[release-1.15] Bump to v1.15.2

As the title says, bumping to v1.15.2 Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
[release-1.15] Fixes an interoperability issue while listing tags
2026-01-30 13:58:48 +00:00 · 2024-07-10 21:03:07 -04:00 · 2024-07-10 21:03:07 -04:00 · 2024-06-27 20:29:26 +02:00 · 2024-06-27 14:11:56 -04:00 · 2024-06-20 18:59:49 +02:00
3315 changed files with 580344 additions and 114856 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -20,23 +20,12 @@ env:
    # Save a little typing (path relative to $CIRRUS_WORKING_DIR)
    SCRIPT_BASE: "./contrib/cirrus"

-    ####
-    #### Cache-image names to test with (double-quotes around names are critical)
-    ####
-    FEDORA_NAME: "fedora-36"
-    PRIOR_FEDORA_NAME: "fedora-35"
-    UBUNTU_NAME: "ubuntu-2110"
-
    # Google-cloud VM Images
-    IMAGE_SUFFIX: "c4955393725038592"
+    IMAGE_SUFFIX: "c20240102t155643z-f39f38d13"
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
-    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
-    UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"

    # Container FQIN's
    FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
-    PRIOR_FEDORA_CONTAINER_FQIN: "quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}"
-    UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX}"

    # Built along with the standard PR-based workflow in c/automation_images
    SKOPEO_CIDEV_CONTAINER_FQIN: "quay.io/libpod/skopeo_cidev:${IMAGE_SUFFIX}"
@@ -53,17 +42,19 @@ validate_task:
    # The git-validation tool doesn't work well on branch or tag push,
    # under Cirrus-CI, due to challenges obtaining the starting commit ID.
    # Only do validation for PRs.
-    only_if: $CIRRUS_PR != ''
+    only_if: &is_pr $CIRRUS_PR != ''
    container:
        image: '${SKOPEO_CIDEV_CONTAINER_FQIN}'
        cpu: 4
        memory: 8
-    script: |
+    setup_script: |
+        make tools
+    test_script: |
        make validate-local
        make vendor && hack/tree_status.sh

 doccheck_task:
-    only_if: $CIRRUS_PR != ''
+    only_if: *is_pr
    depends_on:
      - validate
    container:
@@ -80,13 +71,39 @@ doccheck_task:
      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" build
      "${SKOPEO_PATH}/${SCRIPT_BASE}/runner.sh" doccheck

+osx_task:
+    # Don't run for docs-only builds.
+    # Also don't run on release-branches or their PRs,
+    # since base container-image is not version-constrained.
+    only_if: &not_docs_or_release_branch >-
+        ($CIRRUS_BASE_BRANCH == $CIRRUS_DEFAULT_BRANCH ||
+         $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH ) &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    depends_on:
+        - validate
+    macos_instance:
+        image: ghcr.io/cirruslabs/macos-ventura-base:latest
+    setup_script: |
+        export PATH=$GOPATH/bin:$PATH
+        brew update
+        brew install gpgme go go-md2man
+        make tools
+    test_script: |
+        export PATH=$GOPATH/bin:$PATH
+        go version
+        go env
+        make validate-local test-unit-local bin/skopeo
+        sudo make install
+        /usr/local/bin/skopeo -v
+

 cross_task:
    alias: cross
-    only_if: &not_docs $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
+    only_if: >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
    depends_on:
        - validate
-    gce_instance:
+    gce_instance: &standardvm
        image_project: libpod-218412
        zone: "us-central1-f"
        cpu: 2
@@ -103,6 +120,42 @@ cross_task:
        "${GOSRC}/${SCRIPT_BASE}/runner.sh" cross


