Images published by this repo carry SBOM and SLSA provenance attestations (attest=["type=provenance,mode=max", "type=sbom"] in docker-bake.hcl). Still, the resulting attestation manifests are emitted in BuildKit's legacy Docker format rather than as OCI 1.1 artifacts.
As a result, the attestations are not discoverable through the OCI Referrers API, as they are missing both artifactType and the subject backlink to the parent image manifest.
Same issue and fix as in cloudnative-pg/cloudnative-pg#10601.
How to verify
The index references attestations with the legacy Docker annotations:
$ docker buildx imagetools inspect --raw ghcr.io/cloudnative-pg/pgvector:0.8.2-18-trixie
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:9d7163ba30b61b4e67ea5e443eed6bc4b0d99688af1af375686ea5b809fcdad5",
      "size": 2265,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:e9cae88c446b5682d923f041f492856cf13e332b8dbbc7639aab2ffdc789d298",
      "size": 2265,
      "platform": {
        "architecture": "arm64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:0d1e152cb9e086308a5ec7ce7763ab6305581f57b691f208f8d91d5e82948146",
      "size": 836,
      "annotations": {
        "vnd.docker.reference.digest": "sha256:9d7163ba30b61b4e67ea5e443eed6bc4b0d99688af1af375686ea5b809fcdad5",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:af2f4d8452c70d200253fbd47820314cdda3edffa21ccb5910d802d7aa22f3da",
      "size": 836,
      "annotations": {
        "vnd.docker.reference.digest": "sha256:e9cae88c446b5682d923f041f492856cf13e332b8dbbc7639aab2ffdc789d298",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    }
  ],
  "annotations": {
    "io.cloudnativepg.image.base.name": "ghcr.io/cloudnative-pg/postgresql:18-minimal-trixie",
    "io.cloudnativepg.image.base.os": "trixie",
    "io.cloudnativepg.image.base.pgmajor": "18",
    "io.cloudnativepg.image.sql.version": "0.8.2",
    "org.opencontainers.image.authors": "The CloudNativePG Contributors",
    "org.opencontainers.image.base.name": "scratch",
    "org.opencontainers.image.created": "2026-04-29T12:50:04Z",
    "org.opencontainers.image.description": "A pgvector 0.8.2 container image for PostgreSQL 18 on trixie",
    "org.opencontainers.image.documentation": "https://github.com/cloudnative-pg/postgres-extensions-containers",
    "org.opencontainers.image.licenses": "PostgreSQL",
    "org.opencontainers.image.revision": "7cec00c247266be17daed06bcff17ee2ae9439a1",
    "org.opencontainers.image.source": "https://github.com/cloudnative-pg/postgres-extensions-containers",
    "org.opencontainers.image.title": "pgvector 0.8.2 18 trixie",
    "org.opencontainers.image.url": "https://github.com/cloudnative-pg/postgres-extensions-containers",
    "org.opencontainers.image.vendor": "The CloudNativePG Contributors",
    "org.opencontainers.image.version": "0.8.2"
  }
}
The attestation manifest with digest ending with f3da is missing artifactType and subject:
$ docker buildx imagetools inspect --raw ghcr.io/cloudnative-pg/pgvector:0.8.2-18-trixie@sha256:af2f4d8452c70d200253fbd47820314cdda3edffa21ccb5910d802d7aa22f3da
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:8d1d609243cb03bd618e35ed8a8647bb0db62489af45e92a2d7946b7e176da73",
    "size": 241
  },
  "layers": [
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:c5a86d5a75baf21c821e82f188c86efb7e95c019b2ada3e1c4e84f6ce2ec24f3",
      "size": 1281,
      "annotations": {
        "in-toto.io/predicate-type": "https://spdx.dev/Document"
      }
    },
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:048fcaabc3514a9866211dac6aec834c1e4246569c72f8166fa62606cfd4d9eb",
      "size": 21857,
      "annotations": {
        "in-toto.io/predicate-type": "https://slsa.dev/provenance/v1"
      }
    }
  ]
}
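The two manual checks above can be scripted over the saved `--raw` output. This is an added example, not code from this repo: it finds index entries carrying the legacy `vnd.docker.reference.*` annotations and reports whether each attestation manifest has `artifactType` and a `subject` matching the image digest. The function names, the digests, the sample JSON and the `artifactType` value are constructed for illustration.

```python
import json

LEGACY_TYPE = "vnd.docker.reference.type"
LEGACY_DIGEST = "vnd.docker.reference.digest"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"

# Constructed sample data modelled on the output above (placeholder digests).
IMAGE = "sha256:" + "a" * 64
ATT = "sha256:" + "b" * 64
INDEX = {"schemaVersion": 2, "manifests": [
    {"mediaType": OCI_MANIFEST, "digest": IMAGE,
     "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": OCI_MANIFEST, "digest": ATT,
     "annotations": {LEGACY_DIGEST: IMAGE, LEGACY_TYPE: "attestation-manifest"},
     "platform": {"architecture": "unknown", "os": "unknown"}}]}
LEGACY_MANIFEST = {"schemaVersion": 2, "mediaType": OCI_MANIFEST,
                   "config": {"mediaType": "application/vnd.oci.image.config.v1+json"},
                   "layers": [{"mediaType": "application/vnd.in-toto+json"}]}
# Same manifest with the two OCI 1.1 fields present (artifactType is a placeholder).
FIXED_MANIFEST = dict(LEGACY_MANIFEST,
                      artifactType="application/vnd.example.attestation+json",
                      subject={"mediaType": OCI_MANIFEST, "digest": IMAGE})

def legacy_attestations(index):
    """Map attestation digest -> image digest named by the legacy annotations."""
    found = {}
    for entry in index.get("manifests", []):
        ann = entry.get("annotations") or {}
        if ann.get(LEGACY_TYPE) == "attestation-manifest":
            found[entry["digest"]] = ann.get(LEGACY_DIGEST)
    return found

def referrer_problems(manifest, expected_subject):
    """List what keeps a manifest from being an OCI 1.1 referrer of the image."""
    problems = []
    if not manifest.get("artifactType"):
        problems.append("missing artifactType")
    subject = manifest.get("subject")
    if not subject:
        problems.append("missing subject")
    elif subject.get("digest") != expected_subject:
        problems.append("subject points at a different digest")
    return problems

def audit(index, manifests_by_digest):
    """Check every legacy-annotated attestation against its fetched manifest."""
    return {att: (referrer_problems(manifests_by_digest[att], img)
                  if att in manifests_by_digest else ["manifest not fetched"])
            for att, img in legacy_attestations(index).items()}

if __name__ == "__main__":
    print(json.dumps(audit(INDEX, {ATT: LEGACY_MANIFEST}), indent=2))
```

To run it against a real image, load the JSON saved from the two `docker buildx imagetools inspect --raw` commands in place of the constructed `INDEX` and `LEGACY_MANIFEST`.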