Release v1.9.1

- Bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 - Bump github.com/containers/storage from 1.41.0 to 1.42.0 - Update to github.com/containers/image/v5 v5.22.0 - Update to github.com/containers/common v0.49.0 - Stop using deprecated names from c/common/pkg/retry Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Merge pull request #1712 from mtrmac/release
2026-01-30 22:08:44 +00:00 · 2022-07-25 21:14:44 +02:00 · 2022-07-25 21:13:40 +02:00 · 2022-07-25 18:16:13 +02:00 · 2022-07-25 18:13:11 +02:00 · 2022-07-25 18:05:03 +02:00
1411 changed files with 104184 additions and 40114 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -23,26 +23,23 @@ env:
    ####
    #### Cache-image names to test with (double-quotes around names are critical)
    ####
-    FEDORA_NAME: "fedora-34"
-    PRIOR_FEDORA_NAME: "fedora-33"
-    UBUNTU_NAME: "ubuntu-2104"
-    PRIOR_UBUNTU_NAME: "ubuntu-2010"
+    FEDORA_NAME: "fedora-36"
+    PRIOR_FEDORA_NAME: "fedora-35"
+    UBUNTU_NAME: "ubuntu-2204"

    # Google-cloud VM Images
-    IMAGE_SUFFIX: "c6248193773010944"
+    IMAGE_SUFFIX: "c6340043416535040"
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
    UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"
-    PRIOR_UBUNTU_CACHE_IMAGE_NAME: "prior-ubuntu-${IMAGE_SUFFIX}"

    # Container FQIN's
    FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
    PRIOR_FEDORA_CONTAINER_FQIN: "quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}"
    UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX}"
-    PRIOR_UBUNTU_CONTAINER_FQIN: "quay.io/libpod/prior-ubuntu_podman:${IMAGE_SUFFIX}"

-    # Equivilent to image produced by 'make build-container'
-    SKOPEO_CI_CONTAINER_FQIN: "quay.io/skopeo/ci:${DEST_BRANCH}"
+    # Built along with the standard PR-based workflow in c/automation_images
+    SKOPEO_CIDEV_CONTAINER_FQIN: "quay.io/libpod/skopeo_cidev:${IMAGE_SUFFIX}"


 # Default timeout for each task
@@ -56,9 +53,9 @@ validate_task:
    # The git-validation tool doesn't work well on branch or tag push,
    # under Cirrus-CI, due to challenges obtaining the starting commit ID.
    # Only do validation for PRs.
-    only_if: $CIRRUS_PR != ''
-    container:  &build_container
-        image: "${SKOPEO_CI_CONTAINER_FQIN}"
+    only_if: &is_pr $CIRRUS_PR != ''
+    container:
+        image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
        cpu: 4
        memory: 8
    script: |
@@ -66,7 +63,7 @@ validate_task:
        make vendor && hack/tree_status.sh

 doccheck_task:
-    only_if: $CIRRUS_PR != ''
+    only_if: *is_pr
    depends_on:
      - validate
    container:
@@ -84,7 +81,10 @@ doccheck_task:
      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck

 osx_task:
-    only_if: &not_docs $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    # Run for regular PRs and those with [CI:BUILD] but not [CI:DOCS]
+    only_if: &not_docs_multiarch >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+        $CIRRUS_CRON != 'multiarch'
    depends_on:
        - validate
    macos_instance:
@@ -93,7 +93,7 @@ osx_task:
        export PATH=$GOPATH/bin:$PATH
        brew update
        brew install gpgme go go-md2man
-        go get -u golang.org/x/lint/golint
+        go install golang.org/x/lint/golint@latest
    test_script: |
        export PATH=$GOPATH/bin:$PATH
        go version
@@ -105,10 +105,10 @@ osx_task:

 cross_task:
    alias: cross
-    only_if: *not_docs
+    only_if: *not_docs_multiarch
    depends_on:
        - validate
-    gce_instance:
+    gce_instance: &standardvm
        image_project: libpod-218412
        zone: "us-central1-f"
        cpu: 2
@@ -132,7 +132,11 @@ cross_task:
 #####
 test_skopeo_task:
    alias: test_skopeo
-    only_if: *not_docs
+    # Don't test for [CI:DOCS], [CI:BUILD], or 'multiarch' cron.
+    only_if: >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+        $CIRRUS_CRON != 'multiarch'
    depends_on:
        - validate
    gce_instance:
@@ -145,7 +149,7 @@ test_skopeo_task:
        disk: 200
        image_name: ${FEDORA_CACHE_IMAGE_NAME}
    matrix:
-        - name: "Skopeo Test"
+        - name: "Skopeo Test"  # N/B: Name ref. by hack/get_fqin.sh
          env:
              BUILDTAGS: 'btrfs_noversion libdm_no_deferred_remove'
        - name: "Skopeo Test w/ opengpg"
@@ -165,6 +169,49 @@ test_skopeo_task:
        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" system


+image_build_task: &image-build
+    name: "Build multi-arch $CTXDIR"
+    alias: image_build
+    # Some of these container images take > 1h to build, limit
+    # this task to a specific Cirrus-Cron entry with this name.
+    only_if: $CIRRUS_CRON == 'multiarch'
+    timeout_in: 120m  # emulation is sssllllooooowwww
+    gce_instance:
+        <<: *standardvm
+        image_name: build-push-${IMAGE_SUFFIX}
+        # More muscle required for parallel multi-arch build
+        type: "n2-standard-4"
+    matrix:
+        - env:
+            CTXDIR: contrib/skopeoimage/upstream
+        - env:
+            CTXDIR: contrib/skopeoimage/testing
+        - env:
+            CTXDIR: contrib/skopeoimage/stable
+    env:
+        SKOPEO_USERNAME: ENCRYPTED[4195884d23b154553f2ddb26a63fc9fbca50ba77b3e447e4da685d8639ed9bc94b9a86a9c77272c8c80d32ead9ca48da]
+        SKOPEO_PASSWORD: ENCRYPTED[36e06f9befd17e5da2d60260edb9ef0d40e6312e2bba4cf881d383f1b8b5a18c8e5a553aea2fdebf39cebc6bd3b3f9de]
+        CONTAINERS_USERNAME: ENCRYPTED[dd722c734641f103b394a3a834d51ca5415347e378637cf98ee1f99e64aad2ec3dbd4664c0d94cb0e06b83d89e9bbe91]
+        CONTAINERS_PASSWORD: ENCRYPTED[d8b0fac87fe251cedd26c864ba800480f9e0570440b9eb264265b67411b253a626fb69d519e188e6c9a7f525860ddb26]
+    main_script:
+        - source /etc/automation_environment
+        - main.sh $CIRRUS_REPO_CLONE_URL $CTXDIR
+
+
+test_image_build_task:
+    <<: *image-build
+    alias: test_image_build
+    # Allow this to run inside a PR w/ [CI:BUILD] only.
+    only_if: $CIRRUS_PR != '' && $CIRRUS_CHANGE_TITLE =~ '.*CI:BUILD.*'
+    # This takes a LONG time, only run when requested.  N/B: Any task
+    # made to depend on this one will block FOREVER unless triggered.
+    # DO NOT ADD THIS TASK AS DEPENDENCY FOR `success_task`.
+    trigger_type: manual
+    # Overwrite all 'env', don't push anything, just do the build.
+    env:
+        DRYRUN: 1
+
+
 # This task is critical.  It updates the "last-used by" timestamp stored
 # in metadata for all VM images.  This mechanism functions in tandem with
 # an out-of-band pruning operation to remove disused VM images.
@@ -181,7 +228,6 @@ meta_task:
            ${FEDORA_CACHE_IMAGE_NAME}
            ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
            ${UBUNTU_CACHE_IMAGE_NAME}
-            ${PRIOR_UBUNTU_CACHE_IMAGE_NAME}
        BUILDID: "${CIRRUS_BUILD_ID}"
        REPOREF: "${CIRRUS_REPO_NAME}"
        GCPJSON: ENCRYPTED[6867b5a83e960e7c159a98fe6c8360064567a071c6f4b5e7d532283ecd870aa65c94ccd74bdaa9bf7aadac9d42e20a67]
@@ -204,6 +250,7 @@ success_task:
        - osx
        - cross
        - test_skopeo
+        - image_build
        - meta
    container: *smallcontainer
    env:
--- a/.github/workflows/check_cirrus_cron.yml
+++ b/.github/workflows/check_cirrus_cron.yml
@@ -0,0 +1,105 @@
+---
+
+# See also:
+# https://github.com/containers/podman/blob/main/.github/workflows/check_cirrus_cron.yml
+
+# Format Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
+
+# Required to un-FUBAR default ${{github.workflow}} value
+name: check_cirrus_cron
+
+on:
+    # Note: This only applies to the default branch.
+    schedule:
+        # N/B: This should correspond to a period slightly after
+        # the last job finishes running.  See job defs. at:
+        # https://cirrus-ci.com/settings/repository/6706677464432640
+        - cron:  '59 23 * * 1-5'
+    # Debug: Allow triggering job manually in github-actions WebUI
+    workflow_dispatch: {}
+
+permissions:
+    contents: read
+
+env:
+    # Debug-mode can reveal secrets, only enable by a secret value.
+    # Ref: https://help.github.com/en/actions/configuring-and-managing-workflows/managing-a-workflow-run#enabling-step-debug-logging
+    ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'
+    # CSV listing of e-mail addresses for delivery failure or error notices
+    RCPTCSV: rh.container.bot@gmail.com,podman-monitor@lists.podman.io
+    # Filename for table of cron-name to build-id data
+    # (must be in $GITHUB_WORKSPACE/artifacts/)
+    NAME_ID_FILEPATH: './artifacts/name_id.txt'
+
+jobs:
+    cron_failures:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+              with:
+                  persist-credentials: false
+
+            # Avoid duplicating cron_failures.sh in skopeo repo.
+            - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+              with:
+                  repository: containers/podman
+                  path: '_podman'
+                  persist-credentials: false
+
+            - name: Get failed cron names and Build IDs
+              id: cron
+              run: './_podman/.github/actions/${{ github.workflow }}/${{ github.job }}.sh'
+
+            - if: steps.cron.outputs.failures > 0
+              shell: bash
+              # Must be inline, since context expressions are used.
+              # Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions
+              run: |
+                set -eo pipefail
+                (
+                echo "Detected one or more Cirrus-CI cron-triggered jobs have failed recently:"
+                echo ""
+
+                while read -r NAME BID; do
+                    echo "Cron build '$NAME' Failed: https://cirrus-ci.com/build/$BID"
+                done < "$NAME_ID_FILEPATH"
+
+                echo ""
+                echo "# Source: ${{ github.workflow }} workflow on ${{ github.repository }}."
+                # Separate content from sendgrid.com automatic footer.
+                echo ""
+                echo ""
+                ) > ./artifacts/email_body.txt
+
+            - if: steps.cron.outputs.failures > 0
+              name: Send failure notification e-mail
+              # Ref: https://github.com/dawidd6/action-send-mail
+              uses: dawidd6/action-send-mail@a80d851dc950256421f1d1d735a2dc1ef314ac8f # v2.2.2
+              with:
+                server_address: ${{secrets.ACTION_MAIL_SERVER}}
+                server_port: 465
+                username: ${{secrets.ACTION_MAIL_USERNAME}}
+                password: ${{secrets.ACTION_MAIL_PASSWORD}}
+                subject: Cirrus-CI cron build failures on ${{github.repository}}
+                to: ${{env.RCPTCSV}}
+                from: ${{secrets.ACTION_MAIL_SENDER}}
+                body: file://./artifacts/email_body.txt
+
+            - if: always()
+              uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
+              with:
+                  name: ${{ github.job }}_artifacts
+                  path: artifacts/*
+
+            - if: failure()
+              name: Send error notification e-mail
+              uses: dawidd6/action-send-mail@a80d851dc950256421f1d1d735a2dc1ef314ac8f # v2.2.2
+              with:
+                server_address: ${{secrets.ACTION_MAIL_SERVER}}
+                server_port: 465
+                username: ${{secrets.ACTION_MAIL_USERNAME}}
+                password: ${{secrets.ACTION_MAIL_PASSWORD}}
+                subject: Github workflow error on ${{github.repository}}
+                to: ${{env.RCPTCSV}}
+                from: ${{secrets.ACTION_MAIL_SENDER}}
+                body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
--- a/.github/workflows/multi-arch-build.yaml
+++ b/.github/workflows/multi-arch-build.yaml
@@ -1,209 +0,0 @@
---
-
-# Please see contrib/<reponame>image/README.md for details on the intentions
-# of this workflow.
-#
-# BIG FAT WARNING:  This workflow is duplicated across containers/skopeo,
-#                   containers/buildah, and containers/podman.  ANY AND
-#                   ALL CHANGES MADE HERE MUST BE MANUALLY DUPLICATED
-#                   TO THE OTHER REPOS.
-
-name: build multi-arch images
-
-on:
-  # Upstream tends to be very active, with many merges per day.
-  # Only run this daily via cron schedule, or manually, not by branch push.
-  schedule:
-    - cron:  '0 8 * * *'
-  # allows to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  multi:
-    name: multi-arch image build
-    env:
-      REPONAME: skopeo  # No easy way to parse this out of $GITHUB_REPOSITORY
-      # Server/namespace value used to format FQIN
-      REPONAME_QUAY_REGISTRY: quay.io/skopeo
-      CONTAINERS_QUAY_REGISTRY: quay.io/containers
-      # list of architectures for build
-      PLATFORMS: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
-      # Command to execute in container to obtain project version number
-      VERSION_CMD: "--version"  # skopeo is the entrypoint
-
-    # build several images (upstream, testing, stable) in parallel
-    strategy:
-      # By default, failure of one matrix item cancels all others
-      fail-fast: false
-      matrix:
-        # Builds are located under contrib/<reponame>image/<source> directory
-        source:
-          - upstream
-          - testing
-          - stable
-    runs-on: ubuntu-latest
-    # internal registry caches build for inspection before push
-    services:
-      registry:
-        image: quay.io/libpod/registry:2
-        ports:
-          - 5000:5000
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: network=host
-          install: true
-
-      - name: Build and locally push image
-        uses: docker/build-push-action@v2
-        with:
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-
-      # Simple verification that stable images work, and
-      # also grab version number use in forming the FQIN.
-      - name: amd64 container sniff test
-        if: matrix.source == 'stable'
-        id: sniff_test
-        run: |
-          podman pull --tls-verify=false \
-                            localhost:5000/$REPONAME/${{ matrix.source }}
-          VERSION_OUTPUT=$(podman run \
-                           localhost:5000/$REPONAME/${{ matrix.source }} \
-                           $VERSION_CMD)
-          echo "$VERSION_OUTPUT"
-          VERSION=$(awk -r -e "/^${REPONAME} version /"'{print $3}' <<<"$VERSION_OUTPUT")
-          test -n "$VERSION"
-          echo "::set-output name=version::$VERSION"
-
-      - name: Generate image FQIN(s) to push
-        id: reponame_reg
-        run: |
-          if [[ "${{ matrix.source }}" == 'stable' ]]; then
-            # The command version in image just built
-            VERSION='v${{ steps.sniff_test.outputs.version }}'
-            # workaround vim syntax-highlight bug: '
-            # Push both new|updated version-tag and latest-tag FQINs
-            FQIN="$REPONAME_QUAY_REGISTRY/stable:$VERSION,$REPONAME_QUAY_REGISTRY/stable:latest"
-          elif [[ "${{ matrix.source }}" == 'testing' ]]; then
-            # Assume some contents changed, always push latest testing.
-            FQIN="$REPONAME_QUAY_REGISTRY/testing:latest"
-          elif [[ "${{ matrix.source }}" == 'upstream' ]]; then
-            # Assume some contents changed, always push latest upstream.
-            FQIN="$REPONAME_QUAY_REGISTRY/upstream:latest"
-          else
-            echo "::error::Unknown matrix item '${{ matrix.source }}'"
-            exit 1
-          fi
-          echo "::warning::Pushing $FQIN"
-          echo "::set-output name=fqin::${FQIN}"
-          echo '::set-output name=push::true'
-
-      # This is substantially similar to the above logic,
-      # but only handles $CONTAINERS_QUAY_REGISTRY for
-      # the stable "latest" and named-version tagged images.
-      - name: Generate containers reg. image FQIN(s)
-        if: matrix.source == 'stable'
-        id: containers_reg
-        run: |
-          VERSION='v${{ steps.sniff_test.outputs.version }}'
-          # workaround vim syntax-highlight bug: '
-          # Push both new|updated version-tag and latest-tag FQINs
-          FQIN="$CONTAINERS_QUAY_REGISTRY/$REPONAME:$VERSION,$CONTAINERS_QUAY_REGISTRY/$REPONAME:latest"
-          echo "::warning::Pushing $FQIN"
-          echo "::set-output name=fqin::${FQIN}"
-          echo '::set-output name=push::true'
-
-      - name: Define LABELS multi-line env. var. value
-        run: |
-          # This is a really hacky/strange workflow idiom, required
-          # for setting multi-line $LABELS value for consumption in
-          # a future step.  There is literally no cleaner way to do this :<
-          # https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings
-          function set_labels() {
-            echo 'LABELS<<DELIMITER' >> "$GITHUB_ENV"
-            for line; do
-                echo "$line" | tee -a "$GITHUB_ENV"
-            done
-            echo "DELIMITER" >> "$GITHUB_ENV"
-          }
-
-          declare -a lines
-          lines=(\
-            "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git"
-            "org.opencontainers.image.revision=${GITHUB_SHA}"
-            "org.opencontainers.image.created=$(date -u --iso-8601=seconds)"
-          )
-
-          # Only the 'stable' matrix source obtains $VERSION
-          if [[ "${{ matrix.source }}" == "stable" ]]; then
-            lines+=(\
-              "org.opencontainers.image.version=${{ steps.sniff_test.outputs.version }}"
-            )
-          fi
-
-          set_labels "${lines[@]}"
-
-      # Separate steps to login and push for $REPONAME_QUAY_REGISTRY and
-      # $CONTAINERS_QUAY_REGISTRY are required, because 2 sets of credentials
-      # are used and namespaced within the registry.  At the same time, reuse
-      # of non-shell steps is not supported by Github Actions nor are YAML
-      # anchors/aliases, nor composite actions.
-
-      # Push to $REPONAME_QUAY_REGISTRY for stable, testing. and upstream
-      - name: Login to ${{ env.REPONAME_QUAY_REGISTRY }}
-        uses: docker/login-action@v1
-        if: steps.reponame_reg.outputs.push == 'true'
-        with:
-          registry: ${{ env.REPONAME_QUAY_REGISTRY }}
-          # N/B: Secrets are not passed to workflows that are triggered
-          #      by a pull request from a fork
-          username: ${{ secrets.REPONAME_QUAY_USERNAME }}
-          password: ${{ secrets.REPONAME_QUAY_PASSWORD }}
-
-      - name: Push images to ${{ steps.reponame_reg.outputs.fqin }}
-        uses: docker/build-push-action@v2
-        if: steps.reponame_reg.outputs.push == 'true'
-        with:
-          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-          cache-to: type=inline
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: ${{ steps.reponame_reg.outputs.fqin }}
-          labels: |
-            ${{ env.LABELS }}
-
-      # Push to $CONTAINERS_QUAY_REGISTRY only stable
-      - name: Login to ${{ env.CONTAINERS_QUAY_REGISTRY }}
-        if: steps.containers_reg.outputs.push == 'true'
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ env.CONTAINERS_QUAY_REGISTRY}}
-          username: ${{ secrets.CONTAINERS_QUAY_USERNAME }}
-          password: ${{ secrets.CONTAINERS_QUAY_PASSWORD }}
-
-      - name: Push images to ${{ steps.containers_reg.outputs.fqin }}
-        if: steps.containers_reg.outputs.push == 'true'
-        uses: docker/build-push-action@v2
-        with:
-          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-          cache-to: type=inline
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: ${{ steps.containers_reg.outputs.fqin }}
-          labels: |
-            ${{ env.LABELS }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,13 +7,17 @@ on:
  schedule:
  - cron: "0 0 * * *"

+permissions:
+  contents: read
+
 jobs:
  stale:
-
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest
-
    steps:
-    - uses: actions/stale@v1
+    - uses: actions/stale@98ed4cb500039dbcccf4bd9bedada4d0187f2757 # v3
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'A friendly reminder that this issue had no activity for 30 days.'
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,7 @@
 /layers-*
 /skopeo
 result
-
+/completions/
 # ignore JetBrains IDEs (GoLand) config folder
 .idea

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -149,7 +149,7 @@ When new PRs for [containers/image](https://github.com/containers/image) break `
 ## Communications

 For general questions, or discussions, please use the 
-IRC group on `irc.freenode.net` called `container-projects`
+IRC channel on `irc.libera.chat` called `#container-projects`
 that has been setup.

 For discussions around issues/bugs and features, you can use the github
--- a/56
+++ b/56
@@ -1,56 +0,0 @@
-FROM registry.fedoraproject.org/fedora:latest
-
-RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-md2man \
-	# storage deps
-	btrfs-progs-devel \
-	device-mapper-devel \
-	# gpgme bindings deps
-	libassuan-devel gpgme-devel \
-	gnupg \
-	# htpasswd for system tests
-	httpd-tools \
-	# OpenShift deps
-	which tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
-        bats jq podman runc \
-	golint \
-	openssl \
-	&& dnf clean all
-
-# Install two versions of the registry. The first is an older version that
-# only supports schema1 manifests. The second is a newer version that supports
-# both. This allows integration-cli tests to cover push/pull with both schema1
-# and schema2 manifests.
-RUN set -x \
-	&& export GO111MODULE=off \
-	&& REGISTRY_COMMIT_SCHEMA1=ec87e9b6971d831f0eff752ddb54fb64693e51cd \
-	&& REGISTRY_COMMIT=47a064d4195a9b56133891bbb13620c3ac83a827 \
-	&& export GOPATH="$(mktemp -d)" \
-	&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \
-	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \
-	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
-		go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \
-	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \
-	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
-		go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \
-	&& rm -rf "$GOPATH"
-
-RUN set -x \
-	&& export GO111MODULE=off \
-	&& export GOPATH=$(mktemp -d) \
-	&& git clone --depth 1 -b v1.5.0-alpha.3 git://github.com/openshift/origin "$GOPATH/src/github.com/openshift/origin" \
-	# The sed edits out a "go < 1.5" check which works incorrectly with go ≥ 1.10. \
-	&& sed -i -e 's/\[\[ "\${go_version\[2]}" < "go1.5" ]]/false/' "$GOPATH/src/github.com/openshift/origin/hack/common.sh" \
-	&& (cd "$GOPATH/src/github.com/openshift/origin" && make clean build && make all WHAT=cmd/dockerregistry) \
-	&& cp -a "$GOPATH/src/github.com/openshift/origin/_output/local/bin/linux"/*/* /usr/local/bin \
-	&& cp "$GOPATH/src/github.com/openshift/origin/images/dockerregistry/config.yml" /atomic-registry-config.yml \
-	&& rm -rf "$GOPATH" \
-	&& mkdir /registry
-
-ENV GOPATH /usr/share/gocode:/go
-ENV PATH $GOPATH/bin:/usr/share/gocode/bin:$PATH
-ENV container_magic 85531765-346b-4316-bdb8-358e4cca9e5d
-RUN go version
-WORKDIR /go/src/github.com/containers/skopeo
-COPY . /go/src/github.com/containers/skopeo
-
-#ENTRYPOINT ["hack/dind"]
--- a/Dockerfile.build
+++ b/Dockerfile.build
@@ -1,12 +0,0 @@
-FROM registry.fedoraproject.org/fedora:33
-
-RUN dnf update -y && \
-        dnf install -y \
-        btrfs-progs-devel \
-        device-mapper-devel \
-        golang \
-        gpgme-devel \
-        make
-
-ENV GOPATH=/
-WORKDIR /src/github.com/containers/skopeo
--- a/178
+++ b/178
@@ -1,24 +1,23 @@
-.PHONY: all binary build-container docs docs-in-container build-local clean install install-binary install-completions shell test-integration .install.vndr vendor vendor-in-container
+.PHONY: all binary docs docs-in-container build-local clean install install-binary install-completions shell test-integration .install.vndr vendor vendor-in-container

 export GOPROXY=https://proxy.golang.org

-# On some plaforms (eg. macOS, FreeBSD) gpgme is installed in /usr/local/ but /usr/local/include/ is
-# not in the default search path. Rather than hard-code this directory, use gpgme-config.
-# Sadly that must be done at the top-level user instead of locally in the gpgme subpackage, because cgo
-# supports only pkg-config, not general shell scripts, and gpgme does not install a pkg-config file.
-# If gpgme is not installed or gpgme-config can’t be found for other reasons, the error is silently ignored
-# (and the user will probably find out because the cgo compilation will fail).
-GPGME_ENV := CGO_CFLAGS="$(shell gpgme-config --cflags 2>/dev/null)" CGO_LDFLAGS="$(shell gpgme-config --libs 2>/dev/null)"
-
 # The following variables very roughly follow https://www.gnu.org/prep/standards/standards.html#Makefile-Conventions .
 DESTDIR ?=
 PREFIX ?= /usr/local
+ifeq ($(shell uname -s),FreeBSD)
+CONTAINERSCONFDIR ?= /usr/local/etc/containers
+else
 CONTAINERSCONFDIR ?= /etc/containers
+endif
 REGISTRIESDDIR ?= ${CONTAINERSCONFDIR}/registries.d
-SIGSTOREDIR ?= /var/lib/containers/sigstore
+LOOKASIDEDIR ?= /var/lib/containers/sigstore
 BINDIR ?= ${PREFIX}/bin
 MANDIR ?= ${PREFIX}/share/man
-BASHCOMPLETIONSDIR ?= ${PREFIX}/share/bash-completion/completions
+
+BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
+ZSHINSTALLDIR=${PREFIX}/share/zsh/site-functions
+FISHINSTALLDIR=${PREFIX}/share/fish/vendor_completions.d

 GO ?= go
 GOBIN := $(shell $(GO) env GOBIN)
@@ -29,12 +28,10 @@ ifeq ($(GOBIN),)
 GOBIN := $(GOPATH)/bin
 endif

-# Required for integration-tests to detect they are running inside a specific
-# container image.  Env. var defined in image, make does not automatically
-# pass to children unless explicitly exported
-export container_magic
-CONTAINER_RUNTIME := $(shell command -v podman 2> /dev/null || echo docker)
-GOMD2MAN ?= $(shell command -v go-md2man || echo '$(GOBIN)/go-md2man')
+# Multiple scripts are sensitive to this value, make sure it's exported/available
+# N/B: Need to use 'command -v' here for compatibility with MacOS.
+export CONTAINER_RUNTIME ?= $(if $(shell command -v podman),podman,docker)
+GOMD2MAN ?= $(if $(shell command -v go-md2man),go-md2man,$(GOBIN)/go-md2man)

 # Go module support: set `-mod=vendor` to use the vendored sources.
 # See also hack/make.sh.
@@ -54,9 +51,32 @@ ifeq ($(GOOS), linux)
 endif

 GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
-IMAGE := skopeo-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
-# set env like gobuildtag?
-CONTAINER_CMD := ${CONTAINER_RUNTIME} run --rm -i -e TESTFLAGS="$(TESTFLAGS)" #$(CONTAINER_ENVS)
+
+# If $TESTFLAGS is set, it is passed as extra arguments to 'go test'.
+# You can increase test output verbosity with the option '-test.vv'.
+# You can select certain tests to run, with `-test.run <regex>` for example:
+#
+#     make test-unit TESTFLAGS='-test.run ^TestManifestDigest$'
+#
+# For integration test, we use [gocheck](https://labix.org/gocheck).
+# You can increase test output verbosity with the option '-check.vv'.
+# You can limit test selection with `-check.f <regex>`, for example:
+#
+#     make test-integration TESTFLAGS='-check.f CopySuite.TestCopy.*'
+export TESTFLAGS ?= -v -check.v -test.timeout=15m
+
+# This is assumed to be set non-empty when operating inside a CI/automation environment
+CI ?=
+
+# This env. var. is interpreted by some tests as a permission to
+# modify local configuration files and services.
+export SKOPEO_CONTAINER_TESTS ?= $(if $(CI),1,0)
+
+# This is a compromise, we either use a container for this or require
+# the local user to have a compatible python3 development environment.
+# Define it as a "resolve on use" variable to avoid calling out when possible
+SKOPEO_CIDEV_CONTAINER_FQIN ?= $(shell hack/get_fqin.sh)
+CONTAINER_CMD ?= ${CONTAINER_RUNTIME} run --rm -i -e TESTFLAGS="$(TESTFLAGS)" -e CI=$(CI) -e SKOPEO_CONTAINER_TESTS=1
 # if this session isn't interactive, then we don't want to allocate a
 # TTY, which would fail, but if it is interactive, we do want to attach
 # so that the user can send e.g. ^C through.
@@ -64,7 +84,8 @@ INTERACTIVE := $(shell [ -t 0 ] && echo 1 || echo 0)
 ifeq ($(INTERACTIVE), 1)
 	CONTAINER_CMD += -t
 endif
-CONTAINER_RUN := $(CONTAINER_CMD) "$(IMAGE)"
+CONTAINER_GOSRC = /src/github.com/containers/skopeo
+CONTAINER_RUN ?= $(CONTAINER_CMD) --security-opt label=disable -v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) $(SKOPEO_CIDEV_CONTAINER_FQIN)

 GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null || true)

@@ -76,7 +97,8 @@ MANPAGES ?= $(MANPAGES_MD:%.md=%)

 BTRFS_BUILD_TAG = $(shell hack/btrfs_tag.sh) $(shell hack/btrfs_installed_tag.sh)
 LIBDM_BUILD_TAG = $(shell hack/libdm_tag.sh)
-LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBDM_BUILD_TAG)
+LIBSUBID_BUILD_TAG = $(shell hack/libsubid_tag.sh)
+LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBDM_BUILD_TAG) $(LIBSUBID_BUILD_TAG)
 BUILDTAGS += $(LOCAL_BUILD_TAGS)

 ifeq ($(DISABLE_CGO), 1)
@@ -89,6 +111,9 @@ endif
 #           use source debugging tools like delve.
 all: bin/skopeo docs

+codespell:
+	codespell -S Makefile,build,buildah,buildah.spec,imgtype,copy,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L fpr,uint,iff,od,ERRO -w
+
 help:
 	@echo "Usage: make <target>"
 	@echo
@@ -96,7 +121,6 @@ help:
 	@echo
 	@echo " * 'install' - Install binaries and documents to system locations"
 	@echo " * 'binary' - Build skopeo with a container"
-	@echo " * 'static' - Build statically linked binary"
 	@echo " * 'bin/skopeo' - Build skopeo locally"
 	@echo " * 'test-unit' - Execute unit tests"
 	@echo " * 'test-integration' - Execute integration tests"
@@ -105,55 +129,41 @@ help:
 	@echo " * 'shell' - Run the built image and attach to a shell"
 	@echo " * 'clean' - Clean artifacts"

-# Build a container image (skopeobuild) that has everything we need to build.
-# Then do the build and the output (skopeo) should appear in current dir
+# Do the build and the output (skopeo) should appear in current dir
 binary: cmd/skopeo
-	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
-	${CONTAINER_RUNTIME} run --rm --security-opt label=disable -v $$(pwd):/src/github.com/containers/skopeo \
-		skopeobuildimage make bin/skopeo $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'
-
-# Update nix/nixpkgs.json its latest stable commit
-.PHONY: nixpkgs
-nixpkgs:
-	@nix run \
-		-f channel:nixos-21.05 nix-prefetch-git \
-		-c nix-prefetch-git \
-		--no-deepClone \
-		https://github.com/nixos/nixpkgs refs/heads/nixos-21.05 > nix/nixpkgs.json
-
-# Build statically linked binary
-.PHONY: static
-static:
-	@nix build -f nix/
-	mkdir -p ./bin
-	cp -rfp ./result/bin/* ./bin/
+	$(CONTAINER_RUN) make bin/skopeo $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'

 # Build w/o using containers
 .PHONY: bin/skopeo
 bin/skopeo:
-	$(GPGME_ENV) $(GO) build $(MOD_VENDOR) ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
+	$(GO) build $(MOD_VENDOR) ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
 bin/skopeo.%:
 	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO) build $(MOD_VENDOR) ${SKOPEO_LDFLAGS} -tags "containers_image_openpgp $(BUILDTAGS)" -o $@ ./cmd/skopeo
 local-cross: bin/skopeo.darwin.amd64 bin/skopeo.linux.arm bin/skopeo.linux.arm64 bin/skopeo.windows.386.exe bin/skopeo.windows.amd64.exe

-build-container:
-	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -t "$(IMAGE)" .
-
 $(MANPAGES): %: %.md
+ifneq ($(DISABLE_DOCS), 1)
 	sed -e 's/\((skopeo.*\.md)\)//' -e 's/\[\(skopeo.*\)\]/\1/' $<  | $(GOMD2MAN) -in /dev/stdin -out $@
+endif

 docs: $(MANPAGES)

 docs-in-container:
-	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
-	${CONTAINER_RUNTIME} run --rm --security-opt label=disable -v $$(pwd):/src/github.com/containers/skopeo \
-		skopeobuildimage make docs $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'
+	${CONTAINER_RUN} $(MAKE) docs $(if $(DEBUG),DEBUG=$(DEBUG))
+
+.PHONY: completions
+completions: bin/skopeo
+	install -d -m 755 completions/bash completions/zsh completions/fish completions/powershell
+	./bin/skopeo completion bash >| completions/bash/skopeo
+	./bin/skopeo completion zsh >| completions/zsh/_skopeo
+	./bin/skopeo completion fish >| completions/fish/skopeo.fish
+	./bin/skopeo completion powershell >| completions/powershell/skopeo.ps1

 clean:
-	rm -rf bin docs/*.1
+	rm -rf bin docs/*.1 completions/

 install: install-binary install-docs install-completions
-	install -d -m 755 ${DESTDIR}${SIGSTOREDIR}
+	install -d -m 755 ${DESTDIR}${LOOKASIDEDIR}
 	install -d -m 755 ${DESTDIR}${CONTAINERSCONFDIR}
 	install -m 644 default-policy.json ${DESTDIR}${CONTAINERSCONFDIR}/policy.json
 	install -d -m 755 ${DESTDIR}${REGISTRIESDDIR}
@@ -164,54 +174,63 @@ install-binary: bin/skopeo
 	install -m 755 bin/skopeo ${DESTDIR}${BINDIR}/skopeo

 install-docs: docs
+ifneq ($(DISABLE_DOCS), 1)
 	install -d -m 755 ${DESTDIR}${MANDIR}/man1
 	install -m 644 docs/*.1 ${DESTDIR}${MANDIR}/man1
+endif

-install-completions:
-	install -m 755 -d ${DESTDIR}${BASHCOMPLETIONSDIR}
-	install -m 644 completions/bash/skopeo ${DESTDIR}${BASHCOMPLETIONSDIR}/skopeo
+install-completions: completions
+	install -d -m 755 ${DESTDIR}${BASHINSTALLDIR}
+	install -m 644 completions/bash/skopeo ${DESTDIR}${BASHINSTALLDIR}
+	install -d -m 755 ${DESTDIR}${ZSHINSTALLDIR}
+	install -m 644 completions/zsh/_skopeo ${DESTDIR}${ZSHINSTALLDIR}
+	install -d -m 755 ${DESTDIR}${FISHINSTALLDIR}
+	install -m 644 completions/fish/skopeo.fish ${DESTDIR}${FISHINSTALLDIR}
+	# There is no common location for powershell files so do not install them. Users have to source the file from their powershell profile.

-shell: build-container
+shell:
 	$(CONTAINER_RUN) bash

 check: validate test-unit test-integration test-system

-# The tests can run out of entropy and block in containers, so replace /dev/random.
-test-integration: build-container
-	$(CONTAINER_RUN) bash -c 'rm -f /dev/random; ln -sf /dev/urandom /dev/random; SKOPEO_CONTAINER_TESTS=1 BUILDTAGS="$(BUILDTAGS)" $(MAKE) test-integration-local'
+test-integration:
+	$(CONTAINER_RUN) $(MAKE) test-integration-local

-# Intended for CI, shortcut 'build-container' since already running inside container.
-test-integration-local:
+
+# Intended for CI, assumed to be running in quay.io/libpod/skopeo_cidev container.
+test-integration-local: bin/skopeo
 	hack/make.sh test-integration

 # complicated set of options needed to run podman-in-podman
-test-system: build-container
+# TODO: The $(RM) command will likely fail w/o `podman unshare`
+test-system:
 	DTEMP=$(shell mktemp -d --tmpdir=/var/tmp podman-tmp.XXXXXX); \
 	$(CONTAINER_CMD) --privileged \
-	    -v $$DTEMP:/var/lib/containers:Z -v /run/systemd/journal/socket:/run/systemd/journal/socket \
-            "$(IMAGE)" \
-            bash -c 'BUILDTAGS="$(BUILDTAGS)" $(MAKE) test-system-local'; \
+		-v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) \
+		-v $$DTEMP:/var/lib/containers:Z -v /run/systemd/journal/socket:/run/systemd/journal/socket \
+		"$(SKOPEO_CIDEV_CONTAINER_FQIN)" \
+			$(MAKE) test-system-local; \
 	rc=$$?; \
-	$(RM) -rf $$DTEMP; \
+	-$(RM) -rf $$DTEMP; \
 	exit $$rc

-# Intended for CI, shortcut 'build-container' since already running inside container.
-test-system-local:
+# Intended for CI, assumed to already be running in quay.io/libpod/skopeo_cidev container.
+test-system-local: bin/skopeo
 	hack/make.sh test-system

-test-unit: build-container
+test-unit:
 	# Just call (make test unit-local) here instead of worrying about environment differences
-	$(CONTAINER_RUN) make test-unit-local BUILDTAGS='$(BUILDTAGS)'
+	$(CONTAINER_RUN) $(MAKE) test-unit-local

-validate: build-container
-	$(CONTAINER_RUN) make validate-local
+validate:
+	$(CONTAINER_RUN) $(MAKE) validate-local

 # This target is only intended for development, e.g. executing it from an IDE. Use (make test) for CI or pre-release testing.
 test-all-local: validate-local validate-docs test-unit-local

 .PHONY: validate-local
 validate-local:
-	hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+	BUILDTAGS="${BUILDTAGS}" hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet

 # This invokes bin/skopeo, hence cannot be run as part of validate-local
 .PHONY: validate-docs
@@ -219,8 +238,8 @@ validate-docs:
 	hack/man-page-checker
 	hack/xref-helpmsgs-manpages

-test-unit-local:
-	$(GPGME_ENV) $(GO) test $(MOD_VENDOR) -tags "$(BUILDTAGS)" $$($(GO) list $(MOD_VENDOR) -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')
+test-unit-local: bin/skopeo
+	$(GO) test $(MOD_VENDOR) -tags "$(BUILDTAGS)" $$($(GO) list $(MOD_VENDOR) -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')

 vendor:
 	$(GO) mod tidy
@@ -228,4 +247,9 @@ vendor:
 	$(GO) mod verify

 vendor-in-container:
-	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.16 make vendor
+	podman run --privileged --rm --env HOME=/root -v $(CURDIR):/src -w /src quay.io/libpod/golang:1.16 $(MAKE) vendor
+
+# CAUTION: This is not a replacement for RPMs provided by your distro.
+# Only intended to build and test the latest unreleased changes.
+rpm:
+	rpkg local
--- a/17
+++ b/17
@@ -0,0 +1,17 @@
+approvers:
+  - mtrmac
+  - lsm5
+  - TomSweeneyRedHat
+  - rhatdan
+  - vrothberg
+reviewers:
+  - ashley-cui
+  - giuseppe
+  - containers/image-maintainers
+  - lsm5
+  - mtrmac
+  - QiWang19
+  - rhatdan
+  - runcom
+  - TomSweeneyRedHat
+  - vrothberg
--- a/cmd/skopeo/cgo_pthread_ordering_workaround.go
+++ b/cmd/skopeo/cgo_pthread_ordering_workaround.go
@@ -1,34 +0,0 @@
-// +build !containers_image_openpgp
-
-package main
-
-/*
-This is a pretty horrible workaround.  Due to a glibc bug
-https://bugzilla.redhat.com/show_bug.cgi?id=1326903 , we must ensure we link
-with -lgpgme before -lpthread.  Such arguments come from various packages
-using cgo, and the ordering of these arguments is, with current (go tool link),
-dependent on the order in which the cgo-using packages are found in a
-breadth-first search following dependencies, starting from “main”.
-
-Thus, if
-   import "net"
-is processed before
-   import "…/skopeo/signature"
-it will, in the next level of the BFS, pull in "runtime/cgo" (a dependency of
-"net") before "mtrmac/gpgme" (a dependency of "…/skopeo/signature"), causing
-lpthread (used by "runtime/cgo") to be used before -lgpgme.
-
-This might be possible to work around by careful import ordering, or by removing
-a direct dependency on "net", but that would be very fragile.
-
-So, until the above bug is fixed, add -lgpgme directly in the "main" package
-to ensure the needed build order.
-
-Unfortunately, this workaround needs to be applied at the top level of any user
-of "…/skopeo/signature"; it cannot be added to "…/skopeo/signature" itself,
-by that time this package is first processed by the linker, a -lpthread may
-already be queued and it would be too late.
-*/
-
-// #cgo LDFLAGS: -lgpgme
-import "C"
--- a/cmd/skopeo/completions.go
+++ b/cmd/skopeo/completions.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"github.com/containers/image/v5/transports"
+	"github.com/spf13/cobra"
+)
+
+// autocompleteSupportedTransports list all supported transports with the colon suffix.
+func autocompleteSupportedTransports(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	tps := transports.ListNames()
+	suggestions := make([]string, 0, len(tps))
+	for _, tp := range tps {
+		suggestions = append(suggestions, tp+":")
+	}
+	return suggestions, cobra.ShellCompDirectiveNoFileComp
+}
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -4,13 +4,15 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"
 	"strings"

+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/copy"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/cli"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
 	encconfig "github.com/containers/ocicrypt/config"
@@ -19,21 +21,26 @@ import (
 )

 type copyOptions struct {
-	global              *globalOptions
-	deprecatedTLSVerify *deprecatedTLSVerifyOption
-	srcImage            *imageOptions
-	destImage           *imageDestOptions
-	retryOpts           *retry.RetryOptions
-	additionalTags      []string       // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
-	removeSignatures    bool           // Do not copy signatures from the source image
-	signByFingerprint   string         // Sign the image using a GPG key with the specified fingerprint
-	digestFile          string         // Write digest to this file
-	format              optionalString // Force conversion of the image to a specified format
-	quiet               bool           // Suppress output information when copying images
-	all                 bool           // Copy all of the images if the source is a list
-	encryptLayer        []int          // The list of layers to encrypt
-	encryptionKeys      []string       // Keys needed to encrypt the image
-	decryptionKeys      []string       // Keys needed to decrypt the image
+	global                   *globalOptions
+	deprecatedTLSVerify      *deprecatedTLSVerifyOption
+	srcImage                 *imageOptions
+	destImage                *imageDestOptions
+	retryOpts                *retry.Options
+	additionalTags           []string                  // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
+	removeSignatures         bool                      // Do not copy signatures from the source image
+	signByFingerprint        string                    // Sign the image using a GPG key with the specified fingerprint
+	signBySigstorePrivateKey string                    // Sign the image using a sigstore private key
+	signPassphraseFile       string                    // Path pointing to a passphrase file when signing (for either signature format, but only one of them)
+	signIdentity             string                    // Identity of the signed image, must be a fully specified docker reference
+	digestFile               string                    // Write digest to this file
+	format                   commonFlag.OptionalString // Force conversion of the image to a specified format
+	quiet                    bool                      // Suppress output information when copying images
+	all                      bool                      // Copy all of the images if the source is a list
+	multiArch                commonFlag.OptionalString // How to handle multi architecture images
+	preserveDigests          bool                      // Preserve digests during copy
+	encryptLayer             []int                     // The list of layers to encrypt
+	encryptionKeys           []string                  // Keys needed to encrypt the image
+	decryptionKeys           []string                  // Keys needed to decrypt the image
 }

 func copyCmd(global *globalOptions) *cobra.Command {
@@ -58,8 +65,9 @@ Supported transports:

 See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
-		RunE:    commandAction(opts.run),
-		Example: `skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest`,
+		RunE:              commandAction(opts.run),
+		Example:           `skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
@@ -71,17 +79,43 @@ See skopeo(1) section "IMAGE NAMES" for the expected format
 	flags.StringSliceVar(&opts.additionalTags, "additional-tag", []string{}, "additional tags (supports docker-archive)")
 	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Suppress output information when copying images")
 	flags.BoolVarP(&opts.all, "all", "a", false, "Copy all images if SOURCE-IMAGE is a list")
+	flags.Var(commonFlag.NewOptionalStringValue(&opts.multiArch), "multi-arch", `How to handle multi-architecture images (system, all, or index-only)`)
+	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
 	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE-IMAGE")
 	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
+	flags.StringVar(&opts.signBySigstorePrivateKey, "sign-by-sigstore-private-key", "", "Sign the image using a sigstore private key at `PATH`")
+	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "Read a passphrase for signing an image from `PATH`")
+	flags.StringVar(&opts.signIdentity, "sign-identity", "", "Identity of signed image, must be a fully specified docker reference. Defaults to the target docker reference.")
 	flags.StringVar(&opts.digestFile, "digestfile", "", "Write the digest of the pushed image to the specified file")
-	flags.VarP(newOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)`)
+	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)`)
 	flags.StringSliceVar(&opts.encryptionKeys, "encryption-key", []string{}, "*Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)")
 	flags.IntSliceVar(&opts.encryptLayer, "encrypt-layer", []int{}, "*Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)")
 	flags.StringSliceVar(&opts.decryptionKeys, "decryption-key", []string{}, "*Experimental* key needed to decrypt the image")
 	return cmd
 }

-func (opts *copyOptions) run(args []string, stdout io.Writer) error {
+// parseMultiArch parses the list processing selection
+// It returns the copy.ImageListSelection to use with image.Copy option
+func parseMultiArch(multiArch string) (copy.ImageListSelection, error) {
+	switch multiArch {
+	case "system":
+		return copy.CopySystemImage, nil
+	case "all":
+		return copy.CopyAllImages, nil
+	// There is no CopyNoImages value in copy.ImageListSelection, but because we
+	// don't provide an option to select a set of images to copy, we can use
+	// CopySpecificImages.
+	case "index-only":
+		return copy.CopySpecificImages, nil
+	// We don't expose CopySpecificImages other than index-only above, because
+	// we currently don't provide an option to choose the images to copy. That
+	// could be added in the future.
+	default:
+		return copy.CopySystemImage, fmt.Errorf("unknown multi-arch option %q. Choose one of the supported options: 'system', 'all', or 'index-only'", multiArch)
+	}
+}
+
+func (opts *copyOptions) run(args []string, stdout io.Writer) (retErr error) {
 	if len(args) != 2 {
 		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
 	}
@@ -96,7 +130,11 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 	if err != nil {
 		return fmt.Errorf("Error loading trust policy: %v", err)
 	}
-	defer policyContext.Destroy()
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()

 	srcRef, err := alltransports.ParseImageName(imageNames[0])
 	if err != nil {
@@ -117,8 +155,8 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 	}

 	var manifestType string
-	if opts.format.present {
-		manifestType, err = parseManifestFormat(opts.format.value)
+	if opts.format.Present() {
+		manifestType, err = parseManifestFormat(opts.format.Value())
 		if err != nil {
 			return err
 		}
@@ -142,7 +180,17 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 	if opts.quiet {
 		stdout = nil
 	}
+
 	imageListSelection := copy.CopySystemImage
+	if opts.multiArch.Present() && opts.all {
+		return fmt.Errorf("Cannot use --all and --multi-arch flags together")
+	}
+	if opts.multiArch.Present() {
+		imageListSelection, err = parseMultiArch(opts.multiArch.Value())
+		if err != nil {
+			return err
+		}
+	}
 	if opts.all {
 		imageListSelection = copy.CopyAllImages
 	}
@@ -183,18 +231,52 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 		decConfig = cc.DecryptConfig
 	}

