diff --git a/crates/containerd-shim-wasm/src/container/context.rs b/crates/containerd-shim-wasm/src/container/context.rs
index 51c017366..2001b9982 100644
--- a/crates/containerd-shim-wasm/src/container/context.rs
+++ b/crates/containerd-shim-wasm/src/container/context.rs
@@ -137,7 +137,7 @@ impl RuntimeContext for WasiContext<'_> {
 #[cfg(test)]
 mod tests {
     use anyhow::Result;
-    use oci_spec::image::Descriptor;
+    use oci_spec::image::{Descriptor, Digest};
     use oci_spec::runtime::{ProcessBuilder, RootBuilder, SpecBuilder};
 
     use super::*;
@@ -370,7 +370,11 @@ mod tests {
             spec: &spec,
             wasm_layers: &[WasmLayer {
                 layer: vec![],
-                config: Descriptor::new(oci_spec::image::MediaType::Other("".to_string()), 10, ""),
+                config: Descriptor::new(
+                    oci_spec::image::MediaType::Other("".to_string()),
+                    10,
+                    Digest::try_from(format!("sha256:{:064?}", 0))?,
+                ),
             }],
             platform: &Platform::default(),
         };
diff --git a/crates/containerd-shim-wasm/src/sandbox/containerd/client.rs b/crates/containerd-shim-wasm/src/sandbox/containerd/client.rs
index b287aa6c9..74445fe64 100644
--- a/crates/containerd-shim-wasm/src/sandbox/containerd/client.rs
+++ b/crates/containerd-shim-wasm/src/sandbox/containerd/client.rs
@@ -17,7 +17,7 @@ use containerd_client::tonic::transport::Channel;
 use containerd_client::tonic::Streaming;
 use containerd_client::{tonic, with_namespace};
 use futures::TryStreamExt;
-use oci_spec::image::{Arch, ImageManifest, MediaType, Platform};
+use oci_spec::image::{Arch, Digest, ImageManifest, MediaType, Platform};
 use sha256::digest;
 use tokio::sync::mpsc;
 use tokio_stream::wrappers::ReceiverStream;
@@ -259,7 +259,7 @@ impl Client {
     }
 
     #[cfg_attr(feature = "tracing", tracing::instrument(parent = tracing::Span::current(), skip_all, level = "Info"))]
-    async fn get_info(&self, content_digest: &str) -> Result<Info> {
+    async fn get_info(&self, content_digest: &Digest) -> Result<Info> {
         let req = InfoRequest {
             digest: content_digest.to_string(),
         };
@@ -359,9 +359,9 @@ impl Client {
     async fn get_image_manifest_and_digest(
         &self,
         image_name: &str,
-    ) -> Result<(ImageManifest, String)> {
+    ) -> Result<(ImageManifest, Digest)> {
         let image = self.get_image(image_name).await?;
-        let image_digest = self.extract_image_content_sha(&image)?;
+        let image_digest = self.extract_image_content_sha(&image)?.try_into()?;
         let manifest =
             ImageManifest::from_reader(self.read_content(&image_digest).await?.as_slice())?;
         Ok((manifest, image_digest))
@@ -521,7 +521,7 @@ impl Client {
             let info = self.get_info(&digest_to_load).await?;
             if let Some(label) = info.labels.get(precompile_id) {
                 // Safe to unwrap here since we already checked for the label's existence
-                digest_to_load.clone_from(label);
+                digest_to_load = label.parse()?;
                 log::info!(
                     "layer {} has pre-compiled content: {} ",
                     info.digest,
diff --git a/crates/oci-tar-builder/src/lib.rs b/crates/oci-tar-builder/src/lib.rs
index 16d61065c..fb80aa2d6 100644
--- a/crates/oci-tar-builder/src/lib.rs
+++ b/crates/oci-tar-builder/src/lib.rs
@@ -7,8 +7,8 @@ use anyhow::{Context, Error, Result};
 use indexmap::IndexMap;
 use log::{debug, warn};
 use oci_spec::image::{
-    DescriptorBuilder, ImageConfiguration, ImageIndexBuilder, ImageManifestBuilder, MediaType,
-    PlatformBuilder, SCHEMA_VERSION,
+    DescriptorBuilder, Digest, ImageConfiguration, ImageIndexBuilder, ImageManifestBuilder,
+    MediaType, PlatformBuilder, SCHEMA_VERSION,
 };
 use oci_wasm::{WasmConfig, WASM_ARCHITECTURE};
 use serde::Serialize;
@@ -142,7 +142,6 @@ impl<C: OciConfig> Builder<C> {
         for layer in self.layers.iter() {
             let dgst = try_digest(layer.0.as_path()).context("failed to digest layer")?;
             let meta = metadata(layer.0.clone()).context("could not get layer metadata")?;
-            let oci_digest = "sha256:".to_owned() + &dgst;
 
             let mut media_type = MediaType::ImageLayer;
             if !layer.1.is_empty() {
@@ -151,11 +150,11 @@ impl<C: OciConfig> Builder<C> {
             let desc = DescriptorBuilder::default()
                 // TODO: check file headers to determine mediatype? Could also just require it to be passed in on add_layer
                 .media_type(media_type)
-                .digest(&oci_digest)
-                .size(meta.len() as i64)
+                .digest(Digest::try_from(format!("sha256:{dgst}"))?)
+                .size(meta.len() as u64)
                 .build()
                 .context("failed to build descriptor")?;
-            layer_digests.insert(oci_digest, desc);
+            layer_digests.insert(format!("sha256:{dgst}"), desc);
 
             let mut th = tar::Header::new_gnu();
             th.set_mode(0o444);
@@ -185,8 +184,8 @@ impl<C: OciConfig> Builder<C> {
 
             let desc = DescriptorBuilder::default()
                 .media_type(config.2.clone())
-                .size(b.len() as i64)
-                .digest("sha256:".to_owned() + &dgst)
+                .size(b.len() as u64)
+                .digest(Digest::try_from(format!("sha256:{dgst}"))?)
                 .build()
                 .context("failed to build descriptor")?;
 
@@ -245,10 +244,10 @@ impl<C: OciConfig> Builder<C> {
 
             let desc = DescriptorBuilder::default()
                 .media_type(MediaType::ImageManifest)
-                .size(b.len() as i64)
+                .size(b.len() as u64)
                 .platform(platform)
                 .annotations(annotations)
-                .digest("sha256:".to_owned() + &dgst)
+                .digest(Digest::try_from(format!("sha256:{dgst}"))?)
                 .build()
                 .context("failed to build descriptor")?;