+ostree-rs-ext_task:
+    alias: proxy_ostree_ext
+    only_if: *not_docs_or_release_branch
+    # WARNING: This task potentially performs a container image
+    # build (on change) with runtime package installs.  Therefore,
+    # its behavior can be unpredictable and potentially flake-prone.
+    # In case of emergency, uncomment the next statement to bypass.
+    #
+    # skip: $CI == "true"
+    #
+    depends_on:
+        - validate
+    # Ref: https://cirrus-ci.org/guide/docker-builder-vm/#dockerfile-as-a-ci-environment
+    container:
+        # The runtime image will be rebuilt on change
+        dockerfile: contrib/cirrus/ostree_ext.dockerfile
+        docker_arguments:  # required build-args
+            BASE_FQIN: quay.io/coreos-assembler/fcos-buildroot:testing-devel
+            CIRRUS_IMAGE_VERSION: 2
+    env:
+        EXT_REPO_NAME: ostree-rs-ext
+        EXT_REPO_HOME: $CIRRUS_WORKING_DIR/../$EXT_REPO_NAME
+        EXT_REPO: https://github.com/ostreedev/${EXT_REPO_NAME}.git
+    skopeo_build_script:
+        - dnf builddep -y skopeo
+        - make
+        - make install
+    proxy_ostree_ext_build_script:
+        - git clone --depth 1 $EXT_REPO $EXT_REPO_HOME
+        - cd $EXT_REPO_HOME
+        - cargo test --no-run
+    proxy_ostree_ext_test_script:
+        - cd $EXT_REPO_HOME
+        - cargo test -- --nocapture --quiet
+
+
 #####
 ##### NOTE: This task is subtantially duplicated in the containers/image
 ##### repository's `.cirrus.yml`.  Changes made here should be fully merged
@@ -110,7 +163,10 @@ cross_task:
 #####
 test_skopeo_task:
    alias: test_skopeo
-    only_if: *not_docs
+    # Don't test for [CI:DOCS], [CI:BUILD].
+    only_if: >-
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:BUILD.*' &&
+        $CIRRUS_CHANGE_TITLE !=~ '.*CI:DOCS.*'
    depends_on:
        - validate
    gce_instance:
@@ -155,10 +211,9 @@ meta_task:
        image: quay.io/libpod/imgts:latest
    env:
        # Space-separated list of images used by this repository state
-        IMGNAMES: >-
+        IMGNAMES: |
            ${FEDORA_CACHE_IMAGE_NAME}
-            ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
-            ${UBUNTU_CACHE_IMAGE_NAME}
+            build-push-${IMAGE_SUFFIX}
        BUILDID: "${CIRRUS_BUILD_ID}"
        REPOREF: "${CIRRUS_REPO_NAME}"
        GCPJSON: ENCRYPTED[6867b5a83e960e7c159a98fe6c8360064567a071c6f4b5e7d532283ecd870aa65c94ccd74bdaa9bf7aadac9d42e20a67]
@@ -178,7 +233,9 @@ success_task:
    depends_on:
        - validate
        - doccheck
+        - osx
        - cross
+        - proxy_ostree_ext
        - test_skopeo
        - meta
    container: *smallcontainer
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,10 +0,0 @@
-version: 2
-updates:
- package-ecosystem: gomod
-  directory: "/"
-  schedule:
-    interval: daily
-    time: "10:00"
-    timezone: Europe/Berlin
-  open-pull-requests-limit: 10
-
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -0,0 +1,52 @@
+/*
+   Renovate is a service similar to GitHub Dependabot, but with
+   (fantastically) more configuration options.  So many options
+   in fact, if you're new I recommend glossing over this cheat-sheet
+   prior to the official documentation:
+
+   https://www.augmentedmind.de/2021/07/25/renovate-bot-cheat-sheet
+
+   Configuration Update/Change Procedure:
+     1. Make changes
+     2. Manually validate changes (from repo-root):
+
+        podman run -it \
+            -v ./.github/renovate.json5:/usr/src/app/renovate.json5:z \
+            docker.io/renovate/renovate:latest \
+            renovate-config-validator
+     3. Commit.
+
+   Configuration Reference:
+   https://docs.renovatebot.com/configuration-options/
+
+   Monitoring Dashboard:
+   https://app.renovatebot.com/dashboard#github/containers
+
+   Note: The Renovate bot will create/manage it's business on
+         branches named 'renovate/*'.  Otherwise, and by
+         default, the only the copy of this file that matters
+         is the one on the `main` branch.  No other branches
+         will be monitored or touched in any way.
+*/
+
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+
+  /*************************************************
+   ****** Global/general configuration options *****
+   *************************************************/
+
+  // Re-use predefined sets of configuration options to DRY
+  "extends": [
+    // https://github.com/containers/automation/blob/main/renovate/defaults.json5
+    "github>containers/automation//renovate/defaults.json5"
+  ],
+
+  // Permit automatic rebasing when base-branch changes by more than
+  // one commit.
+  "rebaseWhen": "behind-base-branch",
+
+  /*************************************************
+   *** Repository-specific configuration options ***
+   *************************************************/
+}
--- a/.github/workflows/check_cirrus_cron.yml
+++ b/.github/workflows/check_cirrus_cron.yml
@@ -3,100 +3,18 @@
 # See also:
 # https://github.com/containers/podman/blob/main/.github/workflows/check_cirrus_cron.yml

-# Format Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
-
-# Required to un-FUBAR default ${{github.workflow}} value
-name: check_cirrus_cron
-
 on:
-    # Note: This only applies to the default branch.
-    schedule:
-        # N/B: This should correspond to a period slightly after
-        # the last job finishes running.  See job defs. at:
-        # https://cirrus-ci.com/settings/repository/6706677464432640
-        - cron:  '59 23 * * 1-5'
-    # Debug: Allow triggering job manually in github-actions WebUI
-    workflow_dispatch: {}
-
-env:
-    # Debug-mode can reveal secrets, only enable by a secret value.
-    # Ref: https://help.github.com/en/actions/configuring-and-managing-workflows/managing-a-workflow-run#enabling-step-debug-logging
-    ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'
-    # CSV listing of e-mail addresses for delivery failure or error notices
-    RCPTCSV: rh.container.bot@gmail.com,podman-monitor@lists.podman.io
-    # Filename for table of cron-name to build-id data
-    # (must be in $GITHUB_WORKSPACE/artifacts/)
-    NAME_ID_FILEPATH: './artifacts/name_id.txt'
+  # Note: This only applies to the default branch.
+  schedule:
+    # N/B: This should correspond to a period slightly after
+    # the last job finishes running.  See job defs. at:
+    # https://cirrus-ci.com/settings/repository/6706677464432640
+    - cron:  '03 03 * * 1-5'
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}

