: nie można pobrać poświadczeń dla „{0}”: {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">Nie wykryto obiektu hosta.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.pt-BR.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.pt-BR.xlf
index c79987338301..c42f53aa4e90 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.pt-BR.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.pt-BR.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: Falha ao recuperar credenciais para "{0}": {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">Nenhum objeto de host detectado.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ru.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ru.xlf
index b33f10b9cc61..8c7e84485486 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ru.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.ru.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: Не удалось получить учетные данные для "{0}": {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">Объект узла не обнаружен.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.tr.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.tr.xlf
index aaa79eda3d82..961fcff03a61 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.tr.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.tr.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: "{0}" için kimlik bilgileri alınamadı: {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">Ana bilgisayar nesnesi algılanmadı.</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.zh-Hans.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.zh-Hans.xlf
index 06dfd0303418..fadd6de7ab1c 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.zh-Hans.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.zh-Hans.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: 检索“{0}”的凭据失败: {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">未检测到主机对象。</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.zh-Hant.xlf b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.zh-Hant.xlf
index 6718c93391b2..901f86ed7c37 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.zh-Hant.xlf
+++ b/src/Containers/Microsoft.NET.Build.Containers/Resources/xlf/Strings.zh-Hant.xlf
@@ -142,6 +142,11 @@
         <target state="translated">CONTAINER1008: 無法擷取 "{0}" 的認證: {1}</target>
         <note>{StrBegin="CONTAINER1008: "}</note>
       </trans-unit>
+      <trans-unit id="GenerateDigestLabelWithoutGenerateLabels">
+        <source>CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</source>
+        <target state="new">CONTAINER2030: GenerateLabels was disabled but GenerateDigestLabel was enabled - no digest label will be created.</target>
+        <note>{StrBegin="CONTAINER2030: "}</note>
+      </trans-unit>
       <trans-unit id="HostObjectNotDetected">
         <source>No host object detected.</source>
         <target state="translated">未偵測到主機物件。</target>
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.Interface.cs b/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.Interface.cs
index 51944549cba4..19cf905128a3 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.Interface.cs
+++ b/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.Interface.cs
@@ -146,6 +146,21 @@ partial class CreateNewImage
     /// </summary>
     public string ContainerUser { get; set; }
 
+    /// <summary>
+    /// If true, the tooling may create labels on the generated images.
+    /// </summary>
+    [Required]
+    public bool GenerateLabels { get; set; }
+
+    /// <summary>
+    /// If true, the tooling will generate an <c>org.opencontainers.image.base.digest</c> label on the generated images containing the digest of the chosen base image.
+    /// </summary>
+    /// <remarks>
+    /// Normally this would have been handled in the container targets, but we do not currently _fetch_ the digest of the base image in pure MSBuild, so we do it during generation-time.
+    /// </remarks>
+    [Required]
+    public bool GenerateDigestLabel { get; set; }
+
     [Output]
     public string GeneratedContainerManifest { get; set; }
 
@@ -191,6 +206,9 @@ public CreateNewImage()
         GeneratedContainerDigest = "";
         GeneratedArchiveOutputPath = "";
 
+        GenerateLabels = false;
+        GenerateDigestLabel = false;
+
         TaskResources = Resource.Manager;
     }
 }
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.cs b/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.cs
index 3779a49f1112..ced4b0646988 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.cs
+++ b/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImage.cs
@@ -120,9 +120,24 @@ internal async Task<bool> ExecuteAsync(CancellationToken cancellationToken)
         (string[] entrypoint, string[] cmd) = DetermineEntrypointAndCmd(baseImageEntrypoint: imageBuilder.BaseImageConfig.GetEntrypoint());
         imageBuilder.SetEntrypointAndCmd(entrypoint, cmd);
 
-        foreach (ITaskItem label in Labels)
+        if (GenerateLabels)
         {
-            imageBuilder.AddLabel(label.ItemSpec, label.GetMetadata("Value"));
+            foreach (ITaskItem label in Labels)
+            {
+                imageBuilder.AddLabel(label.ItemSpec, label.GetMetadata("Value"));
+            }
+
+            if (GenerateDigestLabel)
+            {
+                imageBuilder.AddBaseImageDigestLabel();
+            }
+        }
+        else
+        {
+            if (GenerateDigestLabel)
+            {
+                Log.LogMessageFromResources(nameof(Strings.GenerateDigestLabelWithoutGenerateLabels));
+            }
         }
 
