Merge pull request #1883 from rhatdan/VERSION

Bump to v1.11.0
Move to v1.11.1-dev
2026-01-30 22:08:44 +00:00 · 2023-01-26 16:13:24 -05:00 · 2023-01-26 15:34:30 -05:00 · 2023-01-26 15:34:30 -05:00 · 2023-01-26 15:33:46 -05:00 · 2023-01-26 08:05:00 +01:00
2433 changed files with 278831 additions and 74543 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -23,20 +23,14 @@ env:
    ####
    #### Cache-image names to test with (double-quotes around names are critical)
    ####
-    FEDORA_NAME: "fedora-35"
-    PRIOR_FEDORA_NAME: "fedora-34"
-    UBUNTU_NAME: "ubuntu-2110"
+    FEDORA_NAME: "fedora-37"

    # Google-cloud VM Images
-    IMAGE_SUFFIX: "c4764556961513472"
+    IMAGE_SUFFIX: "c6300530360713216"
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
-    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
-    UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"

    # Container FQIN's
    FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
-    PRIOR_FEDORA_CONTAINER_FQIN: "quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}"
-    UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX}"

    # Built along with the standard PR-based workflow in c/automation_images
    SKOPEO_CIDEV_CONTAINER_FQIN: "quay.io/libpod/skopeo_cidev:${IMAGE_SUFFIX}"
@@ -53,7 +47,7 @@ validate_task:
    # The git-validation tool doesn't work well on branch or tag push,
    # under Cirrus-CI, due to challenges obtaining the starting commit ID.
    # Only do validation for PRs.
-    only_if: $CIRRUS_PR != ''
+    only_if: &is_pr $CIRRUS_PR != ''
    container:
        image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
        cpu: 4
@@ -63,7 +57,7 @@ validate_task:
        make vendor && hack/tree_status.sh

 doccheck_task:
-    only_if: $CIRRUS_PR != ''
+    only_if: *is_pr
    depends_on:
      - validate
    container:
@@ -81,16 +75,23 @@ doccheck_task:
      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck

 osx_task:
-    only_if: &not_docs $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    # Don't run for docs-only or multi-arch image builds.
+    # Also don't run on release-branches or their PRs,
+    # since base container-image is not version-constrained.
+    only_if: &not_docs_or_release_branch >-
+        ($CIRRUS_BASE_BRANCH == $CIRRUS_DEFAULT_BRANCH ||
+         $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH ) &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+        $CIRRUS_CRON != 'multiarch'
    depends_on:
        - validate
    macos_instance:
-        image: catalina-xcode
+        image: ghcr.io/cirruslabs/macos-ventura-base:latest
    setup_script: |
        export PATH=$GOPATH/bin:$PATH
        brew update
        brew install gpgme go go-md2man
-        go get -u golang.org/x/lint/golint
+        go install golang.org/x/lint/golint@latest
    test_script: |
        export PATH=$GOPATH/bin:$PATH
        go version
@@ -102,10 +103,12 @@ osx_task:

 cross_task:
    alias: cross
-    only_if: *not_docs
+    only_if: >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+        $CIRRUS_CRON != 'multiarch'
    depends_on:
        - validate
-    gce_instance:
+    gce_instance: &standardvm
        image_project: libpod-218412
        zone: "us-central1-f"
        cpu: 2
@@ -122,6 +125,42 @@ cross_task:
        "${GOSRC}/${SCRIPT_BASE}/runner.sh" cross


+ostree-rs-ext_task:
+    alias: proxy_ostree_ext
+    only_if: *not_docs_or_release_branch
+    # WARNING: This task potentially performs a container image
+    # build (on change) with runtime package installs.  Therefore,
+    # its behavior can be unpredictable and potentially flake-prone.
+    # In case of emergency, uncomment the next statement to bypass.
+    #
+    # skip: $CI == "true"
+    #
+    depends_on:
+        - validate
+    # Ref: https://cirrus-ci.org/guide/docker-builder-vm/#dockerfile-as-a-ci-environment
+    container:
+        # The runtime image will be rebuilt on change
+        dockerfile: contrib/cirrus/ostree_ext.dockerfile
+        docker_arguments:  # required build-args
+            BASE_FQIN: quay.io/coreos-assembler/fcos-buildroot:testing-devel
+            CIRRUS_IMAGE_VERSION: 1
+    env:
+        EXT_REPO_NAME: ostree-rs-ext
+        EXT_REPO_HOME: $CIRRUS_WORKING_DIR/../$EXT_REPO_NAME
+        EXT_REPO: https://github.com/ostreedev/${EXT_REPO_NAME}.git
+    skopeo_build_script:
+        - dnf builddep -y skopeo
+        - make
+        - make install
+    proxy_ostree_ext_build_script:
+        - git clone --depth 1 $EXT_REPO $EXT_REPO_HOME
+        - cd $EXT_REPO_HOME
+        - cargo test --no-run
+    proxy_ostree_ext_test_script:
+        - cd $EXT_REPO_HOME
+        - cargo test -- --nocapture --quiet
+
+
 #####
 ##### NOTE: This task is subtantially duplicated in the containers/image
 ##### repository's `.cirrus.yml`.  Changes made here should be fully merged
@@ -129,7 +168,11 @@ cross_task:
 #####
 test_skopeo_task:
    alias: test_skopeo
-    only_if: *not_docs
+    # Don't test for [CI:DOCS], [CI:BUILD], or 'multiarch' cron.
+    only_if: >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*' &&
+        $CIRRUS_CRON != 'multiarch'
    depends_on:
        - validate
    gce_instance:
@@ -162,6 +205,49 @@ test_skopeo_task:
        "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" system


+image_build_task: &image-build
+    name: "Build multi-arch $CTXDIR"
+    alias: image_build
+    # Some of these container images take > 1h to build, limit
+    # this task to a specific Cirrus-Cron entry with this name.
+    only_if: $CIRRUS_CRON == 'multiarch'
+    timeout_in: 120m  # emulation is sssllllooooowwww
+    gce_instance:
+        <<: *standardvm
+        image_name: build-push-${IMAGE_SUFFIX}
+        # More muscle required for parallel multi-arch build
+        type: "n2-standard-4"
+    matrix:
+        - env:
+            CTXDIR: contrib/skopeoimage/upstream
+        - env:
+            CTXDIR: contrib/skopeoimage/testing
+        - env:
+            CTXDIR: contrib/skopeoimage/stable
+    env:
+        SKOPEO_USERNAME: ENCRYPTED[4195884d23b154553f2ddb26a63fc9fbca50ba77b3e447e4da685d8639ed9bc94b9a86a9c77272c8c80d32ead9ca48da]
+        SKOPEO_PASSWORD: ENCRYPTED[36e06f9befd17e5da2d60260edb9ef0d40e6312e2bba4cf881d383f1b8b5a18c8e5a553aea2fdebf39cebc6bd3b3f9de]
+        CONTAINERS_USERNAME: ENCRYPTED[dd722c734641f103b394a3a834d51ca5415347e378637cf98ee1f99e64aad2ec3dbd4664c0d94cb0e06b83d89e9bbe91]
+        CONTAINERS_PASSWORD: ENCRYPTED[d8b0fac87fe251cedd26c864ba800480f9e0570440b9eb264265b67411b253a626fb69d519e188e6c9a7f525860ddb26]
+    main_script:
+        - source /etc/automation_environment
+        - main.sh $CIRRUS_REPO_CLONE_URL $CTXDIR
+
+
+test_image_build_task:
+    <<: *image-build
+    alias: test_image_build
+    # Allow this to run inside a PR w/ [CI:BUILD] only.
+    only_if: $CIRRUS_PR != '' && $CIRRUS_CHANGE_TITLE =~ '.*CI:BUILD.*'
+    # This takes a LONG time, only run when requested.  N/B: Any task
+    # made to depend on this one will block FOREVER unless triggered.
+    # DO NOT ADD THIS TASK AS DEPENDENCY FOR `success_task`.
+    trigger_type: manual
+    # Overwrite all 'env', don't push anything, just do the build.
+    env:
+        DRYRUN: 1
+
+
 # This task is critical.  It updates the "last-used by" timestamp stored
 # in metadata for all VM images.  This mechanism functions in tandem with
 # an out-of-band pruning operation to remove disused VM images.
@@ -171,13 +257,12 @@ meta_task:
    container: &smallcontainer
        cpu: 2
        memory: 2
-        image: quay.io/libpod/imgts:$IMAGE_SUFFIX
+        image: quay.io/libpod/imgts:latest
    env:
        # Space-separated list of images used by this repository state
-        IMGNAMES: >-
+        IMGNAMES: |
            ${FEDORA_CACHE_IMAGE_NAME}
-            ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
-            ${UBUNTU_CACHE_IMAGE_NAME}
+            build-push-${IMAGE_SUFFIX}
        BUILDID: "${CIRRUS_BUILD_ID}"
        REPOREF: "${CIRRUS_REPO_NAME}"
        GCPJSON: ENCRYPTED[6867b5a83e960e7c159a98fe6c8360064567a071c6f4b5e7d532283ecd870aa65c94ccd74bdaa9bf7aadac9d42e20a67]
@@ -199,7 +284,9 @@ success_task:
        - doccheck
        - osx
        - cross
+        - proxy_ostree_ext
        - test_skopeo
+        - image_build
        - meta
    container: *smallcontainer
    env:
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -0,0 +1,74 @@
+/*
+   Renovate is a service similar to GitHub Dependabot, but with
+   (fantastically) more configuration options.  So many options
+   in fact, if you're new I recommend glossing over this cheat-sheet
+   prior to the official documentation:
+
+   https://www.augmentedmind.de/2021/07/25/renovate-bot-cheat-sheet
+
+   Configuration Update/Change Procedure:
+     1. Make changes
+     2. Manually validate changes (from repo-root):
+
+        podman run -it \
+            -v ./.github/renovate.json5:/usr/src/app/renovate.json5:z \
+            docker.io/renovate/renovate:latest \
+            renovate-config-validator
+     3. Commit.
+
+   Configuration Reference:
+   https://docs.renovatebot.com/configuration-options/
+
+   Monitoring Dashboard:
+   https://app.renovatebot.com/dashboard#github/containers
+
+   Note: The Renovate bot will create/manage it's business on
+         branches named 'renovate/*'.  Otherwise, and by
+         default, the only the copy of this file that matters
+         is the one on the `main` branch.  No other branches
+         will be monitored or touched in any way.
+*/
+
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+
+  /*************************************************
+   ****** Global/general configuration options *****
+   *************************************************/
+
+  // Re-use predefined sets of configuration options to DRY
+  "extends": [
+    // https://github.com/containers/automation/blob/main/renovate/defaults.json5
+    "github>containers/automation//renovate/defaults.json5"
+  ],
+
+  // Permit automatic rebasing when base-branch changes by more than
+  // one commit.
+  "rebaseWhen": "behind-base-branch",
+
+  /*************************************************
+   *** Repository-specific configuration options ***
+   *************************************************/
+
+  // Don't leave dep. update. PRs "hanging", assign them to people.
+  "assignees": ["containers/image-maintainers"],  // same for skopeo
+
+  /*************************************************
+   ***** Golang-specific configuration options *****
+   *************************************************/
+
+  "golang": {
+    // N/B: LAST MATCHING RULE WINS
+    // https://docs.renovatebot.com/configuration-options/#packagerules
+    "packageRules": [
+      // Package version retraction (https://go.dev/ref/mod#go-mod-file-retract)
+      // is broken in Renovate
+      // ref: https://github.com/renovatebot/renovate/issues/13012
+      {
+        "matchPackageNames": ["github.com/containers/common"],
+        // Both v1.0.0 and v1.0.1 should be ignored.
+        "allowedVersions": "!/v((1.0.0)|(1.0.1))$/"
+      },
+    ],
+  },
+}
--- a/.github/workflows/check_cirrus_cron.yml
+++ b/.github/workflows/check_cirrus_cron.yml
@@ -3,100 +3,18 @@
 # See also:
 # https://github.com/containers/podman/blob/main/.github/workflows/check_cirrus_cron.yml

-# Format Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
-
-# Required to un-FUBAR default ${{github.workflow}} value
-name: check_cirrus_cron
-
 on:
-    # Note: This only applies to the default branch.
-    schedule:
-        # N/B: This should correspond to a period slightly after
-        # the last job finishes running.  See job defs. at:
-        # https://cirrus-ci.com/settings/repository/6706677464432640
-        - cron:  '59 23 * * 1-5'
-    # Debug: Allow triggering job manually in github-actions WebUI
-    workflow_dispatch: {}
-
-env:
-    # Debug-mode can reveal secrets, only enable by a secret value.
-    # Ref: https://help.github.com/en/actions/configuring-and-managing-workflows/managing-a-workflow-run#enabling-step-debug-logging
-    ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'
-    # CSV listing of e-mail addresses for delivery failure or error notices
-    RCPTCSV: rh.container.bot@gmail.com,podman-monitor@lists.podman.io
-    # Filename for table of cron-name to build-id data
-    # (must be in $GITHUB_WORKSPACE/artifacts/)
-    NAME_ID_FILEPATH: './artifacts/name_id.txt'
+  # Note: This only applies to the default branch.
+  schedule:
+    # N/B: This should correspond to a period slightly after
+    # the last job finishes running.  See job defs. at:
+    # https://cirrus-ci.com/settings/repository/6706677464432640
+    - cron:  '03 03 * * 1-5'
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}

 jobs:
-    cron_failures:
-        runs-on: ubuntu-latest
-        steps:
-            - uses: actions/checkout@v2
-              with:
-                  persist-credentials: false
-
-            # Avoid duplicating cron_failures.sh in skopeo repo.
-            - uses: actions/checkout@v2
-              with:
-                  repository: containers/podman
-                  path: '_podman'
-                  persist-credentials: false
-
-            - name: Get failed cron names and Build IDs
-              id: cron
-              run: './_podman/.github/actions/${{ github.workflow }}/${{ github.job }}.sh'
-
-            - if: steps.cron.outputs.failures > 0
-              shell: bash
-              # Must be inline, since context expressions are used.
-              # Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions
-              run: |
-                set -eo pipefail
-                (
-                echo "Detected one or more Cirrus-CI cron-triggered jobs have failed recently:"
-                echo ""
-
-                while read -r NAME BID; do
-                    echo "Cron build '$NAME' Failed: https://cirrus-ci.com/build/$BID"
-                done < "$NAME_ID_FILEPATH"
-
-                echo ""
-                echo "# Source: ${{ github.workflow }} workflow on ${{ github.repository }}."
-                # Separate content from sendgrid.com automatic footer.
-                echo ""
-                echo ""
-                ) > ./artifacts/email_body.txt
-
-            - if: steps.cron.outputs.failures > 0
-              name: Send failure notification e-mail
-              # Ref: https://github.com/dawidd6/action-send-mail
-              uses: dawidd6/action-send-mail@v2.2.2
-              with:
-                server_address: ${{secrets.ACTION_MAIL_SERVER}}
-                server_port: 465
-                username: ${{secrets.ACTION_MAIL_USERNAME}}
-                password: ${{secrets.ACTION_MAIL_PASSWORD}}
-                subject: Cirrus-CI cron build failures on ${{github.repository}}
-                to: ${{env.RCPTCSV}}
-                from: ${{secrets.ACTION_MAIL_SENDER}}
-                body: file://./artifacts/email_body.txt
-
-            - if: always()
-              uses: actions/upload-artifact@v2
-              with:
-                  name: ${{ github.job }}_artifacts
-                  path: artifacts/*
-
-            - if: failure()
-              name: Send error notification e-mail
-              uses: dawidd6/action-send-mail@v2.2.2
-              with:
-                server_address: ${{secrets.ACTION_MAIL_SERVER}}
-                server_port: 465
-                username: ${{secrets.ACTION_MAIL_USERNAME}}
-                password: ${{secrets.ACTION_MAIL_PASSWORD}}
-                subject: Github workflow error on ${{github.repository}}
-                to: ${{env.RCPTCSV}}
-                from: ${{secrets.ACTION_MAIL_SENDER}}
-                body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  call_cron_failures:
+    uses: containers/podman/.github/workflows/check_cirrus_cron.yml@main
+    secrets: inherit
--- a/.github/workflows/multi-arch-build.yaml
+++ b/.github/workflows/multi-arch-build.yaml
@@ -1,209 +0,0 @@
---
-
-# Please see contrib/<reponame>image/README.md for details on the intentions
-# of this workflow.
-#
-# BIG FAT WARNING:  This workflow is duplicated across containers/skopeo,
-#                   containers/buildah, and containers/podman.  ANY AND
-#                   ALL CHANGES MADE HERE MUST BE MANUALLY DUPLICATED
-#                   TO THE OTHER REPOS.
-
-name: build multi-arch images
-
-on:
-  # Upstream tends to be very active, with many merges per day.
-  # Only run this daily via cron schedule, or manually, not by branch push.
-  schedule:
-    - cron:  '0 8 * * *'
-  # allows to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  multi:
-    name: multi-arch image build
-    env:
-      REPONAME: skopeo  # No easy way to parse this out of $GITHUB_REPOSITORY
-      # Server/namespace value used to format FQIN
-      REPONAME_QUAY_REGISTRY: quay.io/skopeo
-      CONTAINERS_QUAY_REGISTRY: quay.io/containers
-      # list of architectures for build
-      PLATFORMS: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
-      # Command to execute in container to obtain project version number
-      VERSION_CMD: "--version"  # skopeo is the entrypoint
-
-    # build several images (upstream, testing, stable) in parallel
-    strategy:
-      # By default, failure of one matrix item cancels all others
-      fail-fast: false
-      matrix:
-        # Builds are located under contrib/<reponame>image/<source> directory
-        source:
-          - upstream
-          - testing
-          - stable
-    runs-on: ubuntu-latest
-    # internal registry caches build for inspection before push
-    services:
-      registry:
-        image: quay.io/libpod/registry:2
-        ports:
-          - 5000:5000
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: network=host
-          install: true
-
-      - name: Build and locally push image
-        uses: docker/build-push-action@v2
-        with:
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-
-      # Simple verification that stable images work, and
-      # also grab version number use in forming the FQIN.
-      - name: amd64 container sniff test
-        if: matrix.source == 'stable'
-        id: sniff_test
-        run: |
-          podman pull --tls-verify=false \
-                            localhost:5000/$REPONAME/${{ matrix.source }}
-          VERSION_OUTPUT=$(podman run \
-                           localhost:5000/$REPONAME/${{ matrix.source }} \
-                           $VERSION_CMD)
-          echo "$VERSION_OUTPUT"
-          VERSION=$(awk -r -e "/^${REPONAME} version /"'{print $3}' <<<"$VERSION_OUTPUT")
-          test -n "$VERSION"
-          echo "::set-output name=version::$VERSION"
-
-      - name: Generate image FQIN(s) to push
-        id: reponame_reg
-        run: |
-          if [[ "${{ matrix.source }}" == 'stable' ]]; then
-            # The command version in image just built
-            VERSION='v${{ steps.sniff_test.outputs.version }}'
-            # workaround vim syntax-highlight bug: '
-            # Push both new|updated version-tag and latest-tag FQINs
-            FQIN="$REPONAME_QUAY_REGISTRY/stable:$VERSION,$REPONAME_QUAY_REGISTRY/stable:latest"
-          elif [[ "${{ matrix.source }}" == 'testing' ]]; then
-            # Assume some contents changed, always push latest testing.
-            FQIN="$REPONAME_QUAY_REGISTRY/testing:latest"
-          elif [[ "${{ matrix.source }}" == 'upstream' ]]; then
-            # Assume some contents changed, always push latest upstream.
-            FQIN="$REPONAME_QUAY_REGISTRY/upstream:latest"
-          else
-            echo "::error::Unknown matrix item '${{ matrix.source }}'"
-            exit 1
-          fi
-          echo "::warning::Pushing $FQIN"
-          echo "::set-output name=fqin::${FQIN}"
-          echo '::set-output name=push::true'
-
-      # This is substantially similar to the above logic,
-      # but only handles $CONTAINERS_QUAY_REGISTRY for
-      # the stable "latest" and named-version tagged images.
-      - name: Generate containers reg. image FQIN(s)
-        if: matrix.source == 'stable'
-        id: containers_reg
-        run: |
-          VERSION='v${{ steps.sniff_test.outputs.version }}'
-          # workaround vim syntax-highlight bug: '
-          # Push both new|updated version-tag and latest-tag FQINs
-          FQIN="$CONTAINERS_QUAY_REGISTRY/$REPONAME:$VERSION,$CONTAINERS_QUAY_REGISTRY/$REPONAME:latest"
-          echo "::warning::Pushing $FQIN"
-          echo "::set-output name=fqin::${FQIN}"
-          echo '::set-output name=push::true'
-
-      - name: Define LABELS multi-line env. var. value
-        run: |
-          # This is a really hacky/strange workflow idiom, required
-          # for setting multi-line $LABELS value for consumption in
-          # a future step.  There is literally no cleaner way to do this :<
-          # https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings
-          function set_labels() {
-            echo 'LABELS<<DELIMITER' >> "$GITHUB_ENV"
-            for line; do
-                echo "$line" | tee -a "$GITHUB_ENV"
-            done
-            echo "DELIMITER" >> "$GITHUB_ENV"
-          }
-
-          declare -a lines
-          lines=(\
-            "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git"
-            "org.opencontainers.image.revision=${GITHUB_SHA}"
-            "org.opencontainers.image.created=$(date -u --iso-8601=seconds)"
-          )
-
-          # Only the 'stable' matrix source obtains $VERSION
-          if [[ "${{ matrix.source }}" == "stable" ]]; then
-            lines+=(\
-              "org.opencontainers.image.version=${{ steps.sniff_test.outputs.version }}"
-            )
-          fi
-
-          set_labels "${lines[@]}"
-
-      # Separate steps to login and push for $REPONAME_QUAY_REGISTRY and
-      # $CONTAINERS_QUAY_REGISTRY are required, because 2 sets of credentials
-      # are used and namespaced within the registry.  At the same time, reuse
-      # of non-shell steps is not supported by Github Actions nor are YAML
-      # anchors/aliases, nor composite actions.
-
-      # Push to $REPONAME_QUAY_REGISTRY for stable, testing. and upstream
-      - name: Login to ${{ env.REPONAME_QUAY_REGISTRY }}
-        uses: docker/login-action@v1
-        if: steps.reponame_reg.outputs.push == 'true'
-        with:
-          registry: ${{ env.REPONAME_QUAY_REGISTRY }}
-          # N/B: Secrets are not passed to workflows that are triggered
-          #      by a pull request from a fork
-          username: ${{ secrets.REPONAME_QUAY_USERNAME }}
-          password: ${{ secrets.REPONAME_QUAY_PASSWORD }}
-
-      - name: Push images to ${{ steps.reponame_reg.outputs.fqin }}
-        uses: docker/build-push-action@v2
-        if: steps.reponame_reg.outputs.push == 'true'
-        with:
-          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-          cache-to: type=inline
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: ${{ steps.reponame_reg.outputs.fqin }}
-          labels: |
-            ${{ env.LABELS }}
-
-      # Push to $CONTAINERS_QUAY_REGISTRY only stable
-      - name: Login to ${{ env.CONTAINERS_QUAY_REGISTRY }}
-        if: steps.containers_reg.outputs.push == 'true'
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ env.CONTAINERS_QUAY_REGISTRY}}
-          username: ${{ secrets.CONTAINERS_QUAY_USERNAME }}
-          password: ${{ secrets.CONTAINERS_QUAY_PASSWORD }}
-
-      - name: Push images to ${{ steps.containers_reg.outputs.fqin }}
-        if: steps.containers_reg.outputs.push == 'true'
-        uses: docker/build-push-action@v2
-        with:
-          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-          cache-to: type=inline
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: ${{ steps.containers_reg.outputs.fqin }}
-          labels: |
-            ${{ env.LABELS }}
--- a/.github/workflows/rerun_cirrus_cron.yml
+++ b/.github/workflows/rerun_cirrus_cron.yml
@@ -0,0 +1,19 @@
+---
+
+# See also: https://github.com/containers/podman/blob/main/.github/workflows/rerun_cirrus_cron.yml
+
+on:
+  # Note: This only applies to the default branch.
+  schedule:
+    # N/B: This should correspond to a period slightly after
+    # the last job finishes running.  See job defs. at:
+    # https://cirrus-ci.com/settings/repository/6706677464432640
+    - cron:  '01 01 * * 1-5'
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}
+
+jobs:
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  call_cron_rerun:
+    uses: containers/podman/.github/workflows/rerun_cirrus_cron.yml@main
+    secrets: inherit
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,13 +7,17 @@ on:
  schedule:
  - cron: "0 0 * * *"

+permissions:
+  contents: read
+
 jobs:
  stale:
-
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest
-
    steps:
-    - uses: actions/stale@v1
+    - uses: actions/stale@v7
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'A friendly reminder that this issue had no activity for 30 days.'
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,7 @@
 /layers-*
 /skopeo
 result
-
+/completions/
 # ignore JetBrains IDEs (GoLand) config folder
 .idea

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -149,7 +149,7 @@ When new PRs for [containers/image](https://github.com/containers/image) break `
 ## Communications

 For general questions, or discussions, please use the 
-IRC group on `irc.freenode.net` called `container-projects`
+IRC channel on `irc.libera.chat` called `#container-projects`
 that has been setup.

 For discussions around issues/bugs and features, you can use the github
--- a/79
+++ b/79
@@ -2,23 +2,22 @@

 export GOPROXY=https://proxy.golang.org

-# On some platforms (eg. macOS, FreeBSD) gpgme is installed in /usr/local/ but /usr/local/include/ is
-# not in the default search path. Rather than hard-code this directory, use gpgme-config.
-# Sadly that must be done at the top-level user instead of locally in the gpgme subpackage, because cgo
-# supports only pkg-config, not general shell scripts, and gpgme does not install a pkg-config file.
-# If gpgme is not installed or gpgme-config can’t be found for other reasons, the error is silently ignored
-# (and the user will probably find out because the cgo compilation will fail).
-GPGME_ENV := CGO_CFLAGS="$(shell gpgme-config --cflags 2>/dev/null)" CGO_LDFLAGS="$(shell gpgme-config --libs 2>/dev/null)"
-
 # The following variables very roughly follow https://www.gnu.org/prep/standards/standards.html#Makefile-Conventions .
 DESTDIR ?=
 PREFIX ?= /usr/local
+ifeq ($(shell uname -s),FreeBSD)
+CONTAINERSCONFDIR ?= /usr/local/etc/containers
+else
 CONTAINERSCONFDIR ?= /etc/containers
+endif
 REGISTRIESDDIR ?= ${CONTAINERSCONFDIR}/registries.d
-SIGSTOREDIR ?= /var/lib/containers/sigstore
+LOOKASIDEDIR ?= /var/lib/containers/sigstore
 BINDIR ?= ${PREFIX}/bin
 MANDIR ?= ${PREFIX}/share/man
-BASHCOMPLETIONSDIR ?= ${PREFIX}/share/bash-completion/completions
+
+BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
+ZSHINSTALLDIR=${PREFIX}/share/zsh/site-functions
+FISHINSTALLDIR=${PREFIX}/share/fish/vendor_completions.d

 GO ?= go
 GOBIN := $(shell $(GO) env GOBIN)
@@ -29,10 +28,15 @@ ifeq ($(GOBIN),)
 GOBIN := $(GOPATH)/bin
 endif

-# Multiple scripts are sensitive to this value, make sure it's exported/available
-# N/B: Need to use 'command -v' here for compatibility with MacOS.
-export CONTAINER_RUNTIME ?= $(if $(shell command -v podman),podman,docker)
-GOMD2MAN ?= $(if $(shell command -v go-md2man),go-md2man,$(GOBIN)/go-md2man)
+# Scripts may also use CONTAINER_RUNTIME, so we need to export it.
+# Note possibly non-obvious aspects of this:
+# - We need to use 'command -v' here, not 'which', for compatibility with MacOS.
+# - GNU Make 4.2.1 (included in Ubuntu 20.04) incorrectly tries to avoid invoking
+#   a shell, and fails because there is no /usr/bin/command. The trailing ';' in
+#   $(shell … ;) defeats that heuristic (recommended in
+#   https://savannah.gnu.org/bugs/index.php?57625 ).
+export CONTAINER_RUNTIME ?= $(if $(shell command -v podman ;),podman,docker)
+GOMD2MAN ?= $(if $(shell command -v go-md2man ;),go-md2man,$(GOBIN)/go-md2man)

 # Go module support: set `-mod=vendor` to use the vendored sources.
 # See also hack/make.sh.
@@ -51,8 +55,6 @@ ifeq ($(GOOS), linux)
  endif
 endif

-GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
-
 # If $TESTFLAGS is set, it is passed as extra arguments to 'go test'.
 # You can increase test output verbosity with the option '-test.vv'.
 # You can select certain tests to run, with `-test.run <regex>` for example:
@@ -88,7 +90,7 @@ endif
 CONTAINER_GOSRC = /src/github.com/containers/skopeo
 CONTAINER_RUN ?= $(CONTAINER_CMD) --security-opt label=disable -v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) $(SKOPEO_CIDEV_CONTAINER_FQIN)

-GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null || true)
+GIT_COMMIT := $(shell GIT_CEILING_DIRECTORIES=$$(cd ..; pwd) git rev-parse HEAD 2> /dev/null || true)

 EXTRA_LDFLAGS ?=
 SKOPEO_LDFLAGS := -ldflags '-X main.gitCommit=${GIT_COMMIT} $(EXTRA_LDFLAGS)'
@@ -137,7 +139,7 @@ binary: cmd/skopeo
 # Build w/o using containers
 .PHONY: bin/skopeo
 bin/skopeo:
-	$(GPGME_ENV) $(GO) build $(MOD_VENDOR) ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
+	$(GO) build $(MOD_VENDOR) ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
 bin/skopeo.%:
 	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO) build $(MOD_VENDOR) ${SKOPEO_LDFLAGS} -tags "containers_image_openpgp $(BUILDTAGS)" -o $@ ./cmd/skopeo
 local-cross: bin/skopeo.darwin.amd64 bin/skopeo.linux.arm bin/skopeo.linux.arm64 bin/skopeo.windows.386.exe bin/skopeo.windows.amd64.exe
@@ -152,11 +154,19 @@ docs: $(MANPAGES)
 docs-in-container:
 	${CONTAINER_RUN} $(MAKE) docs $(if $(DEBUG),DEBUG=$(DEBUG))

+.PHONY: completions
+completions: bin/skopeo
+	install -d -m 755 completions/bash completions/zsh completions/fish completions/powershell
+	./bin/skopeo completion bash >| completions/bash/skopeo
+	./bin/skopeo completion zsh >| completions/zsh/_skopeo
+	./bin/skopeo completion fish >| completions/fish/skopeo.fish
+	./bin/skopeo completion powershell >| completions/powershell/skopeo.ps1
+
 clean:
-	rm -rf bin docs/*.1
+	rm -rf bin docs/*.1 completions/

 install: install-binary install-docs install-completions
-	install -d -m 755 ${DESTDIR}${SIGSTOREDIR}
+	install -d -m 755 ${DESTDIR}${LOOKASIDEDIR}
 	install -d -m 755 ${DESTDIR}${CONTAINERSCONFDIR}
 	install -m 644 default-policy.json ${DESTDIR}${CONTAINERSCONFDIR}/policy.json
 	install -d -m 755 ${DESTDIR}${REGISTRIESDDIR}
@@ -172,9 +182,14 @@ ifneq ($(DISABLE_DOCS), 1)
 	install -m 644 docs/*.1 ${DESTDIR}${MANDIR}/man1
 endif

-install-completions:
-	install -m 755 -d ${DESTDIR}${BASHCOMPLETIONSDIR}
-	install -m 644 completions/bash/skopeo ${DESTDIR}${BASHCOMPLETIONSDIR}/skopeo
+install-completions: completions
+	install -d -m 755 ${DESTDIR}${BASHINSTALLDIR}
+	install -m 644 completions/bash/skopeo ${DESTDIR}${BASHINSTALLDIR}
+	install -d -m 755 ${DESTDIR}${ZSHINSTALLDIR}
+	install -m 644 completions/zsh/_skopeo ${DESTDIR}${ZSHINSTALLDIR}
+	install -d -m 755 ${DESTDIR}${FISHINSTALLDIR}
+	install -m 644 completions/fish/skopeo.fish ${DESTDIR}${FISHINSTALLDIR}
+	# There is no common location for powershell files so do not install them. Users have to source the file from their powershell profile.

 shell:
 	$(CONTAINER_RUN) bash
@@ -182,7 +197,11 @@ shell:
 check: validate test-unit test-integration test-system

 test-integration:
-	$(CONTAINER_RUN) $(MAKE) test-integration-local
+# This is intended to be equal to $(CONTAINER_RUN), but with --cap-add=cap_mknod.
+# --cap-add=cap_mknod is important to allow skopeo to use containers-storage: directly as it exists in the callers’ environment, without
+# creating a nested user namespace (which requires /etc/subuid and /etc/subgid to be set up)
+	$(CONTAINER_CMD) --security-opt label=disable --cap-add=cap_mknod -v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) $(SKOPEO_CIDEV_CONTAINER_FQIN) \
+		$(MAKE) test-integration-local


 # Intended for CI, assumed to be running in quay.io/libpod/skopeo_cidev container.
@@ -190,7 +209,6 @@ test-integration-local: bin/skopeo
 	hack/make.sh test-integration

 # complicated set of options needed to run podman-in-podman
-# TODO: The $(RM) command will likely fail w/o `podman unshare`
 test-system:
 	DTEMP=$(shell mktemp -d --tmpdir=/var/tmp podman-tmp.XXXXXX); \
 	$(CONTAINER_CMD) --privileged \
@@ -199,7 +217,7 @@ test-system:
 		"$(SKOPEO_CIDEV_CONTAINER_FQIN)" \
 			$(MAKE) test-system-local; \
 	rc=$$?; \
-	-$(RM) -rf $$DTEMP; \
+	$(CONTAINER_RUNTIME) unshare rm -rf $$DTEMP; # This probably doesn't work with Docker, oh well, better than nothing... \
 	exit $$rc

 # Intended for CI, assumed to already be running in quay.io/libpod/skopeo_cidev container.
@@ -227,7 +245,7 @@ validate-docs:
 	hack/xref-helpmsgs-manpages

 test-unit-local: bin/skopeo
-	$(GPGME_ENV) $(GO) test $(MOD_VENDOR) -tags "$(BUILDTAGS)" $$($(GO) list $(MOD_VENDOR) -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')
+	$(GO) test $(MOD_VENDOR) -tags "$(BUILDTAGS)" $$($(GO) list $(MOD_VENDOR) -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')

 vendor:
 	$(GO) mod tidy
@@ -235,4 +253,9 @@ vendor:
 	$(GO) mod verify

 vendor-in-container:
-	podman run --privileged --rm --env HOME=/root -v $(CURDIR):/src -w /src quay.io/libpod/golang:1.16 $(MAKE) vendor
+	podman run --privileged --rm --env HOME=/root -v $(CURDIR):/src -w /src golang $(MAKE) vendor
+
+# CAUTION: This is not a replacement for RPMs provided by your distro.
+# Only intended to build and test the latest unreleased changes.
+rpm:
+	rpkg local
--- a/README.md
+++ b/README.md
@@ -1,7 +1,8 @@
-skopeo [![Build Status](https://travis-ci.org/containers/skopeo.svg?branch=master)](https://travis-ci.org/containers/skopeo)
+<!--- skopeo [![Build Status](https://travis-ci.org/containers/skopeo.svg?branch=main)](https://travis-ci.org/containers/skopeo)
 =
+--->

-<img src="https://cdn.rawgit.com/containers/skopeo/master/docs/skopeo.svg" width="250">
+<img src="https://cdn.rawgit.com/containers/skopeo/main/docs/skopeo.svg" width="250">

 ----

@@ -56,29 +57,37 @@ Examples:
 $ skopeo inspect docker://registry.fedoraproject.org/fedora:latest
 {
    "Name": "registry.fedoraproject.org/fedora",
-    "Digest": "sha256:655721ff613ee766a4126cb5e0d5ae81598e1b0c3bcf7017c36c4d72cb092fe9",
+    "Digest": "sha256:0f65bee641e821f8118acafb44c2f8fe30c2fc6b9a2b3729c0660376391aa117",
    "RepoTags": [
-        "24",
-        "25",
-        "26-modular",
-	...
+        "34-aarch64",
+        "34",
+        "latest",
+        ...
    ],
-    "Created": "2020-04-29T06:48:16Z",
+    "Created": "2022-11-24T13:54:18Z",
    "DockerVersion": "1.10.1",
    "Labels": {
        "license": "MIT",
        "name": "fedora",
        "vendor": "Fedora Project",
-        "version": "32"
+        "version": "37"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
-        "sha256:3088721d7dbf674fc0be64cd3cf00c25aab921cacf35fa0e7b1578500a3e1653"
+        "sha256:2a0fc6bf62e155737f0ace6142ee686f3c471c1aab4241dc3128904db46288f0"
+    ],
+    "LayersData": [
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:2a0fc6bf62e155737f0ace6142ee686f3c471c1aab4241dc3128904db46288f0",
+            "Size": 71355009,
+            "Annotations": null
+        }
    ],
    "Env": [
-        "DISTTAG=f32container",
-        "FGC=f32",
+        "DISTTAG=f37container",
+        "FGC=f37",
        "container=oci"
    ]
 }
@@ -200,6 +209,7 @@ Please read the [contribution guide](CONTRIBUTING.md) if you want to collaborate
 | -------------------------------------------------- | ---------------------------------------------------------------------------------------------|
 | [skopeo-copy(1)](/docs/skopeo-copy.1.md)           | Copy an image (manifest, filesystem layers, signatures) from one location to another.        |
 | [skopeo-delete(1)](/docs/skopeo-delete.1.md)       | Mark the image-name for later deletion by the registry's garbage collector.                                                                |
+| [skopeo-generate-sigstore-key(1)](/docs/skopeo-generate-sigstore-key.1.md)    | Generate a sigstore public/private key pair.  |
 | [skopeo-inspect(1)](/docs/skopeo-inspect.1.md)     | Return  low-level  information about image-name in a registry.                                |
 | [skopeo-list-tags(1)](/docs/skopeo-list-tags.1.md) | Return a list of tags for the transport-specific image repository.                               |
 | [skopeo-login(1)](/docs/skopeo-login.1.md)         | Login to a container registry.                                                               |
@@ -207,7 +217,7 @@ Please read the [contribution guide](CONTRIBUTING.md) if you want to collaborate
 | [skopeo-manifest-digest(1)](/docs/skopeo-manifest-digest.1.md)    | Compute a manifest digest for a manifest-file and write it to standard output.   |
 | [skopeo-standalone-sign(1)](/docs/skopeo-standalone-sign.1.md)    | Debugging tool - Publish and sign an image in one step.                                                         |
 | [skopeo-standalone-verify(1)](/docs/skopeo-standalone-verify.1.md)| Verify an image signature.                                                    |
-| [skopeo-sync(1)](/docs/skopeo-sync.1.md)           | Synchronize images between container registries and local directories.                       |
+| [skopeo-sync(1)](/docs/skopeo-sync.1.md)           | Synchronize images between registry repositories and local directories.                      |

 License
 -
--- a/cmd/skopeo/cgo_pthread_ordering_workaround.go
+++ b/cmd/skopeo/cgo_pthread_ordering_workaround.go
@@ -1,35 +0,0 @@
-//go:build !containers_image_openpgp
-// +build !containers_image_openpgp
-
-package main
-
-/*
-This is a pretty horrible workaround.  Due to a glibc bug
-https://bugzilla.redhat.com/show_bug.cgi?id=1326903 , we must ensure we link
-with -lgpgme before -lpthread.  Such arguments come from various packages
-using cgo, and the ordering of these arguments is, with current (go tool link),
-dependent on the order in which the cgo-using packages are found in a
-breadth-first search following dependencies, starting from “main”.
-
-Thus, if
-   import "net"
-is processed before
-   import "…/skopeo/signature"
-it will, in the next level of the BFS, pull in "runtime/cgo" (a dependency of
-"net") before "mtrmac/gpgme" (a dependency of "…/skopeo/signature"), causing
-lpthread (used by "runtime/cgo") to be used before -lgpgme.
-
-This might be possible to work around by careful import ordering, or by removing
-a direct dependency on "net", but that would be very fragile.
-
-So, until the above bug is fixed, add -lgpgme directly in the "main" package
-to ensure the needed build order.
-
-Unfortunately, this workaround needs to be applied at the top level of any user
-of "…/skopeo/signature"; it cannot be added to "…/skopeo/signature" itself,
-by that time this package is first processed by the linker, a -lpthread may
-already be queued and it would be too late.
-*/
-
-// #cgo LDFLAGS: -lgpgme
-import "C"
--- a/cmd/skopeo/completions.go
+++ b/cmd/skopeo/completions.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"github.com/containers/image/v5/transports"
+	"github.com/spf13/cobra"
+)
+
+// autocompleteSupportedTransports list all supported transports with the colon suffix.
+func autocompleteSupportedTransports(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	tps := transports.ListNames()
+	suggestions := make([]string, 0, len(tps))
+	for _, tp := range tps {
+		suggestions = append(suggestions, tp+":")
+	}
+	return suggestions, cobra.ShellCompDirectiveNoFileComp
+}
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -4,7 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"
 	"strings"

 	commonFlag "github.com/containers/common/pkg/flag"
@@ -13,6 +13,8 @@ import (
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/pkg/cli/sigstore"
+	"github.com/containers/image/v5/signature/signer"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
 	encconfig "github.com/containers/ocicrypt/config"
@@ -21,24 +23,27 @@ import (
 )

 type copyOptions struct {
-	global              *globalOptions
-	deprecatedTLSVerify *deprecatedTLSVerifyOption
-	srcImage            *imageOptions
-	destImage           *imageDestOptions
-	retryOpts           *retry.RetryOptions
-	additionalTags      []string                  // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
-	removeSignatures    bool                      // Do not copy signatures from the source image
-	signByFingerprint   string                    // Sign the image using a GPG key with the specified fingerprint
-	signPassphraseFile  string                    // Path pointing to a passphrase file when signing
-	digestFile          string                    // Write digest to this file
-	format              commonFlag.OptionalString // Force conversion of the image to a specified format
-	quiet               bool                      // Suppress output information when copying images
-	all                 bool                      // Copy all of the images if the source is a list
-	multiArch           commonFlag.OptionalString // How to handle multi architecture images
-	preserveDigests     bool                      // Preserve digests during copy
-	encryptLayer        []int                     // The list of layers to encrypt
-	encryptionKeys      []string                  // Keys needed to encrypt the image
-	decryptionKeys      []string                  // Keys needed to decrypt the image
+	global                   *globalOptions
+	deprecatedTLSVerify      *deprecatedTLSVerifyOption
+	srcImage                 *imageOptions
+	destImage                *imageDestOptions
+	retryOpts                *retry.Options
+	additionalTags           []string                  // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
+	removeSignatures         bool                      // Do not copy signatures from the source image
+	signByFingerprint        string                    // Sign the image using a GPG key with the specified fingerprint
+	signBySigstoreParamFile  string                    // Sign the image using a sigstore signature per configuration in a param file
+	signBySigstorePrivateKey string                    // Sign the image using a sigstore private key
+	signPassphraseFile       string                    // Path pointing to a passphrase file when signing (for either signature format, but only one of them)
+	signIdentity             string                    // Identity of the signed image, must be a fully specified docker reference
+	digestFile               string                    // Write digest to this file
+	format                   commonFlag.OptionalString // Force conversion of the image to a specified format
+	quiet                    bool                      // Suppress output information when copying images
+	all                      bool                      // Copy all of the images if the source is a list
+	multiArch                commonFlag.OptionalString // How to handle multi architecture images
+	preserveDigests          bool                      // Preserve digests during copy
+	encryptLayer             []int                     // The list of layers to encrypt
+	encryptionKeys           []string                  // Keys needed to encrypt the image
+	decryptionKeys           []string                  // Keys needed to decrypt the image
 }

 func copyCmd(global *globalOptions) *cobra.Command {
@@ -63,8 +68,9 @@ Supported transports:

 See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
-		RunE:    commandAction(opts.run),
-		Example: `skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest`,
+		RunE:              commandAction(opts.run),
+		Example:           `skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
@@ -80,7 +86,10 @@ See skopeo(1) section "IMAGE NAMES" for the expected format
 	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
 	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE-IMAGE")
 	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
-	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "File that contains a passphrase for the --sign-by key")
+	flags.StringVar(&opts.signBySigstoreParamFile, "sign-by-sigstore", "", "Sign the image using a sigstore parameter file at `PATH`")
+	flags.StringVar(&opts.signBySigstorePrivateKey, "sign-by-sigstore-private-key", "", "Sign the image using a sigstore private key at `PATH`")
+	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "Read a passphrase for signing an image from `PATH`")
+	flags.StringVar(&opts.signIdentity, "sign-identity", "", "Identity of signed image, must be a fully specified docker reference. Defaults to the target docker reference.")
 	flags.StringVar(&opts.digestFile, "digestfile", "", "Write the digest of the pushed image to the specified file")
 	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)`)
 	flags.StringSliceVar(&opts.encryptionKeys, "encryption-key", []string{}, "*Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)")
@@ -110,7 +119,7 @@ func parseMultiArch(multiArch string) (copy.ImageListSelection, error) {
 	}
 }

