A manifest is the root of trust for any artifact stored in a container registry. It is a JSON document that identifies an artifact's exact composition by referencing its constituent parts—such as filesystem layers and a runtime configuration object—via their cryptographic content digests. This indirection between a mutable tag and an immutable digest is the foundational mechanism for ensuring data integrity and enabling non-repudiation in the software supply chain.
Glossary
Manifest

What is a Manifest?
A manifest is a JSON document within an OCI-compliant container registry that serves as the definitive descriptor for a specific artifact, linking a human-readable tag to a content-addressable set of layers and configuration.
When a registry client pulls an image by tag, it first retrieves the manifest to resolve the tag into a list of content-addressable blobs. The manifest itself is also content-addressable, meaning its own digest acts as a unique, immutable identifier for that specific artifact version. This design allows security systems like Cosign to attach attestation signatures directly to the manifest's digest, creating a cryptographically verifiable link between the artifact's identity and its provenance.
Key Characteristics of a Manifest
A manifest is the root of trust for any artifact stored in a container registry. It defines the artifact's identity, composition, and integrity through content-addressable layers and cryptographic digests.
Content-Addressable Integrity
Every layer and configuration object in a manifest is referenced by its cryptographic digest (SHA-256), not by a mutable name. This creates a Merkle DAG where:
- Any modification to a single byte produces an entirely new digest
- The manifest's own digest becomes a globally unique, tamper-evident identifier
- Verification is deterministic: recalculate the hash and compare
This property is the foundation of non-repudiation and supply chain security in OCI registries.
Schema Versioning
Manifests declare their schema version explicitly through the schemaVersion field, ensuring parsers can handle format evolution:
- Schema Version 1: Legacy format with backward compatibility, uses unsigned manifests
- Schema Version 2: Current standard supporting multi-architecture images, content-addressable descriptors, and extensible annotations
This versioning prevents silent misinterpretation of manifest fields across different registry implementations and client tooling.
Multi-Architecture Index Manifests
A manifest list (or image index) is a special manifest type that points to platform-specific manifests for different architectures and operating systems:
- A single tag like
python:3.12resolves to an index containing pointers tolinux/amd64,linux/arm64,windows/amd64variants - The container runtime selects the appropriate child manifest based on its own platform
- Each child manifest is independently content-addressable and can be signed separately
This enables fat manifests that provide seamless cross-platform deployment without tag proliferation.
Annotations and Metadata
The annotations field is an extensible key-value map that attaches arbitrary metadata to a manifest without altering its digest:
- Standard annotations:
org.opencontainers.image.created,org.opencontainers.image.authors,org.opencontainers.image.source - Security annotations: SBOM references, vulnerability scan results, attestation pointers
- Custom annotations: Enterprise-specific labels for compliance, cost centers, or deployment policies
Annotations are critical for artifact discovery and policy evaluation without parsing layer contents.
Artifact Type and Config Media Type
The artifactType and config.mediaType fields distinguish what kind of artifact the manifest describes, extending registries beyond container images:
application/vnd.oci.image.config.v1+json: Standard container image configurationapplication/vnd.cncf.helm.chart.config.v1+json: Helm chart stored as an OCI artifactapplication/vnd.ai.model.config.v1+json: Machine learning model weights and metadata
This OCI Artifact pattern, supported by tools like ORAS, transforms container registries into general-purpose artifact stores for SBOMs, WASM modules, and model registries.
Subject Referencing for Attestations
The subject field creates a cryptographically verifiable link between a manifest and its parent artifact, enabling in-toto attestations and supply chain metadata:
- An SBOM attestation manifest references the image manifest it describes via
subject.digest - A vulnerability scan result manifest points to the exact artifact digest it analyzed
- Cosign signatures are stored as separate manifests with a
subjectpointer to the signed artifact
This creates a verifiable graph of related artifacts within the registry, enabling policy engines like OPA to enforce that every deployed image has a valid attestation chain.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear answers to common questions about the OCI manifest, its role as the root of trust in container registries, and how it enables content-addressable storage for tamper-proof model registries.
A manifest is a JSON document in an OCI-compliant container registry that serves as the root of trust for a specific artifact tag. It describes the artifact's composition by referencing its content-addressable layers, a configuration blob, and optional annotations. When you pull an image by tag like my-model:v1.2, the registry resolves that tag to a manifest, which then specifies the exact digests of every layer required to reconstruct the artifact. This indirection between human-readable tags and content-addressable digests is what enables cryptographic verification of the entire artifact. The manifest schema is defined by the Open Container Initiative (OCI) Image Specification, ensuring interoperability across registries and tools.
Related Terms
Core concepts that interact with the manifest to establish a complete chain of trust for model artifacts in a tamper-proof registry.
Content-Addressable Layers
The manifest references each filesystem layer by its cryptographic digest (SHA256), not by a mutable name. This means the content's identity is its hash. If a single byte in a model weight or config file changes, the digest changes, breaking the manifest's integrity. This property enables deduplication across registries and guarantees that a given digest always resolves to the exact same bytes.
Digest-Pinned References
While a tag like v1.0 is a mutable pointer, a digest reference like sha256:abc... is immutable. Pinning a deployment to a manifest digest ensures you always pull the exact artifact that passed your security scans, eliminating race conditions and tag mutation attacks. This is the foundational practice for reproducible deployments in regulated environments.
OCI Distribution Specification
The manifest is the core object defined by the Open Container Initiative (OCI) Distribution Spec. This spec standardizes how artifacts are pushed, pulled, and discovered in a registry. It extends the registry's utility beyond container images to include:
- Helm charts
- WebAssembly (WASM) modules
- Model weights and tokenizers This standardization is what allows tools like ORAS to store AI artifacts in any compliant registry.
Cosign Signature Attachment
Cosign signs a manifest by computing its digest and storing the resulting signature as a separate OCI object in the same repository. This signature is linked to the manifest via a referrers API or tag convention. During verification, the manifest's digest is recomputed and checked against the signature, providing cryptographic non-repudiation that the artifact was published by a trusted identity without altering the original manifest.
Model Card as Annotations
The manifest's annotations map is a key-value metadata store that can hold structured information like a Model Card. By embedding details such as intended use, performance benchmarks, and ethical considerations directly into the manifest, the registry becomes a self-describing artifact store. This allows policy engines like OPA to make admission decisions based on model properties without pulling the full artifact.
Rekor Transparency Log
When a manifest is signed, the signing event can be recorded in Rekor, an append-only transparency log. This provides a publicly auditable, timestamped proof that the signature existed at a specific point in time. For AI supply chains, this means an auditor can verify not just who signed a model manifest, but when, preventing backdating attacks and ensuring long-term non-repudiation.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us