         SetEnvironmentVariables(imageBuilder, ContainerEnvironmentVariables);
diff --git a/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImageToolTask.cs b/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImageToolTask.cs
index 6189d3d74d4e..51869ccb6c54 100644
--- a/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImageToolTask.cs
+++ b/src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateNewImageToolTask.cs
@@ -120,11 +120,11 @@ internal string GenerateCommandLineCommandsInt()
             builder.AppendSwitchIfNotNull("--appcommandinstruction ", AppCommandInstruction);
         }
 
-        AppendSwitchIfNotNullSantized(builder, "--entrypoint ", nameof(Entrypoint), Entrypoint);
-        AppendSwitchIfNotNullSantized(builder, "--entrypointargs ", nameof(EntrypointArgs), EntrypointArgs);
-        AppendSwitchIfNotNullSantized(builder, "--defaultargs ", nameof(DefaultArgs), DefaultArgs);
-        AppendSwitchIfNotNullSantized(builder, "--appcommand ", nameof(AppCommand), AppCommand);
-        AppendSwitchIfNotNullSantized(builder, "--appcommandargs ", nameof(AppCommandArgs), AppCommandArgs);
+        AppendSwitchIfNotNullSanitized(builder, "--entrypoint ", nameof(Entrypoint), Entrypoint);
+        AppendSwitchIfNotNullSanitized(builder, "--entrypointargs ", nameof(EntrypointArgs), EntrypointArgs);
+        AppendSwitchIfNotNullSanitized(builder, "--defaultargs ", nameof(DefaultArgs), DefaultArgs);
+        AppendSwitchIfNotNullSanitized(builder, "--appcommand ", nameof(AppCommand), AppCommand);
+        AppendSwitchIfNotNullSanitized(builder, "--appcommandargs ", nameof(AppCommandArgs), AppCommandArgs);
 
         if (Labels.Any(e => string.IsNullOrWhiteSpace(e.ItemSpec)))
         {
@@ -192,9 +192,19 @@ internal string GenerateCommandLineCommandsInt()
             builder.AppendSwitchIfNotNull("--archiveoutputpath ", ArchiveOutputPath);
         }
 
+        if (GenerateLabels)
+        {
+            builder.AppendSwitch("--generate-labels");
+        }
+
+        if (GenerateDigestLabel)
+        {
+            builder.AppendSwitch("--generate-digest-label");
+        }
+
         return builder.ToString();
 
-        void AppendSwitchIfNotNullSantized(CommandLineBuilder builder, string commandArgName, string propertyName, ITaskItem[] value)
+        void AppendSwitchIfNotNullSanitized(CommandLineBuilder builder, string commandArgName, string propertyName, ITaskItem[] value)
         {
             ITaskItem[] santized = value.Where(e => !string.IsNullOrWhiteSpace(e.ItemSpec)).ToArray();
             if (santized.Length != value.Length)
diff --git a/src/Containers/containerize/ContainerizeCommand.cs b/src/Containers/containerize/ContainerizeCommand.cs
index 7a64e403a0e7..52b7e390b503 100644
--- a/src/Containers/containerize/ContainerizeCommand.cs
+++ b/src/Containers/containerize/ContainerizeCommand.cs
@@ -23,7 +23,7 @@ internal class ContainerizeCommand : CliRootCommand
         Required = true
     };
 
-    internal CliOption<string> BaseImageNameOption { get;  } = new("--baseimagename")
+    internal CliOption<string> BaseImageNameOption { get; } = new("--baseimagename")
     {
         Description = "The base image to pull.",
         Required = true
@@ -185,6 +185,18 @@ internal class ContainerizeCommand : CliRootCommand
 
     internal CliOption<string> ContainerUserOption { get; } = new("--container-user") { Description = "User to run the container as." };
 