-func (opts *copyOptions) run(args []string, stdout io.Writer) error {
+func (opts *copyOptions) run(args []string, stdout io.Writer) (retErr error) {
 	if len(args) != 2 {
 		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
 	}
@@ -125,7 +134,11 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 	if err != nil {
 		return fmt.Errorf("Error loading trust policy: %v", err)
 	}
-	defer policyContext.Destroy()
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()

 	srcRef, err := alltransports.ParseImageName(imageNames[0])
 	if err != nil {
@@ -222,25 +235,71 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 		decConfig = cc.DecryptConfig
 	}

-	passphrase, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
-	if err != nil {
-		return err
+	// c/image/copy.Image does allow creating both simple signing and sigstore signatures simultaneously,
+	// with independent passphrases, but that would make the CLI probably too confusing.
+	// For now, use the passphrase with either, but only one of them.
+	if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signBySigstorePrivateKey != "" {
+		return fmt.Errorf("Only one of --sign-by and sign-by-sigstore-private-key can be used with sign-passphrase-file")
+	}
+	var passphrase string
+	if opts.signPassphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else if opts.signBySigstorePrivateKey != "" {
+		p, err := promptForPassphrase(opts.signBySigstorePrivateKey, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} // opts.signByFingerprint triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided.
+
+	var signers []*signer.Signer
+	if opts.signBySigstoreParamFile != "" {
+		signer, err := sigstore.NewSignerFromParameterFile(opts.signBySigstoreParamFile, &sigstore.Options{
+			PrivateKeyPassphrasePrompt: func(keyFile string) (string, error) {
+				return promptForPassphrase(keyFile, os.Stdin, os.Stdout)
+			},
+			Stdin:  os.Stdin,
+			Stdout: stdout,
+		})
+		if err != nil {
+			return fmt.Errorf("Error using --sign-by-sigstore: %w", err)
+		}
+		defer signer.Close()
+		signers = append(signers, signer)
 	}

-	return retry.RetryIfNecessary(ctx, func() error {
+	var signIdentity reference.Named = nil
+	if opts.signIdentity != "" {
+		signIdentity, err = reference.ParseNamed(opts.signIdentity)
+		if err != nil {
+			return fmt.Errorf("Could not parse --sign-identity: %v", err)
+		}
+	}
+
+	opts.destImage.warnAboutIneffectiveOptions(destRef.Transport())
+
+	return retry.IfNecessary(ctx, func() error {
 		manifestBytes, err := copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
-			RemoveSignatures:      opts.removeSignatures,
-			SignBy:                opts.signByFingerprint,
-			SignPassphrase:        passphrase,
-			ReportWriter:          stdout,
-			SourceCtx:             sourceCtx,
-			DestinationCtx:        destinationCtx,
-			ForceManifestMIMEType: manifestType,
-			ImageListSelection:    imageListSelection,
-			PreserveDigests:       opts.preserveDigests,
-			OciDecryptConfig:      decConfig,
-			OciEncryptLayers:      encLayers,
-			OciEncryptConfig:      encConfig,
+			RemoveSignatures:                 opts.removeSignatures,
+			Signers:                          signers,
+			SignBy:                           opts.signByFingerprint,
+			SignPassphrase:                   passphrase,
+			SignBySigstorePrivateKeyFile:     opts.signBySigstorePrivateKey,
+			SignSigstorePrivateKeyPassphrase: []byte(passphrase),
+			SignIdentity:                     signIdentity,
+			ReportWriter:                     stdout,
+			SourceCtx:                        sourceCtx,
+			DestinationCtx:                   destinationCtx,
+			ForceManifestMIMEType:            manifestType,
+			ImageListSelection:               imageListSelection,
+			PreserveDigests:                  opts.preserveDigests,
+			OciDecryptConfig:                 decConfig,
+			OciEncryptLayers:                 encLayers,
+			OciEncryptConfig:                 encConfig,
 		})
 		if err != nil {
 			return err
@@ -250,7 +309,7 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 			if err != nil {
 				return err
 			}
-			if err = ioutil.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0644); err != nil {
+			if err = os.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0644); err != nil {
 				return fmt.Errorf("Failed to write digest to file %q: %w", opts.digestFile, err)
 			}
 		}
--- a/cmd/skopeo/delete.go
+++ b/cmd/skopeo/delete.go
@@ -15,7 +15,7 @@ import (
 type deleteOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
 }

 func deleteCmd(global *globalOptions) *cobra.Command {
@@ -35,8 +35,9 @@ Supported transports:
 %s
 See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
-		RunE:    commandAction(opts.run),
-		Example: `skopeo delete docker://registry.example.com/example/pause:latest`,
+		RunE:              commandAction(opts.run),
+		Example:           `skopeo delete docker://registry.example.com/example/pause:latest`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
@@ -69,7 +70,7 @@ func (opts *deleteOptions) run(args []string, stdout io.Writer) error {
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()

-	return retry.RetryIfNecessary(ctx, func() error {
+	return retry.IfNecessary(ctx, func() error {
 		return ref.DeleteImage(ctx, sys)
 	}, opts.retryOpts)
 }
--- a/cmd/skopeo/generate_sigstore_key.go
+++ b/cmd/skopeo/generate_sigstore_key.go
@@ -0,0 +1,90 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+
+	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/signature/sigstore"
+	"github.com/spf13/cobra"
+)
+
+type generateSigstoreKeyOptions struct {
+	outputPrefix   string
+	passphraseFile string
+}
+
+func generateSigstoreKeyCmd() *cobra.Command {
+	var opts generateSigstoreKeyOptions
+	cmd := &cobra.Command{
+		Use:     "generate-sigstore-key [command options] --output-prefix PREFIX",
+		Short:   "Generate a sigstore public/private key pair",
+		RunE:    commandAction(opts.run),
+		Example: "skopeo generate-sigstore-key --output-prefix my-key",
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.StringVar(&opts.outputPrefix, "output-prefix", "", "Write the keys to `PREFIX`.pub and `PREFIX`.private")
+	flags.StringVar(&opts.passphraseFile, "passphrase-file", "", "Read a passphrase for the private key from `PATH`")
+	return cmd
+}
+
+// ensurePathDoesNotExist verifies that path does not refer to an existing file,
+// and returns an error if so.
+func ensurePathDoesNotExist(path string) error {
+	switch _, err := os.Stat(path); {
+	case err == nil:
+		return fmt.Errorf("Refusing to overwrite existing %q", path)
+	case errors.Is(err, fs.ErrNotExist):
+		return nil
+	default:
+		return fmt.Errorf("Error checking existence of %q: %w", path, err)
+	}
+}
+
+func (opts *generateSigstoreKeyOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 0 || opts.outputPrefix == "" {
+		return errors.New("Usage: generate-sigstore-key --output-prefix PREFIX")
+	}
+
+	pubKeyPath := opts.outputPrefix + ".pub"
+	privateKeyPath := opts.outputPrefix + ".private"
+	if err := ensurePathDoesNotExist(pubKeyPath); err != nil {
+		return err
+	}
+	if err := ensurePathDoesNotExist(privateKeyPath); err != nil {
+		return err
+	}
+
+	var passphrase string
+	if opts.passphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.passphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else {
+		p, err := promptForPassphrase(privateKeyPath, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	}
+
+	keys, err := sigstore.GenerateKeyPair([]byte(passphrase))
+	if err != nil {
+		return fmt.Errorf("Error generating key pair: %w", err)
+	}
+
+	if err := os.WriteFile(privateKeyPath, keys.PrivateKey, 0600); err != nil {
+		return fmt.Errorf("Error writing private key to %q: %w", privateKeyPath, err)
+	}
+	if err := os.WriteFile(pubKeyPath, keys.PublicKey, 0644); err != nil {
+		return fmt.Errorf("Error writing private key to %q: %w", pubKeyPath, err)
+	}
+	fmt.Fprintf(stdout, "Key written to %q and %q", privateKeyPath, pubKeyPath)
+	return nil
+}
--- a/cmd/skopeo/generate_sigstore_key_test.go
+++ b/cmd/skopeo/generate_sigstore_key_test.go
@@ -0,0 +1,79 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGenerateSigstoreKey(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"--output-prefix", "foo", "a1"},
+	} {
+		out, err := runSkopeo(append([]string{"generate-sigstore-key"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// One of the destination files already exists
+	outputSuffixes := []string{".pub", ".private"}
+	for _, suffix := range outputSuffixes {
+		dir := t.TempDir()
+		prefix := filepath.Join(dir, "prefix")
+		err := os.WriteFile(prefix+suffix, []byte{}, 0600)
+		require.NoError(t, err)
+		out, err := runSkopeo("generate-sigstore-key",
+			"--output-prefix", prefix, "--passphrase-file", "/dev/null",
+		)
+		assertTestFailed(t, out, err, "Refusing to overwrite")
+	}
+
+	// One of the destinations is inaccessible (simulate by a symlink that tries to
+	// traverse a non-directory)
+	for _, suffix := range outputSuffixes {
+		dir := t.TempDir()
+		nonDirectory := filepath.Join(dir, "nondirectory")
+		err := os.WriteFile(nonDirectory, []byte{}, 0600)
+		require.NoError(t, err)
+		prefix := filepath.Join(dir, "prefix")
+		err = os.Symlink(filepath.Join(nonDirectory, "unaccessible"), prefix+suffix)
+		require.NoError(t, err)
+		out, err := runSkopeo("generate-sigstore-key",
+			"--output-prefix", prefix, "--passphrase-file", "/dev/null",
+		)
+		assertTestFailed(t, out, err, prefix+suffix) // + an OS-specific error message
+	}
+	destDir := t.TempDir()
+	// Error reading passphrase
+	out, err := runSkopeo("generate-sigstore-key",
+		"--output-prefix", filepath.Join(destDir, "prefix"),
+		"--passphrase-file", filepath.Join(destDir, "this-does-not-exist"),
+	)
+	assertTestFailed(t, out, err, "this-does-not-exist")
+
+	// (The interactive passphrase prompting is not yet tested)
+
+	// Error writing outputs is untested: when unit tests run as root, we can’t use permissions on a directory to cause write failures,
+	// with the --output-prefix mechanism, and refusing to even start writing to pre-exisiting files, directories are the only mechanism
+	// we have to trigger a write failure.
+
+	// Success
+	// Just a smoke-test, useability of the keys is tested in the generate implementation.
+	dir := t.TempDir()
+	prefix := filepath.Join(dir, "prefix")
+	passphraseFile := filepath.Join(dir, "passphrase")
+	err = os.WriteFile(passphraseFile, []byte("some passphrase"), 0600)
+	require.NoError(t, err)
+	out, err = runSkopeo("generate-sigstore-key",
+		"--output-prefix", prefix, "--passphrase-file", passphraseFile,
+	)
+	assert.NoError(t, err)
+	for _, suffix := range outputSuffixes {
+		assert.Contains(t, out, prefix+suffix)
+	}
+
+}
--- a/cmd/skopeo/inspect.go
+++ b/cmd/skopeo/inspect.go
@@ -2,9 +2,9 @@ package main

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
-	"os"
 	"strings"
 	"text/tabwriter"
 	"text/template"
@@ -17,8 +17,8 @@ import (
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/skopeo/cmd/skopeo/inspect"
+	"github.com/docker/distribution/registry/api/errcode"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@@ -26,7 +26,7 @@ import (
 type inspectOptions struct {
 	global        *globalOptions
 	image         *imageOptions
-	retryOpts     *retry.RetryOptions
+	retryOpts     *retry.Options
 	format        string
 	raw           bool // Output the raw manifest instead of parsing information about the image
 	config        bool // Output the raw config blob instead of parsing information about the image
@@ -55,6 +55,7 @@ See skopeo(1) section "IMAGE NAMES" for the expected format
 		Example: `skopeo inspect docker://registry.fedoraproject.org/fedora
  skopeo inspect --config docker://docker.io/alpine
  skopeo inspect  --format "Name: {{.Name}} Digest: {{.Digest}}" docker://registry.access.redhat.com/ubi8`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
@@ -95,30 +96,30 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		return err
 	}

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		src, err = parseImageSource(ctx, opts.image, imageName)
 		return err
 	}, opts.retryOpts); err != nil {
-		return errors.Wrapf(err, "Error parsing image name %q", imageName)
+		return fmt.Errorf("Error parsing image name %q: %w", imageName, err)
 	}

 	defer func() {
 		if err := src.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, fmt.Sprintf("(could not close image: %v) ", err))
+			retErr = noteCloseFailure(retErr, "closing image", err)
 		}
 	}()

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		rawManifest, _, err = src.GetManifest(ctx, nil)
 		return err
 	}, opts.retryOpts); err != nil {
-		return errors.Wrapf(err, "Error retrieving manifest for image")
+		return fmt.Errorf("Error retrieving manifest for image: %w", err)
 	}

 	if opts.raw && !opts.config {
 		_, err := stdout.Write(rawManifest)
 		if err != nil {
-			return fmt.Errorf("Error writing manifest to standard output: %v", err)
+			return fmt.Errorf("Error writing manifest to standard output: %w", err)
 		}

 		return nil
@@ -126,29 +127,29 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)

 	img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, nil))
 	if err != nil {
-		return errors.Wrapf(err, "Error parsing manifest for image")
+		return fmt.Errorf("Error parsing manifest for image: %w", err)
 	}

 	if opts.config && opts.raw {
 		var configBlob []byte
-		if err := retry.RetryIfNecessary(ctx, func() error {
+		if err := retry.IfNecessary(ctx, func() error {
 			configBlob, err = img.ConfigBlob(ctx)
 			return err
 		}, opts.retryOpts); err != nil {
-			return errors.Wrapf(err, "Error reading configuration blob")
+			return fmt.Errorf("Error reading configuration blob: %w", err)
 		}
 		_, err = stdout.Write(configBlob)
 		if err != nil {
-			return errors.Wrapf(err, "Error writing configuration blob to standard output")
+			return fmt.Errorf("Error writing configuration blob to standard output: %w", err)
 		}
 		return nil
 	} else if opts.config {
 		var config *v1.Image
-		if err := retry.RetryIfNecessary(ctx, func() error {
+		if err := retry.IfNecessary(ctx, func() error {
 			config, err = img.OCIConfig(ctx)
 			return err
 		}, opts.retryOpts); err != nil {
-			return errors.Wrapf(err, "Error reading OCI-formatted configuration data")
+			return fmt.Errorf("Error reading OCI-formatted configuration data: %w", err)
 		}
 		if report.IsJSON(opts.format) || opts.format == "" {
 			var out []byte
@@ -159,15 +160,15 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		} else {
 			row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
 			data = append(data, config)
-			err = printTmpl(row, data)
+			err = printTmpl(stdout, row, data)
 		}
 		if err != nil {
-			return errors.Wrapf(err, "Error writing OCI-formatted configuration data to standard output")
+			return fmt.Errorf("Error writing OCI-formatted configuration data to standard output: %w", err)
 		}
 		return nil
 	}

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		imgInspect, err = img.Inspect(ctx)
 		return err
 	}, opts.retryOpts); err != nil {
@@ -185,11 +186,12 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		Architecture:  imgInspect.Architecture,
 		Os:            imgInspect.Os,
 		Layers:        imgInspect.Layers,
+		LayersData:    imgInspect.LayersData,
 		Env:           imgInspect.Env,
 	}
 	outputData.Digest, err = manifest.Digest(rawManifest)
 	if err != nil {
-		return errors.Wrapf(err, "Error computing manifest digest")
+		return fmt.Errorf("Error computing manifest digest: %w", err)
 	}
 	if dockerRef := img.Reference().DockerReference(); dockerRef != nil {
 		outputData.Name = dockerRef.Name()
@@ -201,13 +203,27 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		}
 		outputData.RepoTags, err = docker.GetRepositoryTags(ctx, sys, img.Reference())
 		if err != nil {
-			// some registries may decide to block the "list all tags" endpoint
-			// gracefully allow the inspect to continue in this case. Currently
-			// the IBM Bluemix container registry has this restriction.
-			// In addition, AWS ECR rejects it with 403 (Forbidden) if the "ecr:ListImages"
-			// action is not allowed.
-			if !strings.Contains(err.Error(), "401") && !strings.Contains(err.Error(), "403") {
-				return errors.Wrapf(err, "Error determining repository tags")
+			// Some registries may decide to block the "list all tags" endpoint;
+			// gracefully allow the inspect to continue in this case:
+			fatalFailure := true
+			// - AWS ECR rejects it if the "ecr:ListImages" action is not allowed.
+			//   https://github.com/containers/skopeo/issues/726
+			var ec errcode.ErrorCoder
+			if ok := errors.As(err, &ec); ok && ec.ErrorCode() == errcode.ErrorCodeDenied {
+				fatalFailure = false
+			}
+			// - public.ecr.aws does not implement the endpoint at all, and fails with 404:
+			//   https://github.com/containers/skopeo/issues/1230
+			//   This is actually "code":"NOT_FOUND", and the parser doesn’t preserve that.
+			//   So, also check the error text.
+			if ok := errors.As(err, &ec); ok && ec.ErrorCode() == errcode.ErrorCodeUnknown {
+				var e errcode.Error
+				if ok := errors.As(err, &e); ok && e.Code == errcode.ErrorCodeUnknown && e.Message == "404 page not found" {
+					fatalFailure = false
+				}
+			}
+			if fatalFailure {
+				return fmt.Errorf("Error determining repository tags: %w", err)
 			}
 			logrus.Warnf("Registry disallows tag list retrieval; skipping")
 		}
@@ -221,14 +237,14 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 	}
 	row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
 	data = append(data, outputData)
-	return printTmpl(row, data)
+	return printTmpl(stdout, row, data)
 }

-func printTmpl(row string, data []interface{}) error {
+func printTmpl(stdout io.Writer, row string, data []interface{}) error {
 	t, err := template.New("skopeo inspect").Parse(row)
 	if err != nil {
 		return err
 	}
-	w := tabwriter.NewWriter(os.Stdout, 8, 2, 2, ' ', 0)
+	w := tabwriter.NewWriter(stdout, 8, 2, 2, ' ', 0)
 	return t.Execute(w, data)
 }
--- a/cmd/skopeo/inspect/output.go
+++ b/cmd/skopeo/inspect/output.go
@@ -3,6 +3,7 @@ package inspect
 import (
 	"time"

+	"github.com/containers/image/v5/types"
 	digest "github.com/opencontainers/go-digest"
 )

@@ -19,5 +20,6 @@ type Output struct {
 	Architecture  string
 	Os            string
 	Layers        []string
+	LayersData    []types.ImageInspectLayer
 	Env           []string
 }
--- a/cmd/skopeo/layers.go
+++ b/cmd/skopeo/layers.go
@@ -1,9 +1,9 @@
 package main

 import (
+	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"

@@ -13,14 +13,13 @@ import (
 	"github.com/containers/image/v5/pkg/blobinfocache"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

 type layersOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
 }

 func layersCmd(global *globalOptions) *cobra.Command {
@@ -69,25 +68,25 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		rawSource types.ImageSource
 		src       types.ImageCloser
 	)
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		rawSource, err = parseImageSource(ctx, opts.image, imageName)
 		return err
 	}, opts.retryOpts); err != nil {
 		return err
 	}
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		src, err = image.FromSource(ctx, sys, rawSource)
 		return err
 	}, opts.retryOpts); err != nil {
 		if closeErr := rawSource.Close(); closeErr != nil {
-			return errors.Wrapf(err, " (close error: %v)", closeErr)
+			return fmt.Errorf("%w (closing image source: %v)", err, closeErr)
 		}

 		return err
 	}
 	defer func() {
 		if err := src.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			retErr = noteCloseFailure(retErr, "closing image", err)
 		}
 	}()

@@ -122,7 +121,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		}
 	}

-	tmpDir, err := ioutil.TempDir(".", "layers-")
+	tmpDir, err := os.MkdirTemp(".", "layers-")
 	if err != nil {
 		return err
 	}
@@ -137,7 +136,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {

 	defer func() {
 		if err := dest.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			retErr = noteCloseFailure(retErr, "closing destination", err)
 		}
 	}()

@@ -146,7 +145,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 			r        io.ReadCloser
 			blobSize int64
 		)
-		if err = retry.RetryIfNecessary(ctx, func() error {
+		if err = retry.IfNecessary(ctx, func() error {
 			r, blobSize, err = rawSource.GetBlob(ctx, types.BlobInfo{Digest: bd.digest, Size: -1}, cache)
 			return err
 		}, opts.retryOpts); err != nil {
@@ -154,14 +153,14 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		}
 		if _, err := dest.PutBlob(ctx, r, types.BlobInfo{Digest: bd.digest, Size: blobSize}, cache, bd.isConfig); err != nil {
 			if closeErr := r.Close(); closeErr != nil {
-				return errors.Wrapf(err, " (close error: %v)", closeErr)
+				return fmt.Errorf("%w (close error: %v)", err, closeErr)
 			}
 			return err
 		}
 	}

 	var manifest []byte
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		manifest, _, err = src.Manifest(ctx)
 		return err
 	}, opts.retryOpts); err != nil {
--- a/cmd/skopeo/list_tags.go
+++ b/cmd/skopeo/list_tags.go
@@ -3,29 +3,46 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
+	"sort"
 	"strings"

 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/docker/archive"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

 // tagListOutput is the output format of (skopeo list-tags), primarily so that we can format it with a simple json.MarshalIndent.
 type tagListOutput struct {
-	Repository string
+	Repository string `json:",omitempty"`
 	Tags       []string
 }

 type tagsOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
+}
+
+var transportHandlers = map[string]func(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error){
+	docker.Transport.Name():  listDockerRepoTags,
+	archive.Transport.Name(): listDockerArchiveTags,
+}
+
+// supportedTransports returns all the supported transports
+func supportedTransports(joinStr string) string {
+	res := make([]string, 0, len(transportHandlers))
+	for handlerName := range transportHandlers {
+		res = append(res, handlerName)
+	}
+	sort.Strings(res)
+	return strings.Join(res, joinStr)
 }

 func tagsCmd(global *globalOptions) *cobra.Command {
@@ -38,13 +55,14 @@ func tagsCmd(global *globalOptions) *cobra.Command {
 		image:     imageOpts,
 		retryOpts: retryOpts,
 	}
+
 	cmd := &cobra.Command{
-		Use:   "list-tags [command options] REPOSITORY-NAME",
-		Short: "List tags in the transport/repository specified by the REPOSITORY-NAME",
-		Long: `Return the list of tags from the transport/repository "REPOSITORY-NAME"
+		Use:   "list-tags [command options] SOURCE-IMAGE",
+		Short: "List tags in the transport/repository specified by the SOURCE-IMAGE",
+		Long: `Return the list of tags from the transport/repository "SOURCE-IMAGE"

 Supported transports:
-docker
+` + supportedTransports(" ") + `

 See skopeo-list-tags(1) section "REPOSITORY NAMES" for the expected format
 `,
@@ -63,12 +81,12 @@ See skopeo-list-tags(1) section "REPOSITORY NAMES" for the expected format
 // Would really love to not have this, but needed to enforce tag-less and digest-less names
 func parseDockerRepositoryReference(refString string) (types.ImageReference, error) {
 	if !strings.HasPrefix(refString, docker.Transport.Name()+"://") {
-		return nil, errors.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
+		return nil, fmt.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
 	}

 	parts := strings.SplitN(refString, ":", 2)
 	if len(parts) != 2 {
-		return nil, errors.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, refString)
+		return nil, fmt.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, refString)
 	}

 	ref, err := reference.ParseNormalizedNamed(strings.TrimPrefix(parts[1], "//"))
@@ -90,11 +108,63 @@ func listDockerTags(ctx context.Context, sys *types.SystemContext, imgRef types.

 	tags, err := docker.GetRepositoryTags(ctx, sys, imgRef)
 	if err != nil {
-		return ``, nil, fmt.Errorf("Error listing repository tags: %v", err)
+		return ``, nil, fmt.Errorf("Error listing repository tags: %w", err)
 	}
 	return repositoryName, tags, nil
 }

+// return the tagLists from a docker repo
+func listDockerRepoTags(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
+	// Do transport-specific parsing and validation to get an image reference
+	imgRef, err := parseDockerRepositoryReference(userInput)
+	if err != nil {
+		return
+	}
+	if err = retry.IfNecessary(ctx, func() error {
+		repositoryName, tagListing, err = listDockerTags(ctx, sys, imgRef)
+		return err
+	}, opts.retryOpts); err != nil {
+		return
+	}
+	return
+}
+
+// return the tagLists from a docker archive file
+func listDockerArchiveTags(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
+	ref, err := alltransports.ParseImageName(userInput)
+	if err != nil {
+		return
+	}
+
+	tarReader, _, err := archive.NewReaderForReference(sys, ref)
+	if err != nil {
+		return
+	}
+	defer tarReader.Close()
+
+	imageRefs, err := tarReader.List()
+	if err != nil {
+		return
+	}
+
+	var repoTags []string
+	for imageIndex, items := range imageRefs {
+		for _, ref := range items {
+			repoTags, err = tarReader.ManifestTagsForReference(ref)
+			if err != nil {
+				return
+			}
+			// handle for each untagged image
+			if len(repoTags) == 0 {
+				repoTags = []string{fmt.Sprintf("@%d", imageIndex)}
+			}
+			tagListing = append(tagListing, repoTags...)
+		}
+	}
+
+	return
+}
+
 func (opts *tagsOptions) run(args []string, stdout io.Writer) (retErr error) {
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()
@@ -113,23 +183,17 @@ func (opts *tagsOptions) run(args []string, stdout io.Writer) (retErr error) {
 		return fmt.Errorf("Invalid %q: does not specify a transport", args[0])
 	}

-	if transport.Name() != docker.Transport.Name() {
-		return fmt.Errorf("Unsupported transport '%v' for tag listing. Only '%v' currently supported", transport.Name(), docker.Transport.Name())
-	}
-
-	// Do transport-specific parsing and validation to get an image reference
-	imgRef, err := parseDockerRepositoryReference(args[0])
-	if err != nil {
-		return err
-	}
-
 	var repositoryName string
 	var tagListing []string
-	if err = retry.RetryIfNecessary(ctx, func() error {
-		repositoryName, tagListing, err = listDockerTags(ctx, sys, imgRef)
-		return err
-	}, opts.retryOpts); err != nil {
-		return err
+
+	if val, ok := transportHandlers[transport.Name()]; ok {
+		repositoryName, tagListing, err = val(ctx, sys, opts, args[0])
+		if err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("Unsupported transport '%s' for tag listing. Only supported: %s",
+			transport.Name(), supportedTransports(", "))
 	}

 	outputData := tagListOutput{
--- a/cmd/skopeo/main.go
+++ b/cmd/skopeo/main.go
@@ -63,11 +63,8 @@ func createApp() (*cobra.Command, *globalOptions) {
 		},
 		SilenceUsage:  true,
 		SilenceErrors: true,
-		// Currently, skopeo uses manually written completions.  Cobra allows
-		// for auto-generating completions for various shells.  Podman is
-		// already making us of that.  If Skopeo decides to follow, please
-		// remove the line below (and hide the `completion` command).
-		CompletionOptions: cobra.CompletionOptions{DisableDefaultCmd: true},
+		// Hide the completion command which is provided by cobra
+		CompletionOptions: cobra.CompletionOptions{HiddenDefaultCmd: true},
 		// This is documented to parse "local" (non-PersistentFlags) flags of parent commands before
 		// running subcommands and handling their options. We don't really run into such cases,
 		// because all of our flags on rootCommand are in PersistentFlags, except for the deprecated --tls-verify;
@@ -101,6 +98,7 @@ func createApp() (*cobra.Command, *globalOptions) {
 	rootCommand.AddCommand(
 		copyCmd(&opts),
 		deleteCmd(&opts),
+		generateSigstoreKeyCmd(),
 		inspectCmd(&opts),
 		layersCmd(&opts),
 		loginCmd(&opts),
--- a/cmd/skopeo/manifest.go
+++ b/cmd/skopeo/manifest.go
@@ -4,7 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"

 	"github.com/containers/image/v5/manifest"
 	"github.com/spf13/cobra"
@@ -31,7 +31,7 @@ func (opts *manifestDigestOptions) run(args []string, stdout io.Writer) error {
 	}
 	manifestPath := args[0]

-	man, err := ioutil.ReadFile(manifestPath)
+	man, err := os.ReadFile(manifestPath)
 	if err != nil {
 		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
 	}
--- a/cmd/skopeo/proxy.go
+++ b/cmd/skopeo/proxy.go
@@ -73,11 +73,16 @@ import (

 	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
+	ocilayout "github.com/containers/image/v5/oci/layout"
 	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
+	dockerdistributionerrcode "github.com/docker/distribution/registry/api/errcode"
+	dockerdistributionapi "github.com/docker/distribution/registry/api/v2"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )

@@ -88,7 +93,9 @@ import (
 // 0.2.1: Initial version
 // 0.2.2: Added support for fetching image configuration as OCI
 // 0.2.3: Added GetFullConfig
-const protocolVersion = "0.2.3"
+// 0.2.4: Added OpenImageOptional
+// 0.2.5: Added LayerInfoJSON
+const protocolVersion = "0.2.5"

 // maxMsgSize is the current limit on a packet size.
 // Note that all non-metadata (i.e. payload data) is sent over a pipe.
@@ -98,7 +105,10 @@ const maxMsgSize = 32 * 1024
 // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER
 // We hard error if the input JSON numbers we expect to be
 // integers are above this.
-const maxJSONFloat = float64(1<<53 - 1)
+const maxJSONFloat = float64(uint64(1)<<53 - 1)
+
+// sentinelImageID represents "image not found" on the wire
+const sentinelImageID = 0

 // request is the JSON serialization of a function call
 type request struct {
@@ -166,6 +176,14 @@ type proxyHandler struct {
 	activePipes map[uint32]*activePipe
 }

+// convertedLayerInfo is the reduced form of the OCI type BlobInfo
+// Used in the return value of GetLayerInfo
+type convertedLayerInfo struct {
+	Digest    digest.Digest `json:"digest"`
+	Size      int64         `json:"size"`
+	MediaType string        `json:"media_type"`
+}
+
 // Initialize performs one-time initialization, and returns the protocol version
 func (h *proxyHandler) Initialize(args []interface{}) (replyBuf, error) {
 	h.lock.Lock()
@@ -197,6 +215,29 @@ func (h *proxyHandler) Initialize(args []interface{}) (replyBuf, error) {
 // OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
 // The return value is an opaque integer handle.
 func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
+	return h.openImageImpl(args, false)
+}
+
+// isDockerManifestUnknownError is a copy of code from containers/image,
+// please update there first.
+func isDockerManifestUnknownError(err error) bool {
+	var ec dockerdistributionerrcode.ErrorCoder
+	if !errors.As(err, &ec) {
+		return false
+	}
+	return ec.ErrorCode() == dockerdistributionapi.ErrorCodeManifestUnknown
+}
+
+// isNotFoundImageError heuristically attempts to determine whether an error
+// is saying the remote source couldn't find the image (as opposed to an
+// authentication error, an I/O error etc.)
+// TODO drive this into containers/image properly
+func isNotFoundImageError(err error) bool {
+	return isDockerManifestUnknownError(err) ||
+		errors.Is(err, ocilayout.ImageNotFoundError{})
+}
+
+func (h *proxyHandler) openImageImpl(args []interface{}, allowNotFound bool) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()
 	var ret replyBuf
@@ -218,9 +259,15 @@ func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
 	}
 	imgsrc, err := imgRef.NewImageSource(context.Background(), h.sysctx)
 	if err != nil {
+		if allowNotFound && isNotFoundImageError(err) {
+			ret.value = sentinelImageID
+			return ret, nil
+		}
 		return ret, err
 	}

+	// Note that we never return zero as an imageid; this code doesn't yet
+	// handle overflow though.
 	h.imageSerial++
 	openimg := &openImage{
 		id:  h.imageSerial,
@@ -232,6 +279,13 @@ func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
 	return ret, nil
 }

+// OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
+// The return value is an opaque integer handle.  If the image does not exist, zero
+// is returned.
+func (h *proxyHandler) OpenImageOptional(args []interface{}) (replyBuf, error) {
+	return h.openImageImpl(args, true)
+}
+
 func (h *proxyHandler) CloseImage(args []interface{}) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()
@@ -278,6 +332,9 @@ func (h *proxyHandler) parseImageFromID(v interface{}) (*openImage, error) {
 	if err != nil {
 		return nil, err
 	}
+	if imgid == sentinelImageID {
+		return nil, fmt.Errorf("Invalid imageid value of zero")
+	}
 	imgref, ok := h.images[imgid]
 	if !ok {
 		return nil, fmt.Errorf("no image %v", imgid)
@@ -542,10 +599,12 @@ func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {

 	piper, f, err := h.allocPipe()
 	if err != nil {
+		blobr.Close()
 		return ret, err
 	}
 	go func() {
 		// Signal completion when we return
+		defer blobr.Close()
 		defer f.wg.Done()
 		verifier := d.Verifier()
 		tr := io.TeeReader(blobr, verifier)
@@ -568,6 +627,56 @@ func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {
 	return ret, nil
 }

+// GetLayerInfo returns data about the layers of an image, useful for reading the layer contents.
+//
+// This needs to be called since the data returned by GetManifest() does not allow to correctly
+// calling GetBlob() for the containers-storage: transport (which doesn’t store the original compressed
+// representations referenced in the manifest).
+func (h *proxyHandler) GetLayerInfo(args []interface{}) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+
+	if len(args) != 1 {
+		return ret, fmt.Errorf("found %d args, expecting (imgid)", len(args))
+	}
+
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+
+	ctx := context.TODO()
+
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	layerInfos, err := img.LayerInfosForCopy(ctx)
+	if err != nil {
+		return ret, err
+	}
+
+	if layerInfos == nil {
+		layerInfos = img.LayerInfos()
+	}
+
+	var layers []convertedLayerInfo
+	for _, layer := range layerInfos {
+		layers = append(layers, convertedLayerInfo{layer.Digest, layer.Size, layer.MediaType})
+	}
+
+	ret.value = layers
+	return ret, nil
+}
+
 // FinishPipe waits for the worker goroutine to finish, and closes the write side of the pipe.
 func (h *proxyHandler) FinishPipe(args []interface{}) (replyBuf, error) {
 	h.lock.Lock()
@@ -596,6 +705,17 @@ func (h *proxyHandler) FinishPipe(args []interface{}) (replyBuf, error) {
 	return ret, err
 }

+// close releases all resources associated with this proxy backend
+func (h *proxyHandler) close() {
+	for _, image := range h.images {
+		err := image.src.Close()
+		if err != nil {
+			// This shouldn't be fatal
+			logrus.Warnf("Failed to close image %s: %v", transports.ImageName(image.cachedimg.Reference()), err)
+		}
+	}
+}
+
 // send writes a reply buffer to the socket
 func (buf replyBuf) send(conn *net.UnixConn, err error) error {
 	replyToSerialize := reply{
@@ -664,13 +784,22 @@ func proxyCmd(global *globalOptions) *cobra.Command {
 // processRequest dispatches a remote request.
 // replyBuf is the result of the invocation.
 // terminate should be true if processing of requests should halt.
-func (h *proxyHandler) processRequest(req request) (rb replyBuf, terminate bool, err error) {
+func (h *proxyHandler) processRequest(readBytes []byte) (rb replyBuf, terminate bool, err error) {
+	var req request
+
+	// Parse the request JSON
+	if err = json.Unmarshal(readBytes, &req); err != nil {
+		err = fmt.Errorf("invalid request: %v", err)
+		return
+	}
 	// Dispatch on the method
 	switch req.Method {
 	case "Initialize":
 		rb, err = h.Initialize(req.Args)
 	case "OpenImage":
 		rb, err = h.OpenImage(req.Args)
+	case "OpenImageOptional":
+		rb, err = h.OpenImageOptional(req.Args)
 	case "CloseImage":
 		rb, err = h.CloseImage(req.Args)
 	case "GetManifest":
@@ -681,10 +810,14 @@ func (h *proxyHandler) processRequest(req request) (rb replyBuf, terminate bool,
 		rb, err = h.GetFullConfig(req.Args)
 	case "GetBlob":
 		rb, err = h.GetBlob(req.Args)
+	case "GetLayerInfo":
+		rb, err = h.GetLayerInfo(req.Args)
 	case "FinishPipe":
 		rb, err = h.FinishPipe(req.Args)
 	case "Shutdown":
 		terminate = true
+	// NOTE: If you add a method here, you should very likely be bumping the
+	// const protocolVersion above.
 	default:
 		err = fmt.Errorf("unknown method: %s", req.Method)
 	}
@@ -698,6 +831,7 @@ func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
 		images:      make(map[uint32]*openImage),
 		activePipes: make(map[uint32]*activePipe),
 	}
+	defer handler.close()

 	// Convert the socket FD passed by client into a net.FileConn
 	fd := os.NewFile(uintptr(opts.sockFd), "sock")
@@ -717,18 +851,15 @@ func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
 			}
 			return fmt.Errorf("reading socket: %v", err)
 		}
-		// Parse the request JSON
 		readbuf := buf[0:n]
-		var req request
-		if err := json.Unmarshal(readbuf, &req); err != nil {
-			rb := replyBuf{}
-			rb.send(conn, fmt.Errorf("invalid request: %v", err))
-		}

-		rb, terminate, err := handler.processRequest(req)
+		rb, terminate, err := handler.processRequest(readbuf)
 		if terminate {
 			return nil
 		}
-		rb.send(conn, err)
+
+		if err := rb.send(conn, err); err != nil {
+			return fmt.Errorf("writing to socket: %w", err)
+		}
 	}
 }
--- a/cmd/skopeo/signing.go
+++ b/cmd/skopeo/signing.go
@@ -5,7 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"

 	"github.com/containers/image/v5/pkg/cli"
 	"github.com/containers/image/v5/signature"
@@ -39,7 +39,7 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {
 	dockerReference := args[1]
 	fingerprint := args[2]

-	manifest, err := ioutil.ReadFile(manifestPath)
+	manifest, err := os.ReadFile(manifestPath)
 	if err != nil {
 		return fmt.Errorf("Error reading %s: %v", manifestPath, err)
 	}
@@ -60,7 +60,7 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {
 		return fmt.Errorf("Error creating signature: %v", err)
 	}

-	if err := ioutil.WriteFile(opts.output, signature, 0644); err != nil {
+	if err := os.WriteFile(opts.output, signature, 0644); err != nil {
 		return fmt.Errorf("Error writing signature to %s: %v", opts.output, err)
 	}
 	return nil
@@ -89,11 +89,11 @@ func (opts *standaloneVerifyOptions) run(args []string, stdout io.Writer) error
 	expectedFingerprint := args[2]
 	signaturePath := args[3]

-	unverifiedManifest, err := ioutil.ReadFile(manifestPath)
+	unverifiedManifest, err := os.ReadFile(manifestPath)
 	if err != nil {
 		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
 	}
-	unverifiedSignature, err := ioutil.ReadFile(signaturePath)
+	unverifiedSignature, err := os.ReadFile(signaturePath)
 	if err != nil {
 		return fmt.Errorf("Error reading signature from %s: %v", signaturePath, err)
 	}
@@ -139,7 +139,7 @@ func (opts *untrustedSignatureDumpOptions) run(args []string, stdout io.Writer)
 	}
 	untrustedSignaturePath := args[0]

-	untrustedSignature, err := ioutil.ReadFile(untrustedSignaturePath)
+	untrustedSignature, err := os.ReadFile(untrustedSignaturePath)
 	if err != nil {
 		return fmt.Errorf("Error reading untrusted signature from %s: %v", untrustedSignaturePath, err)
 	}
--- a/cmd/skopeo/signing_test.go
+++ b/cmd/skopeo/signing_test.go
@@ -2,7 +2,6 @@ package main

 import (
 	"encoding/json"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -25,9 +24,8 @@ const (
 // Test that results of runSkopeo failed with nothing on stdout, and substring
 // within the error message.
 func assertTestFailed(t *testing.T, stdout string, err error, substring string) {
-	assert.Error(t, err)
+	assert.ErrorContains(t, err, substring)
 	assert.Empty(t, stdout)
-	assert.Contains(t, err.Error(), substring)
 }

 func TestStandaloneSign(t *testing.T) {
@@ -40,8 +38,7 @@ func TestStandaloneSign(t *testing.T) {

 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/manifest"
-	os.Setenv("GNUPGHOME", "fixtures")
-	defer os.Unsetenv("GNUPGHOME")
+	t.Setenv("GNUPGHOME", "fixtures")

 	// Invalid command-line arguments
 	for _, args := range [][]string{
@@ -78,7 +75,7 @@ func TestStandaloneSign(t *testing.T) {
 	assertTestFailed(t, out, err, "/dev/full")

 	// Success
-	sigOutput, err := ioutil.TempFile("", "sig")
+	sigOutput, err := os.CreateTemp("", "sig")
 	require.NoError(t, err)
 	defer os.Remove(sigOutput.Name())
 	out, err = runSkopeo("standalone-sign", "-o", sigOutput.Name(),
@@ -86,9 +83,9 @@ func TestStandaloneSign(t *testing.T) {
 	require.NoError(t, err)
 	assert.Empty(t, out)

-	sig, err := ioutil.ReadFile(sigOutput.Name())
+	sig, err := os.ReadFile(sigOutput.Name())
 	require.NoError(t, err)
-	manifest, err := ioutil.ReadFile(manifestPath)
+	manifest, err := os.ReadFile(manifestPath)
 	require.NoError(t, err)
 	mech, err = signature.NewGPGSigningMechanism()
 	require.NoError(t, err)
@@ -103,8 +100,7 @@ func TestStandaloneVerify(t *testing.T) {
 	manifestPath := "fixtures/image.manifest.json"
 	signaturePath := "fixtures/image.signature"
 	dockerReference := "testing/manifest"
-	os.Setenv("GNUPGHOME", "fixtures")
-	defer os.Unsetenv("GNUPGHOME")
+	t.Setenv("GNUPGHOME", "fixtures")

 	// Invalid command-line arguments
 	for _, args := range [][]string{
--- a/cmd/skopeo/sync.go
+++ b/cmd/skopeo/sync.go
@@ -2,9 +2,10 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
@@ -18,10 +19,11 @@ import (
 	"github.com/containers/image/v5/docker"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/pkg/cli/sigstore"
+	"github.com/containers/image/v5/signature/signer"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"gopkg.in/yaml.v2"
@@ -29,21 +31,25 @@ import (

 // syncOptions contains information retrieved from the skopeo sync command line.
 type syncOptions struct {
-	global              *globalOptions // Global (not command dependent) skopeo options
-	deprecatedTLSVerify *deprecatedTLSVerifyOption
-	srcImage            *imageOptions     // Source image options
-	destImage           *imageDestOptions // Destination image options
-	retryOpts           *retry.RetryOptions
-	removeSignatures    bool                      // Do not copy signatures from the source image
-	signByFingerprint   string                    // Sign the image using a GPG key with the specified fingerprint
-	signPassphraseFile  string                    // Path pointing to a passphrase file when signing
-	format              commonFlag.OptionalString // Force conversion of the image to a specified format
-	source              string                    // Source repository name
-	destination         string                    // Destination registry name
-	scoped              bool                      // When true, namespace copied images at destination using the source repository name
-	all                 bool                      // Copy all of the images if an image in the source is a list
-	preserveDigests     bool                      // Preserve digests during sync
-	keepGoing           bool                      // Whether or not to abort the sync if there are any errors during syncing the images
+	global                   *globalOptions // Global (not command dependent) skopeo options
+	deprecatedTLSVerify      *deprecatedTLSVerifyOption
+	srcImage                 *imageOptions     // Source image options
+	destImage                *imageDestOptions // Destination image options
+	retryOpts                *retry.Options
+	removeSignatures         bool                      // Do not copy signatures from the source image
+	signByFingerprint        string                    // Sign the image using a GPG key with the specified fingerprint
+	signBySigstoreParamFile  string                    // Sign the image using a sigstore signature per configuration in a param file
+	signBySigstorePrivateKey string                    // Sign the image using a sigstore private key
+	signPassphraseFile       string                    // Path pointing to a passphrase file when signing
+	format                   commonFlag.OptionalString // Force conversion of the image to a specified format
+	source                   string                    // Source repository name
+	destination              string                    // Destination registry name
+	scoped                   bool                      // When true, namespace copied images at destination using the source repository name
+	all                      bool                      // Copy all of the images if an image in the source is a list
+	dryRun                   bool                      // Don't actually copy anything, just output what it would have done
+	preserveDigests          bool                      // Preserve digests during sync
+	keepGoing                bool                      // Whether or not to abort the sync if there are any errors during syncing the images
+	appendSuffix             string                    // Suffix to append to destination image tag
 }