-	return retry.RetryIfNecessary(ctx, func() error {
+	// c/image/copy.Image does allow creating both simple signing and sigstore signatures simultaneously,
+	// with independent passphrases, but that would make the CLI probably too confusing.
+	// For now, use the passphrase with either, but only one of them.
+	if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signBySigstorePrivateKey != "" {
+		return fmt.Errorf("Only one of --sign-by and sign-by-sigstore-private-key can be used with sign-passphrase-file")
+	}
+	var passphrase string
+	if opts.signPassphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else if opts.signBySigstorePrivateKey != "" {
+		p, err := promptForPassphrase(opts.signBySigstorePrivateKey, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} // opts.signByFingerprint triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided.
+
+	var signIdentity reference.Named = nil
+	if opts.signIdentity != "" {
+		signIdentity, err = reference.ParseNamed(opts.signIdentity)
+		if err != nil {
+			return fmt.Errorf("Could not parse --sign-identity: %v", err)
+		}
+	}
+
+	return retry.IfNecessary(ctx, func() error {
 		manifestBytes, err := copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
-			RemoveSignatures:      opts.removeSignatures,
-			SignBy:                opts.signByFingerprint,
-			ReportWriter:          stdout,
-			SourceCtx:             sourceCtx,
-			DestinationCtx:        destinationCtx,
-			ForceManifestMIMEType: manifestType,
-			ImageListSelection:    imageListSelection,
-			OciDecryptConfig:      decConfig,
-			OciEncryptLayers:      encLayers,
-			OciEncryptConfig:      encConfig,
+			RemoveSignatures:                 opts.removeSignatures,
+			SignBy:                           opts.signByFingerprint,
+			SignPassphrase:                   passphrase,
+			SignBySigstorePrivateKeyFile:     opts.signBySigstorePrivateKey,
+			SignSigstorePrivateKeyPassphrase: []byte(passphrase),
+			SignIdentity:                     signIdentity,
+			ReportWriter:                     stdout,
+			SourceCtx:                        sourceCtx,
+			DestinationCtx:                   destinationCtx,
+			ForceManifestMIMEType:            manifestType,
+			ImageListSelection:               imageListSelection,
+			PreserveDigests:                  opts.preserveDigests,
+			OciDecryptConfig:                 decConfig,
+			OciEncryptLayers:                 encLayers,
+			OciEncryptConfig:                 encConfig,
 		})
 		if err != nil {
 			return err
@@ -204,7 +286,7 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 			if err != nil {
 				return err
 			}
-			if err = ioutil.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0644); err != nil {
+			if err = os.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0644); err != nil {
 				return fmt.Errorf("Failed to write digest to file %q: %w", opts.digestFile, err)
 			}
 		}
--- a/cmd/skopeo/delete.go
+++ b/cmd/skopeo/delete.go
@@ -15,7 +15,7 @@ import (
 type deleteOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
 }

 func deleteCmd(global *globalOptions) *cobra.Command {
@@ -35,8 +35,9 @@ Supported transports:
 %s
 See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
-		RunE:    commandAction(opts.run),
-		Example: `skopeo delete docker://registry.example.com/example/pause:latest`,
+		RunE:              commandAction(opts.run),
+		Example:           `skopeo delete docker://registry.example.com/example/pause:latest`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
@@ -69,7 +70,7 @@ func (opts *deleteOptions) run(args []string, stdout io.Writer) error {
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()

-	return retry.RetryIfNecessary(ctx, func() error {
+	return retry.IfNecessary(ctx, func() error {
 		return ref.DeleteImage(ctx, sys)
 	}, opts.retryOpts)
 }
--- a/cmd/skopeo/flag_test.go
+++ b/cmd/skopeo/flag_test.go
@@ -1,222 +0,0 @@
-package main
-
-import (
-	"testing"
-
-	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestOptionalBoolSet(t *testing.T) {
-	for _, c := range []struct {
-		input    string
-		accepted bool
-		value    bool
-	}{
-		// Valid inputs documented for strconv.ParseBool == flag.BoolVar
-		{"1", true, true},
-		{"t", true, true},
-		{"T", true, true},
-		{"TRUE", true, true},
-		{"true", true, true},
-		{"True", true, true},
-		{"0", true, false},
-		{"f", true, false},
-		{"F", true, false},
-		{"FALSE", true, false},
-		{"false", true, false},
-		{"False", true, false},
-		// A few invalid inputs
-		{"", false, false},
-		{"yes", false, false},
-		{"no", false, false},
-		{"2", false, false},
-	} {
-		var ob optionalBool
-		v := internalNewOptionalBoolValue(&ob)
-		require.False(t, ob.present)
-		err := v.Set(c.input)
-		if c.accepted {
-			assert.NoError(t, err, c.input)
-			assert.Equal(t, c.value, ob.value)
-		} else {
-			assert.Error(t, err, c.input)
-			assert.False(t, ob.present) // Just to be extra paranoid.
-		}
-	}
-
-	// Nothing actually explicitly says that .Set() is never called when the flag is not present on the command line;
-	// so, check that it is not being called, at least in the straightforward case (it's not possible to test that it
-	// is not called in any possible situation).
-	var globalOB, commandOB optionalBool
-	actionRun := false
-	app := &cobra.Command{
-		Use: "app",
-	}
-	optionalBoolFlag(app.PersistentFlags(), &globalOB, "global-OB", "")
-	cmd := &cobra.Command{
-		Use: "cmd",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			assert.False(t, globalOB.present)
-			assert.False(t, commandOB.present)
-			actionRun = true
-			return nil
-		},
-	}
-	optionalBoolFlag(cmd.Flags(), &commandOB, "command-OB", "")
-	app.AddCommand(cmd)
-	app.SetArgs([]string{"cmd"})
-	err := app.Execute()
-	require.NoError(t, err)
-	assert.True(t, actionRun)
-}
-
-func TestOptionalBoolString(t *testing.T) {
-	for _, c := range []struct {
-		input    optionalBool
-		expected string
-	}{
-		{optionalBool{present: true, value: true}, "true"},
-		{optionalBool{present: true, value: false}, "false"},
-		{optionalBool{present: false, value: true}, ""},
-		{optionalBool{present: false, value: false}, ""},
-	} {
-		var ob optionalBool
-		v := internalNewOptionalBoolValue(&ob)
-		ob = c.input
-		res := v.String()
-		assert.Equal(t, c.expected, res)
-	}
-}
-
-func TestOptionalBoolIsBoolFlag(t *testing.T) {
-	// IsBoolFlag means that the argument value must either be part of the same argument, with =;
-	// if there is no =, the value is set to true.
-	// This differs form other flags, where the argument is required and may be either separated with = or supplied in the next argument.
-	for _, c := range []struct {
-		input        []string
-		expectedOB   optionalBool
-		expectedArgs []string
-	}{
-		{[]string{"1", "2"}, optionalBool{present: false}, []string{"1", "2"}},                                       // Flag not present
-		{[]string{"--OB=true", "1", "2"}, optionalBool{present: true, value: true}, []string{"1", "2"}},              // --OB=true
-		{[]string{"--OB=false", "1", "2"}, optionalBool{present: true, value: false}, []string{"1", "2"}},            // --OB=false
-		{[]string{"--OB", "true", "1", "2"}, optionalBool{present: true, value: true}, []string{"true", "1", "2"}},   // --OB true
-		{[]string{"--OB", "false", "1", "2"}, optionalBool{present: true, value: true}, []string{"false", "1", "2"}}, // --OB false
-	} {
-		var ob optionalBool
-		actionRun := false
-		app := &cobra.Command{Use: "app"}
-		cmd := &cobra.Command{
-			Use: "cmd",
-			RunE: func(cmd *cobra.Command, args []string) error {
-				assert.Equal(t, c.expectedOB, ob)
-				assert.Equal(t, c.expectedArgs, args)
-				actionRun = true
-				return nil
-			},
-		}
-		optionalBoolFlag(cmd.Flags(), &ob, "OB", "")
-		app.AddCommand(cmd)
-
-		app.SetArgs(append([]string{"cmd"}, c.input...))
-		err := app.Execute()
-		require.NoError(t, err)
-		assert.True(t, actionRun)
-	}
-}
-
-func TestOptionalStringSet(t *testing.T) {
-	// Really just a smoke test, but differentiating between not present and empty.
-	for _, c := range []string{"", "hello"} {
-		var os optionalString
-		v := newOptionalStringValue(&os)
-		require.False(t, os.present)
-		err := v.Set(c)
-		assert.NoError(t, err, c)
-		assert.Equal(t, c, os.value)
-	}
-
-	// Nothing actually explicitly says that .Set() is never called when the flag is not present on the command line;
-	// so, check that it is not being called, at least in the straightforward case (it's not possible to test that it
-	// is not called in any possible situation).
-	var globalOS, commandOS optionalString
-	actionRun := false
-	app := &cobra.Command{
-		Use: "app",
-	}
-	app.PersistentFlags().Var(newOptionalStringValue(&globalOS), "global-OS", "")
-	cmd := &cobra.Command{
-		Use: "cmd",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			assert.False(t, globalOS.present)
-			assert.False(t, commandOS.present)
-			actionRun = true
-			return nil
-		},
-	}
-	cmd.Flags().Var(newOptionalStringValue(&commandOS), "command-OS", "")
-	app.AddCommand(cmd)
-	app.SetArgs([]string{"cmd"})
-	err := app.Execute()
-	require.NoError(t, err)
-	assert.True(t, actionRun)
-}
-
-func TestOptionalStringString(t *testing.T) {
-	for _, c := range []struct {
-		input    optionalString
-		expected string
-	}{
-		{optionalString{present: true, value: "hello"}, "hello"},
-		{optionalString{present: true, value: ""}, ""},
-		{optionalString{present: false, value: "hello"}, ""},
-		{optionalString{present: false, value: ""}, ""},
-	} {
-		var os optionalString
-		v := newOptionalStringValue(&os)
-		os = c.input
-		res := v.String()
-		assert.Equal(t, c.expected, res)
-	}
-}
-
-func TestOptionalStringIsBoolFlag(t *testing.T) {
-	// NOTE: optionalStringValue does not implement IsBoolFlag!
-	// IsBoolFlag means that the argument value must either be part of the same argument, with =;
-	// if there is no =, the value is set to true.
-	// This differs form other flags, where the argument is required and may be either separated with = or supplied in the next argument.
-	for _, c := range []struct {
-		input        []string
-		expectedOS   optionalString
-		expectedArgs []string
-	}{
-		{[]string{"1", "2"}, optionalString{present: false}, []string{"1", "2"}},                                 // Flag not present
-		{[]string{"--OS=hello", "1", "2"}, optionalString{present: true, value: "hello"}, []string{"1", "2"}},    // --OS=true
-		{[]string{"--OS=", "1", "2"}, optionalString{present: true, value: ""}, []string{"1", "2"}},              // --OS=false
-		{[]string{"--OS", "hello", "1", "2"}, optionalString{present: true, value: "hello"}, []string{"1", "2"}}, // --OS true
-		{[]string{"--OS", "", "1", "2"}, optionalString{present: true, value: ""}, []string{"1", "2"}},           // --OS false
-	} {
-		var os optionalString
-		actionRun := false
-		app := &cobra.Command{
-			Use: "app",
-		}
-		cmd := &cobra.Command{
-			Use: "cmd",
-			RunE: func(cmd *cobra.Command, args []string) error {
-				assert.Equal(t, c.expectedOS, os)
-				assert.Equal(t, c.expectedArgs, args)
-				actionRun = true
-				return nil
-			},
-		}
-		cmd.Flags().Var(newOptionalStringValue(&os), "OS", "")
-		app.AddCommand(cmd)
-		app.SetArgs(append([]string{"cmd"}, c.input...))
-		err := app.Execute()
-		require.NoError(t, err)
-		assert.True(t, actionRun)
-	}
-}
--- a/cmd/skopeo/inspect.go
+++ b/cmd/skopeo/inspect.go
@@ -2,6 +2,7 @@ package main

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -18,18 +19,18 @@ import (
 	"github.com/containers/image/v5/types"
 	"github.com/containers/skopeo/cmd/skopeo/inspect"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )

 type inspectOptions struct {
-	global    *globalOptions
-	image     *imageOptions
-	retryOpts *retry.RetryOptions
-	format    string
-	raw       bool // Output the raw manifest instead of parsing information about the image
-	config    bool // Output the raw config blob instead of parsing information about the image
+	global        *globalOptions
+	image         *imageOptions
+	retryOpts     *retry.Options
+	format        string
+	raw           bool // Output the raw manifest instead of parsing information about the image
+	config        bool // Output the raw config blob instead of parsing information about the image
+	doNotListTags bool // Do not list all tags available in the same repository
 }

 func inspectCmd(global *globalOptions) *cobra.Command {
@@ -54,12 +55,14 @@ See skopeo(1) section "IMAGE NAMES" for the expected format
 		Example: `skopeo inspect docker://registry.fedoraproject.org/fedora
  skopeo inspect --config docker://docker.io/alpine
  skopeo inspect  --format "Name: {{.Name}} Digest: {{.Digest}}" docker://registry.access.redhat.com/ubi8`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
 	flags.BoolVar(&opts.raw, "raw", false, "output raw manifest or configuration")
 	flags.BoolVar(&opts.config, "config", false, "output configuration")
 	flags.StringVarP(&opts.format, "format", "f", "", "Format the output to a Go template")
+	flags.BoolVarP(&opts.doNotListTags, "no-tags", "n", false, "Do not list the available tags from the repository in the output")
 	flags.AddFlagSet(&sharedFlags)
 	flags.AddFlagSet(&imageFlags)
 	flags.AddFlagSet(&retryFlags)
@@ -93,30 +96,30 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		return err
 	}

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		src, err = parseImageSource(ctx, opts.image, imageName)
 		return err
 	}, opts.retryOpts); err != nil {
-		return errors.Wrapf(err, "Error parsing image name %q", imageName)
+		return fmt.Errorf("Error parsing image name %q: %w", imageName, err)
 	}

 	defer func() {
 		if err := src.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, fmt.Sprintf("(could not close image: %v) ", err))
+			retErr = noteCloseFailure(retErr, "closing image", err)
 		}
 	}()

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		rawManifest, _, err = src.GetManifest(ctx, nil)
 		return err
 	}, opts.retryOpts); err != nil {
-		return errors.Wrapf(err, "Error retrieving manifest for image")
+		return fmt.Errorf("Error retrieving manifest for image: %w", err)
 	}

 	if opts.raw && !opts.config {
 		_, err := stdout.Write(rawManifest)
 		if err != nil {
-			return fmt.Errorf("Error writing manifest to standard output: %v", err)
+			return fmt.Errorf("Error writing manifest to standard output: %w", err)
 		}

 		return nil
@@ -124,29 +127,29 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)

 	img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, nil))
 	if err != nil {
-		return errors.Wrapf(err, "Error parsing manifest for image")
+		return fmt.Errorf("Error parsing manifest for image: %w", err)
 	}

 	if opts.config && opts.raw {
 		var configBlob []byte
-		if err := retry.RetryIfNecessary(ctx, func() error {
+		if err := retry.IfNecessary(ctx, func() error {
 			configBlob, err = img.ConfigBlob(ctx)
 			return err
 		}, opts.retryOpts); err != nil {
-			return errors.Wrapf(err, "Error reading configuration blob")
+			return fmt.Errorf("Error reading configuration blob: %w", err)
 		}
 		_, err = stdout.Write(configBlob)
 		if err != nil {
-			return errors.Wrapf(err, "Error writing configuration blob to standard output")
+			return fmt.Errorf("Error writing configuration blob to standard output: %w", err)
 		}
 		return nil
 	} else if opts.config {
 		var config *v1.Image
-		if err := retry.RetryIfNecessary(ctx, func() error {
+		if err := retry.IfNecessary(ctx, func() error {
 			config, err = img.OCIConfig(ctx)
 			return err
 		}, opts.retryOpts); err != nil {
-			return errors.Wrapf(err, "Error reading OCI-formatted configuration data")
+			return fmt.Errorf("Error reading OCI-formatted configuration data: %w", err)
 		}
 		if report.IsJSON(opts.format) || opts.format == "" {
 			var out []byte
@@ -160,12 +163,12 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 			err = printTmpl(row, data)
 		}
 		if err != nil {
-			return errors.Wrapf(err, "Error writing OCI-formatted configuration data to standard output")
+			return fmt.Errorf("Error writing OCI-formatted configuration data to standard output: %w", err)
 		}
 		return nil
 	}

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		imgInspect, err = img.Inspect(ctx)
 		return err
 	}, opts.retryOpts); err != nil {
@@ -187,12 +190,12 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 	}
 	outputData.Digest, err = manifest.Digest(rawManifest)
 	if err != nil {
-		return errors.Wrapf(err, "Error computing manifest digest")
+		return fmt.Errorf("Error computing manifest digest: %w", err)
 	}
 	if dockerRef := img.Reference().DockerReference(); dockerRef != nil {
 		outputData.Name = dockerRef.Name()
 	}
-	if img.Reference().Transport() == docker.Transport {
+	if !opts.doNotListTags && img.Reference().Transport() == docker.Transport {
 		sys, err := opts.image.newSystemContext()
 		if err != nil {
 			return err
@@ -205,7 +208,7 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 			// In addition, AWS ECR rejects it with 403 (Forbidden) if the "ecr:ListImages"
 			// action is not allowed.
 			if !strings.Contains(err.Error(), "401") && !strings.Contains(err.Error(), "403") {
-				return errors.Wrapf(err, "Error determining repository tags")
+				return fmt.Errorf("Error determining repository tags: %w", err)
 			}
 			logrus.Warnf("Registry disallows tag list retrieval; skipping")
 		}
--- a/cmd/skopeo/layers.go
+++ b/cmd/skopeo/layers.go
@@ -1,9 +1,9 @@
 package main

 import (
+	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"

@@ -13,14 +13,13 @@ import (
 	"github.com/containers/image/v5/pkg/blobinfocache"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

 type layersOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
 }

 func layersCmd(global *globalOptions) *cobra.Command {
@@ -69,25 +68,25 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		rawSource types.ImageSource
 		src       types.ImageCloser
 	)
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		rawSource, err = parseImageSource(ctx, opts.image, imageName)
 		return err
 	}, opts.retryOpts); err != nil {
 		return err
 	}
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		src, err = image.FromSource(ctx, sys, rawSource)
 		return err
 	}, opts.retryOpts); err != nil {
 		if closeErr := rawSource.Close(); closeErr != nil {
-			return errors.Wrapf(err, " (close error: %v)", closeErr)
+			return fmt.Errorf("%w (closing image source: %v)", err, closeErr)
 		}

 		return err
 	}
 	defer func() {
 		if err := src.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			retErr = noteCloseFailure(retErr, "closing image", err)
 		}
 	}()

@@ -122,7 +121,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		}
 	}

-	tmpDir, err := ioutil.TempDir(".", "layers-")
+	tmpDir, err := os.MkdirTemp(".", "layers-")
 	if err != nil {
 		return err
 	}
@@ -137,7 +136,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {

 	defer func() {
 		if err := dest.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			retErr = noteCloseFailure(retErr, "closing destination", err)
 		}
 	}()

@@ -146,7 +145,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 			r        io.ReadCloser
 			blobSize int64
 		)
-		if err = retry.RetryIfNecessary(ctx, func() error {
+		if err = retry.IfNecessary(ctx, func() error {
 			r, blobSize, err = rawSource.GetBlob(ctx, types.BlobInfo{Digest: bd.digest, Size: -1}, cache)
 			return err
 		}, opts.retryOpts); err != nil {
@@ -154,14 +153,14 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		}
 		if _, err := dest.PutBlob(ctx, r, types.BlobInfo{Digest: bd.digest, Size: blobSize}, cache, bd.isConfig); err != nil {
 			if closeErr := r.Close(); closeErr != nil {
-				return errors.Wrapf(err, " (close error: %v)", closeErr)
+				return fmt.Errorf("%w (close error: %v)", err, closeErr)
 			}
 			return err
 		}
 	}

 	var manifest []byte
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		manifest, _, err = src.Manifest(ctx)
 		return err
 	}, opts.retryOpts); err != nil {
--- a/cmd/skopeo/list_tags.go
+++ b/cmd/skopeo/list_tags.go
@@ -3,29 +3,46 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
+	"sort"
 	"strings"

 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/docker/archive"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

 // tagListOutput is the output format of (skopeo list-tags), primarily so that we can format it with a simple json.MarshalIndent.
 type tagListOutput struct {
-	Repository string
+	Repository string `json:",omitempty"`
 	Tags       []string
 }

 type tagsOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
+}
+
+var transportHandlers = map[string]func(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error){
+	docker.Transport.Name():  listDockerRepoTags,
+	archive.Transport.Name(): listDockerArchiveTags,
+}
+
+// supportedTransports returns all the supported transports
+func supportedTransports(joinStr string) string {
+	res := make([]string, 0, len(transportHandlers))
+	for handlerName := range transportHandlers {
+		res = append(res, handlerName)
+	}
+	sort.Strings(res)
+	return strings.Join(res, joinStr)
 }

 func tagsCmd(global *globalOptions) *cobra.Command {
@@ -38,13 +55,14 @@ func tagsCmd(global *globalOptions) *cobra.Command {
 		image:     imageOpts,
 		retryOpts: retryOpts,
 	}
+
 	cmd := &cobra.Command{
-		Use:   "list-tags [command options] REPOSITORY-NAME",
-		Short: "List tags in the transport/repository specified by the REPOSITORY-NAME",
-		Long: `Return the list of tags from the transport/repository "REPOSITORY-NAME"
+		Use:   "list-tags [command options] SOURCE-IMAGE",
+		Short: "List tags in the transport/repository specified by the SOURCE-IMAGE",
+		Long: `Return the list of tags from the transport/repository "SOURCE-IMAGE"

 Supported transports:
-docker
+` + supportedTransports(" ") + `

 See skopeo-list-tags(1) section "REPOSITORY NAMES" for the expected format
 `,
@@ -63,12 +81,12 @@ See skopeo-list-tags(1) section "REPOSITORY NAMES" for the expected format
 // Would really love to not have this, but needed to enforce tag-less and digest-less names
 func parseDockerRepositoryReference(refString string) (types.ImageReference, error) {
 	if !strings.HasPrefix(refString, docker.Transport.Name()+"://") {
-		return nil, errors.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
+		return nil, fmt.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
 	}

 	parts := strings.SplitN(refString, ":", 2)
 	if len(parts) != 2 {
-		return nil, errors.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, refString)
+		return nil, fmt.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, refString)
 	}

 	ref, err := reference.ParseNormalizedNamed(strings.TrimPrefix(parts[1], "//"))
@@ -90,11 +108,63 @@ func listDockerTags(ctx context.Context, sys *types.SystemContext, imgRef types.

 	tags, err := docker.GetRepositoryTags(ctx, sys, imgRef)
 	if err != nil {
-		return ``, nil, fmt.Errorf("Error listing repository tags: %v", err)
+		return ``, nil, fmt.Errorf("Error listing repository tags: %w", err)
 	}
 	return repositoryName, tags, nil
 }

+// return the tagLists from a docker repo
+func listDockerRepoTags(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
+	// Do transport-specific parsing and validation to get an image reference
+	imgRef, err := parseDockerRepositoryReference(userInput)
+	if err != nil {
+		return
+	}
+	if err = retry.IfNecessary(ctx, func() error {
+		repositoryName, tagListing, err = listDockerTags(ctx, sys, imgRef)
+		return err
+	}, opts.retryOpts); err != nil {
+		return
+	}
+	return
+}
+
+// return the tagLists from a docker archive file
+func listDockerArchiveTags(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
+	ref, err := alltransports.ParseImageName(userInput)
+	if err != nil {
+		return
+	}
+
+	tarReader, _, err := archive.NewReaderForReference(sys, ref)
+	if err != nil {
+		return
+	}
+	defer tarReader.Close()
+
+	imageRefs, err := tarReader.List()
+	if err != nil {
+		return
+	}
+
+	var repoTags []string
+	for imageIndex, items := range imageRefs {
+		for _, ref := range items {
+			repoTags, err = tarReader.ManifestTagsForReference(ref)
+			if err != nil {
+				return
+			}
+			// handle for each untagged image
+			if len(repoTags) == 0 {
+				repoTags = []string{fmt.Sprintf("@%d", imageIndex)}
+			}
+			tagListing = append(tagListing, repoTags...)
+		}
+	}
+
+	return
+}
+
 func (opts *tagsOptions) run(args []string, stdout io.Writer) (retErr error) {
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()
@@ -113,23 +183,17 @@ func (opts *tagsOptions) run(args []string, stdout io.Writer) (retErr error) {
 		return fmt.Errorf("Invalid %q: does not specify a transport", args[0])
 	}

-	if transport.Name() != docker.Transport.Name() {
-		return fmt.Errorf("Unsupported transport '%v' for tag listing. Only '%v' currently supported", transport.Name(), docker.Transport.Name())
-	}
-
-	// Do transport-specific parsing and validation to get an image reference
-	imgRef, err := parseDockerRepositoryReference(args[0])
-	if err != nil {
-		return err
-	}
-
 	var repositoryName string
 	var tagListing []string
-	if err = retry.RetryIfNecessary(ctx, func() error {
-		repositoryName, tagListing, err = listDockerTags(ctx, sys, imgRef)
-		return err
-	}, opts.retryOpts); err != nil {
-		return err
+
+	if val, ok := transportHandlers[transport.Name()]; ok {
+		repositoryName, tagListing, err = val(ctx, sys, opts, args[0])
+		if err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("Unsupported transport '%s' for tag listing. Only supported: %s",
+			transport.Name(), supportedTransports(", "))
 	}

 	outputData := tagListOutput{
--- a/cmd/skopeo/login.go
+++ b/cmd/skopeo/login.go
@@ -5,6 +5,7 @@ import (
 	"os"

 	"github.com/containers/common/pkg/auth"
+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
 )
@@ -12,7 +13,7 @@ import (
 type loginOptions struct {
 	global    *globalOptions
 	loginOpts auth.LoginOptions
-	tlsVerify optionalBool
+	tlsVerify commonFlag.OptionalBool
 }

 func loginCmd(global *globalOptions) *cobra.Command {
@@ -28,7 +29,7 @@ func loginCmd(global *globalOptions) *cobra.Command {
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
-	optionalBoolFlag(flags, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the registry")
+	commonFlag.OptionalBoolFlag(flags, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the registry")
 	flags.AddFlagSet(auth.GetLoginFlags(&opts.loginOpts))
 	return cmd
 }
@@ -40,8 +41,8 @@ func (opts *loginOptions) run(args []string, stdout io.Writer) error {
 	opts.loginOpts.Stdin = os.Stdin
 	opts.loginOpts.AcceptRepositories = true
 	sys := opts.global.newSystemContext()
-	if opts.tlsVerify.present {
-		sys.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.value)
+	if opts.tlsVerify.Present() {
+		sys.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
 	}
 	return auth.Login(ctx, sys, &opts.loginOpts, args)
 }
--- a/cmd/skopeo/logout.go
+++ b/cmd/skopeo/logout.go
@@ -4,6 +4,7 @@ import (
 	"io"

 	"github.com/containers/common/pkg/auth"
+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/image/v5/types"
 	"github.com/spf13/cobra"
 )
@@ -11,7 +12,7 @@ import (
 type logoutOptions struct {
 	global     *globalOptions
 	logoutOpts auth.LogoutOptions
-	tlsVerify  optionalBool
+	tlsVerify  commonFlag.OptionalBool
 }

 func logoutCmd(global *globalOptions) *cobra.Command {
@@ -27,7 +28,7 @@ func logoutCmd(global *globalOptions) *cobra.Command {
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
-	optionalBoolFlag(flags, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the registry")
+	commonFlag.OptionalBoolFlag(flags, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the registry")
 	flags.AddFlagSet(auth.GetLogoutFlags(&opts.logoutOpts))
 	return cmd
 }
@@ -36,8 +37,8 @@ func (opts *logoutOptions) run(args []string, stdout io.Writer) error {
 	opts.logoutOpts.Stdout = stdout
 	opts.logoutOpts.AcceptRepositories = true
 	sys := opts.global.newSystemContext()
-	if opts.tlsVerify.present {
-		sys.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.value)
+	if opts.tlsVerify.Present() {
+		sys.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
 	}
 	return auth.Logout(sys, &opts.logoutOpts, args)
 }
--- a/cmd/skopeo/main.go
+++ b/cmd/skopeo/main.go
@@ -3,8 +3,10 @@ package main
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"

+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/image/v5/signature"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/skopeo/version"
@@ -20,17 +22,32 @@ var gitCommit = ""
 var defaultUserAgent = "skopeo/" + version.Version

 type globalOptions struct {
-	debug              bool          // Enable debug output
-	tlsVerify          optionalBool  // Require HTTPS and verify certificates (for docker: and docker-daemon:)
-	policyPath         string        // Path to a signature verification policy file
-	insecurePolicy     bool          // Use an "allow everything" signature verification policy
-	registriesDirPath  string        // Path to a "registries.d" registry configuration directory
-	overrideArch       string        // Architecture to use for choosing images, instead of the runtime one
-	overrideOS         string        // OS to use for choosing images, instead of the runtime one
-	overrideVariant    string        // Architecture variant to use for choosing images, instead of the runtime one
-	commandTimeout     time.Duration // Timeout for the command execution
-	registriesConfPath string        // Path to the "registries.conf" file
-	tmpDir             string        // Path to use for big temporary files
+	debug              bool                    // Enable debug output
+	tlsVerify          commonFlag.OptionalBool // Require HTTPS and verify certificates (for docker: and docker-daemon:)
+	policyPath         string                  // Path to a signature verification policy file
+	insecurePolicy     bool                    // Use an "allow everything" signature verification policy
+	registriesDirPath  string                  // Path to a "registries.d" registry configuration directory
+	overrideArch       string                  // Architecture to use for choosing images, instead of the runtime one
+	overrideOS         string                  // OS to use for choosing images, instead of the runtime one
+	overrideVariant    string                  // Architecture variant to use for choosing images, instead of the runtime one
+	commandTimeout     time.Duration           // Timeout for the command execution
+	registriesConfPath string                  // Path to the "registries.conf" file
+	tmpDir             string                  // Path to use for big temporary files
+}
+
+// requireSubcommand returns an error if no sub command is provided
+// This was copied from podman: `github.com/containers/podman/cmd/podman/validate/args.go
+// Some small style changes to match skopeo were applied, but try to apply any
+// bugfixes there first.
+func requireSubcommand(cmd *cobra.Command, args []string) error {
+	if len(args) > 0 {
+		suggestions := cmd.SuggestionsFor(args[0])
+		if len(suggestions) == 0 {
+			return fmt.Errorf("Unrecognized command `%[1]s %[2]s`\nTry '%[1]s --help' for more information", cmd.CommandPath(), args[0])
+		}
+		return fmt.Errorf("Unrecognized command `%[1]s %[2]s`\n\nDid you mean this?\n\t%[3]s\n\nTry '%[1]s --help' for more information", cmd.CommandPath(), args[0], strings.Join(suggestions, "\n\t"))
+	}
+	return fmt.Errorf("Missing command '%[1]s COMMAND'\nTry '%[1]s --help' for more information", cmd.CommandPath())
 }

 // createApp returns a cobra.Command, and the underlying globalOptions object, to be run or tested.
@@ -40,16 +57,14 @@ func createApp() (*cobra.Command, *globalOptions) {
 	rootCommand := &cobra.Command{
 		Use:  "skopeo",
 		Long: "Various operations with container images and container image registries",
+		RunE: requireSubcommand,
 		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 			return opts.before(cmd)
 		},
 		SilenceUsage:  true,
 		SilenceErrors: true,
-		// Currently, skopeo uses manually written completions.  Cobra allows
-		// for auto-generating completions for various shells.  Podman is
-		// already making us of that.  If Skopeo decides to follow, please
-		// remove the line below (and hide the `completion` command).
-		CompletionOptions: cobra.CompletionOptions{DisableDefaultCmd: true},
+		// Hide the completion command which is provided by cobra
+		CompletionOptions: cobra.CompletionOptions{HiddenDefaultCmd: true},
 		// This is documented to parse "local" (non-PersistentFlags) flags of parent commands before
 		// running subcommands and handling their options. We don't really run into such cases,
 		// because all of our flags on rootCommand are in PersistentFlags, except for the deprecated --tls-verify;
@@ -78,7 +93,7 @@ func createApp() (*cobra.Command, *globalOptions) {
 		logrus.Fatal("unable to mark registries-conf flag as hidden")
 	}
 	rootCommand.PersistentFlags().StringVar(&opts.tmpDir, "tmpdir", "", "directory used to store temporary files")
-	flag := optionalBoolFlag(rootCommand.Flags(), &opts.tlsVerify, "tls-verify", "Require HTTPS and verify certificates when accessing the registry")
+	flag := commonFlag.OptionalBoolFlag(rootCommand.Flags(), &opts.tlsVerify, "tls-verify", "Require HTTPS and verify certificates when accessing the registry")
 	flag.Hidden = true
 	rootCommand.AddCommand(
 		copyCmd(&opts),
@@ -88,6 +103,7 @@ func createApp() (*cobra.Command, *globalOptions) {
 		loginCmd(&opts),
 		logoutCmd(&opts),
 		manifestDigestCmd(),
+		proxyCmd(&opts),
 		syncCmd(&opts),
 		standaloneSignCmd(),
 		standaloneVerifyCmd(),
@@ -102,7 +118,7 @@ func (opts *globalOptions) before(cmd *cobra.Command) error {
 	if opts.debug {
 		logrus.SetLevel(logrus.DebugLevel)
 	}
-	if opts.tlsVerify.present {
+	if opts.tlsVerify.Present() {
 		logrus.Warn("'--tls-verify' is deprecated, please set this on the specific subcommand")
 	}
 	return nil
@@ -159,8 +175,8 @@ func (opts *globalOptions) newSystemContext() *types.SystemContext {
 		DockerRegistryUserAgent:  defaultUserAgent,
 	}
 	// DEPRECATED: We support this for backward compatibility, but override it if a per-image flag is provided.
-	if opts.tlsVerify.present {
-		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.value)
+	if opts.tlsVerify.Present() {
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
 	}
 	return ctx
 }
--- a/cmd/skopeo/manifest.go
+++ b/cmd/skopeo/manifest.go
@@ -4,7 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"

 	"github.com/containers/image/v5/manifest"
 	"github.com/spf13/cobra"
@@ -31,7 +31,7 @@ func (opts *manifestDigestOptions) run(args []string, stdout io.Writer) error {
 	}
 	manifestPath := args[0]

-	man, err := ioutil.ReadFile(manifestPath)
+	man, err := os.ReadFile(manifestPath)
 	if err != nil {
 		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
 	}
--- a/cmd/skopeo/proxy.go
+++ b/cmd/skopeo/proxy.go
@@ -0,0 +1,738 @@
+//go:build !windows
+// +build !windows
+
+package main
+
+/*
+  This code is currently only intended to be used by ostree
+  to fetch content via containers.  The API is subject
+  to change.  A goal however is to stabilize the API
+  eventually as a full out-of-process interface to the
+  core containers/image library functionality.
+
+  To use this command, in a parent process create a
+  `socketpair()` of type `SOCK_SEQPACKET`.  Fork
+  off this command, and pass one half of the socket
+  pair to the child.  Providing it on stdin (fd 0)
+  is the expected default.
+
+  The protocol is JSON for the control layer,
+  and  a read side of a `pipe()` passed for large data.
+
+ Base JSON protocol:
+
+ request: { method: "MethodName": args: [arguments] }
+ reply: { success: bool, value: JSVAL, pipeid: number, error: string }
+
+ For any non-metadata i.e. payload data from `GetManifest`
+ and `GetBlob` the server will pass back the read half of a `pipe(2)` via FD passing,
+ along with a `pipeid` integer.
+
+ The expected flow looks like this:
+
+  - Initialize
+    And validate the returned protocol version versus
+	what your client supports.
+  - OpenImage docker://quay.io/someorg/example:latest
+    (returns an imageid)
+  - GetManifest imageid (and associated <pipeid>)
+  (Streaming read data from pipe)
+  - FinishPipe <pipeid>
+  - GetBlob imageid sha256:...
+  (Streaming read data from pipe)
+  - FinishPipe <pipeid>
+  - GetBlob imageid sha256:...
+  (Streaming read data from pipe)
+  - FinishPipe <pipeid>
+  - CloseImage imageid
+
+ You may interleave invocations of these methods, e.g. one
+ can also invoke `OpenImage` multiple times, as well as
+ starting multiple GetBlob requests before calling `FinishPipe`
+ on them.  The server will stream data into the pipefd
+ until `FinishPipe` is invoked.
+
+ Note that the pipe will not be closed by the server until
+ the client has invoked `FinishPipe`.  This is to ensure
+ that the client checks for errors.  For example, `GetBlob`
+ performs digest (e.g. sha256) verification and this must
+ be checked after all data has been written.
+*/
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"sync"
+	"syscall"
+
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/spf13/cobra"
+)
+
+// protocolVersion is semantic version of the protocol used by this proxy.
+// The first version of the protocol has major version 0.2 to signify a
+// departure from the original code which used HTTP.
+//
+// 0.2.1: Initial version
+// 0.2.2: Added support for fetching image configuration as OCI
+// 0.2.3: Added GetFullConfig
+const protocolVersion = "0.2.3"
+
+// maxMsgSize is the current limit on a packet size.
+// Note that all non-metadata (i.e. payload data) is sent over a pipe.
+const maxMsgSize = 32 * 1024
+
+// maxJSONFloat is ECMA Number.MAX_SAFE_INTEGER
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER
+// We hard error if the input JSON numbers we expect to be
+// integers are above this.
+const maxJSONFloat = float64(uint64(1)<<53 - 1)
+
+// request is the JSON serialization of a function call
+type request struct {
+	// Method is the name of the function
+	Method string `json:"method"`
+	// Args is the arguments (parsed inside the function)
+	Args []interface{} `json:"args"`
+}
+
+// reply is serialized to JSON as the return value from a function call.
+type reply struct {
+	// Success is true if and only if the call succeeded.
+	Success bool `json:"success"`
+	// Value is an arbitrary value (or values, as array/map) returned from the call.
+	Value interface{} `json:"value"`
+	// PipeID is an index into open pipes, and should be passed to FinishPipe
+	PipeID uint32 `json:"pipeid"`
+	// Error should be non-empty if Success == false
+	Error string `json:"error"`
+}
+
+// replyBuf is our internal deserialization of reply plus optional fd
+type replyBuf struct {
+	// value will be converted to a reply Value
+	value interface{}
+	// fd is the read half of a pipe, passed back to the client
+	fd *os.File
+	// pipeid will be provided to the client as PipeID, an index into our open pipes
+	pipeid uint32
+}
+
+// activePipe is an open pipe to the client.
+// It contains an error value
+type activePipe struct {
+	// w is the write half of the pipe
+	w *os.File
+	// wg is completed when our worker goroutine is done
+	wg sync.WaitGroup
+	// err may be set in our worker goroutine
+	err error
+}
+
+// openImage is an opened image reference
+type openImage struct {
+	// id is an opaque integer handle
+	id        uint32
+	src       types.ImageSource
+	cachedimg types.Image
+}
+
+// proxyHandler is the state associated with our socket.
+type proxyHandler struct {
+	// lock protects everything else in this structure.
+	lock sync.Mutex
+	// opts is CLI options
+	opts   *proxyOptions
+	sysctx *types.SystemContext
+	cache  types.BlobInfoCache
+
+	// imageSerial is a counter for open images
+	imageSerial uint32
+	// images holds our opened images
+	images map[uint32]*openImage
+	// activePipes maps from "pipeid" to a pipe + goroutine pair
+	activePipes map[uint32]*activePipe
+}
+
+// Initialize performs one-time initialization, and returns the protocol version
+func (h *proxyHandler) Initialize(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if len(args) != 0 {
+		return ret, fmt.Errorf("invalid request, expecting zero arguments")
+	}
+
+	if h.sysctx != nil {
+		return ret, fmt.Errorf("already initialized")
+	}
+
+	sysctx, err := h.opts.imageOpts.newSystemContext()
+	if err != nil {
+		return ret, err
+	}
+	h.sysctx = sysctx
+	h.cache = blobinfocache.DefaultCache(sysctx)
+
+	r := replyBuf{
+		value: protocolVersion,
+	}
+	return r, nil
+}
+
+// OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
+// The return value is an opaque integer handle.
+func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting one argument")
+	}
+	imageref, ok := args[0].(string)
+	if !ok {
+		return ret, fmt.Errorf("expecting string imageref, not %T", args[0])
+	}
+
+	imgRef, err := alltransports.ParseImageName(imageref)
+	if err != nil {
+		return ret, err
+	}
+	imgsrc, err := imgRef.NewImageSource(context.Background(), h.sysctx)
+	if err != nil {
+		return ret, err
+	}
+
+	h.imageSerial++
+	openimg := &openImage{
+		id:  h.imageSerial,
+		src: imgsrc,
+	}
+	h.images[openimg.id] = openimg
+	ret.value = openimg.id
+
+	return ret, nil
+}
+
+func (h *proxyHandler) CloseImage(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting one argument")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	imgref.src.Close()
+	delete(h.images, imgref.id)
+
+	return ret, nil
+}
+
+func parseImageID(v interface{}) (uint32, error) {
+	imgidf, ok := v.(float64)
+	if !ok {
+		return 0, fmt.Errorf("expecting integer imageid, not %T", v)
+	}
+	return uint32(imgidf), nil
+}
+
+// parseUint64 validates that a number fits inside a JavaScript safe integer
+func parseUint64(v interface{}) (uint64, error) {
+	f, ok := v.(float64)
+	if !ok {
+		return 0, fmt.Errorf("expecting numeric, not %T", v)
+	}
+	if f > maxJSONFloat {
+		return 0, fmt.Errorf("out of range integer for numeric %f", f)
+	}
+	return uint64(f), nil
+}
+
+func (h *proxyHandler) parseImageFromID(v interface{}) (*openImage, error) {
+	imgid, err := parseImageID(v)
+	if err != nil {
+		return nil, err
+	}
+	imgref, ok := h.images[imgid]
+	if !ok {
+		return nil, fmt.Errorf("no image %v", imgid)
+	}
+	return imgref, nil
+}
+
+func (h *proxyHandler) allocPipe() (*os.File, *activePipe, error) {
+	piper, pipew, err := os.Pipe()
+	if err != nil {
+		return nil, nil, err
+	}
+	f := activePipe{
+		w: pipew,
+	}
+	h.activePipes[uint32(pipew.Fd())] = &f
+	f.wg.Add(1)
+	return piper, &f, nil
+}
+
+// returnBytes generates a return pipe() from a byte array
+// In the future it might be nicer to return this via memfd_create()
+func (h *proxyHandler) returnBytes(retval interface{}, buf []byte) (replyBuf, error) {
+	var ret replyBuf
+	piper, f, err := h.allocPipe()
+	if err != nil {
+		return ret, err
+	}
+
+	go func() {
+		// Signal completion when we return
+		defer f.wg.Done()
+		_, err = io.Copy(f.w, bytes.NewReader(buf))
+		if err != nil {
+			f.err = err
+		}
+	}()
+
+	ret.value = retval
+	ret.fd = piper
+	ret.pipeid = uint32(f.w.Fd())
+	return ret, nil
+}
+
+// cacheTargetManifest is invoked when GetManifest or GetConfig is invoked
+// the first time for a given image.  If the requested image is a manifest
+// list, this function resolves it to the image matching the calling process'
+// operating system and architecture.
+//
+// TODO: Add GetRawManifest or so that exposes manifest lists
+func (h *proxyHandler) cacheTargetManifest(img *openImage) error {
+	ctx := context.Background()
+	if img.cachedimg != nil {
+		return nil
+	}
+	unparsedToplevel := image.UnparsedInstance(img.src, nil)
+	mfest, manifestType, err := unparsedToplevel.Manifest(ctx)
+	if err != nil {
+		return err
+	}
+	var target *image.UnparsedImage
+	if manifest.MIMETypeIsMultiImage(manifestType) {
+		manifestList, err := manifest.ListFromBlob(mfest, manifestType)
+		if err != nil {
+			return err
+		}
+		instanceDigest, err := manifestList.ChooseInstance(h.sysctx)
+		if err != nil {
+			return err
+		}
+		target = image.UnparsedInstance(img.src, &instanceDigest)
+	} else {
+		target = unparsedToplevel
+	}
+	cachedimg, err := image.FromUnparsedImage(ctx, h.sysctx, target)
+	if err != nil {
+		return err
+	}
+	img.cachedimg = cachedimg
+	return nil
+}
+
+// GetManifest returns a copy of the manifest, converted to OCI format, along with the original digest.
+// Manifest lists are resolved to the current operating system and architecture.
+func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting one argument")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	ctx := context.Background()
+	rawManifest, manifestType, err := img.Manifest(ctx)
+	if err != nil {
+		return ret, err
+	}
+
+	// We only support OCI and docker2schema2.  We know docker2schema2 can be easily+cheaply
+	// converted into OCI, so consumers only need to see OCI.
+	switch manifestType {
+	case imgspecv1.MediaTypeImageManifest, manifest.DockerV2Schema2MediaType:
+		break
+	// Explicitly reject e.g. docker schema 1 type with a "legacy" note
+	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
+		return ret, fmt.Errorf("unsupported legacy manifest MIME type: %s", manifestType)
+	default:
+		return ret, fmt.Errorf("unsupported manifest MIME type: %s", manifestType)
+	}
+
+	// We always return the original digest, as that's what clients need to do pull-by-digest
+	// and in general identify the image.
+	digest, err := manifest.Digest(rawManifest)
+	if err != nil {
+		return ret, err
+	}
+	var serialized []byte
+	// But, we convert to OCI format on the wire if it's not already.  The idea here is that by reusing the containers/image
+	// stack, clients to this proxy can pretend the world is OCI only, and not need to care about e.g.
+	// docker schema and MIME types.
+	if manifestType != imgspecv1.MediaTypeImageManifest {
+		manifestUpdates := types.ManifestUpdateOptions{ManifestMIMEType: imgspecv1.MediaTypeImageManifest}
+		ociImage, err := img.UpdatedImage(ctx, manifestUpdates)
+		if err != nil {
+			return ret, err
+		}
+
+		ociSerialized, _, err := ociImage.Manifest(ctx)
+		if err != nil {
+			return ret, err
+		}
+		serialized = ociSerialized
+	} else {
+		serialized = rawManifest
+	}
+	return h.returnBytes(digest, serialized)
+}
+
+// GetFullConfig returns a copy of the image configuration, converted to OCI format.
+// https://github.com/opencontainers/image-spec/blob/main/config.md
+func (h *proxyHandler) GetFullConfig(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting: [imgid]")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	ctx := context.TODO()
+	config, err := img.OCIConfig(ctx)
+	if err != nil {
+		return ret, err
+	}
+	serialized, err := json.Marshal(&config)
+	if err != nil {
+		return ret, err
+	}
+	return h.returnBytes(nil, serialized)
+}
+
+// GetConfig returns a copy of the container runtime configuration, converted to OCI format.
+// Note that due to a historical mistake, this returns not the full image configuration,
+// but just the container runtime configuration.  You should use GetFullConfig instead.
+func (h *proxyHandler) GetConfig(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 1 {
+		return ret, fmt.Errorf("invalid request, expecting: [imgid]")
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	ctx := context.TODO()
+	config, err := img.OCIConfig(ctx)
+	if err != nil {
+		return ret, err
+	}
+	serialized, err := json.Marshal(&config.Config)
+	if err != nil {
+		return ret, err
+	}
+	return h.returnBytes(nil, serialized)
+}
+
+// GetBlob fetches a blob, performing digest verification.
+func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+	if len(args) != 3 {
+		return ret, fmt.Errorf("found %d args, expecting (imgid, digest, size)", len(args))
+	}
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+	digestStr, ok := args[1].(string)
+	if !ok {
+		return ret, fmt.Errorf("expecting string blobid")
+	}
+	size, err := parseUint64(args[2])
+	if err != nil {
+		return ret, err
+	}
+
+	ctx := context.TODO()
+	d, err := digest.Parse(digestStr)
+	if err != nil {
+		return ret, err
+	}
+	blobr, blobSize, err := imgref.src.GetBlob(ctx, types.BlobInfo{Digest: d, Size: int64(size)}, h.cache)
+	if err != nil {
+		return ret, err
+	}
+
+	piper, f, err := h.allocPipe()
+	if err != nil {
+		return ret, err
+	}
+	go func() {
+		// Signal completion when we return
+		defer f.wg.Done()
+		verifier := d.Verifier()
+		tr := io.TeeReader(blobr, verifier)
+		n, err := io.Copy(f.w, tr)
+		if err != nil {
+			f.err = err
+			return
+		}
+		if n != int64(size) {
+			f.err = fmt.Errorf("expected %d bytes in blob, got %d", size, n)
+		}
+		if !verifier.Verified() {
+			f.err = fmt.Errorf("corrupted blob, expecting %s", d.String())
+		}
+	}()
+
+	ret.value = blobSize
+	ret.fd = piper
+	ret.pipeid = uint32(f.w.Fd())
+	return ret, nil
+}
+
+// FinishPipe waits for the worker goroutine to finish, and closes the write side of the pipe.
+func (h *proxyHandler) FinishPipe(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	pipeidv, err := parseUint64(args[0])
+	if err != nil {
+		return ret, err
+	}
+	pipeid := uint32(pipeidv)
+
+	f, ok := h.activePipes[pipeid]
+	if !ok {
+		return ret, fmt.Errorf("finishpipe: no active pipe %d", pipeid)
+	}
+
+	// Wait for the goroutine to complete
+	f.wg.Wait()
+	// And only now do we close the write half; this forces the client to call this API
+	f.w.Close()
+	// Propagate any errors from the goroutine worker
+	err = f.err
+	delete(h.activePipes, pipeid)
+	return ret, err
+}
+
+// send writes a reply buffer to the socket
+func (buf replyBuf) send(conn *net.UnixConn, err error) error {
+	replyToSerialize := reply{
+		Success: err == nil,
+		Value:   buf.value,
+		PipeID:  buf.pipeid,
+	}
+	if err != nil {
+		replyToSerialize.Error = err.Error()
+	}
+	serializedReply, err := json.Marshal(&replyToSerialize)
+	if err != nil {
+		return err
+	}
+	// We took ownership of the FD - close it when we're done.
+	defer func() {
+		if buf.fd != nil {
+			buf.fd.Close()
+		}
+	}()
+	// Copy the FD number to the socket ancillary buffer
+	fds := make([]int, 0)
+	if buf.fd != nil {
+		fds = append(fds, int(buf.fd.Fd()))
+	}
+	oob := syscall.UnixRights(fds...)
+	n, oobn, err := conn.WriteMsgUnix(serializedReply, oob, nil)
+	if err != nil {
+		return err
+	}
+	// Validate that we sent the full packet
+	if n != len(serializedReply) || oobn != len(oob) {
+		return io.ErrShortWrite
+	}
+	return nil
+}
+
+type proxyOptions struct {
+	global    *globalOptions
+	imageOpts *imageOptions
+	sockFd    int
+}
+
+func proxyCmd(global *globalOptions) *cobra.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, nil, "", "")
+	opts := proxyOptions{global: global, imageOpts: imageOpts}
+	cmd := &cobra.Command{
+		Use:   "experimental-image-proxy [command options] IMAGE",
+		Short: "Interactive proxy for fetching container images (EXPERIMENTAL)",
+		Long:  `Run skopeo as a proxy, supporting HTTP requests to fetch manifests and blobs.`,
+		RunE:  commandAction(opts.run),
+		Args:  cobra.ExactArgs(0),
+		// Not stabilized yet
+		Hidden:  true,
+		Example: `skopeo experimental-image-proxy --sockfd 3`,
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.AddFlagSet(&sharedFlags)
+	flags.AddFlagSet(&imageFlags)
+	flags.IntVar(&opts.sockFd, "sockfd", 0, "Serve on opened socket pair (default 0/stdin)")
+	return cmd
+}
+
+// processRequest dispatches a remote request.
+// replyBuf is the result of the invocation.
+// terminate should be true if processing of requests should halt.
+func (h *proxyHandler) processRequest(readBytes []byte) (rb replyBuf, terminate bool, err error) {
+	var req request
+
+	// Parse the request JSON
+	if err = json.Unmarshal(readBytes, &req); err != nil {
+		err = fmt.Errorf("invalid request: %v", err)
+		return
+	}
+	// Dispatch on the method
+	switch req.Method {
+	case "Initialize":
+		rb, err = h.Initialize(req.Args)
+	case "OpenImage":
+		rb, err = h.OpenImage(req.Args)
+	case "CloseImage":
+		rb, err = h.CloseImage(req.Args)
+	case "GetManifest":
+		rb, err = h.GetManifest(req.Args)
+	case "GetConfig":
+		rb, err = h.GetConfig(req.Args)
+	case "GetFullConfig":
+		rb, err = h.GetFullConfig(req.Args)
+	case "GetBlob":
+		rb, err = h.GetBlob(req.Args)
+	case "FinishPipe":
+		rb, err = h.FinishPipe(req.Args)
+	case "Shutdown":
+		terminate = true
+	default:
+		err = fmt.Errorf("unknown method: %s", req.Method)
+	}
+	return
+}
+
+// Implementation of podman experimental-image-proxy
+func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
+	handler := &proxyHandler{
+		opts:        opts,
+		images:      make(map[uint32]*openImage),
+		activePipes: make(map[uint32]*activePipe),
+	}
+
+	// Convert the socket FD passed by client into a net.FileConn
+	fd := os.NewFile(uintptr(opts.sockFd), "sock")
+	fconn, err := net.FileConn(fd)
+	if err != nil {
+		return err
+	}
+	conn := fconn.(*net.UnixConn)
+
+	// Allocate a buffer to copy the packet into
+	buf := make([]byte, maxMsgSize)
+	for {
+		n, _, err := conn.ReadFrom(buf)
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				return nil
+			}
+			return fmt.Errorf("reading socket: %v", err)
+		}
+		readbuf := buf[0:n]
+
+		rb, terminate, err := handler.processRequest(readbuf)
+		if terminate {
+			return nil
+		}
+
+		if err := rb.send(conn, err); err != nil {
+			return fmt.Errorf("writing to socket: %w", err)
+		}
+	}
+}
--- a/cmd/skopeo/proxy_windows.go
+++ b/cmd/skopeo/proxy_windows.go
@@ -0,0 +1,30 @@
+//go:build windows
+// +build windows
+
+package main
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/spf13/cobra"
+)
+
+type proxyOptions struct {
+	global *globalOptions
+}
+
+func proxyCmd(global *globalOptions) *cobra.Command {
+	opts := proxyOptions{global: global}
+	cmd := &cobra.Command{
+		RunE: commandAction(opts.run),
+		Args: cobra.ExactArgs(0),
+		// Not stabilized yet
+		Hidden: true,
+	}
+	return cmd
+}
+
+func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
+	return fmt.Errorf("This command is not supported on Windows")
+}
--- a/cmd/skopeo/signing.go
+++ b/cmd/skopeo/signing.go
@@ -5,14 +5,16 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"

