diff --git a/Dockerfile b/Dockerfile
index 3cf2be4f..28d82980 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,7 @@ RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-go-md
 	gnupg \
 	# OpenShift deps
 	which tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
+        bats jq podman \
 	&& dnf clean all
 
 # Install two versions of the registry. The first is an older version that
diff --git a/Makefile b/Makefile
index 8f431701..6e5df788 100644
--- a/Makefile
+++ b/Makefile
@@ -138,12 +138,23 @@ install-completions:
 shell: build-container
 	$(CONTAINER_RUN) bash
 
-check: validate test-unit test-integration
+check: validate test-unit test-integration test-system
 
 # The tests can run out of entropy and block in containers, so replace /dev/random.
 test-integration: build-container
 	$(CONTAINER_RUN) bash -c 'rm -f /dev/random; ln -sf /dev/urandom /dev/random; SKOPEO_CONTAINER_TESTS=1 BUILDTAGS="$(BUILDTAGS)" hack/make.sh test-integration'
 
+# complicated set of options needed to run podman-in-podman
+test-system: build-container
+	DTEMP=$(shell mktemp -d --tmpdir=/var/tmp podman-tmp.XXXXXX); \
+	$(CONTAINER_CMD) --privileged --net=host \
+	    -v $$DTEMP:/var/lib/containers:Z \
+            "$(IMAGE)" \
+            bash -c 'BUILDTAGS="$(BUILDTAGS)" hack/make.sh test-system'; \
+	rc=$$?; \
+	$(RM) -rf $$DTEMP; \
+	exit $$rc
+
 test-unit: build-container
 	# Just call (make test unit-local) here instead of worrying about environment differences, e.g. GO15VENDOREXPERIMENT.
 	$(CONTAINER_RUN) make test-unit-local BUILDTAGS='$(BUILDTAGS)'
diff --git a/hack/make/test-system b/hack/make/test-system
new file mode 100755
index 00000000..bc881e17
--- /dev/null
+++ b/hack/make/test-system
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+# Before running podman for the first time, make sure
+# to set storage to vfs (not overlay): podman-in-podman
+# doesn't work with overlay. And, disable mountopt,
+# which causes error with vfs.
+sed -i \
+    -e 's/^driver\s*=.*/driver = "vfs"/' \
+    -e 's/^mountopt/#mountopt/' \
+    /etc/containers/storage.conf
+
+# Build skopeo, install into /usr/bin
+make binary-local ${BUILDTAGS:+BUILDTAGS="$BUILDTAGS"}
+make install
+
+# Run tests
+SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest
diff --git a/systemtest/001-basic.bats b/systemtest/001-basic.bats
new file mode 100644
index 00000000..314052fc
--- /dev/null
+++ b/systemtest/001-basic.bats
@@ -0,0 +1,19 @@
+#!/usr/bin/env bats
+#
+# Simplest set of skopeo tests. If any of these fail, we have serious problems.
+#
+
+load helpers
+
+# Override standard setup! We don't yet trust anything
+function setup() {
+    :
+}
+
+@test "skopeo version emits reasonable output" {
+    run_skopeo --version
+
+    expect_output --substring "skopeo version [0-9.]+"
+}
+
+# vim: filetype=sh
diff --git a/systemtest/010-inspect.bats b/systemtest/010-inspect.bats
new file mode 100644
index 00000000..ee01d123
--- /dev/null
+++ b/systemtest/010-inspect.bats
@@ -0,0 +1,67 @@
+#!/usr/bin/env bats
+#
+# Simplest test for skopeo inspect
+#
+
+load helpers
+
+@test "inspect: basic" {
+    workdir=$TESTDIR/inspect
+
+    remote_image=docker://quay.io/libpod/alpine_labels:latest
+    # Inspect remote source, then pull it. There's a small race condition
+    # in which the remote image can get updated between the inspect and
+    # the copy; let's just not worry about it.