+    internal CliOption<bool> GenerateLabelsOption { get; } = new("--generate-labels")
+    {
+        Description = "If true, the tooling may create labels on the generated images.",
+        Arity = ArgumentArity.Zero
+    };
+
+    internal CliOption<bool> GenerateDigestLabelOption { get; } = new("--generate-digest-label")
+    {
+        Description = "If true, the tooling will generate an 'org.opencontainers.image.base.digest' label on the generated images containing the digest of the chosen base image.",
+        Arity = ArgumentArity.Zero
+    };
+
     internal ContainerizeCommand() : base("Containerize an application without Docker.")
     {
         PublishDirectoryArgument.AcceptLegalFilePathsOnly();
@@ -211,6 +223,8 @@ internal ContainerizeCommand() : base("Containerize an application without Docke
         LocalRegistryOption.AcceptOnlyFromAmong(KnownLocalRegistryTypes.SupportedLocalRegistryTypes);
         this.Options.Add(LocalRegistryOption);
         this.Options.Add(ContainerUserOption);
+        this.Options.Add(GenerateLabelsOption);
+        this.Options.Add(GenerateDigestLabelOption);
 
         this.SetAction(async (parseResult, cancellationToken) =>
         {
@@ -236,6 +250,8 @@ internal ContainerizeCommand() : base("Containerize an application without Docke
             string _ridGraphPath = parseResult.GetValue(RidGraphPathOption)!;
             string _localContainerDaemon = parseResult.GetValue(LocalRegistryOption)!;
             string? _containerUser = parseResult.GetValue(ContainerUserOption);
+            bool _generateLabels = parseResult.GetValue(GenerateLabelsOption);
+            bool _generateDigestLabel = parseResult.GetValue(GenerateDigestLabelOption);
 
             //setup basic logging
             bool traceEnabled = Env.GetEnvironmentVariableAsBool("CONTAINERIZE_TRACE_LOGGING_ENABLED");
@@ -265,6 +281,8 @@ await ContainerBuilder.ContainerizeAsync(
                 _localContainerDaemon,
                 _containerUser,
                 _archiveOutputPath,
+                _generateLabels,
+                _generateDigestLabel,
                 loggerFactory,
                 cancellationToken).ConfigureAwait(false);
         });
diff --git a/src/Containers/packaging/build/Microsoft.NET.Build.Containers.targets b/src/Containers/packaging/build/Microsoft.NET.Build.Containers.targets
index ecb8dee489c7..15af224f67e0 100644
--- a/src/Containers/packaging/build/Microsoft.NET.Build.Containers.targets
+++ b/src/Containers/packaging/build/Microsoft.NET.Build.Containers.targets
@@ -236,7 +236,9 @@
                     ContainerEnvironmentVariables="@(ContainerEnvironmentVariables)"
                     ContainerRuntimeIdentifier="$(ContainerRuntimeIdentifier)"
                     ContainerUser="$(ContainerUser)"
-                    RuntimeIdentifierGraphPath="$(RuntimeIdentifierGraphPath)"> <!-- The RID graph path is provided as a property by the SDK. -->
+                    RuntimeIdentifierGraphPath="$(RuntimeIdentifierGraphPath)"
+                    GenerateLabels="$(ContainerGenerateLabels)"
+                    GenerateDigestLabel="$(ContainerGenerateLabelsImageBaseDigest)"> <!-- The RID graph path is provided as a property by the SDK. -->
 
       <Output TaskParameter="GeneratedContainerManifest" PropertyName="GeneratedContainerManifest" />
       <Output TaskParameter="GeneratedContainerConfiguration" PropertyName="GeneratedContainerConfiguration" />
diff --git a/src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/FullFramework/CreateNewImageToolTaskTests.cs b/src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/FullFramework/CreateNewImageToolTaskTests.cs
index ba6ff51fdbd4..e09946d14fc2 100644
--- a/src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/FullFramework/CreateNewImageToolTaskTests.cs
+++ b/src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/FullFramework/CreateNewImageToolTaskTests.cs
@@ -551,6 +551,34 @@ public void Logging_TraceLoggingIsDisabledByDefault()
             .And.NotHaveStdOutContaining("Trace logging: enabled.");
     }
 