+	"github.com/containers/image/v5/pkg/cli"
 	"github.com/containers/image/v5/signature"
 	"github.com/spf13/cobra"
 )

 type standaloneSignOptions struct {
-	output string // Output file path
+	output         string // Output file path
+	passphraseFile string // Path pointing to a passphrase file when signing
 }

 func standaloneSignCmd() *cobra.Command {
@@ -25,6 +27,7 @@ func standaloneSignCmd() *cobra.Command {
 	adjustUsage(cmd)
 	flags := cmd.Flags()
 	flags.StringVarP(&opts.output, "output", "o", "", "output the signature to `SIGNATURE`")
+	flags.StringVarP(&opts.passphraseFile, "passphrase-file", "", "", "file that contains a passphrase for the --sign-by key")
 	return cmd
 }

@@ -36,7 +39,7 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {
 	dockerReference := args[1]
 	fingerprint := args[2]

-	manifest, err := ioutil.ReadFile(manifestPath)
+	manifest, err := os.ReadFile(manifestPath)
 	if err != nil {
 		return fmt.Errorf("Error reading %s: %v", manifestPath, err)
 	}
@@ -46,12 +49,18 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {
 		return fmt.Errorf("Error initializing GPG: %v", err)
 	}
 	defer mech.Close()
-	signature, err := signature.SignDockerManifest(manifest, dockerReference, mech, fingerprint)
+
+	passphrase, err := cli.ReadPassphraseFile(opts.passphraseFile)
+	if err != nil {
+		return err
+	}
+
+	signature, err := signature.SignDockerManifestWithOptions(manifest, dockerReference, mech, fingerprint, &signature.SignOptions{Passphrase: passphrase})
 	if err != nil {
 		return fmt.Errorf("Error creating signature: %v", err)
 	}

-	if err := ioutil.WriteFile(opts.output, signature, 0644); err != nil {
+	if err := os.WriteFile(opts.output, signature, 0644); err != nil {
 		return fmt.Errorf("Error writing signature to %s: %v", opts.output, err)
 	}
 	return nil
@@ -80,11 +89,11 @@ func (opts *standaloneVerifyOptions) run(args []string, stdout io.Writer) error
 	expectedFingerprint := args[2]
 	signaturePath := args[3]

-	unverifiedManifest, err := ioutil.ReadFile(manifestPath)
+	unverifiedManifest, err := os.ReadFile(manifestPath)
 	if err != nil {
 		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
 	}
-	unverifiedSignature, err := ioutil.ReadFile(signaturePath)
+	unverifiedSignature, err := os.ReadFile(signaturePath)
 	if err != nil {
 		return fmt.Errorf("Error reading signature from %s: %v", signaturePath, err)
 	}
@@ -130,7 +139,7 @@ func (opts *untrustedSignatureDumpOptions) run(args []string, stdout io.Writer)
 	}
 	untrustedSignaturePath := args[0]

-	untrustedSignature, err := ioutil.ReadFile(untrustedSignaturePath)
+	untrustedSignature, err := os.ReadFile(untrustedSignaturePath)
 	if err != nil {
 		return fmt.Errorf("Error reading untrusted signature from %s: %v", untrustedSignaturePath, err)
 	}
--- a/cmd/skopeo/signing_test.go
+++ b/cmd/skopeo/signing_test.go
@@ -2,7 +2,6 @@ package main

 import (
 	"encoding/json"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -25,9 +24,8 @@ const (
 // Test that results of runSkopeo failed with nothing on stdout, and substring
 // within the error message.
 func assertTestFailed(t *testing.T, stdout string, err error, substring string) {
-	assert.Error(t, err)
+	assert.ErrorContains(t, err, substring)
 	assert.Empty(t, stdout)
-	assert.Contains(t, err.Error(), substring)
 }

 func TestStandaloneSign(t *testing.T) {
@@ -40,8 +38,7 @@ func TestStandaloneSign(t *testing.T) {

 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/manifest"
-	os.Setenv("GNUPGHOME", "fixtures")
-	defer os.Unsetenv("GNUPGHOME")
+	t.Setenv("GNUPGHOME", "fixtures")

 	// Invalid command-line arguments
 	for _, args := range [][]string{
@@ -78,7 +75,7 @@ func TestStandaloneSign(t *testing.T) {
 	assertTestFailed(t, out, err, "/dev/full")

 	// Success
-	sigOutput, err := ioutil.TempFile("", "sig")
+	sigOutput, err := os.CreateTemp("", "sig")
 	require.NoError(t, err)
 	defer os.Remove(sigOutput.Name())
 	out, err = runSkopeo("standalone-sign", "-o", sigOutput.Name(),
@@ -86,9 +83,9 @@ func TestStandaloneSign(t *testing.T) {
 	require.NoError(t, err)
 	assert.Empty(t, out)

-	sig, err := ioutil.ReadFile(sigOutput.Name())
+	sig, err := os.ReadFile(sigOutput.Name())
 	require.NoError(t, err)
-	manifest, err := ioutil.ReadFile(manifestPath)
+	manifest, err := os.ReadFile(manifestPath)
 	require.NoError(t, err)
 	mech, err = signature.NewGPGSigningMechanism()
 	require.NoError(t, err)
@@ -103,8 +100,7 @@ func TestStandaloneVerify(t *testing.T) {
 	manifestPath := "fixtures/image.manifest.json"
 	signaturePath := "fixtures/image.signature"
 	dockerReference := "testing/manifest"
-	os.Setenv("GNUPGHOME", "fixtures")
-	defer os.Unsetenv("GNUPGHOME")
+	t.Setenv("GNUPGHOME", "fixtures")

 	// Invalid command-line arguments
 	for _, args := range [][]string{
--- a/cmd/skopeo/sync.go
+++ b/cmd/skopeo/sync.go
@@ -2,24 +2,26 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
 	"regexp"
 	"strings"

+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/copy"
 	"github.com/containers/image/v5/directory"
 	"github.com/containers/image/v5/docker"
 	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/pkg/cli"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"gopkg.in/yaml.v2"
@@ -27,18 +29,23 @@ import (

 // syncOptions contains information retrieved from the skopeo sync command line.
 type syncOptions struct {
-	global              *globalOptions // Global (not command dependent) skopeo options
-	deprecatedTLSVerify *deprecatedTLSVerifyOption
-	srcImage            *imageOptions     // Source image options
-	destImage           *imageDestOptions // Destination image options
-	retryOpts           *retry.RetryOptions
-	removeSignatures    bool           // Do not copy signatures from the source image
-	signByFingerprint   string         // Sign the image using a GPG key with the specified fingerprint
-	format              optionalString // Force conversion of the image to a specified format
-	source              string         // Source repository name
-	destination         string         // Destination registry name
-	scoped              bool           // When true, namespace copied images at destination using the source repository name
-	all                 bool           // Copy all of the images if an image in the source is a list
+	global                   *globalOptions // Global (not command dependent) skopeo options
+	deprecatedTLSVerify      *deprecatedTLSVerifyOption
+	srcImage                 *imageOptions     // Source image options
+	destImage                *imageDestOptions // Destination image options
+	retryOpts                *retry.Options
+	removeSignatures         bool                      // Do not copy signatures from the source image
+	signByFingerprint        string                    // Sign the image using a GPG key with the specified fingerprint
+	signBySigstorePrivateKey string                    // Sign the image using a sigstore private key
+	signPassphraseFile       string                    // Path pointing to a passphrase file when signing
+	format                   commonFlag.OptionalString // Force conversion of the image to a specified format
+	source                   string                    // Source repository name
+	destination              string                    // Destination registry name
+	scoped                   bool                      // When true, namespace copied images at destination using the source repository name
+	all                      bool                      // Copy all of the images if an image in the source is a list
+	dryRun                   bool                      // Don't actually copy anything, just output what it would have done
+	preserveDigests          bool                      // Preserve digests during sync
+	keepGoing                bool                      // Whether or not to abort the sync if there are any errors during syncing the images
 }

 // repoDescriptor contains information of a single repository used as a sync source.
@@ -99,11 +106,16 @@ See skopeo-sync(1) for details.
 	flags := cmd.Flags()
 	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE images")
 	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
-	flags.VarP(newOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest type of source, with fallbacks)`)
+	flags.StringVar(&opts.signBySigstorePrivateKey, "sign-by-sigstore-private-key", "", "Sign the image using a sigstore private key at `PATH`")
+	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "File that contains a passphrase for the --sign-by key")
+	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest type of source, with fallbacks)`)
 	flags.StringVarP(&opts.source, "src", "s", "", "SOURCE transport type")
 	flags.StringVarP(&opts.destination, "dest", "d", "", "DESTINATION transport type")
 	flags.BoolVar(&opts.scoped, "scoped", false, "Images at DESTINATION are prefix using the full source image path as scope")
 	flags.BoolVarP(&opts.all, "all", "a", false, "Copy all images if SOURCE-IMAGE is a list")
+	flags.BoolVar(&opts.dryRun, "dry-run", false, "Run without actually copying data")
+	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
+	flags.BoolVarP(&opts.keepGoing, "keep-going", "", false, "Do not abort the sync if any image copy fails")
 	flags.AddFlagSet(&sharedFlags)
 	flags.AddFlagSet(&deprecatedTLSVerifyFlags)
 	flags.AddFlagSet(&srcFlags)
@@ -130,13 +142,13 @@ func (tls *tlsVerifyConfig) UnmarshalYAML(unmarshal func(interface{}) error) err
 // It returns a new unmarshaled sourceConfig object and any error encountered.
 func newSourceConfig(yamlFile string) (sourceConfig, error) {
 	var cfg sourceConfig
-	source, err := ioutil.ReadFile(yamlFile)
+	source, err := os.ReadFile(yamlFile)
 	if err != nil {
 		return cfg, err
 	}
 	err = yaml.Unmarshal(source, &cfg)
 	if err != nil {
-		return cfg, errors.Wrapf(err, "Failed to unmarshal %q", yamlFile)
+		return cfg, fmt.Errorf("Failed to unmarshal %q: %w", yamlFile, err)
 	}
 	return cfg, nil
 }
@@ -148,7 +160,7 @@ func parseRepositoryReference(input string) (reference.Named, error) {
 		return nil, err
 	}
 	if !reference.IsNameOnly(ref) {
-		return nil, errors.Errorf("input names a reference, not a repository")
+		return nil, errors.New("input names a reference, not a repository")
 	}
 	return ref, nil
 }
@@ -166,24 +178,24 @@ func destinationReference(destination string, transport string) (types.ImageRefe
 	case directory.Transport.Name():
 		_, err := os.Stat(destination)
 		if err == nil {
-			return nil, errors.Errorf("Refusing to overwrite destination directory %q", destination)
+			return nil, fmt.Errorf("Refusing to overwrite destination directory %q", destination)
 		}
 		if !os.IsNotExist(err) {
-			return nil, errors.Wrap(err, "Destination directory could not be used")
+			return nil, fmt.Errorf("Destination directory could not be used: %w", err)
 		}
 		// the directory holding the image must be created here
 		if err = os.MkdirAll(destination, 0755); err != nil {
-			return nil, errors.Wrapf(err, "Error creating directory for image %s", destination)
+			return nil, fmt.Errorf("Error creating directory for image %s: %w", destination, err)
 		}
 		imageTransport = directory.Transport
 	default:
-		return nil, errors.Errorf("%q is not a valid destination transport", transport)
+		return nil, fmt.Errorf("%q is not a valid destination transport", transport)
 	}
 	logrus.Debugf("Destination for transport %q: %s", transport, destination)

 	destRef, err := imageTransport.ParseReference(destination)
 	if err != nil {
-		return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", imageTransport.Name(), destination)
+		return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", imageTransport.Name(), destination, err)
 	}

 	return destRef, nil
@@ -203,16 +215,16 @@ func getImageTags(ctx context.Context, sysCtx *types.SystemContext, repoRef refe
 		return nil, err // Should never happen for a reference with tag and no digest
 	}
 	tags, err := docker.GetRepositoryTags(ctx, sysCtx, dockerRef)
-
-	switch err := err.(type) {
-	case nil:
-		break
-	case docker.ErrUnauthorizedForCredentials:
-		// Some registries may decide to block the "list all tags" endpoint.
-		// Gracefully allow the sync to continue in this case.
-		logrus.Warnf("Registry disallows tag list retrieval: %s", err)
-	default:
-		return tags, errors.Wrapf(err, "Error determining repository tags for image %s", name)
+	if err != nil {
+		var unauthorizedForCredentials docker.ErrUnauthorizedForCredentials
+		if errors.As(err, &unauthorizedForCredentials) {
+			// Some registries may decide to block the "list all tags" endpoint.
+			// Gracefully allow the sync to continue in this case.
+			logrus.Warnf("Registry disallows tag list retrieval: %s", err)
+			tags = nil
+		} else {
+			return nil, fmt.Errorf("Error determining repository tags for image %s: %w", name, err)
+		}
 	}

 	return tags, nil
@@ -232,11 +244,11 @@ func imagesToCopyFromRepo(sys *types.SystemContext, repoRef reference.Named) ([]
 	for _, tag := range tags {
 		taggedRef, err := reference.WithTag(repoRef, tag)
 		if err != nil {
-			return nil, errors.Wrapf(err, "Error creating a reference for repository %s and tag %q", repoRef.Name(), tag)
+			return nil, fmt.Errorf("Error creating a reference for repository %s and tag %q: %w", repoRef.Name(), tag, err)
 		}
 		ref, err := docker.NewReference(taggedRef)
 		if err != nil {
-			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %s", docker.Transport.Name(), taggedRef.String())
+			return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %s: %w", docker.Transport.Name(), taggedRef.String(), err)
 		}
 		sourceReferences = append(sourceReferences, ref)
 	}
@@ -249,15 +261,15 @@ func imagesToCopyFromRepo(sys *types.SystemContext, repoRef reference.Named) ([]
 // and any error encountered.
 func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {
 	var sourceReferences []types.ImageReference
-	err := filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
+	err := filepath.WalkDir(dirPath, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
+		if !d.IsDir() && d.Name() == "manifest.json" {
 			dirname := filepath.Dir(path)
 			ref, err := directory.Transport.ParseReference(dirname)
 			if err != nil {
-				return errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", directory.Transport.Name(), dirname)
+				return fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", directory.Transport.Name(), dirname, err)
 			}
 			sourceReferences = append(sourceReferences, ref)
 			return filepath.SkipDir
@@ -267,7 +279,7 @@ func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {

 	if err != nil {
 		return sourceReferences,
-			errors.Wrapf(err, "Error walking the path %q", dirPath)
+			fmt.Errorf("Error walking the path %q: %w", dirPath, err)
 	}

 	return sourceReferences, nil
@@ -425,7 +437,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		}
 		named, err := reference.ParseNormalizedNamed(source) // May be a repository or an image.
 		if err != nil {
-			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), source)
+			return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", docker.Transport.Name(), source, err)
 		}
 		imageTagged := !reference.IsNameOnly(named)
 		logrus.WithFields(logrus.Fields{
@@ -435,7 +447,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		if imageTagged {
 			srcRef, err := docker.NewReference(named)
 			if err != nil {
-				return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), named.String())
+				return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", docker.Transport.Name(), named.String(), err)
 			}
 			desc.ImageRefs = []types.ImageReference{srcRef}
 		} else {
@@ -444,7 +456,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 				return descriptors, err
 			}
 			if len(desc.ImageRefs) == 0 {
-				return descriptors, errors.Errorf("No images to sync found in %q", source)
+				return descriptors, fmt.Errorf("No images to sync found in %q", source)
 			}
 		}
 		descriptors = append(descriptors, desc)
@@ -455,7 +467,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		}

 		if _, err := os.Stat(source); err != nil {
-			return descriptors, errors.Wrap(err, "Invalid source directory specified")
+			return descriptors, fmt.Errorf("Invalid source directory specified: %w", err)
 		}
 		desc.DirBasePath = source
 		var err error
@@ -464,7 +476,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 			return descriptors, err
 		}
 		if len(desc.ImageRefs) == 0 {
-			return descriptors, errors.Errorf("No images to sync found in %q", source)
+			return descriptors, fmt.Errorf("No images to sync found in %q", source)
 		}
 		descriptors = append(descriptors, desc)

@@ -483,7 +495,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex

 			descs, err := imagesToCopyFromRegistry(registryName, registryConfig, *sourceCtx)
 			if err != nil {
-				return descriptors, errors.Wrapf(err, "Failed to retrieve list of images from registry %q", registryName)
+				return descriptors, fmt.Errorf("Failed to retrieve list of images from registry %q: %w", registryName, err)
 			}
 			descriptors = append(descriptors, descs...)
 		}
@@ -492,7 +504,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 	return descriptors, nil
 }

-func (opts *syncOptions) run(args []string, stdout io.Writer) error {
+func (opts *syncOptions) run(args []string, stdout io.Writer) (retErr error) {
 	if len(args) != 2 {
 		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
 	}
@@ -500,9 +512,13 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {

 	policyContext, err := opts.global.getPolicyContext()
 	if err != nil {
-		return errors.Wrapf(err, "Error loading trust policy")
+		return fmt.Errorf("Error loading trust policy: %w", err)
 	}
-	defer policyContext.Destroy()
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()

 	// validate source and destination options
 	contains := func(val string, list []string) (_ bool) {
@@ -518,14 +534,14 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 		return errors.New("A source transport must be specified")
 	}
 	if !contains(opts.source, []string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}) {
-		return errors.Errorf("%q is not a valid source transport", opts.source)
+		return fmt.Errorf("%q is not a valid source transport", opts.source)
 	}

 	if len(opts.destination) == 0 {
 		return errors.New("A destination transport must be specified")
 	}
 	if !contains(opts.destination, []string{docker.Transport.Name(), directory.Transport.Name()}) {
-		return errors.Errorf("%q is not a valid destination transport", opts.destination)
+		return fmt.Errorf("%q is not a valid destination transport", opts.destination)
 	}

 	if opts.source == opts.destination && opts.source == directory.Transport.Name() {
@@ -543,8 +559,8 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 	}

 	var manifestType string
-	if opts.format.present {
-		manifestType, err = parseManifestFormat(opts.format.value)
+	if opts.format.Present() {
+		manifestType, err = parseManifestFormat(opts.format.Value())
 		if err != nil {
 			return err
 		}
@@ -555,7 +571,7 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {

 	sourceArg := args[0]
 	var srcRepoList []repoDescriptor
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		srcRepoList, err = imagesToCopy(sourceArg, opts.source, sourceCtx)
 		return err
 	}, opts.retryOpts); err != nil {
@@ -568,16 +584,44 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 		return err
 	}

-	imagesNumber := 0
+	// c/image/copy.Image does allow creating both simple signing and sigstore signatures simultaneously,
+	// with independent passphrases, but that would make the CLI probably too confusing.
+	// For now, use the passphrase with either, but only one of them.
+	if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signBySigstorePrivateKey != "" {
+		return fmt.Errorf("Only one of --sign-by and sign-by-sigstore-private-key can be used with sign-passphrase-file")
+	}
+	var passphrase string
+	if opts.signPassphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else if opts.signBySigstorePrivateKey != "" {
+		p, err := promptForPassphrase(opts.signBySigstorePrivateKey, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	}
 	options := copy.Options{
 		RemoveSignatures:                      opts.removeSignatures,
 		SignBy:                                opts.signByFingerprint,
+		SignPassphrase:                        passphrase,
+		SignBySigstorePrivateKeyFile:          opts.signBySigstorePrivateKey,
+		SignSigstorePrivateKeyPassphrase:      []byte(passphrase),
 		ReportWriter:                          os.Stdout,
 		DestinationCtx:                        destinationCtx,
 		ImageListSelection:                    imageListSelection,
+		PreserveDigests:                       opts.preserveDigests,
 		OptimizeDestinationImageAlreadyExists: true,
 		ForceManifestMIMEType:                 manifestType,
 	}
+	errorsPresent := false
+	imagesNumber := 0
+	if opts.dryRun {
+		logrus.Warn("Running in dry-run mode")
+	}

 	for _, srcRepo := range srcRepoList {
 		options.SourceCtx = srcRepo.Context
@@ -605,21 +649,39 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 				return err
 			}

-			logrus.WithFields(logrus.Fields{
+			fromToFields := logrus.Fields{
 				"from": transports.ImageName(ref),
 				"to":   transports.ImageName(destRef),
-			}).Infof("Copying image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
-
-			if err = retry.RetryIfNecessary(ctx, func() error {
-				_, err = copy.Image(ctx, policyContext, destRef, ref, &options)
-				return err
-			}, opts.retryOpts); err != nil {
-				return errors.Wrapf(err, "Error copying ref %q", transports.ImageName(ref))
+			}
+			if opts.dryRun {
+				logrus.WithFields(fromToFields).Infof("Would have copied image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
+			} else {
+				logrus.WithFields(fromToFields).Infof("Copying image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
+				if err = retry.IfNecessary(ctx, func() error {
+					_, err = copy.Image(ctx, policyContext, destRef, ref, &options)
+					return err
+				}, opts.retryOpts); err != nil {
+					if !opts.keepGoing {
+						return fmt.Errorf("Error copying ref %q: %w", transports.ImageName(ref), err)
+					}
+					// log the error, keep a note that there was a failure and move on to the next
+					// image ref
+					errorsPresent = true
+					logrus.WithError(err).Errorf("Error copying ref %q", transports.ImageName(ref))
+					continue
+				}
 			}
 			imagesNumber++
 		}
 	}

-	logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
-	return nil
+	if opts.dryRun {
+		logrus.Infof("Would have synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	} else {
+		logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	}
+	if !errorsPresent {
+		return nil
+	}
+	return errors.New("Sync failed due to previous reported error(s) for one or more images")
 }
--- a/cmd/skopeo/unshare.go
+++ b/cmd/skopeo/unshare.go
@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux

 package main
--- a/cmd/skopeo/unshare_linux.go
+++ b/cmd/skopeo/unshare_linux.go
@@ -1,9 +1,10 @@
 package main

 import (
+	"fmt"
+
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/storage/pkg/unshare"
-	"github.com/pkg/errors"
 	"github.com/syndtr/gocapability/capability"
 )

@@ -22,7 +23,7 @@ func maybeReexec() error {
 	// if we already have the capabilities we need.
 	capabilities, err := capability.NewPid(0)
 	if err != nil {
-		return errors.Wrapf(err, "error reading the current capabilities sets")
+		return fmt.Errorf("error reading the current capabilities sets: %w", err)
 	}
 	for _, cap := range neededCapabilities {
 		if !capabilities.Get(capability.EFFECTIVE, cap) {
--- a/cmd/skopeo/utils.go
+++ b/cmd/skopeo/utils.go
@@ -2,21 +2,23 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
 	"strings"

+	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/compression"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"golang.org/x/term"
 )

 // errorShouldDisplayUsage is a subtype of error used by command handlers to indicate that cli.ShowSubcommandHelp should be called.
@@ -24,6 +26,27 @@ type errorShouldDisplayUsage struct {
 	error
 }

+// noteCloseFailure returns (possibly-nil) err modified to account for (non-nil) closeErr.
+// The error for closeErr is annotated with description (which is not a format string)
+// Typical usage:
+//
+// defer func() {
+//     if err := something.Close(); err != nil {
+//         returnedErr = noteCloseFailure(returnedErr, "closing something", err)
+//     }
+// }
+func noteCloseFailure(err error, description string, closeErr error) error {
+	// We don’t accept a Closer() and close it ourselves because signature.PolicyContext has .Destroy(), not .Close().
+	// This also makes it harder for a caller to do
+	//     defer noteCloseFailure(returnedErr, …)
+	// which doesn’t use the right value of returnedErr, and doesn’t update it.
+	if err == nil {
+		return fmt.Errorf("%s: %w", description, closeErr)
+	}
+	// In this case we prioritize the primary error for use with %w; closeErr is usually less relevant, or might be a consequence of the primary erorr.
+	return fmt.Errorf("%w (%s: %v)", err, description, closeErr)
+}
+
 // commandAction intermediates between the RunE interface and the real handler,
 // primarily to ensure that cobra.Command is not available to the handler, which in turn
 // makes sure that the cmd.Flags() etc. flag access functions are not used,
@@ -32,8 +55,9 @@ type errorShouldDisplayUsage struct {
 func commandAction(handler func(args []string, stdout io.Writer) error) func(cmd *cobra.Command, args []string) error {
 	return func(c *cobra.Command, args []string) error {
 		err := handler(args, c.OutOrStdout())
-		if _, ok := err.(errorShouldDisplayUsage); ok {
-			c.Help()
+		var shouldDisplayUsage errorShouldDisplayUsage
+		if errors.As(err, &shouldDisplayUsage) {
+			return c.Help()
 		}
 		return err
 	}
@@ -45,7 +69,7 @@ func commandAction(handler func(args []string, stdout io.Writer) error) func(cmd
 // whether or not the value actually ends up being used.
 // DO NOT ADD ANY NEW USES OF THIS; just call dockerImageFlags with an appropriate, possibly empty, flagPrefix.
 type deprecatedTLSVerifyOption struct {
-	tlsVerify optionalBool // FIXME FIXME: Warn if this is used, or even if it is ignored.
+	tlsVerify commonFlag.OptionalBool // FIXME FIXME: Warn if this is used, or even if it is ignored.
 }

 // warnIfUsed warns if tlsVerify was set by the user, and suggests alternatives (which should
@@ -53,7 +77,7 @@ type deprecatedTLSVerifyOption struct {
 // Every user should call this as part of handling the CLI, whether or not the value actually
 // ends up being used.
 func (opts *deprecatedTLSVerifyOption) warnIfUsed(alternatives []string) {
-	if opts.tlsVerify.present {
+	if opts.tlsVerify.Present() {
 		logrus.Warnf("'--tls-verify' is deprecated, instead use: %s", strings.Join(alternatives, ", "))
 	}
 }
@@ -63,7 +87,7 @@ func (opts *deprecatedTLSVerifyOption) warnIfUsed(alternatives []string) {
 func deprecatedTLSVerifyFlags() (pflag.FlagSet, *deprecatedTLSVerifyOption) {
 	opts := deprecatedTLSVerifyOption{}
 	fs := pflag.FlagSet{}
-	flag := optionalBoolFlag(&fs, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the container registry (defaults to true)")
+	flag := commonFlag.OptionalBoolFlag(&fs, &opts.tlsVerify, "tls-verify", "require HTTPS and verify certificates when accessing the container registry")
 	flag.Hidden = true
 	return fs, &opts
 }
@@ -89,11 +113,13 @@ type dockerImageOptions struct {
 	global              *globalOptions             // May be shared across several imageOptions instances.
 	shared              *sharedImageOptions        // May be shared across several imageOptions instances.
 	deprecatedTLSVerify *deprecatedTLSVerifyOption // May be shared across several imageOptions instances, or nil.
-	authFilePath        optionalString             // Path to a */containers/auth.json (prefixed version to override shared image option).
-	credsOption         optionalString             // username[:password] for accessing a registry
-	registryToken       optionalString             // token to be used directly as a Bearer token when accessing the registry
+	authFilePath        commonFlag.OptionalString  // Path to a */containers/auth.json (prefixed version to override shared image option).
+	credsOption         commonFlag.OptionalString  // username[:password] for accessing a registry
+	userName            commonFlag.OptionalString  // username for accessing a registry
+	password            commonFlag.OptionalString  // password for accessing a registry
+	registryToken       commonFlag.OptionalString  // token to be used directly as a Bearer token when accessing the registry
 	dockerCertPath      string                     // A directory using Docker-like *.{crt,cert,key} files for connecting to a registry or a daemon
-	tlsVerify           optionalBool               // Require HTTPS and verify certificates (for docker: and docker-daemon:)
+	tlsVerify           commonFlag.OptionalBool    // Require HTTPS and verify certificates (for docker: and docker-daemon:)
 	noCreds             bool                       // Access the registry anonymously
 }

@@ -119,18 +145,20 @@ func dockerImageFlags(global *globalOptions, shared *sharedImageOptions, depreca
 	fs := pflag.FlagSet{}
 	if flagPrefix != "" {
 		// the non-prefixed flag is handled by a shared flag.
-		fs.Var(newOptionalStringValue(&flags.authFilePath), flagPrefix+"authfile", "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
+		fs.Var(commonFlag.NewOptionalStringValue(&flags.authFilePath), flagPrefix+"authfile", "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
 	}
-	fs.Var(newOptionalStringValue(&flags.credsOption), flagPrefix+"creds", "Use `USERNAME[:PASSWORD]` for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.credsOption), flagPrefix+"creds", "Use `USERNAME[:PASSWORD]` for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.userName), flagPrefix+"username", "Username for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.password), flagPrefix+"password", "Password for accessing the registry")
 	if credsOptionAlias != "" {
 		// This is horribly ugly, but we need to support the old option forms of (skopeo copy) for compatibility.
 		// Don't add any more cases like this.
-		f := fs.VarPF(newOptionalStringValue(&flags.credsOption), credsOptionAlias, "", "Use `USERNAME[:PASSWORD]` for accessing the registry")
+		f := fs.VarPF(commonFlag.NewOptionalStringValue(&flags.credsOption), credsOptionAlias, "", "Use `USERNAME[:PASSWORD]` for accessing the registry")
 		f.Hidden = true
 	}
-	fs.Var(newOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry")
+	fs.Var(commonFlag.NewOptionalStringValue(&flags.registryToken), flagPrefix+"registry-token", "Provide a Bearer token for accessing the registry")
 	fs.StringVar(&flags.dockerCertPath, flagPrefix+"cert-dir", "", "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry or daemon")
-	optionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)")
+	commonFlag.OptionalBoolFlag(&fs, &flags.tlsVerify, flagPrefix+"tls-verify", "require HTTPS and verify certificates when talking to the container registry or daemon")
 	fs.BoolVar(&flags.noCreds, flagPrefix+"no-creds", false, "Access the registry anonymously")
 	return fs, &flags
 }
@@ -146,8 +174,8 @@ func imageFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLS
 	return fs, opts
 }

-func retryFlags() (pflag.FlagSet, *retry.RetryOptions) {
-	opts := retry.RetryOptions{}
+func retryFlags() (pflag.FlagSet, *retry.Options) {
+	opts := retry.Options{}
 	fs := pflag.FlagSet{}
 	fs.IntVar(&opts.MaxRetry, "retry-times", 0, "the number of times to possibly retry")
 	return fs, &opts
@@ -164,31 +192,49 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
 	ctx.AuthFilePath = opts.shared.authFilePath
 	ctx.DockerDaemonHost = opts.dockerDaemonHost
 	ctx.DockerDaemonCertPath = opts.dockerCertPath
-	if opts.dockerImageOptions.authFilePath.present {
-		ctx.AuthFilePath = opts.dockerImageOptions.authFilePath.value
+	if opts.dockerImageOptions.authFilePath.Present() {
+		ctx.AuthFilePath = opts.dockerImageOptions.authFilePath.Value()
 	}
-	if opts.deprecatedTLSVerify != nil && opts.deprecatedTLSVerify.tlsVerify.present {
+	if opts.deprecatedTLSVerify != nil && opts.deprecatedTLSVerify.tlsVerify.Present() {
 		// If both this deprecated option and a non-deprecated option is present, we use the latter value.
-		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.deprecatedTLSVerify.tlsVerify.value)
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.deprecatedTLSVerify.tlsVerify.Value())
 	}
-	if opts.tlsVerify.present {
-		ctx.DockerDaemonInsecureSkipTLSVerify = !opts.tlsVerify.value
+	if opts.tlsVerify.Present() {
+		ctx.DockerDaemonInsecureSkipTLSVerify = !opts.tlsVerify.Value()
 	}
-	if opts.tlsVerify.present {
-		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.value)
+	if opts.tlsVerify.Present() {
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.Value())
 	}
-	if opts.credsOption.present && opts.noCreds {
+	if opts.credsOption.Present() && opts.noCreds {
 		return nil, errors.New("creds and no-creds cannot be specified at the same time")
 	}
-	if opts.credsOption.present {
+	if opts.userName.Present() && opts.noCreds {
+		return nil, errors.New("username and no-creds cannot be specified at the same time")
+	}
+	if opts.credsOption.Present() && opts.userName.Present() {
+		return nil, errors.New("creds and username cannot be specified at the same time")
+	}
+	// if any of username or password is present, then both are expected to be present
+	if opts.userName.Present() != opts.password.Present() {
+		if opts.userName.Present() {
+			return nil, errors.New("password must be specified when username is specified")
+		}
+		return nil, errors.New("username must be specified when password is specified")
+	}
+	if opts.credsOption.Present() {
 		var err error
-		ctx.DockerAuthConfig, err = getDockerAuth(opts.credsOption.value)
+		ctx.DockerAuthConfig, err = getDockerAuth(opts.credsOption.Value())
 		if err != nil {
 			return nil, err
 		}
+	} else if opts.userName.Present() {
+		ctx.DockerAuthConfig = &types.DockerAuthConfig{
+			Username: opts.userName.Value(),
+			Password: opts.password.Value(),
+		}
 	}
-	if opts.registryToken.present {
-		ctx.DockerBearerRegistryToken = opts.registryToken.value
+	if opts.registryToken.Present() {
+		ctx.DockerBearerRegistryToken = opts.registryToken.Value()
 	}
 	if opts.noCreds {
 		ctx.DockerAuthConfig = &types.DockerAuthConfig{}
@@ -200,11 +246,12 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
 // imageDestOptions is a superset of imageOptions specialized for image destinations.
 type imageDestOptions struct {
 	*imageOptions
-	dirForceCompression         bool        // Compress layers when saving to the dir: transport
-	dirForceDecompression       bool        // Decompress layers when saving to the dir: transport
-	ociAcceptUncompressedLayers bool        // Whether to accept uncompressed layers in the oci: transport
-	compressionFormat           string      // Format to use for the compression
-	compressionLevel            optionalInt // Level to use for the compression
+	dirForceCompression         bool                   // Compress layers when saving to the dir: transport
+	dirForceDecompression       bool                   // Decompress layers when saving to the dir: transport
+	ociAcceptUncompressedLayers bool                   // Whether to accept uncompressed layers in the oci: transport
+	compressionFormat           string                 // Format to use for the compression
+	compressionLevel            commonFlag.OptionalInt // Level to use for the compression
+	precomputeDigests           bool                   // Precompute digests to dedup layers when saving to the docker: transport
 }

 // imageDestFlags prepares a collection of CLI flags writing into imageDestOptions, and the managed imageDestOptions structure.
@@ -217,7 +264,8 @@ func imageDestFlags(global *globalOptions, shared *sharedImageOptions, deprecate
 	fs.BoolVar(&opts.dirForceDecompression, flagPrefix+"decompress", false, "Decompress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)")
 	fs.BoolVar(&opts.ociAcceptUncompressedLayers, flagPrefix+"oci-accept-uncompressed-layers", false, "Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed)")
 	fs.StringVar(&opts.compressionFormat, flagPrefix+"compress-format", "", "`FORMAT` to use for the compression")
-	fs.Var(newOptionalIntValue(&opts.compressionLevel), flagPrefix+"compress-level", "`LEVEL` to use for the compression")
+	fs.Var(commonFlag.NewOptionalIntValue(&opts.compressionLevel), flagPrefix+"compress-level", "`LEVEL` to use for the compression")
+	fs.BoolVar(&opts.precomputeDigests, flagPrefix+"precompute-digests", false, "Precompute digests to prevent uploading layers already on the registry using the 'docker' transport.")
 	return fs, &opts
 }

@@ -239,9 +287,11 @@ func (opts *imageDestOptions) newSystemContext() (*types.SystemContext, error) {
 		}
 		ctx.CompressionFormat = &cf
 	}
-	if opts.compressionLevel.present {
-		ctx.CompressionLevel = &opts.compressionLevel.value
+	if opts.compressionLevel.Present() {
+		value := opts.compressionLevel.Value()
+		ctx.CompressionLevel = &value
 	}
+	ctx.DockerRegistryPushPrecomputeDigests = opts.precomputeDigests
 	return ctx, err
 }

@@ -327,3 +377,19 @@ func adjustUsage(c *cobra.Command) {
 	c.SetUsageTemplate(usageTemplate)
 	c.DisableFlagsInUseLine = true
 }
+
+// promptForPassphrase interactively prompts for a passphrase related to privateKeyFile
+func promptForPassphrase(privateKeyFile string, stdin, stdout *os.File) (string, error) {
+	stdinFd := int(stdin.Fd())
+	if !term.IsTerminal(stdinFd) {
+		return "", fmt.Errorf("Cannot prompt for a passphrase for key %s, standard input is not a TTY", privateKeyFile)
+	}
+
+	fmt.Fprintf(stdout, "Passphrase for key %s: ", privateKeyFile)
+	passphrase, err := term.ReadPassword(stdinFd)
+	if err != nil {
+		return "", fmt.Errorf("Error reading password: %w", err)
+	}
+	fmt.Fprintf(stdout, "\n")
+	return string(passphrase), nil
+}
--- a/cmd/skopeo/utils_test.go
+++ b/cmd/skopeo/utils_test.go
@@ -1,7 +1,7 @@
 package main

 import (
-	"os"
+	"errors"
 	"testing"

 	"github.com/containers/image/v5/manifest"
@@ -13,6 +13,27 @@ import (
 	"github.com/stretchr/testify/require"
 )

+func TestNoteCloseFailure(t *testing.T) {
+	const description = "description"
+
+	mainErr := errors.New("main")
+	closeErr := errors.New("closing")
+
+	// Main success, closing failed
+	res := noteCloseFailure(nil, description, closeErr)
+	require.NotNil(t, res)
+	assert.Contains(t, res.Error(), description)
+	assert.Contains(t, res.Error(), closeErr.Error())
+
+	// Both main and closing failed
+	res = noteCloseFailure(mainErr, description, closeErr)
+	require.NotNil(t, res)
+	assert.Contains(t, res.Error(), mainErr.Error())
+	assert.Contains(t, res.Error(), description)
+	assert.Contains(t, res.Error(), closeErr.Error())
+	assert.ErrorIs(t, res, mainErr)
+}
+
 // fakeGlobalOptions creates globalOptions and sets it according to flags.
 func fakeGlobalOptions(t *testing.T, flags []string) (*globalOptions, *cobra.Command) {
 	app, opts := createApp()
@@ -128,17 +149,9 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) {
 		DockerRegistryUserAgent: defaultUserAgent,
 	}, res)

-	oldXRD, hasXRD := os.LookupEnv("REGISTRY_AUTH_FILE")
-	defer func() {
-		if hasXRD {
-			os.Setenv("REGISTRY_AUTH_FILE", oldXRD)
-		} else {
-			os.Unsetenv("REGISTRY_AUTH_FILE")
-		}
-	}()
 	authFile := "/tmp/auth.json"
 	// Make sure when REGISTRY_AUTH_FILE is set the auth file is used
-	os.Setenv("REGISTRY_AUTH_FILE", authFile)
+	t.Setenv("REGISTRY_AUTH_FILE", authFile)