 jobs:
-    cron_failures:
-        runs-on: ubuntu-latest
-        steps:
-            - uses: actions/checkout@v2
-              with:
-                  persist-credentials: false
-
-            # Avoid duplicating cron_failures.sh in skopeo repo.
-            - uses: actions/checkout@v2
-              with:
-                  repository: containers/podman
-                  path: '_podman'
-                  persist-credentials: false
-
-            - name: Get failed cron names and Build IDs
-              id: cron
-              run: './_podman/.github/actions/${{ github.workflow }}/${{ github.job }}.sh'
-
-            - if: steps.cron.outputs.failures > 0
-              shell: bash
-              # Must be inline, since context expressions are used.
-              # Ref: https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions
-              run: |
-                set -eo pipefail
-                (
-                echo "Detected one or more Cirrus-CI cron-triggered jobs have failed recently:"
-                echo ""
-
-                while read -r NAME BID; do
-                    echo "Cron build '$NAME' Failed: https://cirrus-ci.com/build/$BID"
-                done < "$NAME_ID_FILEPATH"
-
-                echo ""
-                echo "# Source: ${{ github.workflow }} workflow on ${{ github.repository }}."
-                # Separate content from sendgrid.com automatic footer.
-                echo ""
-                echo ""
-                ) > ./artifacts/email_body.txt
-
-            - if: steps.cron.outputs.failures > 0
-              name: Send failure notification e-mail
-              # Ref: https://github.com/dawidd6/action-send-mail
-              uses: dawidd6/action-send-mail@v2.2.2
-              with:
-                server_address: ${{secrets.ACTION_MAIL_SERVER}}
-                server_port: 465
-                username: ${{secrets.ACTION_MAIL_USERNAME}}
-                password: ${{secrets.ACTION_MAIL_PASSWORD}}
-                subject: Cirrus-CI cron build failures on ${{github.repository}}
-                to: ${{env.RCPTCSV}}
-                from: ${{secrets.ACTION_MAIL_SENDER}}
-                body: file://./artifacts/email_body.txt
-
-            - if: always()
-              uses: actions/upload-artifact@v2
-              with:
-                  name: ${{ github.job }}_artifacts
-                  path: artifacts/*
-
-            - if: failure()
-              name: Send error notification e-mail
-              uses: dawidd6/action-send-mail@v2.2.2
-              with:
-                server_address: ${{secrets.ACTION_MAIL_SERVER}}
-                server_port: 465
-                username: ${{secrets.ACTION_MAIL_USERNAME}}
-                password: ${{secrets.ACTION_MAIL_PASSWORD}}
-                subject: Github workflow error on ${{github.repository}}
-                to: ${{env.RCPTCSV}}
-                from: ${{secrets.ACTION_MAIL_SENDER}}
-                body: "Job failed: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  call_cron_failures:
+    uses: containers/podman/.github/workflows/check_cirrus_cron.yml@main
+    secrets: inherit
--- a/.github/workflows/discussion_lock.yml
+++ b/.github/workflows/discussion_lock.yml
@@ -0,0 +1,20 @@
+---
+
+# See also:
+# https://github.com/containers/podman/blob/main/.github/workflows/discussion_lock.yml
+
+on:
+  schedule:
+    - cron:  '0 0 * * *'
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}
+
+jobs:
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  closed_issue_discussion_lock:
+    uses: containers/podman/.github/workflows/discussion_lock.yml@main
+    secrets: inherit
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
--- a/.github/workflows/multi-arch-build.yaml
+++ b/.github/workflows/multi-arch-build.yaml
@@ -1,209 +0,0 @@
---
-
-# Please see contrib/<reponame>image/README.md for details on the intentions
-# of this workflow.
-#
-# BIG FAT WARNING:  This workflow is duplicated across containers/skopeo,
-#                   containers/buildah, and containers/podman.  ANY AND
-#                   ALL CHANGES MADE HERE MUST BE MANUALLY DUPLICATED
-#                   TO THE OTHER REPOS.
-
-name: build multi-arch images
-
-on:
-  # Upstream tends to be very active, with many merges per day.
-  # Only run this daily via cron schedule, or manually, not by branch push.
-  schedule:
-    - cron:  '0 8 * * *'
-  # allows to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  multi:
-    name: multi-arch image build
-    env:
-      REPONAME: skopeo  # No easy way to parse this out of $GITHUB_REPOSITORY
-      # Server/namespace value used to format FQIN
-      REPONAME_QUAY_REGISTRY: quay.io/skopeo
-      CONTAINERS_QUAY_REGISTRY: quay.io/containers
-      # list of architectures for build
-      PLATFORMS: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
-      # Command to execute in container to obtain project version number
-      VERSION_CMD: "--version"  # skopeo is the entrypoint
-
-    # build several images (upstream, testing, stable) in parallel
-    strategy:
-      # By default, failure of one matrix item cancels all others
-      fail-fast: false
-      matrix:
-        # Builds are located under contrib/<reponame>image/<source> directory
-        source:
-          - upstream
-          - testing
-          - stable
-    runs-on: ubuntu-latest
-    # internal registry caches build for inspection before push
-    services:
-      registry:
-        image: quay.io/libpod/registry:2
-        ports:
-          - 5000:5000
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          driver-opts: network=host
-          install: true
-
-      - name: Build and locally push image
-        uses: docker/build-push-action@v2
-        with:
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-
-      # Simple verification that stable images work, and
-      # also grab version number use in forming the FQIN.
-      - name: amd64 container sniff test
-        if: matrix.source == 'stable'
-        id: sniff_test
-        run: |
-          podman pull --tls-verify=false \
-                            localhost:5000/$REPONAME/${{ matrix.source }}
-          VERSION_OUTPUT=$(podman run \
-                           localhost:5000/$REPONAME/${{ matrix.source }} \
-                           $VERSION_CMD)
-          echo "$VERSION_OUTPUT"
-          VERSION=$(awk -r -e "/^${REPONAME} version /"'{print $3}' <<<"$VERSION_OUTPUT")