 // repoDescriptor contains information of a single repository used as a sync source.
@@ -104,12 +110,16 @@ See skopeo-sync(1) for details.
 	flags := cmd.Flags()
 	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE images")
 	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
+	flags.StringVar(&opts.signBySigstoreParamFile, "sign-by-sigstore", "", "Sign the image using a sigstore parameter file at `PATH`")
+	flags.StringVar(&opts.signBySigstorePrivateKey, "sign-by-sigstore-private-key", "", "Sign the image using a sigstore private key at `PATH`")
 	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "File that contains a passphrase for the --sign-by key")
 	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest type of source, with fallbacks)`)
 	flags.StringVarP(&opts.source, "src", "s", "", "SOURCE transport type")
 	flags.StringVarP(&opts.destination, "dest", "d", "", "DESTINATION transport type")
 	flags.BoolVar(&opts.scoped, "scoped", false, "Images at DESTINATION are prefix using the full source image path as scope")
+	flags.StringVar(&opts.appendSuffix, "append-suffix", "", "String to append to DESTINATION tags")
 	flags.BoolVarP(&opts.all, "all", "a", false, "Copy all images if SOURCE-IMAGE is a list")
+	flags.BoolVar(&opts.dryRun, "dry-run", false, "Run without actually copying data")
 	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
 	flags.BoolVarP(&opts.keepGoing, "keep-going", "", false, "Do not abort the sync if any image copy fails")
 	flags.AddFlagSet(&sharedFlags)
@@ -138,13 +148,13 @@ func (tls *tlsVerifyConfig) UnmarshalYAML(unmarshal func(interface{}) error) err
 // It returns a new unmarshaled sourceConfig object and any error encountered.
 func newSourceConfig(yamlFile string) (sourceConfig, error) {
 	var cfg sourceConfig
-	source, err := ioutil.ReadFile(yamlFile)
+	source, err := os.ReadFile(yamlFile)
 	if err != nil {
 		return cfg, err
 	}
 	err = yaml.Unmarshal(source, &cfg)
 	if err != nil {
-		return cfg, errors.Wrapf(err, "Failed to unmarshal %q", yamlFile)
+		return cfg, fmt.Errorf("Failed to unmarshal %q: %w", yamlFile, err)
 	}
 	return cfg, nil
 }
@@ -156,7 +166,7 @@ func parseRepositoryReference(input string) (reference.Named, error) {
 		return nil, err
 	}
 	if !reference.IsNameOnly(ref) {
-		return nil, errors.Errorf("input names a reference, not a repository")
+		return nil, errors.New("input names a reference, not a repository")
 	}
 	return ref, nil
 }
@@ -174,24 +184,24 @@ func destinationReference(destination string, transport string) (types.ImageRefe
 	case directory.Transport.Name():
 		_, err := os.Stat(destination)
 		if err == nil {
-			return nil, errors.Errorf("Refusing to overwrite destination directory %q", destination)
+			return nil, fmt.Errorf("Refusing to overwrite destination directory %q", destination)
 		}
 		if !os.IsNotExist(err) {
-			return nil, errors.Wrap(err, "Destination directory could not be used")
+			return nil, fmt.Errorf("Destination directory could not be used: %w", err)
 		}
 		// the directory holding the image must be created here
 		if err = os.MkdirAll(destination, 0755); err != nil {
-			return nil, errors.Wrapf(err, "Error creating directory for image %s", destination)
+			return nil, fmt.Errorf("Error creating directory for image %s: %w", destination, err)
 		}
 		imageTransport = directory.Transport
 	default:
-		return nil, errors.Errorf("%q is not a valid destination transport", transport)
+		return nil, fmt.Errorf("%q is not a valid destination transport", transport)
 	}
 	logrus.Debugf("Destination for transport %q: %s", transport, destination)

 	destRef, err := imageTransport.ParseReference(destination)
 	if err != nil {
-		return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", imageTransport.Name(), destination)
+		return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", imageTransport.Name(), destination, err)
 	}

 	return destRef, nil
@@ -211,16 +221,8 @@ func getImageTags(ctx context.Context, sysCtx *types.SystemContext, repoRef refe
 		return nil, err // Should never happen for a reference with tag and no digest
 	}
 	tags, err := docker.GetRepositoryTags(ctx, sysCtx, dockerRef)
-
-	switch err := err.(type) {
-	case nil:
-		break
-	case docker.ErrUnauthorizedForCredentials:
-		// Some registries may decide to block the "list all tags" endpoint.
-		// Gracefully allow the sync to continue in this case.
-		logrus.Warnf("Registry disallows tag list retrieval: %s", err)
-	default:
-		return tags, errors.Wrapf(err, "Error determining repository tags for image %s", name)
+	if err != nil {
+		return nil, fmt.Errorf("Error determining repository tags for repo %s: %w", name, err)
 	}

 	return tags, nil
@@ -240,11 +242,15 @@ func imagesToCopyFromRepo(sys *types.SystemContext, repoRef reference.Named) ([]
 	for _, tag := range tags {
 		taggedRef, err := reference.WithTag(repoRef, tag)
 		if err != nil {
-			return nil, errors.Wrapf(err, "Error creating a reference for repository %s and tag %q", repoRef.Name(), tag)
+			logrus.WithFields(logrus.Fields{
+				"repo": repoRef.Name(),
+				"tag":  tag,
+			}).Errorf("Error creating a tagged reference from registry tag list: %v", err)
+			continue
 		}
 		ref, err := docker.NewReference(taggedRef)
 		if err != nil {
-			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %s", docker.Transport.Name(), taggedRef.String())
+			return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %s: %w", docker.Transport.Name(), taggedRef.String(), err)
 		}
 		sourceReferences = append(sourceReferences, ref)
 	}
@@ -257,15 +263,15 @@ func imagesToCopyFromRepo(sys *types.SystemContext, repoRef reference.Named) ([]
 // and any error encountered.
 func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {
 	var sourceReferences []types.ImageReference
-	err := filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
+	err := filepath.WalkDir(dirPath, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
+		if !d.IsDir() && d.Name() == "manifest.json" {
 			dirname := filepath.Dir(path)
 			ref, err := directory.Transport.ParseReference(dirname)
 			if err != nil {
-				return errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", directory.Transport.Name(), dirname)
+				return fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", directory.Transport.Name(), dirname, err)
 			}
 			sourceReferences = append(sourceReferences, ref)
 			return filepath.SkipDir
@@ -275,7 +281,7 @@ func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {

 	if err != nil {
 		return sourceReferences,
-			errors.Wrapf(err, "Error walking the path %q", dirPath)
+			fmt.Errorf("Error walking the path %q: %w", dirPath, err)
 	}

 	return sourceReferences, nil
@@ -433,7 +439,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		}
 		named, err := reference.ParseNormalizedNamed(source) // May be a repository or an image.
 		if err != nil {
-			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), source)
+			return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", docker.Transport.Name(), source, err)
 		}
 		imageTagged := !reference.IsNameOnly(named)
 		logrus.WithFields(logrus.Fields{
@@ -443,7 +449,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		if imageTagged {
 			srcRef, err := docker.NewReference(named)
 			if err != nil {
-				return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), named.String())
+				return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", docker.Transport.Name(), named.String(), err)
 			}
 			desc.ImageRefs = []types.ImageReference{srcRef}
 		} else {
@@ -452,7 +458,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 				return descriptors, err
 			}
 			if len(desc.ImageRefs) == 0 {
-				return descriptors, errors.Errorf("No images to sync found in %q", source)
+				return descriptors, fmt.Errorf("No images to sync found in %q", source)
 			}
 		}
 		descriptors = append(descriptors, desc)
@@ -463,7 +469,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		}

 		if _, err := os.Stat(source); err != nil {
-			return descriptors, errors.Wrap(err, "Invalid source directory specified")
+			return descriptors, fmt.Errorf("Invalid source directory specified: %w", err)
 		}
 		desc.DirBasePath = source
 		var err error
@@ -472,7 +478,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 			return descriptors, err
 		}
 		if len(desc.ImageRefs) == 0 {
-			return descriptors, errors.Errorf("No images to sync found in %q", source)
+			return descriptors, fmt.Errorf("No images to sync found in %q", source)
 		}
 		descriptors = append(descriptors, desc)

@@ -491,7 +497,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex

 			descs, err := imagesToCopyFromRegistry(registryName, registryConfig, *sourceCtx)
 			if err != nil {
-				return descriptors, errors.Wrapf(err, "Failed to retrieve list of images from registry %q", registryName)
+				return descriptors, fmt.Errorf("Failed to retrieve list of images from registry %q: %w", registryName, err)
 			}
 			descriptors = append(descriptors, descs...)
 		}
@@ -500,7 +506,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 	return descriptors, nil
 }

-func (opts *syncOptions) run(args []string, stdout io.Writer) error {
+func (opts *syncOptions) run(args []string, stdout io.Writer) (retErr error) {
 	if len(args) != 2 {
 		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
 	}
@@ -508,9 +514,13 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {

 	policyContext, err := opts.global.getPolicyContext()
 	if err != nil {
-		return errors.Wrapf(err, "Error loading trust policy")
+		return fmt.Errorf("Error loading trust policy: %w", err)
 	}
-	defer policyContext.Destroy()
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()

 	// validate source and destination options
 	contains := func(val string, list []string) (_ bool) {
@@ -526,20 +536,22 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 		return errors.New("A source transport must be specified")
 	}
 	if !contains(opts.source, []string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}) {
-		return errors.Errorf("%q is not a valid source transport", opts.source)
+		return fmt.Errorf("%q is not a valid source transport", opts.source)
 	}

 	if len(opts.destination) == 0 {
 		return errors.New("A destination transport must be specified")
 	}
 	if !contains(opts.destination, []string{docker.Transport.Name(), directory.Transport.Name()}) {
-		return errors.Errorf("%q is not a valid destination transport", opts.destination)
+		return fmt.Errorf("%q is not a valid destination transport", opts.destination)
 	}

 	if opts.source == opts.destination && opts.source == directory.Transport.Name() {
 		return errors.New("sync from 'dir' to 'dir' not implemented, consider using rsync instead")
 	}

+	opts.destImage.warnAboutIneffectiveOptions(transports.Get(opts.destination))
+
 	imageListSelection := copy.CopySystemImage
 	if opts.all {
 		imageListSelection = copy.CopyAllImages
@@ -563,7 +575,7 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {

 	sourceArg := args[0]
 	var srcRepoList []repoDescriptor
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		srcRepoList, err = imagesToCopy(sourceArg, opts.source, sourceCtx)
 		return err
 	}, opts.retryOpts); err != nil {
@@ -576,15 +588,51 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 		return err
 	}

-	passphrase, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
-	if err != nil {
-		return err
+	// c/image/copy.Image does allow creating both simple signing and sigstore signatures simultaneously,
+	// with independent passphrases, but that would make the CLI probably too confusing.
+	// For now, use the passphrase with either, but only one of them.
+	if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signBySigstorePrivateKey != "" {
+		return fmt.Errorf("Only one of --sign-by and sign-by-sigstore-private-key can be used with sign-passphrase-file")
 	}
+	var passphrase string
+	if opts.signPassphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else if opts.signBySigstorePrivateKey != "" {
+		p, err := promptForPassphrase(opts.signBySigstorePrivateKey, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	}
+
+	var signers []*signer.Signer
+	if opts.signBySigstoreParamFile != "" {
+		signer, err := sigstore.NewSignerFromParameterFile(opts.signBySigstoreParamFile, &sigstore.Options{
+			PrivateKeyPassphrasePrompt: func(keyFile string) (string, error) {
+				return promptForPassphrase(keyFile, os.Stdin, os.Stdout)
+			},
+			Stdin:  os.Stdin,
+			Stdout: stdout,
+		})
+		if err != nil {
+			return fmt.Errorf("Error using --sign-by-sigstore: %w", err)
+		}
+		defer signer.Close()
+		signers = append(signers, signer)
+	}
+
 	options := copy.Options{
 		RemoveSignatures:                      opts.removeSignatures,
+		Signers:                               signers,
 		SignBy:                                opts.signByFingerprint,
 		SignPassphrase:                        passphrase,
-		ReportWriter:                          os.Stdout,
+		SignBySigstorePrivateKeyFile:          opts.signBySigstorePrivateKey,
+		SignSigstorePrivateKeyPassphrase:      []byte(passphrase),
+		ReportWriter:                          stdout,
 		DestinationCtx:                        destinationCtx,
 		ImageListSelection:                    imageListSelection,
 		PreserveDigests:                       opts.preserveDigests,
@@ -593,6 +641,10 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 	}
 	errorsPresent := false
 	imagesNumber := 0
+	if opts.dryRun {
+		logrus.Warn("Running in dry-run mode")
+	}
+
 	for _, srcRepo := range srcRepoList {
 		options.SourceCtx = srcRepo.Context
 		for counter, ref := range srcRepo.ImageRefs {
@@ -614,34 +666,42 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 				destSuffix = path.Base(destSuffix)
 			}

-			destRef, err := destinationReference(path.Join(destination, destSuffix), opts.destination)
+			destRef, err := destinationReference(path.Join(destination, destSuffix)+opts.appendSuffix, opts.destination)
 			if err != nil {
 				return err
 			}

-			logrus.WithFields(logrus.Fields{
+			fromToFields := logrus.Fields{
 				"from": transports.ImageName(ref),
 				"to":   transports.ImageName(destRef),
-			}).Infof("Copying image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
-
-			if err = retry.RetryIfNecessary(ctx, func() error {
-				_, err = copy.Image(ctx, policyContext, destRef, ref, &options)
-				return err
-			}, opts.retryOpts); err != nil {
-				if !opts.keepGoing {
-					return errors.Wrapf(err, "Error copying ref %q", transports.ImageName(ref))
+			}
+			if opts.dryRun {
+				logrus.WithFields(fromToFields).Infof("Would have copied image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
+			} else {
+				logrus.WithFields(fromToFields).Infof("Copying image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
+				if err = retry.IfNecessary(ctx, func() error {
+					_, err = copy.Image(ctx, policyContext, destRef, ref, &options)
+					return err
+				}, opts.retryOpts); err != nil {
+					if !opts.keepGoing {
+						return fmt.Errorf("Error copying ref %q: %w", transports.ImageName(ref), err)
+					}
+					// log the error, keep a note that there was a failure and move on to the next
+					// image ref
+					errorsPresent = true
+					logrus.WithError(err).Errorf("Error copying ref %q", transports.ImageName(ref))
+					continue
 				}
-				// log the error, keep a note that there was a failure and move on to the next
-				// image ref
-				errorsPresent = true
-				logrus.WithError(err).Errorf("Error copying ref %q", transports.ImageName(ref))
-				continue
 			}
 			imagesNumber++
 		}
 	}

-	logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	if opts.dryRun {
+		logrus.Infof("Would have synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	} else {
+		logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	}
 	if !errorsPresent {
 		return nil
 	}
--- a/cmd/skopeo/unshare_linux.go
+++ b/cmd/skopeo/unshare_linux.go
@@ -1,9 +1,10 @@
 package main

 import (
+	"fmt"
+
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/storage/pkg/unshare"
-	"github.com/pkg/errors"
 	"github.com/syndtr/gocapability/capability"
 )

@@ -22,7 +23,7 @@ func maybeReexec() error {
 	// if we already have the capabilities we need.
 	capabilities, err := capability.NewPid(0)
 	if err != nil {
-		return errors.Wrapf(err, "error reading the current capabilities sets")
+		return fmt.Errorf("error reading the current capabilities sets: %w", err)
 	}
 	for _, cap := range neededCapabilities {
 		if !capabilities.Get(capability.EFFECTIVE, cap) {
--- a/cmd/skopeo/utils.go
+++ b/cmd/skopeo/utils.go
@@ -2,6 +2,7 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -9,15 +10,16 @@ import (

 	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/directory"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/compression"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"golang.org/x/term"
 )

 // errorShouldDisplayUsage is a subtype of error used by command handlers to indicate that cli.ShowSubcommandHelp should be called.
@@ -25,6 +27,27 @@ type errorShouldDisplayUsage struct {
 	error
 }

+// noteCloseFailure returns (possibly-nil) err modified to account for (non-nil) closeErr.
+// The error for closeErr is annotated with description (which is not a format string)
+// Typical usage:
+//
+//	defer func() {
+//		if err := something.Close(); err != nil {
+//			returnedErr = noteCloseFailure(returnedErr, "closing something", err)
+//		}
+//	}
+func noteCloseFailure(err error, description string, closeErr error) error {
+	// We don’t accept a Closer() and close it ourselves because signature.PolicyContext has .Destroy(), not .Close().
+	// This also makes it harder for a caller to do
+	//     defer noteCloseFailure(returnedErr, …)
+	// which doesn’t use the right value of returnedErr, and doesn’t update it.
+	if err == nil {
+		return fmt.Errorf("%s: %w", description, closeErr)
+	}
+	// In this case we prioritize the primary error for use with %w; closeErr is usually less relevant, or might be a consequence of the primary erorr.
+	return fmt.Errorf("%w (%s: %v)", err, description, closeErr)
+}
+
 // commandAction intermediates between the RunE interface and the real handler,
 // primarily to ensure that cobra.Command is not available to the handler, which in turn
 // makes sure that the cmd.Flags() etc. flag access functions are not used,
@@ -33,8 +56,9 @@ type errorShouldDisplayUsage struct {
 func commandAction(handler func(args []string, stdout io.Writer) error) func(cmd *cobra.Command, args []string) error {
 	return func(c *cobra.Command, args []string) error {
 		err := handler(args, c.OutOrStdout())
-		if _, ok := err.(errorShouldDisplayUsage); ok {
-			c.Help()
+		var shouldDisplayUsage errorShouldDisplayUsage
+		if errors.As(err, &shouldDisplayUsage) {
+			return c.Help()
 		}
 		return err
 	}
@@ -151,8 +175,8 @@ func imageFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLS
 	return fs, opts
 }

-func retryFlags() (pflag.FlagSet, *retry.RetryOptions) {
-	opts := retry.RetryOptions{}
+func retryFlags() (pflag.FlagSet, *retry.Options) {
+	opts := retry.Options{}
 	fs := pflag.FlagSet{}
 	fs.IntVar(&opts.MaxRetry, "retry-times", 0, "the number of times to possibly retry")
 	return fs, &opts
@@ -221,6 +245,7 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
 }

 // imageDestOptions is a superset of imageOptions specialized for image destinations.
+// Every user should call imageDestOptions.warnAboutIneffectiveOptions() as part of handling the CLI
 type imageDestOptions struct {
 	*imageOptions
 	dirForceCompression         bool                   // Compress layers when saving to the dir: transport
@@ -229,12 +254,13 @@ type imageDestOptions struct {
 	compressionFormat           string                 // Format to use for the compression
 	compressionLevel            commonFlag.OptionalInt // Level to use for the compression
 	precomputeDigests           bool                   // Precompute digests to dedup layers when saving to the docker: transport
+	imageDestFlagPrefix         string
 }

 // imageDestFlags prepares a collection of CLI flags writing into imageDestOptions, and the managed imageDestOptions structure.
 func imageDestFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLSVerify *deprecatedTLSVerifyOption, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageDestOptions) {
 	genericFlags, genericOptions := imageFlags(global, shared, deprecatedTLSVerify, flagPrefix, credsOptionAlias)
-	opts := imageDestOptions{imageOptions: genericOptions}
+	opts := imageDestOptions{imageOptions: genericOptions, imageDestFlagPrefix: flagPrefix}
 	fs := pflag.FlagSet{}
 	fs.AddFlagSet(&genericFlags)
 	fs.BoolVar(&opts.dirForceCompression, flagPrefix+"compress", false, "Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)")
@@ -272,6 +298,19 @@ func (opts *imageDestOptions) newSystemContext() (*types.SystemContext, error) {
 	return ctx, err
 }

+// warnAboutIneffectiveOptions warns if any ineffective option was set by the user
+// Every user should call this as part of handling the CLI
+func (opts *imageDestOptions) warnAboutIneffectiveOptions(destTransport types.ImageTransport) {
+	if destTransport.Name() != directory.Transport.Name() {
+		if opts.dirForceCompression {
+			logrus.Warnf("--%s can only be used if the destination transport is 'dir'", opts.imageDestFlagPrefix+"compress")
+		}
+		if opts.dirForceDecompression {
+			logrus.Warnf("--%s can only be used if the destination transport is 'dir'", opts.imageDestFlagPrefix+"decompress")
+		}
+	}
+}
+
 func parseCreds(creds string) (string, string, error) {
 	if creds == "" {
 		return "", "", errors.New("credentials can't be empty")
@@ -354,3 +393,19 @@ func adjustUsage(c *cobra.Command) {
 	c.SetUsageTemplate(usageTemplate)
 	c.DisableFlagsInUseLine = true
 }
+
+// promptForPassphrase interactively prompts for a passphrase related to privateKeyFile
+func promptForPassphrase(privateKeyFile string, stdin, stdout *os.File) (string, error) {
+	stdinFd := int(stdin.Fd())
+	if !term.IsTerminal(stdinFd) {
+		return "", fmt.Errorf("Cannot prompt for a passphrase for key %s, standard input is not a TTY", privateKeyFile)
+	}
+
+	fmt.Fprintf(stdout, "Passphrase for key %s: ", privateKeyFile)
+	passphrase, err := term.ReadPassword(stdinFd)
+	if err != nil {
+		return "", fmt.Errorf("Error reading password: %w", err)
+	}
+	fmt.Fprintf(stdout, "\n")
+	return string(passphrase), nil
+}
--- a/cmd/skopeo/utils_test.go
+++ b/cmd/skopeo/utils_test.go
@@ -1,7 +1,7 @@
 package main

 import (
-	"os"
+	"errors"
 	"testing"

 	"github.com/containers/image/v5/manifest"
@@ -13,6 +13,27 @@ import (
 	"github.com/stretchr/testify/require"
 )

+func TestNoteCloseFailure(t *testing.T) {
+	const description = "description"
+
+	mainErr := errors.New("main")
+	closeErr := errors.New("closing")
+
+	// Main success, closing failed
+	res := noteCloseFailure(nil, description, closeErr)
+	require.NotNil(t, res)
+	assert.Contains(t, res.Error(), description)
+	assert.Contains(t, res.Error(), closeErr.Error())
+
+	// Both main and closing failed
+	res = noteCloseFailure(mainErr, description, closeErr)
+	require.NotNil(t, res)
+	assert.Contains(t, res.Error(), mainErr.Error())
+	assert.Contains(t, res.Error(), description)
+	assert.Contains(t, res.Error(), closeErr.Error())
+	assert.ErrorIs(t, res, mainErr)
+}
+
 // fakeGlobalOptions creates globalOptions and sets it according to flags.
 func fakeGlobalOptions(t *testing.T, flags []string) (*globalOptions, *cobra.Command) {
 	app, opts := createApp()
@@ -128,17 +149,9 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) {
 		DockerRegistryUserAgent: defaultUserAgent,
 	}, res)

-	oldXRD, hasXRD := os.LookupEnv("REGISTRY_AUTH_FILE")
-	defer func() {
-		if hasXRD {
-			os.Setenv("REGISTRY_AUTH_FILE", oldXRD)
-		} else {
-			os.Unsetenv("REGISTRY_AUTH_FILE")
-		}
-	}()
 	authFile := "/tmp/auth.json"
 	// Make sure when REGISTRY_AUTH_FILE is set the auth file is used
-	os.Setenv("REGISTRY_AUTH_FILE", authFile)
+	t.Setenv("REGISTRY_AUTH_FILE", authFile)

 	// Explicitly set everything to default, except for when the default is “not present”
 	opts = fakeImageDestOptions(t, "dest-", true, []string{}, []string{
--- a/completions/bash/skopeo
+++ b/completions/bash/skopeo
@@ -1,341 +0,0 @@
-#! /bin/bash
-
-_complete_() {
-    local options_with_args=$1
-    local boolean_options="$2 -h --help"
-    local transports=$3
-
-    local option_with_args
-    for option_with_args in $options_with_args $transports
-    do
-        if [ "$option_with_args" == "$prev" ] || [ "$option_with_args" == "$cur" ]
-        then
-            return
-        fi
-    done
-
-    case "$cur" in
-        -*)
-            while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
-            ;;
-        *)
-            if [ -n "$transports" ]
-            then
-                compopt -o nospace
-                while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$transports" -- "$cur")
-            fi
-            ;;
-    esac
-}
-
-_skopeo_supported_transports() {
-    local subcommand=$1
-
-    skopeo "$subcommand" --help | grep "Supported transports" -A 1 | tail -n 1 | sed -e 's/,/:/g' -e 's/$/:/'
-}
-
-_skopeo_copy() {
-    local options_with_args="
-    --authfile
-    --src-authfile
-    --dest-authfile
-    --format -f
-    --multi-arch
-    --sign-by
-    --sign-passphrase-file
-    --src-creds --screds
-    --src-cert-dir
-    --src-tls-verify
-    --dest-creds --dcreds
-    --dest-cert-dir
-    --dest-tls-verify
-    --src-daemon-host
-    --dest-daemon-host
-    --src-registry-token
-    --dest-registry-token
-    --src-username
-    --src-password
-    --dest-username
-    --dest-password
-    "
-
-    local boolean_options="
-    --all
-    --dest-compress
-    --dest-decompress
-    --remove-signatures
-    --src-no-creds
-    --dest-no-creds
-    --dest-oci-accept-uncompressed-layers
-    --dest-precompute-digests
-    --preserve-digests
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_sync() {
-    local options_with_args="
-    --authfile
-    --dest
-    --dest-authfile
-    --dest-cert-
-    --dest-creds
-    --dest-registry-token string
-    --format
-    --retry-times
-    --sign-by
-    --sign-passphrase-file
-    --src
-    --src-authfile
-    --src-cert-dir
-    --src-creds
-    --src-registry-token
-    --src-username
-    --src-password
-    --dest-username
-    --dest-password
-    "
-
-    local boolean_options="
-    --all
-    --dest-no-creds
-    --dest-tls-verify
-    --remove-signatures
-    --scoped
-    --src-no-creds
-    --src-tls-verify
-    --keep-going
-    --preserve-digests
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_inspect() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --format
-     --retry-times
-     --registry-token
-    --username
-    --password
-     "
-     local boolean_options="
-     --config
-     --raw
-     --tls-verify
-     --no-creds
-     --no-tags -n
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_standalone_sign() {
-     local options_with_args="
-       -o --output
-       --passphrase-file
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_standalone_verify() {
-     local options_with_args="
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_manifest_digest() {
-     local options_with_args="
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_delete() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --registry-token
-    --username
-    --password
-     "
-     local boolean_options="
-     --tls-verify
-     --no-creds
-     "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_layers() {
-     local options_with_args="
-       --authfile
-       --creds
-       --cert-dir
-       --registry-token
-      --username
-      --password
-     "
-     local boolean_options="
-       --tls-verify
-       --no-creds
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_list_repository_tags() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --registry-token
-    --username
-    --password
-     "
-
-     local boolean_options="
-     --tls-verify
-     --no-creds
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_login() {
-    local options_with_args="
-    --authfile
-    --cert-dir
-    --password -p
-    --username -u
-    "
-
-    local boolean_options="
-    --get-login
-    --tls-verify
-    --password-stdin
-    "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_logout() {
-    local options_with_args="
-    --authfile
-    "
-
-    local boolean_options="
-    --all -a
-    "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_skopeo() {
-     # XXX: Changes here need to be reflected in the manually expanded
-     # string in the `case` statement below as well.
-     local options_with_args="
-       --policy
-       --registries.d
-       --override-arch
-       --override-os
-       --override-variant
-       --command-timeout
-       --tmpdir
-     "
-     local boolean_options="
-       --insecure-policy
-       --debug
-       --version -v
-       --help -h
-     "
-
-     local commands=(
-       copy
-       delete
-       inspect
-       list-tags
-       login
-       logout
-       manifest-digest
-       standalone-sign
-       standalone-verify
-       sync
-       help
-       h
-     )
-
-     case "$prev" in
-         # XXX: Changes here need to be reflected in $options_with_args as well.
-         --policy|--registries.d|--override-arch|--override-os|--override-variant|--command-timeout)
-             return
-             ;;
-     esac
-
-     case "$cur" in
-         -*)
-             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
-             ;;
-         *)
-             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "${commands[*]} help" -- "$cur")
-             ;;
-     esac
-}
-
-_cli_bash_autocomplete() {
-     local cur
-
-     COMPREPLY=()
-     cur="${COMP_WORDS[COMP_CWORD]}"
-     COMPREPLY=()
-     local cur prev words cword
-
-     _get_comp_words_by_ref -n : cur prev words cword
-
-     local command="skopeo" cpos=0
-     local counter=1
-     while [ $counter -lt "$cword" ]; do
-         case "${words[$counter]}" in
-             skopeo|copy|sync|inspect|delete|manifest-digest|standalone-sign|standalone-verify|help|h|list-repository-tags)
-                 command="${words[$counter]//-/_}"
-                 cpos=$counter
-                 (( cpos++ ))
-                 break
-                 ;;
-         esac
-         (( counter++ ))
-     done
-
-     local completions_func=_skopeo_${command}
-     declare -F "$completions_func" >/dev/null && $completions_func
-
-     return 0
-}
-
- complete -F _cli_bash_autocomplete skopeo
--- a/contrib/cirrus/ostree_ext.dockerfile
+++ b/contrib/cirrus/ostree_ext.dockerfile
@@ -0,0 +1,15 @@
+ARG BASE_FQIN=quay.io/coreos-assembler/fcos-buildroot:testing-devel
+FROM $BASE_FQIN
+
+# See 'Danger of using COPY and ADD instructions'
+# at https://cirrus-ci.org/guide/docker-builder-vm/#dockerfile-as-a-ci-environment
+# Provide easy way to force-invalidate image cache by .cirrus.yml change
+ARG CIRRUS_IMAGE_VERSION
+ENV CIRRUS_IMAGE_VERSION=$CIRRUS_IMAGE_VERSION
+ADD https://sh.rustup.rs /var/tmp/rustup_installer.sh
+
+RUN dnf erase -y rust && \
+    chmod +x /var/tmp/rustup_installer.sh && \
+    /var/tmp/rustup_installer.sh -y --default-toolchain stable --profile minimal
+
+ENV PATH=/root/.cargo/bin:/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -30,12 +30,6 @@ else
    ) > /dev/stderr
 fi

-OS_RELEASE_ID="$(source /etc/os-release; echo $ID)"
-# GCE image-name compatible string representation of distribution _major_ version
-OS_RELEASE_VER="$(source /etc/os-release; echo $VERSION_ID | tr -d '.')"
-# Combined to ease some usage
-OS_REL_VER="${OS_RELEASE_ID}-${OS_RELEASE_VER}"
-
 # This is the magic interpreted by the tests to allow modifying local config/services.
 SKOPEO_CONTAINER_TESTS=1

@@ -61,9 +55,6 @@ _run_setup() {
    # VM's come with the distro. skopeo package pre-installed
    dnf erase -y skopeo

-    # Required for testing the SIF transport
-    dnf install -y fakeroot squashfs-tools
-
    msg "Removing systemd-resolved from nsswitch.conf"
    # /etc/resolv.conf is already set to bypass systemd-resolvd
    sed -i -r -e 's/^(hosts.+)resolve.+dns/\1dns/' /etc/nsswitch.conf
@@ -121,18 +112,19 @@ _run_unit() {
    make test-unit-local BUILDTAGS="$BUILDTAGS"
 }

-_run_integration() {
+_podman_reset() {
    # Ensure we start with a clean-slate
-    podman system reset --force
+    showrun podman system reset --force
+}

+_run_integration() {
+    _podman_reset
    make test-integration-local BUILDTAGS="$BUILDTAGS"
 }

 _run_system() {
-    # Ensure we start with a clean-slate
-    podman system reset --force
-
-    # Executes with containers required for testing.
+    _podman_reset
+    ##### Note: Test MODIFIES THE HOST SETUP #####
    make test-system-local BUILDTAGS="$BUILDTAGS"
 }

--- a/contrib/skopeoimage/README.md
+++ b/contrib/skopeoimage/README.md
@@ -1,4 +1,17 @@
-<img src="https://cdn.rawgit.com/containers/skopeo/master/docs/skopeo.svg" width="250">
+[comment]: <> (***ATTENTION*** ***WARNING*** ***ALERT*** ***CAUTION*** ***DANGER***)
+[comment]: <> ()
+[comment]: <> (ANY changes made to this file, once commited/merged must)
+[comment]: <> (be manually copy/pasted -in markdown- into the description)
+[comment]: <> (field on Quay at the following locations:)
+[comment]: <> ()
+[comment]: <> (https://quay.io/repository/containers/skopeo)
+[comment]: <> (https://quay.io/repository/skopeo/stable)
+[comment]: <> (https://quay.io/repository/skopeo/testing)
+[comment]: <> (https://quay.io/repository/skopeo/upstream)
+[comment]: <> ()
+[comment]: <> (***ATTENTION*** ***WARNING*** ***ALERT*** ***CAUTION*** ***DANGER***)
+
+<img src="https://cdn.rawgit.com/containers/skopeo/main/docs/skopeo.svg" width="250">

 ----

@@ -6,7 +19,7 @@

 ## Overview

-This directory contains the Dockerfiles necessary to create the skopeoimage container
+This directory contains the Containerfiles necessary to create the skopeoimage container
 images that are housed on quay.io under the skopeo account.  All repositories where
 the images live are public and can be pulled without credentials.  These container images are secured and the
 resulting containers can run safely with privileges within the container.
@@ -18,22 +31,23 @@ default to `/`.

 The container images are:

-  * `quay.io/containers/skopeo:<version>` and `quay.io/skopeo/stable:<version>` -
-    These images are built when a new Skopeo version becomes available in
-    Fedora.  These images are intended to be unchanging and stable, they will
-    never be updated by automation once they've been pushed.  For build details,
-    please [see the configuration file](stable/Dockerfile).
+  * `quay.io/containers/skopeo:v<version>` and `quay.io/skopeo/stable:v<version>` -
+    These images are built daily.  These images are intended contain an unchanging
+    and stable version of skopeo.  For the most recent `<version>` tags (`vX`,
+    `vX.Y`, and `vX.Y.Z`) the image contents will be updated daily to incorporate
+    (especially) security updates.  For build details, please[see the configuration
+    file](stable/Containerfile).
  * `quay.io/containers/skopeo:latest` and `quay.io/skopeo/stable:latest` -
-    Built daily using the same Dockerfile as above.  The skopeo version
-    will remain the "latest" available in Fedora, however the image
+    Built daily using the same Containerfile as above.  The skopeo version
+    will remain the "latest" available in Fedora, however the other image
    contents may vary compared to the version-tagged images.
  * `quay.io/skopeo/testing:latest` - This image is built daily, using the
    latest version of Skopeo that was in the Fedora `updates-testing` repository.
-    The image is Built with [the testing Dockerfile](testing/Dockerfile).
+    The image is Built with [the testing Containerfile](testing/Containerfile).
  * `quay.io/skopeo/upstream:latest` - This image is built daily using the latest
    code found in this GitHub repository.  Due to the image changing frequently,
    it's not guaranteed to be stable or even executable.  The image is built with
-    [the upstream Dockerfile](upstream/Dockerfile).
+    [the upstream Containerfile](upstream/Containerfile).


 ## Sample Usage
--- a/contrib/skopeoimage/stable/Containerfile
+++ b/contrib/skopeoimage/stable/Containerfile
@@ -0,0 +1,47 @@
+# stable/Containerfile
+#
+# Build a Skopeo container image from the latest
+# stable version of Skopeo on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y install skopeo fuse-overlayfs \
+        --exclude container-selinux && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd skopeo && \
+    echo skopeo:100000:65536 > /etc/subuid && \
+    echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+        -e '/additionalimage.*/a "/var/lib/shared",' \
+        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+        /usr/share/containers/storage.conf \
+        > /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/stable/Dockerfile
+++ b/contrib/skopeoimage/stable/Dockerfile
@@ -1,33 +0,0 @@
-# stable/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# stable version of Skopeo on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/testing/Containerfile
+++ b/contrib/skopeoimage/testing/Containerfile
@@ -0,0 +1,49 @@
+# testing/Containerfile
+#
+# Build a Skopeo container image from the latest
+# version of Skopeo that is in updates-testing
+# on the Fedoras Updates System.
+# https://bodhi.fedoraproject.org/updates/?search=skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y install skopeo fuse-overlayfs \
+        --exclude container-selinux \
+        --enablerepo updates-testing && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd skopeo && \
+    echo skopeo:100000:65536 > /etc/subuid && \
+    echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+        -e '/additionalimage.*/a "/var/lib/shared",' \
+        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+        /usr/share/containers/storage.conf \
+        > /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/testing/Dockerfile
+++ b/contrib/skopeoimage/testing/Dockerfile
@@ -1,34 +0,0 @@
-# testing/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# version of Skopeo that is in updates-testing
-# on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/upstream/Containerfile
+++ b/contrib/skopeoimage/upstream/Containerfile
@@ -0,0 +1,50 @@
+# upstream/Containerfile
+#
+# Build a Skopeo container image from the latest
+# upstream version of Skopeo on GitHub.
+# https://github.com/containers/skopeo
+# This image can be used to create a secured container
+# that runs safely with privileges within the container.
+#
+FROM registry.fedoraproject.org/fedora:latest
+
+# Don't include container-selinux and remove
+# directories used by dnf that are just taking
+# up space.
+# TODO: rpm --setcaps... needed due to Fedora (base) image builds
+#       being (maybe still?) affected by
+#       https://bugzilla.redhat.com/show_bug.cgi?id=1995337#c3
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y install 'dnf-command(copr)' --enablerepo=updates-testing && \
+    dnf -y copr enable rhcontainerbot/podman-next && \
+    dnf -y install skopeo \
+        --exclude container-selinux \
+        --enablerepo=updates-testing && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd skopeo && \
+    echo skopeo:100000:65536 > /etc/subuid && \
+    echo skopeo:100000:65536 > /etc/subgid
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+        -e '/additionalimage.*/a "/var/lib/shared",' \
+        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+        /usr/share/containers/storage.conf \
+        > /etc/containers/storage.conf
+
+# Setup the ability to use additional stores
+# with this container image.
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock
+
+# Point to the Authorization file
+ENV REGISTRY_AUTH_FILE=/tmp/auth.json
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/upstream/Dockerfile
+++ b/contrib/skopeoimage/upstream/Dockerfile
@@ -1,54 +0,0 @@
-# upstream/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# upstream version of Skopeo on GitHub.
-# https://github.com/containers/skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \
-yum -y install make \
-golang \
-git \
-go-md2man \
-fuse-overlayfs \
-fuse3 \
-containers-common \
-gpgme-devel \
-libassuan-devel \
-btrfs-progs-devel \
-device-mapper-devel --enablerepo updates-testing --exclude container-selinux; \
-mkdir /root/skopeo; \
-git clone https://github.com/containers/skopeo /root/skopeo/src/github.com/containers/skopeo; \
-export GOPATH=/root/skopeo; \
-cd /root/skopeo/src/github.com/containers/skopeo; \
-make bin/skopeo;\
-make PREFIX=/usr install;\
-rm -rf /root/skopeo/*; \
-yum -y remove git golang go-md2man make; \
-yum -y clean all; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/default.yaml
+++ b/default.yaml
@@ -1,19 +1,21 @@
 # This is a default registries.d configuration file.  You may
 # add to this file or create additional files in registries.d/.
 #
-# sigstore: indicates a location that is read and write
-# sigstore-staging: indicates a location that is only for write
+# lookaside: for reading/writing simple signing signatures
+# lookaside-staging: for writing simple signing signatures, preferred over lookaside
 #
-# sigstore and sigstore-staging take a value of the following:
-#   sigstore:  {schema}://location
+# lookaside and lookaside-staging take a value of the following:
+#   lookaside:  {schema}://location
 #
 # For reading signatures, schema may be http, https, or file.
 # For writing signatures, schema may only be file.

-# This is the default signature write location for docker registries.
+# The default locations are built-in, for both reading and writing:
+# /var/lib/containers/sigstore for root, or
+# ~/.local/share/containers/sigstore for non-root users.
 default-docker:
-#  sigstore: file:///var/lib/containers/sigstore
-  sigstore-staging: file:///var/lib/containers/sigstore
+#  lookaside: https://…
+#  lookaside-staging: file:///…

 # The 'docker' indicator here is the start of the configuration
 # for docker registries.
@@ -21,6 +23,6 @@ default-docker:
 # docker:
 #
 #   privateregistry.com:
-#    sigstore: http://privateregistry.com/sigstore/
-#    sigstore-staging: /mnt/nfs/privateregistry/sigstore
+#    lookaside: https://privateregistry.com/sigstore/
+#    lookaside-staging: /mnt/nfs/privateregistry/sigstore

--- a/docs/skopeo-copy.1.md
+++ b/docs/skopeo-copy.1.md
@@ -56,7 +56,7 @@ After copying the image, write the digest of the resulting image to the file.

 **--preserve-digests**

-Preserve the digests during copying. Fail if the digest cannot be preserved.
+Preserve the digests during copying. Fail if the digest cannot be preserved. Consider using `--all` at the same time.

 **--encrypt-layer** _ints_

@@ -70,7 +70,7 @@ MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifes

 Print usage statement

-**--multi-arch**
+**--multi-arch** _option_

 Control what is copied if _source-image_ refers to a multi-architecture image. Default is system.

@@ -89,13 +89,26 @@ Suppress output information when copying images.

 Do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.

-**--sign-by**=_key-id_
+**--sign-by** _key-id_

-Add a signature using that key ID for an image name corresponding to _destination-image_
+Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_

-**--sign-passphrase-file**=_path_
+**--sign-by-sigstore** _param-file_

-The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+Add a sigstore signature based on the options in the specified containers sigstore signing parameter file, _param-file_.
+See containers-sigstore-signing-params.yaml(5) for details about the file format.
+
+**--sign-by-sigstore-private-key** _path_
+
+Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
+
+**--sign-passphrase-file** _path_
+
+The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+
+**--sign-identity** _reference_
+
+The identity to use when signing the image. The identity must be a fully specified docker reference. If the identity is not specified, the target docker reference will be used.