 	// Explicitly set everything to default, except for when the default is “not present”
 	opts = fakeImageDestOptions(t, "dest-", true, []string{}, []string{
@@ -167,26 +180,28 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) {
 		"--dest-tls-verify=false",
 		"--dest-creds", "creds-user:creds-password",
 		"--dest-registry-token", "faketoken",
+		"--dest-precompute-digests=true",
 	})
 	res, err = opts.newSystemContext()
 	require.NoError(t, err)
 	assert.Equal(t, &types.SystemContext{
-		RegistriesDirPath:                 "/srv/registries.d",
-		AuthFilePath:                      "/srv/authfile",
-		ArchitectureChoice:                "overridden-arch",
-		OSChoice:                          "overridden-os",
-		VariantChoice:                     "overridden-variant",
-		OCISharedBlobDirPath:              "/srv/shared-blob-dir",
-		DockerCertPath:                    "/srv/cert-dir",
-		DockerInsecureSkipTLSVerify:       types.OptionalBoolTrue,
-		DockerAuthConfig:                  &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
-		DockerBearerRegistryToken:         "faketoken",
-		DockerDaemonCertPath:              "/srv/cert-dir",
-		DockerDaemonHost:                  "daemon-host.example.com",
-		DockerDaemonInsecureSkipTLSVerify: true,
-		DockerRegistryUserAgent:           defaultUserAgent,
-		DirForceCompress:                  true,
-		BigFilesTemporaryDir:              "/srv",
+		RegistriesDirPath:                   "/srv/registries.d",
+		AuthFilePath:                        "/srv/authfile",
+		ArchitectureChoice:                  "overridden-arch",
+		OSChoice:                            "overridden-os",
+		VariantChoice:                       "overridden-variant",
+		OCISharedBlobDirPath:                "/srv/shared-blob-dir",
+		DockerCertPath:                      "/srv/cert-dir",
+		DockerInsecureSkipTLSVerify:         types.OptionalBoolTrue,
+		DockerAuthConfig:                    &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
+		DockerBearerRegistryToken:           "faketoken",
+		DockerDaemonCertPath:                "/srv/cert-dir",
+		DockerDaemonHost:                    "daemon-host.example.com",
+		DockerDaemonInsecureSkipTLSVerify:   true,
+		DockerRegistryUserAgent:             defaultUserAgent,
+		DirForceCompress:                    true,
+		BigFilesTemporaryDir:                "/srv",
+		DockerRegistryPushPrecomputeDigests: true,
 	}, res)

 	// Global/per-command tlsVerify behavior is tested in TestTLSVerifyFlags.
@@ -197,6 +212,54 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) {
 	assert.Error(t, err)
 }

+// TestImageOptionsUsernamePassword verifies that using the username and password
+// options works as expected
+func TestImageOptionsUsernamePassword(t *testing.T) {
+	for _, command := range []struct {
+		commandArgs        []string
+		expectedAuthConfig *types.DockerAuthConfig // data to expect, or nil if an error is expected
+	}{
+		// Set only username/password (without --creds), expected to pass
+		{
+			commandArgs:        []string{"--dest-username", "foo", "--dest-password", "bar"},
+			expectedAuthConfig: &types.DockerAuthConfig{Username: "foo", Password: "bar"},
+		},
+		// no username but set password, expect error
+		{
+			commandArgs:        []string{"--dest-password", "foo"},
+			expectedAuthConfig: nil,
+		},
+		// set username but no password. expected to fail (we currently don't allow a user without password)
+		{
+			commandArgs:        []string{"--dest-username", "bar"},
+			expectedAuthConfig: nil,
+		},
+		// set username with --creds, expected to fail
+		{
+			commandArgs:        []string{"--dest-username", "bar", "--dest-creds", "hello:world", "--dest-password", "foo"},
+			expectedAuthConfig: nil,
+		},
+		// set username with --no-creds, expected to fail
+		{
+			commandArgs:        []string{"--dest-username", "bar", "--dest-no-creds", "--dest-password", "foo"},
+			expectedAuthConfig: nil,
+		},
+	} {
+		opts := fakeImageDestOptions(t, "dest-", true, []string{}, command.commandArgs)
+		// parse the command options
+		res, err := opts.newSystemContext()
+		if command.expectedAuthConfig == nil {
+			assert.Error(t, err)
+		} else {
+			require.NoError(t, err)
+			assert.Equal(t, &types.SystemContext{
+				DockerRegistryUserAgent: defaultUserAgent,
+				DockerAuthConfig:        command.expectedAuthConfig,
+			}, res)
+		}
+	}
+}
+
 func TestTLSVerifyFlags(t *testing.T) {
 	type systemContextOpts interface { // Either *imageOptions or *imageDestOptions
 		newSystemContext() (*types.SystemContext, error)
--- a/completions/bash/skopeo
+++ b/completions/bash/skopeo
@@ -1,316 +0,0 @@
-#! /bin/bash
-
-_complete_() {
-    local options_with_args=$1
-    local boolean_options="$2 -h --help"
-    local transports=$3
-
-    local option_with_args
-    for option_with_args in $options_with_args $transports
-    do
-        if [ "$option_with_args" == "$prev" ] || [ "$option_with_args" == "$cur" ]
-        then
-            return
-        fi
-    done
-
-    case "$cur" in
-        -*)
-            while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
-            ;;
-        *)
-            if [ -n "$transports" ]
-            then
-                compopt -o nospace
-                while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$transports" -- "$cur")
-            fi
-            ;;
-    esac
-}
-
-_skopeo_supported_transports() {
-    local subcommand=$1
-
-    skopeo "$subcommand" --help | grep "Supported transports" -A 1 | tail -n 1 | sed -e 's/,/:/g' -e 's/$/:/'
-}
-
-_skopeo_copy() {
-    local options_with_args="
-    --authfile
-    --src-authfile
-    --dest-authfile
-    --format -f
-    --sign-by
-    --src-creds --screds
-    --src-cert-dir
-    --src-tls-verify
-    --dest-creds --dcreds
-    --dest-cert-dir
-    --dest-tls-verify
-    --src-daemon-host
-    --dest-daemon-host
-    --src-registry-token
-    --dest-registry-token
-    "
-
-    local boolean_options="
-    --all
-    --dest-compress
-    --dest-decompress
-    --remove-signatures
-    --src-no-creds
-    --dest-no-creds
-    --dest-oci-accept-uncompressed-layers
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_sync() {
-    local options_with_args="
-    --authfile
-    --dest
-    --dest-authfile
-    --dest-cert-
-    --dest-creds
-    --dest-registry-token string
-    --format
-    --retry-times
-    --sign-by
-    --src
-    --src-authfile
-    --src-cert-dir
-    --src-creds
-    --src-registry-token
-    "
-
-    local boolean_options="
-    --all
-    --dest-no-creds
-    --dest-tls-verify
-    --remove-signatures
-    --scoped
-    --src-no-creds
-    --src-tls-verify
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_inspect() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --format
-     --retry-times
-     --registry-token
-     "
-     local boolean_options="
-     --config
-     --raw
-     --tls-verify
-     --no-creds
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_standalone_sign() {
-     local options_with_args="
-       -o --output
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_standalone_verify() {
-     local options_with_args="
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_manifest_digest() {
-     local options_with_args="
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_delete() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --registry-token
-     "
-     local boolean_options="
-     --tls-verify
-     --no-creds
-     "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_layers() {
-     local options_with_args="
-       --authfile
-       --creds
-       --cert-dir
-       --registry-token
-     "
-     local boolean_options="
-       --tls-verify
-       --no-creds
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_list_repository_tags() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --registry-token
-     "
-
-     local boolean_options="
-     --tls-verify
-     --no-creds
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_login() {
-    local options_with_args="
-    --authfile
-    --cert-dir
-    --password -p
-    --username -u
-    "
-
-    local boolean_options="
-    --get-login
-    --tls-verify
-    --password-stdin
-    "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_logout() {
-    local options_with_args="
-    --authfile
-    "
-
-    local boolean_options="
-    --all -a
-    "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_skopeo() {
-     # XXX: Changes here need to be reflected in the manually expanded
-     # string in the `case` statement below as well.
-     local options_with_args="
-       --policy
-       --registries.d
-       --override-arch
-       --override-os
-       --override-variant
-       --command-timeout
-       --tmpdir
-     "
-     local boolean_options="
-       --insecure-policy
-       --debug
-       --version -v
-       --help -h
-     "
-
-     local commands=(
-       copy
-       delete
-       inspect
-       list-tags
-       login
-       logout
-       manifest-digest
-       standalone-sign
-       standalone-verify
-       sync
-       help
-       h
-     )
-
-     case "$prev" in
-         # XXX: Changes here need to be reflected in $options_with_args as well.
-         --policy|--registries.d|--override-arch|--override-os|--override-variant|--command-timeout)
-             return
-             ;;
-     esac
-
-     case "$cur" in
-         -*)
-             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
-             ;;
-         *)
-             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "${commands[*]} help" -- "$cur")
-             ;;
-     esac
-}
-
-_cli_bash_autocomplete() {
-     local cur
-
-     COMPREPLY=()
-     cur="${COMP_WORDS[COMP_CWORD]}"
-     COMPREPLY=()
-     local cur prev words cword
-
-     _get_comp_words_by_ref -n : cur prev words cword
-
-     local command="skopeo" cpos=0
-     local counter=1
-     while [ $counter -lt "$cword" ]; do
-         case "${words[$counter]}" in
-             skopeo|copy|sync|inspect|delete|manifest-digest|standalone-sign|standalone-verify|help|h|list-repository-tags)
-                 command="${words[$counter]//-/_}"
-                 cpos=$counter
-                 (( cpos++ ))
-                 break
-                 ;;
-         esac
-         (( counter++ ))
-     done
-
-     local completions_func=_skopeo_${command}
-     declare -F "$completions_func" >/dev/null && $completions_func
-
-     return 0
-}
-
- complete -F _cli_bash_autocomplete skopeo
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -6,6 +6,19 @@

 set -e

+# BEGIN Global export of all variables
+set -a
+
+# Due to differences across platforms and runtime execution environments,
+# handling of the (otherwise) default shell setup is non-uniform.  Rather
+# than attempt to workaround differences, simply force-load/set required
+# items every time this library is utilized.
+USER="$(whoami)"
+HOME="$(getent passwd $USER | cut -d : -f 6)"
+# Some platforms set and make this read-only
+[[ -n "$UID" ]] || \
+    UID=$(getent passwd $USER | cut -d : -f 3)
+
 if [[ -r "/etc/automation_environment" ]]; then
    source /etc/automation_environment
    source $AUTOMATION_LIB_PATH/common_lib.sh
@@ -17,48 +30,81 @@ else
    ) > /dev/stderr
 fi

-OS_RELEASE_ID="$(source /etc/os-release; echo $ID)"
-# GCE image-name compatible string representation of distribution _major_ version
-OS_RELEASE_VER="$(source /etc/os-release; echo $VERSION_ID | tr -d '.')"
-# Combined to ease some usage
-OS_REL_VER="${OS_RELEASE_ID}-${OS_RELEASE_VER}"
+# This is the magic interpreted by the tests to allow modifying local config/services.
+SKOPEO_CONTAINER_TESTS=1

-export "PATH=$PATH:$GOPATH/bin"
+PATH=$PATH:$GOPATH/bin
+
+# END Global export of all variables
+set +a

-podmanmake() {
-    req_env_vars GOPATH SKOPEO_PATH SKOPEO_CI_CONTAINER_FQIN
-    warn "Accumulated technical-debt requires execution inside a --privileged container.  This is very likely hiding bugs!"
-    showrun podman run -it --rm --privileged \
-        -e GOPATH=$GOPATH \
-        -v $GOPATH:$GOPATH:Z \
-        -w $SKOPEO_PATH \
-        $SKOPEO_CI_CONTAINER_FQIN \
-            make "$@"
-}

 _run_setup() {
-    if [[ "$OS_RELEASE_ID" == "fedora" ]]; then
-        # This is required as part of the standard Fedora VM setup
-        growpart /dev/sda 1
-        resize2fs /dev/sda1
-
-        # VM's come with the distro. skopeo pre-installed
-        dnf erase -y skopeo
-    else
+    local mnt
+    local errmsg
+    req_env_vars SKOPEO_CIDEV_CONTAINER_FQIN
+    if [[ "$OS_RELEASE_ID" != "fedora" ]]; then
        die "Unknown/unsupported distro. $OS_REL_VER"
    fi
+
+    if [[ -r "/.ci_setup_complete" ]]; then
+        warn "Thwarted an attempt to execute setup more than once."
+        return
+    fi
+
+    # VM's come with the distro. skopeo package pre-installed
+    dnf erase -y skopeo
+
+    # Required for testing the SIF transport
+    dnf install -y fakeroot squashfs-tools
+
+    msg "Removing systemd-resolved from nsswitch.conf"
+    # /etc/resolv.conf is already set to bypass systemd-resolvd
+    sed -i -r -e 's/^(hosts.+)resolve.+dns/\1dns/' /etc/nsswitch.conf
+
+    # A slew of compiled binaries are pre-built and distributed
+    # within the CI/Dev container image, but we want to run
+    # things directly on the host VM.  Fortunately they're all
+    # located in the container under /usr/local/bin
+    msg "Accessing contents of $SKOPEO_CIDEV_CONTAINER_FQIN"
+    podman pull --quiet $SKOPEO_CIDEV_CONTAINER_FQIN
+    mnt=$(podman mount $(podman create $SKOPEO_CIDEV_CONTAINER_FQIN))
+
+    # The container and VM images are built in tandem in the same repo.
+    # automation, but the sources are in different directories.  It's
+    # possible for a mismatch to happen, but should (hopefully) be unlikely.
+    # Double-check to make sure.
+    if ! fgrep -qx "ID=$OS_RELEASE_ID" $mnt/etc/os-release || \
+       ! fgrep -qx "VERSION_ID=$OS_RELEASE_VER" $mnt/etc/os-release; then
+            die "Somehow $SKOPEO_CIDEV_CONTAINER_FQIN is not based on $OS_REL_VER."
+    fi
+    msg "Copying test binaries from $SKOPEO_CIDEV_CONTAINER_FQIN /usr/local/bin/"
+    cp -a "$mnt/usr/local/bin/"* "/usr/local/bin/"
+    msg "Configuring the openshift registry"
+
+    # TODO: Put directory & yaml into more sensible place + update integration tests
+    mkdir -vp /registry
+    cp -a "$mnt/atomic-registry-config.yml" /
+
+    msg "Cleaning up"
+    podman umount --latest
+    podman rm --latest
+
+    # Ensure setup can only run once
+    touch "/.ci_setup_complete"
 }

 _run_vendor() {
-    podmanmake vendor BUILDTAGS="$BUILDTAGS"
+    make vendor BUILDTAGS="$BUILDTAGS"
 }

 _run_build() {
    make bin/skopeo BUILDTAGS="$BUILDTAGS"
+    make install PREFIX=/usr/local
 }

 _run_cross() {
-    podmanmake local-cross BUILDTAGS="$BUILDTAGS"
+    make local-cross BUILDTAGS="$BUILDTAGS"
 }

 _run_doccheck() {
@@ -66,18 +112,22 @@ _run_doccheck() {
 }

 _run_unit() {
-    podmanmake test-unit-local BUILDTAGS="$BUILDTAGS"
+    make test-unit-local BUILDTAGS="$BUILDTAGS"
 }

 _run_integration() {
-    podmanmake test-integration-local BUILDTAGS="$BUILDTAGS"
+    # Ensure we start with a clean-slate
+    podman system reset --force
+
+    make test-integration-local BUILDTAGS="$BUILDTAGS"
 }

 _run_system() {
    # Ensure we start with a clean-slate
    podman system reset --force
+
    # Executes with containers required for testing.
-    showrun make test-system-local BUILDTAGS="$BUILDTAGS"
+    make test-system-local BUILDTAGS="$BUILDTAGS"
 }

 req_env_vars SKOPEO_PATH BUILDTAGS
--- a/contrib/skopeoimage/README.md
+++ b/contrib/skopeoimage/README.md
@@ -6,7 +6,7 @@

 ## Overview

-This directory contains the Dockerfiles necessary to create the skopeoimage container
+This directory contains the Containerfiles necessary to create the skopeoimage container
 images that are housed on quay.io under the skopeo account.  All repositories where
 the images live are public and can be pulled without credentials.  These container images are secured and the
 resulting containers can run safely with privileges within the container.
@@ -18,22 +18,23 @@ default to `/`.

 The container images are:

-  * `quay.io/containers/skopeo:<version>` and `quay.io/skopeo/stable:<version>` -
-    These images are built when a new Skopeo version becomes available in
-    Fedora.  These images are intended to be unchanging and stable, they will
-    never be updated by automation once they've been pushed.  For build details,
-    please [see the configuration file](stable/Dockerfile).
+  * `quay.io/containers/skopeo:v<version>` and `quay.io/skopeo/stable:v<version>` -
+    These images are built daily.  These images are intended contain an unchanging
+    and stable version of skopeo.  For the most recent `<version>` tags (`vX`,
+    `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate
+    (especially) security updates.  For build details, please[see the configuration
+    file](stable/Containerfile).
  * `quay.io/containers/skopeo:latest` and `quay.io/skopeo/stable:latest` -
-    Built daily using the same Dockerfile as above.  The skopeo version
-    will remain the "latest" available in Fedora, however the image
+    Built daily using the same Containerfile as above.  The skopeo version
+    will remain the "latest" available in Fedora, however the other image
    contents may vary compared to the version-tagged images.
  * `quay.io/skopeo/testing:latest` - This image is built daily, using the
    latest version of Skopeo that was in the Fedora `updates-testing` repository.
-    The image is Built with [the testing Dockerfile](testing/Dockerfile).
+    The image is Built with [the testing Containerfile](testing/Containerfile).
  * `quay.io/skopeo/upstream:latest` - This image is built daily using the latest
    code found in this GitHub repository.  Due to the image changing frequently,
    it's not guaranteed to be stable or even executable.  The image is built with
-    [the upstream Dockerfile](upstream/Dockerfile).
+    [the upstream Containerfile](upstream/Containerfile).


 ## Sample Usage
--- a/contrib/skopeoimage/stable/Containerfile
+++ b/contrib/skopeoimage/stable/Containerfile
@@ -0,0 +1,47 @@
+# stable/Containerfile
+#
+# Build a Skopeo container image from the latest
+# stable version of Skopeo on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y install skopeo fuse-overlayfs \
+        --exclude container-selinux && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd skopeo && \
+    echo skopeo:100000:65536 > /etc/subuid && \
+    echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+        -e '/additionalimage.*/a "/var/lib/shared",' \
+        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+        /usr/share/containers/storage.conf \
+        > /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/stable/Dockerfile
+++ b/contrib/skopeoimage/stable/Dockerfile
@@ -1,33 +0,0 @@
-# stable/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# stable version of Skopeo on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:33
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/testing/Containerfile
+++ b/contrib/skopeoimage/testing/Containerfile
@@ -0,0 +1,49 @@
+# testing/Containerfile
+#
+# Build a Skopeo container image from the latest
+# version of Skopeo that is in updates-testing
+# on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y install skopeo fuse-overlayfs \
+        --exclude container-selinux \
+        --enablerepo updates-testing && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd skopeo && \
+    echo skopeo:100000:65536 > /etc/subuid && \
+    echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+        -e '/additionalimage.*/a "/var/lib/shared",' \
+        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+        /usr/share/containers/storage.conf \
+        > /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/testing/Dockerfile
+++ b/contrib/skopeoimage/testing/Dockerfile
@@ -1,34 +0,0 @@
-# testing/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# version of Skopeo that is in updates-testing
-# on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:33
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/upstream/Containerfile
+++ b/contrib/skopeoimage/upstream/Containerfile
@@ -0,0 +1,66 @@
+# upstream/Containerfile
+#
+# Build a Skopeo container image from the latest
+# upstream version of Skopeo on GitHub.
+# https://github.com/containers/skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y --enablerepo updates-testing --exclude container-selinux install \
+        make \
+        golang \
+        git \
+        go-md2man \
+        fuse-overlayfs \
+        fuse3 \
+        containers-common \
+        gpgme-devel \
+        libassuan-devel \
+        btrfs-progs-devel \
+        device-mapper-devel && \
+    mkdir /root/skopeo && \
+    git clone https://github.com/containers/skopeo \
+        /root/skopeo/src/github.com/containers/skopeo && \
+    export GOPATH=/root/skopeo && \
+    cd /root/skopeo/src/github.com/containers/skopeo && \
+    make bin/skopeo && \
+    make PREFIX=/usr install && \
+    rm -rf /root/skopeo/* && \
+    dnf -y remove git golang go-md2man make && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd skopeo && \
+    echo skopeo:100000:65536 > /etc/subuid && \
+    echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+        -e '/additionalimage.*/a "/var/lib/shared",' \
+        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+        /usr/share/containers/storage.conf \
+        > /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/upstream/Dockerfile
+++ b/contrib/skopeoimage/upstream/Dockerfile
@@ -1,54 +0,0 @@
-# upstream/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# upstream version of Skopeo on GitHub.
-# https://github.com/containers/skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:33
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \
-yum -y install make \
-golang \
-git \
-go-md2man \
-fuse-overlayfs \
-fuse3 \
-containers-common \
-gpgme-devel \
-libassuan-devel \
-btrfs-progs-devel \
-device-mapper-devel --enablerepo updates-testing --exclude container-selinux; \
-mkdir /root/skopeo; \
-git clone https://github.com/containers/skopeo /root/skopeo/src/github.com/containers/skopeo; \
-export GOPATH=/root/skopeo; \
-cd /root/skopeo/src/github.com/containers/skopeo; \
-make bin/skopeo;\
-make PREFIX=/usr install;\
-rm -rf /root/skopeo/*; \
-yum -y remove git golang go-md2man make; \
-yum -y clean all; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/default.yaml
+++ b/default.yaml
@@ -1,19 +1,19 @@
 # This is a default registries.d configuration file.  You may
 # add to this file or create additional files in registries.d/.
 #
-# sigstore: indicates a location that is read and write
-# sigstore-staging: indicates a location that is only for write
+# lookaside: indicates a location that is read and write
+# lookaside-staging: indicates a location that is only for write
 #
-# sigstore and sigstore-staging take a value of the following:
-#   sigstore:  {schema}://location
+# lookaside and lookaside-staging take a value of the following:
+#   lookaside:  {schema}://location
 #
 # For reading signatures, schema may be http, https, or file.
 # For writing signatures, schema may only be file.

 # This is the default signature write location for docker registries.
 default-docker:
-#  sigstore: file:///var/lib/containers/sigstore
-  sigstore-staging: file:///var/lib/containers/sigstore
+#  lookaside: file:///var/lib/containers/sigstore
+  lookaside-staging: file:///var/lib/containers/sigstore

 # The 'docker' indicator here is the start of the configuration
 # for docker registries.
@@ -21,6 +21,6 @@ default-docker:
 # docker:
 #
 #   privateregistry.com:
-#    sigstore: http://privateregistry.com/sigstore/
-#    sigstore-staging: /mnt/nfs/privateregistry/sigstore
+#    lookaside: http://privateregistry.com/sigstore/
+#    lookaside-staging: /mnt/nfs/privateregistry/sigstore

--- a/docs/skopeo-copy.1.md
+++ b/docs/skopeo-copy.1.md
@@ -54,6 +54,10 @@ Directory to use to share blobs across OCI repositories.

 After copying the image, write the digest of the resulting image to the file.

+**--preserve-digests**
+
+Preserve the digests during copying. Fail if the digest cannot be preserved.
+
 **--encrypt-layer** _ints_

 *Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)
@@ -66,6 +70,17 @@ MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifes

 Print usage statement

+**--multi-arch** _option_
+
+Control what is copied if _source-image_ refers to a multi-architecture image. Default is system.
+
+Options:
+- system: Copy only the image that matches the system architecture
+- all: Copy the full multi-architecture image
+- index-only: Copy only the index
+
+The index-only option usually fails unless the referenced per-architecture images are already present in the destination, or the target registry supports sparse indexes.
+
 **--quiet**, **-q**

 Suppress output information when copying images.
@@ -74,9 +89,21 @@ Suppress output information when copying images.

 Do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.

-**--sign-by**=_key-id_
+**--sign-by** _key-id_

-Add a signature using that key ID for an image name corresponding to _destination-image_
+Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_
+
+**--sign-by-sigstore-private-key** _path_
+
+Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
+
+**--sign-passphrase-file** _path_
+
+The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+
+**--sign-identity** _reference_
+
+The identity to use when signing the image. The identity must be a fully specified docker reference. If the identity is not specified, the target docker reference will be used.

 **--src-shared-blob-dir** _directory_

@@ -94,15 +121,15 @@ Key to be used for decryption of images. Key can point to keys and/or certificat

 Credentials for accessing the source registry.

-**--dest-compress** _bool-value_
+**--dest-compress**

 Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source).

-**--dest-decompress** _bool-value_
+**--dest-decompress**

 Decompress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source).

-**--dest-oci-accept-uncompressed-layers** _bool-value_
+**--dest-oci-accept-uncompressed-layers**

 Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed).

@@ -114,25 +141,25 @@ Credentials for accessing the destination registry.

 Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry or daemon.

-**--src-no-creds** _bool-value_
+**--src-no-creds**

 Access the registry anonymously.

-**--src-tls-verify** _bool-value_
+**--src-tls-verify**=_bool_

-Require HTTPS and verify certificates when talking to container source registry or daemon (defaults to true).
+Require HTTPS and verify certificates when talking to container source registry or daemon. Default to source registry setting.

 **--dest-cert-dir** _path_

 Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry or daemon.

-**--dest-no-creds** _bool-value_
+**--dest-no-creds**

 Access the registry anonymously.

-**--dest-tls-verify** _bool-value_
+**--dest-tls-verify**=_bool_

-Require HTTPS and verify certificates when talking to container destination registry or daemon (defaults to true).
+Require HTTPS and verify certificates when talking to container destination registry or daemon. Default to destination registry setting.

 **--src-daemon-host** _host_

@@ -160,10 +187,30 @@ Bearer token for accessing the source registry.

 Bearer token for accessing the destination registry.

+**--dest-precompute-digests**
+
+Precompute digests to ensure layers are not uploaded that already exist on the destination registry. Layers with initially unknown digests (ex. compressing "on the fly") will be temporarily streamed to disk.
+
 **--retry-times**

 The number of times to retry. Retry wait time will be exponentially increased based on the number of failed attempts.

+**--src-username**
+
+The username to access the source registry.
+
+**--src-password**
+
+The password to access the source registry.
+
+**--dest-username**
+
+The username to access the destination registry.
+
+**--dest-password**
+
+The password to access the destination registry.
+
 ## EXAMPLES

 To just copy an image from one registry to another:
--- a/docs/skopeo-delete.1.md
+++ b/docs/skopeo-delete.1.md
@@ -6,17 +6,27 @@ skopeo\-delete - Mark the _image-name_ for later deletion by the registry's garb
 ## SYNOPSIS
 **skopeo delete** [*options*] _image-name_

-Mark _image-name_ for deletion.  To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,
+## DESCRIPTION
+
+Mark _image-name_ for deletion.
+The effect of this is registry-specific; many registries don’t support this operation, or don’t allow it in some circumstances / configurations.
+
+**WARNING**: If _image-name_ contains a digest, this affects the referenced manifest, and may delete all tags (within the current repository?) pointing to that manifest.
+
+**WARNING**: If _image-name_ contains a tag (but not a digest), in the current version of Skopeo this resolves the tag into a digest, and then deletes the manifest by digest, as described above (possibly deleting all tags pointing to that manifest, not just the provided tag). This behavior may change in the future.
+
+
+When using the github.com/distribution/distribution registry server:
+To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,

 ```
 /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
-
+```
 Note: sometimes the config.yml is stored in /etc/docker/registry/config.yml

 If you are running the container registry inside of a container you would execute something like:
-
+```
 $ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
-
 ```

 ## OPTIONS
@@ -42,7 +52,7 @@ Use docker daemon host at _host_ (`docker-daemon:` transport only)

 Print usage statement

-**--no-creds** _bool-value_
+**--no-creds**

 Access the registry anonymously.

@@ -62,13 +72,21 @@ Directory to use to share blobs across OCI repositories.

 **--tls-verify**=_bool_

-Require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--username**
+
+The username to access the registry.
+
+**--password**
+
+The password to access the registry.

 ## EXAMPLES

 Mark image example/pause for deletion from the registry.example.com registry:
 ```sh
-$ skopeo delete --force docker://registry.example.com/example/pause:latest
+$ skopeo delete docker://registry.example.com/example/pause:latest
 ```
 See above for additional details on using the command **delete**.

--- a/docs/skopeo-inspect.1.md
+++ b/docs/skopeo-inspect.1.md
@@ -8,9 +8,12 @@ skopeo\-inspect - Return low-level information about _image-name_ in a registry.

 ## DESCRIPTION

-Return low-level information about _image-name_ in a registry
+Return low-level information about _image-name_ in a registry.
+See [skopeo(1)](skopeo.1.md) for the format of _image-name_.

-_image-name_ name of image to retrieve information about
+The default output includes data from various sources: user input (**Name**), the remote repository, if any (**RepoTags**), the top-level manifest (**Digest**),
+and a per-architecture/OS image matching the current run-time environment (most other values).
+To see values for a different architecture/OS, use the **--override-os** / **--override-arch** options documented in [skopeo(1)](skopeo.1.md).

 ## OPTIONS

@@ -67,7 +70,19 @@ Directory to use to share blobs across OCI repositories.

 **--tls-verify**=_bool_

-Require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--username**
+
+The username to access the registry.
+
+**--password**
+
+The password to access the registry.
+
+**--no-tags**, **-n**
+
+Do not list the available tags from the repository in the output. When `true`, the `RepoTags` array will be empty.  Defaults to `false`, which includes all available tags.

 ## EXAMPLES

@@ -98,6 +113,42 @@ $ skopeo inspect docker://docker.io/fedora
 }
 ```

+To inspect python from the docker.io registry and not show the available tags:
+```sh
+$ skopeo inspect --no-tags docker://docker.io/library/python
+{
+    "Name": "docker.io/library/python",
+    "Digest": "sha256:5ca194a80ddff913ea49c8154f38da66a41d2b73028c5cf7e46bc3c1d6fda572",
+    "RepoTags": [],
+    "Created": "2021-10-05T23:40:54.936108045Z",
+    "DockerVersion": "20.10.7",
+    "Labels": null,
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:df5590a8898bedd76f02205dc8caa5cc9863267dbcd8aac038bcd212688c1cc7",
+        "sha256:705bb4cb554eb7751fd21a994f6f32aee582fbe5ea43037db6c43d321763992b",
+        "sha256:519df5fceacdeaadeec563397b1d9f4d7c29c9f6eff879739cab6f0c144f49e1",
+        "sha256:ccc287cbeddc96a0772397ca00ec85482a7b7f9a9fac643bfddd87b932f743db",
+        "sha256:e3f8e6af58ed3a502f0c3c15dce636d9d362a742eb5b67770d0cfcb72f3a9884",
+        "sha256:aebed27b2d86a5a3a2cbe186247911047a7e432b9d17daad8f226597c0ea4276",
+        "sha256:54c32182bdcc3041bf64077428467109a70115888d03f7757dcf614ff6d95ebe",
+        "sha256:cc8b7caedab13af07adf4836e13af2d4e9e54d794129b0fd4c83ece6b1112e86",
+        "sha256:462c3718af1d5cdc050cfba102d06c26f78fe3b738ce2ca2eb248034b1738945"
+    ],
+    "Env": [
+        "PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "LANG=C.UTF-8",
+        "GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D",
+        "PYTHON_VERSION=3.10.0",
+        "PYTHON_PIP_VERSION=21.2.4",
+        "PYTHON_SETUPTOOLS_VERSION=57.5.0",
+        "PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/d781367b97acf0ece7e9e304bf281e99b618bf10/public/get-pip.py",
+        "PYTHON_GET_PIP_SHA256=01249aa3e58ffb3e1686b7141b4e9aac4d398ef4ac3012ed9dff8dd9f685ffe0"
+    ]
+}
+```
+
 ```
 $ /bin/skopeo inspect --config docker://registry.fedoraproject.org/fedora --format "{{ .Architecture }}"
 amd64
--- a/docs/skopeo-list-tags.1.md
+++ b/docs/skopeo-list-tags.1.md
@@ -1,14 +1,14 @@
 % skopeo-list-tags(1)

 ## NAME
-skopeo\-list\-tags - List tags in the transport-specific image repository.
+skopeo\-list\-tags - List image names in a transport-specific collection of images.

 ## SYNOPSIS
-**skopeo list-tags** [*options*] _repository-name_
+**skopeo list-tags** [*options*] _source-image_

-Return a list of tags from _repository-name_ in a registry.
+Return a list of tags from _source-image_ in a registry or a local docker-archive file.

-  _repository-name_ name of repository to retrieve tag listing from
+  _source-image_ name of the repository to retrieve a tag listing from or a local docker-archive file.

 ## OPTIONS

@@ -27,7 +27,7 @@ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry.

 Print usage statement

-**--no-creds** _bool-value_
+**--no-creds**

 Access the registry anonymously.

@@ -41,11 +41,19 @@ The number of times to retry. Retry wait time will be exponentially increased ba

 **--tls-verify**=_bool_

-Require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
+
+**--username**
+
+The username to access the registry.
+
+**--password**
+
+The password to access the registry.

 ## REPOSITORY NAMES

-Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags". Currently, only the Docker transport is supported.
+Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags".

 This commands refers to repositories using a _transport_`:`_details_ format. The following formats are supported:

@@ -64,6 +72,8 @@ This commands refers to repositories using a _transport_`:`_details_ format. The
        "docker.io/myuser/myimage:v1.0"
        "docker.io/myuser/myimage@sha256:f48c4cc192f4c3c6a069cb5cca6d0a9e34d6076ba7c214fd0cc3ca60e0af76bb"

+  **docker-archive:path[:docker-reference]
+  more than one images were stored in a docker save-formatted file. 

 ## EXAMPLES

@@ -113,8 +123,48 @@ $ skopeo list-tags docker://localhost:5000/fedora

 ```

+### Docker-archive Transport
+
+To list the tags in a local docker-archive file:
+
+```sh
+$ skopeo list-tags docker-archive:/tmp/busybox.tar.gz
+{
+    "Tags": [
+        "busybox:1.28.3"
+    ]
+}
+```
+
+Also supports more than one tags in an archive:
+
+```sh
+$ skopeo list-tags docker-archive:/tmp/docker-two-images.tar.gz
+{
+    "Tags": [
+        "example.com/empty:latest",
+        "example.com/empty/but:different"
+    ]
+}
+```
+
+Will include a source-index entry for each untagged image:
+
+```sh
+$ skopeo list-tags docker-archive:/tmp/four-tags-with-an-untag.tar
+{
+    "Tags": [
+        "image1:tag1",
+        "image2:tag2",
+        "@2",
+        "image4:tag4"
+    ]
+}
+```
+
+
 # SEE ALSO
-skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5)
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-transports(1)

 ## AUTHORS

--- a/docs/skopeo-login.1.md
+++ b/docs/skopeo-login.1.md
@@ -49,7 +49,7 @@ Print usage statement

 **--tls-verify**=_bool_

-Require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.

 **--verbose**, **-v**

--- a/docs/skopeo-logout.1.md
+++ b/docs/skopeo-logout.1.md
@@ -31,7 +31,7 @@ Print usage statement

 **--tls-verify**=_bool_

-Require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)
+Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.

 ## EXAMPLES

--- a/docs/skopeo-standalone-sign.1.md
+++ b/docs/skopeo-standalone-sign.1.md
@@ -25,6 +25,10 @@ Print usage statement

 Write signature to _output file_.

+**--passphrase-file**=_path_
+
+The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+
 ## EXAMPLES

 ```sh
--- a/docs/skopeo-sync.1.md
+++ b/docs/skopeo-sync.1.md
@@ -50,6 +50,10 @@ Path of the authentication file for the source registry. Uses path given by `--a

 Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.

+**--dry-run**
+
+Run the sync without actually copying data to the destination.
+
 **--src**, **-s** _transport_ Transport for the source repository.

 **--dest**, **-d** _transport_ Destination transport.
@@ -62,9 +66,21 @@ Print usage statement.

 **--scoped** Prefix images with the source image path, so that multiple images with the same name can be stored at _destination_.

+**--preserve-digests** Preserve the digests during copying. Fail if the digest cannot be preserved.
+
 **--remove-signatures** Do not copy signatures, if any, from _source-image_. This is necessary when copying a signed image to a destination which does not support signatures.

-**--sign-by**=_key-id_ Add a signature using that key ID for an image name corresponding to _destination-image_.
+**--sign-by** _key-id_
+
+Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_
+
+**--sign-by-sigstore-private-key** _path_
+
+Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
+
+**--sign-passphrase-file** _path_
+
+The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.

 **--src-creds** _username[:password]_ for accessing the source registry.

@@ -72,15 +88,15 @@ Print usage statement.

 **--src-cert-dir** _path_ Use certificates (*.crt, *.cert, *.key) at _path_ to connect to the source registry or daemon.

-**--src-no-creds** _bool-value_ Access the registry anonymously.
+**--src-no-creds** Access the registry anonymously.

-**--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container source registry or daemon (defaults to true).
+**--src-tls-verify**=_bool_ Require HTTPS and verify certificates when talking to a container source registry or daemon. Default to source registry entry in registry.conf setting.

 **--dest-cert-dir** _path_ Use certificates (*.crt, *.cert, *.key) at _path_ to connect to the destination registry or daemon.

-**--dest-no-creds** _bool-value_  Access the registry anonymously.
+**--dest-no-creds** Access the registry anonymously.

-**--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container destination registry or daemon (defaults to true).
+**--dest-tls-verify**=_bool_ Require HTTPS and verify certificates when talking to a container destination registry or daemon. Default to destination registry entry in registry.conf setting.

 **--src-registry-token** _Bearer token_ for accessing the source registry.

@@ -88,6 +104,25 @@ Print usage statement.

 **--retry-times**  the number of times to retry, retry wait time will be exponentially increased based on the number of failed attempts.

+**--keep-going**
+If any errors occur during copying of images, those errors are logged and the process continues syncing rest of the images and finally fails at the end.
+
+**--src-username**
+
+The username to access the source registry.
+
+**--src-password**
+
+The password to access the source registry.
+
+**--dest-username**
+
+The username to access the destination registry.
+
+**--dest-password**
+
+The password to access the destination registry.
+
 ## EXAMPLES

