Inferensys

Glossary

Manifest

A JSON document in a container registry that describes a specific artifact, including its content-addressable layers, configuration, and annotations, serving as the root of trust for a given tag.
MLOps engineer reviewing model serving infrastructure on laptop, container orchestration visible, technical workspace.
ROOT OF TRUST

What is a Manifest?

A manifest is a JSON document within an OCI-compliant container registry that serves as the definitive descriptor for a specific artifact, linking a human-readable tag to a content-addressable set of layers and configuration.

A manifest is the root of trust for any artifact stored in a container registry. It is a JSON document that identifies an artifact's exact composition by referencing its constituent parts—such as filesystem layers and a runtime configuration object—via their cryptographic content digests. This indirection between a mutable tag and an immutable digest is the foundational mechanism for ensuring data integrity and enabling non-repudiation in the software supply chain.

When a registry client pulls an image by tag, it first retrieves the manifest to resolve the tag into a list of content-addressable blobs. The manifest itself is also content-addressable, meaning its own digest acts as a unique, immutable identifier for that specific artifact version. This design allows security systems like Cosign to attach attestation signatures directly to the manifest's digest, creating a cryptographically verifiable link between the artifact's identity and its provenance.

OCI DISTRIBUTION SPECIFICATION

Key Characteristics of a Manifest

A manifest is the root of trust for any artifact stored in a container registry. It defines the artifact's identity, composition, and integrity through content-addressable layers and cryptographic digests.

01

Content-Addressable Integrity

Every layer and configuration object in a manifest is referenced by its cryptographic digest (SHA-256), not by a mutable name. This creates a Merkle DAG where:

  • Any modification to a single byte produces an entirely new digest
  • The manifest's own digest becomes a globally unique, tamper-evident identifier
  • Verification is deterministic: recalculate the hash and compare

This property is the foundation of non-repudiation and supply chain security in OCI registries.

02

Schema Versioning

Manifests declare their schema version explicitly through the schemaVersion field, ensuring parsers can handle format evolution:

  • Schema Version 1: Legacy format with backward compatibility, uses unsigned manifests
  • Schema Version 2: Current standard supporting multi-architecture images, content-addressable descriptors, and extensible annotations

This versioning prevents silent misinterpretation of manifest fields across different registry implementations and client tooling.

03

Multi-Architecture Index Manifests

A manifest list (or image index) is a special manifest type that points to platform-specific manifests for different architectures and operating systems:

  • A single tag like python:3.12 resolves to an index containing pointers to linux/amd64, linux/arm64, windows/amd64 variants
  • The container runtime selects the appropriate child manifest based on its own platform
  • Each child manifest is independently content-addressable and can be signed separately

This enables fat manifests that provide seamless cross-platform deployment without tag proliferation.

04

Annotations and Metadata

The annotations field is an extensible key-value map that attaches arbitrary metadata to a manifest without altering its digest:

  • Standard annotations: org.opencontainers.image.created, org.opencontainers.image.authors, org.opencontainers.image.source
  • Security annotations: SBOM references, vulnerability scan results, attestation pointers
  • Custom annotations: Enterprise-specific labels for compliance, cost centers, or deployment policies

Annotations are critical for artifact discovery and policy evaluation without parsing layer contents.

05

Artifact Type and Config Media Type

The artifactType and config.mediaType fields distinguish what kind of artifact the manifest describes, extending registries beyond container images:

  • application/vnd.oci.image.config.v1+json: Standard container image configuration
  • application/vnd.cncf.helm.chart.config.v1+json: Helm chart stored as an OCI artifact
  • application/vnd.ai.model.config.v1+json: Machine learning model weights and metadata

This OCI Artifact pattern, supported by tools like ORAS, transforms container registries into general-purpose artifact stores for SBOMs, WASM modules, and model registries.

06

Subject Referencing for Attestations

The subject field creates a cryptographically verifiable link between a manifest and its parent artifact, enabling in-toto attestations and supply chain metadata:

  • An SBOM attestation manifest references the image manifest it describes via subject.digest
  • A vulnerability scan result manifest points to the exact artifact digest it analyzed
  • Cosign signatures are stored as separate manifests with a subject pointer to the signed artifact

This creates a verifiable graph of related artifacts within the registry, enabling policy engines like OPA to enforce that every deployed image has a valid attestation chain.

MANIFEST

Frequently Asked Questions

Clear answers to common questions about the OCI manifest, its role as the root of trust in container registries, and how it enables content-addressable storage for tamper-proof model registries.

A manifest is a JSON document in an OCI-compliant container registry that serves as the root of trust for a specific artifact tag. It describes the artifact's composition by referencing its content-addressable layers, a configuration blob, and optional annotations. When you pull an image by tag like my-model:v1.2, the registry resolves that tag to a manifest, which then specifies the exact digests of every layer required to reconstruct the artifact. This indirection between human-readable tags and content-addressable digests is what enables cryptographic verification of the entire artifact. The manifest schema is defined by the Open Container Initiative (OCI) Image Specification, ensuring interoperability across registries and tools.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.