+    run_skopeo inspect $remote_image
+    inspect_remote=$output
+
+    # Now pull it into a directory
+    run_skopeo copy $remote_image dir:$workdir
+    expect_output --substring "Getting image source signatures"
+    expect_output --substring "Writing manifest to image destination"
+
+    # Unpacked contents must include a manifest and version
+    [ -e $workdir/manifest.json ]
+    [ -e $workdir/version ]
+
+    # Now run inspect locally
+    run_skopeo inspect dir:$workdir
+    inspect_local=$output
+
+    # Each SHA-named file must be listed in the output of 'inspect'
+    for sha in $(find $workdir -type f | xargs -l1 basename | egrep '^[0-9a-f]{64}$'); do
+        expect_output --from="$inspect_local" --substring "sha256:$sha" \
+                      "Locally-extracted SHA file is present in 'inspect'"
+    done
+
+    # Simple sanity check on 'inspect' output.
+    # For each of the given keys (LHS of the table below):
+    #    1) Get local and remote values
+    #    2) Sanity-check local value using simple expression
+    #    3) Confirm that local and remote values match.
+    #
+    # The reason for (2) is to make sure that we don't compare bad results
+    #
+    # The reason for a hardcoded list, instead of 'jq keys', is that RepoTags
+    # is always empty locally, but a list remotely.
+    while read key expect; do
+        local=$(echo "$inspect_local" | jq -r ".$key")
+        remote=$(echo "$inspect_remote" | jq -r ".$key")
+
+        expect_output --from="$local" --substring "$expect" \
+                  "local $key is sane"
+
+        expect_output --from="$remote" "$local" \
+                      "local $key matches remote"
+    done <<END_EXPECT
+Architecture       amd64
+Created            [0-9-]+T[0-9:]+\.[0-9]+Z
+Digest             sha256:[0-9a-f]{64}
+DockerVersion      [0-9]+\.[0-9][0-9.-]+
+Labels             \\\{.*PODMAN.*podman.*\\\}
+Layers             \\\[.*sha256:.*\\\]
+Os                 linux
+END_EXPECT
+}
+
+# vim: filetype=sh
diff --git a/systemtest/020-copy.bats b/systemtest/020-copy.bats
new file mode 100644
index 00000000..c824973e
--- /dev/null
+++ b/systemtest/020-copy.bats
@@ -0,0 +1,79 @@
+#!/usr/bin/env bats
+#
+# Copy tests
+#
+
+load helpers
+
+function setup() {
+    standard_setup
+
+    start_registry reg
+}
+
+# From remote, to dir1, to local, to dir2;
+# compare dir1 and dir2, expect no changes
+@test "copy: dir, round trip" {
+    local remote_image=docker://busybox:latest
+    local localimg=docker://localhost:5000/busybox:unsigned
+
+    local dir1=$TESTDIR/dir1
+    local dir2=$TESTDIR/dir2
+
+    run_skopeo copy          $remote_image  dir:$dir1
+    run_skopeo copy --dest-tls-verify=false dir:$dir1  $localimg
+    run_skopeo copy  --src-tls-verify=false            $localimg  dir:$dir2
+
+    # Both extracted copies must be identical
+    diff -urN $dir1 $dir2
+}
+
+# Same as above, but using 'oci:' instead of 'dir:' and with a :latest tag
+@test "copy: oci, round trip" {
+    local remote_image=docker://busybox:latest
+    local localimg=docker://localhost:5000/busybox:unsigned
+
+    local dir1=$TESTDIR/oci1
+    local dir2=$TESTDIR/oci2
+
+    run_skopeo copy          $remote_image  oci:$dir1:latest
+    run_skopeo copy --dest-tls-verify=false oci:$dir1:latest  $localimg
+    run_skopeo copy  --src-tls-verify=false                   $localimg  oci:$dir2:latest
+
+    # Both extracted copies must be identical
+    diff -urN $dir1 $dir2
+}
+
+# Same image, extracted once with :tag and once without
+@test "copy: oci w/ and w/o tags" {
+    local remote_image=docker://busybox:latest
+
+    local dir1=$TESTDIR/dir1
+    local dir2=$TESTDIR/dir2
+
+    run_skopeo copy $remote_image oci:$dir1
+    run_skopeo copy $remote_image oci:$dir2:withtag
+
+    # Both extracted copies must be identical, except for index.json
+    diff -urN --exclude=index.json $dir1 $dir2
+
+    # ...which should differ only in the tag. (But that's too hard to check)
+    grep '"org.opencontainers.image.ref.name":"withtag"' $dir2/index.json
+}
+
+# This one seems unlikely to get fixed
+@test "copy: bug 651" {
+    skip "Enable this once skopeo issue #651 has been fixed"
+
+    run_skopeo copy --dest-tls-verify=false \
+               docker://quay.io/libpod/alpine_labels:latest \
+               docker://localhost:5000/foo
+}
+
+teardown() {
+    podman rm -f reg
+
+    standard_teardown
+}
+
+# vim: filetype=sh
diff --git a/systemtest/030-local-registry-tls.bats b/systemtest/030-local-registry-tls.bats
new file mode 100644
index 00000000..69270199
--- /dev/null
+++ b/systemtest/030-local-registry-tls.bats
@@ -0,0 +1,32 @@
+#!/usr/bin/env bats
+#
+# Confirm that skopeo will push to and pull from a local
+# registry with locally-created TLS certificates.
