diff --git a/pkg/build/gobuild.go b/pkg/build/gobuild.go
index e9ad9d1377..f25812bd9d 100644
--- a/pkg/build/gobuild.go
+++ b/pkg/build/gobuild.go
@@ -1171,6 +1171,13 @@ func parseSpec(spec []string) (*platformMatcher, error) {
 }
 
 func (pm *platformMatcher) matches(base *v1.Platform) bool {
+	// Strip out manifests with "unknown/unknown" platform, which Docker uses
+	// to store provenance attestations.
+	if base != nil &&
+		(base.OS == "unknown" || base.Architecture == "unknown") {
+		return false
+	}
+
 	if len(pm.spec) > 0 && pm.spec[0] == "all" {
 		return true
 	}
diff --git a/pkg/build/gobuild_test.go b/pkg/build/gobuild_test.go
index 938fdc6ab5..3d9ec9db8f 100644
--- a/pkg/build/gobuild_test.go
+++ b/pkg/build/gobuild_test.go
@@ -1139,6 +1139,11 @@ func TestMatchesPlatformSpec(t *testing.T) {
 			OSVersion:    "10.0.17763.1234.5678", // this won't happen in the wild, but it shouldn't match.
 		},
 		result: false,
+	}, {
+		// Even --platform=all does not match unknown/unknown.
+		platform: &v1.Platform{Architecture: "unknown", OS: "unknown"},
+		spec:     []string{"all"},
+		result:   false,
 	}} {
 		pm, err := parseSpec(tc.spec)
 		if tc.err {