
opencontainers annotations not added correctly

Open MartinSchmidt opened this issue 1 month ago • 2 comments

Summary

The RFCs reference the opencontainers predefined keys, which reference how they should be set in the image index, image manifest, and descriptor as actual annotations on the image.

But the links to Snyk and Renovate reference how to set them as labels, which is not according to the opencontainers specification; this is incorrect, and it is how it is implemented.

From the Docker docs:

  • Annotations describe OCI image components, such as manifests, indexes, and descriptors.
  • Labels describe Docker resources, such as images, containers, networks, and volumes.

The result is that tools don't see the annotations as they should; an example could be Kargo.

Reproduction

Steps

git clone https://github.com/buildpacks/samples
cd samples
pack build docker.io/martinschmidt/sample-app-pack:main \
  --path ./apps/java-maven \
  --builder paketobuildpacks/builder-jammy-base \
  --env BP_OCI_SOURCE=https://github.com/buildpacks/samples/tree/main/apps/java-maven \
  --env BP_OCI_REVISION=$(git rev-parse HEAD) \
  --publish
docker buildx imagetools inspect docker.io/martinschmidt/sample-app-pack:main --raw

Current behavior

The annotations are not added correctly:

docker buildx imagetools inspect docker.io/martinschmidt/sample-app-pack:main --raw

{
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {
        "mediaType": "application/vnd.docker.container.image.v1+json",
        "size": 15820,
        "digest": "sha256:c662462978f98805fbf87c02efc1641f88bb79695f5c40565e92e40644414cc5"
    },
    "layers": [
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 33987054,
            "digest": "sha256:ac9ef76bb7c824668f3cf73964e96e9d474b04a20b608ff804402476f2a4145a"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 12511443,
            "digest": "sha256:67d7bd07ccd5224721ef9f58e74ceb1e01df5d677b3f539e07851d56d8de4750"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 807,
            "digest": "sha256:6fa82fa6083081d8cbe225f1ecd25d7308ee31c71bd68fdbc4303e57f977cbee"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 428,
            "digest": "sha256:5cc8ee8cdeb657c72b17ab5dc18a0eeca9d859b2bb0239128e259378196d4d15"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 2147215,
            "digest": "sha256:91b5fef4aeb694c8e4c59af3dae93f803102715faa6a262f15755945c88f3f0c"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 2430109,
            "digest": "sha256:3df7b837364e333ededdefa305dbd3fd836050b06f9b5e4643458e52d7d2c5d2"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 393,
            "digest": "sha256:5f4c1d5773eb3a00ebec6070263004ec60faf7311ea4db1ac5ff045aecd165f8"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 76004082,
            "digest": "sha256:524c64f86948cfe60283729d137a1750cdf4625057ee4891341cb74acdec1453"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 285,
            "digest": "sha256:b8578b8a2ac51f7abdfdd4eea28bc34a73920771ba01df61f9f6d30f2bbc0dfe"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 1734859,
            "digest": "sha256:06a046bcd588488110383986b9653a43d30700ee2887ca2db61ed154eae85600"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 72710,
            "digest": "sha256:ec660789f01ac29d11bf029218ed99c0d8474e837b20c3ad40a8b007c5b250d4"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 271,
            "digest": "sha256:bc7f82c871ffa12af89cd62c3047e5289ce24fbbe07f7adeeb840ccd43140f20"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 60057,
            "digest": "sha256:424f9029b5f6571584944ecce35bde81ffc5be3470cbece7f59cb5dafa248796"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 17370731,
            "digest": "sha256:cf95bc096d3ad6e1fb7416a77909188f1288eaf8c5c196ec92051cd299b9128c"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 1366636,
            "digest": "sha256:59c41dd5001fd357e682bcce742ced6b509f72f1afdff98915ead7d32a20fc3c"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 782,
            "digest": "sha256:fd4b7b00c087927585e63096c171f23a48445425b2bed19a914ca4cbb59968f3"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 209,
            "digest": "sha256:b39b18afe74ec7ee652aed10c5c3e637af7e7daad3da9380043a93fe7d212d44"
        }
    ]
}

Instead, they are added as labels:

docker pull docker.io/martinschmidt/sample-app-pack:main
docker image inspect docker.io/martinschmidt/sample-app-pack:main
[
    {
        "Id": "sha256:03f487890f33c939507af0540cebf01b91cb4d07e2036ba02e010529ffbd7e12",
        "RepoTags": [
            "martinschmidt/sample-app-pack:main"
        ],
        "RepoDigests": [
            "martinschmidt/sample-app-pack@sha256:03f487890f33c939507af0540cebf01b91cb4d07e2036ba02e010529ffbd7e12"
        ],
        "Created": "1980-01-01T00:00:01Z",
        "Config": {
            "User": "1002:1000",
            "Env": [
                "PATH=/cnb/process:/cnb/lifecycle:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "CNB_LAYERS_DIR=/layers",
                "CNB_APP_DIR=/workspace",
                "CNB_PLATFORM_API=0.13",
                "CNB_DEPRECATION_MODE=quiet"
            ],
            "Entrypoint": [
                "/cnb/process/web"
            ],
            "WorkingDir": "/workspace",
            "Labels": {
                "io.buildpacks.build.metadata": "{\"buildpacks\":[{\"id\":\"paketo-buildpacks/ca-certificates\",\"version\":\"3.10.5\",\"homepage\":\"https://github.com/paketo-buildpacks/ca-certificates\"},{\"id\":\"paketo-buildpacks/bellsoft-liberica\",\"version\":\"11.4.3\",\"homepage\":\"https://github.com/paketo-buildpacks/bellsoft-liberica\"},{\"id\":\"paketo-buildpacks/syft\",\"version\":\"2.25.0\",\"homepage\":\"https://github.com/paketo-buildpacks/syft\"},{\"id\":\"paketo-buildpacks/maven\",\"version\":\"6.20.8\",\"homepage\":\"https://github.com/paketo-buildpacks/maven\"},{\"id\":\"paketo-buildpacks/executable-jar\",\"version\":\"6.13.4\",\"homepage\":\"https://github.com/paketo-buildpacks/executable-jar\"},{\"id\":\"paketo-buildpacks/apache-tomcat\",\"version\":\"8.7.6\",\"homepage\":\"https://github.com/paketo-buildpacks/apache-tomcat\"},{\"id\":\"paketo-buildpacks/apache-tomee\",\"version\":\"1.15.1\",\"homepage\":\"https://github.com/paketo-buildpacks/apache-tomee\"},{\"id\":\"paketo-buildpacks/liberty\",\"version\":\"5.1.9\",\"homepage\":\"https://github.com/paketo-buildpacks/liberty\"},{\"id\":\"paketo-buildpacks/dist-zip\",\"version\":\"5.10.4\",\"homepage\":\"https://github.com/paketo-buildpacks/dist-zip\"},{\"id\":\"paketo-buildpacks/spring-boot\",\"version\":\"5.33.5\",\"homepage\":\"https://github.com/paketo-buildpacks/spring-boot\"},{\"id\":\"paketo-buildpacks/image-labels\",\"version\":\"4.10.3\",\"homepage\":\"https://github.com/paketo-buildpacks/image-labels\"}],\"launcher\":{\"version\":\"0.20.19\",\"source\":{\"git\":{\"repository\":\"github.com/buildpacks/lifecycle\",\"commit\":\"73739826\"}}},\"processes\":[{\"type\":\"executable-jar\",\"command\":[\"java\"],\"args\":[\"org.springframework.boot.loader.JarLauncher\"],\"direct\":true,\"buildpackID\":\"paketo-buildpacks/executable-jar\"},{\"type\":\"task\",\"command\":[\"java\"],\"args\":[\"org.springframework.boot.loader.JarLauncher\"],\"direct\":true,\"buildpackID\":\"paketo-buildpacks/exe
cutable-jar\"},{\"type\":\"web\",\"command\":[\"java\"],\"args\":[\"org.springframework.boot.loader.JarLauncher\"],\"direct\":true,\"buildpackID\":\"paketo-buildpacks/executable-jar\"}],\"buildpack-default-process-type\":\"web\"}",
                "io.buildpacks.lifecycle.metadata": "{\"app\":[{\"sha\":\"sha256:ac57c69a8bb3c58abf4e3c15edbb3eb0c6794820be5236af4df29ee3f3fad70d\"}],\"sbom\":{\"sha\":\"sha256:67c8b643997428e08f364ea731e5ef4961ccd8913dd10b7504b9ec5f5016cea2\"},\"buildpacks\":[{\"key\":\"paketo-buildpacks/ca-certificates\",\"version\":\"3.10.5\",\"layers\":{\"helper\":{\"sha\":\"sha256:af2064c0cc24d97c6286e91b901495cb6338aaa31c1b5843cd99f2262ffae091\",\"data\":{\"buildpackInfo\":{\"clear-env\":false,\"description\":\"A Cloud Native Buildpack that adds custom CA certificates to a build and a created image\",\"homepage\":\"https://github.com/paketo-buildpacks/ca-certificates\",\"id\":\"paketo-buildpacks/ca-certificates\",\"keywords\":[\"ca-certificates\",\"trust\",\"certificates\"],\"licenses\":[{\"type\":\"Apache-2.0\",\"uri\":\"https://github.com/paketo-buildpacks/ca-certificates/blob/main/LICENSE\"}],\"name\":\"Paketo Buildpack for CA Certificates\",\"sbom-formats\":[\"application/vnd.cyclonedx+json\",\"application/vnd.syft+json\"],\"version\":\"3.10.5\"},\"helperNames\":[\"ca-certificates-helper\"]},\"build\":false,\"launch\":true,\"cache\":false}}},{\"key\":\"paketo-buildpacks/bellsoft-liberica\",\"version\":\"11.4.3\",\"layers\":{\"helper\":{\"sha\":\"sha256:ed89a93371ac78ebe179ec893acda701f182b39a16b7d2be5a9d3f3cbc78259a\",\"data\":{\"buildpackInfo\":{\"clear-env\":false,\"description\":\"A Cloud Native Buildpack that provides the Bellsoft Liberica implementations of JREs and JDKs\",\"homepage\":\"https://github.com/paketo-buildpacks/bellsoft-liberica\",\"id\":\"paketo-buildpacks/bellsoft-liberica\",\"keywords\":[\"java\",\"jvm\",\"jre\",\"jdk\"],\"licenses\":[{\"type\":\"Apache-2.0\",\"uri\":\"https://github.com/paketo-buildpacks/bellsoft-liberica/blob/main/LICENSE\"}],\"name\":\"Paketo Buildpack for BellSoft 
Liberica\",\"sbom-formats\":[\"application/vnd.syft+json\",\"application/vnd.cyclonedx+json\"],\"version\":\"11.4.3\"},\"helperNames\":[\"java-opts\",\"jvm-heap\",\"link-local-dns\",\"memory-calculator\",\"security-providers-configurer\",\"jmx\",\"jfr\",\"openssl-certificate-loader\",\"security-providers-classpath-9\",\"debug-9\",\"nmt\"]},\"build\":false,\"launch\":true,\"cache\":false},\"java-security-properties\":{\"sha\":\"sha256:bea0a3dc2651cac7c9c567a5cb4e7536107b357cb9113e8806f690f050500012\",\"data\":{\"clear-env\":false,\"description\":\"A Cloud Native Buildpack that provides the Bellsoft Liberica implementations of JREs and JDKs\",\"homepage\":\"https://github.com/paketo-buildpacks/bellsoft-liberica\",\"id\":\"paketo-buildpacks/bellsoft-liberica\",\"keywords\":[\"java\",\"jvm\",\"jre\",\"jdk\"],\"licenses\":[{\"type\":\"Apache-2.0\",\"uri\":\"https://github.com/paketo-buildpacks/bellsoft-liberica/blob/main/LICENSE\"}],\"name\":\"Paketo Buildpack for BellSoft Liberica\",\"sbom-formats\":[\"application/vnd.syft+json\",\"application/vnd.cyclonedx+json\"],\"version\":\"11.4.3\"},\"build\":false,\"launch\":true,\"cache\":false},\"jre\":{\"sha\":\"sha256:6b02acc0c8308132bfd06407f99bf9379eb5f7bd2da2f183162b975ec4baaaa3\",\"data\":{\"cert-file\":\"6d84ab71cb726c0641b0af84303c316e3fa50db941dc8507d09045eb2fa5d238\",\"dependency\":{\"cpes\":[\"cpe:2.3:a:oracle:jre:21.0.9:*:*:*:*:*:*:*\"],\"deprecation_date\":\"0001-01-01T00:00:00Z\",\"id\":\"jre\",\"licenses\":[{\"type\":\"GPL-2.0 WITH Classpath-exception-2.0\",\"uri\":\"https://openjdk.java.net/legal/gplv2+ce.html\"}],\"name\":\"BellSoft Liberica JRE\",\"purl\":\"pkg:generic/[email 
protected]?arch=amd64\",\"sha256\":\"0c9cb6693a9eab34e5990d581f9865824b159d365733960ccfa0e7eac9387b99\",\"stacks\":[\"*\"],\"uri\":\"https://github.com/bell-sw/Liberica/releases/download/21.0.9+15/bellsoft-jre21.0.9+15-linux-amd64.tar.gz\",\"version\":\"21.0.9\"}},\"build\":false,\"launch\":true,\"cache\":false}}},{\"key\":\"paketo-buildpacks/syft\",\"version\":\"2.25.0\",\"layers\":{}},{\"key\":\"paketo-buildpacks/maven\",\"version\":\"6.20.8\",\"layers\":{}},{\"key\":\"paketo-buildpacks/executable-jar\",\"version\":\"6.13.4\",\"layers\":{\"classpath\":{\"sha\":\"sha256:417e5bfc3c82b9373cf6804206e071d2fc74560df867d0f39cb21ac3d15231b6\",\"data\":{\"classpath\":[\"/workspace\"],\"launch\":true},\"build\":true,\"launch\":true,\"cache\":false}}},{\"key\":\"paketo-buildpacks/apache-tomcat\",\"version\":\"8.7.6\",\"layers\":{}},{\"key\":\"paketo-buildpacks/apache-tomee\",\"version\":\"1.15.1\",\"layers\":{}},{\"key\":\"paketo-buildpacks/liberty\",\"version\":\"5.1.9\",\"layers\":{}},{\"key\":\"paketo-buildpacks/dist-zip\",\"version\":\"5.10.4\",\"layers\":{}},{\"key\":\"paketo-buildpacks/spring-boot\",\"version\":\"5.33.5\",\"layers\":{\"helper\":{\"sha\":\"sha256:3f379d0a1f14af80d58a10af3dedb6b31cbbe12d94afab46e247e0f9d8c6f548\",\"data\":{\"buildpackInfo\":{\"clear-env\":false,\"description\":\"A Cloud Native Buildpack that contributes Spring Boot dependency information and slices an application into multiple layers\",\"homepage\":\"https://github.com/paketo-buildpacks/spring-boot\",\"id\":\"paketo-buildpacks/spring-boot\",\"keywords\":[\"java\",\"spring\",\"spring-boot\"],\"licenses\":[{\"type\":\"Apache-2.0\",\"uri\":\"https://github.com/paketo-buildpacks/spring-boot/blob/main/LICENSE\"}],\"name\":\"Paketo Buildpack for Spring 
Boot\",\"sbom-formats\":[\"application/vnd.cyclonedx+json\",\"application/vnd.syft+json\"],\"version\":\"5.33.5\"},\"helperNames\":[\"spring-cloud-bindings\"]},\"build\":false,\"launch\":true,\"cache\":false},\"spring-cloud-bindings\":{\"sha\":\"sha256:585d8b141d7aa07eecde5a1bae075c7898ab5809a215d66f160d3dfd46eaf577\",\"data\":{\"cpes\":[\"cpe:2.3:a:vmware:spring_cloud_bindings:1.13.0:*:*:*:*:*:*:*\"],\"deprecation_date\":\"0001-01-01T00:00:00Z\",\"id\":\"spring-cloud-bindings\",\"licenses\":[{\"type\":\"Apache-2.0\",\"uri\":\"https://github.com/spring-cloud/spring-cloud-bindings/blob/main/LICENSE\"}],\"name\":\"Spring Cloud Bindings\",\"purl\":\"pkg:generic/springframework/[email protected]\",\"sha256\":\"70a448cd45d1dbc117770f934961cd9577c0c4404d34986824f8f593cae4aada\",\"stacks\":[\"io.buildpacks.stacks.bionic\",\"io.paketo.stacks.tiny\",\"*\"],\"uri\":\"https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-bindings/1.13.0/spring-cloud-bindings-1.13.0.jar\",\"version\":\"1.13.0\"},\"build\":false,\"launch\":true,\"cache\":true},\"web-application-type\":{\"sha\":\"sha256:366ce7d1a7f90f2e4ad08752f87510eee3ffca18736fa63c03823c8c4ebf2925\",\"data\":{\"files\":\"062a19887629f436dd1b2c215e2824592e55ba5e756732327d104bb33e31ddac\"},\"build\":false,\"launch\":true,\"cache\":false}}},{\"key\":\"paketo-buildpacks/image-labels\",\"version\":\"4.10.3\",\"layers\":{}}],\"config\":{\"sha\":\"sha256:fe1984ccd6a6476909a19cc1179cc91cdb319051056ce42113fcceaa7404e33c\"},\"launcher\":{\"sha\":\"sha256:e553d7c9d019d7e80ad349f4040a997b83c814767d16996f8202811e1c33b493\"},\"process-types\":{\"sha\":\"sha256:1dc94a70dbaa2171fb086500a5d27797f779219b126b0a1eebb9180c2792e80e\"},\"runImage\":{\"topLayer\":\"sha256:bfafb912e6aba933375505b5bfdd67195f628dda14b8af196670565e133532a5\",\"reference\":\"index.docker.io/paketobuildpacks/run-jammy-base@sha256:5748cbddf639795ce770a636701657bf2b0e24f473da4ce35e693a719082ec12\",\"image\":\"index.docker.io/paketobuildpacks/run-jammy-base:la
test\"},\"stack\":{\"runImage\":{\"image\":\"index.docker.io/paketobuildpacks/run-jammy-base:latest\"}}}",
                "io.buildpacks.project.metadata": "{}",
                "io.buildpacks.stack.description": "ubuntu:jammy with some common dependencies like tzdata and openssl",
                "io.buildpacks.stack.distro.name": "ubuntu",
                "io.buildpacks.stack.distro.version": "22.04",
                "io.buildpacks.stack.homepage": "https://github.com/paketo-buildpacks/jammy-base-stack",
                "io.buildpacks.stack.id": "io.buildpacks.stacks.jammy",
                "io.buildpacks.stack.maintainer": "Paketo Buildpacks",
                "io.buildpacks.stack.metadata": "{}",
                "io.buildpacks.stack.released": "2025-12-01T04:48:02Z",
                "org.opencontainers.image.ref.name": "ubuntu",
                "org.opencontainers.image.revision": "ff523267214af1a078afbcd6ed82fd55d56baba3",
                "org.opencontainers.image.source": "https://github.com/buildpacks/samples/tree/main/apps/java-maven",
                "org.opencontainers.image.title": "sample",
                "org.opencontainers.image.version": "0.0.1-SNAPSHOT",
                "org.springframework.boot.version": "2.1.18.RELEASE"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 147706916,
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:73974f74b436f39a2fdb6461b1e3f7c3e41c73325776fa71d16b942a5b4a365b",
                "sha256:3f978e3566433d708249d4aa0bb8d3dd12ca3862eefd9cb8a24d9d1e77382eb9",
                "sha256:9e348ad7ee877b9d1bff1392185a37ee56f00945089fd1b27822acd313e2e2b3",
                "sha256:bfafb912e6aba933375505b5bfdd67195f628dda14b8af196670565e133532a5",
                "sha256:af2064c0cc24d97c6286e91b901495cb6338aaa31c1b5843cd99f2262ffae091",
                "sha256:ed89a93371ac78ebe179ec893acda701f182b39a16b7d2be5a9d3f3cbc78259a",
                "sha256:bea0a3dc2651cac7c9c567a5cb4e7536107b357cb9113e8806f690f050500012",
                "sha256:6b02acc0c8308132bfd06407f99bf9379eb5f7bd2da2f183162b975ec4baaaa3",
                "sha256:417e5bfc3c82b9373cf6804206e071d2fc74560df867d0f39cb21ac3d15231b6",
                "sha256:3f379d0a1f14af80d58a10af3dedb6b31cbbe12d94afab46e247e0f9d8c6f548",
                "sha256:585d8b141d7aa07eecde5a1bae075c7898ab5809a215d66f160d3dfd46eaf577",
                "sha256:366ce7d1a7f90f2e4ad08752f87510eee3ffca18736fa63c03823c8c4ebf2925",
                "sha256:67c8b643997428e08f364ea731e5ef4961ccd8913dd10b7504b9ec5f5016cea2",
                "sha256:ac57c69a8bb3c58abf4e3c15edbb3eb0c6794820be5236af4df29ee3f3fad70d",
                "sha256:e553d7c9d019d7e80ad349f4040a997b83c814767d16996f8202811e1c33b493",
                "sha256:fe1984ccd6a6476909a19cc1179cc91cdb319051056ce42113fcceaa7404e33c",
                "sha256:1dc94a70dbaa2171fb086500a5d27797f779219b126b0a1eebb9180c2792e80e"
            ]
        },
        "Metadata": {
            "LastTagTime": "2025-12-04T15:23:52.40566781Z"
        },
        "Descriptor": {
            "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "digest": "sha256:03f487890f33c939507af0540cebf01b91cb4d07e2036ba02e010529ffbd7e12",
            "size": 3025
        }
    }
]

Expected behavior

{
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {
        "mediaType": "application/vnd.docker.container.image.v1+json",
        "size": 15820,
        "digest": "sha256:c662462978f98805fbf87c02efc1641f88bb79695f5c40565e92e40644414cc5"
    },
    "layers": [
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 33987054,
            "digest": "sha256:ac9ef76bb7c824668f3cf73964e96e9d474b04a20b608ff804402476f2a4145a"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 12511443,
            "digest": "sha256:67d7bd07ccd5224721ef9f58e74ceb1e01df5d677b3f539e07851d56d8de4750"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 807,
            "digest": "sha256:6fa82fa6083081d8cbe225f1ecd25d7308ee31c71bd68fdbc4303e57f977cbee"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 428,
            "digest": "sha256:5cc8ee8cdeb657c72b17ab5dc18a0eeca9d859b2bb0239128e259378196d4d15"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 2147215,
            "digest": "sha256:91b5fef4aeb694c8e4c59af3dae93f803102715faa6a262f15755945c88f3f0c"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 2430109,
            "digest": "sha256:3df7b837364e333ededdefa305dbd3fd836050b06f9b5e4643458e52d7d2c5d2"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 393,
            "digest": "sha256:5f4c1d5773eb3a00ebec6070263004ec60faf7311ea4db1ac5ff045aecd165f8"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 76004082,
            "digest": "sha256:524c64f86948cfe60283729d137a1750cdf4625057ee4891341cb74acdec1453"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 285,
            "digest": "sha256:b8578b8a2ac51f7abdfdd4eea28bc34a73920771ba01df61f9f6d30f2bbc0dfe"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 1734859,
            "digest": "sha256:06a046bcd588488110383986b9653a43d30700ee2887ca2db61ed154eae85600"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 72710,
            "digest": "sha256:ec660789f01ac29d11bf029218ed99c0d8474e837b20c3ad40a8b007c5b250d4"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 271,
            "digest": "sha256:bc7f82c871ffa12af89cd62c3047e5289ce24fbbe07f7adeeb840ccd43140f20"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 60057,
            "digest": "sha256:424f9029b5f6571584944ecce35bde81ffc5be3470cbece7f59cb5dafa248796"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 17370731,
            "digest": "sha256:cf95bc096d3ad6e1fb7416a77909188f1288eaf8c5c196ec92051cd299b9128c"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 1366636,
            "digest": "sha256:59c41dd5001fd357e682bcce742ced6b509f72f1afdff98915ead7d32a20fc3c"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 782,
            "digest": "sha256:fd4b7b00c087927585e63096c171f23a48445425b2bed19a914ca4cbb59968f3"
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 209,
            "digest": "sha256:b39b18afe74ec7ee652aed10c5c3e637af7e7daad3da9380043a93fe7d212d44"
        }
    ],
   "annotations": {
      "org.opencontainers.image.revision": "ff523267214af1a078afbcd6ed82fd55d56baba3",
      "org.opencontainers.image.source": "https://github.com/buildpacks/samples/tree/main/apps/java-maven"
  }
}

Example with docker

echo "FROM alpine" > Dockerfile
docker buildx build \
  --annotation index,manifest:org.opencontainers.image.source=https://github.com/buildpacks/samples/tree/main/apps/java-maven \
  --annotation index,manifest:org.opencontainers.image.revision="$(git rev-parse HEAD)" \
  -t docker.io/martinschmidt/sample-app:latest \
  --push .
docker buildx imagetools inspect docker.io/martinschmidt/sample-app:latest --raw
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:fa6629cb5ca95604137f452d40d6d0cb1254b165579ea04f55739cfcf1698f9a",
      "size": 694,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:cbd1e9fa8b5b115b39645d8b35c2e1bd1591d9695e00ef9e2309f733584c296a",
      "size": 566,
      "annotations": {
        "vnd.docker.reference.digest": "sha256:fa6629cb5ca95604137f452d40d6d0cb1254b165579ea04f55739cfcf1698f9a",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    }
  ],
  "annotations": {
    "org.opencontainers.image.revision": "ff523267214af1a078afbcd6ed82fd55d56baba3",
    "org.opencontainers.image.source": "https://github.com/buildpacks/samples/tree/main/apps/java-maven"
  }
}

MartinSchmidt avatar Dec 04 '25 15:12 MartinSchmidt
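
A check for the mismatch reported above, as an added example that is not part of the issue or of pack: it reports where each `org.opencontainers.image.*` key lives (index, manifest, descriptor or config label) and lists the keys an annotation-reading tool would miss. The function names are hypothetical and the sample documents are constructed, trimmed from the outputs quoted in the issue with digests omitted.

```python
OCI_PREFIX = "org.opencontainers.image."

# Constructed sample: the manifest pushed by pack, trimmed (no annotations field).
PACK_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json", "size": 15820},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 807}],
}

# Constructed sample: `docker image inspect` output for the same image, labels only.
PACK_INSPECT = [{"Config": {"Labels": {
    "io.buildpacks.stack.id": "io.buildpacks.stacks.jammy",
    "org.opencontainers.image.ref.name": "ubuntu",
    "org.opencontainers.image.revision": "ff523267214af1a078afbcd6ed82fd55d56baba3",
    "org.opencontainers.image.source": "https://github.com/buildpacks/samples/tree/main/apps/java-maven",
    "org.opencontainers.image.title": "sample",
    "org.opencontainers.image.version": "0.0.1-SNAPSHOT",
}}}]

# Constructed sample: the index pushed by `docker buildx build --annotation ...`, trimmed.
BUILDX_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 694},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 566,
         "annotations": {"vnd.docker.reference.type": "attestation-manifest"}},
    ],
    "annotations": {
        "org.opencontainers.image.revision": "ff523267214af1a078afbcd6ed82fd55d56baba3",
        "org.opencontainers.image.source": "https://github.com/buildpacks/samples/tree/main/apps/java-maven",
    },
}


def _labels(image_config):
    """Labels from `docker image inspect` output (a list, "Config") or a raw config blob ("config")."""
    if isinstance(image_config, list):
        image_config = image_config[0] if image_config else {}
    cfg = image_config.get("Config") or image_config.get("config") or {}
    return cfg.get("Labels") or {}


def _annotation_sites(doc):
    """Yield (location, annotations) for the document itself and every descriptor inside it."""
    yield ("index" if "manifests" in doc else "manifest"), doc.get("annotations") or {}
    descriptors = list(doc.get("manifests", [])) + list(doc.get("layers", []))
    if isinstance(doc.get("config"), dict):
        descriptors.append(doc["config"])
    for desc in descriptors:
        yield "descriptor", desc.get("annotations") or {}


def locate(doc, image_config):
    """Map each org.opencontainers.image.* key to the sorted list of places it was found."""
    found = {}
    for where, annotations in _annotation_sites(doc):
        for key in annotations:
            if key.startswith(OCI_PREFIX):
                found.setdefault(key, set()).add(where)
    for key in _labels(image_config):
        if key.startswith(OCI_PREFIX):
            found.setdefault(key, set()).add("label")
    return {key: sorted(places) for key, places in sorted(found.items())}


def label_only(doc, image_config):
    """Keys present only as config labels, i.e. invisible to tools that read annotations."""
    return [key for key, places in locate(doc, image_config).items() if places == ["label"]]


if __name__ == "__main__":
    print("pack image, label-only keys:", label_only(PACK_MANIFEST, PACK_INSPECT))
    print("buildx image, key locations:", locate(BUILDX_INDEX, {}))
```

To run it against a real image, load the JSON printed by `docker buildx imagetools inspect <ref> --raw` and by `docker image inspect <ref>` in place of the constructed samples.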

@MartinSchmidt Thanks for reporting this issue! This is indeed a valid request and something we've been discussing for quite some time.

Related Work

We have an open RFC that addresses exactly this problem: https://github.com/buildpacks/rfcs/pull/196. The RFC proposes adding proper OCI annotations (including org.opencontainers.image.source and org.opencontainers.image.revision) to the manifest/index instead of only setting them as Docker labels in the image config.

Why the RFC is Stuck

The RFC has been in draft status since December 2021, primarily blocked by an architectural debate:

The core issue: OCI annotations can only be applied to images pushed to registries, not to images exported to the Docker daemon. This creates a behavioral difference between registry and daemon export targets, which conflicted with our design principle of consistent output regardless of export destination.

The original blocker: The discussion stalled around whether we should:

  • Option A: Implement annotations now with conditional logic (registry-only)
  • Option B: First remove daemon support entirely, then implement annotations

We ended up not pursuing daemon removal, which left the RFC in limbo.

Path Forward

However, the landscape has changed since 2021. Docker is moving toward OCI-compatible storage (with containerd and OCI layout support), which means the daemon is increasingly behaving like an OCI registry. This may resolve the original concern about behavioral differences.

Given that:

  1. This is causing real-world compatibility issues (as you've demonstrated with Kargo)
  2. The daemon/registry gap is narrowing
  3. The two modes already have some behavioral differences in practice

It may be time to revisit RFC #196 and move forward with the implementation. I'll bring this up with the team for discussion.

jjbustamante avatar Dec 07 '25 20:12 jjbustamante

This issue is blocked on RFC #196 discussion

jjbustamante avatar Dec 07 '25 20:12 jjbustamante