 **--src-shared-blob-dir** _directory_

@@ -206,12 +219,12 @@ The password to access the destination registry.
 ## EXAMPLES

 To just copy an image from one registry to another:
-```sh
+```console
 $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
 ```

 To copy the layers of the docker.io busybox image to a local directory:
-```sh
+```console
 $ mkdir -p /var/lib/images/busybox
 $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
 $ ls /var/lib/images/busybox/*
@@ -220,42 +233,46 @@ $ ls /var/lib/images/busybox/*
  /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
 ```

-To copy and sign an image:
+To create an archive consumable by `docker load` (but note that using a registry is almost always more efficient):
+```console
+$ skopeo copy docker://busybox:latest docker-archive:archive-file.tar:busybox:latest
+```

-```sh
-# skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
+To copy and sign an image:
+```console
+$ skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
 ```

 To encrypt an image:
-```sh
-skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8
+```console
+$ skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

-openssl genrsa -out private.key 1024
-openssl rsa -in private.key -pubout > public.key
+$ openssl genrsa -out private.key 1024
+$ openssl rsa -in private.key -pubout > public.key

-skopeo  copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
+$ skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
 ```

 To decrypt an image:
-```sh
-skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```console
+$ skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
 ```

 To copy encrypted image without decryption:
-```sh
-skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
+```console
+$ skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
 ```

 To decrypt an image that requires more than one key:
-```sh
-skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```console
+$ skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
 ```

 Container images can also be partially encrypted by specifying the index of the layer. Layers are 0-indexed indices, with support for negative indexing. i.e. 0 is the first layer, -1 is the last layer.

 Let's say out of 3 layers that the image `docker.io/library/nginx:1.17.8` is made up of, we only want to encrypt the 2nd layer,
-```sh
-skopeo  copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
+```console
+$ skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
 ```

 ## SEE ALSO
--- a/docs/skopeo-delete.1.md
+++ b/docs/skopeo-delete.1.md
@@ -6,17 +6,27 @@ skopeo\-delete - Mark the _image-name_ for later deletion by the registry's garb
 ## SYNOPSIS
 **skopeo delete** [*options*] _image-name_

-Mark _image-name_ for deletion.  To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,
+## DESCRIPTION
+
+Mark _image-name_ for deletion.
+The effect of this is registry-specific; many registries don’t support this operation, or don’t allow it in some circumstances / configurations.
+
+**WARNING**: If _image-name_ contains a digest, this affects the referenced manifest, and may delete all tags (within the current repository?) pointing to that manifest.
+
+**WARNING**: If _image-name_ contains a tag (but not a digest), in the current version of Skopeo this resolves the tag into a digest, and then deletes the manifest by digest, as described above (possibly deleting all tags pointing to that manifest, not just the provided tag). This behavior may change in the future.
+
+
+When using the github.com/distribution/distribution registry server:
+To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,

 ```
 /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
-
+```
 Note: sometimes the config.yml is stored in /etc/docker/registry/config.yml

 If you are running the container registry inside of a container you would execute something like:
-
+```
 $ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
-
 ```

 ## OPTIONS
@@ -75,8 +85,8 @@ The password to access the registry.
 ## EXAMPLES

 Mark image example/pause for deletion from the registry.example.com registry:
-```sh
-$ skopeo delete --force docker://registry.example.com/example/pause:latest
+```console
+$ skopeo delete docker://registry.example.com/example/pause:latest
 ```
 See above for additional details on using the command **delete**.

--- a/docs/skopeo-generate-sigstore-key.1.md
+++ b/docs/skopeo-generate-sigstore-key.1.md
@@ -0,0 +1,47 @@
+% skopeo-generate-sigstore-key(1)
+
+## NAME
+skopeo\-generate-sigstore-key - Generate a sigstore public/private key pair.
+
+## SYNOPSIS
+**skopeo generate-sigstore-key** [*options*] **--output-prefix** _prefix_
+
+## DESCRIPTION
+
+Generates a public/private key pair suitable for creating sigstore image signatures.
+The private key is encrypted with a passphrase;
+if one is not provided using an option, this command prompts for it interactively.
+
+The private key is written to _prefix_**.private** .
+The private key is written to _prefix_**.pub** .
+
+## OPTIONS
+
+**--help**, **-h**
+
+Print usage statement
+
+**--output-prefix** _prefix_
+
+Mandatory.
+Path prefix for the output keys (_prefix_**.private** and _prefix_**.pub**).
+
+**--passphrase-file** _path_
+
+The passphare to use to encrypt the private key.
+Only the first line will be read.
+A passphrase stored in a file is of questionable security if other users can read this file.
+Do not use this option if at all avoidable.
+
+## EXAMPLES
+
+```console
+$ skopeo generate-sigstore-key --output-prefix mykey
+```
+
+# SEE ALSO
+skopeo(1), skopeo-copy(1), containers-policy.json(5)
+
+## AUTHORS
+
+Miloslav Trmač <mitr@redhat.com>
--- a/docs/skopeo-inspect.1.md
+++ b/docs/skopeo-inspect.1.md
@@ -87,74 +87,90 @@ Do not list the available tags from the repository in the output. When `true`, t
 ## EXAMPLES

 To review information for the image fedora from the docker.io registry:
-```sh
+```console
 $ skopeo inspect docker://docker.io/fedora
+
 {
    "Name": "docker.io/library/fedora",
-    "Digest": "sha256:a97914edb6ba15deb5c5acf87bd6bd5b6b0408c96f48a5cbd450b5b04509bb7d",
+    "Digest": "sha256:f99efcddc4dd6736d8a88cc1ab6722098ec1d77dbf7aed9a7a514fc997ca08e0",
    "RepoTags": [
-	"20",
-	"21",
-	"22",
-	"23",
-	"24",
-	"heisenbug",
-	"latest",
-	"rawhide"
+        "20",
+        "21",
+        "..."
    ],
-    "Created": "2016-06-20T19:33:43.220526898Z",
-    "DockerVersion": "1.10.3",
-    "Labels": {},
+    "Created": "2022-11-16T07:26:42.618327645Z",
+    "DockerVersion": "20.10.12",
+    "Labels": {
+        "maintainer": "Clement Verna \u003ccverna@fedoraproject.org\u003e"
+    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
-	"sha256:7c91a140e7a1025c3bc3aace4c80c0d9933ac4ee24b8630a6b0b5d8b9ce6b9d4"
+        "sha256:cb8b1ed77979b894115a983f391465651aa7eb3edd036be4b508eea47271eb93"
+    ],
+    "LayersData": [
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:cb8b1ed77979b894115a983f391465651aa7eb3edd036be4b508eea47271eb93",
+            "Size": 65990920,
+            "Annotations": null
+        }
+    ],
+    "Env": [
+        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "DISTTAG=f37container",
+        "FGC=f37",
+        "FBR=f37"
    ]
 }
 ```

 To inspect python from the docker.io registry and not show the available tags:
-```sh
+```console
 $ skopeo inspect --no-tags docker://docker.io/library/python
 {
    "Name": "docker.io/library/python",
-    "Digest": "sha256:5ca194a80ddff913ea49c8154f38da66a41d2b73028c5cf7e46bc3c1d6fda572",
+    "Digest": "sha256:10fc14aa6ae69f69e4c953cffd9b0964843d8c163950491d2138af891377bc1d",
    "RepoTags": [],
-    "Created": "2021-10-05T23:40:54.936108045Z",
-    "DockerVersion": "20.10.7",
+    "Created": "2022-11-16T06:55:28.566254104Z",
+    "DockerVersion": "20.10.12",
    "Labels": null,
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
-        "sha256:df5590a8898bedd76f02205dc8caa5cc9863267dbcd8aac038bcd212688c1cc7",
-        "sha256:705bb4cb554eb7751fd21a994f6f32aee582fbe5ea43037db6c43d321763992b",
-        "sha256:519df5fceacdeaadeec563397b1d9f4d7c29c9f6eff879739cab6f0c144f49e1",
-        "sha256:ccc287cbeddc96a0772397ca00ec85482a7b7f9a9fac643bfddd87b932f743db",
-        "sha256:e3f8e6af58ed3a502f0c3c15dce636d9d362a742eb5b67770d0cfcb72f3a9884",
-        "sha256:aebed27b2d86a5a3a2cbe186247911047a7e432b9d17daad8f226597c0ea4276",
-        "sha256:54c32182bdcc3041bf64077428467109a70115888d03f7757dcf614ff6d95ebe",
-        "sha256:cc8b7caedab13af07adf4836e13af2d4e9e54d794129b0fd4c83ece6b1112e86",
-        "sha256:462c3718af1d5cdc050cfba102d06c26f78fe3b738ce2ca2eb248034b1738945"
+        "sha256:a8ca11554fce00d9177da2d76307bdc06df7faeb84529755c648ac4886192ed1",
+        "sha256:e4e46864aba2e62ba7c75965e4aa33ec856ee1b1074dda6b478101c577b63abd",
+        "..."
+    ],
+    "LayersData": [
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:a8ca11554fce00d9177da2d76307bdc06df7faeb84529755c648ac4886192ed1",
+            "Size": 55038615,
+            "Annotations": null
+        },
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:e4e46864aba2e62ba7c75965e4aa33ec856ee1b1074dda6b478101c577b63abd",
+            "Size": 5164893,
+            "Annotations": null
+        },
+        "..."
    ],
    "Env": [
        "PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "LANG=C.UTF-8",
-        "GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D",
-        "PYTHON_VERSION=3.10.0",
-        "PYTHON_PIP_VERSION=21.2.4",
-        "PYTHON_SETUPTOOLS_VERSION=57.5.0",
-        "PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/d781367b97acf0ece7e9e304bf281e99b618bf10/public/get-pip.py",
-        "PYTHON_GET_PIP_SHA256=01249aa3e58ffb3e1686b7141b4e9aac4d398ef4ac3012ed9dff8dd9f685ffe0"
+        "...",
    ]
 }
 ```

-```
+```console
 $ /bin/skopeo inspect --config docker://registry.fedoraproject.org/fedora --format "{{ .Architecture }}"
 amd64
 ```

-```
+```console
 $ /bin/skopeo inspect --format '{{ .Env }}' docker://registry.access.redhat.com/ubi8
 [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=oci]
 ```
--- a/docs/skopeo-list-tags.1.md
+++ b/docs/skopeo-list-tags.1.md
@@ -1,14 +1,14 @@
 % skopeo-list-tags(1)

 ## NAME
-skopeo\-list\-tags - List tags in the transport-specific image repository.
+skopeo\-list\-tags - List image names in a transport-specific collection of images.

 ## SYNOPSIS
-**skopeo list-tags** [*options*] _repository-name_
+**skopeo list-tags** [*options*] _source-image_

-Return a list of tags from _repository-name_ in a registry.
+Return a list of tags from _source-image_ in a registry or a local docker-archive file.

-  _repository-name_ name of repository to retrieve tag listing from
+  _source-image_ name of the repository to retrieve a tag listing from or a local docker-archive file.

 ## OPTIONS

@@ -53,7 +53,7 @@ The password to access the registry.

 ## REPOSITORY NAMES

-Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags". Currently, only the Docker transport is supported.
+Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags".

 This commands refers to repositories using a _transport_`:`_details_ format. The following formats are supported:

@@ -72,12 +72,14 @@ This commands refers to repositories using a _transport_`:`_details_ format. The
        "docker.io/myuser/myimage:v1.0"
        "docker.io/myuser/myimage@sha256:f48c4cc192f4c3c6a069cb5cca6d0a9e34d6076ba7c214fd0cc3ca60e0af76bb"

+  **docker-archive:path[:docker-reference]
+  more than one images were stored in a docker save-formatted file. 

 ## EXAMPLES

 ### Docker Transport
 To get the list of tags in the "fedora" repository from the docker.io registry (the repository name expands to "library/fedora" per docker transport canonical form):
-```sh
+```console
 $ skopeo list-tags docker://docker.io/fedora
 {
    "Repository": "docker.io/library/fedora",
@@ -108,7 +110,7 @@ $ skopeo list-tags docker://docker.io/fedora

 To list the tags in a local host docker/distribution registry on port 5000, in this case for the "fedora" repository:

-```sh
+```console
 $ skopeo list-tags docker://localhost:5000/fedora
 {
    "Repository": "localhost:5000/fedora",
@@ -121,8 +123,48 @@ $ skopeo list-tags docker://localhost:5000/fedora

 ```

+### Docker-archive Transport
+
+To list the tags in a local docker-archive file:
+
+```console
+$ skopeo list-tags docker-archive:/tmp/busybox.tar.gz
+{
+    "Tags": [
+        "busybox:1.28.3"
+    ]
+}
+```
+
+Also supports more than one tags in an archive:
+
+```console
+$ skopeo list-tags docker-archive:/tmp/docker-two-images.tar.gz
+{
+    "Tags": [
+        "example.com/empty:latest",
+        "example.com/empty/but:different"
+    ]
+}
+```
+
+Will include a source-index entry for each untagged image:
+
+```console
+$ skopeo list-tags docker-archive:/tmp/four-tags-with-an-untag.tar
+{
+    "Tags": [
+        "image1:tag1",
+        "image2:tag2",
+        "@2",
+        "image4:tag4"
+    ]
+}
+```
+
+
 # SEE ALSO
-skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5)
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-transports(1)

 ## AUTHORS

--- a/docs/skopeo-login.1.md
+++ b/docs/skopeo-login.1.md
@@ -57,41 +57,41 @@ Write more detailed information to stdout

 ## EXAMPLES

-```
+```console
 $ skopeo login docker.io
 Username: testuser
 Password:
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login -u testuser -p testpassword localhost:5000
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login --authfile authdir/myauths.json docker.io
 Username: testuser
 Password:
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login --tls-verify=false -u test -p test localhost:5000
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login --cert-dir /etc/containers/certs.d/ -u foo -p bar localhost:5000
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login -u testuser  --password-stdin < testpassword.txt docker.io
 Login Succeeded!
 ```

-```
+```console
 $ echo $testpassword | skopeo login -u testuser --password-stdin docker.io
 Login Succeeded!
 ```
--- a/docs/skopeo-logout.1.md
+++ b/docs/skopeo-logout.1.md
@@ -35,17 +35,17 @@ Require HTTPS and verify certificates when talking to the container registry or

 ## EXAMPLES

-```
+```console
 $ skopeo logout docker.io
 Remove login credentials for docker.io
 ```

-```
+```console
 $ skopeo logout --authfile authdir/myauths.json docker.io
 Remove login credentials for docker.io
 ```

-```
+```console
 $ skopeo logout --all
 Remove login credentials for all registries
 ```
--- a/docs/skopeo-manifest-digest.1.md
+++ b/docs/skopeo-manifest-digest.1.md
@@ -18,7 +18,7 @@ Print usage statement

 ## EXAMPLES

-```sh
+```console
 $ skopeo manifest-digest manifest.json
 sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
 ```
--- a/docs/skopeo-standalone-sign.1.md
+++ b/docs/skopeo-standalone-sign.1.md
@@ -31,7 +31,7 @@ The passphare to use when signing with the key ID from `--sign-by`. Only the fir

 ## EXAMPLES

-```sh
+```console
 $ skopeo standalone-sign busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 --output busybox.signature
 $
 ```
--- a/docs/skopeo-standalone-verify.1.md
+++ b/docs/skopeo-standalone-verify.1.md
@@ -30,7 +30,7 @@ Print usage statement

 ## EXAMPLES

-```sh
+```console
 $ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8  busybox.signature
 Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
 ```
--- a/docs/skopeo-sync.1.md
+++ b/docs/skopeo-sync.1.md
@@ -1,14 +1,14 @@
 % skopeo-sync(1)

 ## NAME
-skopeo\-sync - Synchronize images between container registries and local directories.
+skopeo\-sync - Synchronize images between registry repositories and local directories.


 ## SYNOPSIS
 **skopeo sync** [*options*] --src _transport_ --dest _transport_ _source_ _destination_

 ## DESCRIPTION
-Synchronize images between container registries and local directories.
+Synchronize images between registry repoositories and local directories.
 The synchronization is achieved by copying all the images found at _source_ to _destination_.

 Useful to synchronize a local container registry mirror, and to to populate registries running inside of air-gapped environments.
@@ -50,6 +50,10 @@ Path of the authentication file for the source registry. Uses path given by `--a

 Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.

+**--dry-run**
+
+Run the sync without actually copying data to the destination.
+
 **--src**, **-s** _transport_ Transport for the source repository.

 **--dest**, **-d** _transport_ Destination transport.
@@ -62,13 +66,28 @@ Print usage statement.

 **--scoped** Prefix images with the source image path, so that multiple images with the same name can be stored at _destination_.

-**--preserve-digests** Preserve the digests during copying. Fail if the digest cannot be preserved.
+**--append-suffix** _tag-suffix_ String to append to destination tags.
+
+**--preserve-digests** Preserve the digests during copying. Fail if the digest cannot be preserved. Consider using `--all` at the same time.

 **--remove-signatures** Do not copy signatures, if any, from _source-image_. This is necessary when copying a signed image to a destination which does not support signatures.

-**--sign-by**=_key-id_ Add a signature using that key ID for an image name corresponding to _destination-image_.
+**--sign-by** _key-id_

-**--sign-passphrase-file**=_path_ The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_
+
+**--sign-by-sigstore** _param-file_
+
+Add a sigstore signature based on the options in the specified containers sigstore signing parameter file, _param-file_.
+See containers-sigstore-signing-params.yaml(5) for details about the file format.
+
+**--sign-by-sigstore-private-key** _path_
+
+Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
+
+**--sign-passphrase-file** _path_
+
+The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.

 **--src-creds** _username[:password]_ for accessing the source registry.

@@ -114,7 +133,7 @@ The password to access the destination registry.
 ## EXAMPLES

 ### Synchronizing to a local directory
-```
+```console
 $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
 ```
 Images are located at:
@@ -132,7 +151,7 @@ Images are located at:
 /media/usb/busybox:1-glibc
 ```
 Sync run
-```
+```console
 $ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
 ```
 Destination registry content:
@@ -142,7 +161,7 @@ my-registry.local.lan/test/busybox   1-glibc
 ```

 ### Synchronizing to a local directory, scoped
-```
+```console
 $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
 ```
 Images are located at:
@@ -155,8 +174,8 @@ Images are located at:
 ```

 ### Synchronizing to a container registry
-```
-skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
+```console
+$ skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
 ```
 Destination registry content:
 ```
@@ -165,8 +184,8 @@ registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
 ```

 ### Synchronizing to a container registry keeping the repository
-```
-skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
+```console
+$ skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
 ```
 Destination registry content:
 ```
@@ -174,6 +193,16 @@ REPO                              TAGS
 registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
 ```

+### Synchronizing to a container registry with tag suffix
+```console
+$ skopeo sync --src docker --dest docker --append-suffix '-mirror' registry.example.com/busybox my-registry.local.lan
+```
+Destination registry content:
+```
+REPO                         TAGS
+registry.local.lan/busybox   1-glibc-mirror, 1-musl-mirror, 1-ubuntu-mirror, ..., latest-mirror
+```
+
 ### YAML file content (used _source_ for `**--src yaml**`)

 ```yaml
@@ -198,8 +227,8 @@ quay.io:
            - latest
 ```
 If the yaml filename is `sync.yml`, sync run:
-```
-skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
+```console
+$ skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
 ```
 This will copy the following images:
 - Repository `registry.example.com/busybox`: all images, as no tags are specified.
--- a/docs/skopeo.1.md
+++ b/docs/skopeo.1.md
@@ -47,7 +47,7 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
  **oci-archive:**_path_**:**_tag_
  An image _tag_ in a tar archive compliant with "Open Container Image Layout Specification" at _path_.

-See [containers-transports(5)](https://github.com/containers/image/blob/master/docs/containers-transports.5.md) for details.
+See [containers-transports(5)](https://github.com/containers/image/blob/main/docs/containers-transports.5.md) for details.

 ## OPTIONS

@@ -101,23 +101,24 @@ Print the version number
 | ----------------------------------------- | ------------------------------------------------------------------------------ |
 | [skopeo-copy(1)](skopeo-copy.1.md)        | Copy an image (manifest, filesystem layers, signatures) from one location to another. |
 | [skopeo-delete(1)](skopeo-delete.1.md)    | Mark the _image-name_ for later deletion by the registry's garbage collector.  |
+| [skopeo-generate-sigstore-key(1)](skopeo-generate-sigstore-key.1.md)    | Generate a sigstore public/private key pair.  |
 | [skopeo-inspect(1)](skopeo-inspect.1.md)  | Return low-level information about _image-name_ in a registry.                 |
-| [skopeo-list-tags(1)](skopeo-list-tags.1.md)  | List tags in the transport-specific image repository.                      |
+| [skopeo-list-tags(1)](skopeo-list-tags.1.md)  | List image names in a transport-specific collection of images.|
 | [skopeo-login(1)](skopeo-login.1.md)  | Login to a container registry. |
 | [skopeo-logout(1)](skopeo-logout.1.md)  | Logout of a container registry. |
 | [skopeo-manifest-digest(1)](skopeo-manifest-digest.1.md)    | Compute a manifest digest for a manifest-file and write it to standard output. |
 | [skopeo-standalone-sign(1)](skopeo-standalone-sign.1.md)    | Debugging tool - Publish and sign an image in one step.      |
 | [skopeo-standalone-verify(1)](skopeo-standalone-verify.1.md)| Verify an image signature.                                   |
-| [skopeo-sync(1)](skopeo-sync.1.md)| Synchronize images between container registries and local directories.                 |
+| [skopeo-sync(1)](skopeo-sync.1.md)| Synchronize images between registry repositories and local directories.                |

 ## FILES
  **/etc/containers/policy.json**
  Default trust policy file, if **--policy** is not specified.
-  The policy format is documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md) .
+  The policy format is documented in [containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md) .

  **/etc/containers/registries.d**
  Default directory containing registry configuration, if **--registries.d** is not specified.
-  The contents of this directory are documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md).
+  The contents of this directory are documented in [containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md).

 ## SEE ALSO
 skopeo-login(1), docker-login(1), containers-auth.json(5), containers-storage.conf(5), containers-policy.json(5), containers-transports(5)
--- a/docs/skopeo.svg
+++ b/docs/skopeo.svg
@@ -1,546 +1,74 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:xlink="http://www.w3.org/1999/xlink"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="480.61456"
-   height="472.66098"
-   viewBox="0 0 127.1626 125.05822"
-   version="1.1"
-   id="svg8"
-   inkscape:version="0.92.2 5c3e80d, 2017-08-06"
-   sodipodi:docname="skopeo.svg"
-   inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/skopeo.color.png"
-   inkscape:export-xdpi="90"
-   inkscape:export-ydpi="90">
-  <defs
-     id="defs2">
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84477">
-      <stop
-         style="stop-color:#0093d9;stop-opacity:1"
-         offset="0"
-         id="stop84473" />
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1"
-         offset="1"
-         id="stop84475" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84469">
-      <stop
-         style="stop-color:#f6e6c8;stop-opacity:1"
-         offset="0"
-         id="stop84465" />
-      <stop
-         style="stop-color:#dc9f2e;stop-opacity:1"
-         offset="1"
-         id="stop84467" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84461">
-      <stop
-         style="stop-color:#bfdce8;stop-opacity:1;"
-         offset="0"
-         id="stop84457" />
-      <stop
-         style="stop-color:#2a72ac;stop-opacity:1"
-         offset="1"
-         id="stop84459" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84420">
-      <stop
-         style="stop-color:#a7a9ac;stop-opacity:1;"
-         offset="0"
-         id="stop84416" />
-      <stop
-         style="stop-color:#e7e8e9;stop-opacity:1"
-         offset="1"
-         id="stop84418" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84347">
-      <stop
-         style="stop-color:#2c2d2f;stop-opacity:1;"
-         offset="0"
-         id="stop84343" />
-      <stop
-         style="stop-color:#000000;stop-opacity:1"
-         offset="1"
-         id="stop84345" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84339">
-      <stop
-         style="stop-color:#002442;stop-opacity:1;"
-         offset="0"
-         id="stop84335" />
-      <stop
-         style="stop-color:#151617;stop-opacity:1"
-         offset="1"
-         id="stop84337" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84331">
-      <stop
-         style="stop-color:#003d6e;stop-opacity:1;"
-         offset="0"
-         id="stop84327" />
-      <stop
-         style="stop-color:#59b5ff;stop-opacity:1"
-         offset="1"
-         id="stop84329" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84323">
-      <stop
-         style="stop-color:#dc9f2e;stop-opacity:1;"
-         offset="0"
-         id="stop84319" />
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1"
-         offset="1"
-         id="stop84321" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84325"
-       x1="221.5741"
-       y1="250.235"
-       x2="219.20772"
-       y2="221.99771"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84331"
-       id="linearGradient84333"
-       x1="223.23239"
-       y1="212.83418"
-       x2="245.52328"
-       y2="129.64345"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84339"
-       id="linearGradient84341"
-       x1="190.36137"
-       y1="217.8925"
-       x2="205.20828"
-       y2="209.32063"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84347"
-       id="linearGradient84349"
-       x1="212.05453"
-       y1="215.20055"
-       x2="237.73705"
-       y2="230.02835"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84363"
-       x1="193.61516"
-       y1="225.045"
-       x2="224.08698"
-       y2="223.54327"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84377"
-       x1="182.72513"
-       y1="222.54439"
-       x2="184.01024"
-       y2="210.35291"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84408"
-       x1="211.73801"
-       y1="225.48302"
-       x2="204.24324"
-       y2="238.46432"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84422"
-       x1="190.931"
-       y1="221.83777"
-       x2="187.53873"
-       y2="229.26593"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84339"
-       id="linearGradient84425"
-       gradientUnits="userSpaceOnUse"
-       x1="190.36137"
-       y1="217.8925"
-       x2="205.20828"
-       y2="209.32063"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84441"
-       x1="169.95944"
-       y1="215.77036"
-       x2="174.0289"
-       y2="207.81528"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84455"
-       x1="234.08092"
-       y1="252.39755"
-       x2="245.88477"
-       y2="251.21777"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84461"
-       id="radialGradient84463"
-       cx="213.19594"
-       cy="223.40646"
-       fx="214.12064"
-       fy="217.34077"
-       r="33.39888"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(2.6813748,0.05304973,-0.0423372,2.1399146,-349.74924,-255.6421)" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84469"
-       id="radialGradient84471"
-       cx="207.18298"
-       cy="211.06483"
-       fx="207.18298"
-       fy="211.06483"
-       r="2.77954"
-       gradientTransform="matrix(1.4407627,0.18685239,-0.24637721,1.8997405,-38.989952,-218.98841)"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84477"
-       id="linearGradient84479"
-       x1="241.60336"
-       y1="255.46982"
-       x2="244.45177"
-       y2="250.4846"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
+<svg width="168.71024mm" height="145.54036mm" viewBox="0 0 168.71024 145.54036" version="1.1" id="svg2674" inkscape:version="1.2 (dc2aedaf03, 2022-05-15)" sodipodi:docname="skopeo-badge-full-vert.svg" inkscape:export-filename="skopeo-badge-full-vert.png" inkscape:export-xdpi="51.86108" inkscape:export-ydpi="51.86108" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <defs id="defs2668">
+    <inkscape:path-effect is_visible="true" id="path-effect10334" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect10336" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect9986" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect9984" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect10300" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect10304" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect124972" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect124976" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163593" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163605" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163611" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163615" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163619" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163629" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163633" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163651" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163655" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163597" effect="spiro" lpeversion="0"/>
  </defs>
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="1"
-     inkscape:cx="517.27113"
-     inkscape:cy="314.79773"
-     inkscape:document-units="mm"
-     inkscape:current-layer="layer1"
-     inkscape:document-rotation="0"
-     showgrid="false"
-     units="px"
-     inkscape:snap-global="false"
-     inkscape:window-width="2560"
-     inkscape:window-height="1376"
-     inkscape:window-x="0"
-     inkscape:window-y="27"
-     inkscape:window-maximized="1"
-     fit-margin-top="0"
-     fit-margin-left="0"
-     fit-margin-right="0"
-     fit-margin-bottom="0" />
-  <metadata
-     id="metadata5">
+  <sodipodi:namedview id="base" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:pageopacity="0.0" inkscape:pageshadow="2" inkscape:zoom="0.7" inkscape:cx="399.28571" inkscape:cy="187.14286" inkscape:document-units="mm" inkscape:current-layer="g1208" showgrid="false" fit-margin-top="10" fit-margin-left="10" fit-margin-right="10" fit-margin-bottom="10" inkscape:window-width="2560" inkscape:window-height="1403" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:pagecheckerboard="0" inkscape:showpageshadow="2" inkscape:deskcolor="#d1d1d1"/>
+  <metadata id="metadata2671">
    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
+      <cc:Work rdf:about="">
        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title />
+        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage"/>
      </cc:Work>
    </rdf:RDF>
  </metadata>
-  <g
-     inkscape:label="Layer 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(-149.15784,-175.92614)">
-    <g
-       id="g84497"
-       style="stroke-width:1.32291663;stroke-miterlimit:4;stroke-dasharray:none"
-       transform="translate(0,10.583333)">
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84485"
-         width="31.605196"
-         height="19.16976"
-         x="299.48376"
-         y="87.963303"
-         transform="rotate(30)" />
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84487"
-         width="16.725054"
-         height="9.8947001"
-         x="258.07639"
-         y="92.60083"
-         transform="rotate(30)" />
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84489"
-         width="4.8383565"
-         height="11.503917"
-         x="253.2236"
-         y="91.796227"
-         transform="rotate(30)" />
-      <rect
-         y="86.859642"
-         x="331.21924"
-         height="21.377089"
-         width="4.521956"
-         id="rect84491"
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         transform="rotate(30)" />
+  <g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(378.90631,201.21016)">
+    <g id="g1208">
+      <g id="g81584" transform="matrix(1.7276536,0,0,1.7276536,-401.82487,-530.26362)" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/new skopeo/skopeo-logomark_medium_transparent-bg.png" inkscape:export-xdpi="51.86108" inkscape:export-ydpi="51.86108">
+        <g style="fill:#ffffff;fill-opacity:1;stroke:#3c6eb4;stroke-opacity:1" id="g81528" transform="translate(-734.38295,98.0028)">
+          <path inkscape:connector-curvature="0" style="opacity:1;fill:#ffffff;fill-opacity:1;stroke:#3c6eb4;stroke-width:1.05833;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 796.57913,145.63255 -19.29817,-9.23285 -4.82036,-20.8616 13.2871,-16.780616 21.38926,-0.06408 13.38485,16.701146 -4.69887,20.8897 z" id="path81526"/>
+        </g>
+        <g transform="matrix(0.43729507,0,0,0.43729507,42.235192,80.461942)" id="g81554">
+          <rect style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81530" width="16.725054" height="9.8947001" x="158.13725" y="255.21965" transform="rotate(30)"/>
+          <rect style="fill:#ffffff;stroke:#000000;stroke-width:1.32292;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6" id="rect81532" width="4.8383565" height="11.503917" x="153.28447" y="254.41505" transform="rotate(30)"/>
+          <path sodipodi:nodetypes="cczc" inkscape:connector-curvature="0" id="path81534" d="m 78.802289,335.54596 -9.111984,15.78242 c 1.40192,0.25963 4.990131,-0.63196 7.869989,-5.61868 2.879866,-4.98671 2.168498,-9.07865 1.241995,-10.16374 z" style="fill:#9dc6e7;fill-opacity:1;stroke:#2a72ac;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1"/>
+          <rect transform="rotate(30)" y="250.58212" x="199.54463" height="19.16976" width="31.605196" id="rect81536" style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1"/>
+          <rect transform="rotate(30)" style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81538" width="16.459545" height="15.252436" x="178.48766" y="252.54079"/>
+          <g style="stroke:#808080;stroke-opacity:1" id="g81548">
+            <rect style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81540" width="4.521956" height="21.377089" x="195.04353" y="249.47847" transform="rotate(30)"/>
+            <rect y="251.64348" x="174.76939" height="17.047071" width="3.617183" id="rect81542" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" transform="rotate(30)"/>
+            <rect style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81544" width="4.8383565" height="11.503917" x="153.28447" y="254.41505" transform="rotate(30)"/>
+            <rect y="249.47847" x="231.28011" height="21.377089" width="4.521956" id="rect81546" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81574;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" transform="rotate(30)"/>
+          </g>
+          <path inkscape:connector-curvature="0" id="path81550" d="m 47.691007,322.31629 22.49734,12.98884" style="fill:#ffffff;fill-rule:evenodd;stroke:#ffffff;stroke-width:3.02523;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"/>
+          <path style="fill:#ffffff;fill-rule:evenodd;stroke:#ffffff;stroke-width:3.02523;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 27.886021,312.45704 9.423431,5.07506" id="path81552" inkscape:connector-curvature="0"/>
+        </g>
+        <g transform="matrix(0.43729507,0,0,0.43729507,42.235192,101.28812)" id="g81568">
+          <path style="fill:#2a72ac;fill-opacity:1;stroke:#003e6f;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" d="m 34.507847,231.71327 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z" id="path81556" inkscape:connector-curvature="0" sodipodi:nodetypes="cccccc"/>
+          <path sodipodi:nodetypes="ccccc" inkscape:connector-curvature="0" id="path81558" d="m 28.119527,245.45648 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z" style="fill:#808080;fill-opacity:1;stroke:#000000;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6"/>
+          <path style="fill:#4d4d4d;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 24.616967,251.5299 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z" id="path81560" inkscape:connector-curvature="0" sodipodi:nodetypes="ccccc"/>
+          <ellipse ry="3.8438656" rx="3.8395541" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="ellipse81562" cx="39.230743" cy="255.66997"/>
+          <path sodipodi:nodetypes="ccc" style="fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#9dc6e7;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 71.999346,266.02935 -8.9307,-5.38071 10.81942,-5.07707" id="path81564" inkscape:connector-curvature="0"/>
+          <path style="fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#9dc6e7;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 35.169799,245.57008 10.37702,-6.1817 -7.12581,-2.30459" id="path81566" inkscape:connector-curvature="0" sodipodi:nodetypes="ccc"/>
+        </g>
+        <g style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-opacity:1" id="g81582" transform="translate(0.69195604,69.064926)">
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 83.087609,145.72448 -3.6551,1.27991" id="path81570" inkscape:connector-curvature="0" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 51.138114,129.84674 1.971302,3.71206" id="path81572" inkscape:connector-curvature="0" inkscape:export-xdpi="96.181694" inkscape:export-ydpi="96.181694"/>
+          <path inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png" inkscape:connector-curvature="0" id="path81574" d="m 70.63337,129.84674 -2.345479,4.17978" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" sodipodi:nodetypes="cc" inkscape:export-xdpi="96.181694" inkscape:export-ydpi="96.181694"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" inkscape:connector-curvature="0" id="path81576" d="m 61.405599,166.31541 v 5.83669" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" inkscape:connector-curvature="0" id="path81578" d="m 43.729779,164.25283 4.216366,-4.18995" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" sodipodi:nodetypes="cc" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 79.100039,164.25283 -1.50358,-1.57071" id="path81580" inkscape:connector-curvature="0" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+        </g>
+      </g>
+      <text id="text81524" y="-73.044861" x="-363.40085" style="font-style:normal;font-weight:normal;font-size:37.592px;line-height:22.5552px;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#e1ae4f;fill-opacity:1;stroke:none;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" xml:space="preserve"><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#e1ae4f;fill-opacity:1;stroke-width:0.264583px" y="-73.044861" x="-363.40085" id="tspan81522" sodipodi:role="line" dx="0 0 0 0 0 0"><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#294172;fill-opacity:1" id="tspan81514">sk</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#2a72ac;fill-opacity:1" id="tspan81516">o</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#294172;fill-opacity:1" id="tspan81518">pe</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#2a72ac;fill-opacity:1" id="tspan81520">o</tspan></tspan></text>
    </g>
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
-       id="path84483"
-       inkscape:connector-curvature="0" />
-    <path
-       sodipodi:nodetypes="cccccc"
-       inkscape:connector-curvature="0"
-       id="path84481"
-       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <circle
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="path84224"
-       cx="213.64427"
-       cy="234.18927"
-       r="35.482784" />
-    <circle
-       r="33.39888"
-       cy="234.18927"
-       cx="213.64427"
-       id="circle84226"
-       style="fill:url(#radialGradient84463);fill-opacity:1;stroke:none;stroke-width:0.52916664;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84114"
-       width="31.605196"
-       height="19.16976"
-       x="304.77545"
-       y="97.128738"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84116"
-       width="4.521956"
-       height="21.377089"
-       x="300.27435"
-       y="96.025078"
-       transform="rotate(30)" />
-    <rect
-       y="99.087395"
-       x="283.71848"
-       height="15.252436"
-       width="16.459545"
-       id="rect84118"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <rect
-       y="98.190086"
-       x="280.00021"
-       height="17.047071"
-       width="3.617183"
-       id="rect84120"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84122"
-       width="16.725054"
-       height="9.8947001"
-       x="263.36807"
-       y="101.76627"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84124"
-       width="4.8383565"
-       height="11.503917"
-       x="258.51526"
-       y="100.96166"
-       transform="rotate(30)" />
-    <rect
-       y="96.025078"
-       x="336.51093"
-       height="21.377089"
-       width="4.521956"
-       id="rect84126"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <path
-       style="fill:url(#linearGradient84325);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 207.24023,252.71811 25.53907,14.74414 8.52539,-14.76953 -25.53711,-14.74415 z"
-       id="rect84313"
-       inkscape:connector-curvature="0" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84128"
-       d="m 215.3335,241.36799 22.49734,12.98884"
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84130"
-       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 195.97877,212.80238 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z"
-       id="path84134"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccccc" />
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
-       id="path84136"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="cccccc" />
-    <path
-       style="fill:url(#linearGradient84422);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 186.31445,239.41146 1.30078,0.75 7.46485,-12.92968 -1.30078,-0.75 z"
-       id="rect84410"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84349);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 193.92188,218.48568 44.21289,25.55469 2.44335,-4.23242 -44.21289,-25.55664 z"
-       id="path84284"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84363);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 189.98438,240.4935 12.42187,7.16992 6.56641,-11.375 -12.42188,-7.16992 z"
-       id="rect84351"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84377);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 173.69727,227.99936 12.65234,7.30273 3.88867,-6.73633 -12.65234,-7.30273 z"
-       id="rect84365"
-       inkscape:connector-curvature="0" />
-    <path
-       sodipodi:nodetypes="ccccc"
-       inkscape:connector-curvature="0"
-       id="path84138"
-       d="m 192.47621,218.8758 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z"
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <ellipse
-       cy="223.01579"
-       cx="207.08998"
-       id="circle84140"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       rx="3.8395541"
-       ry="3.8438656" />
-    <path
-       style="fill:url(#linearGradient84333);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 197.35938,212.35287 44.36523,25.64453 7.58984,-10.83203 -20.82617,-18.73242 -25.55078,-8.08399 z"
-       id="path84272"
-       inkscape:connector-curvature="0" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84142"
-       d="m 200.6837,212.37603 11.49279,-6.98413 -8.11935,-2.73742"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84144"
-       d="m 241.31895,235.3047 -8.04514,-4.75769 10.057,-4.72299"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       sodipodi:nodetypes="ccc" />
-    <path
-       sodipodi:nodetypes="ccc"
-       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.52899998;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 241.06868,235.79543 -8.9307,-5.38071 10.81942,-5.07707"
-       id="path84280"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 200.60886,211.70589 10.37702,-6.1817 -7.12581,-2.30459"
-       id="path84290"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccc" />
-    <path
-       style="fill:url(#radialGradient84471);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 206.89258,220.23959 -0.29297,0.0352 -0.23633,0.0527 -0.26953,0.0898 -0.2793,0.125 -0.23437,0.13477 -0.20508,0.14648 -0.2207,0.19532 -0.18946,0.20117 -0.006,0.008 0.004,-0.008 -0.006,0.01 -0.008,0.01 -0.004,0.004 -0.006,0.006 -0.12109,0.1582 -0.002,0.004 -0.002,0.002 -0.16406,0.26758 -0.12109,0.24804 -0.0996,0.28125 -0.0645,0.24219 -0.0371,0.26367 -0.0176,0.31641 0.008,0.18164 0.0332,0.28711 0.0527,0.23437 0.004,0.0117 0.0937,0.28516 0.11133,0.24805 0.13086,0.23046 0.16992,0.23829 0.1836,0.20898 0.21093,0.19727 0.19532,0.14843 0.25586,0.15625 0.24218,0.11719 0.26172,0.0977 0.27344,0.0684 0.27344,0.043 0.29297,0.0137 0.18164,-0.008 0.29687,-0.0351 0.24024,-0.0547 0.27539,-0.0898 0.24218,-0.10938 0.25,-0.14453 0.23047,-0.16406 0.20899,-0.1836 0.20508,-0.21875 0.125,-0.16406 0.004,-0.006 0.1582,-0.25781 0.004,-0.008 0.12695,-0.26172 0.0996,-0.27344 0.002,-0.006 0.0586,-0.24023 0.0391,-0.26563 0.0176,-0.3125 -0.008,-0.17968 -0.0332,-0.28711 -0.0527,-0.23438 -0.004,-0.0117 -0.0937,-0.28515 -0.11132,-0.24805 -0.13086,-0.23047 -0.16993,-0.23828 -0.18554,-0.20899 -0.19922,-0.18945 -0.21875,-0.16406 -0.23828,-0.14844 -0.26563,-0.12695 -0.01,-0.004 -0.21875,-0.0801 -0.28516,-0.0723 -0.27344,-0.043 -0.29492,-0.0137 z"
-       id="ellipse84292"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84425);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 183.23633,227.10092 c 5.59753,3.20336 12.36881,4.51528 18.71366,3.17108 1.59516,-0.38 3.17489,-0.99021 4.44874,-2.04739 -0.73893,-0.64617 -1.68301,-0.99544 -2.49844,-1.53493 -3.78032,-2.18293 -7.56064,-4.36587 -11.34096,-6.5488 -3.10767,2.32001 -6.21533,4.64003 -9.323,6.96004 z"
-       id="path84298"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="cccccc" />
-    <path
-       style="fill:url(#linearGradient84479);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 238.62695,269.97787 0.006,-0.002 0.39453,-0.27735 0.41797,-0.34179 0.002,-0.002 0.45703,-0.42382 0.47851,-0.49219 0.0156,-0.0176 0.47656,-0.53711 0.002,-0.002 0.0117,-0.0137 0.48438,-0.5918 0.0117,-0.0156 0.49023,-0.64257 0.01,-0.0137 0.49609,-0.69726 0.48047,-0.71875 0.01,-0.0137 0.46485,-0.74805 0.004,-0.008 0.002,-0.002 0.30468,-0.51562 0.008,-0.0117 0.4375,-0.78711 0.40625,-0.77734 0.008,-0.0137 0.37109,-0.77149 0.008,-0.0156 0.33789,-0.75977 0.006,-0.0156 0.30078,-0.73829 0.27148,-0.74609 0.21289,-0.66602 0.17969,-0.66796 v -0.002 l 0.12305,-0.58203 0.002,-0.0137 0.0723,-0.51562 0.0176,-0.31836 z"
-       id="path84379"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84408);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 202.78906,251.42318 2.08399,1.20118 9.6289,-16.67969 -2.08203,-1.20117 z"
-       id="rect84396"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84441);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 169.0918,226.26889 2.35937,1.36133 4.69336,-8.13086 -2.35937,-1.36133 z"
-       id="rect84429"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84455);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 234.17188,269.53842 2.08203,1.20312 9.63086,-16.67773 -2.08399,-1.20313 z"
-       id="rect84443"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#f8ead2;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 215.55025,240.82707 22.49734,12.98884"
-       id="path84521"
-       inkscape:connector-curvature="0" />
  </g>
 </svg>
--- a/go.mod
+++ b/go.mod
@@ -1,24 +1,136 @@
 module github.com/containers/skopeo

-go 1.12
+go 1.17

 require (
-	github.com/containers/common v0.47.4
-	github.com/containers/image/v5 v5.19.1
-	github.com/containers/ocicrypt v1.1.2
-	github.com/containers/storage v1.38.2
-	github.com/docker/docker v20.10.12+incompatible
-	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/containers/common v0.51.0
+	github.com/containers/image/v5 v5.24.0
+	github.com/containers/ocicrypt v1.1.7
+	github.com/containers/storage v1.45.3
+	github.com/docker/distribution v2.8.1+incompatible
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.3-0.20211202193544-a5463b7f9c84
+	github.com/opencontainers/image-spec v1.1.0-rc2
 	github.com/opencontainers/image-tools v1.0.0-rc3
-	github.com/pkg/errors v0.9.1
-	github.com/russross/blackfriday v2.0.0+incompatible // indirect
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.3.0
+	github.com/sirupsen/logrus v1.9.0
+	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.7.0
+	github.com/stretchr/testify v1.8.1
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
+	golang.org/x/term v0.4.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v2 v2.4.0
 )
+
+require (
+	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/Microsoft/hcsshim v0.9.6 // indirect
+	github.com/VividCortex/ewma v1.2.0 // indirect
+	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
+	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
+	github.com/containerd/cgroups v1.0.4 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.13.0 // indirect
+	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
+	github.com/coreos/go-oidc/v3 v3.5.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/docker v20.10.23+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/go-openapi/analysis v0.21.4 // indirect
+	github.com/go-openapi/errors v0.20.3 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/loads v0.21.2 // indirect
+	github.com/go-openapi/runtime v0.24.1 // indirect
+	github.com/go-openapi/spec v0.20.7 // indirect
+	github.com/go-openapi/strfmt v0.21.3 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/validate v0.22.0 // indirect
+	github.com/go-playground/locales v0.14.0 // indirect
+	github.com/go-playground/universal-translator v0.18.0 // indirect
+	github.com/go-playground/validator/v10 v10.11.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-containerregistry v0.12.1 // indirect
+	github.com/google/go-intervals v0.0.2 // indirect
+	github.com/google/trillian v1.5.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.15.15 // indirect
+	github.com/klauspost/pgzip v1.2.6-0.20220930104621-17e8dac29df8 // indirect
+	github.com/kr/pretty v0.3.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/leodido/go-urn v1.2.1 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mistifyio/go-zfs/v3 v3.0.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opencontainers/runc v1.1.4 // indirect
+	github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb // indirect
+	github.com/opencontainers/selinux v1.10.2 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/proglottis/gpgme v0.1.3 // indirect
+	github.com/rivo/uniseg v0.4.3 // indirect
+	github.com/rogpeppe/go-internal v1.8.0 // indirect
+	github.com/russross/blackfriday v2.0.0+incompatible // indirect
+	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/sigstore/fulcio v1.0.0 // indirect
+	github.com/sigstore/rekor v1.0.1 // indirect
+	github.com/sigstore/sigstore v1.5.1 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
+	github.com/sylabs/sif/v2 v2.9.0 // indirect
+	github.com/tchap/go-patricia v2.3.0+incompatible // indirect
+	github.com/theupdateframework/go-tuf v0.5.2-0.20221207161717-9cb61d6e65f5 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/ulikunitz/xz v0.5.11 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/vbauerster/mpb/v7 v7.5.3 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	go.etcd.io/bbolt v1.3.6 // indirect
+	go.mongodb.org/mongo-driver v1.11.1 // indirect
+	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	golang.org/x/crypto v0.5.0 // indirect
+	golang.org/x/mod v0.7.0 // indirect
+	golang.org/x/net v0.5.0 // indirect
+	golang.org/x/oauth2 v0.4.0 // indirect
+	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/sys v0.4.0 // indirect
+	golang.org/x/text v0.6.0 // indirect
+	golang.org/x/tools v0.4.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
+	google.golang.org/grpc v1.51.0 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
--- a/go.sum
+++ b/go.sum
--- a/hack/btrfs_installed_tag.sh
+++ b/hack/btrfs_installed_tag.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 cc -E - > /dev/null 2> /dev/null << EOF
 #include <btrfs/ioctl.h>
 EOF
--- a/hack/btrfs_tag.sh
+++ b/hack/btrfs_tag.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 cc -E - > /dev/null 2> /dev/null << EOF
 #include <btrfs/version.h>
 EOF
--- a/hack/libdm_tag.sh
+++ b/hack/libdm_tag.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 tmpdir="$PWD/tmp.$RANDOM"
 mkdir -p "$tmpdir"
 trap 'rm -fr "$tmpdir"' EXIT
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -34,7 +34,7 @@ if [[ "$SKOPEO_CONTAINER_TESTS" == "0" ]] && [[ "$CI" != "true" ]]; then
    echo "         the Makefile targets WITHOUT the '-local' suffix."
    echo "***************************************************************"
    ) > /dev/stderr
-    sleep 5s
+    sleep 5
 fi

 echo
--- a/hack/make/test-system
+++ b/hack/make/test-system
@@ -1,14 +1,41 @@
 #!/bin/bash
 set -e

-# Before running podman for the first time, make sure
-# to set storage to vfs (not overlay): podman-in-podman
-# doesn't work with overlay. And, disable mountopt,
-# which causes error with vfs.
-sed -i \
-    -e 's/^driver\s*=.*/driver = "vfs"/' \
-    -e 's/^mountopt/#mountopt/' \
-    /etc/containers/storage.conf
+# These tests can run in/outside of a container.  However,
+# not all storage drivers are supported in a container
+# environment.  Detect this and setup storage when
+# running in a container.
+#
+# Paradoxically (FIXME: clean this up), SKOPEO_CONTAINER_TESTS is set
+# both inside a container and without a container (in a CI VM); it actually means
+# "it is safe to desctructively modify the system for tests".
+#
+# On a CI VM, we can just use Podman as it is already configured; the changes below,
+# to use VFS, are necessary only inside a container, because overlay-inside-overlay
+# does not work. So, make these changes conditional on both
+# SKOPEO_CONTAINER_TESTS (for acceptability to do destructive modification) and !CI
+# (for necessity to adjust for in-container operation)
+if ((SKOPEO_CONTAINER_TESTS)) && [[ "$CI" != true ]]; then
+    if [[ -r /etc/containers/storage.conf ]]; then
+        echo "MODIFYING existing storage.conf"
+        sed -i \
+            -e 's/^driver\s*=.*/driver = "vfs"/' \
+            -e 's/^mountopt/#mountopt/' \
+            /etc/containers/storage.conf
+    else
+        echo "CREATING NEW storage.conf"
+        cat >> /etc/containers/storage.conf << EOF
+[storage]
+driver = "vfs"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+EOF
+    fi
+    # The logic of finding the relevant storage.conf file is convoluted
+    # and in effect differs between Skopeo and Podman, at least in some versions;
+    # explicitly point at the file we want to use to hopefully avoid that.
+    export CONTAINERS_STORAGE_CONF=/etc/containers/storage.conf
+fi

 # Build skopeo, install into /usr/bin
 make PREFIX=/usr install
--- a/hack/tree_status.sh
+++ b/hack/tree_status.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -e

 STATUS=$(git status --porcelain)
--- a/install.md
+++ b/install.md
@@ -1,7 +1,8 @@
 # Installing Skopeo

 ## Distribution Packages
-`skopeo` may already be packaged in your distribution.
+`skopeo` may already be packaged in your distribution. This document lists the
+installation steps for many distros, along with their information and support links.

 ### Fedora

@@ -9,30 +10,51 @@
 sudo dnf -y install skopeo
 ```