 ### Synchronizing to a local directory
--- a/docs/skopeo.1.md
+++ b/docs/skopeo.1.md
@@ -102,7 +102,7 @@ Print the version number
 | [skopeo-copy(1)](skopeo-copy.1.md)        | Copy an image (manifest, filesystem layers, signatures) from one location to another. |
 | [skopeo-delete(1)](skopeo-delete.1.md)    | Mark the _image-name_ for later deletion by the registry's garbage collector.  |
 | [skopeo-inspect(1)](skopeo-inspect.1.md)  | Return low-level information about _image-name_ in a registry.                 |
-| [skopeo-list-tags(1)](skopeo-list-tags.1.md)  | List tags in the transport-specific image repository.                      |
+| [skopeo-list-tags(1)](skopeo-list-tags.1.md)  | List image names in a transport-specific collection of images.|
 | [skopeo-login(1)](skopeo-login.1.md)  | Login to a container registry. |
 | [skopeo-logout(1)](skopeo-logout.1.md)  | Logout of a container registry. |
 | [skopeo-manifest-digest(1)](skopeo-manifest-digest.1.md)    | Compute a manifest digest for a manifest-file and write it to standard output. |
--- a/docs/skopeo.svg
+++ b/docs/skopeo.svg
@@ -1,546 +1,74 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:xlink="http://www.w3.org/1999/xlink"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="480.61456"
-   height="472.66098"
-   viewBox="0 0 127.1626 125.05822"
-   version="1.1"
-   id="svg8"
-   inkscape:version="0.92.2 5c3e80d, 2017-08-06"
-   sodipodi:docname="skopeo.svg"
-   inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/skopeo.color.png"
-   inkscape:export-xdpi="90"
-   inkscape:export-ydpi="90">
-  <defs
-     id="defs2">
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84477">
-      <stop
-         style="stop-color:#0093d9;stop-opacity:1"
-         offset="0"
-         id="stop84473" />
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1"
-         offset="1"
-         id="stop84475" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84469">
-      <stop
-         style="stop-color:#f6e6c8;stop-opacity:1"
-         offset="0"
-         id="stop84465" />
-      <stop
-         style="stop-color:#dc9f2e;stop-opacity:1"
-         offset="1"
-         id="stop84467" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84461">
-      <stop
-         style="stop-color:#bfdce8;stop-opacity:1;"
-         offset="0"
-         id="stop84457" />
-      <stop
-         style="stop-color:#2a72ac;stop-opacity:1"
-         offset="1"
-         id="stop84459" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84420">
-      <stop
-         style="stop-color:#a7a9ac;stop-opacity:1;"
-         offset="0"
-         id="stop84416" />
-      <stop
-         style="stop-color:#e7e8e9;stop-opacity:1"
-         offset="1"
-         id="stop84418" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84347">
-      <stop
-         style="stop-color:#2c2d2f;stop-opacity:1;"
-         offset="0"
-         id="stop84343" />
-      <stop
-         style="stop-color:#000000;stop-opacity:1"
-         offset="1"
-         id="stop84345" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84339">
-      <stop
-         style="stop-color:#002442;stop-opacity:1;"
-         offset="0"
-         id="stop84335" />
-      <stop
-         style="stop-color:#151617;stop-opacity:1"
-         offset="1"
-         id="stop84337" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84331">
-      <stop
-         style="stop-color:#003d6e;stop-opacity:1;"
-         offset="0"
-         id="stop84327" />
-      <stop
-         style="stop-color:#59b5ff;stop-opacity:1"
-         offset="1"
-         id="stop84329" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84323">
-      <stop
-         style="stop-color:#dc9f2e;stop-opacity:1;"
-         offset="0"
-         id="stop84319" />
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1"
-         offset="1"
-         id="stop84321" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84325"
-       x1="221.5741"
-       y1="250.235"
-       x2="219.20772"
-       y2="221.99771"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84331"
-       id="linearGradient84333"
-       x1="223.23239"
-       y1="212.83418"
-       x2="245.52328"
-       y2="129.64345"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84339"
-       id="linearGradient84341"
-       x1="190.36137"
-       y1="217.8925"
-       x2="205.20828"
-       y2="209.32063"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84347"
-       id="linearGradient84349"
-       x1="212.05453"
-       y1="215.20055"
-       x2="237.73705"
-       y2="230.02835"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84363"
-       x1="193.61516"
-       y1="225.045"
-       x2="224.08698"
-       y2="223.54327"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84377"
-       x1="182.72513"
-       y1="222.54439"
-       x2="184.01024"
-       y2="210.35291"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84408"
-       x1="211.73801"
-       y1="225.48302"
-       x2="204.24324"
-       y2="238.46432"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84422"
-       x1="190.931"
-       y1="221.83777"
-       x2="187.53873"
-       y2="229.26593"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84339"
-       id="linearGradient84425"
-       gradientUnits="userSpaceOnUse"
-       x1="190.36137"
-       y1="217.8925"
-       x2="205.20828"
-       y2="209.32063"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84441"
-       x1="169.95944"
-       y1="215.77036"
-       x2="174.0289"
-       y2="207.81528"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84455"
-       x1="234.08092"
-       y1="252.39755"
-       x2="245.88477"
-       y2="251.21777"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84461"
-       id="radialGradient84463"
-       cx="213.19594"
-       cy="223.40646"
-       fx="214.12064"
-       fy="217.34077"
-       r="33.39888"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(2.6813748,0.05304973,-0.0423372,2.1399146,-349.74924,-255.6421)" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84469"
-       id="radialGradient84471"
-       cx="207.18298"
-       cy="211.06483"
-       fx="207.18298"
-       fy="211.06483"
-       r="2.77954"
-       gradientTransform="matrix(1.4407627,0.18685239,-0.24637721,1.8997405,-38.989952,-218.98841)"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84477"
-       id="linearGradient84479"
-       x1="241.60336"
-       y1="255.46982"
-       x2="244.45177"
-       y2="250.4846"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
+<svg width="168.71024mm" height="145.54036mm" viewBox="0 0 168.71024 145.54036" version="1.1" id="svg2674" inkscape:version="1.2 (dc2aedaf03, 2022-05-15)" sodipodi:docname="skopeo-badge-full-vert.svg" inkscape:export-filename="skopeo-badge-full-vert.png" inkscape:export-xdpi="51.86108" inkscape:export-ydpi="51.86108" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <defs id="defs2668">
+    <inkscape:path-effect is_visible="true" id="path-effect10334" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect10336" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect9986" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect9984" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect10300" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect10304" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect124972" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect124976" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163593" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163605" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163611" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163615" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163619" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163629" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163633" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163651" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163655" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163597" effect="spiro" lpeversion="0"/>
  </defs>
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="1"
-     inkscape:cx="517.27113"
-     inkscape:cy="314.79773"
-     inkscape:document-units="mm"
-     inkscape:current-layer="layer1"
-     inkscape:document-rotation="0"
-     showgrid="false"
-     units="px"
-     inkscape:snap-global="false"
-     inkscape:window-width="2560"
-     inkscape:window-height="1376"
-     inkscape:window-x="0"
-     inkscape:window-y="27"
-     inkscape:window-maximized="1"
-     fit-margin-top="0"
-     fit-margin-left="0"
-     fit-margin-right="0"
-     fit-margin-bottom="0" />
-  <metadata
-     id="metadata5">
+  <sodipodi:namedview id="base" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:pageopacity="0.0" inkscape:pageshadow="2" inkscape:zoom="0.7" inkscape:cx="399.28571" inkscape:cy="187.14286" inkscape:document-units="mm" inkscape:current-layer="g1208" showgrid="false" fit-margin-top="10" fit-margin-left="10" fit-margin-right="10" fit-margin-bottom="10" inkscape:window-width="2560" inkscape:window-height="1403" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:pagecheckerboard="0" inkscape:showpageshadow="2" inkscape:deskcolor="#d1d1d1"/>
+  <metadata id="metadata2671">
    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
+      <cc:Work rdf:about="">
        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title />
+        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage"/>
      </cc:Work>
    </rdf:RDF>
  </metadata>
-  <g
-     inkscape:label="Layer 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(-149.15784,-175.92614)">
-    <g
-       id="g84497"
-       style="stroke-width:1.32291663;stroke-miterlimit:4;stroke-dasharray:none"
-       transform="translate(0,10.583333)">
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84485"
-         width="31.605196"
-         height="19.16976"
-         x="299.48376"
-         y="87.963303"
-         transform="rotate(30)" />
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84487"
-         width="16.725054"
-         height="9.8947001"
-         x="258.07639"
-         y="92.60083"
-         transform="rotate(30)" />
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84489"
-         width="4.8383565"
-         height="11.503917"
-         x="253.2236"
-         y="91.796227"
-         transform="rotate(30)" />
-      <rect
-         y="86.859642"
-         x="331.21924"
-         height="21.377089"
-         width="4.521956"
-         id="rect84491"
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         transform="rotate(30)" />
+  <g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(378.90631,201.21016)">
+    <g id="g1208">
+      <g id="g81584" transform="matrix(1.7276536,0,0,1.7276536,-401.82487,-530.26362)" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/new skopeo/skopeo-logomark_medium_transparent-bg.png" inkscape:export-xdpi="51.86108" inkscape:export-ydpi="51.86108">
+        <g style="fill:#ffffff;fill-opacity:1;stroke:#3c6eb4;stroke-opacity:1" id="g81528" transform="translate(-734.38295,98.0028)">
+          <path inkscape:connector-curvature="0" style="opacity:1;fill:#ffffff;fill-opacity:1;stroke:#3c6eb4;stroke-width:1.05833;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 796.57913,145.63255 -19.29817,-9.23285 -4.82036,-20.8616 13.2871,-16.780616 21.38926,-0.06408 13.38485,16.701146 -4.69887,20.8897 z" id="path81526"/>
+        </g>
+        <g transform="matrix(0.43729507,0,0,0.43729507,42.235192,80.461942)" id="g81554">
+          <rect style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81530" width="16.725054" height="9.8947001" x="158.13725" y="255.21965" transform="rotate(30)"/>
+          <rect style="fill:#ffffff;stroke:#000000;stroke-width:1.32292;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6" id="rect81532" width="4.8383565" height="11.503917" x="153.28447" y="254.41505" transform="rotate(30)"/>
+          <path sodipodi:nodetypes="cczc" inkscape:connector-curvature="0" id="path81534" d="m 78.802289,335.54596 -9.111984,15.78242 c 1.40192,0.25963 4.990131,-0.63196 7.869989,-5.61868 2.879866,-4.98671 2.168498,-9.07865 1.241995,-10.16374 z" style="fill:#9dc6e7;fill-opacity:1;stroke:#2a72ac;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1"/>
+          <rect transform="rotate(30)" y="250.58212" x="199.54463" height="19.16976" width="31.605196" id="rect81536" style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1"/>
+          <rect transform="rotate(30)" style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81538" width="16.459545" height="15.252436" x="178.48766" y="252.54079"/>
+          <g style="stroke:#808080;stroke-opacity:1" id="g81548">
+            <rect style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81540" width="4.521956" height="21.377089" x="195.04353" y="249.47847" transform="rotate(30)"/>
+            <rect y="251.64348" x="174.76939" height="17.047071" width="3.617183" id="rect81542" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" transform="rotate(30)"/>
+            <rect style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81544" width="4.8383565" height="11.503917" x="153.28447" y="254.41505" transform="rotate(30)"/>
+            <rect y="249.47847" x="231.28011" height="21.377089" width="4.521956" id="rect81546" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81574;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" transform="rotate(30)"/>
+          </g>
+          <path inkscape:connector-curvature="0" id="path81550" d="m 47.691007,322.31629 22.49734,12.98884" style="fill:#ffffff;fill-rule:evenodd;stroke:#ffffff;stroke-width:3.02523;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"/>
+          <path style="fill:#ffffff;fill-rule:evenodd;stroke:#ffffff;stroke-width:3.02523;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 27.886021,312.45704 9.423431,5.07506" id="path81552" inkscape:connector-curvature="0"/>
+        </g>
+        <g transform="matrix(0.43729507,0,0,0.43729507,42.235192,101.28812)" id="g81568">
+          <path style="fill:#2a72ac;fill-opacity:1;stroke:#003e6f;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" d="m 34.507847,231.71327 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z" id="path81556" inkscape:connector-curvature="0" sodipodi:nodetypes="cccccc"/>
+          <path sodipodi:nodetypes="ccccc" inkscape:connector-curvature="0" id="path81558" d="m 28.119527,245.45648 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z" style="fill:#808080;fill-opacity:1;stroke:#000000;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6"/>
+          <path style="fill:#4d4d4d;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 24.616967,251.5299 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z" id="path81560" inkscape:connector-curvature="0" sodipodi:nodetypes="ccccc"/>
+          <ellipse ry="3.8438656" rx="3.8395541" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="ellipse81562" cx="39.230743" cy="255.66997"/>
+          <path sodipodi:nodetypes="ccc" style="fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#9dc6e7;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 71.999346,266.02935 -8.9307,-5.38071 10.81942,-5.07707" id="path81564" inkscape:connector-curvature="0"/>
+          <path style="fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#9dc6e7;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 35.169799,245.57008 10.37702,-6.1817 -7.12581,-2.30459" id="path81566" inkscape:connector-curvature="0" sodipodi:nodetypes="ccc"/>
+        </g>
+        <g style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-opacity:1" id="g81582" transform="translate(0.69195604,69.064926)">
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 83.087609,145.72448 -3.6551,1.27991" id="path81570" inkscape:connector-curvature="0" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 51.138114,129.84674 1.971302,3.71206" id="path81572" inkscape:connector-curvature="0" inkscape:export-xdpi="96.181694" inkscape:export-ydpi="96.181694"/>
+          <path inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png" inkscape:connector-curvature="0" id="path81574" d="m 70.63337,129.84674 -2.345479,4.17978" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" sodipodi:nodetypes="cc" inkscape:export-xdpi="96.181694" inkscape:export-ydpi="96.181694"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" inkscape:connector-curvature="0" id="path81576" d="m 61.405599,166.31541 v 5.83669" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" inkscape:connector-curvature="0" id="path81578" d="m 43.729779,164.25283 4.216366,-4.18995" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" sodipodi:nodetypes="cc" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 79.100039,164.25283 -1.50358,-1.57071" id="path81580" inkscape:connector-curvature="0" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+        </g>
+      </g>
+      <text id="text81524" y="-73.044861" x="-363.40085" style="font-style:normal;font-weight:normal;font-size:37.592px;line-height:22.5552px;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#e1ae4f;fill-opacity:1;stroke:none;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" xml:space="preserve"><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#e1ae4f;fill-opacity:1;stroke-width:0.264583px" y="-73.044861" x="-363.40085" id="tspan81522" sodipodi:role="line" dx="0 0 0 0 0 0"><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#294172;fill-opacity:1" id="tspan81514">sk</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#2a72ac;fill-opacity:1" id="tspan81516">o</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#294172;fill-opacity:1" id="tspan81518">pe</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#2a72ac;fill-opacity:1" id="tspan81520">o</tspan></tspan></text>
    </g>
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
-       id="path84483"
-       inkscape:connector-curvature="0" />
-    <path
-       sodipodi:nodetypes="cccccc"
-       inkscape:connector-curvature="0"
-       id="path84481"
-       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <circle
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="path84224"
-       cx="213.64427"
-       cy="234.18927"
-       r="35.482784" />
-    <circle
-       r="33.39888"
-       cy="234.18927"
-       cx="213.64427"
-       id="circle84226"
-       style="fill:url(#radialGradient84463);fill-opacity:1;stroke:none;stroke-width:0.52916664;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84114"
-       width="31.605196"
-       height="19.16976"
-       x="304.77545"
-       y="97.128738"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84116"
-       width="4.521956"
-       height="21.377089"
-       x="300.27435"
-       y="96.025078"
-       transform="rotate(30)" />
-    <rect
-       y="99.087395"
-       x="283.71848"
-       height="15.252436"
-       width="16.459545"
-       id="rect84118"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <rect
-       y="98.190086"
-       x="280.00021"
-       height="17.047071"
-       width="3.617183"
-       id="rect84120"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84122"
-       width="16.725054"
-       height="9.8947001"
-       x="263.36807"
-       y="101.76627"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84124"
-       width="4.8383565"
-       height="11.503917"
-       x="258.51526"
-       y="100.96166"
-       transform="rotate(30)" />
-    <rect
-       y="96.025078"
-       x="336.51093"
-       height="21.377089"
-       width="4.521956"
-       id="rect84126"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <path
-       style="fill:url(#linearGradient84325);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 207.24023,252.71811 25.53907,14.74414 8.52539,-14.76953 -25.53711,-14.74415 z"
-       id="rect84313"
-       inkscape:connector-curvature="0" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84128"
-       d="m 215.3335,241.36799 22.49734,12.98884"
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84130"
-       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 195.97877,212.80238 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z"
-       id="path84134"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccccc" />
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
-       id="path84136"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="cccccc" />
-    <path
-       style="fill:url(#linearGradient84422);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 186.31445,239.41146 1.30078,0.75 7.46485,-12.92968 -1.30078,-0.75 z"
-       id="rect84410"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84349);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 193.92188,218.48568 44.21289,25.55469 2.44335,-4.23242 -44.21289,-25.55664 z"
-       id="path84284"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84363);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 189.98438,240.4935 12.42187,7.16992 6.56641,-11.375 -12.42188,-7.16992 z"
-       id="rect84351"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84377);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 173.69727,227.99936 12.65234,7.30273 3.88867,-6.73633 -12.65234,-7.30273 z"
-       id="rect84365"
-       inkscape:connector-curvature="0" />
-    <path
-       sodipodi:nodetypes="ccccc"
-       inkscape:connector-curvature="0"
-       id="path84138"
-       d="m 192.47621,218.8758 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z"
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <ellipse
-       cy="223.01579"
-       cx="207.08998"
-       id="circle84140"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       rx="3.8395541"
-       ry="3.8438656" />
-    <path
-       style="fill:url(#linearGradient84333);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 197.35938,212.35287 44.36523,25.64453 7.58984,-10.83203 -20.82617,-18.73242 -25.55078,-8.08399 z"
-       id="path84272"
-       inkscape:connector-curvature="0" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84142"
-       d="m 200.6837,212.37603 11.49279,-6.98413 -8.11935,-2.73742"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84144"
-       d="m 241.31895,235.3047 -8.04514,-4.75769 10.057,-4.72299"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       sodipodi:nodetypes="ccc" />
-    <path
-       sodipodi:nodetypes="ccc"
-       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.52899998;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 241.06868,235.79543 -8.9307,-5.38071 10.81942,-5.07707"
-       id="path84280"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 200.60886,211.70589 10.37702,-6.1817 -7.12581,-2.30459"
-       id="path84290"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccc" />
-    <path
-       style="fill:url(#radialGradient84471);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 206.89258,220.23959 -0.29297,0.0352 -0.23633,0.0527 -0.26953,0.0898 -0.2793,0.125 -0.23437,0.13477 -0.20508,0.14648 -0.2207,0.19532 -0.18946,0.20117 -0.006,0.008 0.004,-0.008 -0.006,0.01 -0.008,0.01 -0.004,0.004 -0.006,0.006 -0.12109,0.1582 -0.002,0.004 -0.002,0.002 -0.16406,0.26758 -0.12109,0.24804 -0.0996,0.28125 -0.0645,0.24219 -0.0371,0.26367 -0.0176,0.31641 0.008,0.18164 0.0332,0.28711 0.0527,0.23437 0.004,0.0117 0.0937,0.28516 0.11133,0.24805 0.13086,0.23046 0.16992,0.23829 0.1836,0.20898 0.21093,0.19727 0.19532,0.14843 0.25586,0.15625 0.24218,0.11719 0.26172,0.0977 0.27344,0.0684 0.27344,0.043 0.29297,0.0137 0.18164,-0.008 0.29687,-0.0351 0.24024,-0.0547 0.27539,-0.0898 0.24218,-0.10938 0.25,-0.14453 0.23047,-0.16406 0.20899,-0.1836 0.20508,-0.21875 0.125,-0.16406 0.004,-0.006 0.1582,-0.25781 0.004,-0.008 0.12695,-0.26172 0.0996,-0.27344 0.002,-0.006 0.0586,-0.24023 0.0391,-0.26563 0.0176,-0.3125 -0.008,-0.17968 -0.0332,-0.28711 -0.0527,-0.23438 -0.004,-0.0117 -0.0937,-0.28515 -0.11132,-0.24805 -0.13086,-0.23047 -0.16993,-0.23828 -0.18554,-0.20899 -0.19922,-0.18945 -0.21875,-0.16406 -0.23828,-0.14844 -0.26563,-0.12695 -0.01,-0.004 -0.21875,-0.0801 -0.28516,-0.0723 -0.27344,-0.043 -0.29492,-0.0137 z"
-       id="ellipse84292"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84425);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 183.23633,227.10092 c 5.59753,3.20336 12.36881,4.51528 18.71366,3.17108 1.59516,-0.38 3.17489,-0.99021 4.44874,-2.04739 -0.73893,-0.64617 -1.68301,-0.99544 -2.49844,-1.53493 -3.78032,-2.18293 -7.56064,-4.36587 -11.34096,-6.5488 -3.10767,2.32001 -6.21533,4.64003 -9.323,6.96004 z"
-       id="path84298"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="cccccc" />
-    <path
-       style="fill:url(#linearGradient84479);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 238.62695,269.97787 0.006,-0.002 0.39453,-0.27735 0.41797,-0.34179 0.002,-0.002 0.45703,-0.42382 0.47851,-0.49219 0.0156,-0.0176 0.47656,-0.53711 0.002,-0.002 0.0117,-0.0137 0.48438,-0.5918 0.0117,-0.0156 0.49023,-0.64257 0.01,-0.0137 0.49609,-0.69726 0.48047,-0.71875 0.01,-0.0137 0.46485,-0.74805 0.004,-0.008 0.002,-0.002 0.30468,-0.51562 0.008,-0.0117 0.4375,-0.78711 0.40625,-0.77734 0.008,-0.0137 0.37109,-0.77149 0.008,-0.0156 0.33789,-0.75977 0.006,-0.0156 0.30078,-0.73829 0.27148,-0.74609 0.21289,-0.66602 0.17969,-0.66796 v -0.002 l 0.12305,-0.58203 0.002,-0.0137 0.0723,-0.51562 0.0176,-0.31836 z"
-       id="path84379"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84408);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 202.78906,251.42318 2.08399,1.20118 9.6289,-16.67969 -2.08203,-1.20117 z"
-       id="rect84396"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84441);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 169.0918,226.26889 2.35937,1.36133 4.69336,-8.13086 -2.35937,-1.36133 z"
-       id="rect84429"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84455);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 234.17188,269.53842 2.08203,1.20312 9.63086,-16.67773 -2.08399,-1.20313 z"
-       id="rect84443"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#f8ead2;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 215.55025,240.82707 22.49734,12.98884"
-       id="path84521"
-       inkscape:connector-curvature="0" />
  </g>
 </svg>
--- a/go.mod
+++ b/go.mod
@@ -1,25 +1,108 @@
 module github.com/containers/skopeo

-go 1.12
+go 1.17

 require (
-	github.com/containers/common v0.42.0
-	github.com/containers/image/v5 v5.15.0
-	github.com/containers/ocicrypt v1.1.2
-	github.com/containers/storage v1.33.1
-	github.com/docker/docker v20.10.7+incompatible
-	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
-	github.com/go-check/check v0.0.0-20180628173108-788fd7840127
+	github.com/containers/common v0.49.0
+	github.com/containers/image/v5 v5.22.0
+	github.com/containers/ocicrypt v1.1.5
+	github.com/containers/storage v1.42.0
+	github.com/docker/docker v20.10.17+incompatible
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
-	github.com/opencontainers/image-tools v0.0.0-20170926011501-6d941547fa1d
-	github.com/pkg/errors v0.9.1
-	github.com/russross/blackfriday v2.0.0+incompatible // indirect
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.2.1
+	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198
+	github.com/opencontainers/image-tools v1.0.0-rc3
+	github.com/sirupsen/logrus v1.9.0
+	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.7.0
+	github.com/stretchr/testify v1.8.0
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
-	go4.org v0.0.0-20190218023631-ce4c26f7be8e // indirect
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v2 v2.4.0
 )
+
+require (
+	github.com/BurntSushi/toml v1.2.0 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
+	github.com/Microsoft/hcsshim v0.9.3 // indirect
+	github.com/VividCortex/ewma v1.2.0 // indirect
+	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/containerd/cgroups v1.0.3 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
+	github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a // indirect
+	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/go-units v0.4.0 // indirect
+	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-containerregistry v0.10.0 // indirect
+	github.com/google/go-intervals v0.0.2 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/klauspost/pgzip v1.2.5 // indirect
+	github.com/kr/pretty v0.2.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible // indirect
+	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/opencontainers/runc v1.1.3 // indirect
+	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect
+	github.com/opencontainers/selinux v1.10.1 // indirect
+	github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/proglottis/gpgme v0.1.3 // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/russross/blackfriday v2.0.0+incompatible // indirect
+	github.com/sigstore/sigstore v1.3.1-0.20220629021053-b95fc0d626c1 // indirect
+	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
+	github.com/sylabs/sif/v2 v2.7.1 // indirect
+	github.com/tchap/go-patricia v2.3.0+incompatible // indirect
+	github.com/theupdateframework/go-tuf v0.3.1 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/ulikunitz/xz v0.5.10 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/vbauerster/mpb/v7 v7.4.2 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	go.etcd.io/bbolt v1.3.6 // indirect
+	go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	go.opentelemetry.io/otel/trace v1.3.0 // indirect
+	golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838 // indirect
+	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
+	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
+	google.golang.org/grpc v1.47.0 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
--- a/go.sum
+++ b/go.sum
--- a/hack/btrfs_installed_tag.sh
+++ b/hack/btrfs_installed_tag.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 cc -E - > /dev/null 2> /dev/null << EOF
 #include <btrfs/ioctl.h>
 EOF
--- a/hack/btrfs_tag.sh
+++ b/hack/btrfs_tag.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 cc -E - > /dev/null 2> /dev/null << EOF
 #include <btrfs/version.h>
 EOF
--- a/hack/get_fqin.sh
+++ b/hack/get_fqin.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# This script is intended to be called from the Makefile.  It's purpose
+# is to automation correspondence between the environment used for local
+# development and CI.
+
+set -e
+
+SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
+SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
+REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
+
+# When running under CI, we already have the necessary information,
+# simply provide it to the Makefile.
+if [[ -n "$SKOPEO_CIDEV_CONTAINER_FQIN" ]]; then
+    echo "$SKOPEO_CIDEV_CONTAINER_FQIN"
+    exit 0
+fi
+
+if [[ -n $(command -v podman) ]]; then CONTAINER_RUNTIME=podman; fi
+CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-docker}
+
+# Borrow the get_ci_vm container image since it's small, and
+# by necessity contains a script that can accurately interpret
+# env. var. values from any .cirrus.yml runtime context.
+$CONTAINER_RUNTIME run --rm \
+    --security-opt label=disable \
+    -v $REPO_DIRPATH:/src:ro \
+    --entrypoint=/usr/share/automation/bin/cirrus-ci_env.py \
+    quay.io/libpod/get_ci_vm:latest \
+    --envs="Skopeo Test" /src/.cirrus.yml | \
+    egrep -m1 '^SKOPEO_CIDEV_CONTAINER_FQIN' | \
+    awk -F "=" -e '{print $2}' | \
+    tr -d \'\"
--- a/hack/libdm_tag.sh
+++ b/hack/libdm_tag.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 tmpdir="$PWD/tmp.$RANDOM"
 mkdir -p "$tmpdir"
 trap 'rm -fr "$tmpdir"' EXIT
--- a/hack/libsubid_tag.sh
+++ b/hack/libsubid_tag.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+if test $(${GO:-go} env GOOS) != "linux" ; then
+	exit 0
+fi
+tmpdir="$PWD/tmp.$RANDOM"
+mkdir -p "$tmpdir"
+trap 'rm -fr "$tmpdir"' EXIT
+cc -o "$tmpdir"/libsubid_tag -l subid -x c - > /dev/null 2> /dev/null << EOF
+#include <shadow/subid.h>
+int main() {
+	struct subid_range *ranges = NULL;
+	get_subuid_ranges("root", &ranges);
+	free(ranges);
+	return 0;
+}
+EOF
+if test $? -eq 0 ; then
+	echo libsubid
+fi
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -2,15 +2,14 @@
 set -e

 # This script builds various binary from a checkout of the skopeo
-# source code.
+# source code. DO NOT CALL THIS SCRIPT DIRECTLY.
 #
 # Requirements:
 # - The current directory should be a checkout of the skopeo source code
 #   (https://github.com/containers/skopeo). Whatever version is checked out
 #   will be built.
-# - The script is intended to be run inside the docker container specified
-#   in the Dockerfile at the root of the source. In other words:
-#   DO NOT CALL THIS SCRIPT DIRECTLY.
+# - The script is intended to be run inside the container specified
+#   in the output of hack/get_fqin.sh
 # - The right way to call this script is to invoke "make" from
 #   your checkout of the skopeo repository.
 #   the Makefile will do a "docker build -t skopeo ." and then
@@ -23,21 +22,19 @@ export SKOPEO_PKG='github.com/containers/skopeo'
 export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export MAKEDIR="$SCRIPTDIR/make"

-# We're a nice, sexy, little shell script, and people might try to run us;
-# but really, they shouldn't. We want to be in a container!
-# The magic value is defined inside our Dockerfile.
-if [[ "$container_magic" != "85531765-346b-4316-bdb8-358e4cca9e5d" ]]; then
-	{
-		echo "# WARNING! I don't seem to be running in a Docker container."
-		echo "# The result of this command might be an incorrect build, and will not be"
-		echo "# officially supported."
-		echo "#"
-		echo "# Try this instead: make all"
-		echo "#"
-	} >&2
-else
-    echo "# I appear to be running inside my designated container image, good!"
-    export SKOPEO_CONTAINER_TESTS=1
+# Set this to 1 to enable installation/modification of environment/services
+export SKOPEO_CONTAINER_TESTS=${SKOPEO_CONTAINER_TESTS:-0}
+
+if [[ "$SKOPEO_CONTAINER_TESTS" == "0" ]] && [[ "$CI" != "true" ]]; then
+    (
+    echo "***************************************************************"
+    echo "WARNING: Executing tests directly on the local development"
+    echo "         host is highly discouraged.  Many important items"
+    echo "         will be skipped.  For manual execution, please utilize"
+    echo "         the Makefile targets WITHOUT the '-local' suffix."
+    echo "***************************************************************"
+    ) > /dev/stderr
+    sleep 5s
 fi

 echo
@@ -56,8 +53,6 @@ DEFAULT_BUNDLES=(
 	test-integration
 )

-TESTFLAGS+=" -test.timeout=15m"
-
 # Go module support: set `-mod=vendor` to use the vendored sources
 # See also the top-level Makefile.
 mod_vendor=
@@ -66,16 +61,6 @@ if go help mod >/dev/null 2>&1; then
  mod_vendor='-mod=vendor'
 fi

-# If $TESTFLAGS is set in the environment, it is passed as extra arguments to 'go test'.
-# You can use this to select certain tests to run, eg.
-#
-#     TESTFLAGS='-test.run ^TestBuild$' ./hack/make.sh test-unit
-#
-# For integration-cli test, we use [gocheck](https://labix.org/gocheck), if you want
-# to run certain tests on your local host, you should run with command:
-#
-#     TESTFLAGS='-check.f DockerSuite.TestBuild*' ./hack/make.sh binary test-integration-cli
-#
 go_test_dir() {
 	dir=$1
 	(
--- a/hack/make/test-integration
+++ b/hack/make/test-integration
@@ -2,13 +2,11 @@
 set -e

 bundle_test_integration() {
-	TESTFLAGS="$TESTFLAGS -check.v"
 	go_test_dir ./integration
 }

 # subshell so that we can export PATH without breaking other things
 (
-	make bin/skopeo ${BUILDTAGS:+BUILDTAGS="$BUILDTAGS"}
 	make PREFIX=/usr install
 	bundle_test_integration
 ) 2>&1
--- a/hack/make/test-system
+++ b/hack/make/test-system
@@ -1,17 +1,23 @@
 #!/bin/bash
 set -e

-# Before running podman for the first time, make sure
-# to set storage to vfs (not overlay): podman-in-podman
-# doesn't work with overlay. And, disable mountopt,
-# which causes error with vfs.
-sed -i \
-    -e 's/^driver\s*=.*/driver = "vfs"/' \
-    -e 's/^mountopt/#mountopt/' \
-    /etc/containers/storage.conf
+# These tests can run in/outside of a container.  However,
+# not all storage drivers are supported in a container
+# environment.  Detect this and setup storage when
+# running in a container.
+if ((SKOPEO_CONTAINER_TESTS)) && [[ -r /etc/containers/storage.conf ]]; then
+    sed -i \
+        -e 's/^driver\s*=.*/driver = "vfs"/' \
+        -e 's/^mountopt/#mountopt/' \
+        /etc/containers/storage.conf
+elif ((SKOPEO_CONTAINER_TESTS)); then
+    cat >> /etc/containers/storage.conf << EOF
+[storage]
+driver = "vfs"
+EOF
+fi

 # Build skopeo, install into /usr/bin
-make bin/skopeo ${BUILDTAGS:+BUILDTAGS="$BUILDTAGS"}
 make PREFIX=/usr install

 # Run tests
--- a/hack/make/validate-vet
+++ b/hack/make/validate-vet
@@ -1,6 +1,6 @@
 #!/bin/bash

-errors=$(go vet $mod_vendor $(go list $mod_vendor -e ./...))
+errors=$(go vet -tags="${BUILDTAGS}" $mod_vendor $(go list $mod_vendor -e ./...))

 if [ -z "$errors" ]; then
 	echo 'Congratulations!  All Go source files have been vetted.'
--- a/hack/tree_status.sh
+++ b/hack/tree_status.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -e

 STATUS=$(git status --porcelain)
--- a/install.md
+++ b/install.md
@@ -1,7 +1,8 @@
-# Installing from packages
+# Installing Skopeo

 ## Distribution Packages
-`skopeo` may already be packaged in your distribution.
+`skopeo` may already be packaged in your distribution. This document lists the
+installation steps for many distros, along with their information and support links.

 ### Fedora

@@ -9,34 +10,26 @@
 sudo dnf -y install skopeo
 ```

-### RHEL/CentOS ≥ 8 and CentOS Stream
+[Package Info](https://src.fedoraproject.org/rpms/skopeo) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Fedora&component=skopeo&product=Fedora)
+
+Fedora bugs can be reported on the Skopeo GitHub [Issues](https://github.com/containers/skopeo/issues) page.
+
+### RHEL / CentOS Stream ≥ 8

 ```sh
 sudo dnf -y install skopeo
 ```

-Newer Skopeo releases may be available on the repositories provided by the
-Kubic project. Beware, these may not be suitable for production environments.
+If you are a RHEL customer, please reach out through the official RHEL support
+channels for any issues.

-on CentOS 8:
+CentOS Stream 9: [Package Info](https://gitlab.com/redhat/centos-stream/rpms/skopeo/-/tree/c9s) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Red%20Hat&component=skopeo&product=Red%20Hat%20Enterprise%20Linux%209&version=CentOS%20Stream)

-```sh
-sudo dnf -y module disable container-tools
-sudo dnf -y install 'dnf-command(copr)'
-sudo dnf -y copr enable rhcontainerbot/container-selinux
-sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo
-sudo dnf -y install skopeo
-```
+CentOS Stream 8: [Package Info](https://git.centos.org/rpms/skopeo/tree/c8s-stream-rhel8) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Red%20Hat&component=skopeo&product=Red%20Hat%20Enterprise%20Linux%208&version=CentOS%20Stream)

-on CentOS 8 Stream:
-
-```sh
-sudo dnf -y module disable container-tools
-sudo dnf -y install 'dnf-command(copr)'
-sudo dnf -y copr enable rhcontainerbot/container-selinux
-sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8_Stream/devel:kubic:libcontainers:stable.repo
-sudo dnf -y install skopeo
-```

 ### RHEL/CentOS ≤ 7.x

@@ -44,18 +37,24 @@ sudo dnf -y install skopeo
 sudo yum -y install skopeo
 ```

+CentOS 7: [Package Repo](https://git.centos.org/rpms/skopeo/tree/c7-extras)
+
 ### openSUSE

 ```sh
 sudo zypper install skopeo
 ```

+[Package Info](https://software.opensuse.org/package/skopeo)
+
 ### Alpine

 ```sh
 sudo apk add skopeo
 ```

+[Package Info](https://pkgs.alpinelinux.org/packages?name=skopeo)
+
 ### macOS

 ```sh
@@ -67,18 +66,21 @@ brew install skopeo
 $ nix-env -i skopeo
 ```

+[Package Info](https://search.nixos.org/packages?&show=skopeo&query=skopeo)
+
 ### Debian

-The skopeo package is available in
-the [Bullseye (testing) branch](https://packages.debian.org/bullseye/skopeo), which
-will be the next stable release (Debian 11) as well as Debian Unstable/Sid.
+The skopeo package is available on [Bullseye](https://packages.debian.org/bullseye/skopeo),
+and Debian Testing and Unstable.

 ```bash
-# Debian Testing/Bullseye or Unstable/Sid
+# Debian Bullseye, Testing or Unstable/Sid
 sudo apt-get update
 sudo apt-get -y install skopeo
 ```

+[Package Info](https://packages.debian.org/stable/skopeo)
+
 ### Raspberry Pi OS arm64 (beta)

 Raspberry Pi OS uses the standard Debian's repositories,
@@ -97,27 +99,27 @@ sudo apt-get -y update
 sudo apt-get -y install skopeo
 ```

-If you would prefer newer (though not as well-tested) packages,
-the [Kubic project](https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/skopeo)
-provides packages for active Ubuntu releases 20.04 and newer (it should also work with direct derivatives like Pop!\_OS).
-Checkout the [Kubic project page](https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/skopeo)
-for a list of supported Ubuntu version and
-architecture combinations. **NOTE:** The command `sudo apt-get -y upgrade`
-maybe required in some cases if Skopeo cannot be installed without it.
-The build sources for the Kubic packages can be found [here](https://gitlab.com/rhcontainerbot/skopeo/-/tree/debian/debian).
+[Package Info](https://packages.ubuntu.com/jammy/skopeo)

-CAUTION: On Ubuntu 20.10 and newer, we highly recommend you use Buildah, Podman and Skopeo ONLY from EITHER the Kubic repo
-OR the official Ubuntu repos. Mixing and matching may lead to unpredictable situations including installation conflicts.
+### Windows
+Skopeo has not yet been packaged for Windows. There is an [open feature
+request](https://github.com/containers/skopeo/issues/715) and contributions are
+always welcome.
+
+
+## Container Images
+
+Skopeo container images are available at `quay.io/skopeo/stable:latest`.
+For example,

 ```bash
-. /etc/os-release
-echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
-sudo apt-get update
-sudo apt-get -y upgrade
-sudo apt-get -y install skopeo
+podman run docker://quay.io/skopeo/stable:latest copy --help
 ```

+[Read more](./contrib/skopeoimage/README.md).
+
+
+## Building from Source

 Otherwise, read on for building and installing it from source:

@@ -126,8 +128,6 @@ To build the `skopeo` binary you need at least Go 1.12.
 There are two ways to build skopeo: in a container, or locally without a
 container. Choose the one which better matches your needs and environment.

-## Building from Source
-
 ### Building without a container

 Building without a container requires a bit more manual work and setup in your
@@ -168,6 +168,12 @@ cd $GOPATH/src/github.com/containers/skopeo && make bin/skopeo

 By default the `make` command (make all) will build bin/skopeo and the documentation locally.

+Building of documentation requires `go-md2man`. On systems that do not have this tool, the
+document generation can be skipped by passing `DISABLE_DOCS=1`:
+```
+DISABLE_DOCS=1 make
+```
+
 ### Building documentation

 To build the manual you will need go-md2man.
@@ -206,6 +212,13 @@ Building in a container is simpler, but more restrictive:
 $ make binary
 ```

+### Shell completion scripts
+
+Skopeo has shell completion scripts for bash, zsh, fish and powershell. They are installed as part of `make install`.
+You may have to restart your shell in order for them to take effect.
+
+For instructions to manually generate and load the scripts please see `skopeo completion --help`.
+
 ### Installation

 Finally, after the binary and documentation is built:
@@ -213,3 +226,41 @@ Finally, after the binary and documentation is built:
 ```bash
 sudo make install
 ```
+
+### Building a static binary
+
+There have been efforts in the past to produce and maintain static builds, but the maintainers prefer to run Skopeo using distro packages or within containers. This is because static builds of Skopeo tend to be unreliable and functionally restricted. Specifically:
+- Some features of Skopeo depend on non-Go libraries like `libgpgme` and `libdevmapper`.
+- Generating static Go binaries uses native Go libraries, which don't support e.g. `.local` or LDAP-based name resolution.
+
+That being said, if you would like to build Skopeo statically, you might be able to do it by combining all the following steps.
+- Export environment variable `CGO_ENABLED=0` (disabling CGO causes Go to prefer native libraries when possible, instead of dynamically linking against system libraries).
+- Set the `BUILDTAGS=containers_image_openpgp` Make variable (this remove the dependency on `libgpgme` and its companion libraries).
+- Clear the `GO_DYN_FLAGS` Make variable (which otherwise seems to force the creation of a dynamic executable).
+
+The following command implements these steps to produce a static binary in the `bin` subdirectory of the repository:
+
+```bash
+docker run -v $PWD:/src -w /src -e CGO_ENABLED=0 golang \
+make BUILDTAGS=containers_image_openpgp GO_DYN_FLAGS=
+```
+
+Keep in mind that the resulting binary is unsupported and might crash randomly. Only use if you know what you're doing!
+
+For more information, history, and context about static builds, check the following issues:
+
+- [#391] - Consider distributing statically built binaries as part of release
+- [#669] - Static build fails with segmentation violation
+- [#670] - Fixing static binary build using container
+- [#755] - Remove static and in-container targets from Makefile
+- [#932] - Add nix derivation for static builds
+- [#1336] - Unable to run skopeo on Fedora 30 (due to dyn lib dependency)
+- [#1478] - Publish binary releases to GitHub (request+discussion)
+
+[#391]: https://github.com/containers/skopeo/issues/391
+[#669]: https://github.com/containers/skopeo/issues/669
+[#670]: https://github.com/containers/skopeo/issues/670
+[#755]: https://github.com/containers/skopeo/issues/755
+[#932]: https://github.com/containers/skopeo/issues/932
+[#1336]: https://github.com/containers/skopeo/issues/1336
+[#1478]: https://github.com/containers/skopeo/issues/1478
--- a/integration/blocked_test.go
+++ b/integration/blocked_test.go
@@ -1,7 +1,7 @@
 package main

 import (
-	"github.com/go-check/check"
+	"gopkg.in/check.v1"
 )

 const blockedRegistriesConf = "./fixtures/blocked-registries.conf"
--- a/integration/check_test.go
+++ b/integration/check_test.go
@@ -6,7 +6,7 @@ import (
 	"testing"

 	"github.com/containers/skopeo/version"
-	"github.com/go-check/check"
+	"gopkg.in/check.v1"
 )

 const (
@@ -36,12 +36,12 @@ func (s *SkopeoSuite) SetUpSuite(c *check.C) {

 func (s *SkopeoSuite) TearDownSuite(c *check.C) {
 	if s.regV2 != nil {
-		s.regV2.Close()
+		s.regV2.tearDown(c)
 	}
 	if s.regV2WithAuth != nil {
 		//cmd := exec.Command("docker", "logout", s.regV2WithAuth)
 		//c.Assert(cmd.Run(), check.IsNil)
-		s.regV2WithAuth.Close()
+		s.regV2WithAuth.tearDown(c)
 	}
 }

--- a/integration/copy_test.go
+++ b/integration/copy_test.go
@@ -6,7 +6,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io/fs"
 	"log"
 	"net/http"
 	"net/http/httptest"
@@ -17,10 +17,10 @@ import (
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/signature"
 	"github.com/containers/image/v5/types"
-	"github.com/go-check/check"
 	digest "github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/image-tools/image"
+	"gopkg.in/check.v1"
 )

 func init() {
@@ -64,9 +64,7 @@ func (s *CopySuite) SetUpSuite(c *check.C) {
 	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, false, false)
 	s.s1Registry = setupRegistryV2At(c, v2s1DockerRegistryURL, false, true)

-	gpgHome, err := ioutil.TempDir("", "skopeo-gpg")
-	c.Assert(err, check.IsNil)
-	s.gpgHome = gpgHome
+	s.gpgHome = c.MkDir()
 	os.Setenv("GNUPGHOME", s.gpgHome)

 	for _, key := range []string{"personal", "official"} {
@@ -75,21 +73,18 @@ func (s *CopySuite) SetUpSuite(c *check.C) {
 		runCommandWithInput(c, batchInput, gpgBinary, "--batch", "--gen-key")

 		out := combinedOutputOfCommand(c, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
-		err := ioutil.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
+		err := os.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
 			[]byte(out), 0600)
 		c.Assert(err, check.IsNil)
 	}
 }

 func (s *CopySuite) TearDownSuite(c *check.C) {
-	if s.gpgHome != "" {
-		os.RemoveAll(s.gpgHome)
-	}
 	if s.registry != nil {
-		s.registry.Close()
+		s.registry.tearDown(c)
 	}
 	if s.s1Registry != nil {
-		s.s1Registry.Close()
+		s.s1Registry.tearDown(c)
 	}
 	if s.cluster != nil {
 		s.cluster.tearDown(c)
@@ -97,104 +92,81 @@ func (s *CopySuite) TearDownSuite(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithManifestList(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-manifest-list")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir)
+	dir := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", knownListImage, "dir:"+dir)
 }

 func (s *CopySuite) TestCopyAllWithManifestList(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-all-manifest-list")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir)
+	dir := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", "--all", knownListImage, "dir:"+dir)
 }

 func (s *CopySuite) TestCopyAllWithManifestListRoundTrip(c *check.C) {
-	oci1, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
-	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
-	assertSkopeoSucceeds(c, "", "copy", "--all", knownListImage, "oci:"+oci1)
-	assertSkopeoSucceeds(c, "", "copy", "--all", "oci:"+oci1, "dir:"+dir1)
-	assertSkopeoSucceeds(c, "", "copy", "--all", "dir:"+dir1, "oci:"+oci2)
-	assertSkopeoSucceeds(c, "", "copy", "--all", "oci:"+oci2, "dir:"+dir2)
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", knownListImage, "oci:"+oci1)
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "oci:"+oci1, "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "dir:"+dir1, "oci:"+oci2)
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "oci:"+oci2, "dir:"+dir2)
 	assertDirImagesAreEqual(c, dir1, dir2)
 	out := combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
 	c.Assert(out, check.Equals, "")
 }

 func (s *CopySuite) TestCopyAllWithManifestListConverge(c *check.C) {
-	oci1, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
-	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
-	assertSkopeoSucceeds(c, "", "copy", "--all", knownListImage, "oci:"+oci1)
-	assertSkopeoSucceeds(c, "", "copy", "--all", "oci:"+oci1, "dir:"+dir1)
-	assertSkopeoSucceeds(c, "", "copy", "--all", "--format", "oci", knownListImage, "dir:"+dir2)
-	assertSkopeoSucceeds(c, "", "copy", "--all", "dir:"+dir2, "oci:"+oci2)
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", knownListImage, "oci:"+oci1)
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "oci:"+oci1, "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "--format", "oci", knownListImage, "dir:"+dir2)
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "dir:"+dir2, "oci:"+oci2)
 	assertDirImagesAreEqual(c, dir1, dir2)
 	out := combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
 	c.Assert(out, check.Equals, "")
 }

+func (s *CopySuite) TestCopyNoneWithManifestList(c *check.C) {
+	dir1 := c.MkDir()
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=index-only", knownListImage, "dir:"+dir1)
+
+	manifestPath := filepath.Join(dir1, "manifest.json")
+	readManifest, err := os.ReadFile(manifestPath)
+	c.Assert(err, check.IsNil)
+	mimeType := manifest.GuessMIMEType(readManifest)
+	c.Assert(mimeType, check.Equals, "application/vnd.docker.distribution.manifest.list.v2+json")
+	out := combinedOutputOfCommand(c, "ls", "-1", dir1)
+	c.Assert(out, check.Equals, "manifest.json\nversion\n")
+}
+
 func (s *CopySuite) TestCopyWithManifestListConverge(c *check.C) {
-	oci1, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
-	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", knownListImage, "oci:"+oci1)
-	assertSkopeoSucceeds(c, "", "copy", "--all", "oci:"+oci1, "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "oci:"+oci1, "dir:"+dir1)
 	assertSkopeoSucceeds(c, "", "copy", "--format", "oci", knownListImage, "dir:"+dir2)
-	assertSkopeoSucceeds(c, "", "copy", "--all", "dir:"+dir2, "oci:"+oci2)
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "dir:"+dir2, "oci:"+oci2)
 	assertDirImagesAreEqual(c, dir1, dir2)
 	out := combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
 	c.Assert(out, check.Equals, "")
 }

 func (s *CopySuite) TestCopyAllWithManifestListStorageFails(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-storage")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
-	assertSkopeoFails(c, `.*destination transport .* does not support copying multiple images as a group.*`, "copy", "--all", knownListImage, "containers-storage:"+storage+"test")
+	assertSkopeoFails(c, `.*destination transport .* does not support copying multiple images as a group.*`, "copy", "--multi-arch=all", knownListImage, "containers-storage:"+storage+"test")
 }

 func (s *CopySuite) TestCopyWithManifestListStorage(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", knownListImage, "containers-storage:"+storage+"test")
 	assertSkopeoSucceeds(c, "", "copy", knownListImage, "dir:"+dir1)
 	assertSkopeoSucceeds(c, "", "copy", "containers-storage:"+storage+"test", "dir:"+dir2)
@@ -203,16 +175,10 @@ func (s *CopySuite) TestCopyWithManifestListStorage(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithManifestListStorageMultiple(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-multiple")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-multiple-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-multiple-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "--override-arch", "amd64", "copy", knownListImage, "containers-storage:"+storage+"test")
 	assertSkopeoSucceeds(c, "", "--override-arch", "arm64", "copy", knownListImage, "containers-storage:"+storage+"test")
 	assertSkopeoSucceeds(c, "", "--override-arch", "arm64", "copy", knownListImage, "dir:"+dir1)
@@ -222,24 +188,16 @@ func (s *CopySuite) TestCopyWithManifestListStorageMultiple(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithManifestListDigest(c *check.C) {
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
-	oci1, err := ioutil.TempDir("", "copy-manifest-list-digest-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "copy-manifest-list-digest-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
 	c.Assert(err, check.IsNil)
 	digest := manifestDigest.String()
 	assertSkopeoSucceeds(c, "", "copy", knownListImage+"@"+digest, "dir:"+dir1)
-	assertSkopeoSucceeds(c, "", "copy", "--all", knownListImage+"@"+digest, "dir:"+dir2)
+	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", knownListImage+"@"+digest, "dir:"+dir2)
 	assertSkopeoSucceeds(c, "", "copy", "dir:"+dir1, "oci:"+oci1)
 	assertSkopeoSucceeds(c, "", "copy", "dir:"+dir2, "oci:"+oci2)
 	out := combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
@@ -247,31 +205,21 @@ func (s *CopySuite) TestCopyWithManifestListDigest(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithDigestfileOutput(c *check.C) {
-	tempdir, err := ioutil.TempDir("", "tempdir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tempdir)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
+	tempdir := c.MkDir()
+	dir1 := c.MkDir()
 	digestOutPath := filepath.Join(tempdir, "digest.txt")
 	assertSkopeoSucceeds(c, "", "copy", "--digestfile="+digestOutPath, knownListImage, "dir:"+dir1)
-	readDigest, err := ioutil.ReadFile(digestOutPath)
+	readDigest, err := os.ReadFile(digestOutPath)
 	c.Assert(err, check.IsNil)
 	_, err = digest.Parse(string(readDigest))
 	c.Assert(err, check.IsNil)
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
 	c.Assert(err, check.IsNil)
@@ -284,16 +232,10 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigest(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArches(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
 	c.Assert(err, check.IsNil)
@@ -306,9 +248,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArches(c *check
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesBothUseListDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-both")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -328,9 +268,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesBothUseLi
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesFirstUsesListDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-first")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -364,9 +302,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesFirstUses
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesSecondUsesListDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-second")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -400,9 +336,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesSecondUse
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesThirdUsesListDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-third")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -436,9 +370,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesThirdUses
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesTagAndDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-tag-digest")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -481,28 +413,20 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesTagAndDig
 }

 func (s *CopySuite) TestCopyFailsWhenImageOSDoesNotMatchRuntimeOS(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-fails-image-does-not-match-runtime")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	assertSkopeoFails(c, `.*no image found in manifest list for architecture .*, variant .*, OS .*`, "copy", knownWindowsOnlyImage, "containers-storage:"+storage+"test")
 }

 func (s *CopySuite) TestCopySucceedsWhenImageDoesNotMatchRuntimeButWeOverride(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-succeeds-image-does-not-match-runtime-but-override")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	assertSkopeoSucceeds(c, "", "--override-os=windows", "--override-arch=amd64", "copy", knownWindowsOnlyImage, "containers-storage:"+storage+"test")
 }

 func (s *CopySuite) TestCopySimpleAtomicRegistry(c *check.C) {
-	dir1, err := ioutil.TempDir("", "copy-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	// "pull": docker: → dir:
@@ -518,12 +442,8 @@ func (s *CopySuite) TestCopySimpleAtomicRegistry(c *check.C) {
 func (s *CopySuite) TestCopySimple(c *check.C) {
 	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"

-	dir1, err := ioutil.TempDir("", "copy-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	// "pull": docker: → dir:
@@ -542,7 +462,7 @@ func (s *CopySuite) TestCopySimple(c *check.C) {
 	ociImgName := "pause"
 	defer os.RemoveAll(ociDest)
 	assertSkopeoSucceeds(c, "", "copy", "docker://k8s.gcr.io/pause:latest", "oci:"+ociDest+":"+ociImgName)
-	_, err = os.Stat(ociDest)
+	_, err := os.Stat(ociDest)
 	c.Assert(err, check.IsNil)

 	// docker v2s2 -> OCI image layout without image name
@@ -554,31 +474,14 @@ func (s *CopySuite) TestCopySimple(c *check.C) {
 }

 func (s *CopySuite) TestCopyEncryption(c *check.C) {
-
-	originalImageDir, err := ioutil.TempDir("", "copy-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(originalImageDir)
-	encryptedImgDir, err := ioutil.TempDir("", "copy-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(encryptedImgDir)
-	decryptedImgDir, err := ioutil.TempDir("", "copy-3")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(decryptedImgDir)
-	keysDir, err := ioutil.TempDir("", "copy-4")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(keysDir)
-	undecryptedImgDir, err := ioutil.TempDir("", "copy-5")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(undecryptedImgDir)
-	multiLayerImageDir, err := ioutil.TempDir("", "copy-6")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(multiLayerImageDir)
-	partiallyEncryptedImgDir, err := ioutil.TempDir("", "copy-7")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(partiallyEncryptedImgDir)
-	partiallyDecryptedImgDir, err := ioutil.TempDir("", "copy-8")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(partiallyDecryptedImgDir)
+	originalImageDir := c.MkDir()
+	encryptedImgDir := c.MkDir()
+	decryptedImgDir := c.MkDir()
+	keysDir := c.MkDir()
+	undecryptedImgDir := c.MkDir()
+	multiLayerImageDir := c.MkDir()
+	partiallyEncryptedImgDir := c.MkDir()
+	partiallyDecryptedImgDir := c.MkDir()

 	// Create RSA key pair
 	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
@@ -587,9 +490,9 @@ func (s *CopySuite) TestCopyEncryption(c *check.C) {
 	privateKeyBytes := x509.MarshalPKCS1PrivateKey(privateKey)
 	publicKeyBytes, err := x509.MarshalPKIXPublicKey(publicKey)
 	c.Assert(err, check.IsNil)
-	err = ioutil.WriteFile(keysDir+"/private.key", privateKeyBytes, 0644)
+	err = os.WriteFile(keysDir+"/private.key", privateKeyBytes, 0644)
 	c.Assert(err, check.IsNil)
-	err = ioutil.WriteFile(keysDir+"/public.key", publicKeyBytes, 0644)
+	err = os.WriteFile(keysDir+"/public.key", publicKeyBytes, 0644)
 	c.Assert(err, check.IsNil)

 	// We can either perform encryption or decryption on the image.
@@ -613,7 +516,7 @@ func (s *CopySuite) TestCopyEncryption(c *check.C) {
 	invalidPrivateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	c.Assert(err, check.IsNil)
 	invalidPrivateKeyBytes := x509.MarshalPKCS1PrivateKey(invalidPrivateKey)
-	err = ioutil.WriteFile(keysDir+"/invalid_private.key", invalidPrivateKeyBytes, 0644)
+	err = os.WriteFile(keysDir+"/invalid_private.key", invalidPrivateKeyBytes, 0644)
 	c.Assert(err, check.IsNil)
 	assertSkopeoFails(c, ".*no suitable key unwrapper found or none of the private keys could be used for decryption.*",
 		"copy", "--decryption-key", keysDir+"/invalid_private.key",
@@ -653,7 +556,7 @@ func (s *CopySuite) TestCopyEncryption(c *check.C) {
 }

 func matchLayerBlobBinaryType(c *check.C, ociImageDirPath string, contentType string, matchCount int) {
-	files, err := ioutil.ReadDir(ociImageDirPath)
+	files, err := os.ReadDir(ociImageDirPath)
 	c.Assert(err, check.IsNil)

 	foundCount := 0
@@ -689,7 +592,7 @@ func assertDirImagesAreEqual(c *check.C, dir1, dir2 string) {
 	digests := []digest.Digest{}
 	for _, dir := range []string{dir1, dir2} {
 		manifestPath := filepath.Join(dir, "manifest.json")
-		m, err := ioutil.ReadFile(manifestPath)
+		m, err := os.ReadFile(manifestPath)
 		c.Assert(err, check.IsNil)
 		digest, err := manifest.Digest(m)
 		c.Assert(err, check.IsNil)
@@ -707,7 +610,7 @@ func assertSchema1DirImagesAreEqualExceptNames(c *check.C, dir1, ref1, dir2, ref
 	manifests := []map[string]interface{}{}
 	for dir, ref := range map[string]string{dir1: ref1, dir2: ref2} {
 		manifestPath := filepath.Join(dir, "manifest.json")
-		m, err := ioutil.ReadFile(manifestPath)
+		m, err := os.ReadFile(manifestPath)
 		c.Assert(err, check.IsNil)
 		data := map[string]interface{}{}
 		err = json.Unmarshal(m, &data)
@@ -730,12 +633,8 @@ func assertSchema1DirImagesAreEqualExceptNames(c *check.C, dir1, ref1, dir2, ref