-          test -n "$VERSION"
-          echo "::set-output name=version::$VERSION"
-
-      - name: Generate image FQIN(s) to push
-        id: reponame_reg
-        run: |
-          if [[ "${{ matrix.source }}" == 'stable' ]]; then
-            # The command version in image just built
-            VERSION='v${{ steps.sniff_test.outputs.version }}'
-            # workaround vim syntax-highlight bug: '
-            # Push both new|updated version-tag and latest-tag FQINs
-            FQIN="$REPONAME_QUAY_REGISTRY/stable:$VERSION,$REPONAME_QUAY_REGISTRY/stable:latest"
-          elif [[ "${{ matrix.source }}" == 'testing' ]]; then
-            # Assume some contents changed, always push latest testing.
-            FQIN="$REPONAME_QUAY_REGISTRY/testing:latest"
-          elif [[ "${{ matrix.source }}" == 'upstream' ]]; then
-            # Assume some contents changed, always push latest upstream.
-            FQIN="$REPONAME_QUAY_REGISTRY/upstream:latest"
-          else
-            echo "::error::Unknown matrix item '${{ matrix.source }}'"
-            exit 1
-          fi
-          echo "::warning::Pushing $FQIN"
-          echo "::set-output name=fqin::${FQIN}"
-          echo '::set-output name=push::true'
-
-      # This is substantially similar to the above logic,
-      # but only handles $CONTAINERS_QUAY_REGISTRY for
-      # the stable "latest" and named-version tagged images.
-      - name: Generate containers reg. image FQIN(s)
-        if: matrix.source == 'stable'
-        id: containers_reg
-        run: |
-          VERSION='v${{ steps.sniff_test.outputs.version }}'
-          # workaround vim syntax-highlight bug: '
-          # Push both new|updated version-tag and latest-tag FQINs
-          FQIN="$CONTAINERS_QUAY_REGISTRY/$REPONAME:$VERSION,$CONTAINERS_QUAY_REGISTRY/$REPONAME:latest"
-          echo "::warning::Pushing $FQIN"
-          echo "::set-output name=fqin::${FQIN}"
-          echo '::set-output name=push::true'
-
-      - name: Define LABELS multi-line env. var. value
-        run: |
-          # This is a really hacky/strange workflow idiom, required
-          # for setting multi-line $LABELS value for consumption in
-          # a future step.  There is literally no cleaner way to do this :<
-          # https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#multiline-strings
-          function set_labels() {
-            echo 'LABELS<<DELIMITER' >> "$GITHUB_ENV"
-            for line; do
-                echo "$line" | tee -a "$GITHUB_ENV"
-            done
-            echo "DELIMITER" >> "$GITHUB_ENV"
-          }
-
-          declare -a lines
-          lines=(\
-            "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git"
-            "org.opencontainers.image.revision=${GITHUB_SHA}"
-            "org.opencontainers.image.created=$(date -u --iso-8601=seconds)"
-          )
-
-          # Only the 'stable' matrix source obtains $VERSION
-          if [[ "${{ matrix.source }}" == "stable" ]]; then
-            lines+=(\
-              "org.opencontainers.image.version=${{ steps.sniff_test.outputs.version }}"
-            )
-          fi
-
-          set_labels "${lines[@]}"
-
-      # Separate steps to login and push for $REPONAME_QUAY_REGISTRY and
-      # $CONTAINERS_QUAY_REGISTRY are required, because 2 sets of credentials
-      # are used and namespaced within the registry.  At the same time, reuse
-      # of non-shell steps is not supported by Github Actions nor are YAML
-      # anchors/aliases, nor composite actions.
-
-      # Push to $REPONAME_QUAY_REGISTRY for stable, testing. and upstream
-      - name: Login to ${{ env.REPONAME_QUAY_REGISTRY }}
-        uses: docker/login-action@v1
-        if: steps.reponame_reg.outputs.push == 'true'
-        with:
-          registry: ${{ env.REPONAME_QUAY_REGISTRY }}
-          # N/B: Secrets are not passed to workflows that are triggered
-          #      by a pull request from a fork
-          username: ${{ secrets.REPONAME_QUAY_USERNAME }}
-          password: ${{ secrets.REPONAME_QUAY_PASSWORD }}
-
-      - name: Push images to ${{ steps.reponame_reg.outputs.fqin }}
-        uses: docker/build-push-action@v2
-        if: steps.reponame_reg.outputs.push == 'true'
-        with:
-          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-          cache-to: type=inline
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: ${{ steps.reponame_reg.outputs.fqin }}
-          labels: |
-            ${{ env.LABELS }}
-
-      # Push to $CONTAINERS_QUAY_REGISTRY only stable
-      - name: Login to ${{ env.CONTAINERS_QUAY_REGISTRY }}
-        if: steps.containers_reg.outputs.push == 'true'
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ env.CONTAINERS_QUAY_REGISTRY}}
-          username: ${{ secrets.CONTAINERS_QUAY_USERNAME }}
-          password: ${{ secrets.CONTAINERS_QUAY_PASSWORD }}
-
-      - name: Push images to ${{ steps.containers_reg.outputs.fqin }}
-        if: steps.containers_reg.outputs.push == 'true'
-        uses: docker/build-push-action@v2
-        with:
-          cache-from: type=registry,ref=localhost:5000/${{ env.REPONAME }}/${{ matrix.source }}
-          cache-to: type=inline
-          context: contrib/${{ env.REPONAME }}image/${{ matrix.source }}
-          file: ./contrib/${{ env.REPONAME }}image/${{ matrix.source }}/Dockerfile
-          platforms: ${{ env.PLATFORMS }}
-          push: true
-          tags: ${{ steps.containers_reg.outputs.fqin }}
-          labels: |
-            ${{ env.LABELS }}
--- a/.github/workflows/rerun_cirrus_cron.yml
+++ b/.github/workflows/rerun_cirrus_cron.yml
@@ -0,0 +1,19 @@
+---
+
+# See also: https://github.com/containers/podman/blob/main/.github/workflows/rerun_cirrus_cron.yml
+
+on:
+  # Note: This only applies to the default branch.
+  schedule:
+    # N/B: This should correspond to a period slightly after
+    # the last job finishes running.  See job defs. at:
+    # https://cirrus-ci.com/settings/repository/6706677464432640
+    - cron:  '01 01 * * 1-5'
+  # Debug: Allow triggering job manually in github-actions WebUI
+  workflow_dispatch: {}
+
+jobs:
+  # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+  call_cron_rerun:
+    uses: containers/podman/.github/workflows/rerun_cirrus_cron.yml@main
+    secrets: inherit
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,13 +7,17 @@ on:
  schedule:
  - cron: "0 0 * * *"