-### RHEL/CentOS ≥ 8 and CentOS Stream
+[Package Info](https://src.fedoraproject.org/rpms/skopeo) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Fedora&component=skopeo&product=Fedora)
+
+Fedora bugs can be reported on the Skopeo GitHub [Issues](https://github.com/containers/skopeo/issues) page.
+
+### RHEL / CentOS Stream ≥ 8

 ```sh
 sudo dnf -y install skopeo
 ```

+If you are a RHEL customer, please reach out through the official RHEL support
+channels for any issues.
+
+CentOS Stream 9: [Package Info](https://gitlab.com/redhat/centos-stream/rpms/skopeo/-/tree/c9s) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Red%20Hat&component=skopeo&product=Red%20Hat%20Enterprise%20Linux%209&version=CentOS%20Stream)
+
+CentOS Stream 8: [Package Info](https://git.centos.org/rpms/skopeo/tree/c8s-stream-rhel8) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Red%20Hat&component=skopeo&product=Red%20Hat%20Enterprise%20Linux%208&version=CentOS%20Stream)
+
+
 ### RHEL/CentOS ≤ 7.x

 ```sh
 sudo yum -y install skopeo
 ```

+CentOS 7: [Package Repo](https://git.centos.org/rpms/skopeo/tree/c7-extras)
+
 ### openSUSE

 ```sh
 sudo zypper install skopeo
 ```

+[Package Info](https://software.opensuse.org/package/skopeo)
+
 ### Alpine

 ```sh
 sudo apk add skopeo
 ```

+[Package Info](https://pkgs.alpinelinux.org/packages?name=skopeo)
+
 ### macOS

 ```sh
@@ -44,6 +66,8 @@ brew install skopeo
 $ nix-env -i skopeo
 ```

+[Package Info](https://search.nixos.org/packages?&show=skopeo&query=skopeo)
+
 ### Debian

 The skopeo package is available on [Bullseye](https://packages.debian.org/bullseye/skopeo),
@@ -55,6 +79,8 @@ sudo apt-get update
 sudo apt-get -y install skopeo
 ```

+[Package Info](https://packages.debian.org/stable/skopeo)
+
 ### Raspberry Pi OS arm64 (beta)

 Raspberry Pi OS uses the standard Debian's repositories,
@@ -73,17 +99,7 @@ sudo apt-get -y update
 sudo apt-get -y install skopeo
 ```

-The [Kubic project](https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/skopeo)
-provides packages for Ubuntu 20.04 (it should also work with direct derivatives like Pop!\_OS).
-
-```bash
-. /etc/os-release
-echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
-sudo apt-get update
-sudo apt-get -y upgrade
-sudo apt-get -y install skopeo
-```
+[Package Info](https://packages.ubuntu.com/jammy/skopeo)