 // Streaming (skopeo copy)
 func (s *CopySuite) TestCopyStreaming(c *check.C) {
-	dir1, err := ioutil.TempDir("", "streaming-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "streaming-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	// streaming: docker: → atomic:
@@ -755,12 +654,8 @@ func (s *CopySuite) TestCopyStreaming(c *check.C) {
 func (s *CopySuite) TestCopyOCIRoundTrip(c *check.C) {
 	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"

-	oci1, err := ioutil.TempDir("", "oci-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "oci-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()

 	// Docker -> OCI
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", testFQIN, "oci:"+oci1+":latest")
@@ -783,7 +678,7 @@ func (s *CopySuite) TestCopyOCIRoundTrip(c *check.C) {
 	// Verify using the upstream OCI image validator, this should catch most
 	// non-compliance errors. DO NOT REMOVE THIS TEST UNLESS IT'S ABSOLUTELY
 	// NECESSARY.
-	err = image.ValidateLayout(oci1, nil, logger)
+	err := image.ValidateLayout(oci1, nil, logger)
 	c.Assert(err, check.IsNil)
 	err = image.ValidateLayout(oci2, nil, logger)
 	c.Assert(err, check.IsNil)
@@ -805,9 +700,7 @@ func (s *CopySuite) TestCopySignatures(c *check.C) {
 		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
 	}

-	dir, err := ioutil.TempDir("", "signatures-dest")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir)
+	dir := c.MkDir()
 	dirDest := "dir:" + dir

 	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
@@ -861,9 +754,7 @@ func (s *CopySuite) TestCopyDirSignatures(c *check.C) {
 		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
 	}

-	topDir, err := ioutil.TempDir("", "dir-signatures-top")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()
 	topDirDest := "dir:" + topDir

 	for _, suffix := range []string{"/dir1", "/dir2", "/restricted/personal", "/restricted/official", "/restricted/badidentity", "/dest"} {
@@ -906,9 +797,7 @@ func (s *CopySuite) TestCopyDirSignatures(c *check.C) {
 func (s *CopySuite) TestCopyCompression(c *check.C) {
 	const uncompresssedLayerFile = "160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"

-	topDir, err := ioutil.TempDir("", "compression-top")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()

 	for i, t := range []struct{ fixture, remote string }{
 		{"uncompressed-image-s1", "docker://" + v2DockerRegistryURL + "/compression/compression:s1"},
@@ -943,21 +832,21 @@ func (s *CopySuite) TestCopyCompression(c *check.C) {

 func findRegularFiles(c *check.C, root string) []string {
 	result := []string{}
-	err := filepath.Walk(root, filepath.WalkFunc(func(path string, info os.FileInfo, err error) error {
+	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
-		if info.Mode().IsRegular() {
+		if d.Type().IsRegular() {
 			result = append(result, path)
 		}
 		return nil
-	}))
+	})
 	c.Assert(err, check.IsNil)
 	return result
 }

-// --sign-by and policy use for docker: with sigstore
-func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
+// --sign-by and policy use for docker: with lookaside
+func (s *CopySuite) TestCopyDockerLookaside(c *check.C) {
 	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
 	c.Assert(err, check.IsNil)
 	defer mech.Close()
@@ -967,21 +856,19 @@ func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {

 	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir, err := ioutil.TempDir("", "signatures-sigstore")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	copyDest := filepath.Join(tmpDir, "dest")
 	err = os.Mkdir(copyDest, 0755)
 	c.Assert(err, check.IsNil)
 	dirDest := "dir:" + copyDest
-	plainSigstore := filepath.Join(tmpDir, "sigstore")
-	splitSigstoreStaging := filepath.Join(tmpDir, "sigstore-staging")
+	plainLookaside := filepath.Join(tmpDir, "lookaside")
+	splitLookasideStaging := filepath.Join(tmpDir, "lookaside-staging")

-	splitSigstoreReadServerHandler := http.NotFoundHandler()
-	splitSigstoreReadServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		splitSigstoreReadServerHandler.ServeHTTP(w, r)
+	splitLookasideReadServerHandler := http.NotFoundHandler()
+	splitLookasideReadServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		splitLookasideReadServerHandler.ServeHTTP(w, r)
 	}))
-	defer splitSigstoreReadServer.Close()
+	defer splitLookasideReadServer.Close()

 	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
 	defer os.Remove(policy)
@@ -989,20 +876,20 @@ func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
 	err = os.Mkdir(registriesDir, 0755)
 	c.Assert(err, check.IsNil)
 	registriesFile := fileFromFixture(c, "fixtures/registries.yaml",
-		map[string]string{"@sigstore@": plainSigstore, "@split-staging@": splitSigstoreStaging, "@split-read@": splitSigstoreReadServer.URL})
+		map[string]string{"@lookaside@": plainLookaside, "@split-staging@": splitLookasideStaging, "@split-read@": splitLookasideReadServer.URL})
 	err = os.Symlink(registriesFile, filepath.Join(registriesDir, "registries.yaml"))
 	c.Assert(err, check.IsNil)

-	// Get an image to work with.  Also verifies that we can use Docker repositories with no sigstore configured.
+	// Get an image to work with.  Also verifies that we can use Docker repositories with no lookaside configured.
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", testFQIN, ourRegistry+"original/busybox")
 	// Pulling an unsigned image fails.
 	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
 		"--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"original/busybox", dirDest)

-	// Signing with sigstore defined succeeds,
+	// Signing with lookaside defined succeeds,
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "--sign-by", "personal@example.com", ourRegistry+"original/busybox", ourRegistry+"signed/busybox")
 	// a signature file has been created,
-	foundFiles := findRegularFiles(c, plainSigstore)
+	foundFiles := findRegularFiles(c, plainLookaside)
 	c.Assert(foundFiles, check.HasLen, 1)
 	// and pulling a signed image succeeds.
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"signed/busybox", dirDest)
@@ -1010,19 +897,19 @@ func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
 	// Deleting the image succeeds,
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "delete", ourRegistry+"signed/busybox")
 	// and the signature file has been deleted (but we leave the directories around).
-	foundFiles = findRegularFiles(c, plainSigstore)
+	foundFiles = findRegularFiles(c, plainLookaside)
 	c.Assert(foundFiles, check.HasLen, 0)

-	// Signing with a read/write sigstore split succeeds,
+	// Signing with a read/write lookaside split succeeds,
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "--sign-by", "personal@example.com", ourRegistry+"original/busybox", ourRegistry+"public/busybox")
 	// and a signature file has been created.
-	foundFiles = findRegularFiles(c, splitSigstoreStaging)
+	foundFiles = findRegularFiles(c, splitLookasideStaging)
 	c.Assert(foundFiles, check.HasLen, 1)
-	// Pulling the image fails because the read sigstore URL has not been populated:
+	// Pulling the image fails because the read lookaside URL has not been populated:
 	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
 		"--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"public/busybox", dirDest)
-	// Pulling the image succeeds after the read sigstore URL is available:
-	splitSigstoreReadServerHandler = http.FileServer(http.Dir(splitSigstoreStaging))
+	// Pulling the image succeeds after the read lookaside URL is available:
+	splitLookasideReadServerHandler = http.FileServer(http.Dir(splitLookasideStaging))
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"public/busybox", dirDest)
 }

@@ -1035,9 +922,7 @@ func (s *CopySuite) TestCopyAtomicExtension(c *check.C) {
 		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
 	}

-	topDir, err := ioutil.TempDir("", "atomic-extension")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()
 	for _, subdir := range []string{"dirAA", "dirAD", "dirDA", "dirDD", "registries.d"} {
 		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
 		c.Assert(err, check.IsNil)
@@ -1084,22 +969,6 @@ func (s *CopySuite) TestCopyAtomicExtension(c *check.C) {
 	assertDirImagesAreEqual(c, filepath.Join(topDir, "dirDA"), filepath.Join(topDir, "dirDD"))
 }

-// copyWithSignedIdentity creates a copy of an unsigned image, adding a signature for an unrelated identity
-// This should be easier than using standalone-sign.
-func copyWithSignedIdentity(c *check.C, src, dest, signedIdentity, signBy, registriesDir string) {
-	topDir, err := ioutil.TempDir("", "copyWithSignedIdentity")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
-
-	signingDir := filepath.Join(topDir, "signing-temp")
-	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", src, "dir:"+signingDir)
-	c.Logf("%s", combinedOutputOfCommand(c, "ls", "-laR", signingDir))
-	assertSkopeoSucceeds(c, "^$", "standalone-sign", "-o", filepath.Join(signingDir, "signature-1"),
-		filepath.Join(signingDir, "manifest.json"), signedIdentity, signBy)
-	c.Logf("%s", combinedOutputOfCommand(c, "ls", "-laR", signingDir))
-	assertSkopeoSucceeds(c, "", "--registries.d", registriesDir, "copy", "--dest-tls-verify=false", "dir:"+signingDir, dest)
-}
-
 // Both mirroring support in registries.conf, and mirrored remapIdentity support in policy.json
 func (s *CopySuite) TestCopyVerifyingMirroredSignatures(c *check.C) {
 	const regPrefix = "docker://localhost:5006/myns/mirroring-"
@@ -1111,16 +980,14 @@ func (s *CopySuite) TestCopyVerifyingMirroredSignatures(c *check.C) {
 		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
 	}

-	topDir, err := ioutil.TempDir("", "mirrored-signatures")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
-	registriesDir := filepath.Join(topDir, "registries.d") // An empty directory to disable sigstore use
+	topDir := c.MkDir()
+	registriesDir := filepath.Join(topDir, "registries.d") // An empty directory to disable lookaside use
 	dirDest := "dir:" + filepath.Join(topDir, "unused-dest")

 	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
 	defer os.Remove(policy)

-	// We use X-R-S-S for this testing to avoid having to deal with the sigstores.
+	// We use X-R-S-S for this testing to avoid having to deal with the lookasides.
 	// A downside is that OpenShift records signatures per image, so the error messages below
 	// list all signatures for other tags used for the same image as well.
 	// So, make sure to never create a signature that could be considered valid in a different part of the test (i.e. don't reuse tags).
@@ -1145,10 +1012,12 @@ func (s *CopySuite) TestCopyVerifyingMirroredSignatures(c *check.C) {
 	assertSkopeoFails(c, ".*Source image rejected: None of the signatures were accepted, reasons: Signature for identity localhost:5006/myns/mirroring-primary:direct is not accepted; Signature for identity localhost:5006/myns/mirroring-mirror:mirror-signed is not accepted.*",
 		"--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"primary:mirror-signed", dirDest)

+	// Fail if we specify an unqualified identity
+	assertSkopeoFails(c, ".*Could not parse --sign-identity: repository name must be canonical.*",
+		"--registries.d", registriesDir, "copy", "--src-tls-verify=false", "--dest-tls-verify=false", "--sign-by=personal@example.com", "--sign-identity=this-is-not-fully-specified", regPrefix+"primary:unsigned", regPrefix+"mirror:primary-signed")
+
 	// Create a signature for mirroring-primary:primary-signed without pushing there.
-	copyWithSignedIdentity(c, regPrefix+"primary:unsigned", regPrefix+"mirror:primary-signed",
-		"localhost:5006/myns/mirroring-primary:primary-signed", "personal@example.com",
-		registriesDir)
+	assertSkopeoSucceeds(c, "", "--registries.d", registriesDir, "copy", "--src-tls-verify=false", "--dest-tls-verify=false", "--sign-by=personal@example.com", "--sign-identity=localhost:5006/myns/mirroring-primary:primary-signed", regPrefix+"primary:unsigned", regPrefix+"mirror:primary-signed")
 	// Verify that a correctly signed image for the primary is accessible using the primary's reference
 	assertSkopeoSucceeds(c, "", "--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"primary:primary-signed", dirDest)
 	// … but verify that while it is accessible using the mirror location
@@ -1163,9 +1032,7 @@ func (s *CopySuite) TestCopyVerifyingMirroredSignatures(c *check.C) {
 	// … it is NOT accessible when requiring a signature …
 	assertSkopeoFails(c, ".*Source image rejected: None of the signatures were accepted, reasons: Signature for identity localhost:5006/myns/mirroring-primary:direct is not accepted; Signature for identity localhost:5006/myns/mirroring-mirror:mirror-signed is not accepted; Signature for identity localhost:5006/myns/mirroring-primary:primary-signed is not accepted.*", "--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"remap:remapped", dirDest)
 	// … until signed.
-	copyWithSignedIdentity(c, regPrefix+"remap:remapped", regPrefix+"remap:remapped",
-		"localhost:5006/myns/mirroring-primary:remapped", "personal@example.com",
-		registriesDir)
+	assertSkopeoSucceeds(c, "", "--registries.d", registriesDir, "copy", "--src-tls-verify=false", "--dest-tls-verify=false", "--sign-by=personal@example.com", "--sign-identity=localhost:5006/myns/mirroring-primary:remapped", regPrefix+"remap:remapped", regPrefix+"remap:remapped")
 	assertSkopeoSucceeds(c, "", "--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"remap:remapped", dirDest)
 	// To be extra clear about the semantics, verify that the signedPrefix (primary) location never exists
 	// and only the remapped prefix (mirror) is accessed.
@@ -1174,9 +1041,7 @@ func (s *CopySuite) TestCopyVerifyingMirroredSignatures(c *check.C) {

 func (s *SkopeoSuite) TestCopySrcWithAuth(c *check.C) {
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--dest-creds=testuser:testpassword", testFQIN, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
-	dir1, err := ioutil.TempDir("", "copy-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
+	dir1 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--src-creds=testuser:testpassword", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "dir:"+dir1)
 }

@@ -1190,12 +1055,12 @@ func (s *SkopeoSuite) TestCopySrcAndDestWithAuth(c *check.C) {
 }

 func (s *CopySuite) TestCopyNoPanicOnHTTPResponseWithoutTLSVerifyFalse(c *check.C) {
+	topDir := c.MkDir()
+
 	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"

-	// dir:test isn't created beforehand just because we already know this could
-	// just fail when evaluating the src
 	assertSkopeoFails(c, ".*server gave HTTP response to HTTPS client.*",
-		"copy", ourRegistry+"foobar", "dir:test")
+		"copy", ourRegistry+"foobar", "dir:"+topDir)
 }

 func (s *CopySuite) TestCopySchemaConversion(c *check.C) {
@@ -1206,9 +1071,7 @@ func (s *CopySuite) TestCopySchemaConversion(c *check.C) {
 }

 func (s *CopySuite) TestCopyManifestConversion(c *check.C) {
-	topDir, err := ioutil.TempDir("", "manifest-conversion")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()
 	srcDir := filepath.Join(topDir, "source")
 	destDir1 := filepath.Join(topDir, "dest1")
 	destDir2 := filepath.Join(topDir, "dest2")
@@ -1231,10 +1094,15 @@ func (s *CopySuite) TestCopyManifestConversion(c *check.C) {
 	verifyManifestMIMEType(c, destDir2, manifest.DockerV2Schema2MediaType)
 }

+func (s *CopySuite) TestCopyPreserveDigests(c *check.C) {
+	topDir := c.MkDir()
+
+	assertSkopeoSucceeds(c, "", "copy", knownListImage, "--multi-arch=all", "--preserve-digests", "dir:"+topDir)
+	assertSkopeoFails(c, ".*Instructed to preserve digests.*", "copy", knownListImage, "--multi-arch=all", "--preserve-digests", "--format=oci", "dir:"+topDir)
+}
+
 func (s *CopySuite) testCopySchemaConversionRegistries(c *check.C, schema1Registry, schema2Registry string) {
-	topDir, err := ioutil.TempDir("", "schema-conversion")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()
 	for _, subdir := range []string{"input1", "input2", "dest2"} {
 		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
 		c.Assert(err, check.IsNil)
@@ -1268,35 +1136,35 @@ func (s *CopySuite) testCopySchemaConversionRegistries(c *check.C, schema1Regist
 const regConfFixture = "./fixtures/registries.conf"

 func (s *SkopeoSuite) TestSuccessCopySrcWithMirror(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-mirror")
-	c.Assert(err, check.IsNil)
+	dir := c.MkDir()

 	assertSkopeoSucceeds(c, "", "--registries-conf="+regConfFixture, "copy",
 		"docker://mirror.invalid/busybox", "dir:"+dir)
 }

 func (s *SkopeoSuite) TestFailureCopySrcWithMirrorsUnavailable(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-mirror")
-	c.Assert(err, check.IsNil)
+	dir := c.MkDir()

-	assertSkopeoFails(c, ".*no such host.*", "--registries-conf="+regConfFixture, "copy",
-		"docker://invalid.invalid/busybox", "dir:"+dir)
+	// .invalid domains are, per RFC 6761, supposed to result in NXDOMAIN.
+	// With systemd-resolved (used only via NSS?), we instead seem to get “Temporary failure in name resolution”
+	assertSkopeoFails(c, ".*(no such host|Temporary failure in name resolution).*",
+		"--registries-conf="+regConfFixture, "copy", "docker://invalid.invalid/busybox", "dir:"+dir)
 }

 func (s *SkopeoSuite) TestSuccessCopySrcWithMirrorAndPrefix(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-mirror")
-	c.Assert(err, check.IsNil)
+	dir := c.MkDir()

 	assertSkopeoSucceeds(c, "", "--registries-conf="+regConfFixture, "copy",
 		"docker://gcr.invalid/foo/bar/busybox", "dir:"+dir)
 }

 func (s *SkopeoSuite) TestFailureCopySrcWithMirrorAndPrefixUnavailable(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-mirror")
-	c.Assert(err, check.IsNil)
+	dir := c.MkDir()

-	assertSkopeoFails(c, ".*no such host.*", "--registries-conf="+regConfFixture, "copy",
-		"docker://gcr.invalid/wrong/prefix/busybox", "dir:"+dir)
+	// .invalid domains are, per RFC 6761, supposed to result in NXDOMAIN.
+	// With systemd-resolved (used only via NSS?), we instead seem to get “Temporary failure in name resolution”
+	assertSkopeoFails(c, ".*(no such host|Temporary failure in name resolution).*",
+		"--registries-conf="+regConfFixture, "copy", "docker://gcr.invalid/wrong/prefix/busybox", "dir:"+dir)
 }

 func (s *CopySuite) TestCopyFailsWhenReferenceIsInvalid(c *check.C) {
--- a/integration/fixtures/registries.yaml
+++ b/integration/fixtures/registries.yaml
@@ -1,6 +1,6 @@
 docker:
   localhost:5555:
-        sigstore: file://@sigstore@
+        lookaside: file://@lookaside@
   localhost:5555/public:
-        sigstore-staging: file://@split-staging@
-        sigstore: @split-read@
+        lookaside-staging: file://@split-staging@
+        lookaside: @split-read@
--- a/integration/openshift.go
+++ b/integration/openshift.go
@@ -5,7 +5,6 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -13,7 +12,7 @@ import (
 	"time"

 	"github.com/docker/docker/pkg/homedir"
-	"github.com/go-check/check"
+	"gopkg.in/check.v1"
 )

 var adminKUBECONFIG = map[string]string{
@@ -33,10 +32,7 @@ type openshiftCluster struct {
 // in isolated test environment.
 func startOpenshiftCluster(c *check.C) *openshiftCluster {
 	cluster := &openshiftCluster{}
-
-	dir, err := ioutil.TempDir("", "openshift-cluster")
-	c.Assert(err, check.IsNil)
-	cluster.workingDir = dir
+	cluster.workingDir = c.MkDir()

 	cluster.startMaster(c)
 	cluster.prepareRegistryConfig(c)
@@ -196,7 +192,7 @@ func (cluster *openshiftCluster) startRegistry(c *check.C) {
 		// The default configuration currently already contains acceptschema2: false
 	})
 	// Make sure the configuration contains "acceptschema2: false", because eventually it will be enabled upstream and this function will need to be updated.
-	configContents, err := ioutil.ReadFile(schema1Config)
+	configContents, err := os.ReadFile(schema1Config)
 	c.Assert(err, check.IsNil)
 	c.Assert(string(configContents), check.Matches, "(?s).*acceptschema2: false.*")
 	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5005, schema1Config))
@@ -240,7 +236,7 @@ func (cluster *openshiftCluster) dockerLogin(c *check.C) {
 			}`, port, authValue))
 	}
 	configJSON := `{"auths": {` + strings.Join(auths, ",") + `}}`
-	err = ioutil.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0600)
+	err = os.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0600)
 	c.Assert(err, check.IsNil)
 }

@@ -258,12 +254,12 @@ func (cluster *openshiftCluster) relaxImageSignerPermissions(c *check.C) {
 // tearDown stops the cluster services and deletes (only some!) of the state.
 func (cluster *openshiftCluster) tearDown(c *check.C) {
 	for i := len(cluster.processes) - 1; i >= 0; i-- {
-		cluster.processes[i].Process.Kill()
-	}
-	if cluster.workingDir != "" {
-		os.RemoveAll(cluster.workingDir)
+		// It’s undocumented what Kill() returns if the process has terminated,
+		// so we couldn’t check just for that. This is running in a container anyway…
+		_ = cluster.processes[i].Process.Kill()
 	}
 	if cluster.dockerDir != "" {
-		os.RemoveAll(cluster.dockerDir)
+		err := os.RemoveAll(cluster.dockerDir)
+		c.Assert(err, check.IsNil)
 	}
 }
--- a/integration/openshift_shell_test.go
+++ b/integration/openshift_shell_test.go
@@ -1,3 +1,4 @@
+//go:build openshift_shell
 // +build openshift_shell

 package main
@@ -6,7 +7,7 @@ import (
 	"os"
 	"os/exec"

-	"github.com/go-check/check"
+	"gopkg.in/check.v1"
 )

 /*
--- a/integration/procutils.go
+++ b/integration/procutils.go
@@ -0,0 +1,12 @@
+//go:build !linux
+// +build !linux
+
+package main
+
+import (
+	"os/exec"
+)
+
+// cmdLifecycleToParentIfPossible tries to exit if the parent process exits (only works on Linux)
+func cmdLifecycleToParentIfPossible(c *exec.Cmd) {
+}
--- a/integration/procutils_linux.go
+++ b/integration/procutils_linux.go
@@ -0,0 +1,14 @@
+package main
+
+import (
+	"os/exec"
+	"syscall"
+)
+
+// cmdLifecyleToParentIfPossible is a thin wrapper around prctl(PR_SET_PDEATHSIG)
+// on Linux.
+func cmdLifecycleToParentIfPossible(c *exec.Cmd) {
+	c.SysProcAttr = &syscall.SysProcAttr{
+		Pdeathsig: syscall.SIGTERM,
+	}
+}
--- a/integration/proxy_test.go
+++ b/integration/proxy_test.go
@@ -0,0 +1,310 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"strings"
+	"syscall"
+	"time"
+
+	"gopkg.in/check.v1"
+
+	"github.com/containers/image/v5/manifest"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// This image is known to be x86_64 only right now
+const knownNotManifestListedImage_x8664 = "docker://quay.io/coreos/11bot"
+
+const expectedProxySemverMajor = "0.2"
+
+// request is copied from proxy.go
+// We intentionally copy to ensure that we catch any unexpected "API" changes
+// in the JSON.
+type request struct {
+	// Method is the name of the function
+	Method string `json:"method"`
+	// Args is the arguments (parsed inside the function)
+	Args []interface{} `json:"args"`
+}
+
+// reply is copied from proxy.go
+type reply struct {
+	// Success is true if and only if the call succeeded.
+	Success bool `json:"success"`
+	// Value is an arbitrary value (or values, as array/map) returned from the call.
+	Value interface{} `json:"value"`
+	// PipeID is an index into open pipes, and should be passed to FinishPipe
+	PipeID uint32 `json:"pipeid"`
+	// Error should be non-empty if Success == false
+	Error string `json:"error"`
+}
+
+// maxMsgSize is also copied from proxy.go
+const maxMsgSize = 32 * 1024
+
+type proxy struct {
+	c *net.UnixConn
+}
+
+type pipefd struct {
+	// id is the remote identifier "pipeid"
+	id uint
+	fd *os.File
+}
+
+func (p *proxy) call(method string, args []interface{}) (rval interface{}, fd *pipefd, err error) {
+	req := request{
+		Method: method,
+		Args:   args,
+	}
+	reqbuf, err := json.Marshal(&req)
+	if err != nil {
+		return
+	}
+	n, err := p.c.Write(reqbuf)
+	if err != nil {
+		return
+	}
+	if n != len(reqbuf) {
+		err = fmt.Errorf("short write during call of %d bytes", n)
+		return
+	}
+	oob := make([]byte, syscall.CmsgSpace(1))
+	replybuf := make([]byte, maxMsgSize)
+	n, oobn, _, _, err := p.c.ReadMsgUnix(replybuf, oob)
+	if err != nil {
+		err = fmt.Errorf("reading reply: %v", err)
+		return
+	}
+	var reply reply
+	err = json.Unmarshal(replybuf[0:n], &reply)
+	if err != nil {
+		err = fmt.Errorf("Failed to parse reply: %w", err)
+		return
+	}
+	if !reply.Success {
+		err = fmt.Errorf("remote error: %s", reply.Error)
+		return
+	}
+
+	if reply.PipeID > 0 {
+		var scms []syscall.SocketControlMessage
+		scms, err = syscall.ParseSocketControlMessage(oob[:oobn])
+		if err != nil {
+			err = fmt.Errorf("failed to parse control message: %v", err)
+			return
+		}
+		if len(scms) != 1 {
+			err = fmt.Errorf("Expected 1 received fd, found %d", len(scms))
+			return
+		}
+		var fds []int
+		fds, err = syscall.ParseUnixRights(&scms[0])
+		if err != nil {
+			err = fmt.Errorf("failed to parse unix rights: %v", err)
+			return
+		}
+		fd = &pipefd{
+			fd: os.NewFile(uintptr(fds[0]), "replyfd"),
+			id: uint(reply.PipeID),
+		}
+	}
+
+	rval = reply.Value
+	return
+}
+
+func (p *proxy) callNoFd(method string, args []interface{}) (rval interface{}, err error) {
+	var fd *pipefd
+	rval, fd, err = p.call(method, args)
+	if err != nil {
+		return
+	}
+	if fd != nil {
+		err = fmt.Errorf("Unexpected fd from method %s", method)
+		return
+	}
+	return rval, nil
+}
+
+func (p *proxy) callReadAllBytes(method string, args []interface{}) (rval interface{}, buf []byte, err error) {
+	var fd *pipefd
+	rval, fd, err = p.call(method, args)
+	if err != nil {
+		return
+	}
+	if fd == nil {
+		err = fmt.Errorf("Expected fd from method %s", method)
+		return
+	}
+	fetchchan := make(chan byteFetch)
+	go func() {
+		manifestBytes, err := io.ReadAll(fd.fd)
+		fetchchan <- byteFetch{
+			content: manifestBytes,
+			err:     err,
+		}
+	}()
+	_, err = p.callNoFd("FinishPipe", []interface{}{fd.id})
+	if err != nil {
+		return
+	}
+	select {
+	case fetchRes := <-fetchchan:
+		err = fetchRes.err
+		if err != nil {
+			return
+		}
+
+		buf = fetchRes.content
+	case <-time.After(5 * time.Minute):
+		err = fmt.Errorf("timed out during proxy fetch")
+	}
+	return
+}
+
+func newProxy() (*proxy, error) {
+	fds, err := syscall.Socketpair(syscall.AF_LOCAL, syscall.SOCK_SEQPACKET, 0)
+	if err != nil {
+		return nil, err
+	}
+	myfd := os.NewFile(uintptr(fds[0]), "myfd")
+	defer myfd.Close()
+	theirfd := os.NewFile(uintptr(fds[1]), "theirfd")
+	defer theirfd.Close()
+
+	mysock, err := net.FileConn(myfd)
+	if err != nil {
+		return nil, err
+	}
+
+	// Note ExtraFiles starts at 3
+	proc := exec.Command("skopeo", "experimental-image-proxy", "--sockfd", "3")
+	proc.Stderr = os.Stderr
+	cmdLifecycleToParentIfPossible(proc)
+	proc.ExtraFiles = append(proc.ExtraFiles, theirfd)
+
+	if err = proc.Start(); err != nil {
+		return nil, err
+	}
+
+	p := &proxy{
+		c: mysock.(*net.UnixConn),
+	}
+
+	v, err := p.callNoFd("Initialize", nil)
+	if err != nil {
+		return nil, err
+	}
+	semver, ok := v.(string)
+	if !ok {
+		return nil, fmt.Errorf("proxy Initialize: Unexpected value %T", v)
+	}
+	if !strings.HasPrefix(semver, expectedProxySemverMajor) {
+		return nil, fmt.Errorf("Unexpected semver %s", semver)
+	}
+	return p, nil
+}
+
+func init() {
+	check.Suite(&ProxySuite{})
+}
+
+type ProxySuite struct {
+}
+
+func (s *ProxySuite) SetUpSuite(c *check.C) {
+}
+
+func (s *ProxySuite) TearDownSuite(c *check.C) {
+}
+
+type byteFetch struct {
+	content []byte
+	err     error
+}
+
+func runTestGetManifestAndConfig(p *proxy, img string) error {
+	v, err := p.callNoFd("OpenImage", []interface{}{knownNotManifestListedImage_x8664})
+	if err != nil {
+		return err
+	}
+
+	imgidv, ok := v.(float64)
+	if !ok {
+		return fmt.Errorf("OpenImage return value is %T", v)
+	}
+	imgid := uint32(imgidv)
+
+	_, manifestBytes, err := p.callReadAllBytes("GetManifest", []interface{}{imgid})
+	if err != nil {
+		return err
+	}
+	_, err = manifest.OCI1FromManifest(manifestBytes)
+	if err != nil {
+		return err
+	}
+
+	_, configBytes, err := p.callReadAllBytes("GetFullConfig", []interface{}{imgid})
+	if err != nil {
+		return err
+	}
+	var config imgspecv1.Image
+	err = json.Unmarshal(configBytes, &config)
+	if err != nil {
+		return err
+	}
+
+	// Validate that the image config seems sane
+	if config.Architecture == "" {
+		return fmt.Errorf("No architecture found")
+	}
+	if len(config.Config.Cmd) == 0 && len(config.Config.Entrypoint) == 0 {
+		return fmt.Errorf("No CMD or ENTRYPOINT set")
+	}
+
+	// Also test this legacy interface
+	_, ctrconfigBytes, err := p.callReadAllBytes("GetConfig", []interface{}{imgid})
+	if err != nil {
+		return err
+	}
+	var ctrconfig imgspecv1.ImageConfig
+	err = json.Unmarshal(ctrconfigBytes, &ctrconfig)
+	if err != nil {
+		return err
+	}
+
+	// Validate that the config seems sane
+	if len(ctrconfig.Cmd) == 0 && len(ctrconfig.Entrypoint) == 0 {
+		return fmt.Errorf("No CMD or ENTRYPOINT set")
+	}
+
+	_, err = p.callNoFd("CloseImage", []interface{}{imgid})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (s *ProxySuite) TestProxy(c *check.C) {
+	p, err := newProxy()
+	c.Assert(err, check.IsNil)
+
+	err = runTestGetManifestAndConfig(p, knownNotManifestListedImage_x8664)
+	if err != nil {
+		err = fmt.Errorf("Testing image %s: %v", knownNotManifestListedImage_x8664, err)
+	}
+	c.Assert(err, check.IsNil)
+
+	err = runTestGetManifestAndConfig(p, knownListImage)
+	if err != nil {
+		err = fmt.Errorf("Testing image %s: %v", knownListImage, err)
+	}
+	c.Assert(err, check.IsNil)
+}
--- a/integration/registry.go
+++ b/integration/registry.go
@@ -2,14 +2,13 @@ package main

 import (
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"time"

-	"github.com/go-check/check"
+	"gopkg.in/check.v1"
 )

 const (
@@ -20,7 +19,6 @@ const (
 type testRegistryV2 struct {
 	cmd      *exec.Cmd
 	url      string
-	dir      string
 	username string
 	password string
 	email    string
@@ -45,10 +43,7 @@ func setupRegistryV2At(c *check.C, url string, auth, schema1 bool) *testRegistry
 }

 func newTestRegistryV2At(c *check.C, url string, auth, schema1 bool) (*testRegistryV2, error) {
-	tmp, err := ioutil.TempDir("", "registry-test-")
-	if err != nil {
-		return nil, err
-	}
+	tmp := c.MkDir()
 	template := `version: 0.1
 loglevel: debug
 storage:
@@ -58,6 +53,9 @@ storage:
        enabled: true
 http:
    addr: %s
+compatibility:
+    schema1:
+        enabled: true
 %s`
 	var (
 		htpasswd string
@@ -71,7 +69,7 @@ http:
 		username = "testuser"
 		password = "testpassword"
 		email = "test@test.org"
-		if err := ioutil.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0644)); err != nil {
+		if err := os.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0644)); err != nil {
 			return nil, err
 		}
 		htpasswd = fmt.Sprintf(`auth:
@@ -86,19 +84,18 @@ http:
 		return nil, err
 	}
 	if _, err := fmt.Fprintf(config, template, tmp, url, htpasswd); err != nil {
-		os.RemoveAll(tmp)
 		return nil, err
 	}

-	binary := binaryV2
+	var cmd *exec.Cmd
 	if schema1 {
-		binary = binaryV2Schema1
+		cmd = exec.Command(binaryV2Schema1, confPath)
+	} else {
+		cmd = exec.Command(binaryV2, "serve", confPath)
 	}

-	cmd := exec.Command(binary, confPath)
 	consumeAndLogOutputs(c, fmt.Sprintf("registry-%s", url), cmd)
 	if err := cmd.Start(); err != nil {
-		os.RemoveAll(tmp)
 		if os.IsNotExist(err) {
 			c.Skip(err.Error())
 		}
@@ -107,7 +104,6 @@ http:
 	return &testRegistryV2{
 		cmd:      cmd,
 		url:      url,
-		dir:      tmp,
 		username: username,
 		password: password,
 		email:    email,
@@ -126,7 +122,8 @@ func (t *testRegistryV2) Ping() error {
 	return nil
 }

-func (t *testRegistryV2) Close() {
-	t.cmd.Process.Kill()
-	os.RemoveAll(t.dir)
+func (t *testRegistryV2) tearDown(c *check.C) {
+	// It’s undocumented what Kill() returns if the process has terminated,
+	// so we couldn’t check just for that. This is running in a container anyway…
+	_ = t.cmd.Process.Kill()
 }
--- a/integration/signing_test.go
+++ b/integration/signing_test.go
@@ -3,13 +3,12 @@ package main
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"strings"

 	"github.com/containers/image/v5/signature"
-	"github.com/go-check/check"
+	"gopkg.in/check.v1"
 )

 const (
@@ -21,7 +20,6 @@ func init() {
 }

 type SigningSuite struct {
-	gpgHome     string
 	fingerprint string
 }

@@ -40,25 +38,18 @@ func (s *SigningSuite) SetUpSuite(c *check.C) {
 	_, err := exec.LookPath(skopeoBinary)
 	c.Assert(err, check.IsNil)

-	s.gpgHome, err = ioutil.TempDir("", "skopeo-gpg")
-	c.Assert(err, check.IsNil)
-	os.Setenv("GNUPGHOME", s.gpgHome)
+	gpgHome := c.MkDir()
+	os.Setenv("GNUPGHOME", gpgHome)

-	runCommandWithInput(c, "Key-Type: RSA\nName-Real: Testing user\n%no-protection\n%commit\n", gpgBinary, "--homedir", s.gpgHome, "--batch", "--gen-key")
+	runCommandWithInput(c, "Key-Type: RSA\nName-Real: Testing user\n%no-protection\n%commit\n", gpgBinary, "--homedir", gpgHome, "--batch", "--gen-key")

-	lines, err := exec.Command(gpgBinary, "--homedir", s.gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
+	lines, err := exec.Command(gpgBinary, "--homedir", gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
 	c.Assert(err, check.IsNil)
 	s.fingerprint, err = findFingerprint(lines)
 	c.Assert(err, check.IsNil)
 }

 func (s *SigningSuite) TearDownSuite(c *check.C) {
-	if s.gpgHome != "" {
-		err := os.RemoveAll(s.gpgHome)
-		c.Assert(err, check.IsNil)
-	}
-	s.gpgHome = ""
-
 	os.Unsetenv("GNUPGHOME")
 }

@@ -73,7 +64,7 @@ func (s *SigningSuite) TestSignVerifySmoke(c *check.C) {
 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/smoketest"

-	sigOutput, err := ioutil.TempFile("", "sig")
+	sigOutput, err := os.CreateTemp("", "sig")
 	c.Assert(err, check.IsNil)
 	defer os.Remove(sigOutput.Name())
 	assertSkopeoSucceeds(c, "^$", "standalone-sign", "-o", sigOutput.Name(),
--- a/integration/sync_test.go
+++ b/integration/sync_test.go
@@ -3,7 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
@@ -14,8 +14,8 @@ import (
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/types"
-	"github.com/go-check/check"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"gopkg.in/check.v1"
 )

 const (
@@ -40,7 +40,6 @@ func init() {
 type SyncSuite struct {
 	cluster  *openshiftCluster
 	registry *testRegistryV2
-	gpgHome  string
 }

 func (s *SyncSuite) SetUpSuite(c *check.C) {
@@ -74,10 +73,8 @@ func (s *SyncSuite) SetUpSuite(c *check.C) {
 	// FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
 	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, registryAuth, registrySchema1)

-	gpgHome, err := ioutil.TempDir("", "skopeo-gpg")
-	c.Assert(err, check.IsNil)
-	s.gpgHome = gpgHome
-	os.Setenv("GNUPGHOME", s.gpgHome)
+	gpgHome := c.MkDir()
+	os.Setenv("GNUPGHOME", gpgHome)

 	for _, key := range []string{"personal", "official"} {
 		batchInput := fmt.Sprintf("Key-Type: RSA\nName-Real: Test key - %s\nName-email: %s@example.com\n%%no-protection\n%%commit\n",
@@ -85,7 +82,7 @@ func (s *SyncSuite) SetUpSuite(c *check.C) {
 		runCommandWithInput(c, batchInput, gpgBinary, "--batch", "--gen-key")

 		out := combinedOutputOfCommand(c, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
-		err := ioutil.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
+		err := os.WriteFile(filepath.Join(gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
 			[]byte(out), 0600)
 		c.Assert(err, check.IsNil)
 	}
@@ -96,21 +93,32 @@ func (s *SyncSuite) TearDownSuite(c *check.C) {
 		return
 	}

-	if s.gpgHome != "" {
-		os.RemoveAll(s.gpgHome)
-	}
 	if s.registry != nil {
-		s.registry.Close()
+		s.registry.tearDown(c)
 	}
 	if s.cluster != nil {
 		s.cluster.tearDown(c)
 	}
 }

-func (s *SyncSuite) TestDocker2DirTagged(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+func assertNumberOfManifestsInSubdirs(c *check.C, dir string, expectedCount int) {
+	nManifests := 0
+	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if !d.IsDir() && d.Name() == "manifest.json" {
+			nManifests++
+			return filepath.SkipDir
+		}
+		return nil
+	})
 	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	c.Assert(nManifests, check.Equals, expectedCount)
+}
+
+func (s *SyncSuite) TestDocker2DirTagged(c *check.C) {
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
@@ -136,9 +144,7 @@ func (s *SyncSuite) TestDocker2DirTagged(c *check.C) {
 }

 func (s *SyncSuite) TestDocker2DirTaggedAll(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedManifestList
@@ -163,6 +169,20 @@ func (s *SyncSuite) TestDocker2DirTaggedAll(c *check.C) {
 	c.Assert(out, check.Equals, "")
 }

+func (s *SyncSuite) TestPreserveDigests(c *check.C) {
+	tmpDir := c.MkDir()
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
+	image := pullableTaggedManifestList
+
+	// copy docker => dir
+	assertSkopeoSucceeds(c, "", "copy", "--all", "--preserve-digests", "docker://"+image, "dir:"+tmpDir)
+	_, err := os.Stat(path.Join(tmpDir, "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	assertSkopeoFails(c, ".*Instructed to preserve digests.*", "copy", "--all", "--preserve-digests", "--format=oci", "docker://"+image, "dir:"+tmpDir)
+}
+
 func (s *SyncSuite) TestScoped(c *check.C) {
 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
@@ -170,8 +190,7 @@ func (s *SyncSuite) TestScoped(c *check.C) {
 	c.Assert(err, check.IsNil)
 	imagePath := imageRef.DockerReference().String()

-	dir1, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
+	dir1 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, path.Base(imagePath), "manifest.json"))
 	c.Assert(err, check.IsNil)
@@ -179,8 +198,6 @@ func (s *SyncSuite) TestScoped(c *check.C) {
 	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
 	c.Assert(err, check.IsNil)
-
-	os.RemoveAll(dir1)
 }

 func (s *SyncSuite) TestDirIsNotOverwritten(c *check.C) {
@@ -194,8 +211,7 @@ func (s *SyncSuite) TestDirIsNotOverwritten(c *check.C) {
 	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "docker://"+image, "docker://"+path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())))

 	//sync upstream image to dir, not scoped
-	dir1, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
+	dir1 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, path.Base(imagePath), "manifest.json"))
 	c.Assert(err, check.IsNil)
@@ -210,14 +226,10 @@ func (s *SyncSuite) TestDirIsNotOverwritten(c *check.C) {
 	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
 	c.Assert(err, check.IsNil)
-	os.RemoveAll(dir1)
 }

 func (s *SyncSuite) TestDocker2DirUntagged(c *check.C) {
-
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepo
@@ -239,9 +251,7 @@ func (s *SyncSuite) TestDocker2DirUntagged(c *check.C) {
 }

 func (s *SyncSuite) TestYamlUntagged(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	image := pullableRepo
@@ -262,7 +272,8 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {

 	// sync to the local registry
 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	c.Assert(err, check.IsNil)
 	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "docker", "--dest-tls-verify=false", yamlFile, v2DockerRegistryURL)
 	// sync back from local registry to a folder
 	os.Remove(yamlFile)
@@ -273,7 +284,8 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {
    %s: []
 `, v2DockerRegistryURL, imagePath)

-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	c.Assert(err, check.IsNil)
 	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)

 	sysCtx = types.SystemContext{
@@ -285,27 +297,11 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Check(len(localTags), check.Not(check.Equals), 0)
 	c.Assert(len(localTags), check.Equals, len(tags))
-
-	nManifests := 0
-	//count the number of manifest.json in dir1
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
-	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, len(tags))
+	assertNumberOfManifestsInSubdirs(c, dir1, len(tags))
 }

 func (s *SyncSuite) TestYamlRegex2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
@@ -318,28 +314,14 @@ k8s.gcr.io:
 	c.Assert(nTags, check.Not(check.Equals), 0)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-
-	nManifests := 0
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
 	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, nTags)
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(c, dir1, nTags)
 }

 func (s *SyncSuite) TestYamlDigest2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
@@ -349,28 +331,14 @@ k8s.gcr.io:
    - sha256:59eec8837a4d942cc19a52b8c09ea75121acc38114a2c68b98983ce9356b8610
 `
 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-
-	nManifests := 0
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
 	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, 1)
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(c, dir1, 1)
 }

 func (s *SyncSuite) TestYaml2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
@@ -401,29 +369,15 @@ quay.io:
 	c.Assert(nTags, check.Not(check.Equals), 0)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-
-	nManifests := 0
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
 	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, nTags)
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(c, dir1, nTags)
 }

 func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")
 	image := pullableRepoWithLatestTag
 	tag := "latest"
@@ -465,7 +419,8 @@ func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 	for _, cfg := range testCfg {
 		yamlConfig := fmt.Sprintf(yamlTemplate, v2DockerRegistryURL, cfg.tlsVerify, image, tag)
 		yamlFile := path.Join(tmpDir, "registries.yaml")
-		ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+		err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+		c.Assert(err, check.IsNil)

 		cfg.checker(c, cfg.msg, "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
 		os.Remove(yamlFile)
@@ -475,9 +430,7 @@ func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 }

 func (s *SyncSuite) TestSyncManifestOutput(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "sync-manifest-output")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	destDir1 := filepath.Join(tmpDir, "dest1")
 	destDir2 := filepath.Join(tmpDir, "dest2")
@@ -497,9 +450,7 @@ func (s *SyncSuite) TestSyncManifestOutput(c *check.C) {
 func (s *SyncSuite) TestDocker2DockerTagged(c *check.C) {
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
@@ -530,15 +481,13 @@ func (s *SyncSuite) TestDocker2DockerTagged(c *check.C) {
 func (s *SyncSuite) TestDir2DockerTagged(c *check.C) {
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepoWithLatestTag

 	dir1 := path.Join(tmpDir, "dir1")
-	err = os.Mkdir(dir1, 0755)
+	err := os.Mkdir(dir1, 0755)
 	c.Assert(err, check.IsNil)
 	dir2 := path.Join(tmpDir, "dir2")
 	err = os.Mkdir(dir2, 0755)
@@ -570,9 +519,7 @@ func (s *SyncSuite) TestDir2DockerTagged(c *check.C) {
 }

 func (s *SyncSuite) TestFailsWithDir2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")
@@ -582,9 +529,7 @@ func (s *SyncSuite) TestFailsWithDir2Dir(c *check.C) {
 }

 func (s *SyncSuite) TestFailsNoSourceImages(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	assertSkopeoFails(c, ".*No images to sync found in .*",
 		"sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", tmpDir, v2DockerRegistryURL)
@@ -596,9 +541,7 @@ func (s *SyncSuite) TestFailsNoSourceImages(c *check.C) {
 func (s *SyncSuite) TestFailsWithDockerSourceNoRegistry(c *check.C) {
 	const regURL = "google.com/namespace/imagename"

-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	//untagged
 	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
@@ -611,9 +554,7 @@ func (s *SyncSuite) TestFailsWithDockerSourceNoRegistry(c *check.C) {

 func (s *SyncSuite) TestFailsWithDockerSourceUnauthorized(c *check.C) {
 	const repo = "privateimagenamethatshouldnotbepublic"
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	//untagged
 	assertSkopeoFails(c, ".*Registry disallows tag list retrieval.*",
@@ -626,9 +567,7 @@ func (s *SyncSuite) TestFailsWithDockerSourceUnauthorized(c *check.C) {

 func (s *SyncSuite) TestFailsWithDockerSourceNotExisting(c *check.C) {
 	repo := path.Join(v2DockerRegistryURL, "imagedoesnotexist")
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	//untagged
 	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
@@ -641,9 +580,9 @@ func (s *SyncSuite) TestFailsWithDockerSourceNotExisting(c *check.C) {

 func (s *SyncSuite) TestFailsWithDirSourceNotExisting(c *check.C) {
 	// Make sure the dir does not exist!
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	err = os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
+	tmpDir = filepath.Join(tmpDir, "this-does-not-exist")
+	err := os.RemoveAll(tmpDir)
 	c.Assert(err, check.IsNil)
 	_, err = os.Stat(path.Join(tmpDir))
 	c.Check(os.IsNotExist(err), check.Equals, true)
--- a/integration/utils.go
+++ b/integration/utils.go
@@ -3,15 +3,15 @@ package main
 import (
 	"bytes"
 	"io"
-	"io/ioutil"
 	"net"
+	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"time"