+    [Fact]
+    public void GenerateCommandLineCommands_LabelGeneration()
+    {
+        CreateNewImage task = new();
+
+        List<string?> warnings = new();
+        IBuildEngine buildEngine = A.Fake<IBuildEngine>();
+
+        task.BuildEngine = buildEngine;
+
+        DirectoryInfo publishDir = Directory.CreateDirectory(Path.Combine(Path.GetTempPath(), DateTime.Now.ToString("yyyyMMddHHmmssfff")));
+        task.PublishDirectory = publishDir.FullName;
+        task.BaseRegistry = "MyBaseRegistry";
+        task.BaseImageName = "MyBaseImageName";
+        task.Repository = "MyImageName";
+        task.WorkingDirectory = "MyWorkingDirectory";
+        task.Entrypoint = new[] { new TaskItem("MyEntryPoint") };
+        task.GenerateLabels = true;
+        task.GenerateDigestLabel = true;
+
+        string args = task.GenerateCommandLineCommandsInt();
+
+        Assert.Contains("--generate-labels", args);
+        Assert.Contains("--generate-digest-label", args);
+    }
+
+
+
     private static string GetPathToContainerize()
     {
         return Path.Combine(TestContext.Current.TestExecutionDirectory, "Container", "containerize");
diff --git a/src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/TargetsTests.cs b/src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/TargetsTests.cs
index a00f2fd47554..1606e26f5bc6 100644
--- a/src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/TargetsTests.cs
+++ b/src/Tests/Microsoft.NET.Build.Containers.IntegrationTests/TargetsTests.cs
@@ -175,6 +175,34 @@ public void ShouldTrimTrailingGitSuffixFromRepoUrls(string repoUrl, string expec
             .And.ContainSingle(label => LabelMatch("org.opencontainers.image.source", expectedLabel, label), String.Join(",", logger.AllMessages));
     }
 
+    [InlineData(true)]
+    [InlineData(false)]
+    [Theory]
+    public void ShouldIncludeBaseImageLabelsUnlessUserOptsOut(bool includeBaseImageLabels)
+    {
+        var expectedBaseImage = "mcr.microsoft.com/dotnet/runtime:7.0";
+        var (project, logger, d) = ProjectInitializer.InitProject(new()
+        {
+            ["ContainerGenerateLabelsImageBaseName"] = includeBaseImageLabels.ToString(),
+            ["ContainerBaseImage"] = expectedBaseImage,
+            ["ContainerGenerateLabels"] = true.ToString()
+        }, projectName: $"{nameof(ShouldIncludeBaseImageLabelsUnlessUserOptsOut)}_{includeBaseImageLabels}");
+        using var _ = d;
+        var instance = project.CreateProjectInstance(global::Microsoft.Build.Execution.ProjectInstanceSettings.None);
+        instance.Build(new[] { ComputeContainerConfig }, new[] { logger }, null, out var outputs).Should().BeTrue("Build should have succeeded but failed due to {0}", String.Join("\n", logger.AllMessages));
+        var labels = instance.GetItems(ContainerLabel);
+        if (includeBaseImageLabels)
+        {
+            labels.Should().NotBeEmpty("Should have evaluated some labels by default")
+                .And.ContainSingle(label => LabelMatch("org.opencontainers.image.base.name", expectedBaseImage, label));
+        }
+        else
+        {
+            labels.Should().NotBeEmpty("Should have evaluated some labels by default")
+                .And.NotContain(label => LabelMatch("org.opencontainers.image.base.name", expectedBaseImage, label));
+        };
+    }
+
     [InlineData("7.0.100", "v7.0", "7.0")]
     [InlineData("7.0.100-preview.7", "v7.0", "7.0")]
     [InlineData("7.0.100-rc.1", "v7.0", "7.0")]
diff --git a/src/Tests/Microsoft.NET.Build.Containers.UnitTests/ImageBuilderTests.cs b/src/Tests/Microsoft.NET.Build.Containers.UnitTests/ImageBuilderTests.cs
index 559bd7d33c86..c353c4b28565 100644
--- a/src/Tests/Microsoft.NET.Build.Containers.UnitTests/ImageBuilderTests.cs
+++ b/src/Tests/Microsoft.NET.Build.Containers.UnitTests/ImageBuilderTests.cs
@@ -13,6 +13,8 @@ public class ImageBuilderTests
 {
     private readonly TestLoggerFactory _loggerFactory;
 