+#
+load helpers
+
+function setup() {
+    standard_setup
+
+    start_registry --with-cert reg
+}
+
+@test "local registry, with cert" {
+    # Push to local registry...
+    run_skopeo copy --dest-cert-dir=$TESTDIR/client-auth \
+               docker://busybox:latest \
+               docker://localhost:5000/busybox:unsigned
+
+    # ...and pull it back out
+    run_skopeo copy --src-cert-dir=$TESTDIR/client-auth \
+               docker://localhost:5000/busybox:unsigned \
+               dir:$TESTDIR/extracted
+}
+
+teardown() {
+    podman rm -f reg
+
+    standard_teardown
+}
+
+# vim: filetype=sh
diff --git a/systemtest/040-local-registry-auth.bats b/systemtest/040-local-registry-auth.bats
new file mode 100644
index 00000000..dab3bd18
--- /dev/null
+++ b/systemtest/040-local-registry-auth.bats
@@ -0,0 +1,78 @@
+#!/usr/bin/env bats
+#
+# Tests with a local registry with auth
+#
+
+load helpers
+
+function setup() {
+    standard_setup
+
+    # Remove old/stale cred file
+    _cred_dir=$TESTDIR/credentials
+    export XDG_RUNTIME_DIR=$_cred_dir
+    mkdir -p $_cred_dir/containers
+    rm -f $_cred_dir/containers/auth.json
+
+    # Start authenticated registry with random password
+    testuser=testuser
+    testpassword=$(random_string 15)
+
+    start_registry --testuser=testuser --testpassword=$testpassword reg
+}
+
+@test "auth: credentials on command line" {
+    # No creds
+    run_skopeo 1 inspect --tls-verify=false docker://localhost:5000/nonesuch
+    expect_output --substring "unauthorized: authentication required"
+
+    # Wrong user
+    run_skopeo 1 inspect --tls-verify=false --creds=baduser:badpassword \
+               docker://localhost:5000/nonesuch
+    expect_output --substring "unauthorized: authentication required"
+
+    # Wrong password
+    run_skopeo 1 inspect --tls-verify=false --creds=$testuser:badpassword \
+               docker://localhost:5000/nonesuch
+    expect_output --substring "unauthorized: authentication required"
+
+    # Correct creds, but no such image
+    run_skopeo 1 inspect --tls-verify=false --creds=$testuser:$testpassword \
+               docker://localhost:5000/nonesuch
+    expect_output --substring "manifest unknown: manifest unknown"
+
+    # These should pass
+    run_skopeo copy --dest-tls-verify=false --dcreds=$testuser:$testpassword \
+               docker://busybox:latest docker://localhost:5000/busybox:mine
+    run_skopeo inspect --tls-verify=false --creds=$testuser:$testpassword \
+               docker://localhost:5000/busybox:mine
+    expect_output --substring "localhost:5000/busybox"
+}
+
+@test "auth: credentials via podman login" {
+    # Logged in: skopeo should work
+    podman login --tls-verify=false -u $testuser -p $testpassword localhost:5000
+
+    run_skopeo copy --dest-tls-verify=false \
+               docker://busybox:latest docker://localhost:5000/busybox:mine
+    run_skopeo inspect --tls-verify=false docker://localhost:5000/busybox:mine
+    expect_output --substring "localhost:5000/busybox"
+
+    # Logged out: should fail
+    podman logout localhost:5000
+
+    run_skopeo 1 inspect --tls-verify=false docker://localhost:5000/busybox:mine
+    expect_output --substring "unauthorized: authentication required"
+}
+
+teardown() {
+    podman rm -f reg
+
+    if [[ -n $_cred_dir ]]; then
+        rm -rf $_cred_dir
+    fi
+
+    standard_teardown