 	"github.com/containers/image/v5/manifest"
-	"github.com/go-check/check"
+	"gopkg.in/check.v1"
 )

 const skopeoBinary = "skopeo"
@@ -163,15 +163,15 @@ func modifyEnviron(env []string, name, value string) []string {
 // fileFromFixtureFixture applies edits to inputPath and returns a path to the temporary file.
 // Callers should defer os.Remove(the_returned_path)
 func fileFromFixture(c *check.C, inputPath string, edits map[string]string) string {
-	contents, err := ioutil.ReadFile(inputPath)
+	contents, err := os.ReadFile(inputPath)
 	c.Assert(err, check.IsNil)
 	for template, value := range edits {
-		updated := bytes.Replace(contents, []byte(template), []byte(value), -1)
+		updated := bytes.ReplaceAll(contents, []byte(template), []byte(value))
 		c.Assert(bytes.Equal(updated, contents), check.Equals, false, check.Commentf("Replacing %s in %#v failed", template, string(contents))) // Verify that the template has matched something and we are not silently ignoring it.
 		contents = updated
 	}

-	file, err := ioutil.TempFile("", "policy.json")
+	file, err := os.CreateTemp("", "policy.json")
 	c.Assert(err, check.IsNil)
 	path := file.Name()

@@ -187,7 +187,7 @@ func fileFromFixture(c *check.C, inputPath string, edits map[string]string) stri
 func runDecompressDirs(c *check.C, regexp string, args ...string) {
 	c.Logf("Running %s %s", decompressDirsBinary, strings.Join(args, " "))
 	for i, dir := range args {
-		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+		m, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
 		c.Assert(err, check.IsNil)
 		c.Logf("manifest %d before: %s", i+1, string(m))
 	}
@@ -197,7 +197,7 @@ func runDecompressDirs(c *check.C, regexp string, args ...string) {
 		if len(out) > 0 {
 			c.Logf("output: %s", out)
 		}
-		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+		m, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
 		c.Assert(err, check.IsNil)
 		c.Logf("manifest %d after: %s", i+1, string(m))
 	}
@@ -208,7 +208,7 @@ func runDecompressDirs(c *check.C, regexp string, args ...string) {

 // Verify manifest in a dir: image at dir is expectedMIMEType.
 func verifyManifestMIMEType(c *check.C, dir string, expectedMIMEType string) {
-	manifestBlob, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+	manifestBlob, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
 	c.Assert(err, check.IsNil)
 	mimeType := manifest.GuessMIMEType(manifestBlob)
 	c.Assert(mimeType, check.Equals, expectedMIMEType)
--- a/nix/default-arm64.nix
+++ b/nix/default-arm64.nix
@@ -1,85 +0,0 @@
-let
-  pkgs = (import ./nixpkgs.nix {
-    crossSystem = {
-      config = "aarch64-unknown-linux-gnu";
-    };
-    config = {
-      packageOverrides = pkg: {
-        gpgme = (static pkg.gpgme);
-        libassuan = (static pkg.libassuan);
-        libgpgerror = (static pkg.libgpgerror);
-        libseccomp = (static pkg.libseccomp);
-        glib = (static pkg.glib).overrideAttrs (x: {
-          outputs = [ "bin" "out" "dev" ];
-          mesonFlags = [
-            "-Ddefault_library=static"
-            "-Ddevbindir=${placeholder ''dev''}/bin"
-            "-Dgtk_doc=false"
-            "-Dnls=disabled"
-          ];
-          postInstall = ''
-            moveToOutput "share/glib-2.0" "$dev"
-            substituteInPlace "$dev/bin/gdbus-codegen" --replace "$out" "$dev"
-            sed -i "$dev/bin/glib-gettextize" -e "s|^gettext_dir=.*|gettext_dir=$dev/share/glib-2.0/gettext|"
-            sed '1i#line 1 "${x.pname}-${x.version}/include/glib-2.0/gobject/gobjectnotifyqueue.c"' \
-              -i "$dev"/include/glib-2.0/gobject/gobjectnotifyqueue.c
-          '';
-        });
-        pcsclite = (static pkg.pcsclite).overrideAttrs (x: {
-          configureFlags = [
-            "--enable-confdir=/etc"
-            "--enable-usbdropdir=/var/lib/pcsc/drivers"
-            "--disable-libsystemd"
-            "--disable-libudev"
-            "--disable-libusb"
-          ];
-          buildInputs = [ pkgs.python3 pkgs.dbus ];
-        });
-        systemd = (static pkg.systemd).overrideAttrs (x: {
-          outputs = [ "out" "dev" ];
-          mesonFlags = x.mesonFlags ++ [
-            "-Dglib=false"
-            "-Dstatic-libsystemd=true"
-          ];
-        });
-      };
-    };
-  });
-
-  static = pkg: pkg.overrideAttrs (x: {
-    doCheck = false;
-    configureFlags = (x.configureFlags or [ ]) ++ [
-      "--without-shared"
-      "--disable-shared"
-    ];
-    dontDisableStatic = true;
-    enableSharedExecutables = false;
-    enableStatic = true;
-  });
-
-  self = with pkgs; buildGoModule rec {
-    name = "skopeo";
-    src = ./..;
-    vendorSha256 = null;
-    doCheck = false;
-    enableParallelBuilding = true;
-    outputs = [ "out" ];
-    nativeBuildInputs = [ bash gitMinimal go-md2man pkg-config which ];
-    buildInputs = [ glibc glibc.static glib gpgme libassuan libgpgerror libseccomp ];
-    prePatch = ''
-      export CFLAGS='-static -pthread'
-      export LDFLAGS='-s -w -static-libgcc -static'
-      export EXTRA_LDFLAGS='-s -w -linkmode external -extldflags "-static -lm"'
-      export BUILDTAGS='static netgo osusergo exclude_graphdriver_btrfs exclude_graphdriver_devicemapper'
-      export CGO_ENABLED=1
-    '';
-    buildPhase = ''
-      patchShebangs .
-      make bin/skopeo
-    '';
-    installPhase = ''
-      install -Dm755 bin/skopeo $out/bin/skopeo
-    '';
-  };
-in
-self
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -1,83 +0,0 @@
-{ system ? builtins.currentSystem }:
-let
-  pkgs = (import ./nixpkgs.nix {
-    config = {
-      packageOverrides = pkg: {
-        gpgme = (static pkg.gpgme);
-        libassuan = (static pkg.libassuan);
-        libgpgerror = (static pkg.libgpgerror);
-        libseccomp = (static pkg.libseccomp);
-        glib = (static pkg.glib).overrideAttrs (x: {
-          outputs = [ "bin" "out" "dev" ];
-          mesonFlags = [
-            "-Ddefault_library=static"
-            "-Ddevbindir=${placeholder ''dev''}/bin"
-            "-Dgtk_doc=false"
-            "-Dnls=disabled"
-          ];
-          postInstall = ''
-            moveToOutput "share/glib-2.0" "$dev"
-            substituteInPlace "$dev/bin/gdbus-codegen" --replace "$out" "$dev"
-            sed -i "$dev/bin/glib-gettextize" -e "s|^gettext_dir=.*|gettext_dir=$dev/share/glib-2.0/gettext|"
-            sed '1i#line 1 "${x.pname}-${x.version}/include/glib-2.0/gobject/gobjectnotifyqueue.c"' \
-              -i "$dev"/include/glib-2.0/gobject/gobjectnotifyqueue.c
-          '';
-        });
-        pcsclite = (static pkg.pcsclite).overrideAttrs (x: {
-          configureFlags = [
-            "--enable-confdir=/etc"
-            "--enable-usbdropdir=/var/lib/pcsc/drivers"
-            "--disable-libsystemd"
-            "--disable-libudev"
-            "--disable-libusb"
-          ];
-          buildInputs = [ pkgs.python3 pkgs.dbus ];
-        });
-        systemd = (static pkg.systemd).overrideAttrs (x: {
-          outputs = [ "out" "dev" ];
-          mesonFlags = x.mesonFlags ++ [
-            "-Dglib=false"
-            "-Dstatic-libsystemd=true"
-          ];
-        });
-      };
-    };
-  });
-
-  static = pkg: pkg.overrideAttrs (x: {
-    doCheck = false;
-    configureFlags = (x.configureFlags or [ ]) ++ [
-      "--without-shared"
-      "--disable-shared"
-    ];
-    dontDisableStatic = true;
-    enableSharedExecutables = false;
-    enableStatic = true;
-  });
-
-  self = with pkgs; buildGoModule rec {
-    name = "skopeo";
-    src = ./..;
-    vendorSha256 = null;
-    doCheck = false;
-    enableParallelBuilding = true;
-    outputs = [ "out" ];
-    nativeBuildInputs = [ bash gitMinimal go-md2man pkg-config which ];
-    buildInputs = [ glibc glibc.static glib gpgme libassuan libgpgerror libseccomp ];
-    prePatch = ''
-      export CFLAGS='-static -pthread'
-      export LDFLAGS='-s -w -static-libgcc -static'
-      export EXTRA_LDFLAGS='-s -w -linkmode external -extldflags "-static -lm"'
-      export BUILDTAGS='static netgo osusergo exclude_graphdriver_btrfs exclude_graphdriver_devicemapper'
-      export CGO_ENABLED=1
-    '';
-    buildPhase = ''
-      patchShebangs .
-      make bin/skopeo
-    '';
-    installPhase = ''
-      install -Dm755 bin/skopeo $out/bin/skopeo
-    '';
-  };
-in
-self
--- a/nix/nixpkgs.json
+++ b/nix/nixpkgs.json
@@ -1,10 +0,0 @@
-{
-  "url": "https://github.com/nixos/nixpkgs",
-  "rev": "2a96414d7e350160a33ed0978449c9ff5b5a6eb3",
-  "date": "2021-07-13T18:21:47+02:00",
-  "path": "/nix/store/2ai9q8ac6vxb2rrngdz82y8jxnk15cvm-nixpkgs",
-  "sha256": "1dzrfqdjq3yq5jjskiqflzy58l2xx6059gay9p1k07zrlm1wigy5",
-  "fetchSubmodules": false,
-  "deepClone": false,
-  "leaveDotGit": false
-}
--- a/nix/nixpkgs.nix
+++ b/nix/nixpkgs.nix
@@ -1,9 +0,0 @@
-let
-  json = builtins.fromJSON (builtins.readFile ./nixpkgs.json);
-  nixpkgs = import (builtins.fetchTarball {
-    name = "nixos-unstable";
-    url = "${json.url}/archive/${json.rev}.tar.gz";
-    inherit (json) sha256;
-  });
-in
-nixpkgs
--- a/skopeo.spec.rpkg
+++ b/skopeo.spec.rpkg
@@ -0,0 +1,132 @@
+# For automatic rebuilds in COPR
+
+# The following tag is to get correct syntax highlighting for this file in vim text editor
+# vim: syntax=spec
+
+# Any additinoal comments should go below this line or else syntax highlighting
+# may not work.
+
+# CAUTION: This is not a replacement for RPMs provided by your distro.
+# Only intended to build and test the latest unreleased changes.
+
+%global gomodulesmode GO111MODULE=on
+%global with_debug 1
+
+%if 0%{?with_debug}
+%global _find_debuginfo_dwz_opts %{nil}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package %{nil}
+%endif
+
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
+%endif
+
+Name: {{{ git_dir_name }}}
+Epoch: 101
+Version: {{{ git_dir_version }}}
+Release: 1%{?dist}
+Summary: Inspect container images and repositories on registries
+License: ASL 2.0
+URL: https://github.com/containers/skopeo
+VCS: {{{ git_dir_vcs }}}
+Source: {{{ git_dir_pack }}}
+%if 0%{?fedora} && ! 0%{?rhel}
+BuildRequires: btrfs-progs-devel
+%endif
+BuildRequires: golang >= 1.16.6
+BuildRequires: glib2-devel
+BuildRequires: git-core
+BuildRequires: go-md2man
+%if 0%{?fedora} || 0%{?rhel} >= 9
+BuildRequires: go-rpm-macros
+%endif
+BuildRequires: pkgconfig(devmapper)
+BuildRequires: gpgme-devel
+BuildRequires: libassuan-devel
+BuildRequires: pkgconfig
+BuildRequires: make
+BuildRequires: ostree-devel
+%if 0%{?fedora} <= 35
+Requires: containers-common >= 4:1-39
+%else
+Requires: containers-common >= 4:1-46
+%endif
+
+%description
+Command line utility to inspect images and repositories directly on Docker
+registries without the need to pull them.
+
+%package tests
+Summary: Tests for %{name}
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: bats
+Requires: gnupg
+Requires: jq
+Requires: podman
+Requires: httpd-tools
+Requires: openssl
+Requires: fakeroot
+Requires: squashfs-tools
+
+%description tests
+%{summary}
+
+This package contains system tests for %{name}
+
+%prep
+{{{ git_dir_setup_macro }}}
+
+sed -i 's/install-binary: bin\/skopeo/install-binary:/' Makefile
+
+# This will invoke `make` command in the directory with the extracted sources.
+%build
+%set_build_flags
+export CGO_CFLAGS=$CFLAGS
+# These extra flags present in $CFLAGS have been skipped for now as they break the build
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
+
+%ifarch x86_64
+export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
+%endif
+
+LDFLAGS=""
+
+export BUILDTAGS="$(hack/libdm_tag.sh)"
+%if 0%{?rhel}
+export BUILDTAGS="$BUILDTAGS exclude_graphdriver_btrfs btrfs_noversion"
+%endif
+
+%gobuild -o bin/%{name} ./cmd/%{name}
+
+%install
+%{__make} PREFIX=%{buildroot}%{_prefix} install-binary install-docs install-completions
+
+# system tests
+install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
+cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man1/%%{name}*
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/%{name}
+%dir %{_datadir}/fish
+%dir %{_datadir}/fish/vendor_completions.d
+%{_datadir}/fish/vendor_completions.d/%{name}.fish
+%dir %{_datadir}/zsh
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files tests
+%license LICENSE
+%{_datadir}/%{name}/test
+
+%changelog
+{{{ git_dir_changelog }}}
--- a/systemtest/010-inspect.bats
+++ b/systemtest/010-inspect.bats
@@ -27,11 +27,20 @@ load helpers
    # Now run inspect locally
    run_skopeo inspect dir:$workdir
    inspect_local=$output
+    run_skopeo inspect --raw dir:$workdir
+    inspect_local_raw=$output
+    config_digest=$(jq -r '.config.digest' <<<"$inspect_local_raw")

-    # Each SHA-named file must be listed in the output of 'inspect'
+    # Each SHA-named layer file (but not the config) must be listed in the output of 'inspect'.
+    # In all existing versions of Skopeo (with 1.6 being the current as of this comment),
+    # the output of 'inspect' lists layer digests,
+    # but not the digest of the config blob ($config_digest), if any.
+    layers=$(jq -r '.Layers' <<<"$inspect_local")
    for sha in $(find $workdir -type f | xargs -l1 basename | egrep '^[0-9a-f]{64}$'); do
-        expect_output --from="$inspect_local" --substring "sha256:$sha" \
-                      "Locally-extracted SHA file is present in 'inspect'"
+        if [ "sha256:$sha" != "$config_digest" ]; then
+            expect_output --from="$layers" --substring "sha256:$sha" \
+                        "Locally-extracted SHA file is present in 'inspect'"
+        fi
    done

    # Simple sanity check on 'inspect' output.
@@ -108,4 +117,15 @@ END_EXPECT
                  "os - variant - architecture of $img"
 }

+@test "inspect: don't list tags" {
+    remote_image=docker://quay.io/fedora/fedora
+    # use --no-tags to not list any tags
+    run_skopeo inspect --no-tags $remote_image
+    inspect_output=$output
+    # extract the content of "RepoTags" property from the JSON output
+    repo_tags=$(jq '.RepoTags[]' <<<"$inspect_output")
+    # verify that the RepoTags was empty
+    expect_output --from="$repo_tags" "" "inspect --no-tags was expected to return empty RepoTags[]"
+}
+
 # vim: filetype=sh
--- a/systemtest/020-copy.bats
+++ b/systemtest/020-copy.bats
@@ -125,6 +125,10 @@ function setup() {
    run podman --root $TESTDIR/podmanroot images
    expect_output --substring "mine"

+    # rootless cleanup needs to be done with unshare due to subuids
+    if [[ "$(id -u)" != "0" ]]; then
+        run podman unshare rm -rf $TESTDIR/podmanroot
+    fi
 }

 # shared blob directory
@@ -144,6 +148,16 @@ function setup() {
    diff -urN $shareddir $dir2/blobs
 }

+@test "copy: sif image" {
+    type -path fakeroot || skip "'fakeroot' tool not available"
+
+    local localimg=dir:$TESTDIR/dir
+
+    run_skopeo copy sif:${TEST_SOURCE_DIR}/testdata/busybox_latest.sif $localimg
+    run_skopeo inspect $localimg --format "{{.Architecture}}"
+    expect_output "amd64"
+}
+
 teardown() {
    podman rm -f reg

--- a/systemtest/050-signing.bats
+++ b/systemtest/050-signing.bats
@@ -12,6 +12,13 @@ function setup() {
    export GNUPGHOME=$TESTDIR/skopeo-gpg
    mkdir --mode=0700 $GNUPGHOME

+    PASSPHRASE_FILE=$TESTDIR/passphrase-file
+    passphrase=$(random_string 20)
+    echo $passphrase > $PASSPHRASE_FILE
+
+    PASSPHRASE_FILE_WRONG=$TESTDIR/passphrase-file-wrong
+    echo $(random_string 10) > $PASSPHRASE_FILE_WRONG
+
    # gpg on f30 needs this, otherwise:
    #   gpg: agent_genkey failed: Inappropriate ioctl for device
    # ...but gpg on f29 (and, probably, Ubuntu) doesn't grok this
@@ -21,7 +28,7 @@ function setup() {
    fi

    for k in alice bob;do
-        gpg --batch $GPGOPTS --gen-key --passphrase '' <<END_GPG
+        gpg --batch $GPGOPTS --gen-key --passphrase $passphrase <<END_GPG
 Key-Type: RSA
 Name-Real: Test key - $k
 Name-email: $k@test.redhat.com
@@ -81,8 +88,18 @@ END_POLICY_JSON
    start_registry reg
 }

+function kill_gpg_agent {
+    # Kill the running gpg-agent to drop unlocked keys. This allows for testing
+    # handling of invalid passphrases.
+    run gpgconf --kill gpg-agent
+    if [ "$status" -ne 0 ]; then
+        die "could not restart gpg-agent: $output"
+    fi
+}
+
@test "signing" {
-    run_skopeo '?' standalone-sign /dev/null busybox alice@test.redhat.com -o /dev/null
+    kill_gpg_agent
+    run_skopeo '?' standalone-sign /dev/null busybox alice@test.redhat.com -o /dev/null --passphrase-file $PASSPHRASE_FILE
    if [[ "$output" =~ 'signing is not supported' ]]; then
        skip "skopeo built without support for creating signatures"
        return 1
@@ -100,7 +117,8 @@ END_POLICY_JSON
    while read path sig comments; do
        local sign_opt=
        if [[ $sig != '-' ]]; then
-            sign_opt="--sign-by=${sig}@test.redhat.com"
+            kill_gpg_agent
+            sign_opt=" --sign-passphrase-file=$PASSPHRASE_FILE --sign-by=${sig}@test.redhat.com"
        fi
        run_skopeo --registries.d $REGISTRIES_D \
                   copy --dest-tls-verify=false \
@@ -144,7 +162,8 @@ END_TESTS
 }

@test "signing: remove signature" {
-    run_skopeo '?' standalone-sign /dev/null busybox alice@test.redhat.com -o /dev/null
+    kill_gpg_agent
+    run_skopeo '?' standalone-sign /dev/null busybox alice@test.redhat.com -o /dev/null --passphrase-file $PASSPHRASE_FILE
    if [[ "$output" =~ 'signing is not supported' ]]; then
        skip "skopeo built without support for creating signatures"
        return 1
@@ -157,11 +176,24 @@ END_TESTS
    run_skopeo copy docker://quay.io/libpod/busybox:latest \
               dir:$TESTDIR/busybox
    # Push a signed image
+    kill_gpg_agent
    run_skopeo --registries.d $REGISTRIES_D \
               copy --dest-tls-verify=false \
               --sign-by=alice@test.redhat.com \
+               --sign-passphrase-file $PASSPHRASE_FILE \
               dir:$TESTDIR/busybox \
               docker://localhost:5000/myns/alice:signed
+
+    # Wrong passphrase file
+    kill_gpg_agent
+    run_skopeo 1 --registries.d $REGISTRIES_D \
+               copy --dest-tls-verify=false \
+               --sign-by=alice@test.redhat.com \
+               --sign-passphrase-file $PASSPHRASE_FILE_WRONG \
+               dir:$TESTDIR/busybox \
+               docker://localhost:5000/myns/alice:signed
+    expect_output --substring "Bad passphrase"
+
    # Fetch the image with signature
    run_skopeo  --registries.d $REGISTRIES_D \
                --policy $POLICY_JSON \
@@ -180,7 +212,8 @@ END_TESTS
 }

@test "signing: standalone" {
-    run_skopeo '?' standalone-sign /dev/null busybox alice@test.redhat.com -o /dev/null
+    kill_gpg_agent
+    run_skopeo '?' standalone-sign /dev/null busybox alice@test.redhat.com -o /dev/null --passphrase-file $PASSPHRASE_FILE
    if [[ "$output" =~ 'signing is not supported' ]]; then
        skip "skopeo built without support for creating signatures"
        return 1
@@ -196,7 +229,9 @@ END_TESTS
               docker://localhost:5000/busybox:latest \
               dir:$TESTDIR/busybox
    # Standalone sign
+    kill_gpg_agent
    run_skopeo standalone-sign -o $TESTDIR/busybox.signature \
+               --passphrase-file $PASSPHRASE_FILE \
               $TESTDIR/busybox/manifest.json \
               localhost:5000/busybox:latest \
               alice@test.redhat.com
--- a/systemtest/070-list-tags.bats
+++ b/systemtest/070-list-tags.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+#
+# list-tags tests
+#
+
+load helpers
+
+# list from registry
+@test "list-tags: remote repository on a registry" {
+    local remote_image=quay.io/libpod/alpine_labels
+
+    run_skopeo list-tags "docker://${remote_image}"
+    expect_output --substring "quay.io/libpod/alpine_labels"
+    expect_output --substring "latest"
+}
+
+# list from a local docker-archive file
+@test "list-tags: from a docker-archive file" {
+    local file_name=${TEST_SOURCE_DIR}/testdata/docker-two-images.tar.xz
+
+    run_skopeo list-tags docker-archive:$file_name
+    expect_output --substring "example.com/empty:latest"
+    expect_output --substring "example.com/empty/but:different"
+
+}
+
+
+# vim: filetype=sh
--- a/systemtest/080-sync.bats
+++ b/systemtest/080-sync.bats
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+#
+# Sync tests
+#
+
+load helpers
+
+function setup() {
+    standard_setup
+}
+
+@test "sync: --dry-run" {
+    local remote_image=quay.io/libpod/busybox:latest
+    local dir=$TESTDIR/dir
+
+    run_skopeo sync --dry-run --src docker --dest dir --scoped $remote_image $dir
+    expect_output --substring "Would have copied image"
+    expect_output --substring "from=\"docker://${remote_image}\" to=\"dir:${dir}/${remote_image}\""
+    expect_output --substring "Would have synced 1 images from 1 sources"
+}
+
+teardown() {
+    standard_teardown
+}
+
+# vim: filetype=sh
--- a/systemtest/helpers.bash
+++ b/systemtest/helpers.bash
@@ -1,6 +1,10 @@
 #!/bin/bash

-SKOPEO_BINARY=${SKOPEO_BINARY:-$(dirname ${BASH_SOURCE})/../skopeo}
+# Directory containing system test sources
+TEST_SOURCE_DIR=${TEST_SOURCE_DIR:-$(dirname ${BASH_SOURCE})}
+
+# Skopeo executable
+SKOPEO_BINARY=${SKOPEO_BINARY:-${TEST_SOURCE_DIR}/../bin/skopeo}

 # Default timeout for a skopeo command.
 SKOPEO_TIMEOUT=${SKOPEO_TIMEOUT:-300}
@@ -356,9 +360,10 @@ start_registry() {
            return
        fi

-        timeout=$(expr $timeout - 1)
+        timeout=$(( timeout - 1 ))
        sleep 1
    done
+    log_and_run $PODMAN logs $name
    die "Timed out waiting for registry container to respond on :$port"
 }

--- a/systemtest/testdata/busybox_latest.sif
+++ b/systemtest/testdata/busybox_latest.sif
--- a/systemtest/testdata/docker-two-images.tar.xz
+++ b/systemtest/testdata/docker-two-images.tar.xz
--- a/vendor/github.com/BurntSushi/toml/.gitignore
+++ b/vendor/github.com/BurntSushi/toml/.gitignore
@@ -1,5 +1,2 @@
-TAGS
-tags
-.*.swp
-tomlcheck/tomlcheck
-toml.test
+/toml.test
+/toml-test
--- a/vendor/github.com/BurntSushi/toml/.travis.yml
+++ b/vendor/github.com/BurntSushi/toml/.travis.yml
@@ -1,15 +0,0 @@
-language: go
-go:
-  - 1.1
-  - 1.2
-  - 1.3
-  - 1.4
-  - 1.5
-  - 1.6
-  - tip
-install:
-  - go install ./...
-  - go get github.com/BurntSushi/toml-test
-script:
-  - export PATH="$PATH:$HOME/gopath/bin"
-  - make test
--- a/vendor/github.com/BurntSushi/toml/COMPATIBLE
+++ b/vendor/github.com/BurntSushi/toml/COMPATIBLE
@@ -1,3 +0,0 @@
-Compatible with TOML version
-[v0.4.0](https://github.com/toml-lang/toml/blob/v0.4.0/versions/en/toml-v0.4.0.md)
-
--- a/vendor/github.com/BurntSushi/toml/Makefile
+++ b/vendor/github.com/BurntSushi/toml/Makefile
@@ -1,19 +0,0 @@
-install:
-	go install ./...
-
-test: install
-	go test -v
-	toml-test toml-test-decoder
-	toml-test -encoder toml-test-encoder
-
-fmt:
-	gofmt -w *.go */*.go
-	colcheck *.go */*.go
-
-tags:
-	find ./ -name '*.go' -print0 | xargs -0 gotags > TAGS
-
-push:
-	git push origin master
-	git push github master
-
--- a/vendor/github.com/BurntSushi/toml/README.md
+++ b/vendor/github.com/BurntSushi/toml/README.md
@@ -1,46 +1,26 @@
-## TOML parser and encoder for Go with reflection
-
 TOML stands for Tom's Obvious, Minimal Language. This Go package provides a
-reflection interface similar to Go's standard library `json` and `xml`
-packages. This package also supports the `encoding.TextUnmarshaler` and
-`encoding.TextMarshaler` interfaces so that you can define custom data
-representations. (There is an example of this below.)
+reflection interface similar to Go's standard library `json` and `xml` packages.

-Spec: https://github.com/toml-lang/toml
+Compatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0).

-Compatible with TOML version
-[v0.4.0](https://github.com/toml-lang/toml/blob/master/versions/en/toml-v0.4.0.md)
+Documentation: https://godocs.io/github.com/BurntSushi/toml

-Documentation: https://godoc.org/github.com/BurntSushi/toml
+See the [releases page](https://github.com/BurntSushi/toml/releases) for a
+changelog; this information is also in the git tag annotations (e.g. `git show
+v0.4.0`).

-Installation:
+This library requires Go 1.13 or newer; add it to your go.mod with:

-```bash
-go get github.com/BurntSushi/toml
-```
+    % go get github.com/BurntSushi/toml@latest

-Try the toml validator:
+It also comes with a TOML validator CLI tool:

-```bash
-go get github.com/BurntSushi/toml/cmd/tomlv
-tomlv some-toml-file.toml
-```
-
-[![Build Status](https://travis-ci.org/BurntSushi/toml.svg?branch=master)](https://travis-ci.org/BurntSushi/toml) [![GoDoc](https://godoc.org/github.com/BurntSushi/toml?status.svg)](https://godoc.org/github.com/BurntSushi/toml)
-
-### Testing
-
-This package passes all tests in
-[toml-test](https://github.com/BurntSushi/toml-test) for both the decoder
-and the encoder.
+    % go install github.com/BurntSushi/toml/cmd/tomlv@latest
+    % tomlv some-toml-file.toml

 ### Examples
-
-This package works similarly to how the Go standard library handles `XML`
-and `JSON`. Namely, data is loaded into Go values via reflection.
-
-For the simplest example, consider some TOML file as just a list of keys
-and values:
+For the simplest example, consider some TOML file as just a list of keys and
+values:

 ```toml
 Age = 25
@@ -50,29 +30,23 @@ Perfection = [ 6, 28, 496, 8128 ]
 DOB = 1987-07-05T05:45:00Z
 ```

-Which could be defined in Go as:
+Which can be decoded with:

 ```go
 type Config struct {
-  Age int
-  Cats []string
-  Pi float64
-  Perfection []int
-  DOB time.Time // requires `import time`
+	Age        int
+	Cats       []string
+	Pi         float64
+	Perfection []int
+	DOB        time.Time
 }
-```

-And then decoded with:
-
-```go
 var conf Config
-if _, err := toml.Decode(tomlData, &conf); err != nil {
-  // handle error
-}
+_, err := toml.Decode(tomlData, &conf)
 ```

-You can also use struct tags if your struct field name doesn't map to a TOML
-key value directly:
+You can also use struct tags if your struct field name doesn't map to a TOML key
+value directly:

 ```toml
 some_key_NAME = "wat"
@@ -80,139 +54,67 @@ some_key_NAME = "wat"

 ```go
 type TOML struct {
-  ObscureKey string `toml:"some_key_NAME"`
+    ObscureKey string `toml:"some_key_NAME"`
 }
 ```

-### Using the `encoding.TextUnmarshaler` interface
+Beware that like other decoders **only exported fields** are considered when
+encoding and decoding; private fields are silently ignored.

-Here's an example that automatically parses duration strings into
-`time.Duration` values:
+### Using the `Marshaler` and `encoding.TextUnmarshaler` interfaces
+Here's an example that automatically parses values in a `mail.Address`:

 ```toml
-[[song]]
-name = "Thunder Road"
-duration = "4m49s"
-
-[[song]]
-name = "Stairway to Heaven"
-duration = "8m03s"
-```
-
-Which can be decoded with:
-
-```go
-type song struct {
-  Name     string
-  Duration duration
-}
-type songs struct {
-  Song []song
-}
-var favorites songs
-if _, err := toml.Decode(blob, &favorites); err != nil {
-  log.Fatal(err)
-}
-
-for _, s := range favorites.Song {
-  fmt.Printf("%s (%s)\n", s.Name, s.Duration)
-}
-```
-
-And you'll also need a `duration` type that satisfies the
-`encoding.TextUnmarshaler` interface:
-
-```go
-type duration struct {
-	time.Duration
-}
-
-func (d *duration) UnmarshalText(text []byte) error {
-	var err error
-	d.Duration, err = time.ParseDuration(string(text))
-	return err
-}
-```
-
-### More complex usage
-
-Here's an example of how to load the example from the official spec page:
-
-```toml
-# This is a TOML document. Boom.
-
-title = "TOML Example"
-
-[owner]
-name = "Tom Preston-Werner"
-organization = "GitHub"
-bio = "GitHub Cofounder & CEO\nLikes tater tots and beer."
-dob = 1979-05-27T07:32:00Z # First class dates? Why not?
-
-[database]
-server = "192.168.1.1"
-ports = [ 8001, 8001, 8002 ]
-connection_max = 5000
-enabled = true
-
-[servers]
-
-  # You can indent as you please. Tabs or spaces. TOML don't care.
-  [servers.alpha]
-  ip = "10.0.0.1"
-  dc = "eqdc10"
-
-  [servers.beta]
-  ip = "10.0.0.2"
-  dc = "eqdc10"
-
-[clients]
-data = [ ["gamma", "delta"], [1, 2] ] # just an update to make sure parsers support it
-
-# Line breaks are OK when inside arrays
-hosts = [
-  "alpha",
-  "omega"
+contacts = [
+    "Donald Duck <donald@duckburg.com>",
+    "Scrooge McDuck <scrooge@duckburg.com>",
 ]
 ```

-And the corresponding Go types are:
+Can be decoded with:

 ```go
-type tomlConfig struct {
-	Title string
-	Owner ownerInfo
-	DB database `toml:"database"`
-	Servers map[string]server
-	Clients clients
+// Create address type which satisfies the encoding.TextUnmarshaler interface.
+type address struct {
+	*mail.Address
 }

-type ownerInfo struct {
-	Name string
-	Org string `toml:"organization"`
-	Bio string
-	DOB time.Time
+func (a *address) UnmarshalText(text []byte) error {
+	var err error
+	a.Address, err = mail.ParseAddress(string(text))
+	return err
 }

-type database struct {
-	Server string
-	Ports []int
-	ConnMax int `toml:"connection_max"`
-	Enabled bool
-}
+// Decode it.
+func decode() {
+	blob := `
+		contacts = [
+			"Donald Duck <donald@duckburg.com>",
+			"Scrooge McDuck <scrooge@duckburg.com>",
+		]
+	`

-type server struct {
-	IP string
-	DC string
-}
+	var contacts struct {
+		Contacts []address
+	}