+    private static readonly string StaticKnownDigestValue = "sha256:338c0b702da88157ba4bb706678e43346ece2e4397b888d59fb2d9f6113c8070";
+
     public ImageBuilderTests(ITestOutputHelper output)
     {
         _loggerFactory = new TestLoggerFactory(output);
@@ -566,8 +568,8 @@ public void CanSetPortFromEnvVarFromUser(string envVar, string envValue, params
     [Fact]
     public void CanSetContainerUserAndOverrideAppUID()
     {
-      var userId = "1646";
-      var baseConfigBuilder = FromBaseImageConfig($$"""
+        var userId = "1646";
+        var baseConfigBuilder = FromBaseImageConfig($$"""
         {
             "architecture": "amd64",
             "config": {
@@ -597,9 +599,9 @@ public void CanSetContainerUserAndOverrideAppUID()
         }
         """);
 
-      baseConfigBuilder.SetUser(userId);
-      var config = JsonNode.Parse(baseConfigBuilder.Build().Config);
-      config!["config"]?["User"]?.GetValue<string>().Should().Be(expected: userId, because: "The precedence of SetUser should override inferred user ids");
+        baseConfigBuilder.SetUser(userId);
+        var config = JsonNode.Parse(baseConfigBuilder.Build().Config);
+        config!["config"]?["User"]?.GetValue<string>().Should().Be(expected: userId, because: "The precedence of SetUser should override inferred user ids");
     }
 
     [Fact]
@@ -644,6 +646,47 @@ public void WhenMultipleUrlSourcesAreSetOnlyAspnetcoreUrlsIsUsed()
         Assert.Equal([12345], assignedPorts);
     }
 
+    [Fact]
+    public void CanSetBaseImageDigestLabel()
+    {
+        var builder = FromBaseImageConfig($$"""
+        {
+            "architecture": "amd64",
+            "config": {
+                "Hostname": "",
+                "Domainname": "",
+                "User": "",
+                "Env": [
+                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+                ],
+                "Cmd": ["bash"],
+                "Image": "sha256:d772d27ebeec80393349a4770dc37f977be2c776a01c88b624d43f93fa369d69",
+                "WorkingDir": ""
+            },
+            "created": "2023-02-04T08:14:52.000901321Z",
+            "os": "linux",
+            "rootfs": {
+                "type": "layers",
+                "diff_ids": [
+                "sha256:bd2fe8b74db65d82ea10db97368d35b92998d4ea0e7e7dc819481fe4a68f64cf",
+                "sha256:94100d1041b650c6f7d7848c550cd98c25d0bdc193d30692e5ea5474d7b3b085",
+                "sha256:53c2a75a33c8f971b4b5036d34764373e134f91ee01d8053b4c3573c42e1cf5d",
+                "sha256:49a61320e585180286535a2545be5722b09e40ad44c7c190b20ec96c9e42e4a3",
+                "sha256:8a379cce2ac272aa71aa029a7bbba85c852ba81711d9f90afaefd3bf5036dc48"
+                ]
+            }
+        }
+        """);
+
+        builder.AddBaseImageDigestLabel();
+        var builtImage = builder.Build();
+        JsonNode? result = JsonNode.Parse(builtImage.Config);
+        Assert.NotNull(result);
+        var labels = result["config"]?["Labels"]?.AsObject();
+        var digest = labels?.AsEnumerable().First(label => label.Key == "org.opencontainers.image.base.digest").Value!;
+        digest.GetValue<string>().Should().Be(StaticKnownDigestValue);
+    }
+
     private ImageBuilder FromBaseImageConfig(string baseImageConfig, [CallerMemberName] string testName = "")
     {
         var manifest = new ManifestV2()
@@ -654,9 +697,10 @@ private ImageBuilder FromBaseImageConfig(string baseImageConfig, [CallerMemberNa
             {
                 mediaType = "",
                 size = 0,
-                digest = "sha256:0"
+                digest = "sha256:"
             },
-            Layers = new List<ManifestLayer>()
+            Layers = new List<ManifestLayer>(),
+            KnownDigest = StaticKnownDigestValue
         };
         return new ImageBuilder(manifest, new ImageConfig(baseImageConfig), _loggerFactory.CreateLogger(testName));
     }