Just issue docker pull tomcat:7-jre8 again and you will get what you want.

This should have been the Id field, that you could see in the old deprecated Docker Hub API

GET /v1/repositories/foo/bar/images HTTP/1.1
  Host: index.docker.io
  Accept: application/json

Parameters:

namespace – the namespace for the repo
repo_name – the name for the repo

Example Response:

HTTP/1.1 200
Vary: Accept
Content-Type: application/json

[{"id": "9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f",
"checksum": "b486531f9a779a0c17e3ed29dae8f12c4f9e89cc6f0bc3c38722009fe6857087"},
{"id": "ertwetewtwe38722009fe6857087b486531f9a779a0c1dfddgfgsdgdsgds",
"checksum": "34t23f23fc17e3ed29dae8f12c4f9e89cc6f0bsdfgfsdgdsgdsgerwgew"}]

BUT: this is not how it is working now with the new docker distribution.
See issue 628: "Get image ID with tag name"

The /v1/ registry response /repositories/<repo>/tags used to list the image ID along with the tag handle.
/v2/ only seems to give the handle.

It would be useful to get the ID to compare to the ID found locally. The only place I can find the ID is in the v1Compat section of the manifest (which is overkill for the info I want)

The current (mid 2015) answer is:

This property of the V1 API was very computationally expensive for the way images are stored on the backend. Only the tag names are enumerated to avoid a secondary lookup.
In addition, the V2 API does not deal in Image IDs. Rather, it uses digests to identify layers, which can be calculated as property of the layer and are independently verifiable.

In addition to the existing answers, you can use the --digests option while doing docker images to get a list of digests for all the images you have.

docker images --digests

You can add a grep to drill down further

docker images --digests | grep tomcat

Latest answer

Edit suggested by OhJeez in the comments.

docker inspect --format='{{index .RepoDigests 0}}' $IMAGE

Original answer

I believe you can also get this using

docker inspect --format='{{.RepoDigests}}' $IMAGE

Works only in Docker 1.9 and if the image was originally pulled by the digest. Details are on the docker issue tracker.

Just saw it:

When I pull an image, the sha256 code is diplayed at the bottom of the output (Digest: sha....):

docker pull tomcat:7-jre8
7-jre8: Pulling from library/tomcat
902b87aaaec9: Already exists 
9a61b6b1315e: Already exists 
...   
4dcef5c50d60: Already exists 
Digest: sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f
Status: Image is up to date for tomcat:7-jre8

This sha code

sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f

can be used to pull the image afterwards with

docker pull tomcat@sha256:c34ce3c1fcc0c7431e1392cc3abd0dfe2192ffea1898d5250f199d3ac8d8720f

This way you can be sure that the image is not changed and can be safely used for production.

You can get it by docker images --digests

REPOSITORY          TAG    DIGEST                                                                    IMAGE ID     CREATED        SIZE
docker/ucp-agent    2.1.0  sha256:a428de44a9059f31a59237a5881c2d2cffa93757d99026156e4ea544577ab7f3   583407a61900 3 weeks ago    22.3 MB