+}
+
+# vim: filetype=sh
diff --git a/systemtest/050-signing.bats b/systemtest/050-signing.bats
new file mode 100644
index 00000000..af7e978f
--- /dev/null
+++ b/systemtest/050-signing.bats
@@ -0,0 +1,142 @@
+#!/usr/bin/env bats
+#
+# Tests with gpg signing
+#
+
+load helpers
+
+function setup() {
+    standard_setup
+
+    # Create dummy gpg keys
+    export GNUPGHOME=$TESTDIR/skopeo-gpg
+    mkdir --mode=0700 $GNUPGHOME
+
+    # gpg on f30 needs this, otherwise:
+    #   gpg: agent_genkey failed: Inappropriate ioctl for device
+    # ...but gpg on f29 (and, probably, Ubuntu) doesn't grok this
+    GPGOPTS='--pinentry-mode loopback'
+    if gpg --pinentry-mode asdf 2>&1 | grep -qi 'Invalid option'; then
+        GPGOPTS=
+    fi
+
+    for k in alice bob;do
+        gpg --batch $GPGOPTS --gen-key --passphrase '' <<END_GPG
+Key-Type: RSA
+Name-Real: Test key - $k
+Name-email: $k@test.redhat.com
+%commit
+END_GPG
+
+        gpg --armor --export $k@test.redhat.com >$GNUPGHOME/pubkey-$k.gpg
+    done
+
+    # Registries. The important part here seems to be sigstore,
+    # because (I guess?) the registry itself has no mechanism
+    # for storing or validating signatures.
+    REGISTRIES_D=$TESTDIR/registries.d
+    mkdir $REGISTRIES_D $TESTDIR/sigstore
+    cat >$REGISTRIES_D/registries.yaml <<EOF
+docker:
+   localhost:5000:
+        sigstore: file://$TESTDIR/sigstore
+EOF
+
+    # Policy file. Basically, require /myns/alice and /myns/bob
+    # to be signed; allow /open; and reject anything else.
+    POLICY_JSON=$TESTDIR/policy.json
+    cat >$POLICY_JSON <<END_POLICY_JSON
+{
+    "default": [
+        {
+            "type": "reject"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "localhost:5000/myns/alice": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "$GNUPGHOME/pubkey-alice.gpg"
+                }
+            ],
+            "localhost:5000/myns/bob": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "$GNUPGHOME/pubkey-bob.gpg"
+                }
+            ],
+            "localhost:5000/open": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        }
+    }
+}
+END_POLICY_JSON
+
+    start_registry reg
+}
+
+@test "signing" {
+    # Cache local copy
+    run_skopeo copy docker://busybox:latest dir:$TESTDIR/busybox
+
+    # Push a bunch of images. Do so *without* --policy flag; this lets us
+    # sign or not, creating images that will or won't conform to policy.
+    while read path sig comments; do
+        local sign_opt=
+        if [[ $sig != '-' ]]; then
+            sign_opt="--sign-by=${sig}@test.redhat.com"
+        fi
+        run_skopeo --registries.d $REGISTRIES_D \
+                   copy --dest-tls-verify=false \
+                   $sign_opt \
+                   dir:$TESTDIR/busybox \
+                   docker://localhost:5000$path
+    done <<END_PUSH
+/myns/alice:signed        alice    # Properly-signed image
+/myns/alice:unsigned      -        # Unsigned image to path that requires signature
+/myns/bob:signedbyalice   alice    # Bad signature: image under /bob
+/myns/carol:latest        -        # No signature
+/open/forall:latest       -        # No signature, but none needed
+END_PUSH
+
+    # Done pushing. Now try to fetch. From here on we use the --policy option.
+    # The table below lists the paths to fetch, and the expected errors (or
+    # none, if we expect them to pass).