+permissions:
+  contents: read
+
 jobs:
  stale:
-
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest
-
    steps:
-    - uses: actions/stale@v1
+    - uses: actions/stale@v9
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        stale-issue-message: 'A friendly reminder that this issue had no activity for 30 days.'
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,7 @@
 /layers-*
 /skopeo
 result
-
+/completions/
 # ignore JetBrains IDEs (GoLand) config folder
 .idea

--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,3 @@
+---
+run:
+  timeout: 5m
--- a/.packit.yaml
+++ b/.packit.yaml
@@ -0,0 +1,98 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+# NOTE: The Packit copr_build tasks help to check if every commit builds on
+# supported Fedora and CentOS Stream arches.
+# They do not block the current Cirrus-based workflow.
+
+downstream_package_name: skopeo
+upstream_tag_template: v{version}
+
+packages:
+  skopeo-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/skopeo.spec
+  skopeo-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/skopeo.spec
+  skopeo-rhel:
+    specfile_path: rpm/skopeo.spec
+
+srpm_build_deps:
+  - make
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    packages: [skopeo-fedora]
+    notifications: &copr_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
+    targets:
+      fedora-all-x86_64: {}
+      fedora-all-aarch64: {}
+      fedora-eln-x86_64:
+        additional_repos:
+          - "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/x86_64/"
+      fedora-eln-aarch64:
+        additional_repos:
+          - "https://kojipkgs.fedoraproject.org/repos/eln-build/latest/aarch64/"
+    enable_net: true
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [skopeo-centos]
+    notifications: *copr_build_failure_notification
+    targets:
+      - centos-stream-9-x86_64
+      - centos-stream-9-aarch64
+      - centos-stream-10-x86_64
+      - centos-stream-10-aarch64
+    enable_net: true
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [skopeo-rhel]
+    notifications: *copr_build_failure_notification
+    targets:
+      - epel-9-x86_64
+      - epel-9-aarch64
+    enable_net: true
+
+  # Run on commit to main branch
+  - job: copr_build
+    trigger: commit
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
+    branch: main
+    owner: rhcontainerbot
+    project: podman-next
+    enable_net: true
+
+  # Sync to Fedora
+  - job: propose_downstream
+    trigger: release
+    packages: [skopeo-fedora]
+    update_release: false
+    dist_git_branches:
+      - fedora-all
+
+  # Sync to CentOS Stream
+  - job: propose_downstream
+    trigger: release
+    packages: [skopeo-centos]
+    update_release: false
+    dist_git_branches:
+      - c10s
+
+  - job: koji_build
+    trigger: commit
+    dist_git_branches:
+      - fedora-all
+
+  - job: bodhi_update
+    trigger: commit
+    dist_git_branches:
+      - fedora-branched # rawhide updates are created automatically
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -149,7 +149,7 @@ When new PRs for [containers/image](https://github.com/containers/image) break `
 ## Communications

 For general questions, or discussions, please use the 
-IRC group on `irc.freenode.net` called `container-projects`
+IRC channel on `irc.libera.chat` called `#container-projects`
 that has been setup.

 For discussions around issues/bugs and features, you can use the github
--- a/128
+++ b/128
@@ -2,44 +2,46 @@

 export GOPROXY=https://proxy.golang.org

-# On some platforms (eg. macOS, FreeBSD) gpgme is installed in /usr/local/ but /usr/local/include/ is
-# not in the default search path. Rather than hard-code this directory, use gpgme-config.
-# Sadly that must be done at the top-level user instead of locally in the gpgme subpackage, because cgo
-# supports only pkg-config, not general shell scripts, and gpgme does not install a pkg-config file.
-# If gpgme is not installed or gpgme-config can’t be found for other reasons, the error is silently ignored
-# (and the user will probably find out because the cgo compilation will fail).
-GPGME_ENV := CGO_CFLAGS="$(shell gpgme-config --cflags 2>/dev/null)" CGO_LDFLAGS="$(shell gpgme-config --libs 2>/dev/null)"
-
 # The following variables very roughly follow https://www.gnu.org/prep/standards/standards.html#Makefile-Conventions .
 DESTDIR ?=
 PREFIX ?= /usr/local
+ifeq ($(shell uname -s),FreeBSD)
+CONTAINERSCONFDIR ?= /usr/local/etc/containers
+else
 CONTAINERSCONFDIR ?= /etc/containers
+endif
 REGISTRIESDDIR ?= ${CONTAINERSCONFDIR}/registries.d
-SIGSTOREDIR ?= /var/lib/containers/sigstore
+LOOKASIDEDIR ?= /var/lib/containers/sigstore
 BINDIR ?= ${PREFIX}/bin
 MANDIR ?= ${PREFIX}/share/man
-BASHCOMPLETIONSDIR ?= ${PREFIX}/share/bash-completion/completions
+
+BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
+ZSHINSTALLDIR=${PREFIX}/share/zsh/site-functions
+FISHINSTALLDIR=${PREFIX}/share/fish/vendor_completions.d

 GO ?= go
 GOBIN := $(shell $(GO) env GOBIN)
 GOOS ?= $(shell go env GOOS)
 GOARCH ?= $(shell go env GOARCH)

+# N/B: This value is managed by Renovate, manual changes are
+# possible, as long as they don't disturb the formatting
+# (i.e. DO NOT ADD A 'v' prefix!)
+GOLANGCI_LINT_VERSION := 1.56.2
+
 ifeq ($(GOBIN),)
 GOBIN := $(GOPATH)/bin
 endif

-# Multiple scripts are sensitive to this value, make sure it's exported/available
-# N/B: Need to use 'command -v' here for compatibility with MacOS.
-export CONTAINER_RUNTIME ?= $(if $(shell command -v podman),podman,docker)
-GOMD2MAN ?= $(if $(shell command -v go-md2man),go-md2man,$(GOBIN)/go-md2man)
-
-# Go module support: set `-mod=vendor` to use the vendored sources.
-# See also hack/make.sh.
-ifeq ($(shell go help mod >/dev/null 2>&1 && echo true), true)
-  GO:=GO111MODULE=on $(GO)
-  MOD_VENDOR=-mod=vendor
-endif
+# Scripts may also use CONTAINER_RUNTIME, so we need to export it.
+# Note possibly non-obvious aspects of this:
+# - We need to use 'command -v' here, not 'which', for compatibility with MacOS.
+# - GNU Make 4.2.1 (included in Ubuntu 20.04) incorrectly tries to avoid invoking
+#   a shell, and fails because there is no /usr/bin/command. The trailing ';' in
+#   $(shell … ;) defeats that heuristic (recommended in
+#   https://savannah.gnu.org/bugs/index.php?57625 ).
+export CONTAINER_RUNTIME ?= $(if $(shell command -v podman ;),podman,docker)
+GOMD2MAN ?= $(if $(shell command -v go-md2man ;),go-md2man,$(GOBIN)/go-md2man)

 ifeq ($(DEBUG), 1)
  override GOGCFLAGS += -N -l
@@ -51,20 +53,12 @@ ifeq ($(GOOS), linux)
  endif
 endif

-GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
-
 # If $TESTFLAGS is set, it is passed as extra arguments to 'go test'.
-# You can increase test output verbosity with the option '-test.vv'.
-# You can select certain tests to run, with `-test.run <regex>` for example:
+# You can select certain tests to run, with `-run <regex>` for example:
 #
-#     make test-unit TESTFLAGS='-test.run ^TestManifestDigest$'
-#
-# For integration test, we use [gocheck](https://labix.org/gocheck).
-# You can increase test output verbosity with the option '-check.vv'.
-# You can limit test selection with `-check.f <regex>`, for example:
-#
-#     make test-integration TESTFLAGS='-check.f CopySuite.TestCopy.*'
-export TESTFLAGS ?= -v -check.v -test.timeout=15m
+#     make test-unit TESTFLAGS='-run ^TestManifestDigest$'
+#     make test-integration TESTFLAGS='-run copySuite.TestCopy.*'
+export TESTFLAGS ?= -timeout=15m

 # This is assumed to be set non-empty when operating inside a CI/automation environment
 CI ?=
@@ -88,7 +82,7 @@ endif
 CONTAINER_GOSRC = /src/github.com/containers/skopeo
 CONTAINER_RUN ?= $(CONTAINER_CMD) --security-opt label=disable -v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) $(SKOPEO_CIDEV_CONTAINER_FQIN)

-GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null || true)
+GIT_COMMIT := $(shell GIT_CEILING_DIRECTORIES=$$(cd ..; pwd) git rev-parse HEAD 2> /dev/null || true)

 EXTRA_LDFLAGS ?=
 SKOPEO_LDFLAGS := -ldflags '-X main.gitCommit=${GIT_COMMIT} $(EXTRA_LDFLAGS)'
@@ -123,6 +117,7 @@ help:
 	@echo " * 'install' - Install binaries and documents to system locations"
 	@echo " * 'binary' - Build skopeo with a container"
 	@echo " * 'bin/skopeo' - Build skopeo locally"
+	@echo " * 'bin/skopeo.OS.ARCH' - Build skopeo for specific OS and ARCH"
 	@echo " * 'test-unit' - Execute unit tests"
 	@echo " * 'test-integration' - Execute integration tests"
 	@echo " * 'validate' - Verify whether there is no conflict and all Go source files have been formatted, linted and vetted"
@@ -137,9 +132,9 @@ binary: cmd/skopeo
 # Build w/o using containers
 .PHONY: bin/skopeo
 bin/skopeo:
-	$(GPGME_ENV) $(GO) build $(MOD_VENDOR) ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
+	$(GO) build ${GO_DYN_FLAGS} ${SKOPEO_LDFLAGS} -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o $@ ./cmd/skopeo
 bin/skopeo.%:
-	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO) build $(MOD_VENDOR) ${SKOPEO_LDFLAGS} -tags "containers_image_openpgp $(BUILDTAGS)" -o $@ ./cmd/skopeo
+	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO) build ${SKOPEO_LDFLAGS} -tags "containers_image_openpgp $(BUILDTAGS)" -o $@ ./cmd/skopeo
 local-cross: bin/skopeo.darwin.amd64 bin/skopeo.linux.arm bin/skopeo.linux.arm64 bin/skopeo.windows.386.exe bin/skopeo.windows.amd64.exe

 $(MANPAGES): %: %.md
@@ -152,11 +147,19 @@ docs: $(MANPAGES)
 docs-in-container:
 	${CONTAINER_RUN} $(MAKE) docs $(if $(DEBUG),DEBUG=$(DEBUG))

+.PHONY: completions
+completions: bin/skopeo
+	install -d -m 755 completions/bash completions/zsh completions/fish completions/powershell
+	./bin/skopeo completion bash >| completions/bash/skopeo
+	./bin/skopeo completion zsh >| completions/zsh/_skopeo
+	./bin/skopeo completion fish >| completions/fish/skopeo.fish
+	./bin/skopeo completion powershell >| completions/powershell/skopeo.ps1
+
 clean:
-	rm -rf bin docs/*.1
+	rm -rf bin docs/*.1 completions/

 install: install-binary install-docs install-completions
-	install -d -m 755 ${DESTDIR}${SIGSTOREDIR}
+	install -d -m 755 ${DESTDIR}${LOOKASIDEDIR}
 	install -d -m 755 ${DESTDIR}${CONTAINERSCONFDIR}
 	install -m 644 default-policy.json ${DESTDIR}${CONTAINERSCONFDIR}/policy.json
 	install -d -m 755 ${DESTDIR}${REGISTRIESDDIR}
@@ -172,25 +175,39 @@ ifneq ($(DISABLE_DOCS), 1)
 	install -m 644 docs/*.1 ${DESTDIR}${MANDIR}/man1
 endif

-install-completions:
-	install -m 755 -d ${DESTDIR}${BASHCOMPLETIONSDIR}
-	install -m 644 completions/bash/skopeo ${DESTDIR}${BASHCOMPLETIONSDIR}/skopeo
+install-completions: completions
+	install -d -m 755 ${DESTDIR}${BASHINSTALLDIR}
+	install -m 644 completions/bash/skopeo ${DESTDIR}${BASHINSTALLDIR}
+	install -d -m 755 ${DESTDIR}${ZSHINSTALLDIR}
+	install -m 644 completions/zsh/_skopeo ${DESTDIR}${ZSHINSTALLDIR}
+	install -d -m 755 ${DESTDIR}${FISHINSTALLDIR}
+	install -m 644 completions/fish/skopeo.fish ${DESTDIR}${FISHINSTALLDIR}
+	# There is no common location for powershell files so do not install them. Users have to source the file from their powershell profile.