 ### Windows
 Skopeo has not yet been packaged for Windows. There is an [open feature
@@ -196,6 +212,13 @@ Building in a container is simpler, but more restrictive:
 $ make binary
 ```

+### Shell completion scripts
+
+Skopeo has shell completion scripts for bash, zsh, fish and powershell. They are installed as part of `make install`.
+You may have to restart your shell in order for them to take effect.
+
+For instructions to manually generate and load the scripts please see `skopeo completion --help`.
+
 ### Installation

 Finally, after the binary and documentation is built:
--- a/integration/check_test.go
+++ b/integration/check_test.go
@@ -36,12 +36,12 @@ func (s *SkopeoSuite) SetUpSuite(c *check.C) {

 func (s *SkopeoSuite) TearDownSuite(c *check.C) {
 	if s.regV2 != nil {
-		s.regV2.Close()
+		s.regV2.tearDown(c)
 	}
 	if s.regV2WithAuth != nil {
 		//cmd := exec.Command("docker", "logout", s.regV2WithAuth)
 		//c.Assert(cmd.Run(), check.IsNil)
-		s.regV2WithAuth.Close()
+		s.regV2WithAuth.tearDown(c)
 	}
 }

@@ -49,25 +49,25 @@ func (s *SkopeoSuite) TearDownSuite(c *check.C) {
 //func skopeoCmd()

 func (s *SkopeoSuite) TestVersion(c *check.C) {
-	wanted := fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version)
-	assertSkopeoSucceeds(c, wanted, "--version")
+	assertSkopeoSucceeds(c, fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version),
+		"--version")
 }

 func (s *SkopeoSuite) TestCanAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	wanted := ".*manifest unknown: manifest unknown.*"
-	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", "--creds="+s.regV2WithAuth.username+":"+s.regV2WithAuth.password, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+	assertSkopeoFails(c, ".*manifest unknown.*",
+		"--tls-verify=false", "inspect", "--creds="+s.regV2WithAuth.username+":"+s.regV2WithAuth.password, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }

 func (s *SkopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	wanted := ".*unauthorized: authentication required.*"
-	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+	assertSkopeoFails(c, ".*authentication required.*",
+		"--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }

 func (s *SkopeoSuite) TestCertDirInsteadOfCertPath(c *check.C) {
-	wanted := ".*unknown flag: --cert-path.*"
-	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-path=/")
-	wanted = ".*unauthorized: authentication required.*"
-	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-dir=/etc/docker/certs.d/")
+	assertSkopeoFails(c, ".*unknown flag: --cert-path.*",
+		"--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-path=/")
+	assertSkopeoFails(c, ".*authentication required.*",
+		"--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-dir=/etc/docker/certs.d/")
 }

 // TODO(runcom): as soon as we can push to registries ensure you can inspect here
@@ -75,10 +75,8 @@ func (s *SkopeoSuite) TestCertDirInsteadOfCertPath(c *check.C) {
 func (s *SkopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound(c *check.C) {
 	out, err := exec.Command(skopeoBinary, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2.url)).CombinedOutput()
 	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := ".*manifest unknown.*"
-	c.Assert(string(out), check.Matches, "(?s)"+wanted) // (?s) : '.' will also match newlines
-	wanted = ".*unauthorized: authentication required.*"
-	c.Assert(string(out), check.Not(check.Matches), "(?s)"+wanted) // (?s) : '.' will also match newlines
+	c.Assert(string(out), check.Matches, "(?s).*manifest unknown.*")                                 // (?s) : '.' will also match newlines
+	c.Assert(string(out), check.Not(check.Matches), "(?s).*unauthorized: authentication required.*") // (?s) : '.' will also match newlines
 }

 func (s *SkopeoSuite) TestInspectFailsWhenReferenceIsInvalid(c *check.C) {
@@ -86,28 +84,28 @@ func (s *SkopeoSuite) TestInspectFailsWhenReferenceIsInvalid(c *check.C) {
 }

 func (s *SkopeoSuite) TestLoginLogout(c *check.C) {
-	wanted := "^Login Succeeded!\n$"
-	assertSkopeoSucceeds(c, wanted, "login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
+	assertSkopeoSucceeds(c, "^Login Succeeded!\n$",
+		"login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
 	// test --get-login returns username
-	wanted = fmt.Sprintf("^%s\n$", s.regV2WithAuth.username)
-	assertSkopeoSucceeds(c, wanted, "login", "--tls-verify=false", "--get-login", s.regV2WithAuth.url)
+	assertSkopeoSucceeds(c, fmt.Sprintf("^%s\n$", s.regV2WithAuth.username),
+		"login", "--tls-verify=false", "--get-login", s.regV2WithAuth.url)
 	// test logout
-	wanted = fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url)
-	assertSkopeoSucceeds(c, wanted, "logout", s.regV2WithAuth.url)
+	assertSkopeoSucceeds(c, fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url),
+		"logout", s.regV2WithAuth.url)
 }

 func (s *SkopeoSuite) TestCopyWithLocalAuth(c *check.C) {
-	wanted := "^Login Succeeded!\n$"
-	assertSkopeoSucceeds(c, wanted, "login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
+	assertSkopeoSucceeds(c, "^Login Succeeded!\n$",
+		"login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
 	// copy to private registry using local authentication
 	imageName := fmt.Sprintf("docker://%s/busybox:mine", s.regV2WithAuth.url)
 	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", testFQIN+":latest", imageName)
 	// inspect from private registry
 	assertSkopeoSucceeds(c, "", "inspect", "--tls-verify=false", imageName)
 	// logout from the registry
-	wanted = fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url)
-	assertSkopeoSucceeds(c, wanted, "logout", s.regV2WithAuth.url)
+	assertSkopeoSucceeds(c, fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url),
+		"logout", s.regV2WithAuth.url)
 	// inspect from private registry should fail after logout
-	wanted = ".*unauthorized: authentication required.*"
-	assertSkopeoFails(c, wanted, "inspect", "--tls-verify=false", imageName)
+	assertSkopeoFails(c, ".*authentication required.*",
+		"inspect", "--tls-verify=false", imageName)
 }
--- a/integration/copy_test.go
+++ b/integration/copy_test.go
@@ -6,7 +6,7 @@ import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io/fs"
 	"log"
 	"net/http"
 	"net/http/httptest"
@@ -64,9 +64,7 @@ func (s *CopySuite) SetUpSuite(c *check.C) {
 	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, false, false)
 	s.s1Registry = setupRegistryV2At(c, v2s1DockerRegistryURL, false, true)

-	gpgHome, err := ioutil.TempDir("", "skopeo-gpg")
-	c.Assert(err, check.IsNil)
-	s.gpgHome = gpgHome
+	s.gpgHome = c.MkDir()
 	os.Setenv("GNUPGHOME", s.gpgHome)

 	for _, key := range []string{"personal", "official"} {
@@ -75,21 +73,18 @@ func (s *CopySuite) SetUpSuite(c *check.C) {
 		runCommandWithInput(c, batchInput, gpgBinary, "--batch", "--gen-key")

 		out := combinedOutputOfCommand(c, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
-		err := ioutil.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
+		err := os.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
 			[]byte(out), 0600)
 		c.Assert(err, check.IsNil)
 	}
 }

 func (s *CopySuite) TearDownSuite(c *check.C) {
-	if s.gpgHome != "" {
-		os.RemoveAll(s.gpgHome)
-	}
 	if s.registry != nil {
-		s.registry.Close()
+		s.registry.tearDown(c)
 	}
 	if s.s1Registry != nil {
-		s.s1Registry.Close()
+		s.s1Registry.tearDown(c)
 	}
 	if s.cluster != nil {
 		s.cluster.tearDown(c)
@@ -97,32 +92,20 @@ func (s *CopySuite) TearDownSuite(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithManifestList(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-manifest-list")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir)
+	dir := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", knownListImage, "dir:"+dir)
 }

 func (s *CopySuite) TestCopyAllWithManifestList(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-all-manifest-list")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir)
+	dir := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", "--all", knownListImage, "dir:"+dir)
 }

 func (s *CopySuite) TestCopyAllWithManifestListRoundTrip(c *check.C) {
-	oci1, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
-	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", knownListImage, "oci:"+oci1)
 	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "oci:"+oci1, "dir:"+dir1)
 	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "dir:"+dir1, "oci:"+oci2)
@@ -133,18 +116,10 @@ func (s *CopySuite) TestCopyAllWithManifestListRoundTrip(c *check.C) {
 }

 func (s *CopySuite) TestCopyAllWithManifestListConverge(c *check.C) {
-	oci1, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
-	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", knownListImage, "oci:"+oci1)
 	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "oci:"+oci1, "dir:"+dir1)
 	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "--format", "oci", knownListImage, "dir:"+dir2)
@@ -155,13 +130,11 @@ func (s *CopySuite) TestCopyAllWithManifestListConverge(c *check.C) {
 }

 func (s *CopySuite) TestCopyNoneWithManifestList(c *check.C) {
-	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
+	dir1 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=index-only", knownListImage, "dir:"+dir1)

 	manifestPath := filepath.Join(dir1, "manifest.json")
-	readManifest, err := ioutil.ReadFile(manifestPath)
+	readManifest, err := os.ReadFile(manifestPath)
 	c.Assert(err, check.IsNil)
 	mimeType := manifest.GuessMIMEType(readManifest)
 	c.Assert(mimeType, check.Equals, "application/vnd.docker.distribution.manifest.list.v2+json")
@@ -170,18 +143,10 @@ func (s *CopySuite) TestCopyNoneWithManifestList(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithManifestListConverge(c *check.C) {
-	oci1, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "copy-all-manifest-list-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
-	dir1, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-all-manifest-list-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", knownListImage, "oci:"+oci1)
 	assertSkopeoSucceeds(c, "", "copy", "--multi-arch=all", "oci:"+oci1, "dir:"+dir1)
 	assertSkopeoSucceeds(c, "", "copy", "--format", "oci", knownListImage, "dir:"+dir2)
@@ -192,24 +157,16 @@ func (s *CopySuite) TestCopyWithManifestListConverge(c *check.C) {
 }

 func (s *CopySuite) TestCopyAllWithManifestListStorageFails(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-storage")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	assertSkopeoFails(c, `.*destination transport .* does not support copying multiple images as a group.*`, "copy", "--multi-arch=all", knownListImage, "containers-storage:"+storage+"test")
 }

 func (s *CopySuite) TestCopyWithManifestListStorage(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "copy", knownListImage, "containers-storage:"+storage+"test")
 	assertSkopeoSucceeds(c, "", "copy", knownListImage, "dir:"+dir1)
 	assertSkopeoSucceeds(c, "", "copy", "containers-storage:"+storage+"test", "dir:"+dir2)
@@ -218,16 +175,10 @@ func (s *CopySuite) TestCopyWithManifestListStorage(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithManifestListStorageMultiple(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-multiple")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-multiple-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-multiple-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "--override-arch", "amd64", "copy", knownListImage, "containers-storage:"+storage+"test")
 	assertSkopeoSucceeds(c, "", "--override-arch", "arm64", "copy", knownListImage, "containers-storage:"+storage+"test")
 	assertSkopeoSucceeds(c, "", "--override-arch", "arm64", "copy", knownListImage, "dir:"+dir1)
@@ -237,18 +188,10 @@ func (s *CopySuite) TestCopyWithManifestListStorageMultiple(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithManifestListDigest(c *check.C) {
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
-	oci1, err := ioutil.TempDir("", "copy-manifest-list-digest-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "copy-manifest-list-digest-oci")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
 	c.Assert(err, check.IsNil)
@@ -262,31 +205,21 @@ func (s *CopySuite) TestCopyWithManifestListDigest(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithDigestfileOutput(c *check.C) {
-	tempdir, err := ioutil.TempDir("", "tempdir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tempdir)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
+	tempdir := c.MkDir()
+	dir1 := c.MkDir()
 	digestOutPath := filepath.Join(tempdir, "digest.txt")
 	assertSkopeoSucceeds(c, "", "copy", "--digestfile="+digestOutPath, knownListImage, "dir:"+dir1)
-	readDigest, err := ioutil.ReadFile(digestOutPath)
+	readDigest, err := os.ReadFile(digestOutPath)
 	c.Assert(err, check.IsNil)
 	_, err = digest.Parse(string(readDigest))
 	c.Assert(err, check.IsNil)
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
 	c.Assert(err, check.IsNil)
@@ -299,16 +232,10 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigest(c *check.C) {
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArches(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
-	dir1, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-dir")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
 	c.Assert(err, check.IsNil)
@@ -321,9 +248,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArches(c *check
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesBothUseListDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-both")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -343,9 +268,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesBothUseLi
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesFirstUsesListDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-first")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -379,9 +302,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesFirstUses
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesSecondUsesListDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-second")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -415,9 +336,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesSecondUse
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesThirdUsesListDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-third")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -451,9 +370,7 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesThirdUses
 }

 func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesTagAndDigest(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-manifest-list-storage-digest-multiple-arches-tag-digest")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	m := combinedOutputOfCommand(c, skopeoBinary, "inspect", "--raw", knownListImage)
 	manifestDigest, err := manifest.Digest([]byte(m))
@@ -496,28 +413,20 @@ func (s *CopySuite) TestCopyWithManifestListStorageDigestMultipleArchesTagAndDig
 }

 func (s *CopySuite) TestCopyFailsWhenImageOSDoesNotMatchRuntimeOS(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-fails-image-does-not-match-runtime")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	assertSkopeoFails(c, `.*no image found in manifest list for architecture .*, variant .*, OS .*`, "copy", knownWindowsOnlyImage, "containers-storage:"+storage+"test")
 }

 func (s *CopySuite) TestCopySucceedsWhenImageDoesNotMatchRuntimeButWeOverride(c *check.C) {
-	storage, err := ioutil.TempDir("", "copy-succeeds-image-does-not-match-runtime-but-override")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(storage)
+	storage := c.MkDir()
 	storage = fmt.Sprintf("[vfs@%s/root+%s/runroot]", storage, storage)
 	assertSkopeoSucceeds(c, "", "--override-os=windows", "--override-arch=amd64", "copy", knownWindowsOnlyImage, "containers-storage:"+storage+"test")
 }

 func (s *CopySuite) TestCopySimpleAtomicRegistry(c *check.C) {
-	dir1, err := ioutil.TempDir("", "copy-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	// "pull": docker: → dir:
@@ -533,12 +442,8 @@ func (s *CopySuite) TestCopySimpleAtomicRegistry(c *check.C) {
 func (s *CopySuite) TestCopySimple(c *check.C) {
 	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"

-	dir1, err := ioutil.TempDir("", "copy-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "copy-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	// "pull": docker: → dir:
@@ -557,7 +462,7 @@ func (s *CopySuite) TestCopySimple(c *check.C) {
 	ociImgName := "pause"
 	defer os.RemoveAll(ociDest)
 	assertSkopeoSucceeds(c, "", "copy", "docker://k8s.gcr.io/pause:latest", "oci:"+ociDest+":"+ociImgName)
-	_, err = os.Stat(ociDest)
+	_, err := os.Stat(ociDest)
 	c.Assert(err, check.IsNil)

 	// docker v2s2 -> OCI image layout without image name
@@ -569,31 +474,14 @@ func (s *CopySuite) TestCopySimple(c *check.C) {
 }

 func (s *CopySuite) TestCopyEncryption(c *check.C) {
-
-	originalImageDir, err := ioutil.TempDir("", "copy-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(originalImageDir)
-	encryptedImgDir, err := ioutil.TempDir("", "copy-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(encryptedImgDir)
-	decryptedImgDir, err := ioutil.TempDir("", "copy-3")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(decryptedImgDir)
-	keysDir, err := ioutil.TempDir("", "copy-4")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(keysDir)
-	undecryptedImgDir, err := ioutil.TempDir("", "copy-5")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(undecryptedImgDir)
-	multiLayerImageDir, err := ioutil.TempDir("", "copy-6")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(multiLayerImageDir)
-	partiallyEncryptedImgDir, err := ioutil.TempDir("", "copy-7")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(partiallyEncryptedImgDir)
-	partiallyDecryptedImgDir, err := ioutil.TempDir("", "copy-8")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(partiallyDecryptedImgDir)
+	originalImageDir := c.MkDir()
+	encryptedImgDir := c.MkDir()
+	decryptedImgDir := c.MkDir()
+	keysDir := c.MkDir()
+	undecryptedImgDir := c.MkDir()
+	multiLayerImageDir := c.MkDir()
+	partiallyEncryptedImgDir := c.MkDir()
+	partiallyDecryptedImgDir := c.MkDir()

 	// Create RSA key pair
 	privateKey, err := rsa.GenerateKey(rand.Reader, 4096)
@@ -602,9 +490,9 @@ func (s *CopySuite) TestCopyEncryption(c *check.C) {
 	privateKeyBytes := x509.MarshalPKCS1PrivateKey(privateKey)
 	publicKeyBytes, err := x509.MarshalPKIXPublicKey(publicKey)
 	c.Assert(err, check.IsNil)
-	err = ioutil.WriteFile(keysDir+"/private.key", privateKeyBytes, 0644)
+	err = os.WriteFile(keysDir+"/private.key", privateKeyBytes, 0644)
 	c.Assert(err, check.IsNil)
-	err = ioutil.WriteFile(keysDir+"/public.key", publicKeyBytes, 0644)
+	err = os.WriteFile(keysDir+"/public.key", publicKeyBytes, 0644)
 	c.Assert(err, check.IsNil)

 	// We can either perform encryption or decryption on the image.
@@ -628,7 +516,7 @@ func (s *CopySuite) TestCopyEncryption(c *check.C) {
 	invalidPrivateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	c.Assert(err, check.IsNil)
 	invalidPrivateKeyBytes := x509.MarshalPKCS1PrivateKey(invalidPrivateKey)
-	err = ioutil.WriteFile(keysDir+"/invalid_private.key", invalidPrivateKeyBytes, 0644)
+	err = os.WriteFile(keysDir+"/invalid_private.key", invalidPrivateKeyBytes, 0644)
 	c.Assert(err, check.IsNil)
 	assertSkopeoFails(c, ".*no suitable key unwrapper found or none of the private keys could be used for decryption.*",
 		"copy", "--decryption-key", keysDir+"/invalid_private.key",
@@ -668,7 +556,7 @@ func (s *CopySuite) TestCopyEncryption(c *check.C) {
 }

 func matchLayerBlobBinaryType(c *check.C, ociImageDirPath string, contentType string, matchCount int) {
-	files, err := ioutil.ReadDir(ociImageDirPath)
+	files, err := os.ReadDir(ociImageDirPath)
 	c.Assert(err, check.IsNil)

 	foundCount := 0
@@ -704,7 +592,7 @@ func assertDirImagesAreEqual(c *check.C, dir1, dir2 string) {
 	digests := []digest.Digest{}
 	for _, dir := range []string{dir1, dir2} {
 		manifestPath := filepath.Join(dir, "manifest.json")
-		m, err := ioutil.ReadFile(manifestPath)
+		m, err := os.ReadFile(manifestPath)
 		c.Assert(err, check.IsNil)
 		digest, err := manifest.Digest(m)
 		c.Assert(err, check.IsNil)
@@ -722,7 +610,7 @@ func assertSchema1DirImagesAreEqualExceptNames(c *check.C, dir1, ref1, dir2, ref
 	manifests := []map[string]interface{}{}
 	for dir, ref := range map[string]string{dir1: ref1, dir2: ref2} {
 		manifestPath := filepath.Join(dir, "manifest.json")
-		m, err := ioutil.ReadFile(manifestPath)
+		m, err := os.ReadFile(manifestPath)
 		c.Assert(err, check.IsNil)
 		data := map[string]interface{}{}
 		err = json.Unmarshal(m, &data)
@@ -745,12 +633,8 @@ func assertSchema1DirImagesAreEqualExceptNames(c *check.C, dir1, ref1, dir2, ref

 // Streaming (skopeo copy)
 func (s *CopySuite) TestCopyStreaming(c *check.C) {
-	dir1, err := ioutil.TempDir("", "streaming-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
-	dir2, err := ioutil.TempDir("", "streaming-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir2)
+	dir1 := c.MkDir()
+	dir2 := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	// streaming: docker: → atomic:
@@ -770,12 +654,8 @@ func (s *CopySuite) TestCopyStreaming(c *check.C) {
 func (s *CopySuite) TestCopyOCIRoundTrip(c *check.C) {
 	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"

-	oci1, err := ioutil.TempDir("", "oci-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci1)
-	oci2, err := ioutil.TempDir("", "oci-2")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(oci2)
+	oci1 := c.MkDir()
+	oci2 := c.MkDir()

 	// Docker -> OCI
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", testFQIN, "oci:"+oci1+":latest")
@@ -798,7 +678,7 @@ func (s *CopySuite) TestCopyOCIRoundTrip(c *check.C) {
 	// Verify using the upstream OCI image validator, this should catch most
 	// non-compliance errors. DO NOT REMOVE THIS TEST UNLESS IT'S ABSOLUTELY
 	// NECESSARY.
-	err = image.ValidateLayout(oci1, nil, logger)
+	err := image.ValidateLayout(oci1, nil, logger)
 	c.Assert(err, check.IsNil)
 	err = image.ValidateLayout(oci2, nil, logger)
 	c.Assert(err, check.IsNil)
@@ -820,9 +700,7 @@ func (s *CopySuite) TestCopySignatures(c *check.C) {
 		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
 	}

-	dir, err := ioutil.TempDir("", "signatures-dest")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir)
+	dir := c.MkDir()
 	dirDest := "dir:" + dir

 	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
@@ -876,9 +754,7 @@ func (s *CopySuite) TestCopyDirSignatures(c *check.C) {
 		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
 	}

-	topDir, err := ioutil.TempDir("", "dir-signatures-top")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()
 	topDirDest := "dir:" + topDir

 	for _, suffix := range []string{"/dir1", "/dir2", "/restricted/personal", "/restricted/official", "/restricted/badidentity", "/dest"} {
@@ -921,9 +797,7 @@ func (s *CopySuite) TestCopyDirSignatures(c *check.C) {
 func (s *CopySuite) TestCopyCompression(c *check.C) {
 	const uncompresssedLayerFile = "160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"

-	topDir, err := ioutil.TempDir("", "compression-top")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()

 	for i, t := range []struct{ fixture, remote string }{
 		{"uncompressed-image-s1", "docker://" + v2DockerRegistryURL + "/compression/compression:s1"},
@@ -958,21 +832,21 @@ func (s *CopySuite) TestCopyCompression(c *check.C) {

 func findRegularFiles(c *check.C, root string) []string {
 	result := []string{}
-	err := filepath.Walk(root, filepath.WalkFunc(func(path string, info os.FileInfo, err error) error {
+	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
-		if info.Mode().IsRegular() {
+		if d.Type().IsRegular() {
 			result = append(result, path)
 		}
 		return nil
-	}))
+	})
 	c.Assert(err, check.IsNil)
 	return result
 }

-// --sign-by and policy use for docker: with sigstore
-func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
+// --sign-by and policy use for docker: with lookaside
+func (s *CopySuite) TestCopyDockerLookaside(c *check.C) {
 	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
 	c.Assert(err, check.IsNil)
 	defer mech.Close()
@@ -982,21 +856,19 @@ func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {

 	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir, err := ioutil.TempDir("", "signatures-sigstore")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	copyDest := filepath.Join(tmpDir, "dest")
 	err = os.Mkdir(copyDest, 0755)
 	c.Assert(err, check.IsNil)
 	dirDest := "dir:" + copyDest
-	plainSigstore := filepath.Join(tmpDir, "sigstore")
-	splitSigstoreStaging := filepath.Join(tmpDir, "sigstore-staging")
+	plainLookaside := filepath.Join(tmpDir, "lookaside")
+	splitLookasideStaging := filepath.Join(tmpDir, "lookaside-staging")

-	splitSigstoreReadServerHandler := http.NotFoundHandler()
-	splitSigstoreReadServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		splitSigstoreReadServerHandler.ServeHTTP(w, r)
+	splitLookasideReadServerHandler := http.NotFoundHandler()
+	splitLookasideReadServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		splitLookasideReadServerHandler.ServeHTTP(w, r)
 	}))
-	defer splitSigstoreReadServer.Close()
+	defer splitLookasideReadServer.Close()

 	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
 	defer os.Remove(policy)
@@ -1004,20 +876,20 @@ func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
 	err = os.Mkdir(registriesDir, 0755)
 	c.Assert(err, check.IsNil)
 	registriesFile := fileFromFixture(c, "fixtures/registries.yaml",
-		map[string]string{"@sigstore@": plainSigstore, "@split-staging@": splitSigstoreStaging, "@split-read@": splitSigstoreReadServer.URL})
+		map[string]string{"@lookaside@": plainLookaside, "@split-staging@": splitLookasideStaging, "@split-read@": splitLookasideReadServer.URL})
 	err = os.Symlink(registriesFile, filepath.Join(registriesDir, "registries.yaml"))
 	c.Assert(err, check.IsNil)

-	// Get an image to work with.  Also verifies that we can use Docker repositories with no sigstore configured.
+	// Get an image to work with.  Also verifies that we can use Docker repositories with no lookaside configured.
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", testFQIN, ourRegistry+"original/busybox")
 	// Pulling an unsigned image fails.
 	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
 		"--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"original/busybox", dirDest)

-	// Signing with sigstore defined succeeds,
+	// Signing with lookaside defined succeeds,
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "--sign-by", "personal@example.com", ourRegistry+"original/busybox", ourRegistry+"signed/busybox")
 	// a signature file has been created,
-	foundFiles := findRegularFiles(c, plainSigstore)
+	foundFiles := findRegularFiles(c, plainLookaside)
 	c.Assert(foundFiles, check.HasLen, 1)
 	// and pulling a signed image succeeds.
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"signed/busybox", dirDest)
@@ -1025,19 +897,19 @@ func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
 	// Deleting the image succeeds,
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "delete", ourRegistry+"signed/busybox")
 	// and the signature file has been deleted (but we leave the directories around).
-	foundFiles = findRegularFiles(c, plainSigstore)
+	foundFiles = findRegularFiles(c, plainLookaside)
 	c.Assert(foundFiles, check.HasLen, 0)

-	// Signing with a read/write sigstore split succeeds,
+	// Signing with a read/write lookaside split succeeds,
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "--sign-by", "personal@example.com", ourRegistry+"original/busybox", ourRegistry+"public/busybox")
 	// and a signature file has been created.
-	foundFiles = findRegularFiles(c, splitSigstoreStaging)
+	foundFiles = findRegularFiles(c, splitLookasideStaging)
 	c.Assert(foundFiles, check.HasLen, 1)
-	// Pulling the image fails because the read sigstore URL has not been populated:
+	// Pulling the image fails because the read lookaside URL has not been populated:
 	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
 		"--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"public/busybox", dirDest)
-	// Pulling the image succeeds after the read sigstore URL is available:
-	splitSigstoreReadServerHandler = http.FileServer(http.Dir(splitSigstoreStaging))
+	// Pulling the image succeeds after the read lookaside URL is available:
+	splitLookasideReadServerHandler = http.FileServer(http.Dir(splitLookasideStaging))
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"public/busybox", dirDest)
 }

@@ -1050,9 +922,7 @@ func (s *CopySuite) TestCopyAtomicExtension(c *check.C) {
 		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
 	}

-	topDir, err := ioutil.TempDir("", "atomic-extension")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()
 	for _, subdir := range []string{"dirAA", "dirAD", "dirDA", "dirDD", "registries.d"} {
 		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
 		c.Assert(err, check.IsNil)
@@ -1099,22 +969,6 @@ func (s *CopySuite) TestCopyAtomicExtension(c *check.C) {
 	assertDirImagesAreEqual(c, filepath.Join(topDir, "dirDA"), filepath.Join(topDir, "dirDD"))
 }

-// copyWithSignedIdentity creates a copy of an unsigned image, adding a signature for an unrelated identity
-// This should be easier than using standalone-sign.
-func copyWithSignedIdentity(c *check.C, src, dest, signedIdentity, signBy, registriesDir string) {
-	topDir, err := ioutil.TempDir("", "copyWithSignedIdentity")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
-
-	signingDir := filepath.Join(topDir, "signing-temp")
-	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", src, "dir:"+signingDir)
-	c.Logf("%s", combinedOutputOfCommand(c, "ls", "-laR", signingDir))
-	assertSkopeoSucceeds(c, "^$", "standalone-sign", "-o", filepath.Join(signingDir, "signature-1"),
-		filepath.Join(signingDir, "manifest.json"), signedIdentity, signBy)
-	c.Logf("%s", combinedOutputOfCommand(c, "ls", "-laR", signingDir))
-	assertSkopeoSucceeds(c, "", "--registries.d", registriesDir, "copy", "--dest-tls-verify=false", "dir:"+signingDir, dest)
-}
-
 // Both mirroring support in registries.conf, and mirrored remapIdentity support in policy.json
 func (s *CopySuite) TestCopyVerifyingMirroredSignatures(c *check.C) {
 	const regPrefix = "docker://localhost:5006/myns/mirroring-"
@@ -1126,16 +980,14 @@ func (s *CopySuite) TestCopyVerifyingMirroredSignatures(c *check.C) {
 		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
 	}

-	topDir, err := ioutil.TempDir("", "mirrored-signatures")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
-	registriesDir := filepath.Join(topDir, "registries.d") // An empty directory to disable sigstore use
+	topDir := c.MkDir()
+	registriesDir := filepath.Join(topDir, "registries.d") // An empty directory to disable lookaside use
 	dirDest := "dir:" + filepath.Join(topDir, "unused-dest")

 	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
 	defer os.Remove(policy)

-	// We use X-R-S-S for this testing to avoid having to deal with the sigstores.
+	// We use X-R-S-S for this testing to avoid having to deal with the lookasides.
 	// A downside is that OpenShift records signatures per image, so the error messages below
 	// list all signatures for other tags used for the same image as well.
 	// So, make sure to never create a signature that could be considered valid in a different part of the test (i.e. don't reuse tags).
@@ -1160,10 +1012,12 @@ func (s *CopySuite) TestCopyVerifyingMirroredSignatures(c *check.C) {
 	assertSkopeoFails(c, ".*Source image rejected: None of the signatures were accepted, reasons: Signature for identity localhost:5006/myns/mirroring-primary:direct is not accepted; Signature for identity localhost:5006/myns/mirroring-mirror:mirror-signed is not accepted.*",
 		"--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"primary:mirror-signed", dirDest)

+	// Fail if we specify an unqualified identity
+	assertSkopeoFails(c, ".*Could not parse --sign-identity: repository name must be canonical.*",
+		"--registries.d", registriesDir, "copy", "--src-tls-verify=false", "--dest-tls-verify=false", "--sign-by=personal@example.com", "--sign-identity=this-is-not-fully-specified", regPrefix+"primary:unsigned", regPrefix+"mirror:primary-signed")
+
 	// Create a signature for mirroring-primary:primary-signed without pushing there.
-	copyWithSignedIdentity(c, regPrefix+"primary:unsigned", regPrefix+"mirror:primary-signed",
-		"localhost:5006/myns/mirroring-primary:primary-signed", "personal@example.com",
-		registriesDir)
+	assertSkopeoSucceeds(c, "", "--registries.d", registriesDir, "copy", "--src-tls-verify=false", "--dest-tls-verify=false", "--sign-by=personal@example.com", "--sign-identity=localhost:5006/myns/mirroring-primary:primary-signed", regPrefix+"primary:unsigned", regPrefix+"mirror:primary-signed")
 	// Verify that a correctly signed image for the primary is accessible using the primary's reference
 	assertSkopeoSucceeds(c, "", "--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"primary:primary-signed", dirDest)
 	// … but verify that while it is accessible using the mirror location
@@ -1178,20 +1032,17 @@ func (s *CopySuite) TestCopyVerifyingMirroredSignatures(c *check.C) {
 	// … it is NOT accessible when requiring a signature …
 	assertSkopeoFails(c, ".*Source image rejected: None of the signatures were accepted, reasons: Signature for identity localhost:5006/myns/mirroring-primary:direct is not accepted; Signature for identity localhost:5006/myns/mirroring-mirror:mirror-signed is not accepted; Signature for identity localhost:5006/myns/mirroring-primary:primary-signed is not accepted.*", "--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"remap:remapped", dirDest)
 	// … until signed.
-	copyWithSignedIdentity(c, regPrefix+"remap:remapped", regPrefix+"remap:remapped",
-		"localhost:5006/myns/mirroring-primary:remapped", "personal@example.com",
-		registriesDir)
+	assertSkopeoSucceeds(c, "", "--registries.d", registriesDir, "copy", "--src-tls-verify=false", "--dest-tls-verify=false", "--sign-by=personal@example.com", "--sign-identity=localhost:5006/myns/mirroring-primary:remapped", regPrefix+"remap:remapped", regPrefix+"remap:remapped")
 	assertSkopeoSucceeds(c, "", "--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"remap:remapped", dirDest)
 	// To be extra clear about the semantics, verify that the signedPrefix (primary) location never exists
 	// and only the remapped prefix (mirror) is accessed.
-	assertSkopeoFails(c, ".*initializing source docker://localhost:5006/myns/mirroring-primary:remapped:.*manifest unknown: manifest unknown.*", "--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"primary:remapped", dirDest)
+	assertSkopeoFails(c, ".*initializing source docker://localhost:5006/myns/mirroring-primary:remapped:.*manifest unknown.*",
+		"--policy", policy, "--registries.d", registriesDir, "--registries-conf", "fixtures/registries.conf", "copy", "--src-tls-verify=false", regPrefix+"primary:remapped", dirDest)
 }

 func (s *SkopeoSuite) TestCopySrcWithAuth(c *check.C) {
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--dest-creds=testuser:testpassword", testFQIN, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
-	dir1, err := ioutil.TempDir("", "copy-1")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(dir1)
+	dir1 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--src-creds=testuser:testpassword", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "dir:"+dir1)
 }

@@ -1205,9 +1056,7 @@ func (s *SkopeoSuite) TestCopySrcAndDestWithAuth(c *check.C) {
 }

 func (s *CopySuite) TestCopyNoPanicOnHTTPResponseWithoutTLSVerifyFalse(c *check.C) {
-	topDir, err := ioutil.TempDir("", "no-panic-on-https-response-without-tls-verify-false")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()

 	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"

@@ -1223,9 +1072,7 @@ func (s *CopySuite) TestCopySchemaConversion(c *check.C) {
 }

 func (s *CopySuite) TestCopyManifestConversion(c *check.C) {
-	topDir, err := ioutil.TempDir("", "manifest-conversion")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()
 	srcDir := filepath.Join(topDir, "source")
 	destDir1 := filepath.Join(topDir, "dest1")
 	destDir2 := filepath.Join(topDir, "dest2")
@@ -1249,18 +1096,14 @@ func (s *CopySuite) TestCopyManifestConversion(c *check.C) {
 }

 func (s *CopySuite) TestCopyPreserveDigests(c *check.C) {
-	topDir, err := ioutil.TempDir("", "preserve-digests")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()

 	assertSkopeoSucceeds(c, "", "copy", knownListImage, "--multi-arch=all", "--preserve-digests", "dir:"+topDir)
 	assertSkopeoFails(c, ".*Instructed to preserve digests.*", "copy", knownListImage, "--multi-arch=all", "--preserve-digests", "--format=oci", "dir:"+topDir)
 }

 func (s *CopySuite) testCopySchemaConversionRegistries(c *check.C, schema1Registry, schema2Registry string) {
-	topDir, err := ioutil.TempDir("", "schema-conversion")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(topDir)
+	topDir := c.MkDir()
 	for _, subdir := range []string{"input1", "input2", "dest2"} {
 		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
 		c.Assert(err, check.IsNil)
@@ -1294,16 +1137,14 @@ func (s *CopySuite) testCopySchemaConversionRegistries(c *check.C, schema1Regist
 const regConfFixture = "./fixtures/registries.conf"

 func (s *SkopeoSuite) TestSuccessCopySrcWithMirror(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-mirror")
-	c.Assert(err, check.IsNil)
+	dir := c.MkDir()

 	assertSkopeoSucceeds(c, "", "--registries-conf="+regConfFixture, "copy",
 		"docker://mirror.invalid/busybox", "dir:"+dir)
 }

 func (s *SkopeoSuite) TestFailureCopySrcWithMirrorsUnavailable(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-mirror")
-	c.Assert(err, check.IsNil)
+	dir := c.MkDir()

 	// .invalid domains are, per RFC 6761, supposed to result in NXDOMAIN.
 	// With systemd-resolved (used only via NSS?), we instead seem to get “Temporary failure in name resolution”
@@ -1312,16 +1153,14 @@ func (s *SkopeoSuite) TestFailureCopySrcWithMirrorsUnavailable(c *check.C) {
 }

 func (s *SkopeoSuite) TestSuccessCopySrcWithMirrorAndPrefix(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-mirror")
-	c.Assert(err, check.IsNil)
+	dir := c.MkDir()

 	assertSkopeoSucceeds(c, "", "--registries-conf="+regConfFixture, "copy",
 		"docker://gcr.invalid/foo/bar/busybox", "dir:"+dir)
 }

 func (s *SkopeoSuite) TestFailureCopySrcWithMirrorAndPrefixUnavailable(c *check.C) {
-	dir, err := ioutil.TempDir("", "copy-mirror")
-	c.Assert(err, check.IsNil)
+	dir := c.MkDir()

 	// .invalid domains are, per RFC 6761, supposed to result in NXDOMAIN.
 	// With systemd-resolved (used only via NSS?), we instead seem to get “Temporary failure in name resolution”
--- a/integration/fixtures/registries.yaml
+++ b/integration/fixtures/registries.yaml
@@ -1,6 +1,6 @@
 docker:
   localhost:5555:
-        sigstore: file://@sigstore@
+        lookaside: file://@lookaside@
   localhost:5555/public:
-        sigstore-staging: file://@split-staging@
-        sigstore: @split-read@
+        lookaside-staging: file://@split-staging@
+        lookaside: @split-read@
--- a/integration/openshift.go
+++ b/integration/openshift.go
@@ -5,14 +5,13 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"time"

-	"github.com/docker/docker/pkg/homedir"
+	"github.com/containers/storage/pkg/homedir"
 	"gopkg.in/check.v1"
 )

@@ -33,10 +32,7 @@ type openshiftCluster struct {
 // in isolated test environment.
 func startOpenshiftCluster(c *check.C) *openshiftCluster {
 	cluster := &openshiftCluster{}
-
-	dir, err := ioutil.TempDir("", "openshift-cluster")
-	c.Assert(err, check.IsNil)
-	cluster.workingDir = dir
+	cluster.workingDir = c.MkDir()

 	cluster.startMaster(c)
 	cluster.prepareRegistryConfig(c)
@@ -196,7 +192,7 @@ func (cluster *openshiftCluster) startRegistry(c *check.C) {
 		// The default configuration currently already contains acceptschema2: false
 	})
 	// Make sure the configuration contains "acceptschema2: false", because eventually it will be enabled upstream and this function will need to be updated.
-	configContents, err := ioutil.ReadFile(schema1Config)
+	configContents, err := os.ReadFile(schema1Config)
 	c.Assert(err, check.IsNil)
 	c.Assert(string(configContents), check.Matches, "(?s).*acceptschema2: false.*")
 	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5005, schema1Config))
@@ -240,7 +236,7 @@ func (cluster *openshiftCluster) dockerLogin(c *check.C) {
 			}`, port, authValue))
 	}
 	configJSON := `{"auths": {` + strings.Join(auths, ",") + `}}`
-	err = ioutil.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0600)
+	err = os.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0600)
 	c.Assert(err, check.IsNil)
 }

@@ -258,12 +254,12 @@ func (cluster *openshiftCluster) relaxImageSignerPermissions(c *check.C) {
 // tearDown stops the cluster services and deletes (only some!) of the state.
 func (cluster *openshiftCluster) tearDown(c *check.C) {
 	for i := len(cluster.processes) - 1; i >= 0; i-- {
-		cluster.processes[i].Process.Kill()
-	}
-	if cluster.workingDir != "" {
-		os.RemoveAll(cluster.workingDir)
+		// It’s undocumented what Kill() returns if the process has terminated,
+		// so we couldn’t check just for that. This is running in a container anyway…
+		_ = cluster.processes[i].Process.Kill()
 	}
 	if cluster.dockerDir != "" {
-		os.RemoveAll(cluster.dockerDir)
+		err := os.RemoveAll(cluster.dockerDir)
+		c.Assert(err, check.IsNil)
 	}
 }
--- a/integration/openshift_shell_test.go
+++ b/integration/openshift_shell_test.go
@@ -15,11 +15,15 @@ TestRunShell is not really a test; it is a convenient way to use the registry se
 in openshift.go and CopySuite to get an interactive environment for experimentation.

 To use it, run:
+
 	sudo make shell
+
 to start a container, then within the container:
+
 	SKOPEO_CONTAINER_TESTS=1 PS1='nested> ' go test -tags openshift_shell -timeout=24h ./integration -v -check.v -check.vv -check.f='CopySuite.TestRunShell'

 An example of what can be done within the container:
+
 	cd ..; make bin/skopeo PREFIX=/usr install
 	./skopeo --tls-verify=false  copy --sign-by=personal@example.com docker://quay.io/libpod/busybox:latest atomic:localhost:5000/myns/personal:personal
 	oc get istag personal:personal -o json
--- a/integration/proxy_test.go
+++ b/integration/proxy_test.go
@@ -3,7 +3,7 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net"
 	"os"
 	"os/exec"
@@ -20,6 +20,9 @@ import (
 // This image is known to be x86_64 only right now
 const knownNotManifestListedImage_x8664 = "docker://quay.io/coreos/11bot"

+// knownNotExtantImage would be very surprising if it did exist
+const knownNotExtantImage = "docker://quay.io/centos/centos:opensusewindowsubuntu"
+
 const expectedProxySemverMajor = "0.2"

 // request is copied from proxy.go
@@ -57,7 +60,7 @@ type pipefd struct {
 	fd *os.File
 }

-func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd *pipefd, err error) {
+func (p *proxy) call(method string, args []interface{}) (rval interface{}, fd *pipefd, err error) {
 	req := request{
 		Method: method,
 		Args:   args,
@@ -66,7 +69,7 @@ func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd
 	if err != nil {
 		return
 	}
-	n, err := self.c.Write(reqbuf)
+	n, err := p.c.Write(reqbuf)
 	if err != nil {
 		return
 	}
@@ -76,7 +79,7 @@ func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd
 	}
 	oob := make([]byte, syscall.CmsgSpace(1))
 	replybuf := make([]byte, maxMsgSize)
-	n, oobn, _, _, err := self.c.ReadMsgUnix(replybuf, oob)
+	n, oobn, _, _, err := p.c.ReadMsgUnix(replybuf, oob)
 	if err != nil {
 		err = fmt.Errorf("reading reply: %v", err)
 		return
@@ -119,9 +122,9 @@ func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd
 	return
 }

-func (self *proxy) callNoFd(method string, args []interface{}) (rval interface{}, err error) {
+func (p *proxy) callNoFd(method string, args []interface{}) (rval interface{}, err error) {
 	var fd *pipefd
-	rval, fd, err = self.call(method, args)
+	rval, fd, err = p.call(method, args)
 	if err != nil {
 		return
 	}
@@ -132,9 +135,9 @@ func (self *proxy) callNoFd(method string, args []interface{}) (rval interface{}
 	return rval, nil
 }

-func (self *proxy) callReadAllBytes(method string, args []interface{}) (rval interface{}, buf []byte, err error) {
+func (p *proxy) callReadAllBytes(method string, args []interface{}) (rval interface{}, buf []byte, err error) {
 	var fd *pipefd
-	rval, fd, err = self.call(method, args)
+	rval, fd, err = p.call(method, args)
 	if err != nil {
 		return
 	}
@@ -144,13 +147,13 @@ func (self *proxy) callReadAllBytes(method string, args []interface{}) (rval int
 	}
 	fetchchan := make(chan byteFetch)
 	go func() {
-		manifestBytes, err := ioutil.ReadAll(fd.fd)
+		manifestBytes, err := io.ReadAll(fd.fd)
 		fetchchan <- byteFetch{
 			content: manifestBytes,
 			err:     err,
 		}
 	}()
-	_, err = self.callNoFd("FinishPipe", []interface{}{fd.id})
+	_, err = p.callNoFd("FinishPipe", []interface{}{fd.id})
 	if err != nil {
 		return
 	}
@@ -240,8 +243,31 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 		return fmt.Errorf("OpenImage return value is %T", v)
 	}
 	imgid := uint32(imgidv)
+	if imgid == 0 {
+		return fmt.Errorf("got zero from expected image")
+	}

-	v, manifestBytes, err := p.callReadAllBytes("GetManifest", []interface{}{imgid})
+	// Also verify the optional path
+	v, err = p.callNoFd("OpenImageOptional", []interface{}{knownNotManifestListedImage_x8664})
+	if err != nil {
+		return err
+	}
+
+	imgidv, ok = v.(float64)
+	if !ok {
+		return fmt.Errorf("OpenImageOptional return value is %T", v)
+	}
+	imgid2 := uint32(imgidv)
+	if imgid2 == 0 {
+		return fmt.Errorf("got zero from expected image")
+	}
+
+	_, err = p.callNoFd("CloseImage", []interface{}{imgid2})
+	if err != nil {
+		return err
+	}
+
+	_, manifestBytes, err := p.callReadAllBytes("GetManifest", []interface{}{imgid})
 	if err != nil {
 		return err
 	}
@@ -250,7 +276,7 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 		return err
 	}

-	v, configBytes, err := p.callReadAllBytes("GetFullConfig", []interface{}{imgid})
+	_, configBytes, err := p.callReadAllBytes("GetFullConfig", []interface{}{imgid})
 	if err != nil {
 		return err
 	}
@@ -269,7 +295,7 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 	}

 	// Also test this legacy interface
-	v, ctrconfigBytes, err := p.callReadAllBytes("GetConfig", []interface{}{imgid})
+	_, ctrconfigBytes, err := p.callReadAllBytes("GetConfig", []interface{}{imgid})
 	if err != nil {
 		return err
 	}
@@ -285,10 +311,30 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 	}

 	_, err = p.callNoFd("CloseImage", []interface{}{imgid})
+	if err != nil {
+		return err
+	}

 	return nil
 }

+func runTestOpenImageOptionalNotFound(p *proxy, img string) error {
+	v, err := p.callNoFd("OpenImageOptional", []interface{}{img})
+	if err != nil {
+		return err
+	}
+
+	imgidv, ok := v.(float64)
+	if !ok {
+		return fmt.Errorf("OpenImageOptional return value is %T", v)
+	}
+	imgid := uint32(imgidv)
+	if imgid != 0 {
+		return fmt.Errorf("Unexpected optional image id %v", imgid)
+	}
+	return nil
+}
+
 func (s *ProxySuite) TestProxy(c *check.C) {
 	p, err := newProxy()
 	c.Assert(err, check.IsNil)
@@ -304,4 +350,10 @@ func (s *ProxySuite) TestProxy(c *check.C) {
 		err = fmt.Errorf("Testing image %s: %v", knownListImage, err)
 	}
 	c.Assert(err, check.IsNil)
+
+	err = runTestOpenImageOptionalNotFound(p, knownNotExtantImage)
+	if err != nil {
+		err = fmt.Errorf("Testing optional image %s: %v", knownNotExtantImage, err)
+	}
+	c.Assert(err, check.IsNil)
 }
--- a/integration/registry.go
+++ b/integration/registry.go
@@ -2,7 +2,6 @@ package main

 import (
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"os/exec"
@@ -20,7 +19,6 @@ const (
 type testRegistryV2 struct {
 	cmd      *exec.Cmd
 	url      string
-	dir      string
 	username string
 	password string
 	email    string
@@ -45,10 +43,7 @@ func setupRegistryV2At(c *check.C, url string, auth, schema1 bool) *testRegistry
 }

 func newTestRegistryV2At(c *check.C, url string, auth, schema1 bool) (*testRegistryV2, error) {
-	tmp, err := ioutil.TempDir("", "registry-test-")
-	if err != nil {
-		return nil, err
-	}
+	tmp := c.MkDir()
 	template := `version: 0.1
 loglevel: debug
 storage:
@@ -58,6 +53,9 @@ storage:
        enabled: true
 http:
    addr: %s
+compatibility:
+    schema1:
+        enabled: true
 %s`
 	var (
 		htpasswd string
@@ -71,7 +69,7 @@ http:
 		username = "testuser"
 		password = "testpassword"
 		email = "test@test.org"
-		if err := ioutil.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0644)); err != nil {
+		if err := os.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0644)); err != nil {
 			return nil, err
 		}
 		htpasswd = fmt.Sprintf(`auth:
@@ -86,19 +84,18 @@ http:
 		return nil, err
 	}
 	if _, err := fmt.Fprintf(config, template, tmp, url, htpasswd); err != nil {
-		os.RemoveAll(tmp)
 		return nil, err
 	}

-	binary := binaryV2
+	var cmd *exec.Cmd
 	if schema1 {
-		binary = binaryV2Schema1
+		cmd = exec.Command(binaryV2Schema1, confPath)
+	} else {
+		cmd = exec.Command(binaryV2, "serve", confPath)
 	}

-	cmd := exec.Command(binary, confPath)
 	consumeAndLogOutputs(c, fmt.Sprintf("registry-%s", url), cmd)
 	if err := cmd.Start(); err != nil {
-		os.RemoveAll(tmp)
 		if os.IsNotExist(err) {
 			c.Skip(err.Error())
 		}
@@ -107,7 +104,6 @@ http:
 	return &testRegistryV2{
 		cmd:      cmd,
 		url:      url,
-		dir:      tmp,
 		username: username,
 		password: password,
 		email:    email,
@@ -120,13 +116,15 @@ func (t *testRegistryV2) Ping() error {
 	if err != nil {
 		return err
 	}
+	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
 		return fmt.Errorf("registry ping replied with an unexpected status code %d", resp.StatusCode)
 	}
 	return nil
 }

-func (t *testRegistryV2) Close() {
-	t.cmd.Process.Kill()
-	os.RemoveAll(t.dir)
+func (t *testRegistryV2) tearDown(c *check.C) {
+	// It’s undocumented what Kill() returns if the process has terminated,
+	// so we couldn’t check just for that. This is running in a container anyway…
+	_ = t.cmd.Process.Kill()
 }
--- a/integration/signing_test.go
+++ b/integration/signing_test.go
@@ -3,7 +3,6 @@ package main
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"strings"
@@ -21,7 +20,6 @@ func init() {
 }

 type SigningSuite struct {
-	gpgHome     string
 	fingerprint string
 }

@@ -40,25 +38,18 @@ func (s *SigningSuite) SetUpSuite(c *check.C) {
 	_, err := exec.LookPath(skopeoBinary)
 	c.Assert(err, check.IsNil)

-	s.gpgHome, err = ioutil.TempDir("", "skopeo-gpg")
-	c.Assert(err, check.IsNil)
-	os.Setenv("GNUPGHOME", s.gpgHome)
+	gpgHome := c.MkDir()
+	os.Setenv("GNUPGHOME", gpgHome)

-	runCommandWithInput(c, "Key-Type: RSA\nName-Real: Testing user\n%no-protection\n%commit\n", gpgBinary, "--homedir", s.gpgHome, "--batch", "--gen-key")
+	runCommandWithInput(c, "Key-Type: RSA\nName-Real: Testing user\n%no-protection\n%commit\n", gpgBinary, "--homedir", gpgHome, "--batch", "--gen-key")

-	lines, err := exec.Command(gpgBinary, "--homedir", s.gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
+	lines, err := exec.Command(gpgBinary, "--homedir", gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
 	c.Assert(err, check.IsNil)
 	s.fingerprint, err = findFingerprint(lines)
 	c.Assert(err, check.IsNil)
 }

 func (s *SigningSuite) TearDownSuite(c *check.C) {
-	if s.gpgHome != "" {
-		err := os.RemoveAll(s.gpgHome)
-		c.Assert(err, check.IsNil)
-	}
-	s.gpgHome = ""
-
 	os.Unsetenv("GNUPGHOME")
 }

@@ -73,7 +64,7 @@ func (s *SigningSuite) TestSignVerifySmoke(c *check.C) {
 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/smoketest"

-	sigOutput, err := ioutil.TempFile("", "sig")
+	sigOutput, err := os.CreateTemp("", "sig")
 	c.Assert(err, check.IsNil)
 	defer os.Remove(sigOutput.Name())
 	assertSkopeoSucceeds(c, "^$", "standalone-sign", "-o", sigOutput.Name(),
--- a/integration/sync_test.go
+++ b/integration/sync_test.go
@@ -3,7 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
@@ -40,7 +40,6 @@ func init() {
 type SyncSuite struct {
 	cluster  *openshiftCluster
 	registry *testRegistryV2
-	gpgHome  string
 }

 func (s *SyncSuite) SetUpSuite(c *check.C) {
@@ -74,10 +73,8 @@ func (s *SyncSuite) SetUpSuite(c *check.C) {
 	// FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
 	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, registryAuth, registrySchema1)

-	gpgHome, err := ioutil.TempDir("", "skopeo-gpg")
-	c.Assert(err, check.IsNil)
-	s.gpgHome = gpgHome
-	os.Setenv("GNUPGHOME", s.gpgHome)
+	gpgHome := c.MkDir()
+	os.Setenv("GNUPGHOME", gpgHome)

 	for _, key := range []string{"personal", "official"} {
 		batchInput := fmt.Sprintf("Key-Type: RSA\nName-Real: Test key - %s\nName-email: %s@example.com\n%%no-protection\n%%commit\n",
@@ -85,7 +82,7 @@ func (s *SyncSuite) SetUpSuite(c *check.C) {
 		runCommandWithInput(c, batchInput, gpgBinary, "--batch", "--gen-key")

 		out := combinedOutputOfCommand(c, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
-		err := ioutil.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
+		err := os.WriteFile(filepath.Join(gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
 			[]byte(out), 0600)
 		c.Assert(err, check.IsNil)
 	}
@@ -96,21 +93,32 @@ func (s *SyncSuite) TearDownSuite(c *check.C) {
 		return
 	}

-	if s.gpgHome != "" {
-		os.RemoveAll(s.gpgHome)
-	}
 	if s.registry != nil {
-		s.registry.Close()
+		s.registry.tearDown(c)
 	}
 	if s.cluster != nil {
 		s.cluster.tearDown(c)
 	}
 }

-func (s *SyncSuite) TestDocker2DirTagged(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+func assertNumberOfManifestsInSubdirs(c *check.C, dir string, expectedCount int) {
+	nManifests := 0
+	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if !d.IsDir() && d.Name() == "manifest.json" {
+			nManifests++
+			return filepath.SkipDir
+		}
+		return nil
+	})
 	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	c.Assert(nManifests, check.Equals, expectedCount)
+}
+
+func (s *SyncSuite) TestDocker2DirTagged(c *check.C) {
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
@@ -136,9 +144,7 @@ func (s *SyncSuite) TestDocker2DirTagged(c *check.C) {
 }

 func (s *SyncSuite) TestDocker2DirTaggedAll(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedManifestList
@@ -164,16 +170,14 @@ func (s *SyncSuite) TestDocker2DirTaggedAll(c *check.C) {
 }

 func (s *SyncSuite) TestPreserveDigests(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedManifestList

 	// copy docker => dir
 	assertSkopeoSucceeds(c, "", "copy", "--all", "--preserve-digests", "docker://"+image, "dir:"+tmpDir)
-	_, err = os.Stat(path.Join(tmpDir, "manifest.json"))
+	_, err := os.Stat(path.Join(tmpDir, "manifest.json"))
 	c.Assert(err, check.IsNil)

 	assertSkopeoFails(c, ".*Instructed to preserve digests.*", "copy", "--all", "--preserve-digests", "--format=oci", "docker://"+image, "dir:"+tmpDir)
@@ -186,8 +190,7 @@ func (s *SyncSuite) TestScoped(c *check.C) {
 	c.Assert(err, check.IsNil)
 	imagePath := imageRef.DockerReference().String()

-	dir1, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
+	dir1 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, path.Base(imagePath), "manifest.json"))
 	c.Assert(err, check.IsNil)
@@ -195,8 +198,6 @@ func (s *SyncSuite) TestScoped(c *check.C) {
 	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
 	c.Assert(err, check.IsNil)
-
-	os.RemoveAll(dir1)
 }

 func (s *SyncSuite) TestDirIsNotOverwritten(c *check.C) {
@@ -210,8 +211,7 @@ func (s *SyncSuite) TestDirIsNotOverwritten(c *check.C) {
 	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "docker://"+image, "docker://"+path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())))

 	//sync upstream image to dir, not scoped
-	dir1, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
+	dir1 := c.MkDir()
 	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, path.Base(imagePath), "manifest.json"))
 	c.Assert(err, check.IsNil)
@@ -226,14 +226,10 @@ func (s *SyncSuite) TestDirIsNotOverwritten(c *check.C) {
 	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
 	c.Assert(err, check.IsNil)
-	os.RemoveAll(dir1)
 }

 func (s *SyncSuite) TestDocker2DirUntagged(c *check.C) {
-
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepo
@@ -255,9 +251,7 @@ func (s *SyncSuite) TestDocker2DirUntagged(c *check.C) {
 }

 func (s *SyncSuite) TestYamlUntagged(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	image := pullableRepo
@@ -278,7 +272,8 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {

 	// sync to the local registry
 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	c.Assert(err, check.IsNil)
 	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "docker", "--dest-tls-verify=false", yamlFile, v2DockerRegistryURL)
 	// sync back from local registry to a folder
 	os.Remove(yamlFile)
@@ -289,7 +284,8 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {
    %s: []
 `, v2DockerRegistryURL, imagePath)

-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	c.Assert(err, check.IsNil)
 	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)

 	sysCtx = types.SystemContext{
@@ -301,27 +297,11 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Check(len(localTags), check.Not(check.Equals), 0)
 	c.Assert(len(localTags), check.Equals, len(tags))
-
-	nManifests := 0
-	//count the number of manifest.json in dir1
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
-	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, len(tags))
+	assertNumberOfManifestsInSubdirs(c, dir1, len(tags))
 }

 func (s *SyncSuite) TestYamlRegex2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
@@ -334,28 +314,14 @@ k8s.gcr.io:
 	c.Assert(nTags, check.Not(check.Equals), 0)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-
-	nManifests := 0
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
 	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, nTags)
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(c, dir1, nTags)
 }

 func (s *SyncSuite) TestYamlDigest2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
@@ -365,28 +331,14 @@ k8s.gcr.io:
    - sha256:59eec8837a4d942cc19a52b8c09ea75121acc38114a2c68b98983ce9356b8610
 `
 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-
-	nManifests := 0
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
 	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, 1)
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(c, dir1, 1)
 }

 func (s *SyncSuite) TestYaml2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
@@ -417,29 +369,15 @@ quay.io:
 	c.Assert(nTags, check.Not(check.Equals), 0)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-
-	nManifests := 0
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
 	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, nTags)
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(c, dir1, nTags)
 }

 func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
 	dir1 := path.Join(tmpDir, "dir1")
 	image := pullableRepoWithLatestTag
 	tag := "latest"
@@ -481,7 +419,8 @@ func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 	for _, cfg := range testCfg {
 		yamlConfig := fmt.Sprintf(yamlTemplate, v2DockerRegistryURL, cfg.tlsVerify, image, tag)
 		yamlFile := path.Join(tmpDir, "registries.yaml")
-		ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+		err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+		c.Assert(err, check.IsNil)

 		cfg.checker(c, cfg.msg, "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
 		os.Remove(yamlFile)
@@ -491,9 +430,7 @@ func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 }

 func (s *SyncSuite) TestSyncManifestOutput(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "sync-manifest-output")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	destDir1 := filepath.Join(tmpDir, "dest1")
 	destDir2 := filepath.Join(tmpDir, "dest2")
@@ -513,9 +450,7 @@ func (s *SyncSuite) TestSyncManifestOutput(c *check.C) {
 func (s *SyncSuite) TestDocker2DockerTagged(c *check.C) {
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
@@ -546,15 +481,13 @@ func (s *SyncSuite) TestDocker2DockerTagged(c *check.C) {
 func (s *SyncSuite) TestDir2DockerTagged(c *check.C) {
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepoWithLatestTag

 	dir1 := path.Join(tmpDir, "dir1")
-	err = os.Mkdir(dir1, 0755)
+	err := os.Mkdir(dir1, 0755)
 	c.Assert(err, check.IsNil)
 	dir2 := path.Join(tmpDir, "dir2")
 	err = os.Mkdir(dir2, 0755)
@@ -586,9 +519,7 @@ func (s *SyncSuite) TestDir2DockerTagged(c *check.C) {
 }

 func (s *SyncSuite) TestFailsWithDir2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")
@@ -598,56 +529,48 @@ func (s *SyncSuite) TestFailsWithDir2Dir(c *check.C) {
 }

 func (s *SyncSuite) TestFailsNoSourceImages(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	assertSkopeoFails(c, ".*No images to sync found in .*",
 		"sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", tmpDir, v2DockerRegistryURL)

-	assertSkopeoFails(c, ".*No images to sync found in .*",
+	assertSkopeoFails(c, ".*Error determining repository tags for repo docker.io/library/hopefully_no_images_will_ever_be_called_like_this: fetching tags list: requested access to the resource is denied.*",
 		"sync", "--scoped", "--dest-tls-verify=false", "--src", "docker", "--dest", "docker", "hopefully_no_images_will_ever_be_called_like_this", v2DockerRegistryURL)
 }

 func (s *SyncSuite) TestFailsWithDockerSourceNoRegistry(c *check.C) {
 	const regURL = "google.com/namespace/imagename"

-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	//untagged
-	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
+	assertSkopeoFails(c, ".*StatusCode: 404.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL, tmpDir)

 	//tagged
-	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
+	assertSkopeoFails(c, ".*StatusCode: 404.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL+":thetag", tmpDir)
 }

 func (s *SyncSuite) TestFailsWithDockerSourceUnauthorized(c *check.C) {
 	const repo = "privateimagenamethatshouldnotbepublic"
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	//untagged
-	assertSkopeoFails(c, ".*Registry disallows tag list retrieval.*",
+	assertSkopeoFails(c, ".*requested access to the resource is denied.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo, tmpDir)

 	//tagged
-	assertSkopeoFails(c, ".*unauthorized: authentication required.*",
+	assertSkopeoFails(c, ".*requested access to the resource is denied.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo+":thetag", tmpDir)
 }

 func (s *SyncSuite) TestFailsWithDockerSourceNotExisting(c *check.C) {
 	repo := path.Join(v2DockerRegistryURL, "imagedoesnotexist")
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()

 	//untagged
-	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
+	assertSkopeoFails(c, ".*repository name not known to registry.*",
 		"sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", repo, tmpDir)

 	//tagged
@@ -657,9 +580,9 @@ func (s *SyncSuite) TestFailsWithDockerSourceNotExisting(c *check.C) {

 func (s *SyncSuite) TestFailsWithDirSourceNotExisting(c *check.C) {
 	// Make sure the dir does not exist!
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	err = os.RemoveAll(tmpDir)
+	tmpDir := c.MkDir()
+	tmpDir = filepath.Join(tmpDir, "this-does-not-exist")
+	err := os.RemoveAll(tmpDir)
 	c.Assert(err, check.IsNil)
 	_, err = os.Stat(path.Join(tmpDir))
 	c.Check(os.IsNotExist(err), check.Equals, true)
--- a/integration/utils.go
+++ b/integration/utils.go
@@ -3,8 +3,8 @@ package main
 import (
 	"bytes"
 	"io"
-	"io/ioutil"
 	"net"
+	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
@@ -19,7 +19,7 @@ const decompressDirsBinary = "./decompress-dirs.sh"

 const testFQIN = "docker://quay.io/libpod/busybox" // tag left off on purpose, some tests need to add a special one
 const testFQIN64 = "docker://quay.io/libpod/busybox:amd64"
-const testFQINMultiLayer = "docker://quay.io/libpod/alpine_nginx:master" // multi-layer
+const testFQINMultiLayer = "docker://quay.io/libpod/alpine_nginx:latest" // multi-layer

 // consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to c.
 func consumeAndLogOutputStream(c *check.C, id string, f io.ReadCloser, err error) {
@@ -163,15 +163,15 @@ func modifyEnviron(env []string, name, value string) []string {
 // fileFromFixtureFixture applies edits to inputPath and returns a path to the temporary file.
 // Callers should defer os.Remove(the_returned_path)
 func fileFromFixture(c *check.C, inputPath string, edits map[string]string) string {
-	contents, err := ioutil.ReadFile(inputPath)
+	contents, err := os.ReadFile(inputPath)
 	c.Assert(err, check.IsNil)
 	for template, value := range edits {
-		updated := bytes.Replace(contents, []byte(template), []byte(value), -1)
+		updated := bytes.ReplaceAll(contents, []byte(template), []byte(value))
 		c.Assert(bytes.Equal(updated, contents), check.Equals, false, check.Commentf("Replacing %s in %#v failed", template, string(contents))) // Verify that the template has matched something and we are not silently ignoring it.
 		contents = updated
 	}

-	file, err := ioutil.TempFile("", "policy.json")
+	file, err := os.CreateTemp("", "policy.json")
 	c.Assert(err, check.IsNil)
 	path := file.Name()

@@ -187,7 +187,7 @@ func fileFromFixture(c *check.C, inputPath string, edits map[string]string) stri
 func runDecompressDirs(c *check.C, regexp string, args ...string) {
 	c.Logf("Running %s %s", decompressDirsBinary, strings.Join(args, " "))
 	for i, dir := range args {
-		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+		m, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
 		c.Assert(err, check.IsNil)
 		c.Logf("manifest %d before: %s", i+1, string(m))
 	}
@@ -197,7 +197,7 @@ func runDecompressDirs(c *check.C, regexp string, args ...string) {
 		if len(out) > 0 {
 			c.Logf("output: %s", out)
 		}
-		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+		m, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
 		c.Assert(err, check.IsNil)
 		c.Logf("manifest %d after: %s", i+1, string(m))
 	}
@@ -208,7 +208,7 @@ func runDecompressDirs(c *check.C, regexp string, args ...string) {

 // Verify manifest in a dir: image at dir is expectedMIMEType.
 func verifyManifestMIMEType(c *check.C, dir string, expectedMIMEType string) {
-	manifestBlob, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+	manifestBlob, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
 	c.Assert(err, check.IsNil)
 	mimeType := manifest.GuessMIMEType(manifestBlob)
 	c.Assert(mimeType, check.Equals, expectedMIMEType)
--- a/skopeo.spec.rpkg
+++ b/skopeo.spec.rpkg
@@ -0,0 +1,132 @@
+# For automatic rebuilds in COPR
+
+# The following tag is to get correct syntax highlighting for this file in vim text editor
+# vim: syntax=spec
+
+# Any additinoal comments should go below this line or else syntax highlighting
+# may not work.
+
+# CAUTION: This is not a replacement for RPMs provided by your distro.
+# Only intended to build and test the latest unreleased changes.
+
+%global gomodulesmode GO111MODULE=on
+%global with_debug 1
+
+%if 0%{?with_debug}
+%global _find_debuginfo_dwz_opts %{nil}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package %{nil}
+%endif
+
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
+%endif
+
+Name: {{{ git_dir_name }}}
+Epoch: 101
+Version: {{{ git_dir_version }}}
+Release: 1%{?dist}
+Summary: Inspect container images and repositories on registries
+License: ASL 2.0
+URL: https://github.com/containers/skopeo
+VCS: {{{ git_dir_vcs }}}
+Source: {{{ git_dir_pack }}}
+%if 0%{?fedora} && ! 0%{?rhel}
+BuildRequires: btrfs-progs-devel
+%endif
+BuildRequires: golang >= 1.16.6
+BuildRequires: glib2-devel
+BuildRequires: git-core
+BuildRequires: go-md2man
+%if 0%{?fedora} || 0%{?rhel} >= 9
+BuildRequires: go-rpm-macros
+%endif
+BuildRequires: pkgconfig(devmapper)
+BuildRequires: gpgme-devel
+BuildRequires: libassuan-devel
+BuildRequires: pkgconfig
+BuildRequires: make
+BuildRequires: ostree-devel
+%if 0%{?fedora} <= 35
+Requires: containers-common >= 4:1-39
+%else
+Requires: containers-common >= 4:1-46
+%endif
+
+%description
+Command line utility to inspect images and repositories directly on Docker
+registries without the need to pull them.
+
+%package tests
+Summary: Tests for %{name}
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: bats
+Requires: gnupg
+Requires: jq
+Requires: podman
+Requires: httpd-tools
+Requires: openssl
+Requires: fakeroot
+Requires: squashfs-tools
+
+%description tests
+%{summary}
+
+This package contains system tests for %{name}
+
+%prep
+{{{ git_dir_setup_macro }}}
+
+sed -i 's/install-binary: bin\/skopeo/install-binary:/' Makefile
+
+# This will invoke `make` command in the directory with the extracted sources.
+%build
+%set_build_flags
+export CGO_CFLAGS=$CFLAGS
+# These extra flags present in $CFLAGS have been skipped for now as they break the build
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
+
+%ifarch x86_64
+export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
+%endif
+
+LDFLAGS=""
+
+export BUILDTAGS="$(hack/libdm_tag.sh)"
+%if 0%{?rhel}
+export BUILDTAGS="$BUILDTAGS exclude_graphdriver_btrfs btrfs_noversion"
+%endif
+
+%gobuild -o bin/%{name} ./cmd/%{name}
+
+%install
+%{__make} PREFIX=%{buildroot}%{_prefix} install-binary install-docs install-completions
+
+# system tests
+install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
+cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man1/%%{name}*
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/%{name}
+%dir %{_datadir}/fish
+%dir %{_datadir}/fish/vendor_completions.d
+%{_datadir}/fish/vendor_completions.d/%{name}.fish
+%dir %{_datadir}/zsh
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files tests
+%license LICENSE
+%{_datadir}/%{name}/test
+
+%changelog
+{{{ git_dir_changelog }}}
--- a/systemtest/010-inspect.bats
+++ b/systemtest/010-inspect.bats
@@ -32,7 +32,8 @@ load helpers
    config_digest=$(jq -r '.config.digest' <<<"$inspect_local_raw")

    # Each SHA-named layer file (but not the config) must be listed in the output of 'inspect'.
-    # As of Skopeo 1.6, (skopeo inspect)'s output lists layer digests,
+    # In all existing versions of Skopeo (with 1.6 being the current as of this comment),
+    # the output of 'inspect' lists layer digests,
    # but not the digest of the config blob ($config_digest), if any.
    layers=$(jq -r '.Layers' <<<"$inspect_local")
    for sha in $(find $workdir -type f | xargs -l1 basename | egrep '^[0-9a-f]{64}$'); do
@@ -94,10 +95,11 @@ END_EXPECT
    # is created by the make-noarch-manifest script in this directory.
    img=docker://quay.io/libpod/notmyarch:20210121

-    # Get our host arch (what we're running on). This assumes that skopeo
-    # arch matches podman; it also assumes running podman >= April 2020
-    # (prior to that, the format keys were lower-case).
-    arch=$(podman info --format '{{.Host.Arch}}')
+    # Get our host golang arch (what we're running on, according to golang).
+    # This assumes that skopeo arch matches host arch (which it always should).
+    # Buildah is used here because it depends less on the exact system config
+    # than podman - and all we're really after is the golang-flavored arch name.
+    arch=$(go env GOARCH)

    # By default, 'inspect' tries to match our host os+arch. This should fail.
    run_skopeo 1 inspect $img
--- a/systemtest/020-copy.bats
+++ b/systemtest/020-copy.bats
@@ -50,7 +50,7 @@ function setup() {

    local dir=$TESTDIR/dir

-    run_skopeo copy --dest-compress --dest-compress-format=zstd $remote_image oci:$dir:latest
+    run_skopeo copy --dest-compress-format=zstd $remote_image oci:$dir:latest

    # zstd magic number
    local magic=$(printf "\x28\xb5\x2f\xfd")
--- a/systemtest/040-local-registry-auth.bats
+++ b/systemtest/040-local-registry-auth.bats
@@ -8,38 +8,40 @@ load helpers
 function setup() {
    standard_setup

-    # Remove old/stale cred file
-    _cred_dir=$TESTDIR/credentials
-    export XDG_RUNTIME_DIR=$_cred_dir
-    mkdir -p $_cred_dir/containers
-    rm -f $_cred_dir/containers/auth.json
-
    # Start authenticated registry with random password
    testuser=testuser
    testpassword=$(random_string 15)

    start_registry --testuser=$testuser --testpassword=$testpassword --enable-delete=true reg
+
+    _cred_dir=$TESTDIR/credentials
+    # It is important to change XDG_RUNTIME_DIR only after we start the registry, otherwise it affects the path of $XDG_RUNTIME_DIR/netns maintained by Podman,
+    # making it imposible to clean up after ourselves.
+    export XDG_RUNTIME_DIR=$_cred_dir
+    mkdir -p $_cred_dir/containers
+    # Remove old/stale cred file
+    rm -f $_cred_dir/containers/auth.json
 }

@test "auth: credentials on command line" {
    # No creds
    run_skopeo 1 inspect --tls-verify=false docker://localhost:5000/nonesuch
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"

    # Wrong user
    run_skopeo 1 inspect --tls-verify=false --creds=baduser:badpassword \
               docker://localhost:5000/nonesuch
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"

    # Wrong password
    run_skopeo 1 inspect --tls-verify=false --creds=$testuser:badpassword \
               docker://localhost:5000/nonesuch
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"

    # Correct creds, but no such image
    run_skopeo 1 inspect --tls-verify=false --creds=$testuser:$testpassword \
               docker://localhost:5000/nonesuch
-    expect_output --substring "manifest unknown: manifest unknown"
+    expect_output --substring "manifest unknown"

    # These should pass
    run_skopeo copy --dest-tls-verify=false --dcreds=$testuser:$testpassword \
@@ -64,7 +66,7 @@ function setup() {
    podman logout localhost:5000

    run_skopeo 1 inspect --tls-verify=false docker://localhost:5000/busybox:mine
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"
 }

@test "auth: copy with --src-creds and --dest-creds" {
@@ -94,7 +96,7 @@ function setup() {

    # inspect without authfile: should fail
    run_skopeo 1 inspect --tls-verify=false docker://localhost:5000/busybox:mine
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"

    # inspect with authfile: should work
    run_skopeo inspect --tls-verify=false --authfile $TESTDIR/test.auth docker://localhost:5000/busybox:mine
--- a/systemtest/070-list-tags.bats
+++ b/systemtest/070-list-tags.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+#
+# list-tags tests
+#
+
+load helpers
+
+# list from registry
+@test "list-tags: remote repository on a registry" {
+    local remote_image=quay.io/libpod/alpine_labels
+
+    run_skopeo list-tags "docker://${remote_image}"
+    expect_output --substring "quay.io/libpod/alpine_labels"
+    expect_output --substring "latest"
+}
+
+# list from a local docker-archive file
+@test "list-tags: from a docker-archive file" {
+    local file_name=${TEST_SOURCE_DIR}/testdata/docker-two-images.tar.xz
+
+    run_skopeo list-tags docker-archive:$file_name
+    expect_output --substring "example.com/empty:latest"
+    expect_output --substring "example.com/empty/but:different"
+
+}
+
+
+# vim: filetype=sh
--- a/systemtest/080-sync.bats
+++ b/systemtest/080-sync.bats
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+#
+# Sync tests
+#
+
+load helpers
+
+function setup() {
+    standard_setup
+}
+
+@test "sync: --dry-run" {
+    local remote_image=quay.io/libpod/busybox:latest
+    local dir=$TESTDIR/dir
+
+    run_skopeo sync --dry-run --src docker --dest dir --scoped $remote_image $dir
+    expect_output --substring "Would have copied image"
+    expect_output --substring "from=\"docker://${remote_image}\" to=\"dir:${dir}/${remote_image}\""
+    expect_output --substring "Would have synced 1 images from 1 sources"
+}
+
+teardown() {
+    standard_teardown
+}
+
+# vim: filetype=sh
--- a/systemtest/testdata/docker-two-images.tar.xz
+++ b/systemtest/testdata/docker-two-images.tar.xz
--- a/vendor/github.com/BurntSushi/toml/.gitignore
+++ b/vendor/github.com/BurntSushi/toml/.gitignore
@@ -1,2 +1,2 @@
-toml.test
+/toml.test
 /toml-test
--- a/vendor/github.com/BurntSushi/toml/COMPATIBLE
+++ b/vendor/github.com/BurntSushi/toml/COMPATIBLE
@@ -1 +0,0 @@
-Compatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0).
--- a/vendor/github.com/BurntSushi/toml/README.md
+++ b/vendor/github.com/BurntSushi/toml/README.md
@@ -1,6 +1,5 @@
 TOML stands for Tom's Obvious, Minimal Language. This Go package provides a
-reflection interface similar to Go's standard library `json` and `xml`
-packages.
+reflection interface similar to Go's standard library `json` and `xml` packages.

 Compatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0).

@@ -10,7 +9,7 @@ See the [releases page](https://github.com/BurntSushi/toml/releases) for a
 changelog; this information is also in the git tag annotations (e.g. `git show
 v0.4.0`).

-This library requires Go 1.13 or newer; install it with:
+This library requires Go 1.13 or newer; add it to your go.mod with:

    % go get github.com/BurntSushi/toml@latest

@@ -19,16 +18,7 @@ It also comes with a TOML validator CLI tool:
    % go install github.com/BurntSushi/toml/cmd/tomlv@latest
    % tomlv some-toml-file.toml

-### Testing
-This package passes all tests in [toml-test] for both the decoder and the
-encoder.
-
-[toml-test]: https://github.com/BurntSushi/toml-test
-
 ### Examples
-This package works similar to how the Go standard library handles XML and JSON.
-Namely, data is loaded into Go values via reflection.
-
 For the simplest example, consider some TOML file as just a list of keys and
 values:

@@ -40,7 +30,7 @@ Perfection = [ 6, 28, 496, 8128 ]
 DOB = 1987-07-05T05:45:00Z
 ```

-Which could be defined in Go as:
+Which can be decoded with:

 ```go
 type Config struct {
@@ -48,20 +38,15 @@ type Config struct {
 	Cats       []string
 	Pi         float64
 	Perfection []int
-	DOB        time.Time // requires `import time`
+	DOB        time.Time
 }
-```

-And then decoded with:
-
-```go
 var conf Config
-err := toml.Decode(tomlData, &conf)
-// handle error
+_, err := toml.Decode(tomlData, &conf)
 ```

-You can also use struct tags if your struct field name doesn't map to a TOML
-key value directly:
+You can also use struct tags if your struct field name doesn't map to a TOML key
+value directly:

 ```toml
 some_key_NAME = "wat"
@@ -73,139 +58,63 @@ type TOML struct {
 }
 ```

-Beware that like other most other decoders **only exported fields** are
-considered when encoding and decoding; private fields are silently ignored.
+Beware that like other decoders **only exported fields** are considered when
+encoding and decoding; private fields are silently ignored.

 ### Using the `Marshaler` and `encoding.TextUnmarshaler` interfaces
-Here's an example that automatically parses duration strings into
-`time.Duration` values:
+Here's an example that automatically parses values in a `mail.Address`:

 ```toml
-[[song]]
-name = "Thunder Road"
-duration = "4m49s"
-
-[[song]]
-name = "Stairway to Heaven"
-duration = "8m03s"
+contacts = [
+    "Donald Duck <donald@duckburg.com>",
+    "Scrooge McDuck <scrooge@duckburg.com>",
+]
 ```

-Which can be decoded with:
+Can be decoded with:

 ```go
-type song struct {
-	Name     string
-	Duration duration
-}
-type songs struct {
-	Song []song
-}
-var favorites songs
-if _, err := toml.Decode(blob, &favorites); err != nil {
-	log.Fatal(err)
+// Create address type which satisfies the encoding.TextUnmarshaler interface.
+type address struct {
+	*mail.Address
 }

-for _, s := range favorites.Song {
-	fmt.Printf("%s (%s)\n", s.Name, s.Duration)
-}
-```
-
-And you'll also need a `duration` type that satisfies the
-`encoding.TextUnmarshaler` interface:
-
-```go
-type duration struct {
-	time.Duration
-}
-
-func (d *duration) UnmarshalText(text []byte) error {
+func (a *address) UnmarshalText(text []byte) error {
 	var err error
-	d.Duration, err = time.ParseDuration(string(text))
+	a.Address, err = mail.ParseAddress(string(text))
 	return err
 }
+
+// Decode it.
+func decode() {
+	blob := `
+		contacts = [
+			"Donald Duck <donald@duckburg.com>",
+			"Scrooge McDuck <scrooge@duckburg.com>",
+		]
+	`
+
+	var contacts struct {
+		Contacts []address
+	}
+
+	_, err := toml.Decode(blob, &contacts)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	for _, c := range contacts.Contacts {
+		fmt.Printf("%#v\n", c.Address)
+	}
+
+	// Output:
+	// &mail.Address{Name:"Donald Duck", Address:"donald@duckburg.com"}
+	// &mail.Address{Name:"Scrooge McDuck", Address:"scrooge@duckburg.com"}
+}
 ```

 To target TOML specifically you can implement `UnmarshalTOML` TOML interface in
 a similar way.