-type clients struct {
-	Data [][]interface{}
-	Hosts []string
+	_, err := toml.Decode(blob, &contacts)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	for _, c := range contacts.Contacts {
+		fmt.Printf("%#v\n", c.Address)
+	}
+
+	// Output:
+	// &mail.Address{Name:"Donald Duck", Address:"donald@duckburg.com"}
+	// &mail.Address{Name:"Scrooge McDuck", Address:"scrooge@duckburg.com"}
 }
 ```

-Note that a case insensitive match will be tried if an exact match can't be
-found.
+To target TOML specifically you can implement `UnmarshalTOML` TOML interface in
+a similar way.

-A working example of the above can be found in `_examples/example.{go,toml}`.
+### More complex usage
+See the [`_example/`](/_example) directory for a more complex example.
--- a/vendor/github.com/BurntSushi/toml/decode.go
+++ b/vendor/github.com/BurntSushi/toml/decode.go
@@ -1,54 +1,171 @@
 package toml

 import (
+	"bytes"
+	"encoding"
+	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"math"
+	"os"
 	"reflect"
+	"strconv"
 	"strings"
 	"time"
 )

-func e(format string, args ...interface{}) error {
-	return fmt.Errorf("toml: "+format, args...)
-}
-
 // Unmarshaler is the interface implemented by objects that can unmarshal a
 // TOML description of themselves.
 type Unmarshaler interface {
 	UnmarshalTOML(interface{}) error
 }

-// Unmarshal decodes the contents of `p` in TOML format into a pointer `v`.
-func Unmarshal(p []byte, v interface{}) error {
-	_, err := Decode(string(p), v)
+// Unmarshal decodes the contents of `data` in TOML format into a pointer `v`.
+func Unmarshal(data []byte, v interface{}) error {
+	_, err := NewDecoder(bytes.NewReader(data)).Decode(v)
 	return err
 }

+// Decode the TOML data in to the pointer v.
+//
+// See the documentation on Decoder for a description of the decoding process.
+func Decode(data string, v interface{}) (MetaData, error) {
+	return NewDecoder(strings.NewReader(data)).Decode(v)
+}
+
+// DecodeFile is just like Decode, except it will automatically read the
+// contents of the file at path and decode it for you.
+func DecodeFile(path string, v interface{}) (MetaData, error) {
+	fp, err := os.Open(path)
+	if err != nil {
+		return MetaData{}, err
+	}
+	defer fp.Close()
+	return NewDecoder(fp).Decode(v)
+}
+
 // Primitive is a TOML value that hasn't been decoded into a Go value.
-// When using the various `Decode*` functions, the type `Primitive` may
-// be given to any value, and its decoding will be delayed.
 //
-// A `Primitive` value can be decoded using the `PrimitiveDecode` function.
+// This type can be used for any value, which will cause decoding to be delayed.
+// You can use the PrimitiveDecode() function to "manually" decode these values.
 //
-// The underlying representation of a `Primitive` value is subject to change.
-// Do not rely on it.
+// NOTE: The underlying representation of a `Primitive` value is subject to
+// change. Do not rely on it.
 //
-// N.B. Primitive values are still parsed, so using them will only avoid
-// the overhead of reflection. They can be useful when you don't know the
-// exact type of TOML data until run time.
+// NOTE: Primitive values are still parsed, so using them will only avoid the
+// overhead of reflection. They can be useful when you don't know the exact type
+// of TOML data until runtime.
 type Primitive struct {
 	undecoded interface{}
 	context   Key
 }

-// DEPRECATED!
+// The significand precision for float32 and float64 is 24 and 53 bits; this is
+// the range a natural number can be stored in a float without loss of data.
+const (
+	maxSafeFloat32Int = 16777215                // 2^24-1
+	maxSafeFloat64Int = int64(9007199254740991) // 2^53-1
+)
+
+// Decoder decodes TOML data.
 //
-// Use MetaData.PrimitiveDecode instead.
-func PrimitiveDecode(primValue Primitive, v interface{}) error {
-	md := MetaData{decoded: make(map[string]bool)}
-	return md.unify(primValue.undecoded, rvalue(v))
+// TOML tables correspond to Go structs or maps (dealer's choice – they can be
+// used interchangeably).
+//
+// TOML table arrays correspond to either a slice of structs or a slice of maps.
+//
+// TOML datetimes correspond to Go time.Time values. Local datetimes are parsed
+// in the local timezone.
+//
+// time.Duration types are treated as nanoseconds if the TOML value is an
+// integer, or they're parsed with time.ParseDuration() if they're strings.
+//
+// All other TOML types (float, string, int, bool and array) correspond to the
+// obvious Go types.
+//
+// An exception to the above rules is if a type implements the TextUnmarshaler
+// interface, in which case any primitive TOML value (floats, strings, integers,
+// booleans, datetimes) will be converted to a []byte and given to the value's
+// UnmarshalText method. See the Unmarshaler example for a demonstration with
+// email addresses.
+//
+// Key mapping
+//
+// TOML keys can map to either keys in a Go map or field names in a Go struct.
+// The special `toml` struct tag can be used to map TOML keys to struct fields
+// that don't match the key name exactly (see the example). A case insensitive
+// match to struct names will be tried if an exact match can't be found.
+//
+// The mapping between TOML values and Go values is loose. That is, there may
+// exist TOML values that cannot be placed into your representation, and there
+// may be parts of your representation that do not correspond to TOML values.
+// This loose mapping can be made stricter by using the IsDefined and/or
+// Undecoded methods on the MetaData returned.
+//
+// This decoder does not handle cyclic types. Decode will not terminate if a
+// cyclic type is passed.
+type Decoder struct {
+	r io.Reader
+}
+
+// NewDecoder creates a new Decoder.
+func NewDecoder(r io.Reader) *Decoder {
+	return &Decoder{r: r}
+}
+
+var (
+	unmarshalToml = reflect.TypeOf((*Unmarshaler)(nil)).Elem()
+	unmarshalText = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
+	primitiveType = reflect.TypeOf((*Primitive)(nil)).Elem()
+)
+
+// Decode TOML data in to the pointer `v`.
+func (dec *Decoder) Decode(v interface{}) (MetaData, error) {
+	rv := reflect.ValueOf(v)
+	if rv.Kind() != reflect.Ptr {
+		s := "%q"
+		if reflect.TypeOf(v) == nil {
+			s = "%v"
+		}
+
+		return MetaData{}, fmt.Errorf("toml: cannot decode to non-pointer "+s, reflect.TypeOf(v))
+	}
+	if rv.IsNil() {
+		return MetaData{}, fmt.Errorf("toml: cannot decode to nil value of %q", reflect.TypeOf(v))
+	}
+
+	// Check if this is a supported type: struct, map, interface{}, or something
+	// that implements UnmarshalTOML or UnmarshalText.
+	rv = indirect(rv)
+	rt := rv.Type()
+	if rv.Kind() != reflect.Struct && rv.Kind() != reflect.Map &&
+		!(rv.Kind() == reflect.Interface && rv.NumMethod() == 0) &&
+		!rt.Implements(unmarshalToml) && !rt.Implements(unmarshalText) {
+		return MetaData{}, fmt.Errorf("toml: cannot decode to type %s", rt)
+	}
+
+	// TODO: parser should read from io.Reader? Or at the very least, make it
+	// read from []byte rather than string
+	data, err := ioutil.ReadAll(dec.r)
+	if err != nil {
+		return MetaData{}, err
+	}
+
+	p, err := parse(string(data))
+	if err != nil {
+		return MetaData{}, err
+	}
+
+	md := MetaData{
+		mapping: p.mapping,
+		keyInfo: p.keyInfo,
+		keys:    p.ordered,
+		decoded: make(map[string]struct{}, len(p.ordered)),
+		context: nil,
+		data:    data,
+	}
+	return md, md.unify(p.mapping, rv)
 }

 // PrimitiveDecode is just like the other `Decode*` functions, except it
@@ -68,90 +185,15 @@ func (md *MetaData) PrimitiveDecode(primValue Primitive, v interface{}) error {
 	return md.unify(primValue.undecoded, rvalue(v))
 }

-// Decode will decode the contents of `data` in TOML format into a pointer
-// `v`.
-//
-// TOML hashes correspond to Go structs or maps. (Dealer's choice. They can be
-// used interchangeably.)
-//
-// TOML arrays of tables correspond to either a slice of structs or a slice
-// of maps.
-//
-// TOML datetimes correspond to Go `time.Time` values.
-//
-// All other TOML types (float, string, int, bool and array) correspond
-// to the obvious Go types.
-//
-// An exception to the above rules is if a type implements the
-// encoding.TextUnmarshaler interface. In this case, any primitive TOML value
-// (floats, strings, integers, booleans and datetimes) will be converted to
-// a byte string and given to the value's UnmarshalText method. See the
-// Unmarshaler example for a demonstration with time duration strings.
-//
-// Key mapping
-//
-// TOML keys can map to either keys in a Go map or field names in a Go
-// struct. The special `toml` struct tag may be used to map TOML keys to
-// struct fields that don't match the key name exactly. (See the example.)
-// A case insensitive match to struct names will be tried if an exact match
-// can't be found.
-//
-// The mapping between TOML values and Go values is loose. That is, there
-// may exist TOML values that cannot be placed into your representation, and
-// there may be parts of your representation that do not correspond to
-// TOML values. This loose mapping can be made stricter by using the IsDefined
-// and/or Undecoded methods on the MetaData returned.
-//
-// This decoder will not handle cyclic types. If a cyclic type is passed,
-// `Decode` will not terminate.
-func Decode(data string, v interface{}) (MetaData, error) {
-	rv := reflect.ValueOf(v)
-	if rv.Kind() != reflect.Ptr {
-		return MetaData{}, e("Decode of non-pointer %s", reflect.TypeOf(v))
-	}
-	if rv.IsNil() {
-		return MetaData{}, e("Decode of nil %s", reflect.TypeOf(v))
-	}
-	p, err := parse(data)
-	if err != nil {
-		return MetaData{}, err
-	}
-	md := MetaData{
-		p.mapping, p.types, p.ordered,
-		make(map[string]bool, len(p.ordered)), nil,
-	}
-	return md, md.unify(p.mapping, indirect(rv))
-}
-
-// DecodeFile is just like Decode, except it will automatically read the
-// contents of the file at `fpath` and decode it for you.
-func DecodeFile(fpath string, v interface{}) (MetaData, error) {
-	bs, err := ioutil.ReadFile(fpath)
-	if err != nil {
-		return MetaData{}, err
-	}
-	return Decode(string(bs), v)
-}
-
-// DecodeReader is just like Decode, except it will consume all bytes
-// from the reader and decode it for you.
-func DecodeReader(r io.Reader, v interface{}) (MetaData, error) {
-	bs, err := ioutil.ReadAll(r)
-	if err != nil {
-		return MetaData{}, err
-	}
-	return Decode(string(bs), v)
-}
-
 // unify performs a sort of type unification based on the structure of `rv`,
 // which is the client representation.
 //
 // Any type mismatch produces an error. Finding a type that we don't know
 // how to handle produces an unsupported type error.
 func (md *MetaData) unify(data interface{}, rv reflect.Value) error {
-
 	// Special case. Look for a `Primitive` value.
-	if rv.Type() == reflect.TypeOf((*Primitive)(nil)).Elem() {
+	// TODO: #76 would make this superfluous after implemented.
+	if rv.Type() == primitiveType {
 		// Save the undecoded data and the key context into the primitive
 		// value.
 		context := make(Key, len(md.context))
@@ -163,36 +205,24 @@ func (md *MetaData) unify(data interface{}, rv reflect.Value) error {
 		return nil
 	}

-	// Special case. Unmarshaler Interface support.
-	if rv.CanAddr() {
-		if v, ok := rv.Addr().Interface().(Unmarshaler); ok {
-			return v.UnmarshalTOML(data)
-		}
+	rvi := rv.Interface()
+	if v, ok := rvi.(Unmarshaler); ok {
+		return v.UnmarshalTOML(data)
 	}
-
-	// Special case. Handle time.Time values specifically.
-	// TODO: Remove this code when we decide to drop support for Go 1.1.
-	// This isn't necessary in Go 1.2 because time.Time satisfies the encoding
-	// interfaces.
-	if rv.Type().AssignableTo(rvalue(time.Time{}).Type()) {
-		return md.unifyDatetime(data, rv)
-	}
-
-	// Special case. Look for a value satisfying the TextUnmarshaler interface.
-	if v, ok := rv.Interface().(TextUnmarshaler); ok {
+	if v, ok := rvi.(encoding.TextUnmarshaler); ok {
 		return md.unifyText(data, v)
 	}
-	// BUG(burntsushi)
+
+	// TODO:
 	// The behavior here is incorrect whenever a Go type satisfies the
-	// encoding.TextUnmarshaler interface but also corresponds to a TOML
-	// hash or array. In particular, the unmarshaler should only be applied
-	// to primitive TOML values. But at this point, it will be applied to
-	// all kinds of values and produce an incorrect error whenever those values
-	// are hashes or arrays (including arrays of tables).
+	// encoding.TextUnmarshaler interface but also corresponds to a TOML hash or
+	// array. In particular, the unmarshaler should only be applied to primitive
+	// TOML values. But at this point, it will be applied to all kinds of values
+	// and produce an incorrect error whenever those values are hashes or arrays
+	// (including arrays of tables).

 	k := rv.Kind()

-	// laziness
 	if k >= reflect.Int && k <= reflect.Uint64 {
 		return md.unifyInt(data, rv)
 	}
@@ -218,17 +248,14 @@ func (md *MetaData) unify(data interface{}, rv reflect.Value) error {
 	case reflect.Bool:
 		return md.unifyBool(data, rv)
 	case reflect.Interface:
-		// we only support empty interfaces.
-		if rv.NumMethod() > 0 {
-			return e("unsupported type %s", rv.Type())
+		if rv.NumMethod() > 0 { // Only support empty interfaces are supported.
+			return md.e("unsupported type %s", rv.Type())
 		}
 		return md.unifyAnything(data, rv)
-	case reflect.Float32:
-		fallthrough
-	case reflect.Float64:
+	case reflect.Float32, reflect.Float64:
 		return md.unifyFloat64(data, rv)
 	}
-	return e("unsupported type %s", rv.Kind())
+	return md.e("unsupported type %s", rv.Kind())
 }

 func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {
@@ -237,7 +264,7 @@ func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {
 		if mapping == nil {
 			return nil
 		}
-		return e("type mismatch for %s: expected table but found %T",
+		return md.e("type mismatch for %s: expected table but found %T",
 			rv.Type().String(), mapping)
 	}

@@ -259,17 +286,18 @@ func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {
 			for _, i := range f.index {
 				subv = indirect(subv.Field(i))
 			}
+
 			if isUnifiable(subv) {
-				md.decoded[md.context.add(key).String()] = true
+				md.decoded[md.context.add(key).String()] = struct{}{}
 				md.context = append(md.context, key)
-				if err := md.unify(datum, subv); err != nil {
+
+				err := md.unify(datum, subv)
+				if err != nil {
 					return err
 				}
 				md.context = md.context[0 : len(md.context)-1]
 			} else if f.name != "" {
-				// Bad user! No soup for you!
-				return e("cannot write unexported field %s.%s",
-					rv.Type().String(), f.name)
+				return md.e("cannot write unexported field %s.%s", rv.Type().String(), f.name)
 			}
 		}
 	}
@@ -277,28 +305,43 @@ func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {
 }

 func (md *MetaData) unifyMap(mapping interface{}, rv reflect.Value) error {
+	keyType := rv.Type().Key().Kind()
+	if keyType != reflect.String && keyType != reflect.Interface {
+		return fmt.Errorf("toml: cannot decode to a map with non-string key type (%s in %q)",
+			keyType, rv.Type())
+	}
+
 	tmap, ok := mapping.(map[string]interface{})
 	if !ok {
 		if tmap == nil {
 			return nil
 		}
-		return badtype("map", mapping)
+		return md.badtype("map", mapping)
 	}
 	if rv.IsNil() {
 		rv.Set(reflect.MakeMap(rv.Type()))
 	}
 	for k, v := range tmap {
-		md.decoded[md.context.add(k).String()] = true
+		md.decoded[md.context.add(k).String()] = struct{}{}
 		md.context = append(md.context, k)

-		rvkey := indirect(reflect.New(rv.Type().Key()))
 		rvval := reflect.Indirect(reflect.New(rv.Type().Elem()))
-		if err := md.unify(v, rvval); err != nil {
+
+		err := md.unify(v, indirect(rvval))
+		if err != nil {
 			return err
 		}
 		md.context = md.context[0 : len(md.context)-1]

-		rvkey.SetString(k)
+		rvkey := indirect(reflect.New(rv.Type().Key()))
+
+		switch keyType {
+		case reflect.Interface:
+			rvkey.Set(reflect.ValueOf(k))
+		case reflect.String:
+			rvkey.SetString(k)
+		}
+
 		rv.SetMapIndex(rvkey, rvval)
 	}
 	return nil
@@ -310,12 +353,10 @@ func (md *MetaData) unifyArray(data interface{}, rv reflect.Value) error {
 		if !datav.IsValid() {
 			return nil
 		}
-		return badtype("slice", data)
+		return md.badtype("slice", data)
 	}
-	sliceLen := datav.Len()
-	if sliceLen != rv.Len() {
-		return e("expected array length %d; got TOML array of length %d",
-			rv.Len(), sliceLen)
+	if l := datav.Len(); l != rv.Len() {
+		return md.e("expected array length %d; got TOML array of length %d", rv.Len(), l)
 	}
 	return md.unifySliceArray(datav, rv)
 }
@@ -326,7 +367,7 @@ func (md *MetaData) unifySlice(data interface{}, rv reflect.Value) error {
 		if !datav.IsValid() {
 			return nil
 		}
-		return badtype("slice", data)
+		return md.badtype("slice", data)
 	}
 	n := datav.Len()
 	if rv.IsNil() || rv.Cap() < n {
@@ -337,37 +378,45 @@ func (md *MetaData) unifySlice(data interface{}, rv reflect.Value) error {
 }

 func (md *MetaData) unifySliceArray(data, rv reflect.Value) error {
-	sliceLen := data.Len()
-	for i := 0; i < sliceLen; i++ {
-		v := data.Index(i).Interface()
-		sliceval := indirect(rv.Index(i))
-		if err := md.unify(v, sliceval); err != nil {
+	l := data.Len()
+	for i := 0; i < l; i++ {
+		err := md.unify(data.Index(i).Interface(), indirect(rv.Index(i)))
+		if err != nil {
 			return err
 		}
 	}
 	return nil
 }

-func (md *MetaData) unifyDatetime(data interface{}, rv reflect.Value) error {
-	if _, ok := data.(time.Time); ok {
-		rv.Set(reflect.ValueOf(data))
+func (md *MetaData) unifyString(data interface{}, rv reflect.Value) error {
+	_, ok := rv.Interface().(json.Number)
+	if ok {
+		if i, ok := data.(int64); ok {
+			rv.SetString(strconv.FormatInt(i, 10))
+		} else if f, ok := data.(float64); ok {
+			rv.SetString(strconv.FormatFloat(f, 'f', -1, 64))
+		} else {
+			return md.badtype("string", data)
+		}
 		return nil
 	}
-	return badtype("time.Time", data)
-}

-func (md *MetaData) unifyString(data interface{}, rv reflect.Value) error {
 	if s, ok := data.(string); ok {
 		rv.SetString(s)
 		return nil
 	}
-	return badtype("string", data)
+	return md.badtype("string", data)
 }

 func (md *MetaData) unifyFloat64(data interface{}, rv reflect.Value) error {
+	rvk := rv.Kind()
+
 	if num, ok := data.(float64); ok {
-		switch rv.Kind() {
+		switch rvk {
 		case reflect.Float32:
+			if num < -math.MaxFloat32 || num > math.MaxFloat32 {
+				return md.parseErr(errParseRange{i: num, size: rvk.String()})
+			}
 			fallthrough
 		case reflect.Float64:
 			rv.SetFloat(num)
@@ -376,54 +425,60 @@ func (md *MetaData) unifyFloat64(data interface{}, rv reflect.Value) error {
 		}
 		return nil
 	}
-	return badtype("float", data)
+
+	if num, ok := data.(int64); ok {
+		if (rvk == reflect.Float32 && (num < -maxSafeFloat32Int || num > maxSafeFloat32Int)) ||
+			(rvk == reflect.Float64 && (num < -maxSafeFloat64Int || num > maxSafeFloat64Int)) {
+			return md.parseErr(errParseRange{i: num, size: rvk.String()})
+		}
+		rv.SetFloat(float64(num))
+		return nil
+	}
+
+	return md.badtype("float", data)
 }

 func (md *MetaData) unifyInt(data interface{}, rv reflect.Value) error {
-	if num, ok := data.(int64); ok {
-		if rv.Kind() >= reflect.Int && rv.Kind() <= reflect.Int64 {
-			switch rv.Kind() {
-			case reflect.Int, reflect.Int64:
-				// No bounds checking necessary.
-			case reflect.Int8:
-				if num < math.MinInt8 || num > math.MaxInt8 {
-					return e("value %d is out of range for int8", num)
-				}
-			case reflect.Int16:
-				if num < math.MinInt16 || num > math.MaxInt16 {
-					return e("value %d is out of range for int16", num)
-				}
-			case reflect.Int32:
-				if num < math.MinInt32 || num > math.MaxInt32 {
-					return e("value %d is out of range for int32", num)
-				}
+	_, ok := rv.Interface().(time.Duration)
+	if ok {
+		// Parse as string duration, and fall back to regular integer parsing
+		// (as nanosecond) if this is not a string.
+		if s, ok := data.(string); ok {
+			dur, err := time.ParseDuration(s)
+			if err != nil {
+				return md.parseErr(errParseDuration{s})
 			}
-			rv.SetInt(num)
-		} else if rv.Kind() >= reflect.Uint && rv.Kind() <= reflect.Uint64 {
-			unum := uint64(num)
-			switch rv.Kind() {
-			case reflect.Uint, reflect.Uint64:
-				// No bounds checking necessary.
-			case reflect.Uint8:
-				if num < 0 || unum > math.MaxUint8 {
-					return e("value %d is out of range for uint8", num)
-				}
-			case reflect.Uint16:
-				if num < 0 || unum > math.MaxUint16 {
-					return e("value %d is out of range for uint16", num)
-				}
-			case reflect.Uint32:
-				if num < 0 || unum > math.MaxUint32 {
-					return e("value %d is out of range for uint32", num)
-				}
-			}
-			rv.SetUint(unum)
-		} else {
-			panic("unreachable")
+			rv.SetInt(int64(dur))
+			return nil
 		}
-		return nil
 	}
-	return badtype("integer", data)
+
+	num, ok := data.(int64)
+	if !ok {
+		return md.badtype("integer", data)
+	}
+
+	rvk := rv.Kind()
+	switch {
+	case rvk >= reflect.Int && rvk <= reflect.Int64:
+		if (rvk == reflect.Int8 && (num < math.MinInt8 || num > math.MaxInt8)) ||
+			(rvk == reflect.Int16 && (num < math.MinInt16 || num > math.MaxInt16)) ||
+			(rvk == reflect.Int32 && (num < math.MinInt32 || num > math.MaxInt32)) {
+			return md.parseErr(errParseRange{i: num, size: rvk.String()})
+		}
+		rv.SetInt(num)
+	case rvk >= reflect.Uint && rvk <= reflect.Uint64:
+		unum := uint64(num)
+		if rvk == reflect.Uint8 && (num < 0 || unum > math.MaxUint8) ||
+			rvk == reflect.Uint16 && (num < 0 || unum > math.MaxUint16) ||
+			rvk == reflect.Uint32 && (num < 0 || unum > math.MaxUint32) {
+			return md.parseErr(errParseRange{i: num, size: rvk.String()})
+		}
+		rv.SetUint(unum)
+	default:
+		panic("unreachable")
+	}
+	return nil
 }

 func (md *MetaData) unifyBool(data interface{}, rv reflect.Value) error {
@@ -431,7 +486,7 @@ func (md *MetaData) unifyBool(data interface{}, rv reflect.Value) error {
 		rv.SetBool(b)
 		return nil
 	}
-	return badtype("boolean", data)
+	return md.badtype("boolean", data)
 }

 func (md *MetaData) unifyAnything(data interface{}, rv reflect.Value) error {
@@ -439,10 +494,16 @@ func (md *MetaData) unifyAnything(data interface{}, rv reflect.Value) error {
 	return nil
 }

-func (md *MetaData) unifyText(data interface{}, v TextUnmarshaler) error {
+func (md *MetaData) unifyText(data interface{}, v encoding.TextUnmarshaler) error {
 	var s string
 	switch sdata := data.(type) {
-	case TextMarshaler:
+	case Marshaler:
+		text, err := sdata.MarshalTOML()
+		if err != nil {
+			return err
+		}
+		s = string(text)
+	case encoding.TextMarshaler:
 		text, err := sdata.MarshalText()
 		if err != nil {
 			return err
@@ -459,7 +520,7 @@ func (md *MetaData) unifyText(data interface{}, v TextUnmarshaler) error {
 	case float64:
 		s = fmt.Sprintf("%f", sdata)
 	default:
-		return badtype("primitive (string-like)", data)
+		return md.badtype("primitive (string-like)", data)
 	}
 	if err := v.UnmarshalText([]byte(s)); err != nil {
 		return err
@@ -467,22 +528,54 @@ func (md *MetaData) unifyText(data interface{}, v TextUnmarshaler) error {
 	return nil
 }

+func (md *MetaData) badtype(dst string, data interface{}) error {
+	return md.e("incompatible types: TOML value has type %T; destination has type %s", data, dst)
+}
+
+func (md *MetaData) parseErr(err error) error {
+	k := md.context.String()
+	return ParseError{
+		LastKey:  k,
+		Position: md.keyInfo[k].pos,
+		Line:     md.keyInfo[k].pos.Line,
+		err:      err,
+		input:    string(md.data),
+	}
+}
+
+func (md *MetaData) e(format string, args ...interface{}) error {
+	f := "toml: "
+	if len(md.context) > 0 {
+		f = fmt.Sprintf("toml: (last key %q): ", md.context)
+		p := md.keyInfo[md.context.String()].pos
+		if p.Line > 0 {
+			f = fmt.Sprintf("toml: line %d (last key %q): ", p.Line, md.context)
+		}
+	}
+	return fmt.Errorf(f+format, args...)
+}
+
 // rvalue returns a reflect.Value of `v`. All pointers are resolved.
 func rvalue(v interface{}) reflect.Value {
 	return indirect(reflect.ValueOf(v))
 }

 // indirect returns the value pointed to by a pointer.
-// Pointers are followed until the value is not a pointer.
-// New values are allocated for each nil pointer.
 //
-// An exception to this rule is if the value satisfies an interface of
-// interest to us (like encoding.TextUnmarshaler).
+// Pointers are followed until the value is not a pointer. New values are
+// allocated for each nil pointer.
+//
+// An exception to this rule is if the value satisfies an interface of interest
+// to us (like encoding.TextUnmarshaler).
 func indirect(v reflect.Value) reflect.Value {
 	if v.Kind() != reflect.Ptr {
 		if v.CanSet() {
 			pv := v.Addr()
-			if _, ok := pv.Interface().(TextUnmarshaler); ok {
+			pvi := pv.Interface()
+			if _, ok := pvi.(encoding.TextUnmarshaler); ok {
+				return pv
+			}
+			if _, ok := pvi.(Unmarshaler); ok {
 				return pv
 			}
 		}
@@ -498,12 +591,12 @@ func isUnifiable(rv reflect.Value) bool {
 	if rv.CanSet() {
 		return true
 	}
-	if _, ok := rv.Interface().(TextUnmarshaler); ok {
+	rvi := rv.Interface()
+	if _, ok := rvi.(encoding.TextUnmarshaler); ok {
+		return true
+	}
+	if _, ok := rvi.(Unmarshaler); ok {
 		return true
 	}
 	return false
 }
-
-func badtype(expected string, data interface{}) error {
-	return e("cannot load TOML value of type %T into a Go %s", data, expected)
-}
--- a/vendor/github.com/BurntSushi/toml/decode_go116.go
+++ b/vendor/github.com/BurntSushi/toml/decode_go116.go
@@ -0,0 +1,19 @@
+//go:build go1.16
+// +build go1.16
+
+package toml
+
+import (
+	"io/fs"
+)
+
+// DecodeFS is just like Decode, except it will automatically read the contents
+// of the file at `path` from a fs.FS instance.
+func DecodeFS(fsys fs.FS, path string, v interface{}) (MetaData, error) {
+	fp, err := fsys.Open(path)
+	if err != nil {
+		return MetaData{}, err
+	}
+	defer fp.Close()
+	return NewDecoder(fp).Decode(v)
+}
--- a/vendor/github.com/BurntSushi/toml/deprecated.go
+++ b/vendor/github.com/BurntSushi/toml/deprecated.go
@@ -0,0 +1,21 @@
+package toml
+
+import (
+	"encoding"
+	"io"
+)
+
+// Deprecated: use encoding.TextMarshaler
+type TextMarshaler encoding.TextMarshaler
+
+// Deprecated: use encoding.TextUnmarshaler
+type TextUnmarshaler encoding.TextUnmarshaler
+
+// Deprecated: use MetaData.PrimitiveDecode.
+func PrimitiveDecode(primValue Primitive, v interface{}) error {
+	md := MetaData{decoded: make(map[string]struct{})}
+	return md.unify(primValue.undecoded, rvalue(v))
+}
+
+// Deprecated: use NewDecoder(reader).Decode(&value).
+func DecodeReader(r io.Reader, v interface{}) (MetaData, error) { return NewDecoder(r).Decode(v) }
--- a/vendor/github.com/BurntSushi/toml/doc.go
+++ b/vendor/github.com/BurntSushi/toml/doc.go
@@ -1,27 +1,13 @@
 /*
-Package toml provides facilities for decoding and encoding TOML configuration
-files via reflection. There is also support for delaying decoding with
-the Primitive type, and querying the set of keys in a TOML document with the
-MetaData type.
+Package toml implements decoding and encoding of TOML files.

-The specification implemented: https://github.com/toml-lang/toml
+This package supports TOML v1.0.0, as listed on https://toml.io

-The sub-command github.com/BurntSushi/toml/cmd/tomlv can be used to verify
-whether a file is a valid TOML document. It can also be used to print the
-type of each key in a TOML document.
+There is also support for delaying decoding with the Primitive type, and
+querying the set of keys in a TOML document with the MetaData type.

-Testing
-
-There are two important types of tests used for this package. The first is
-contained inside '*_test.go' files and uses the standard Go unit testing
-framework. These tests are primarily devoted to holistically testing the
-decoder and encoder.
-
-The second type of testing is used to verify the implementation's adherence
-to the TOML specification. These tests have been factored into their own
-project: https://github.com/BurntSushi/toml-test
-
-The reason the tests are in a separate project is so that they can be used by
-any implementation of TOML. Namely, it is language agnostic.
+The github.com/BurntSushi/toml/cmd/tomlv package implements a TOML validator,
+and can be used to verify if TOML document is valid. It can also be used to
+print the type of each key.
 */
 package toml
--- a/vendor/github.com/BurntSushi/toml/encode.go
+++ b/vendor/github.com/BurntSushi/toml/encode.go
@@ -2,57 +2,127 @@ package toml

 import (
 	"bufio"
+	"encoding"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"reflect"
 	"sort"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/BurntSushi/toml/internal"
 )

 type tomlEncodeError struct{ error }

 var (
-	errArrayMixedElementTypes = errors.New(
-		"toml: cannot encode array with mixed element types")
-	errArrayNilElement = errors.New(
-		"toml: cannot encode array with nil element")
-	errNonString = errors.New(
-		"toml: cannot encode a map with non-string key type")
-	errAnonNonStruct = errors.New(
-		"toml: cannot encode an anonymous field that is not a struct")
-	errArrayNoTable = errors.New(
-		"toml: TOML array element cannot contain a table")
-	errNoKey = errors.New(
-		"toml: top-level values must be Go maps or structs")
-	errAnything = errors.New("") // used in testing
+	errArrayNilElement = errors.New("toml: cannot encode array with nil element")
+	errNonString       = errors.New("toml: cannot encode a map with non-string key type")
+	errNoKey           = errors.New("toml: top-level values must be Go maps or structs")
+	errAnything        = errors.New("") // used in testing
 )

-var quotedReplacer = strings.NewReplacer(
-	"\t", "\\t",
-	"\n", "\\n",
-	"\r", "\\r",
+var dblQuotedReplacer = strings.NewReplacer(
 	"\"", "\\\"",
 	"\\", "\\\\",
+	"\x00", `\u0000`,
+	"\x01", `\u0001`,
+	"\x02", `\u0002`,
+	"\x03", `\u0003`,
+	"\x04", `\u0004`,
+	"\x05", `\u0005`,
+	"\x06", `\u0006`,
+	"\x07", `\u0007`,
+	"\b", `\b`,
+	"\t", `\t`,
+	"\n", `\n`,
+	"\x0b", `\u000b`,
+	"\f", `\f`,
+	"\r", `\r`,
+	"\x0e", `\u000e`,
+	"\x0f", `\u000f`,
+	"\x10", `\u0010`,
+	"\x11", `\u0011`,
+	"\x12", `\u0012`,
+	"\x13", `\u0013`,
+	"\x14", `\u0014`,
+	"\x15", `\u0015`,
+	"\x16", `\u0016`,
+	"\x17", `\u0017`,
+	"\x18", `\u0018`,
+	"\x19", `\u0019`,
+	"\x1a", `\u001a`,
+	"\x1b", `\u001b`,
+	"\x1c", `\u001c`,
+	"\x1d", `\u001d`,
+	"\x1e", `\u001e`,
+	"\x1f", `\u001f`,
+	"\x7f", `\u007f`,
 )

-// Encoder controls the encoding of Go values to a TOML document to some
-// io.Writer.
-//
-// The indentation level can be controlled with the Indent field.
-type Encoder struct {
-	// A single indentation level. By default it is two spaces.
-	Indent string
+var (
+	marshalToml = reflect.TypeOf((*Marshaler)(nil)).Elem()
+	marshalText = reflect.TypeOf((*encoding.TextMarshaler)(nil)).Elem()
+	timeType    = reflect.TypeOf((*time.Time)(nil)).Elem()
+)

-	// hasWritten is whether we have written any output to w yet.
-	hasWritten bool
-	w          *bufio.Writer
+// Marshaler is the interface implemented by types that can marshal themselves
+// into valid TOML.
+type Marshaler interface {
+	MarshalTOML() ([]byte, error)
 }

-// NewEncoder returns a TOML encoder that encodes Go values to the io.Writer
-// given. By default, a single indentation level is 2 spaces.
+// Encoder encodes a Go to a TOML document.
+//
+// The mapping between Go values and TOML values should be precisely the same as
+// for the Decode* functions.
+//
+// time.Time is encoded as a RFC 3339 string, and time.Duration as its string
+// representation.
+//
+// The toml.Marshaler and encoder.TextMarshaler interfaces are supported to
+// encoding the value as custom TOML.
+//
+// If you want to write arbitrary binary data then you will need to use
+// something like base64 since TOML does not have any binary types.
+//
+// When encoding TOML hashes (Go maps or structs), keys without any sub-hashes
+// are encoded first.
+//
+// Go maps will be sorted alphabetically by key for deterministic output.
+//
+// The toml struct tag can be used to provide the key name; if omitted the
+// struct field name will be used. If the "omitempty" option is present the
+// following value will be skipped:
+//
+//   - arrays, slices, maps, and string with len of 0
+//   - struct with all zero values
+//   - bool false
+//
+// If omitzero is given all int and float types with a value of 0 will be
+// skipped.
+//
+// Encoding Go values without a corresponding TOML representation will return an
+// error. Examples of this includes maps with non-string keys, slices with nil
+// elements, embedded non-struct types, and nested slices containing maps or
+// structs. (e.g. [][]map[string]string is not allowed but []map[string]string
+// is okay, as is []map[string][]string).
+//
+// NOTE: only exported keys are encoded due to the use of reflection. Unexported
+// keys are silently discarded.
+type Encoder struct {
+	// String to use for a single indentation level; default is two spaces.
+	Indent string
+
+	w          *bufio.Writer
+	hasWritten bool // written any output to w yet?
+}
+
+// NewEncoder create a new Encoder.
 func NewEncoder(w io.Writer) *Encoder {
 	return &Encoder{
 		w:      bufio.NewWriter(w),
@@ -60,29 +130,10 @@ func NewEncoder(w io.Writer) *Encoder {
 	}
 }

-// Encode writes a TOML representation of the Go value to the underlying
-// io.Writer. If the value given cannot be encoded to a valid TOML document,
-// then an error is returned.
+// Encode writes a TOML representation of the Go value to the Encoder's writer.
 //
-// The mapping between Go values and TOML values should be precisely the same
-// as for the Decode* functions. Similarly, the TextMarshaler interface is
-// supported by encoding the resulting bytes as strings. (If you want to write
-// arbitrary binary data then you will need to use something like base64 since
-// TOML does not have any binary types.)
-//
-// When encoding TOML hashes (i.e., Go maps or structs), keys without any
-// sub-hashes are encoded first.
-//
-// If a Go map is encoded, then its keys are sorted alphabetically for
-// deterministic output. More control over this behavior may be provided if
-// there is demand for it.
-//
-// Encoding Go values without a corresponding TOML representation---like map
-// types with non-string keys---will cause an error to be returned. Similarly
-// for mixed arrays/slices, arrays/slices with nil elements, embedded
-// non-struct types and nested slices containing maps or structs.
-// (e.g., [][]map[string]string is not allowed but []map[string]string is OK
-// and so is []map[string][]string.)
+// An error is returned if the value given cannot be encoded to a valid TOML
+// document.
 func (enc *Encoder) Encode(v interface{}) error {
 	rv := eindirect(reflect.ValueOf(v))
 	if err := enc.safeEncode(Key([]string{}), rv); err != nil {
@@ -106,13 +157,15 @@ func (enc *Encoder) safeEncode(key Key, rv reflect.Value) (err error) {
 }

 func (enc *Encoder) encode(key Key, rv reflect.Value) {
-	// Special case. Time needs to be in ISO8601 format.
-	// Special case. If we can marshal the type to text, then we used that.
-	// Basically, this prevents the encoder for handling these types as
-	// generic structs (or whatever the underlying type of a TextMarshaler is).
-	switch rv.Interface().(type) {
-	case time.Time, TextMarshaler:
-		enc.keyEqElement(key, rv)
+	// If we can marshal the type to text, then we use that. This prevents the
+	// encoder for handling these types as generic structs (or whatever the
+	// underlying type of a TextMarshaler is).
+	switch {
+	case isMarshaler(rv):
+		enc.writeKeyValue(key, rv, false)
+		return
+	case rv.Type() == primitiveType: // TODO: #76 would make this superfluous after implemented.
+		enc.encode(key, reflect.ValueOf(rv.Interface().(Primitive).undecoded))
 		return
 	}

@@ -123,12 +176,12 @@ func (enc *Encoder) encode(key Key, rv reflect.Value) {
 		reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32,
 		reflect.Uint64,
 		reflect.Float32, reflect.Float64, reflect.String, reflect.Bool:
-		enc.keyEqElement(key, rv)
+		enc.writeKeyValue(key, rv, false)
 	case reflect.Array, reflect.Slice:
 		if typeEqual(tomlArrayHash, tomlTypeOfGo(rv)) {
 			enc.eArrayOfTables(key, rv)
 		} else {
-			enc.keyEqElement(key, rv)
+			enc.writeKeyValue(key, rv, false)
 		}
 	case reflect.Interface:
 		if rv.IsNil() {
@@ -148,55 +201,114 @@ func (enc *Encoder) encode(key Key, rv reflect.Value) {
 	case reflect.Struct:
 		enc.eTable(key, rv)
 	default:
-		panic(e("unsupported type for key '%s': %s", key, k))
+		encPanic(fmt.Errorf("unsupported type for key '%s': %s", key, k))
 	}
 }

-// eElement encodes any value that can be an array element (primitives and
-// arrays).
+// eElement encodes any value that can be an array element.
 func (enc *Encoder) eElement(rv reflect.Value) {
 	switch v := rv.Interface().(type) {
-	case time.Time:
-		// Special case time.Time as a primitive. Has to come before
-		// TextMarshaler below because time.Time implements
-		// encoding.TextMarshaler, but we need to always use UTC.
-		enc.wf(v.UTC().Format("2006-01-02T15:04:05Z"))
-		return
-	case TextMarshaler:
-		// Special case. Use text marshaler if it's available for this value.
-		if s, err := v.MarshalText(); err != nil {
-			encPanic(err)
-		} else {
-			enc.writeQuoted(string(s))
+	case time.Time: // Using TextMarshaler adds extra quotes, which we don't want.
+		format := time.RFC3339Nano
+		switch v.Location() {
+		case internal.LocalDatetime:
+			format = "2006-01-02T15:04:05.999999999"
+		case internal.LocalDate:
+			format = "2006-01-02"
+		case internal.LocalTime:
+			format = "15:04:05.999999999"
+		}
+		switch v.Location() {
+		default:
+			enc.wf(v.Format(format))
+		case internal.LocalDatetime, internal.LocalDate, internal.LocalTime:
+			enc.wf(v.In(time.UTC).Format(format))
 		}
 		return
+	case Marshaler:
+		s, err := v.MarshalTOML()
+		if err != nil {
+			encPanic(err)
+		}
+		if s == nil {
+			encPanic(errors.New("MarshalTOML returned nil and no error"))
+		}
+		enc.w.Write(s)
+		return
+	case encoding.TextMarshaler:
+		s, err := v.MarshalText()
+		if err != nil {
+			encPanic(err)
+		}
+		if s == nil {
+			encPanic(errors.New("MarshalText returned nil and no error"))
+		}
+		enc.writeQuoted(string(s))
+		return
+	case time.Duration:
+		enc.writeQuoted(v.String())
+		return
+	case json.Number:
+		n, _ := rv.Interface().(json.Number)
+
+		if n == "" { /// Useful zero value.
+			enc.w.WriteByte('0')
+			return
+		} else if v, err := n.Int64(); err == nil {
+			enc.eElement(reflect.ValueOf(v))
+			return
+		} else if v, err := n.Float64(); err == nil {
+			enc.eElement(reflect.ValueOf(v))
+			return
+		}
+		encPanic(errors.New(fmt.Sprintf("Unable to convert \"%s\" to neither int64 nor float64", n)))
 	}
+
 	switch rv.Kind() {
-	case reflect.Bool:
-		enc.wf(strconv.FormatBool(rv.Bool()))
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32,
-		reflect.Int64:
-		enc.wf(strconv.FormatInt(rv.Int(), 10))
-	case reflect.Uint, reflect.Uint8, reflect.Uint16,
-		reflect.Uint32, reflect.Uint64:
-		enc.wf(strconv.FormatUint(rv.Uint(), 10))
-	case reflect.Float32:
-		enc.wf(floatAddDecimal(strconv.FormatFloat(rv.Float(), 'f', -1, 32)))
-	case reflect.Float64:
-		enc.wf(floatAddDecimal(strconv.FormatFloat(rv.Float(), 'f', -1, 64)))
-	case reflect.Array, reflect.Slice:
-		enc.eArrayOrSliceElement(rv)
-	case reflect.Interface:
+	case reflect.Ptr:
 		enc.eElement(rv.Elem())
+		return
 	case reflect.String:
 		enc.writeQuoted(rv.String())
+	case reflect.Bool:
+		enc.wf(strconv.FormatBool(rv.Bool()))
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		enc.wf(strconv.FormatInt(rv.Int(), 10))
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		enc.wf(strconv.FormatUint(rv.Uint(), 10))
+	case reflect.Float32:
+		f := rv.Float()
+		if math.IsNaN(f) {
+			enc.wf("nan")
+		} else if math.IsInf(f, 0) {
+			enc.wf("%cinf", map[bool]byte{true: '-', false: '+'}[math.Signbit(f)])
+		} else {
+			enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 32)))
+		}
+	case reflect.Float64:
+		f := rv.Float()
+		if math.IsNaN(f) {
+			enc.wf("nan")
+		} else if math.IsInf(f, 0) {
+			enc.wf("%cinf", map[bool]byte{true: '-', false: '+'}[math.Signbit(f)])
+		} else {
+			enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 64)))
+		}
+	case reflect.Array, reflect.Slice:
+		enc.eArrayOrSliceElement(rv)
+	case reflect.Struct:
+		enc.eStruct(nil, rv, true)
+	case reflect.Map:
+		enc.eMap(nil, rv, true)
+	case reflect.Interface:
+		enc.eElement(rv.Elem())
 	default:
-		panic(e("unexpected primitive type: %s", rv.Kind()))
+		encPanic(fmt.Errorf("unexpected type: %T", rv.Interface()))
 	}
 }

-// By the TOML spec, all floats must have a decimal with at least one
-// number on either side.
+// By the TOML spec, all floats must have a decimal with at least one number on
+// either side.
 func floatAddDecimal(fstr string) string {
 	if !strings.Contains(fstr, ".") {
 		return fstr + ".0"
@@ -205,14 +317,14 @@ func floatAddDecimal(fstr string) string {
 }

 func (enc *Encoder) writeQuoted(s string) {
-	enc.wf("\"%s\"", quotedReplacer.Replace(s))
+	enc.wf("\"%s\"", dblQuotedReplacer.Replace(s))
 }

 func (enc *Encoder) eArrayOrSliceElement(rv reflect.Value) {
 	length := rv.Len()
 	enc.wf("[")
 	for i := 0; i < length; i++ {
-		elem := rv.Index(i)
+		elem := eindirect(rv.Index(i))
 		enc.eElement(elem)
 		if i != length-1 {
 			enc.wf(", ")
@@ -226,44 +338,43 @@ func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) {
 		encPanic(errNoKey)
 	}
 	for i := 0; i < rv.Len(); i++ {
-		trv := rv.Index(i)
+		trv := eindirect(rv.Index(i))
 		if isNil(trv) {
 			continue
 		}
-		panicIfInvalidKey(key)
 		enc.newline()
-		enc.wf("%s[[%s]]", enc.indentStr(key), key.maybeQuotedAll())
+		enc.wf("%s[[%s]]", enc.indentStr(key), key)
 		enc.newline()
-		enc.eMapOrStruct(key, trv)
+		enc.eMapOrStruct(key, trv, false)
 	}
 }

 func (enc *Encoder) eTable(key Key, rv reflect.Value) {
-	panicIfInvalidKey(key)
 	if len(key) == 1 {
 		// Output an extra newline between top-level tables.
 		// (The newline isn't written if nothing else has been written though.)
 		enc.newline()
 	}
 	if len(key) > 0 {
-		enc.wf("%s[%s]", enc.indentStr(key), key.maybeQuotedAll())
+		enc.wf("%s[%s]", enc.indentStr(key), key)
 		enc.newline()
 	}
-	enc.eMapOrStruct(key, rv)
+	enc.eMapOrStruct(key, rv, false)
 }

-func (enc *Encoder) eMapOrStruct(key Key, rv reflect.Value) {
-	switch rv := eindirect(rv); rv.Kind() {
+func (enc *Encoder) eMapOrStruct(key Key, rv reflect.Value, inline bool) {
+	switch rv.Kind() {
 	case reflect.Map:
-		enc.eMap(key, rv)
+		enc.eMap(key, rv, inline)
 	case reflect.Struct:
-		enc.eStruct(key, rv)
+		enc.eStruct(key, rv, inline)
 	default:
+		// Should never happen?
 		panic("eTable: unhandled reflect.Value Kind: " + rv.Kind().String())
 	}
 }

-func (enc *Encoder) eMap(key Key, rv reflect.Value) {
+func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
 	rt := rv.Type()
 	if rt.Key().Kind() != reflect.String {
 		encPanic(errNonString)
@@ -274,118 +385,179 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value) {
 	var mapKeysDirect, mapKeysSub []string
 	for _, mapKey := range rv.MapKeys() {
 		k := mapKey.String()
-		if typeIsHash(tomlTypeOfGo(rv.MapIndex(mapKey))) {
+		if typeIsTable(tomlTypeOfGo(eindirect(rv.MapIndex(mapKey)))) {
 			mapKeysSub = append(mapKeysSub, k)
 		} else {
 			mapKeysDirect = append(mapKeysDirect, k)
 		}
 	}

-	var writeMapKeys = func(mapKeys []string) {
+	var writeMapKeys = func(mapKeys []string, trailC bool) {
 		sort.Strings(mapKeys)
-		for _, mapKey := range mapKeys {
-			mrv := rv.MapIndex(reflect.ValueOf(mapKey))
-			if isNil(mrv) {
-				// Don't write anything for nil fields.
+		for i, mapKey := range mapKeys {
+			val := eindirect(rv.MapIndex(reflect.ValueOf(mapKey)))
+			if isNil(val) {
 				continue
 			}
-			enc.encode(key.add(mapKey), mrv)
+
+			if inline {
+				enc.writeKeyValue(Key{mapKey}, val, true)
+				if trailC || i != len(mapKeys)-1 {
+					enc.wf(", ")
+				}
+			} else {
+				enc.encode(key.add(mapKey), val)
+			}
 		}
 	}
-	writeMapKeys(mapKeysDirect)
-	writeMapKeys(mapKeysSub)
+
+	if inline {
+		enc.wf("{")
+	}
+	writeMapKeys(mapKeysDirect, len(mapKeysSub) > 0)
+	writeMapKeys(mapKeysSub, false)
+	if inline {
+		enc.wf("}")
+	}
 }

-func (enc *Encoder) eStruct(key Key, rv reflect.Value) {
+const is32Bit = (32 << (^uint(0) >> 63)) == 32
+
+func pointerTo(t reflect.Type) reflect.Type {
+	if t.Kind() == reflect.Ptr {
+		return pointerTo(t.Elem())
+	}
+	return t
+}
+
+func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 	// Write keys for fields directly under this key first, because if we write
-	// a field that creates a new table, then all keys under it will be in that
+	// a field that creates a new table then all keys under it will be in that
 	// table (not the one we're writing here).
-	rt := rv.Type()
-	var fieldsDirect, fieldsSub [][]int
-	var addFields func(rt reflect.Type, rv reflect.Value, start []int)
+	//
+	// Fields is a [][]int: for fieldsDirect this always has one entry (the
+	// struct index). For fieldsSub it contains two entries: the parent field
+	// index from tv, and the field indexes for the fields of the sub.
+	var (
+		rt                      = rv.Type()
+		fieldsDirect, fieldsSub [][]int
+		addFields               func(rt reflect.Type, rv reflect.Value, start []int)
+	)
 	addFields = func(rt reflect.Type, rv reflect.Value, start []int) {
 		for i := 0; i < rt.NumField(); i++ {
 			f := rt.Field(i)
-			// skip unexported fields
-			if f.PkgPath != "" && !f.Anonymous {
+			isEmbed := f.Anonymous && pointerTo(f.Type).Kind() == reflect.Struct
+			if f.PkgPath != "" && !isEmbed { /// Skip unexported fields.
 				continue
 			}
-			frv := rv.Field(i)
-			if f.Anonymous {
-				t := f.Type
-				switch t.Kind() {
-				case reflect.Struct:
-					// Treat anonymous struct fields with
-					// tag names as though they are not
-					// anonymous, like encoding/json does.
-					if getOptions(f.Tag).name == "" {
-						addFields(t, frv, f.Index)
-						continue
-					}
-				case reflect.Ptr:
-					if t.Elem().Kind() == reflect.Struct &&
-						getOptions(f.Tag).name == "" {
-						if !frv.IsNil() {
-							addFields(t.Elem(), frv.Elem(), f.Index)
-						}
-						continue
-					}
-					// Fall through to the normal field encoding logic below
-					// for non-struct anonymous fields.
+			opts := getOptions(f.Tag)
+			if opts.skip {
+				continue
+			}
+
+			frv := eindirect(rv.Field(i))
+
+			// Treat anonymous struct fields with tag names as though they are
+			// not anonymous, like encoding/json does.
+			//
+			// Non-struct anonymous fields use the normal encoding logic.
+			if isEmbed {
+				if getOptions(f.Tag).name == "" && frv.Kind() == reflect.Struct {
+					addFields(frv.Type(), frv, append(start, f.Index...))
+					continue
 				}
 			}

-			if typeIsHash(tomlTypeOfGo(frv)) {
+			if typeIsTable(tomlTypeOfGo(frv)) {
 				fieldsSub = append(fieldsSub, append(start, f.Index...))
 			} else {
-				fieldsDirect = append(fieldsDirect, append(start, f.Index...))
+				// Copy so it works correct on 32bit archs; not clear why this
+				// is needed. See #314, and https://www.reddit.com/r/golang/comments/pnx8v4
+				// This also works fine on 64bit, but 32bit archs are somewhat
+				// rare and this is a wee bit faster.
+				if is32Bit {
+					copyStart := make([]int, len(start))
+					copy(copyStart, start)
+					fieldsDirect = append(fieldsDirect, append(copyStart, f.Index...))
+				} else {
+					fieldsDirect = append(fieldsDirect, append(start, f.Index...))
+				}
 			}
 		}
 	}
 	addFields(rt, rv, nil)

-	var writeFields = func(fields [][]int) {
+	writeFields := func(fields [][]int) {
 		for _, fieldIndex := range fields {
-			sft := rt.FieldByIndex(fieldIndex)
-			sf := rv.FieldByIndex(fieldIndex)
-			if isNil(sf) {
-				// Don't write anything for nil fields.
+			fieldType := rt.FieldByIndex(fieldIndex)
+			fieldVal := eindirect(rv.FieldByIndex(fieldIndex))
+
+			if isNil(fieldVal) { /// Don't write anything for nil fields.
 				continue
 			}

-			opts := getOptions(sft.Tag)
+			opts := getOptions(fieldType.Tag)
 			if opts.skip {
 				continue
 			}
-			keyName := sft.Name
+			keyName := fieldType.Name
 			if opts.name != "" {
 				keyName = opts.name
 			}
-			if opts.omitempty && isEmpty(sf) {
+			if opts.omitempty && isEmpty(fieldVal) {
 				continue
 			}
-			if opts.omitzero && isZero(sf) {
+			if opts.omitzero && isZero(fieldVal) {
 				continue
 			}

-			enc.encode(key.add(keyName), sf)
+			if inline {
+				enc.writeKeyValue(Key{keyName}, fieldVal, true)
+				if fieldIndex[0] != len(fields)-1 {
+					enc.wf(", ")
+				}
+			} else {
+				enc.encode(key.add(keyName), fieldVal)
+			}
 		}
 	}
+
+	if inline {
+		enc.wf("{")
+	}
 	writeFields(fieldsDirect)
 	writeFields(fieldsSub)
+	if inline {
+		enc.wf("}")
+	}
 }

-// tomlTypeName returns the TOML type name of the Go value's type. It is
-// used to determine whether the types of array elements are mixed (which is
-// forbidden). If the Go value is nil, then it is illegal for it to be an array
-// element, and valueIsNil is returned as true.
-
-// Returns the TOML type of a Go value. The type may be `nil`, which means
-// no concrete TOML type could be found.
+// tomlTypeOfGo returns the TOML type name of the Go value's type.
+//
+// It is used to determine whether the types of array elements are mixed (which
+// is forbidden). If the Go value is nil, then it is illegal for it to be an
+// array element, and valueIsNil is returned as true.
+//
+// The type may be `nil`, which means no concrete TOML type could be found.
 func tomlTypeOfGo(rv reflect.Value) tomlType {
 	if isNil(rv) || !rv.IsValid() {
 		return nil
 	}
+
+	if rv.Kind() == reflect.Struct {
+		if rv.Type() == timeType {
+			return tomlDatetime
+		}
+		if isMarshaler(rv) {
+			return tomlString
+		}
+		return tomlHash
+	}
+
+	if isMarshaler(rv) {
+		return tomlString
+	}
+
 	switch rv.Kind() {
 	case reflect.Bool:
 		return tomlBool
@@ -397,7 +569,7 @@ func tomlTypeOfGo(rv reflect.Value) tomlType {
 	case reflect.Float32, reflect.Float64:
 		return tomlFloat
 	case reflect.Array, reflect.Slice:
-		if typeEqual(tomlHash, tomlArrayType(rv)) {
+		if isTableArray(rv) {
 			return tomlArrayHash
 		}
 		return tomlArray
@@ -407,54 +579,35 @@ func tomlTypeOfGo(rv reflect.Value) tomlType {
 		return tomlString
 	case reflect.Map:
 		return tomlHash
-	case reflect.Struct:
-		switch rv.Interface().(type) {
-		case time.Time:
-			return tomlDatetime
-		case TextMarshaler:
-			return tomlString
-		default:
-			return tomlHash
-		}
 	default:
-		panic("unexpected reflect.Kind: " + rv.Kind().String())
+		encPanic(errors.New("unsupported type: " + rv.Kind().String()))
+		panic("unreachable")
 	}
 }

-// tomlArrayType returns the element type of a TOML array. The type returned
-// may be nil if it cannot be determined (e.g., a nil slice or a zero length
-// slize). This function may also panic if it finds a type that cannot be
-// expressed in TOML (such as nil elements, heterogeneous arrays or directly
-// nested arrays of tables).
-func tomlArrayType(rv reflect.Value) tomlType {
-	if isNil(rv) || !rv.IsValid() || rv.Len() == 0 {
-		return nil
-	}
-	firstType := tomlTypeOfGo(rv.Index(0))
-	if firstType == nil {
-		encPanic(errArrayNilElement)
+func isMarshaler(rv reflect.Value) bool {
+	return rv.Type().Implements(marshalText) || rv.Type().Implements(marshalToml)
+}
+
+// isTableArray reports if all entries in the array or slice are a table.
+func isTableArray(arr reflect.Value) bool {
+	if isNil(arr) || !arr.IsValid() || arr.Len() == 0 {
+		return false
 	}

-	rvlen := rv.Len()
-	for i := 1; i < rvlen; i++ {
-		elem := rv.Index(i)
-		switch elemType := tomlTypeOfGo(elem); {
-		case elemType == nil:
+	ret := true
+	for i := 0; i < arr.Len(); i++ {
+		tt := tomlTypeOfGo(eindirect(arr.Index(i)))
+		// Don't allow nil.
+		if tt == nil {
 			encPanic(errArrayNilElement)
-		case !typeEqual(firstType, elemType):
-			encPanic(errArrayMixedElementTypes)
+		}
+
+		if ret && !typeEqual(tomlHash, tt) {
+			ret = false
 		}
 	}
-	// If we have a nested array, then we must make sure that the nested
-	// array contains ONLY primitives.
-	// This checks arbitrarily nested arrays.
-	if typeEqual(firstType, tomlArray) || typeEqual(firstType, tomlArrayHash) {
-		nest := tomlArrayType(eindirect(rv.Index(0)))
-		if typeEqual(nest, tomlHash) || typeEqual(nest, tomlArrayHash) {
-			encPanic(errArrayNoTable)
-		}
-	}
-	return firstType
+	return ret
 }

 type tagOptions struct {
@@ -499,6 +652,8 @@ func isEmpty(rv reflect.Value) bool {
 	switch rv.Kind() {
 	case reflect.Array, reflect.Slice, reflect.Map, reflect.String:
 		return rv.Len() == 0
+	case reflect.Struct:
+		return reflect.Zero(rv.Type()).Interface() == rv.Interface()
 	case reflect.Bool:
 		return !rv.Bool()
 	}
@@ -511,18 +666,32 @@ func (enc *Encoder) newline() {
 	}
 }

-func (enc *Encoder) keyEqElement(key Key, val reflect.Value) {
+// Write a key/value pair:
+//
+//   key = <any value>
+//
+// This is also used for "k = v" in inline tables; so something like this will
+// be written in three calls:
+//
+//     ┌────────────────────┐
+//     │      ┌───┐  ┌─────┐│
+//     v      v   v  v     vv
+//     key = {k = v, k2 = v2}
+//
+func (enc *Encoder) writeKeyValue(key Key, val reflect.Value, inline bool) {
 	if len(key) == 0 {
 		encPanic(errNoKey)
 	}
-	panicIfInvalidKey(key)
 	enc.wf("%s%s = ", enc.indentStr(key), key.maybeQuoted(len(key)-1))
 	enc.eElement(val)
-	enc.newline()
+	if !inline {
+		enc.newline()
+	}
 }

 func (enc *Encoder) wf(format string, v ...interface{}) {
-	if _, err := fmt.Fprintf(enc.w, format, v...); err != nil {
+	_, err := fmt.Fprintf(enc.w, format, v...)
+	if err != nil {
 		encPanic(err)
 	}
 	enc.hasWritten = true
@@ -536,13 +705,25 @@ func encPanic(err error) {
 	panic(tomlEncodeError{err})
 }

+// Resolve any level of pointers to the actual value (e.g. **string → string).
 func eindirect(v reflect.Value) reflect.Value {
-	switch v.Kind() {
-	case reflect.Ptr, reflect.Interface:
-		return eindirect(v.Elem())
-	default:
+	if v.Kind() != reflect.Ptr && v.Kind() != reflect.Interface {
+		if isMarshaler(v) {
+			return v
+		}
+		if v.CanAddr() { /// Special case for marshalers; see #358.
+			if pv := v.Addr(); isMarshaler(pv) {
+				return pv
+			}
+		}
 		return v
 	}
+
+	if v.IsNil() {
+		return v
+	}
+
+	return eindirect(v.Elem())
 }

 func isNil(rv reflect.Value) bool {
@@ -553,16 +734,3 @@ func isNil(rv reflect.Value) bool {
 		return false
 	}
 }
-
-func panicIfInvalidKey(key Key) {
-	for _, k := range key {
-		if len(k) == 0 {
-			encPanic(e("Key '%s' is not a valid table name. Key names "+
-				"cannot be empty.", key.maybeQuotedAll()))
-		}
-	}
-}
-
-func isValidKeyName(s string) bool {
-	return len(s) != 0
-}
--- a/Show More
+++ b/Show More