diff --git a/cmd/skopeo/copy.go b/cmd/skopeo/copy.go
index 14e3577a..e2104826 100644
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -80,6 +80,12 @@ func copyHandler(context *cli.Context) error {
 return errors.New("Usage: copy source destination")
 }
+ policyContext, err := getPolicyContext(context)
+ if err != nil {
+ return fmt.Errorf("Error loading verification policy: %v", err)
+ }
+ defer policyContext.Destroy()
+
 dest, err := parseImageDestination(context, context.Args()[1])
 if err != nil {
 return fmt.Errorf("Error initializing %s: %v", context.Args()[1], err)
@@ -93,11 +99,21 @@ func copyHandler(context *cli.Context) error {
 signBy := context.String("sign-by")
+ // Please keep this policy check BEFORE reading any other information about the image.
+ if allowed, err := policyContext.IsRunningImageAllowed(src); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
+ return fmt.Errorf("Source image rejected: %v", err)
+ }
+
 manifest, _, err := src.Manifest()
 if err != nil {
 return fmt.Errorf("Error reading manifest: %v", err)
 }
+ sigs, err := src.Signatures()
+ if err != nil {
+ return fmt.Errorf("Error reading signatures: %v", err)
+ }
+
 blobDigests, err := src.BlobDigests()
 if err != nil {
 return fmt.Errorf("Error parsing manifest: %v", err)
@@ -128,11 +144,6 @@ func copyHandler(context *cli.Context) error {
 }
 }
- sigs, err := src.Signatures()
- if err != nil {
- return fmt.Errorf("Error reading signatures: %v", err)
- }
-
 if signBy != "" {
 mech, err := signature.NewGPGSigningMechanism()
 if err != nil {
diff --git a/docs/skopeo.1.md b/docs/skopeo.1.md
index 957f4211..a761f2cb 100644
--- a/docs/skopeo.1.md
+++ b/docs/skopeo.1.md
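Review bot: When `IsRunningImageAllowed` returns `allowed == false` together with a nil error, the guard added in the second hunk formats that nil with `%v`, so the user sees `Source image rejected: <nil>` and no reason for the refusal. Keep the fail-closed combined condition and add `if err == nil { return errors.New("Source image rejected by policy") }` as the first statement inside the block; the file already uses `errors.New`. Separately, the manifest and signatures that are copied come from the later `src.Manifest()` and `src.Signatures()` calls, and whether those return the same bytes the policy evaluated depends on how `src` caches them, which is not visible here and is worth confirming. copyHandler begins and ends outside the hunk.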
@@ -59,6 +59,8 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
 Copy an image (manifest, filesystem layers, signatures) from one location to another.
+Uses the system's signature verification policy to validate images, refuses to copy images rejected by the policy.
+
 _source-image_ use the "image name" format described above
 _destination-image_ use the "image name" format described above