 ### More complex usage
-Here's an example of how to load the example from the official spec page:
-
-```toml
-# This is a TOML document. Boom.
-
-title = "TOML Example"
-
-[owner]
-name = "Tom Preston-Werner"
-organization = "GitHub"
-bio = "GitHub Cofounder & CEO\nLikes tater tots and beer."
-dob = 1979-05-27T07:32:00Z # First class dates? Why not?
-
-[database]
-server = "192.168.1.1"
-ports = [ 8001, 8001, 8002 ]
-connection_max = 5000
-enabled = true
-
-[servers]
-
-  # You can indent as you please. Tabs or spaces. TOML don't care.
-  [servers.alpha]
-  ip = "10.0.0.1"
-  dc = "eqdc10"
-
-  [servers.beta]
-  ip = "10.0.0.2"
-  dc = "eqdc10"
-
-[clients]
-data = [ ["gamma", "delta"], [1, 2] ] # just an update to make sure parsers support it
-
-# Line breaks are OK when inside arrays
-hosts = [
-  "alpha",
-  "omega"
-]
-```
-
-And the corresponding Go types are:
-
-```go
-type tomlConfig struct {
-	Title   string
-	Owner   ownerInfo
-	DB      database `toml:"database"`
-	Servers map[string]server
-	Clients clients
-}
-
-type ownerInfo struct {
-	Name string
-	Org  string `toml:"organization"`
-	Bio  string
-	DOB  time.Time
-}
-
-type database struct {
-	Server  string
-	Ports   []int
-	ConnMax int `toml:"connection_max"`
-	Enabled bool
-}
-
-type server struct {
-	IP string
-	DC string
-}
-
-type clients struct {
-	Data  [][]interface{}
-	Hosts []string
-}
-```
-
-Note that a case insensitive match will be tried if an exact match can't be
-found.
-
-A working example of the above can be found in `_example/example.{go,toml}`.
+See the [`_example/`](/_example) directory for a more complex example.
--- a/vendor/github.com/BurntSushi/toml/decode.go
+++ b/vendor/github.com/BurntSushi/toml/decode.go
@@ -1,14 +1,18 @@
 package toml

 import (
+	"bytes"
 	"encoding"
+	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"math"
 	"os"
 	"reflect"
+	"strconv"
 	"strings"
+	"time"
 )

 // Unmarshaler is the interface implemented by objects that can unmarshal a
@@ -17,16 +21,35 @@ type Unmarshaler interface {
 	UnmarshalTOML(interface{}) error
 }

-// Unmarshal decodes the contents of `p` in TOML format into a pointer `v`.
-func Unmarshal(p []byte, v interface{}) error {
-	_, err := Decode(string(p), v)
+// Unmarshal decodes the contents of data in TOML format into a pointer v.
+//
+// See [Decoder] for a description of the decoding process.
+func Unmarshal(data []byte, v interface{}) error {
+	_, err := NewDecoder(bytes.NewReader(data)).Decode(v)
 	return err
 }

+// Decode the TOML data in to the pointer v.
+//
+// See [Decoder] for a description of the decoding process.
+func Decode(data string, v interface{}) (MetaData, error) {
+	return NewDecoder(strings.NewReader(data)).Decode(v)
+}
+
+// DecodeFile reads the contents of a file and decodes it with [Decode].
+func DecodeFile(path string, v interface{}) (MetaData, error) {
+	fp, err := os.Open(path)
+	if err != nil {
+		return MetaData{}, err
+	}
+	defer fp.Close()
+	return NewDecoder(fp).Decode(v)
+}
+
 // Primitive is a TOML value that hasn't been decoded into a Go value.
 //
 // This type can be used for any value, which will cause decoding to be delayed.
-// You can use the PrimitiveDecode() function to "manually" decode these values.
+// You can use [PrimitiveDecode] to "manually" decode these values.
 //
 // NOTE: The underlying representation of a `Primitive` value is subject to
 // change. Do not rely on it.
@@ -42,36 +65,22 @@ type Primitive struct {
 // The significand precision for float32 and float64 is 24 and 53 bits; this is
 // the range a natural number can be stored in a float without loss of data.
 const (
-	maxSafeFloat32Int = 16777215         // 2^24-1
-	maxSafeFloat64Int = 9007199254740991 // 2^53-1
+	maxSafeFloat32Int = 16777215                // 2^24-1
+	maxSafeFloat64Int = int64(9007199254740991) // 2^53-1
 )

-// PrimitiveDecode is just like the other `Decode*` functions, except it
-// decodes a TOML value that has already been parsed. Valid primitive values
-// can *only* be obtained from values filled by the decoder functions,
-// including this method. (i.e., `v` may contain more `Primitive`
-// values.)
-//
-// Meta data for primitive values is included in the meta data returned by
-// the `Decode*` functions with one exception: keys returned by the Undecoded
-// method will only reflect keys that were decoded. Namely, any keys hidden
-// behind a Primitive will be considered undecoded. Executing this method will
-// update the undecoded keys in the meta data. (See the example.)
-func (md *MetaData) PrimitiveDecode(primValue Primitive, v interface{}) error {
-	md.context = primValue.context
-	defer func() { md.context = nil }()
-	return md.unify(primValue.undecoded, rvalue(v))
-}
-
 // Decoder decodes TOML data.
 //
-// TOML tables correspond to Go structs or maps (dealer's choice – they can be
-// used interchangeably).
+// TOML tables correspond to Go structs or maps; they can be used
+// interchangeably, but structs offer better type safety.
 //
 // TOML table arrays correspond to either a slice of structs or a slice of maps.
 //
-// TOML datetimes correspond to Go time.Time values. Local datetimes are parsed
-// in the local timezone.
+// TOML datetimes correspond to [time.Time]. Local datetimes are parsed in the
+// local timezone.
+//
+// [time.Duration] types are treated as nanoseconds if the TOML value is an
+// integer, or they're parsed with time.ParseDuration() if they're strings.
 //
 // All other TOML types (float, string, int, bool and array) correspond to the
 // obvious Go types.
@@ -80,9 +89,9 @@ func (md *MetaData) PrimitiveDecode(primValue Primitive, v interface{}) error {
 // interface, in which case any primitive TOML value (floats, strings, integers,
 // booleans, datetimes) will be converted to a []byte and given to the value's
 // UnmarshalText method. See the Unmarshaler example for a demonstration with
-// time duration strings.
+// email addresses.
 //
-// Key mapping
+// ### Key mapping
 //
 // TOML keys can map to either keys in a Go map or field names in a Go struct.
 // The special `toml` struct tag can be used to map TOML keys to struct fields
@@ -109,6 +118,7 @@ func NewDecoder(r io.Reader) *Decoder {
 var (
 	unmarshalToml = reflect.TypeOf((*Unmarshaler)(nil)).Elem()
 	unmarshalText = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
+	primitiveType = reflect.TypeOf((*Primitive)(nil)).Elem()
 )

 // Decode TOML data in to the pointer `v`.
@@ -120,10 +130,10 @@ func (dec *Decoder) Decode(v interface{}) (MetaData, error) {
 			s = "%v"
 		}

-		return MetaData{}, e("cannot decode to non-pointer "+s, reflect.TypeOf(v))
+		return MetaData{}, fmt.Errorf("toml: cannot decode to non-pointer "+s, reflect.TypeOf(v))
 	}
 	if rv.IsNil() {
-		return MetaData{}, e("cannot decode to nil value of %q", reflect.TypeOf(v))
+		return MetaData{}, fmt.Errorf("toml: cannot decode to nil value of %q", reflect.TypeOf(v))
 	}

 	// Check if this is a supported type: struct, map, interface{}, or something
@@ -133,7 +143,7 @@ func (dec *Decoder) Decode(v interface{}) (MetaData, error) {
 	if rv.Kind() != reflect.Struct && rv.Kind() != reflect.Map &&
 		!(rv.Kind() == reflect.Interface && rv.NumMethod() == 0) &&
 		!rt.Implements(unmarshalToml) && !rt.Implements(unmarshalText) {
-		return MetaData{}, e("cannot decode to type %s", rt)
+		return MetaData{}, fmt.Errorf("toml: cannot decode to type %s", rt)
 	}

 	// TODO: parser should read from io.Reader? Or at the very least, make it
@@ -150,30 +160,29 @@ func (dec *Decoder) Decode(v interface{}) (MetaData, error) {

 	md := MetaData{
 		mapping: p.mapping,
-		types:   p.types,
+		keyInfo: p.keyInfo,
 		keys:    p.ordered,
 		decoded: make(map[string]struct{}, len(p.ordered)),
 		context: nil,
+		data:    data,
 	}
 	return md, md.unify(p.mapping, rv)
 }

-// Decode the TOML data in to the pointer v.
+// PrimitiveDecode is just like the other Decode* functions, except it decodes a
+// TOML value that has already been parsed. Valid primitive values can *only* be
+// obtained from values filled by the decoder functions, including this method.
+// (i.e., v may contain more [Primitive] values.)
 //
-// See the documentation on Decoder for a description of the decoding process.
-func Decode(data string, v interface{}) (MetaData, error) {
-	return NewDecoder(strings.NewReader(data)).Decode(v)
-}
-
-// DecodeFile is just like Decode, except it will automatically read the
-// contents of the file at path and decode it for you.
-func DecodeFile(path string, v interface{}) (MetaData, error) {
-	fp, err := os.Open(path)
-	if err != nil {
-		return MetaData{}, err
-	}
-	defer fp.Close()
-	return NewDecoder(fp).Decode(v)
+// Meta data for primitive values is included in the meta data returned by the
+// Decode* functions with one exception: keys returned by the Undecoded method
+// will only reflect keys that were decoded. Namely, any keys hidden behind a
+// Primitive will be considered undecoded. Executing this method will update the
+// undecoded keys in the meta data. (See the example.)
+func (md *MetaData) PrimitiveDecode(primValue Primitive, v interface{}) error {
+	md.context = primValue.context
+	defer func() { md.context = nil }()
+	return md.unify(primValue.undecoded, rvalue(v))
 }

 // unify performs a sort of type unification based on the structure of `rv`,
@@ -184,7 +193,7 @@ func DecodeFile(path string, v interface{}) (MetaData, error) {
 func (md *MetaData) unify(data interface{}, rv reflect.Value) error {
 	// Special case. Look for a `Primitive` value.
 	// TODO: #76 would make this superfluous after implemented.
-	if rv.Type() == reflect.TypeOf((*Primitive)(nil)).Elem() {
+	if rv.Type() == primitiveType {
 		// Save the undecoded data and the key context into the primitive
 		// value.
 		context := make(Key, len(md.context))
@@ -196,17 +205,14 @@ func (md *MetaData) unify(data interface{}, rv reflect.Value) error {
 		return nil
 	}

-	// Special case. Unmarshaler Interface support.
-	if rv.CanAddr() {
-		if v, ok := rv.Addr().Interface().(Unmarshaler); ok {
-			return v.UnmarshalTOML(data)
-		}
+	rvi := rv.Interface()
+	if v, ok := rvi.(Unmarshaler); ok {
+		return v.UnmarshalTOML(data)
 	}
-
-	// Special case. Look for a value satisfying the TextUnmarshaler interface.
-	if v, ok := rv.Interface().(encoding.TextUnmarshaler); ok {
+	if v, ok := rvi.(encoding.TextUnmarshaler); ok {
 		return md.unifyText(data, v)
 	}
+
 	// TODO:
 	// The behavior here is incorrect whenever a Go type satisfies the
 	// encoding.TextUnmarshaler interface but also corresponds to a TOML hash or
@@ -217,7 +223,6 @@ func (md *MetaData) unify(data interface{}, rv reflect.Value) error {

 	k := rv.Kind()

-	// laziness
 	if k >= reflect.Int && k <= reflect.Uint64 {
 		return md.unifyInt(data, rv)
 	}
@@ -243,15 +248,14 @@ func (md *MetaData) unify(data interface{}, rv reflect.Value) error {
 	case reflect.Bool:
 		return md.unifyBool(data, rv)
 	case reflect.Interface:
-		// we only support empty interfaces.
-		if rv.NumMethod() > 0 {
-			return e("unsupported type %s", rv.Type())
+		if rv.NumMethod() > 0 { // Only support empty interfaces are supported.
+			return md.e("unsupported type %s", rv.Type())
 		}
 		return md.unifyAnything(data, rv)
 	case reflect.Float32, reflect.Float64:
 		return md.unifyFloat64(data, rv)
 	}
-	return e("unsupported type %s", rv.Kind())
+	return md.e("unsupported type %s", rv.Kind())
 }

 func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {
@@ -260,7 +264,7 @@ func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {
 		if mapping == nil {
 			return nil
 		}
-		return e("type mismatch for %s: expected table but found %T",
+		return md.e("type mismatch for %s: expected table but found %T",
 			rv.Type().String(), mapping)
 	}

@@ -286,13 +290,14 @@ func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {
 			if isUnifiable(subv) {
 				md.decoded[md.context.add(key).String()] = struct{}{}
 				md.context = append(md.context, key)
+
 				err := md.unify(datum, subv)
 				if err != nil {
 					return err
 				}
 				md.context = md.context[0 : len(md.context)-1]
 			} else if f.name != "" {
-				return e("cannot write unexported field %s.%s", rv.Type().String(), f.name)
+				return md.e("cannot write unexported field %s.%s", rv.Type().String(), f.name)
 			}
 		}
 	}
@@ -300,10 +305,10 @@ func (md *MetaData) unifyStruct(mapping interface{}, rv reflect.Value) error {
 }

 func (md *MetaData) unifyMap(mapping interface{}, rv reflect.Value) error {
-	if k := rv.Type().Key().Kind(); k != reflect.String {
-		return fmt.Errorf(
-			"toml: cannot decode to a map with non-string key type (%s in %q)",
-			k, rv.Type())
+	keyType := rv.Type().Key().Kind()
+	if keyType != reflect.String && keyType != reflect.Interface {
+		return fmt.Errorf("toml: cannot decode to a map with non-string key type (%s in %q)",
+			keyType, rv.Type())
 	}

 	tmap, ok := mapping.(map[string]interface{})
@@ -321,13 +326,22 @@ func (md *MetaData) unifyMap(mapping interface{}, rv reflect.Value) error {
 		md.context = append(md.context, k)

 		rvval := reflect.Indirect(reflect.New(rv.Type().Elem()))
-		if err := md.unify(v, rvval); err != nil {
+
+		err := md.unify(v, indirect(rvval))
+		if err != nil {
 			return err
 		}
 		md.context = md.context[0 : len(md.context)-1]

 		rvkey := indirect(reflect.New(rv.Type().Key()))
-		rvkey.SetString(k)
+
+		switch keyType {
+		case reflect.Interface:
+			rvkey.Set(reflect.ValueOf(k))
+		case reflect.String:
+			rvkey.SetString(k)
+		}
+
 		rv.SetMapIndex(rvkey, rvval)
 	}
 	return nil
@@ -342,7 +356,7 @@ func (md *MetaData) unifyArray(data interface{}, rv reflect.Value) error {
 		return md.badtype("slice", data)
 	}
 	if l := datav.Len(); l != rv.Len() {
-		return e("expected array length %d; got TOML array of length %d", rv.Len(), l)
+		return md.e("expected array length %d; got TOML array of length %d", rv.Len(), l)
 	}
 	return md.unifySliceArray(datav, rv)
 }
@@ -375,6 +389,18 @@ func (md *MetaData) unifySliceArray(data, rv reflect.Value) error {
 }

 func (md *MetaData) unifyString(data interface{}, rv reflect.Value) error {
+	_, ok := rv.Interface().(json.Number)
+	if ok {
+		if i, ok := data.(int64); ok {
+			rv.SetString(strconv.FormatInt(i, 10))
+		} else if f, ok := data.(float64); ok {
+			rv.SetString(strconv.FormatFloat(f, 'f', -1, 64))
+		} else {
+			return md.badtype("string", data)
+		}
+		return nil
+	}
+
 	if s, ok := data.(string); ok {
 		rv.SetString(s)
 		return nil
@@ -383,11 +409,13 @@ func (md *MetaData) unifyString(data interface{}, rv reflect.Value) error {
 }

 func (md *MetaData) unifyFloat64(data interface{}, rv reflect.Value) error {
+	rvk := rv.Kind()
+
 	if num, ok := data.(float64); ok {
-		switch rv.Kind() {
+		switch rvk {
 		case reflect.Float32:
 			if num < -math.MaxFloat32 || num > math.MaxFloat32 {
-				return e("value %f is out of range for float32", num)
+				return md.parseErr(errParseRange{i: num, size: rvk.String()})
 			}
 			fallthrough
 		case reflect.Float64:
@@ -399,20 +427,11 @@ func (md *MetaData) unifyFloat64(data interface{}, rv reflect.Value) error {
 	}

 	if num, ok := data.(int64); ok {
-		switch rv.Kind() {
-		case reflect.Float32:
-			if num < -maxSafeFloat32Int || num > maxSafeFloat32Int {
-				return e("value %d is out of range for float32", num)
-			}
-			fallthrough
-		case reflect.Float64:
-			if num < -maxSafeFloat64Int || num > maxSafeFloat64Int {
-				return e("value %d is out of range for float64", num)
-			}
-			rv.SetFloat(float64(num))
-		default:
-			panic("bug")
+		if (rvk == reflect.Float32 && (num < -maxSafeFloat32Int || num > maxSafeFloat32Int)) ||
+			(rvk == reflect.Float64 && (num < -maxSafeFloat64Int || num > maxSafeFloat64Int)) {
+			return md.parseErr(errParseRange{i: num, size: rvk.String()})
 		}
+		rv.SetFloat(float64(num))
 		return nil
 	}

@@ -420,50 +439,46 @@ func (md *MetaData) unifyFloat64(data interface{}, rv reflect.Value) error {
 }

 func (md *MetaData) unifyInt(data interface{}, rv reflect.Value) error {
-	if num, ok := data.(int64); ok {
-		if rv.Kind() >= reflect.Int && rv.Kind() <= reflect.Int64 {
-			switch rv.Kind() {
-			case reflect.Int, reflect.Int64:
-				// No bounds checking necessary.
-			case reflect.Int8:
-				if num < math.MinInt8 || num > math.MaxInt8 {
-					return e("value %d is out of range for int8", num)
-				}
-			case reflect.Int16:
-				if num < math.MinInt16 || num > math.MaxInt16 {
-					return e("value %d is out of range for int16", num)
-				}
-			case reflect.Int32:
-				if num < math.MinInt32 || num > math.MaxInt32 {
-					return e("value %d is out of range for int32", num)
-				}
+	_, ok := rv.Interface().(time.Duration)
+	if ok {
+		// Parse as string duration, and fall back to regular integer parsing
+		// (as nanosecond) if this is not a string.
+		if s, ok := data.(string); ok {
+			dur, err := time.ParseDuration(s)
+			if err != nil {
+				return md.parseErr(errParseDuration{s})
 			}
-			rv.SetInt(num)
-		} else if rv.Kind() >= reflect.Uint && rv.Kind() <= reflect.Uint64 {
-			unum := uint64(num)
-			switch rv.Kind() {
-			case reflect.Uint, reflect.Uint64:
-				// No bounds checking necessary.
-			case reflect.Uint8:
-				if num < 0 || unum > math.MaxUint8 {
-					return e("value %d is out of range for uint8", num)
-				}
-			case reflect.Uint16:
-				if num < 0 || unum > math.MaxUint16 {
-					return e("value %d is out of range for uint16", num)
-				}
-			case reflect.Uint32:
-				if num < 0 || unum > math.MaxUint32 {
-					return e("value %d is out of range for uint32", num)
-				}
-			}
-			rv.SetUint(unum)
-		} else {
-			panic("unreachable")
+			rv.SetInt(int64(dur))
+			return nil
 		}
-		return nil
 	}
-	return md.badtype("integer", data)
+
+	num, ok := data.(int64)
+	if !ok {
+		return md.badtype("integer", data)
+	}
+
+	rvk := rv.Kind()
+	switch {
+	case rvk >= reflect.Int && rvk <= reflect.Int64:
+		if (rvk == reflect.Int8 && (num < math.MinInt8 || num > math.MaxInt8)) ||
+			(rvk == reflect.Int16 && (num < math.MinInt16 || num > math.MaxInt16)) ||
+			(rvk == reflect.Int32 && (num < math.MinInt32 || num > math.MaxInt32)) {
+			return md.parseErr(errParseRange{i: num, size: rvk.String()})
+		}
+		rv.SetInt(num)
+	case rvk >= reflect.Uint && rvk <= reflect.Uint64:
+		unum := uint64(num)
+		if rvk == reflect.Uint8 && (num < 0 || unum > math.MaxUint8) ||
+			rvk == reflect.Uint16 && (num < 0 || unum > math.MaxUint16) ||
+			rvk == reflect.Uint32 && (num < 0 || unum > math.MaxUint32) {
+			return md.parseErr(errParseRange{i: num, size: rvk.String()})
+		}
+		rv.SetUint(unum)
+	default:
+		panic("unreachable")
+	}
+	return nil
 }

 func (md *MetaData) unifyBool(data interface{}, rv reflect.Value) error {
@@ -488,7 +503,7 @@ func (md *MetaData) unifyText(data interface{}, v encoding.TextUnmarshaler) erro
 			return err
 		}
 		s = string(text)
-	case TextMarshaler:
+	case encoding.TextMarshaler:
 		text, err := sdata.MarshalText()
 		if err != nil {
 			return err
@@ -514,7 +529,30 @@ func (md *MetaData) unifyText(data interface{}, v encoding.TextUnmarshaler) erro
 }

 func (md *MetaData) badtype(dst string, data interface{}) error {
-	return e("incompatible types: TOML key %q has type %T; destination has type %s", md.context, data, dst)
+	return md.e("incompatible types: TOML value has type %T; destination has type %s", data, dst)
+}
+
+func (md *MetaData) parseErr(err error) error {
+	k := md.context.String()
+	return ParseError{
+		LastKey:  k,
+		Position: md.keyInfo[k].pos,
+		Line:     md.keyInfo[k].pos.Line,
+		err:      err,
+		input:    string(md.data),
+	}
+}
+
+func (md *MetaData) e(format string, args ...interface{}) error {
+	f := "toml: "
+	if len(md.context) > 0 {
+		f = fmt.Sprintf("toml: (last key %q): ", md.context)
+		p := md.keyInfo[md.context.String()].pos
+		if p.Line > 0 {
+			f = fmt.Sprintf("toml: line %d (last key %q): ", p.Line, md.context)
+		}
+	}
+	return fmt.Errorf(f+format, args...)
 }

 // rvalue returns a reflect.Value of `v`. All pointers are resolved.
@@ -533,7 +571,11 @@ func indirect(v reflect.Value) reflect.Value {
 	if v.Kind() != reflect.Ptr {
 		if v.CanSet() {
 			pv := v.Addr()
-			if _, ok := pv.Interface().(encoding.TextUnmarshaler); ok {
+			pvi := pv.Interface()
+			if _, ok := pvi.(encoding.TextUnmarshaler); ok {
+				return pv
+			}
+			if _, ok := pvi.(Unmarshaler); ok {
 				return pv
 			}
 		}
@@ -549,12 +591,12 @@ func isUnifiable(rv reflect.Value) bool {
 	if rv.CanSet() {
 		return true
 	}
-	if _, ok := rv.Interface().(encoding.TextUnmarshaler); ok {
+	rvi := rv.Interface()
+	if _, ok := rvi.(encoding.TextUnmarshaler); ok {
+		return true
+	}
+	if _, ok := rvi.(Unmarshaler); ok {
 		return true
 	}
 	return false
 }
-
-func e(format string, args ...interface{}) error {
-	return fmt.Errorf("toml: "+format, args...)
-}
--- a/vendor/github.com/BurntSushi/toml/decode_go116.go
+++ b/vendor/github.com/BurntSushi/toml/decode_go116.go
@@ -7,8 +7,8 @@ import (
 	"io/fs"
 )

-// DecodeFS is just like Decode, except it will automatically read the contents
-// of the file at `path` from a fs.FS instance.
+// DecodeFS reads the contents of a file from [fs.FS] and decodes it with
+// [Decode].
 func DecodeFS(fsys fs.FS, path string, v interface{}) (MetaData, error) {
 	fp, err := fsys.Open(path)
 	if err != nil {
--- a/vendor/github.com/BurntSushi/toml/doc.go
+++ b/vendor/github.com/BurntSushi/toml/doc.go
@@ -1,13 +1,11 @@
-/*
-Package toml implements decoding and encoding of TOML files.
-
-This package supports TOML v1.0.0, as listed on https://toml.io
-
-There is also support for delaying decoding with the Primitive type, and
-querying the set of keys in a TOML document with the MetaData type.
-
-The github.com/BurntSushi/toml/cmd/tomlv package implements a TOML validator,
-and can be used to verify if TOML document is valid. It can also be used to
-print the type of each key.
-*/
+// Package toml implements decoding and encoding of TOML files.
+//
+// This package supports TOML v1.0.0, as specified at https://toml.io
+//
+// There is also support for delaying decoding with the Primitive type, and
+// querying the set of keys in a TOML document with the MetaData type.
+//
+// The github.com/BurntSushi/toml/cmd/tomlv package implements a TOML validator,
+// and can be used to verify if TOML document is valid. It can also be used to
+// print the type of each key.
 package toml
--- a/vendor/github.com/BurntSushi/toml/encode.go
+++ b/vendor/github.com/BurntSushi/toml/encode.go
@@ -3,6 +3,7 @@ package toml
 import (
 	"bufio"
 	"encoding"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -63,6 +64,12 @@ var dblQuotedReplacer = strings.NewReplacer(
 	"\x7f", `\u007f`,
 )

+var (
+	marshalToml = reflect.TypeOf((*Marshaler)(nil)).Elem()
+	marshalText = reflect.TypeOf((*encoding.TextMarshaler)(nil)).Elem()
+	timeType    = reflect.TypeOf((*time.Time)(nil)).Elem()
+)
+
 // Marshaler is the interface implemented by types that can marshal themselves
 // into valid TOML.
 type Marshaler interface {
@@ -72,9 +79,12 @@ type Marshaler interface {
 // Encoder encodes a Go to a TOML document.
 //
 // The mapping between Go values and TOML values should be precisely the same as
-// for the Decode* functions.
+// for [Decode].
 //
-// The toml.Marshaler and encoder.TextMarshaler interfaces are supported to
+// time.Time is encoded as a RFC 3339 string, and time.Duration as its string
+// representation.
+//
+// The [Marshaler] and [encoding.TextMarshaler] interfaces are supported to
 // encoding the value as custom TOML.
 //
 // If you want to write arbitrary binary data then you will need to use
@@ -85,6 +95,17 @@ type Marshaler interface {
 //
 // Go maps will be sorted alphabetically by key for deterministic output.
 //
+// The toml struct tag can be used to provide the key name; if omitted the
+// struct field name will be used. If the "omitempty" option is present the
+// following value will be skipped:
+//
+//   - arrays, slices, maps, and string with len of 0
+//   - struct with all zero values
+//   - bool false
+//
+// If omitzero is given all int and float types with a value of 0 will be
+// skipped.
+//
 // Encoding Go values without a corresponding TOML representation will return an
 // error. Examples of this includes maps with non-string keys, slices with nil
 // elements, embedded non-struct types, and nested slices containing maps or
@@ -109,7 +130,7 @@ func NewEncoder(w io.Writer) *Encoder {
 	}
 }

-// Encode writes a TOML representation of the Go value to the Encoder's writer.
+// Encode writes a TOML representation of the Go value to the [Encoder]'s writer.
 //
 // An error is returned if the value given cannot be encoded to a valid TOML
 // document.
@@ -136,18 +157,15 @@ func (enc *Encoder) safeEncode(key Key, rv reflect.Value) (err error) {
 }

 func (enc *Encoder) encode(key Key, rv reflect.Value) {
-	// Special case: time needs to be in ISO8601 format.
-	//
-	// Special case: if we can marshal the type to text, then we used that. This
-	// prevents the encoder for handling these types as generic structs (or
-	// whatever the underlying type of a TextMarshaler is).
-	switch t := rv.Interface().(type) {
-	case time.Time, encoding.TextMarshaler, Marshaler:
+	// If we can marshal the type to text, then we use that. This prevents the
+	// encoder for handling these types as generic structs (or whatever the
+	// underlying type of a TextMarshaler is).
+	switch {
+	case isMarshaler(rv):
 		enc.writeKeyValue(key, rv, false)
 		return
-	// TODO: #76 would make this superfluous after implemented.
-	case Primitive:
-		enc.encode(key, reflect.ValueOf(t.undecoded))
+	case rv.Type() == primitiveType: // TODO: #76 would make this superfluous after implemented.
+		enc.encode(key, reflect.ValueOf(rv.Interface().(Primitive).undecoded))
 		return
 	}

@@ -212,18 +230,44 @@ func (enc *Encoder) eElement(rv reflect.Value) {
 		if err != nil {
 			encPanic(err)
 		}
-		enc.writeQuoted(string(s))
+		if s == nil {
+			encPanic(errors.New("MarshalTOML returned nil and no error"))
+		}
+		enc.w.Write(s)
 		return
 	case encoding.TextMarshaler:
 		s, err := v.MarshalText()
 		if err != nil {
 			encPanic(err)
 		}
+		if s == nil {
+			encPanic(errors.New("MarshalText returned nil and no error"))
+		}
 		enc.writeQuoted(string(s))
 		return
+	case time.Duration:
+		enc.writeQuoted(v.String())
+		return
+	case json.Number:
+		n, _ := rv.Interface().(json.Number)
+
+		if n == "" { /// Useful zero value.
+			enc.w.WriteByte('0')
+			return
+		} else if v, err := n.Int64(); err == nil {
+			enc.eElement(reflect.ValueOf(v))
+			return
+		} else if v, err := n.Float64(); err == nil {
+			enc.eElement(reflect.ValueOf(v))
+			return
+		}
+		encPanic(fmt.Errorf("unable to convert %q to int64 or float64", n))
 	}

 	switch rv.Kind() {
+	case reflect.Ptr:
+		enc.eElement(rv.Elem())
+		return
 	case reflect.String:
 		enc.writeQuoted(rv.String())
 	case reflect.Bool:
@@ -259,7 +303,7 @@ func (enc *Encoder) eElement(rv reflect.Value) {
 	case reflect.Interface:
 		enc.eElement(rv.Elem())
 	default:
-		encPanic(fmt.Errorf("unexpected primitive type: %T", rv.Interface()))
+		encPanic(fmt.Errorf("unexpected type: %T", rv.Interface()))
 	}
 }

@@ -280,7 +324,7 @@ func (enc *Encoder) eArrayOrSliceElement(rv reflect.Value) {
 	length := rv.Len()
 	enc.wf("[")
 	for i := 0; i < length; i++ {
-		elem := rv.Index(i)
+		elem := eindirect(rv.Index(i))
 		enc.eElement(elem)
 		if i != length-1 {
 			enc.wf(", ")
@@ -294,7 +338,7 @@ func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) {
 		encPanic(errNoKey)
 	}
 	for i := 0; i < rv.Len(); i++ {
-		trv := rv.Index(i)
+		trv := eindirect(rv.Index(i))
 		if isNil(trv) {
 			continue
 		}
@@ -319,7 +363,7 @@ func (enc *Encoder) eTable(key Key, rv reflect.Value) {
 }

 func (enc *Encoder) eMapOrStruct(key Key, rv reflect.Value, inline bool) {
-	switch rv := eindirect(rv); rv.Kind() {
+	switch rv.Kind() {
 	case reflect.Map:
 		enc.eMap(key, rv, inline)
 	case reflect.Struct:
@@ -341,7 +385,7 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
 	var mapKeysDirect, mapKeysSub []string
 	for _, mapKey := range rv.MapKeys() {
 		k := mapKey.String()
-		if typeIsTable(tomlTypeOfGo(rv.MapIndex(mapKey))) {
+		if typeIsTable(tomlTypeOfGo(eindirect(rv.MapIndex(mapKey)))) {
 			mapKeysSub = append(mapKeysSub, k)
 		} else {
 			mapKeysDirect = append(mapKeysDirect, k)
@@ -351,7 +395,7 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {
 	var writeMapKeys = func(mapKeys []string, trailC bool) {
 		sort.Strings(mapKeys)
 		for i, mapKey := range mapKeys {
-			val := rv.MapIndex(reflect.ValueOf(mapKey))
+			val := eindirect(rv.MapIndex(reflect.ValueOf(mapKey)))
 			if isNil(val) {
 				continue
 			}
@@ -379,6 +423,13 @@ func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) {

 const is32Bit = (32 << (^uint(0) >> 63)) == 32

+func pointerTo(t reflect.Type) reflect.Type {
+	if t.Kind() == reflect.Ptr {
+		return pointerTo(t.Elem())
+	}
+	return t
+}
+
 func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 	// Write keys for fields directly under this key first, because if we write
 	// a field that creates a new table then all keys under it will be in that
@@ -395,31 +446,25 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 	addFields = func(rt reflect.Type, rv reflect.Value, start []int) {
 		for i := 0; i < rt.NumField(); i++ {
 			f := rt.Field(i)
-			if f.PkgPath != "" && !f.Anonymous { /// Skip unexported fields.
+			isEmbed := f.Anonymous && pointerTo(f.Type).Kind() == reflect.Struct
+			if f.PkgPath != "" && !isEmbed { /// Skip unexported fields.
+				continue
+			}
+			opts := getOptions(f.Tag)
+			if opts.skip {
 				continue
 			}

-			frv := rv.Field(i)
+			frv := eindirect(rv.Field(i))

 			// Treat anonymous struct fields with tag names as though they are
 			// not anonymous, like encoding/json does.
 			//
 			// Non-struct anonymous fields use the normal encoding logic.
-			if f.Anonymous {
-				t := f.Type
-				switch t.Kind() {
-				case reflect.Struct:
-					if getOptions(f.Tag).name == "" {
-						addFields(t, frv, append(start, f.Index...))
-						continue
-					}
-				case reflect.Ptr:
-					if t.Elem().Kind() == reflect.Struct && getOptions(f.Tag).name == "" {
-						if !frv.IsNil() {
-							addFields(t.Elem(), frv.Elem(), append(start, f.Index...))
-						}
-						continue
-					}
+			if isEmbed {
+				if getOptions(f.Tag).name == "" && frv.Kind() == reflect.Struct {
+					addFields(frv.Type(), frv, append(start, f.Index...))
+					continue
 				}
 			}

@@ -445,7 +490,7 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 	writeFields := func(fields [][]int) {
 		for _, fieldIndex := range fields {
 			fieldType := rt.FieldByIndex(fieldIndex)
-			fieldVal := rv.FieldByIndex(fieldIndex)
+			fieldVal := eindirect(rv.FieldByIndex(fieldIndex))

 			if isNil(fieldVal) { /// Don't write anything for nil fields.
 				continue
@@ -459,7 +504,8 @@ func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) {
 			if opts.name != "" {
 				keyName = opts.name
 			}
-			if opts.omitempty && isEmpty(fieldVal) {
+
+			if opts.omitempty && enc.isEmpty(fieldVal) {
 				continue
 			}
 			if opts.omitzero && isZero(fieldVal) {
@@ -498,6 +544,21 @@ func tomlTypeOfGo(rv reflect.Value) tomlType {
 	if isNil(rv) || !rv.IsValid() {
 		return nil
 	}
+
+	if rv.Kind() == reflect.Struct {
+		if rv.Type() == timeType {
+			return tomlDatetime
+		}
+		if isMarshaler(rv) {
+			return tomlString
+		}
+		return tomlHash
+	}
+
+	if isMarshaler(rv) {
+		return tomlString
+	}
+
 	switch rv.Kind() {
 	case reflect.Bool:
 		return tomlBool
@@ -509,7 +570,7 @@ func tomlTypeOfGo(rv reflect.Value) tomlType {
 	case reflect.Float32, reflect.Float64:
 		return tomlFloat
 	case reflect.Array, reflect.Slice:
-		if typeEqual(tomlHash, tomlArrayType(rv)) {
+		if isTableArray(rv) {
 			return tomlArrayHash
 		}
 		return tomlArray
@@ -519,67 +580,35 @@ func tomlTypeOfGo(rv reflect.Value) tomlType {
 		return tomlString
 	case reflect.Map:
 		return tomlHash
-	case reflect.Struct:
-		if _, ok := rv.Interface().(time.Time); ok {
-			return tomlDatetime
-		}
-		if isMarshaler(rv) {
-			return tomlString
-		}
-		return tomlHash
 	default:
-		if isMarshaler(rv) {
-			return tomlString
-		}
-
 		encPanic(errors.New("unsupported type: " + rv.Kind().String()))
 		panic("unreachable")
 	}
 }

 func isMarshaler(rv reflect.Value) bool {
-	switch rv.Interface().(type) {
-	case encoding.TextMarshaler:
-		return true
-	case Marshaler:
-		return true
-	}
-
-	// Someone used a pointer receiver: we can make it work for pointer values.
-	if rv.CanAddr() {
-		if _, ok := rv.Addr().Interface().(encoding.TextMarshaler); ok {
-			return true
-		}
-		if _, ok := rv.Addr().Interface().(Marshaler); ok {
-			return true
-		}
-	}
-	return false
+	return rv.Type().Implements(marshalText) || rv.Type().Implements(marshalToml)
 }

-// tomlArrayType returns the element type of a TOML array. The type returned
-// may be nil if it cannot be determined (e.g., a nil slice or a zero length
-// slize). This function may also panic if it finds a type that cannot be
-// expressed in TOML (such as nil elements, heterogeneous arrays or directly
-// nested arrays of tables).
-func tomlArrayType(rv reflect.Value) tomlType {
-	if isNil(rv) || !rv.IsValid() || rv.Len() == 0 {
-		return nil
+// isTableArray reports if all entries in the array or slice are a table.
+func isTableArray(arr reflect.Value) bool {
+	if isNil(arr) || !arr.IsValid() || arr.Len() == 0 {
+		return false
 	}

-	/// Don't allow nil.
-	rvlen := rv.Len()
-	for i := 1; i < rvlen; i++ {
-		if tomlTypeOfGo(rv.Index(i)) == nil {
+	ret := true
+	for i := 0; i < arr.Len(); i++ {
+		tt := tomlTypeOfGo(eindirect(arr.Index(i)))
+		// Don't allow nil.
+		if tt == nil {
 			encPanic(errArrayNilElement)
 		}
-	}

-	firstType := tomlTypeOfGo(rv.Index(0))
-	if firstType == nil {
-		encPanic(errArrayNilElement)
+		if ret && !typeEqual(tomlHash, tt) {
+			ret = false
+		}
 	}
-	return firstType
+	return ret
 }

 type tagOptions struct {
@@ -620,10 +649,26 @@ func isZero(rv reflect.Value) bool {
 	return false
 }

-func isEmpty(rv reflect.Value) bool {
+func (enc *Encoder) isEmpty(rv reflect.Value) bool {
 	switch rv.Kind() {
 	case reflect.Array, reflect.Slice, reflect.Map, reflect.String:
 		return rv.Len() == 0
+	case reflect.Struct:
+		if rv.Type().Comparable() {
+			return reflect.Zero(rv.Type()).Interface() == rv.Interface()
+		}
+		// Need to also check if all the fields are empty, otherwise something
+		// like this with uncomparable types will always return true:
+		//
+		//   type a struct{ field b }
+		//   type b struct{ s []string }
+		//   s := a{field: b{s: []string{"AAA"}}}
+		for i := 0; i < rv.NumField(); i++ {
+			if !enc.isEmpty(rv.Field(i)) {
+				return false
+			}
+		}
+		return true
 	case reflect.Bool:
 		return !rv.Bool()
 	}
@@ -638,16 +683,15 @@ func (enc *Encoder) newline() {

 // Write a key/value pair:
 //
-//   key = <any value>
+//	key = <any value>
 //
 // This is also used for "k = v" in inline tables; so something like this will
 // be written in three calls:
 //
-//     ┌────────────────────┐
-//     │      ┌───┐  ┌─────┐│
-//     v      v   v  v     vv
-//     key = {k = v, k2 = v2}
-//
+//	┌───────────────────┐
+//	│      ┌───┐  ┌────┐│
+//	v      v   v  v    vv
+//	key = {k = 1, k2 = 2}
 func (enc *Encoder) writeKeyValue(key Key, val reflect.Value, inline bool) {
 	if len(key) == 0 {
 		encPanic(errNoKey)
@@ -675,13 +719,25 @@ func encPanic(err error) {
 	panic(tomlEncodeError{err})
 }

+// Resolve any level of pointers to the actual value (e.g. **string → string).
 func eindirect(v reflect.Value) reflect.Value {
-	switch v.Kind() {
-	case reflect.Ptr, reflect.Interface:
-		return eindirect(v.Elem())
-	default:
+	if v.Kind() != reflect.Ptr && v.Kind() != reflect.Interface {
+		if isMarshaler(v) {
+			return v
+		}
+		if v.CanAddr() { /// Special case for marshalers; see #358.
+			if pv := v.Addr(); isMarshaler(pv) {
+				return pv
+			}
+		}
 		return v
 	}
+
+	if v.IsNil() {
+		return v
+	}
+
+	return eindirect(v.Elem())
 }

 func isNil(rv reflect.Value) bool {
--- a/vendor/github.com/BurntSushi/toml/error.go
+++ b/vendor/github.com/BurntSushi/toml/error.go
@@ -5,57 +5,60 @@ import (
 	"strings"
 )

-// ParseError is returned when there is an error parsing the TOML syntax.
-//
-// For example invalid syntax, duplicate keys, etc.
+// ParseError is returned when there is an error parsing the TOML syntax such as
+// invalid syntax, duplicate keys, etc.
 //
 // In addition to the error message itself, you can also print detailed location
-// information with context by using ErrorWithLocation():
+// information with context by using [ErrorWithPosition]:
 //
-//     toml: error: Key 'fruit' was already created and cannot be used as an array.
+//	toml: error: Key 'fruit' was already created and cannot be used as an array.
 //
-//     At line 4, column 2-7:
+//	At line 4, column 2-7:
 //
-//           2 | fruit = []
-//           3 |
-//           4 | [[fruit]] # Not allowed
-//                 ^^^^^
+//	      2 | fruit = []
+//	      3 |
+//	      4 | [[fruit]] # Not allowed
+//	            ^^^^^
 //
-// Furthermore, the ErrorWithUsage() can be used to print the above with some
-// more detailed usage guidance:
+// [ErrorWithUsage] can be used to print the above with some more detailed usage
+// guidance:
 //
-//    toml: error: newlines not allowed within inline tables
+//	toml: error: newlines not allowed within inline tables
 //
-//    At line 1, column 18:
+//	At line 1, column 18:
 //
-//          1 | x = [{ key = 42 #
-//                               ^
+//	      1 | x = [{ key = 42 #
+//	                           ^
 //
-//    Error help:
+//	Error help:
 //
-//      Inline tables must always be on a single line:
+//	  Inline tables must always be on a single line:
 //
-//          table = {key = 42, second = 43}
+//	      table = {key = 42, second = 43}
 //
-//      It is invalid to split them over multiple lines like so:
+//	  It is invalid to split them over multiple lines like so:
 //
-//          # INVALID
-//          table = {
-//              key    = 42,
-//              second = 43
-//          }
+//	      # INVALID
+//	      table = {
+//	          key    = 42,
+//	          second = 43
+//	      }
 //
-//      Use regular for this:
+//	  Use regular for this:
 //
-//          [table]
-//          key    = 42
-//          second = 43
+//	      [table]
+//	      key    = 42
+//	      second = 43
 type ParseError struct {
 	Message  string   // Short technical message.
 	Usage    string   // Longer message with usage guidance; may be blank.
 	Position Position // Position of the error
 	LastKey  string   // Last parsed key, may be blank.
-	Line     int      // Line the error occurred. Deprecated: use Position.
+
+	// Line the error occurred.
+	//
+	// Deprecated: use [Position].
+	Line int

 	err   error
 	input string
@@ -83,7 +86,7 @@ func (pe ParseError) Error() string {

 // ErrorWithUsage() returns the error with detailed location context.
 //
-// See the documentation on ParseError.
+// See the documentation on [ParseError].
 func (pe ParseError) ErrorWithPosition() string {
 	if pe.input == "" { // Should never happen, but just in case.
 		return pe.Error()
@@ -124,13 +127,17 @@ func (pe ParseError) ErrorWithPosition() string {
 // ErrorWithUsage() returns the error with detailed location context and usage
 // guidance.
 //
-// See the documentation on ParseError.
+// See the documentation on [ParseError].
 func (pe ParseError) ErrorWithUsage() string {
 	m := pe.ErrorWithPosition()
 	if u, ok := pe.err.(interface{ Usage() string }); ok && u.Usage() != "" {
-		return m + "Error help:\n\n    " +
-			strings.ReplaceAll(strings.TrimSpace(u.Usage()), "\n", "\n    ") +
-			"\n"
+		lines := strings.Split(strings.TrimSpace(u.Usage()), "\n")
+		for i := range lines {
+			if lines[i] != "" {
+				lines[i] = "    " + lines[i]
+			}
+		}
+		return m + "Error help:\n\n" + strings.Join(lines, "\n") + "\n"
 	}
 	return m
 }
@@ -160,6 +167,11 @@ type (
 	errLexInvalidDate   struct{ v string }
 	errLexInlineTableNL struct{}
 	errLexStringNL      struct{}
+	errParseRange       struct {
+		i    interface{} // int or float
+		size string      // "int64", "uint16", etc.
+	}
+	errParseDuration struct{ d string }
 )

 func (e errLexControl) Error() string {
@@ -179,6 +191,10 @@ func (e errLexInlineTableNL) Error() string { return "newlines not allowed withi
 func (e errLexInlineTableNL) Usage() string { return usageInlineNewline }
 func (e errLexStringNL) Error() string      { return "strings cannot contain newlines" }
 func (e errLexStringNL) Usage() string      { return usageStringNewline }
+func (e errParseRange) Error() string       { return fmt.Sprintf("%v is out of range for %s", e.i, e.size) }
+func (e errParseRange) Usage() string       { return usageIntOverflow }
+func (e errParseDuration) Error() string    { return fmt.Sprintf("invalid duration: %q", e.d) }
+func (e errParseDuration) Usage() string    { return usageDuration }

 const usageEscape = `
 A '\' inside a "-delimited string is interpreted as an escape character.
@@ -227,3 +243,37 @@ Instead use """ or ''' to split strings over multiple lines:
    string = """Hello,
    world!"""
 `
+
+const usageIntOverflow = `
+This number is too large; this may be an error in the TOML, but it can also be a
+bug in the program that uses too small of an integer.
+
+The maximum and minimum values are:
+
+    size   │ lowest         │ highest
+    ───────┼────────────────┼──────────
+    int8   │ -128           │ 127
+    int16  │ -32,768        │ 32,767
+    int32  │ -2,147,483,648 │ 2,147,483,647
+    int64  │ -9.2 × 10¹⁷    │ 9.2 × 10¹⁷
+    uint8  │ 0              │ 255
+    uint16 │ 0              │ 65535
+    uint32 │ 0              │ 4294967295
+    uint64 │ 0              │ 1.8 × 10¹⁸
+
+int refers to int32 on 32-bit systems and int64 on 64-bit systems.
+`
+
+const usageDuration = `
+A duration must be as "number<unit>", without any spaces. Valid units are:
+
+    ns         nanoseconds (billionth of a second)
+    us, µs     microseconds (millionth of a second)
+    ms         milliseconds (thousands of a second)
+    s          seconds
+    m          minutes
+    h          hours
+
+You can combine multiple units; for example "5m10s" for 5 minutes and 10
+seconds.
+`
--- a/vendor/github.com/BurntSushi/toml/go.mod
+++ b/vendor/github.com/BurntSushi/toml/go.mod
@@ -1,3 +0,0 @@
-module github.com/BurntSushi/toml
-
-go 1.16
--- a/vendor/github.com/BurntSushi/toml/lex.go
+++ b/vendor/github.com/BurntSushi/toml/lex.go
@@ -82,7 +82,7 @@ func (lx *lexer) nextItem() item {
 			return item
 		default:
 			lx.state = lx.state(lx)
-			//fmt.Printf("     STATE %-24s  current: %-10q	stack: %s\n", lx.state, lx.current(), lx.stack)
+			//fmt.Printf("     STATE %-24s  current: %-10s	stack: %s\n", lx.state, lx.current(), lx.stack)
 		}
 	}
 }
@@ -128,6 +128,11 @@ func (lx lexer) getPos() Position {
 }

 func (lx *lexer) emit(typ itemType) {
+	// Needed for multiline strings ending with an incomplete UTF-8 sequence.
+	if lx.start > lx.pos {
+		lx.error(errLexUTF8{lx.input[lx.pos]})
+		return
+	}
 	lx.items <- item{typ: typ, pos: lx.getPos(), val: lx.current()}
 	lx.start = lx.pos
 }
@@ -711,7 +716,17 @@ func lexMultilineString(lx *lexer) stateFn {
 				if lx.peek() == '"' {
 					/// Check if we already lexed 5 's; if so we have 6 now, and
 					/// that's just too many man!
-					if strings.HasSuffix(lx.current(), `"""""`) {
+					///
+					/// Second check is for the edge case:
+					///
+					///            two quotes allowed.
+					///            vv
+					///   """lol \""""""
+					///          ^^  ^^^---- closing three
+					///     escaped
+					///
+					/// But ugly, but it works
+					if strings.HasSuffix(lx.current(), `"""""`) && !strings.HasSuffix(lx.current(), `\"""""`) {
 						return lx.errorf(`unexpected '""""""'`)
 					}
 					lx.backup()
@@ -756,7 +771,7 @@ func lexRawString(lx *lexer) stateFn {
 }

 // lexMultilineRawString consumes a raw string. Nothing can be escaped in such
-// a string. It assumes that the beginning "'''" has already been consumed and
+// a string. It assumes that the beginning ''' has already been consumed and
 // ignored.
 func lexMultilineRawString(lx *lexer) stateFn {
 	r := lx.next()
@@ -802,8 +817,7 @@ func lexMultilineRawString(lx *lexer) stateFn {
 // lexMultilineStringEscape consumes an escaped character. It assumes that the
 // preceding '\\' has already been consumed.
 func lexMultilineStringEscape(lx *lexer) stateFn {
-	// Handle the special case first:
-	if isNL(lx.next()) {
+	if isNL(lx.next()) { /// \ escaping newline.
 		return lexMultilineString
 	}
 	lx.backup()
--- a/vendor/github.com/BurntSushi/toml/meta.go
+++ b/vendor/github.com/BurntSushi/toml/meta.go
@@ -12,10 +12,11 @@ import (
 type MetaData struct {
 	context Key // Used only during decoding.