 shell:
 	$(CONTAINER_RUN) bash

+tools:
+	if [ ! -x "$(GOBIN)/golangci-lint" ]; then \
+		curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v$(GOLANGCI_LINT_VERSION) ; \
+	fi
+
 check: validate test-unit test-integration test-system

 test-integration:
-	$(CONTAINER_RUN) $(MAKE) test-integration-local
+# This is intended to be equal to $(CONTAINER_RUN), but with --cap-add=cap_mknod.
+# --cap-add=cap_mknod is important to allow skopeo to use containers-storage: directly as it exists in the callers’ environment, without
+# creating a nested user namespace (which requires /etc/subuid and /etc/subgid to be set up)
+	$(CONTAINER_CMD) --security-opt label=disable --cap-add=cap_mknod -v $(CURDIR):$(CONTAINER_GOSRC) -w $(CONTAINER_GOSRC) $(SKOPEO_CIDEV_CONTAINER_FQIN) \
+		$(MAKE) test-integration-local


 # Intended for CI, assumed to be running in quay.io/libpod/skopeo_cidev container.
 test-integration-local: bin/skopeo
-	hack/make.sh test-integration
+	hack/warn-destructive-tests.sh
+	hack/test-integration.sh

 # complicated set of options needed to run podman-in-podman
-# TODO: The $(RM) command will likely fail w/o `podman unshare`
 test-system:
 	DTEMP=$(shell mktemp -d --tmpdir=/var/tmp podman-tmp.XXXXXX); \
 	$(CONTAINER_CMD) --privileged \
@@ -199,12 +216,13 @@ test-system:
 		"$(SKOPEO_CIDEV_CONTAINER_FQIN)" \
 			$(MAKE) test-system-local; \
 	rc=$$?; \
-	-$(RM) -rf $$DTEMP; \
+	$(CONTAINER_RUNTIME) unshare rm -rf $$DTEMP; # This probably doesn't work with Docker, oh well, better than nothing... \
 	exit $$rc

 # Intended for CI, assumed to already be running in quay.io/libpod/skopeo_cidev container.
 test-system-local: bin/skopeo
-	hack/make.sh test-system
+	hack/warn-destructive-tests.sh
+	hack/test-system.sh

 test-unit:
 	# Just call (make test unit-local) here instead of worrying about environment differences
@@ -218,16 +236,19 @@ test-all-local: validate-local validate-docs test-unit-local

 .PHONY: validate-local
 validate-local:
-	BUILDTAGS="${BUILDTAGS}" hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+	hack/validate-git-marks.sh
+	hack/validate-gofmt.sh
+	GOBIN=$(GOBIN) hack/validate-lint.sh
+	BUILDTAGS="${BUILDTAGS}" hack/validate-vet.sh

 # This invokes bin/skopeo, hence cannot be run as part of validate-local
 .PHONY: validate-docs
-validate-docs:
+validate-docs: bin/skopeo
 	hack/man-page-checker
 	hack/xref-helpmsgs-manpages

-test-unit-local: bin/skopeo
-	$(GPGME_ENV) $(GO) test $(MOD_VENDOR) -tags "$(BUILDTAGS)" $$($(GO) list $(MOD_VENDOR) -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')
+test-unit-local:
+	$(GO) test -tags "$(BUILDTAGS)" $$($(GO) list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')

 vendor:
 	$(GO) mod tidy
@@ -235,4 +256,9 @@ vendor:
 	$(GO) mod verify

 vendor-in-container:
-	podman run --privileged --rm --env HOME=/root -v $(CURDIR):/src -w /src quay.io/libpod/golang:1.16 $(MAKE) vendor
+	podman run --privileged --rm --env HOME=/root -v $(CURDIR):/src -w /src golang $(MAKE) vendor
+
+# CAUTION: This is not a replacement for RPMs provided by your distro.
+# Only intended to build and test the latest unreleased changes.
+rpm:
+	rpkg local
--- a/README.md
+++ b/README.md
@@ -1,7 +1,4 @@
-skopeo [![Build Status](https://travis-ci.org/containers/skopeo.svg?branch=master)](https://travis-ci.org/containers/skopeo)
-=
-
-<img src="https://cdn.rawgit.com/containers/skopeo/master/docs/skopeo.svg" width="250">
+<img src="https://cdn.rawgit.com/containers/skopeo/main/docs/skopeo.svg" width="250" alt="Skopeo">

 ----

@@ -42,6 +39,12 @@ Skopeo works with API V2 container image registries such as [docker.io](https://
 * oci:path:tag
         An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