+    while read path expected_error; do
+        expected_rc=
+        if [[ -n $expected_error ]]; then
+            expected_rc=1
+        fi
+
+        rm -rf $TESTDIR/d
+        run_skopeo $expected_rc \
+                   --registries.d $REGISTRIES_D \
+                   --policy $POLICY_JSON \
+                   copy --src-tls-verify=false \
+                   docker://localhost:5000$path \
+                   dir:$TESTDIR/d
+        if [[ -n $expected_error ]]; then
+            expect_output --substring "Source image rejected: $expected_error"
+        fi
+    done <<END_TESTS
+/myns/alice:signed
+/myns/bob:signedbyalice    Invalid GPG signature
+/myns/alice:unsigned       Signature for identity localhost:5000/myns/alice:signed is not accepted
+/myns/carol:latest         Running image docker://localhost:5000/myns/carol:latest is rejected by policy.
+/open/forall:latest
+END_TESTS
+}
+
+teardown() {
+    podman rm -f reg
+
+    standard_teardown
+}
+
+# vim: filetype=sh
diff --git a/systemtest/helpers.bash b/systemtest/helpers.bash
new file mode 100644
index 00000000..e15342fb
--- /dev/null
+++ b/systemtest/helpers.bash
@@ -0,0 +1,332 @@
+#!/bin/bash
+
+SKOPEO_BINARY=${SKOPEO_BINARY:-$(dirname ${BASH_SOURCE})/../skopeo}
+
+# Default timeout for a skopeo command.
+SKOPEO_TIMEOUT=${SKOPEO_TIMEOUT:-300}
+
+###############################################################################
+# BEGIN setup/teardown
+
+# Provide common setup and teardown functions, but do not name them such!
+# That way individual tests can override with their own setup/teardown,
+# while retaining the ability to include these if they so desire.
+
+function standard_setup() {
+    # Argh. Although BATS provides $BATS_TMPDIR, it's just /tmp!
+    # That's bloody worthless. Let's make our own, in which subtests
+    # can write whatever they like and trust that it'll be deleted
+    # on cleanup.
+    TESTDIR=$(mktemp -d --tmpdir=${BATS_TMPDIR:-/tmp} skopeo_bats.XXXXXX)
+}
+
+function standard_teardown() {
+    if [[ -n $TESTDIR ]]; then
+        rm -rf $TESTDIR
+    fi
+}
+
+# Individual .bats files may override or extend these
+function setup() {
+    standard_setup
+}
+
+function teardown() {
+    standard_teardown
+}
+
+# END   setup/teardown
+###############################################################################
+# BEGIN standard helpers for running skopeo and testing results
+
+#################
+#  run_skopeo  #  Invoke skopeo, with timeout, using BATS 'run'
+#################
+#
+# This is the preferred mechanism for invoking skopeo:
+#
+#  * we use 'timeout' to abort (with a diagnostic) if something
+#    takes too long; this is preferable to a CI hang.
+#  * we log the command run and its output. This doesn't normally
+#    appear in BATS output, but it will if there's an error.
+#  * we check exit status. Since the normal desired code is 0,
+#    that's the default; but the first argument can override:
+#
+#     run_skopeo 125  nonexistent-subcommand
+#     run_skopeo '?'  some-other-command       # let our caller check status
+#
+# Since we use the BATS 'run' mechanism, $output and $status will be
+# defined for our caller.
+#
+function run_skopeo() {
+    # Number as first argument = expected exit code; default 0
+    expected_rc=0
+    case "$1" in
+        [0-9])           expected_rc=$1; shift;;
+        [1-9][0-9])      expected_rc=$1; shift;;
+        [12][0-9][0-9])  expected_rc=$1; shift;;
+        '?')             expected_rc=  ; shift;;  # ignore exit code
+    esac
+
+    # Remember command args, for possible use in later diagnostic messages
+    MOST_RECENT_SKOPEO_COMMAND="skopeo $*"
+
+    # stdout is only emitted upon error; this echo is to help a debugger
+    echo "\$ $SKOPEO_BINARY $*"
+    run timeout --foreground --kill=10 $SKOPEO_TIMEOUT ${SKOPEO_BINARY} "$@"
+    # without "quotes", multiple lines are glommed together into one
+    if [ -n "$output" ]; then
+        echo "$output"
+    fi
+    if [ "$status" -ne 0 ]; then
+        echo -n "[ rc=$status ";
+        if [ -n "$expected_rc" ]; then
+            if [ "$status" -eq "$expected_rc" ]; then
+                echo -n "(expected) ";
+            else
+                echo -n "(** EXPECTED $expected_rc **) ";
+            fi
+        fi
+        echo "]"
+    fi
+
+    if [ "$status" -eq 124 -o "$status" -eq 137 ]; then
+        # FIXME: 'timeout -v' requires coreutils-8.29; travis seems to have
+        #        an older version. If/when travis updates, please add -v
+        #        to the 'timeout' command above, and un-comment this out:
+        # if expr "$output" : ".*timeout: sending" >/dev/null; then
+        echo "*** TIMED OUT ***"
+        false
+    fi
+
+    if [ -n "$expected_rc" ]; then
+        if [ "$status" -ne "$expected_rc" ]; then
+            die "exit code is $status; expected $expected_rc"
+        fi
+    fi
+}
+
+#########
+#  die  #  Abort with helpful message
+#########
+function die() {
+    echo "#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv"  >&2
+    echo "#| FAIL: $*"                                           >&2
+    echo "#\\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^" >&2
+    false
+}
+
+###################
+#  expect_output  #  Compare actual vs expected string; fail if mismatch
+###################
+#
+# Compares $output against the given string argument. Optional second
+# argument is descriptive text to show as the error message (default:
+# the command most recently run by 'run_skopeo'). This text can be
+# useful to isolate a failure when there are multiple identical
+# run_skopeo invocations, and the difference is solely in the
+# config or setup; see, e.g., run.bats:run-cmd().