+	keyInfo map[string]keyInfo
 	mapping map[string]interface{}
-	types   map[string]tomlType
 	keys    []Key
 	decoded map[string]struct{}
+	data    []byte // Input file; for errors.
 }

 // IsDefined reports if the key exists in the TOML data.
@@ -50,8 +51,8 @@ func (md *MetaData) IsDefined(key ...string) bool {
 // Type will return the empty string if given an empty key or a key that does
 // not exist. Keys are case sensitive.
 func (md *MetaData) Type(key ...string) string {
-	if typ, ok := md.types[Key(key).String()]; ok {
-		return typ.typeString()
+	if ki, ok := md.keyInfo[Key(key).String()]; ok {
+		return ki.tomlType.typeString()
 	}
 	return ""
 }
@@ -70,7 +71,7 @@ func (md *MetaData) Keys() []Key {
 // Undecoded returns all keys that have not been decoded in the order in which
 // they appear in the original TOML document.
 //
-// This includes keys that haven't been decoded because of a Primitive value.
+// This includes keys that haven't been decoded because of a [Primitive] value.
 // Once the Primitive value is decoded, the keys will be considered decoded.
 //
 // Also note that decoding into an empty interface will result in no decoding,
@@ -88,7 +89,7 @@ func (md *MetaData) Undecoded() []Key {
 	return undecoded
 }

-// Key represents any TOML key, including key groups. Use (MetaData).Keys to get
+// Key represents any TOML key, including key groups. Use [MetaData.Keys] to get
 // values of this type.
 type Key []string

--- a/vendor/github.com/BurntSushi/toml/parse.go
+++ b/vendor/github.com/BurntSushi/toml/parse.go
@@ -16,12 +16,18 @@ type parser struct {
 	currentKey string   // Base key name for everything except hashes.
 	pos        Position // Current position in the TOML file.

-	ordered   []Key                  // List of keys in the order that they appear in the TOML data.
+	ordered []Key // List of keys in the order that they appear in the TOML data.
+
+	keyInfo   map[string]keyInfo     // Map keyname → info about the TOML key.
 	mapping   map[string]interface{} // Map keyname → key value.
-	types     map[string]tomlType    // Map keyname → TOML type.
 	implicits map[string]struct{}    // Record implicit keys (e.g. "key.group.names").
 }

+type keyInfo struct {
+	pos      Position
+	tomlType tomlType
+}
+
 func parse(data string) (p *parser, err error) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -57,8 +63,8 @@ func parse(data string) (p *parser, err error) {
 	}

 	p = &parser{
+		keyInfo:   make(map[string]keyInfo),
 		mapping:   make(map[string]interface{}),
-		types:     make(map[string]tomlType),
 		lx:        lex(data),
 		ordered:   make([]Key, 0),
 		implicits: make(map[string]struct{}),
@@ -74,6 +80,15 @@ func parse(data string) (p *parser, err error) {
 	return p, nil
 }

+func (p *parser) panicErr(it item, err error) {
+	panic(ParseError{
+		err:      err,
+		Position: it.pos,
+		Line:     it.pos.Len,
+		LastKey:  p.current(),
+	})
+}
+
 func (p *parser) panicItemf(it item, format string, v ...interface{}) {
 	panic(ParseError{
 		Message:  fmt.Sprintf(format, v...),
@@ -94,7 +109,7 @@ func (p *parser) panicf(format string, v ...interface{}) {

 func (p *parser) next() item {
 	it := p.lx.nextItem()
-	//fmt.Printf("ITEM %-18s line %-3d │ %q\n", it.typ, it.line, it.val)
+	//fmt.Printf("ITEM %-18s line %-3d │ %q\n", it.typ, it.pos.Line, it.val)
 	if it.typ == itemError {
 		if it.err != nil {
 			panic(ParseError{
@@ -146,7 +161,7 @@ func (p *parser) topLevel(item item) {
 		p.assertEqual(itemTableEnd, name.typ)

 		p.addContext(key, false)
-		p.setType("", tomlHash)
+		p.setType("", tomlHash, item.pos)
 		p.ordered = append(p.ordered, key)
 	case itemArrayTableStart: // [[ .. ]]
 		name := p.nextPos()
@@ -158,7 +173,7 @@ func (p *parser) topLevel(item item) {
 		p.assertEqual(itemArrayTableEnd, name.typ)

 		p.addContext(key, true)
-		p.setType("", tomlArrayHash)
+		p.setType("", tomlArrayHash, item.pos)
 		p.ordered = append(p.ordered, key)
 	case itemKeyStart: // key = ..
 		outerContext := p.context
@@ -181,8 +196,9 @@ func (p *parser) topLevel(item item) {
 		}

 		/// Set value.
-		val, typ := p.value(p.next(), false)
-		p.set(p.currentKey, val, typ)
+		vItem := p.next()
+		val, typ := p.value(vItem, false)
+		p.set(p.currentKey, val, typ, vItem.pos)
 		p.ordered = append(p.ordered, p.context.add(p.currentKey))

 		/// Remove the context we added (preserving any context from [tbl] lines).
@@ -220,7 +236,7 @@ func (p *parser) value(it item, parentIsArray bool) (interface{}, tomlType) {
 	case itemString:
 		return p.replaceEscapes(it, it.val), p.typeOfPrimitive(it)
 	case itemMultilineString:
-		return p.replaceEscapes(it, stripFirstNewline(stripEscapedNewlines(it.val))), p.typeOfPrimitive(it)
+		return p.replaceEscapes(it, stripFirstNewline(p.stripEscapedNewlines(it.val))), p.typeOfPrimitive(it)
 	case itemRawString:
 		return it.val, p.typeOfPrimitive(it)
 	case itemRawMultilineString:
@@ -266,7 +282,7 @@ func (p *parser) valueInteger(it item) (interface{}, tomlType) {
 		// So mark the former as a bug but the latter as a legitimate user
 		// error.
 		if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange {
-			p.panicItemf(it, "Integer '%s' is out of the range of 64-bit signed integers.", it.val)
+			p.panicErr(it, errParseRange{i: it.val, size: "int64"})
 		} else {
 			p.bug("Expected integer value, but got '%s'.", it.val)
 		}
@@ -304,7 +320,7 @@ func (p *parser) valueFloat(it item) (interface{}, tomlType) {
 	num, err := strconv.ParseFloat(val, 64)
 	if err != nil {
 		if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange {
-			p.panicItemf(it, "Float '%s' is out of the range of 64-bit IEEE-754 floating-point numbers.", it.val)
+			p.panicErr(it, errParseRange{i: it.val, size: "float64"})
 		} else {
 			p.panicItemf(it, "Invalid float value: %q", it.val)
 		}
@@ -343,9 +359,8 @@ func (p *parser) valueDatetime(it item) (interface{}, tomlType) {
 }

 func (p *parser) valueArray(it item) (interface{}, tomlType) {
-	p.setType(p.currentKey, tomlArray)
+	p.setType(p.currentKey, tomlArray, it.pos)

-	// p.setType(p.currentKey, typ)
 	var (
 		types []tomlType

@@ -414,7 +429,7 @@ func (p *parser) valueInlineTable(it item, parentIsArray bool) (interface{}, tom

 		/// Set the value.
 		val, typ := p.value(p.next(), false)
-		p.set(p.currentKey, val, typ)
+		p.set(p.currentKey, val, typ, it.pos)
 		p.ordered = append(p.ordered, p.context.add(p.currentKey))
 		hash[p.currentKey] = val

@@ -533,9 +548,10 @@ func (p *parser) addContext(key Key, array bool) {
 }

 // set calls setValue and setType.
-func (p *parser) set(key string, val interface{}, typ tomlType) {
+func (p *parser) set(key string, val interface{}, typ tomlType, pos Position) {
 	p.setValue(key, val)
-	p.setType(key, typ)
+	p.setType(key, typ, pos)
+
 }

 // setValue sets the given key to the given value in the current context.
@@ -599,7 +615,7 @@ func (p *parser) setValue(key string, value interface{}) {
 //
 // Note that if `key` is empty, then the type given will be applied to the
 // current context (which is either a table or an array of tables).
-func (p *parser) setType(key string, typ tomlType) {
+func (p *parser) setType(key string, typ tomlType, pos Position) {
 	keyContext := make(Key, 0, len(p.context)+1)
 	keyContext = append(keyContext, p.context...)
 	if len(key) > 0 { // allow type setting for hashes
@@ -611,7 +627,7 @@ func (p *parser) setType(key string, typ tomlType) {
 	if len(keyContext) == 0 {
 		keyContext = Key{""}
 	}
-	p.types[keyContext.String()] = typ
+	p.keyInfo[keyContext.String()] = keyInfo{tomlType: typ, pos: pos}
 }

 // Implicit keys need to be created when tables are implied in "a.b.c.d = 1" and
@@ -619,7 +635,7 @@ func (p *parser) setType(key string, typ tomlType) {
 func (p *parser) addImplicit(key Key)     { p.implicits[key.String()] = struct{}{} }
 func (p *parser) removeImplicit(key Key)  { delete(p.implicits, key.String()) }
 func (p *parser) isImplicit(key Key) bool { _, ok := p.implicits[key.String()]; return ok }
-func (p *parser) isArray(key Key) bool    { return p.types[key.String()] == tomlArray }
+func (p *parser) isArray(key Key) bool    { return p.keyInfo[key.String()].tomlType == tomlArray }
 func (p *parser) addImplicitContext(key Key) {
 	p.addImplicit(key)
 	p.addContext(key, false)
@@ -647,7 +663,7 @@ func stripFirstNewline(s string) string {
 }

 // Remove newlines inside triple-quoted strings if a line ends with "\".
-func stripEscapedNewlines(s string) string {
+func (p *parser) stripEscapedNewlines(s string) string {
 	split := strings.Split(s, "\n")
 	if len(split) < 1 {
 		return s
@@ -679,6 +695,10 @@ func stripEscapedNewlines(s string) string {
 			continue
 		}

+		if i == len(split)-1 {
+			p.panicf("invalid escape: '\\ '")
+		}
+
 		split[i] = line[:len(line)-1] // Remove \
 		if len(split)-1 > i {
 			split[i+1] = strings.TrimLeft(split[i+1], " \t\r")
@@ -706,10 +726,8 @@ func (p *parser) replaceEscapes(it item, str string) string {
 		switch s[r] {
 		default:
 			p.bug("Expected valid escape code after \\, but got %q.", s[r])
-			return ""
 		case ' ', '\t':
 			p.panicItemf(it, "invalid escape: '\\%c'", s[r])
-			return ""
 		case 'b':
 			replaced = append(replaced, rune(0x0008))
 			r += 1
--- a/vendor/github.com/Microsoft/go-winio/.gitattributes
+++ b/vendor/github.com/Microsoft/go-winio/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
--- a/vendor/github.com/Microsoft/go-winio/.gitignore
+++ b/vendor/github.com/Microsoft/go-winio/.gitignore
@@ -1 +1,10 @@
+.vscode/
+
 *.exe
+
+# testing
+testdata
+
+# go workspaces
+go.work
+go.work.sum
--- a/vendor/github.com/Microsoft/go-winio/.golangci.yml
+++ b/vendor/github.com/Microsoft/go-winio/.golangci.yml
@@ -0,0 +1,144 @@
+run:
+  skip-dirs:
+    - pkg/etw/sample
+
+linters:
+  enable:
+    # style
+    - containedctx # struct contains a context
+    - dupl # duplicate code
+    - errname # erorrs are named correctly
+    - goconst # strings that should be constants
+    - godot # comments end in a period
+    - misspell
+    - nolintlint # "//nolint" directives are properly explained
+    - revive # golint replacement
+    - stylecheck # golint replacement, less configurable than revive
+    - unconvert # unnecessary conversions
+    - wastedassign
+
+    # bugs, performance, unused, etc ...
+    - contextcheck # function uses a non-inherited context
+    - errorlint # errors not wrapped for 1.13
+    - exhaustive # check exhaustiveness of enum switch statements
+    - gofmt # files are gofmt'ed
+    - gosec # security
+    - nestif # deeply nested ifs
+    - nilerr # returns nil even with non-nil error
+    - prealloc # slices that can be pre-allocated
+    - structcheck # unused struct fields
+    - unparam # unused function params
+
+issues:
+  exclude-rules:
+    # err is very often shadowed in nested scopes
+    - linters:
+        - govet
+      text: '^shadow: declaration of "err" shadows declaration'
+
+    # ignore long lines for skip autogen directives
+    - linters:
+        - revive
+      text: "^line-length-limit: "
+      source: "^//(go:generate|sys) "
+
+    # allow unjustified ignores of error checks in defer statements
+    - linters:
+        - nolintlint
+      text: "^directive `//nolint:errcheck` should provide explanation"
+      source: '^\s*defer '
+
+    # allow unjustified ignores of error lints for io.EOF
+    - linters:
+        - nolintlint
+      text: "^directive `//nolint:errorlint` should provide explanation"
+      source: '[=|!]= io.EOF'
+
+
+linters-settings:
+  govet:
+    enable-all: true
+    disable:
+      # struct order is often for Win32 compat
+      # also, ignore pointer bytes/GC issues for now until performance becomes an issue
+      - fieldalignment
+    check-shadowing: true
+  nolintlint:
+    allow-leading-space: false
+    require-explanation: true
+    require-specific: true
+  revive:
+    # revive is more configurable than static check, so likely the preferred alternative to static-check
+    # (once the perf issue is solved: https://github.com/golangci/golangci-lint/issues/2997)
+    enable-all-rules:
+      true
+      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md
+    rules:
+      # rules with required arguments
+      - name: argument-limit
+        disabled: true
+      - name: banned-characters
+        disabled: true
+      - name: cognitive-complexity
+        disabled: true
+      - name: cyclomatic
+        disabled: true
+      - name: file-header
+        disabled: true
+      - name: function-length
+        disabled: true
+      - name: function-result-limit
+        disabled: true
+      - name: max-public-structs
+        disabled: true
+      # geneally annoying rules
+      - name: add-constant # complains about any and all strings and integers
+        disabled: true
+      - name: confusing-naming # we frequently use "Foo()" and "foo()" together
+        disabled: true
+      - name: flag-parameter # excessive, and a common idiom we use
+        disabled: true
+      # general config
+      - name: line-length-limit
+        arguments:
+          - 140
+      - name: var-naming
+        arguments:
+          - []
+          - - CID
+            - CRI
+            - CTRD
+            - DACL
+            - DLL
+            - DOS
+            - ETW
+            - FSCTL
+            - GCS
+            - GMSA
+            - HCS
+            - HV
+            - IO
+            - LCOW
+            - LDAP
+            - LPAC
+            - LTSC
+            - MMIO
+            - NT
+            - OCI
+            - PMEM
+            - PWSH
+            - RX
+            - SACl
+            - SID
+            - SMB
+            - TX
+            - VHD
+            - VHDX
+            - VMID
+            - VPCI
+            - WCOW
+            - WIM
+  stylecheck:
+    checks:
+      - "all"
+      - "-ST1003" # use revive's var naming
--- a/vendor/github.com/Microsoft/go-winio/README.md
+++ b/vendor/github.com/Microsoft/go-winio/README.md
@@ -13,16 +13,60 @@ Please see the LICENSE file for licensing information.

 ## Contributing

-This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA)
-declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
+This project welcomes contributions and suggestions.
+Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that
+you have the right to, and actually do, grant us the rights to use your contribution.
+For details, visit [Microsoft CLA](https://cla.microsoft.com).

-When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR
-appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
+When you submit a pull request, a CLA-bot will automatically determine whether you need to
+provide a CLA and decorate the PR appropriately (e.g., label, comment).
+Simply follow the instructions provided by the bot.
+You will only need to do this once across all repos using our CLA.

-We also require that contributors sign their commits using git commit -s or git commit --signoff to certify they either authored the work themselves
-or otherwise have permission to use it in this project. Please see https://developercertificate.org/ for more info, as well as to make sure that you can
-attest to the rules listed. Our CI uses the DCO Github app to ensure that all commits in a given PR are signed-off.
+Additionally, the pull request pipeline requires the following steps to be performed before
+mergining.

+### Code Sign-Off
+
+We require that contributors sign their commits using [`git commit --signoff`][git-commit-s]
+to certify they either authored the work themselves or otherwise have permission to use it in this project.
+
+A range of commits can be signed off using [`git rebase --signoff`][git-rebase-s].
+
+Please see [the developer certificate](https://developercertificate.org) for more info,
+as well as to make sure that you can attest to the rules listed.
+Our CI uses the DCO Github app to ensure that all commits in a given PR are signed-off.
+
+### Linting
+
+Code must pass a linting stage, which uses [`golangci-lint`][lint].
+The linting settings are stored in [`.golangci.yaml`](./.golangci.yaml), and can be run
+automatically with VSCode by adding the following to your workspace or folder settings:
+
+```json
+    "go.lintTool": "golangci-lint",
+    "go.lintOnSave": "package",
+```
+
+Additional editor [integrations options are also available][lint-ide].
+
+Alternatively, `golangci-lint` can be [installed locally][lint-install] and run from the repo root:
+
+```shell
+# use . or specify a path to only lint a package
+# to show all lint errors, use flags "--max-issues-per-linter=0 --max-same-issues=0"
+> golangci-lint run ./...
+```
+
+### Go Generate
+
+The pipeline checks that auto-generated code, via `go generate`, are up to date.
+
+This can be done for the entire repo:
+
+```shell
+> go generate ./...
+```

 ## Code of Conduct

@@ -30,8 +74,16 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope
 For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
 contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

-
-
 ## Special Thanks
-Thanks to natefinch for the inspiration for this library. See https://github.com/natefinch/npipe
-for another named pipe implementation.
+
+Thanks to [natefinch][natefinch] for the inspiration for this library.
+See [npipe](https://github.com/natefinch/npipe) for another named pipe implementation.
+
+[lint]: https://golangci-lint.run/
+[lint-ide]: https://golangci-lint.run/usage/integrations/#editor-integration
+[lint-install]: https://golangci-lint.run/usage/install/#local-installation
+
+[git-commit-s]: https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s
+[git-rebase-s]: https://git-scm.com/docs/git-rebase#Documentation/git-rebase.txt---signoff
+
+[natefinch]: https://github.com/natefinch
--- a/vendor/github.com/Microsoft/go-winio/SECURITY.md
+++ b/vendor/github.com/Microsoft/go-winio/SECURITY.md
@@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.7 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->
--- a/vendor/github.com/Microsoft/go-winio/backup.go
+++ b/vendor/github.com/Microsoft/go-winio/backup.go
@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows

 package winio
@@ -7,11 +8,12 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"runtime"
 	"syscall"
 	"unicode/utf16"
+
+	"golang.org/x/sys/windows"
 )

 //sys backupRead(h syscall.Handle, b []byte, bytesRead *uint32, abort bool, processSecurity bool, context *uintptr) (err error) = BackupRead
@@ -24,7 +26,7 @@ const (
 	BackupAlternateData
 	BackupLink
 	BackupPropertyData
-	BackupObjectId
+	BackupObjectId //revive:disable-line:var-naming ID, not Id
 	BackupReparseData
 	BackupSparseBlock
 	BackupTxfsData
@@ -34,14 +36,16 @@ const (
 	StreamSparseAttributes = uint32(8)
 )

+//nolint:revive // var-naming: ALL_CAPS
 const (
-	WRITE_DAC              = 0x40000
-	WRITE_OWNER            = 0x80000
-	ACCESS_SYSTEM_SECURITY = 0x1000000
+	WRITE_DAC              = windows.WRITE_DAC
+	WRITE_OWNER            = windows.WRITE_OWNER
+	ACCESS_SYSTEM_SECURITY = windows.ACCESS_SYSTEM_SECURITY
 )

 // BackupHeader represents a backup stream of a file.
 type BackupHeader struct {
+	//revive:disable-next-line:var-naming ID, not Id
 	Id         uint32 // The backup stream ID
 	Attributes uint32 // Stream attributes
 	Size       int64  // The size of the stream in bytes
@@ -49,8 +53,8 @@ type BackupHeader struct {
 	Offset     int64  // The offset of the stream in the file (for BackupSparseBlock only).
 }

-type win32StreamId struct {
-	StreamId   uint32
+type win32StreamID struct {
+	StreamID   uint32
 	Attributes uint32
 	Size       uint64
 	NameSize   uint32
@@ -71,7 +75,7 @@ func NewBackupStreamReader(r io.Reader) *BackupStreamReader {
 // Next returns the next backup stream and prepares for calls to Read(). It skips the remainder of the current stream if
 // it was not completely read.
 func (r *BackupStreamReader) Next() (*BackupHeader, error) {
-	if r.bytesLeft > 0 {
+	if r.bytesLeft > 0 { //nolint:nestif // todo: flatten this
 		if s, ok := r.r.(io.Seeker); ok {
 			// Make sure Seek on io.SeekCurrent sometimes succeeds
 			// before trying the actual seek.
@@ -82,16 +86,16 @@ func (r *BackupStreamReader) Next() (*BackupHeader, error) {
 				r.bytesLeft = 0
 			}
 		}
-		if _, err := io.Copy(ioutil.Discard, r); err != nil {
+		if _, err := io.Copy(io.Discard, r); err != nil {
 			return nil, err
 		}
 	}
-	var wsi win32StreamId
+	var wsi win32StreamID
 	if err := binary.Read(r.r, binary.LittleEndian, &wsi); err != nil {
 		return nil, err
 	}
 	hdr := &BackupHeader{
-		Id:         wsi.StreamId,
+		Id:         wsi.StreamID,
 		Attributes: wsi.Attributes,
 		Size:       int64(wsi.Size),
 	}
@@ -102,7 +106,7 @@ func (r *BackupStreamReader) Next() (*BackupHeader, error) {
 		}
 		hdr.Name = syscall.UTF16ToString(name)
 	}
-	if wsi.StreamId == BackupSparseBlock {
+	if wsi.StreamID == BackupSparseBlock {
 		if err := binary.Read(r.r, binary.LittleEndian, &hdr.Offset); err != nil {
 			return nil, err
 		}
@@ -147,8 +151,8 @@ func (w *BackupStreamWriter) WriteHeader(hdr *BackupHeader) error {
 		return fmt.Errorf("missing %d bytes", w.bytesLeft)
 	}
 	name := utf16.Encode([]rune(hdr.Name))
-	wsi := win32StreamId{
-		StreamId:   hdr.Id,
+	wsi := win32StreamID{
+		StreamID:   hdr.Id,
 		Attributes: hdr.Attributes,
 		Size:       uint64(hdr.Size),
 		NameSize:   uint32(len(name) * 2),
@@ -203,7 +207,7 @@ func (r *BackupFileReader) Read(b []byte) (int, error) {
 	var bytesRead uint32
 	err := backupRead(syscall.Handle(r.f.Fd()), b, &bytesRead, false, r.includeSecurity, &r.ctx)
 	if err != nil {
-		return 0, &os.PathError{"BackupRead", r.f.Name(), err}
+		return 0, &os.PathError{Op: "BackupRead", Path: r.f.Name(), Err: err}
 	}
 	runtime.KeepAlive(r.f)
 	if bytesRead == 0 {
@@ -216,7 +220,7 @@ func (r *BackupFileReader) Read(b []byte) (int, error) {
 // the underlying file.
 func (r *BackupFileReader) Close() error {
 	if r.ctx != 0 {
-		backupRead(syscall.Handle(r.f.Fd()), nil, nil, true, false, &r.ctx)
+		_ = backupRead(syscall.Handle(r.f.Fd()), nil, nil, true, false, &r.ctx)
 		runtime.KeepAlive(r.f)
 		r.ctx = 0
 	}
@@ -242,7 +246,7 @@ func (w *BackupFileWriter) Write(b []byte) (int, error) {
 	var bytesWritten uint32
 	err := backupWrite(syscall.Handle(w.f.Fd()), b, &bytesWritten, false, w.includeSecurity, &w.ctx)
 	if err != nil {
-		return 0, &os.PathError{"BackupWrite", w.f.Name(), err}
+		return 0, &os.PathError{Op: "BackupWrite", Path: w.f.Name(), Err: err}
 	}
 	runtime.KeepAlive(w.f)
 	if int(bytesWritten) != len(b) {
@@ -255,7 +259,7 @@ func (w *BackupFileWriter) Write(b []byte) (int, error) {
 // close the underlying file.
 func (w *BackupFileWriter) Close() error {
 	if w.ctx != 0 {
-		backupWrite(syscall.Handle(w.f.Fd()), nil, nil, true, false, &w.ctx)
+		_ = backupWrite(syscall.Handle(w.f.Fd()), nil, nil, true, false, &w.ctx)
 		runtime.KeepAlive(w.f)
 		w.ctx = 0
 	}
@@ -271,7 +275,13 @@ func OpenForBackup(path string, access uint32, share uint32, createmode uint32)
 	if err != nil {
 		return nil, err
 	}
-	h, err := syscall.CreateFile(&winPath[0], access, share, nil, createmode, syscall.FILE_FLAG_BACKUP_SEMANTICS|syscall.FILE_FLAG_OPEN_REPARSE_POINT, 0)
+	h, err := syscall.CreateFile(&winPath[0],
+		access,
+		share,
+		nil,
+		createmode,
+		syscall.FILE_FLAG_BACKUP_SEMANTICS|syscall.FILE_FLAG_OPEN_REPARSE_POINT,
+		0)
 	if err != nil {
 		err = &os.PathError{Op: "open", Path: path, Err: err}
 		return nil, err
--- a/vendor/github.com/Microsoft/go-winio/backuptar/noop.go
+++ b/vendor/github.com/Microsoft/go-winio/backuptar/noop.go
@@ -1,4 +1,3 @@
-// +build !windows
 // This file only exists to allow go get on non-Windows platforms.

 package backuptar
--- a/vendor/github.com/Microsoft/go-winio/backuptar/strconv.go
+++ b/vendor/github.com/Microsoft/go-winio/backuptar/strconv.go
@@ -1,3 +1,5 @@
+//go:build windows
+
 package backuptar

 import (
--- a/vendor/github.com/Microsoft/go-winio/backuptar/tar.go
+++ b/vendor/github.com/Microsoft/go-winio/backuptar/tar.go
@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows

 package backuptar
@@ -7,7 +8,6 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -18,17 +18,18 @@ import (
 	"golang.org/x/sys/windows"
 )

+//nolint:deadcode,varcheck // keep unused constants for potential future use
 const (
-	c_ISUID  = 04000   // Set uid
-	c_ISGID  = 02000   // Set gid
-	c_ISVTX  = 01000   // Save text (sticky bit)
-	c_ISDIR  = 040000  // Directory
-	c_ISFIFO = 010000  // FIFO
-	c_ISREG  = 0100000 // Regular file
-	c_ISLNK  = 0120000 // Symbolic link
-	c_ISBLK  = 060000  // Block special file
-	c_ISCHR  = 020000  // Character special file
-	c_ISSOCK = 0140000 // Socket
+	cISUID  = 0004000 // Set uid
+	cISGID  = 0002000 // Set gid
+	cISVTX  = 0001000 // Save text (sticky bit)
+	cISDIR  = 0040000 // Directory
+	cISFIFO = 0010000 // FIFO
+	cISREG  = 0100000 // Regular file
+	cISLNK  = 0120000 // Symbolic link
+	cISBLK  = 0060000 // Block special file
+	cISCHR  = 0020000 // Character special file
+	cISSOCK = 0140000 // Socket
 )

 const (
@@ -44,7 +45,7 @@ const (
 // zeroReader is an io.Reader that always returns 0s.
 type zeroReader struct{}

-func (zr zeroReader) Read(b []byte) (int, error) {
+func (zeroReader) Read(b []byte) (int, error) {
 	for i := range b {
 		b[i] = 0
 	}
@@ -55,7 +56,7 @@ func copySparse(t *tar.Writer, br *winio.BackupStreamReader) error {
 	curOffset := int64(0)
 	for {
 		bhdr, err := br.Next()
-		if err == io.EOF {
+		if err == io.EOF { //nolint:errorlint
 			err = io.ErrUnexpectedEOF
 		}
 		if err != nil {
@@ -71,8 +72,8 @@ func copySparse(t *tar.Writer, br *winio.BackupStreamReader) error {
 		}
 		// archive/tar does not support writing sparse files
 		// so just write zeroes to catch up to the current offset.
-		if _, err := io.CopyN(t, zeroReader{}, bhdr.Offset-curOffset); err != nil {
-			return fmt.Errorf("seek to offset %d: %s", bhdr.Offset, err)
+		if _, err = io.CopyN(t, zeroReader{}, bhdr.Offset-curOffset); err != nil {
+			return fmt.Errorf("seek to offset %d: %w", bhdr.Offset, err)
 		}
 		if bhdr.Size == 0 {
 			// A sparse block with size = 0 is used to mark the end of the sparse blocks.
@@ -106,24 +107,84 @@ func BasicInfoHeader(name string, size int64, fileInfo *winio.FileBasicInfo) *ta
 	hdr.PAXRecords[hdrCreationTime] = formatPAXTime(time.Unix(0, fileInfo.CreationTime.Nanoseconds()))

 	if (fileInfo.FileAttributes & syscall.FILE_ATTRIBUTE_DIRECTORY) != 0 {
-		hdr.Mode |= c_ISDIR
+		hdr.Mode |= cISDIR
 		hdr.Size = 0
 		hdr.Typeflag = tar.TypeDir
 	}
 	return hdr
 }

+// SecurityDescriptorFromTarHeader reads the SDDL associated with the header of the current file
+// from the tar header and returns the security descriptor into a byte slice.
+func SecurityDescriptorFromTarHeader(hdr *tar.Header) ([]byte, error) {
+	if sdraw, ok := hdr.PAXRecords[hdrRawSecurityDescriptor]; ok {
+		sd, err := base64.StdEncoding.DecodeString(sdraw)
+		if err != nil {
+			// Not returning sd as-is in the error-case, as base64.DecodeString
+			// may return partially decoded data (not nil or empty slice) in case
+			// of a failure: https://github.com/golang/go/blob/go1.17.7/src/encoding/base64/base64.go#L382-L387
+			return nil, err
+		}
+		return sd, nil
+	}
+	// Maintaining old SDDL-based behavior for backward compatibility. All new
+	// tar headers written by this library will have raw binary for the security
+	// descriptor.
+	if sddl, ok := hdr.PAXRecords[hdrSecurityDescriptor]; ok {
+		return winio.SddlToSecurityDescriptor(sddl)
+	}
+	return nil, nil
+}
+
+// ExtendedAttributesFromTarHeader reads the EAs associated with the header of the
+// current file from the tar header and returns it as a byte slice.
+func ExtendedAttributesFromTarHeader(hdr *tar.Header) ([]byte, error) {
+	var eas []winio.ExtendedAttribute //nolint:prealloc // len(eas) <= len(hdr.PAXRecords); prealloc is wasteful
+	for k, v := range hdr.PAXRecords {
+		if !strings.HasPrefix(k, hdrEaPrefix) {
+			continue
+		}
+		data, err := base64.StdEncoding.DecodeString(v)
+		if err != nil {
+			return nil, err
+		}
+		eas = append(eas, winio.ExtendedAttribute{
+			Name:  k[len(hdrEaPrefix):],
+			Value: data,
+		})
+	}
+	var eaData []byte
+	var err error
+	if len(eas) != 0 {
+		eaData, err = winio.EncodeExtendedAttributes(eas)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return eaData, nil
+}
+
+// EncodeReparsePointFromTarHeader reads the ReparsePoint structure from the tar header
+// and encodes it into a byte slice. The file for which this function is called must be a
+// symlink.
+func EncodeReparsePointFromTarHeader(hdr *tar.Header) []byte {
+	_, isMountPoint := hdr.PAXRecords[hdrMountPoint]
+	rp := winio.ReparsePoint{
+		Target:       filepath.FromSlash(hdr.Linkname),
+		IsMountPoint: isMountPoint,
+	}
+	return winio.EncodeReparsePoint(&rp)
+}
+
 // WriteTarFileFromBackupStream writes a file to a tar writer using data from a Win32 backup stream.
 //
 // This encodes Win32 metadata as tar pax vendor extensions starting with MSWINDOWS.
 //
 // The additional Win32 metadata is:
 //
-// MSWINDOWS.fileattr: The Win32 file attributes, as a decimal value
-//
-// MSWINDOWS.rawsd: The Win32 security descriptor, in raw binary format
-//
-// MSWINDOWS.mountpoint: If present, this is a mount point and not a symlink, even though the type is '2' (symlink)
+//   - MSWINDOWS.fileattr: The Win32 file attributes, as a decimal value
+//   - MSWINDOWS.rawsd: The Win32 security descriptor, in raw binary format
+//   - MSWINDOWS.mountpoint: If present, this is a mount point and not a symlink, even though the type is '2' (symlink)
 func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size int64, fileInfo *winio.FileBasicInfo) error {
 	name = filepath.ToSlash(name)
 	hdr := BasicInfoHeader(name, size, fileInfo)
@@ -146,7 +207,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size
 	var dataHdr *winio.BackupHeader
 	for dataHdr == nil {
 		bhdr, err := br.Next()
-		if err == io.EOF {
+		if err == io.EOF { //nolint:errorlint
 			break
 		}
 		if err != nil {
@@ -154,21 +215,21 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size
 		}
 		switch bhdr.Id {
 		case winio.BackupData:
-			hdr.Mode |= c_ISREG
+			hdr.Mode |= cISREG
 			if !readTwice {
 				dataHdr = bhdr
 			}
 		case winio.BackupSecurity:
-			sd, err := ioutil.ReadAll(br)
+			sd, err := io.ReadAll(br)
 			if err != nil {
 				return err
 			}
 			hdr.PAXRecords[hdrRawSecurityDescriptor] = base64.StdEncoding.EncodeToString(sd)

 		case winio.BackupReparseData:
-			hdr.Mode |= c_ISLNK
+			hdr.Mode |= cISLNK
 			hdr.Typeflag = tar.TypeSymlink
-			reparseBuffer, err := ioutil.ReadAll(br)
+			reparseBuffer, _ := io.ReadAll(br)
 			rp, err := winio.DecodeReparsePoint(reparseBuffer)
 			if err != nil {
 				return err
@@ -179,7 +240,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size
 			hdr.Linkname = rp.Target

 		case winio.BackupEaData:
-			eab, err := ioutil.ReadAll(br)
+			eab, err := io.ReadAll(br)
 			if err != nil {
 				return err
 			}
@@ -213,7 +274,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size
 		}
 		for dataHdr == nil {
 			bhdr, err := br.Next()
-			if err == io.EOF {
+			if err == io.EOF { //nolint:errorlint
 				break
 			}
 			if err != nil {
@@ -248,7 +309,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size
 	//     range of the file containing the range contents. Finally there is a sparse block stream with
 	//     size = 0 and offset = <file size>.

-	if dataHdr != nil {
+	if dataHdr != nil { //nolint:nestif // todo: reduce nesting complexity
 		// A data stream was found. Copy the data.
 		// We assume that we will either have a data stream size > 0 XOR have sparse block streams.
 		if dataHdr.Size > 0 || (dataHdr.Attributes&winio.StreamSparseAttributes) == 0 {
@@ -256,13 +317,13 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size
 				return fmt.Errorf("%s: mismatch between file size %d and header size %d", name, size, dataHdr.Size)
 			}
 			if _, err = io.Copy(t, br); err != nil {
-				return fmt.Errorf("%s: copying contents from data stream: %s", name, err)
+				return fmt.Errorf("%s: copying contents from data stream: %w", name, err)
 			}
 		} else if size > 0 {
 			// As of a recent OS change, BackupRead now returns a data stream for empty sparse files.
 			// These files have no sparse block streams, so skip the copySparse call if file size = 0.
 			if err = copySparse(t, br); err != nil {
-				return fmt.Errorf("%s: copying contents from sparse block stream: %s", name, err)
+				return fmt.Errorf("%s: copying contents from sparse block stream: %w", name, err)
 			}
 		}
 	}
@@ -272,7 +333,7 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size
 	// been written. In practice, this means that we don't get EA or TXF metadata.
 	for {
 		bhdr, err := br.Next()
-		if err == io.EOF {
+		if err == io.EOF { //nolint:errorlint
 			break
 		}
 		if err != nil {
@@ -280,35 +341,30 @@ func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size
 		}
 		switch bhdr.Id {
 		case winio.BackupAlternateData:
-			altName := bhdr.Name
-			if strings.HasSuffix(altName, ":$DATA") {
-				altName = altName[:len(altName)-len(":$DATA")]
-			}
-			if (bhdr.Attributes & winio.StreamSparseAttributes) == 0 {
-				hdr = &tar.Header{
-					Format:     hdr.Format,
-					Name:       name + altName,
-					Mode:       hdr.Mode,
-					Typeflag:   tar.TypeReg,
-					Size:       bhdr.Size,
-					ModTime:    hdr.ModTime,
-					AccessTime: hdr.AccessTime,
-					ChangeTime: hdr.ChangeTime,
-				}
-				err = t.WriteHeader(hdr)
-				if err != nil {
-					return err
-				}
-				_, err = io.Copy(t, br)
-				if err != nil {
-					return err
-				}
-
-			} else {
+			if (bhdr.Attributes & winio.StreamSparseAttributes) != 0 {
 				// Unsupported for now, since the size of the alternate stream is not present
 				// in the backup stream until after the data has been read.
 				return fmt.Errorf("%s: tar of sparse alternate data streams is unsupported", name)
 			}
+			altName := strings.TrimSuffix(bhdr.Name, ":$DATA")
+			hdr = &tar.Header{
+				Format:     hdr.Format,
+				Name:       name + altName,
+				Mode:       hdr.Mode,
+				Typeflag:   tar.TypeReg,
+				Size:       bhdr.Size,
+				ModTime:    hdr.ModTime,
+				AccessTime: hdr.AccessTime,
+				ChangeTime: hdr.ChangeTime,
+			}
+			err = t.WriteHeader(hdr)
+			if err != nil {
+				return err
+			}
+			_, err = io.Copy(t, br)
+			if err != nil {
+				return err
+			}
 		case winio.BackupEaData, winio.BackupLink, winio.BackupPropertyData, winio.BackupObjectId, winio.BackupTxfsData:
 			// ignore these streams
 		default:
@@ -350,7 +406,7 @@ func FileInfoFromHeader(hdr *tar.Header) (name string, size int64, fileInfo *win
 		}
 		fileInfo.CreationTime = windows.NsecToFiletime(creationTime.UnixNano())
 	}
-	return
+	return name, size, fileInfo, err
 }

 // WriteBackupStreamFromTarFile writes a Win32 backup stream from the current tar file. Since this function may process multiple
@@ -358,21 +414,10 @@ func FileInfoFromHeader(hdr *tar.Header) (name string, size int64, fileInfo *win
 // tar file that was not processed, or io.EOF is there are no more.
 func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (*tar.Header, error) {
 	bw := winio.NewBackupStreamWriter(w)
-	var sd []byte
-	var err error
-	// Maintaining old SDDL-based behavior for backward compatibility.  All new tar headers written
-	// by this library will have raw binary for the security descriptor.
-	if sddl, ok := hdr.PAXRecords[hdrSecurityDescriptor]; ok {
-		sd, err = winio.SddlToSecurityDescriptor(sddl)
-		if err != nil {
-			return nil, err
-		}
-	}
-	if sdraw, ok := hdr.PAXRecords[hdrRawSecurityDescriptor]; ok {
-		sd, err = base64.StdEncoding.DecodeString(sdraw)
-		if err != nil {
-			return nil, err
-		}
+
+	sd, err := SecurityDescriptorFromTarHeader(hdr)
+	if err != nil {
+		return nil, err
 	}
 	if len(sd) != 0 {
 		bhdr := winio.BackupHeader{
@@ -388,25 +433,12 @@ func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (
 			return nil, err
 		}
 	}
-	var eas []winio.ExtendedAttribute
-	for k, v := range hdr.PAXRecords {
-		if !strings.HasPrefix(k, hdrEaPrefix) {
-			continue
-		}
-		data, err := base64.StdEncoding.DecodeString(v)
-		if err != nil {
-			return nil, err
-		}
-		eas = append(eas, winio.ExtendedAttribute{
-			Name:  k[len(hdrEaPrefix):],
-			Value: data,
-		})
+
+	eadata, err := ExtendedAttributesFromTarHeader(hdr)
+	if err != nil {
+		return nil, err
 	}
-	if len(eas) != 0 {
-		eadata, err := winio.EncodeExtendedAttributes(eas)
-		if err != nil {
-			return nil, err
-		}
+	if len(eadata) != 0 {
 		bhdr := winio.BackupHeader{
 			Id:   winio.BackupEaData,
 			Size: int64(len(eadata)),
@@ -420,13 +452,9 @@ func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (
 			return nil, err
 		}
 	}
+
 	if hdr.Typeflag == tar.TypeSymlink {
-		_, isMountPoint := hdr.PAXRecords[hdrMountPoint]
-		rp := winio.ReparsePoint{
-			Target:       filepath.FromSlash(hdr.Linkname),
-			IsMountPoint: isMountPoint,
-		}
-		reparse := winio.EncodeReparsePoint(&rp)
+		reparse := EncodeReparsePointFromTarHeader(hdr)
 		bhdr := winio.BackupHeader{
 			Id:   winio.BackupReparseData,
 			Size: int64(len(reparse)),
@@ -440,6 +468,7 @@ func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (
 			return nil, err
 		}
 	}
+
 	if hdr.Typeflag == tar.TypeReg || hdr.Typeflag == tar.TypeRegA {
 		bhdr := winio.BackupHeader{
 			Id:   winio.BackupData,
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Compatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0).`