
policy eval fails with "object required" when checking attestation fields on v2 manifest images #3613

@dvdksn


Contributing guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

docker buildx policy eval with a policy that checks attestation fields (hasProvenance, signatures) on images using v2 manifest format fails. These fields should be unavailable/unresolved for v2 manifest images. Accessing them causes an error.

Expected behaviour

I guess there are two issues here.

  • It probably shouldn't error because of the image format.
  • Afaict eval doesn't actually resolve hasProvenance, so it should probably print an info/warn, e.g.:
WARNING: Policy evaluation incomplete - unresolved fields: image.hasProvenance

Actual behaviour

# images with oci indexes silently exit:
docker buildx policy eval docker-image://alpine:3.19
# images with manifest lists cause an error
docker buildx policy eval docker-image://davidkarlsson416/image-no-provenance
ERROR: object required

Buildx version

github.com/docker/buildx v0.31.0-rc1 b9b2435

Docker info


Builders list

NAME/NODE           DRIVER/ENDPOINT     STATUS    BUILDKIT      PLATFORMS
v0.27.0-rc1*        docker-container                            
 \_ v0.27.0-rc1      \_ desktop-linux   running   v0.27.0-rc1   linux/amd64 (+2), linux/arm64, linux/arm (+2), linux/ppc64le, (3 more)
default             docker                                      
 \_ default          \_ default         running   v0.26.2       linux/amd64 (+2), linux/arm64, linux/ppc64le, linux/s390x, (2 more)
desktop-linux       docker                                      
 \_ desktop-linux    \_ desktop-linux   running   v0.26.2       linux/amd64 (+2), linux/arm64, linux/ppc64le, linux/s390x, (2 more)

Configuration

$ cat > Dockerfile.rego << 'EOF'
package docker
default allow := false
allow if input.local
allow if input.image.hasProvenance
decision := {"allow": allow}
EOF
$ docker buildx policy eval docker-image://alpine:3.19
$ docker buildx policy eval docker-image://davidkarlsson416/image-no-provenance
ERROR: object required

Additional info

No response
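A defensive form of the policy in the report, added here as an example and not part of the issue or the buildx project: it reads the attestation fields through `object.get`, so a missing `image` object or field falls back to a default instead of aborting evaluation, and it collects the field names that were never populated so a caller can print a warning like the one requested above. It assumes the buildx evaluator exposes the standard OPA builtins (`object.get`, `sprintf`) and rego.v1 keywords; the `unresolved` rule and the extra `decision` key are hypothetical names.

```rego
package docker

# Fail closed: an image whose provenance cannot be established is denied.
default allow := false

# Local (non-image) inputs are allowed, as in the original policy.
allow if input.local

# Read the flag through object.get (assumed available as a standard OPA
# builtin) so a missing "image" object or "hasProvenance" field evaluates
# to the default false rather than raising an error.
allow if object.get(input, ["image", "hasProvenance"], false) == true

# Hypothetical rule: collect attestation fields the evaluator did not
# populate, so a deny can be told apart from "field was never resolved".
unresolved contains field if {
    some field in ["hasProvenance", "signatures"]
    object.get(input, ["image", field], null) == null
}

# Surface the unresolved set next to the decision so a caller can print
# "Policy evaluation incomplete - unresolved fields: image.hasProvenance".
decision := {
    "allow": allow,
    "unresolved": [sprintf("image.%s", [f]) | some f in unresolved],
}
```

With the report's v2-manifest image this yields `allow: false` and `unresolved: ["image.hasProvenance", "image.signatures"]` rather than an error, provided the evaluator leaves the fields absent rather than substituting a non-object value.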