+#
+# By default we run an exact string comparison; use --substring to
+# look for the given string anywhere in $output.
+#
+# By default we look in "$output", which is set in run_skopeo().
+# To override, use --from="some-other-string" (e.g. "${lines[0]}")
+#
+# Examples:
+#
+#   expect_output "this is exactly what we expect"
+#   expect_output "foo=bar"  "description of this particular test"
+#   expect_output --from="${lines[0]}"  "expected first line"
+#
+function expect_output() {
+    # By default we examine $output, the result of run_skopeo
+    local actual="$output"
+    local check_substring=
+
+    # option processing: recognize --from="...", --substring
+    local opt
+    for opt; do
+        local value=$(expr "$opt" : '[^=]*=\(.*\)')
+        case "$opt" in
+            --from=*)       actual="$value";   shift;;
+            --substring)    check_substring=1; shift;;
+            --)             shift; break;;
+            -*)             die "Invalid option '$opt'" ;;
+            *)              break;;
+        esac
+    done
+
+    local expect="$1"
+    local testname="${2:-${MOST_RECENT_SKOPEO_COMMAND:-[no test name given]}}"
+
+    if [ -z "$expect" ]; then
+        if [ -z "$actual" ]; then
+            return
+        fi
+        expect='[no output]'
+    elif [ "$actual" = "$expect" ]; then
+	return
+    elif [ -n "$check_substring" ]; then
+        if [[ "$actual" =~ $expect ]]; then
+            return
+        fi
+    fi
+
+    # This is a multi-line message, which may in turn contain multi-line
+    # output, so let's format it ourself, readably
+    local -a actual_split
+    readarray -t actual_split <<<"$actual"
+    printf "#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv\n" >&2
+    printf "#|     FAIL: $testname\n"                          >&2
+    printf "#| expected: '%s'\n" "$expect"                     >&2
+    printf "#|   actual: '%s'\n" "${actual_split[0]}"          >&2
+    local line
+    for line in "${actual_split[@]:1}"; do
+        printf "#|         > '%s'\n" "$line"                   >&2
+    done
+    printf "#\\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n" >&2
+    false
+}
+
+#######################
+#  expect_line_count  #  Check the expected number of output lines
+#######################
+#
+# ...from the most recent run_skopeo command
+#
+function expect_line_count() {
+    local expect="$1"
+    local testname="${2:-${MOST_RECENT_SKOPEO_COMMAND:-[no test name given]}}"
+
+    local actual="${#lines[@]}"
+    if [ "$actual" -eq "$expect" ]; then
+        return
+    fi
+
+    printf "#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv\n"          >&2
+    printf "#| FAIL: $testname\n"                                       >&2
+    printf "#| Expected %d lines of output, got %d\n" $expect $actual   >&2
+    printf "#| Output was:\n"                                           >&2
+    local line
+    for line in "${lines[@]}"; do
+        printf "#| >%s\n" "$line"                                       >&2
+    done
+    printf "#\\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n"         >&2
+    false
+}
+
+# END   standard helpers for running skopeo and testing results
+###############################################################################
+# BEGIN helpers for starting/stopping registries
+
+####################
+#  start_registry  #  Run a local registry container
+####################
+#
+# Usage:  start_registry [OPTIONS] NAME
+#
+#   OPTIONS
+#       --port=NNNN         Port to listen on (default: 5000)
+#       --testuser=XXX      Require authentication; this is the username
+#       --testpassword=XXX  ...and the password (these two go together)
+#       --with-cert         Create a cert for running with TLS (not working)
+#
+#   NAME is the container name to assign.
