The ORAS Artifact manifest is similar to the OCI image manifest, but removes constraints defined on the image-manifest such as a required config
object and required & ordinal layers
.
It adds a subject
property supporting a graph of independently linked artifacts.
The addition of a new manifest does not change, nor impact the image.manifest
.
It provides a means to define a wide range of artifacts, including a chain of related artifacts enabling SBoMs, on-demand loading, signatures and metadata that can be related to an image.manifest
, image.index
or another artifact.manifest
.
By defining a new manifest, registries and clients opt-into new capabilities, without breaking existing registry and client behavior or setting expectations for scenarios to function when the client and/or registry may not yet implement new capabilities.
This section defines the application/vnd.cncf.oras.artifact.manifest.v1+json
media type.
The artifact.manifest
provides an optional collection of blobs
, an optional subject
reference to the manifest of another artifact and an artifactType
to differentiate types of artifacts (such as signatures, sboms and security scan results)
-
mediaType
stringThis REQUIRED field contains the
mediaType
of this document, differentiating from image-manifest and image-index. ThemediaType
for this manifest type MUST beapplication/vnd.cncf.oras.artifact.manifest.v1+json
, where the version WILL change to reflect newer versions. -
artifactType
stringThe REQUIRED
artifactType
is a unique value, as registered with iana.org. TheartifactType
values are equivalent to the values used in themanifest.config.mediaType
in OCI Artifacts. Examples includesbom/example
,application/vnd.cncf.notary.v2
. For details on creating a uniqueartifactType
, see OCI Artifact Authors Guidance -
blobs
array of objectsAn OPTIONAL collection of 0 or more blobs. The blobs array is analogous to oci.image.manifest layers, however unlike image-manifest, the ordering of blobs is specific to the artifact type. Some artifacts may choose an overlay of files, while other artifact types may store independent collections of files.
- Each item in the array MUST be an artifact descriptor or
null
, and MUST NOT refer to anothermanifest
providing dependency closure. - The max number of blobs is not defined, but MAY be limited by distribution-spec implementations.
- An encountered
[descriptors].descriptor.mediaType
that is unknown to the implementation MUST be persisted as a blob.
- Each item in the array MUST be an artifact descriptor or
-
subject
descriptorAn OPTIONAL reference to any existing manifest within the repository. When specified, the artifact is said to be dependent upon the referenced
subject
.- The item MUST be an artifact descriptor representing a manifest. Descriptors to blobs are not supported. The registry MUST return a
400
response code whensubject
is not found in the same repository, and not a manifest.
- The item MUST be an artifact descriptor representing a manifest. Descriptors to blobs are not supported. The registry MUST return a
-
annotations
string-string mapThis OPTIONAL property contains arbitrary metadata for the artifact manifest. This OPTIONAL property MUST use the annotation rules. This map MAY contain some or all of the pre-defined keys listed below.
Pre-Defined Annotation Keys: This defines a set of keys that have been pre-defined for use by authors of ORAS artifacts.
io.cncf.oras.artifact.created
date and time on which the artifact was created (string, date-time as defined by RFC 3339)
net-monitor:v1
notary v2 signaturenet-monitor:v1
sample sbomnet-monitor:v1
nydus image with on-demand loading
Following the distribution-spec push api, all blobs and the subject
descriptors SHOULD exist when pushed to a distribution instance.
Registries MAY treat the lifecycle of a reference type object, such as an SBoM or signature, as being tied to its subject
. In such registries, when the subject
is deleted or marked for garbage collection, the defined artifact is subject to deletion as well, unless the artifact is tagged.
- Usage and Scenarios
- Comparing the ORAS Artifact Manifest and OCI Image Manifest
- Referrers API for more information on listing references