+#
+start_registry() {
+    local port=5000
+    local testuser=
+    local testpassword=
+    local create_cert=
+
+    # option processing: recognize options for running the registry
+    # in different modes.
+    local opt
+    for opt; do
+        local value=$(expr "$opt" : '[^=]*=\(.*\)')
+        case "$opt" in
+            --port=*)           port="$value";          shift;;
+            --testuser=*)       testuser="$value";      shift;;
+            --testpassword=*)   testpassword="$value";  shift;;
+            --with-cert)        create_cert=1;          shift;;
+            -*)                 die "Invalid option '$opt'" ;;
+            *)                  break;;
+        esac
+    done
+
+    local name=${1?start_registry() invoked without a NAME}
+
+    # Temp directory must be defined and must exist
+    [[ -n $TESTDIR && -d $TESTDIR ]]
+
+    AUTHDIR=$TESTDIR/auth
+    mkdir -p $AUTHDIR
+
+    local -a reg_args=(-v $AUTHDIR:/auth:Z -p $port:5000)
+
+    # cgroup option necessary under podman-in-podman (CI tests),
+    # and doesn't seem to do any harm otherwise.
+    PODMAN="podman --cgroup-manager=cgroupfs"
+
+    # Called with --testuser? Create an htpasswd file
+    if [[ -n $testuser ]]; then
+        if [[ -z $testpassword ]]; then
+            die "start_registry() invoked with testuser but no testpassword"
+        fi
+
+        if ! egrep -q "^$testuser:" $AUTHDIR/htpasswd; then
+            $PODMAN run --rm --entrypoint htpasswd registry:2 \
+                   -Bbn $testuser $testpassword >> $AUTHDIR/htpasswd
+        fi
+
+        reg_args+=(
+            -e REGISTRY_AUTH=htpasswd
+            -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd
+            -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm"
+        )
+    fi
+
+    # Called with --with-cert? Create certificates.
+    if [[ -n $create_cert ]]; then
+        CERT=$AUTHDIR/domain.crt
+        if [ ! -e $CERT ]; then
+            openssl req -newkey rsa:4096 -nodes -sha256 \
+                    -keyout $AUTHDIR/domain.key -x509 -days 2 \
+                    -out $CERT \
+                    -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=localhost"
+        fi
+
+        reg_args+=(
+            -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt
+            -e REGISTRY_HTTP_TLS_KEY=/auth/domain.key
+        )
+
+        # Copy .crt file to a directory *without* the .key one, so we can
+        # test the client. (If client sees a matching .key file, it fails)
+        # Thanks to Miloslav Trmac for this hint.
+        mkdir -p $TESTDIR/client-auth
+        cp $CERT $TESTDIR/client-auth/
+    fi
+
+    $PODMAN run -d --name $name "${reg_args[@]}" registry:2
+}
+
+# END   helpers for starting/stopping registries
+###############################################################################
+# BEGIN miscellaneous tools
+
+###################
+#  random_string  #  Returns a pseudorandom human-readable string
+###################
+#
+# Numeric argument, if present, is desired length of string
+#
+function random_string() {
+    local length=${1:-10}
+
+    head /dev/urandom | tr -dc a-zA-Z0-9 | head -c$length
+}
+
+# END   miscellaneous tools
+###############################################################################
diff --git a/systemtest/run-tests b/systemtest/run-tests
new file mode 100755
index 00000000..21763494
--- /dev/null
+++ b/systemtest/run-tests
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# run-tests - simple wrapper allowing shortcuts on invocation
+#
+
+TEST_DIR=$(dirname $0)
+TESTS=$TEST_DIR
+
+for i; do
+    case "$i" in
+        *.bats)    TESTS=$i ;;
+        *)         TESTS=$(echo $TEST_DIR/*$i*.bats) ;;
+    esac
+done
+
+bats $TESTS