+[Obtaining skopeo](./install.md)
+-
+
+For a detailed description how to install or build skopeo, see
+[install.md](./install.md).
+
 ## Inspecting a repository
 `skopeo` is able to _inspect_ a repository on a container registry and fetch images layers.
 The _inspect_ command fetches the repository's manifest and it is able to show you a `docker inspect`-like
@@ -56,29 +59,37 @@ Examples:
 $ skopeo inspect docker://registry.fedoraproject.org/fedora:latest
 {
    "Name": "registry.fedoraproject.org/fedora",
-    "Digest": "sha256:655721ff613ee766a4126cb5e0d5ae81598e1b0c3bcf7017c36c4d72cb092fe9",
+    "Digest": "sha256:0f65bee641e821f8118acafb44c2f8fe30c2fc6b9a2b3729c0660376391aa117",
    "RepoTags": [
-        "24",
-        "25",
-        "26-modular",
-	...
+        "34-aarch64",
+        "34",
+        "latest",
+        ...
    ],
-    "Created": "2020-04-29T06:48:16Z",
+    "Created": "2022-11-24T13:54:18Z",
    "DockerVersion": "1.10.1",
    "Labels": {
        "license": "MIT",
        "name": "fedora",
        "vendor": "Fedora Project",
-        "version": "32"
+        "version": "37"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
-        "sha256:3088721d7dbf674fc0be64cd3cf00c25aab921cacf35fa0e7b1578500a3e1653"
+        "sha256:2a0fc6bf62e155737f0ace6142ee686f3c471c1aab4241dc3128904db46288f0"
+    ],
+    "LayersData": [
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:2a0fc6bf62e155737f0ace6142ee686f3c471c1aab4241dc3128904db46288f0",
+            "Size": 71355009,
+            "Annotations": null
+        }
    ],
    "Env": [
-        "DISTTAG=f32container",
-        "FGC=f32",
+        "DISTTAG=f37container",
+        "FGC=f37",
        "container=oci"
    ]
 }
@@ -184,12 +195,6 @@ $ skopeo inspect --creds=testuser:testpassword docker://myregistrydomain.com:500
 $ skopeo copy --src-creds=testuser:testpassword docker://myregistrydomain.com:5000/private oci:local_oci_image
 ```

-[Obtaining skopeo](./install.md)
-
-
-For a detailed description how to install or build skopeo, see
-[install.md](./install.md).
-
 Contributing
 -

@@ -200,6 +205,7 @@ Please read the [contribution guide](CONTRIBUTING.md) if you want to collaborate
 | -------------------------------------------------- | ---------------------------------------------------------------------------------------------|
 | [skopeo-copy(1)](/docs/skopeo-copy.1.md)           | Copy an image (manifest, filesystem layers, signatures) from one location to another.        |
 | [skopeo-delete(1)](/docs/skopeo-delete.1.md)       | Mark the image-name for later deletion by the registry's garbage collector.                                                                |
+| [skopeo-generate-sigstore-key(1)](/docs/skopeo-generate-sigstore-key.1.md)    | Generate a sigstore public/private key pair.  |
 | [skopeo-inspect(1)](/docs/skopeo-inspect.1.md)     | Return  low-level  information about image-name in a registry.                                |
 | [skopeo-list-tags(1)](/docs/skopeo-list-tags.1.md) | Return a list of tags for the transport-specific image repository.                               |
 | [skopeo-login(1)](/docs/skopeo-login.1.md)         | Login to a container registry.                                                               |
@@ -207,7 +213,7 @@ Please read the [contribution guide](CONTRIBUTING.md) if you want to collaborate
 | [skopeo-manifest-digest(1)](/docs/skopeo-manifest-digest.1.md)    | Compute a manifest digest for a manifest-file and write it to standard output.   |
 | [skopeo-standalone-sign(1)](/docs/skopeo-standalone-sign.1.md)    | Debugging tool - Publish and sign an image in one step.                                                         |
 | [skopeo-standalone-verify(1)](/docs/skopeo-standalone-verify.1.md)| Verify an image signature.                                                    |
-| [skopeo-sync(1)](/docs/skopeo-sync.1.md)           | Synchronize images between container registries and local directories.                       |
+| [skopeo-sync(1)](/docs/skopeo-sync.1.md)           | Synchronize images between registry repositories and local directories.                      |

 License
 -
--- a/cmd/skopeo/cgo_pthread_ordering_workaround.go
+++ b/cmd/skopeo/cgo_pthread_ordering_workaround.go
@@ -1,35 +0,0 @@
-//go:build !containers_image_openpgp
-// +build !containers_image_openpgp
-
-package main
-
-/*
-This is a pretty horrible workaround.  Due to a glibc bug
-https://bugzilla.redhat.com/show_bug.cgi?id=1326903 , we must ensure we link
-with -lgpgme before -lpthread.  Such arguments come from various packages
-using cgo, and the ordering of these arguments is, with current (go tool link),
-dependent on the order in which the cgo-using packages are found in a
-breadth-first search following dependencies, starting from “main”.
-
-Thus, if
-   import "net"
-is processed before
-   import "…/skopeo/signature"
-it will, in the next level of the BFS, pull in "runtime/cgo" (a dependency of
-"net") before "mtrmac/gpgme" (a dependency of "…/skopeo/signature"), causing
-lpthread (used by "runtime/cgo") to be used before -lgpgme.
-
-This might be possible to work around by careful import ordering, or by removing
-a direct dependency on "net", but that would be very fragile.
-
-So, until the above bug is fixed, add -lgpgme directly in the "main" package
-to ensure the needed build order.
-
-Unfortunately, this workaround needs to be applied at the top level of any user
-of "…/skopeo/signature"; it cannot be added to "…/skopeo/signature" itself,
-by that time this package is first processed by the linker, a -lpthread may
-already be queued and it would be too late.
-*/
-
-// #cgo LDFLAGS: -lgpgme
-import "C"
--- a/cmd/skopeo/completions.go
+++ b/cmd/skopeo/completions.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"github.com/containers/image/v5/transports"
+	"github.com/spf13/cobra"
+)
+
+// autocompleteSupportedTransports list all supported transports with the colon suffix.
+func autocompleteSupportedTransports(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+	tps := transports.ListNames()
+	suggestions := make([]string, 0, len(tps))
+	for _, tp := range tps {
+		suggestions = append(suggestions, tp+":")
+	}
+	return suggestions, cobra.ShellCompDirectiveNoFileComp
+}
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -4,7 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"
 	"strings"

 	commonFlag "github.com/containers/common/pkg/flag"
@@ -13,6 +13,8 @@ import (
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/pkg/cli/sigstore"
+	"github.com/containers/image/v5/signature/signer"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
 	encconfig "github.com/containers/ocicrypt/config"
@@ -21,24 +23,27 @@ import (
 )

 type copyOptions struct {
-	global              *globalOptions
-	deprecatedTLSVerify *deprecatedTLSVerifyOption
-	srcImage            *imageOptions
-	destImage           *imageDestOptions
-	retryOpts           *retry.RetryOptions
-	additionalTags      []string                  // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
-	removeSignatures    bool                      // Do not copy signatures from the source image
-	signByFingerprint   string                    // Sign the image using a GPG key with the specified fingerprint
-	signPassphraseFile  string                    // Path pointing to a passphrase file when signing
-	digestFile          string                    // Write digest to this file
-	format              commonFlag.OptionalString // Force conversion of the image to a specified format
-	quiet               bool                      // Suppress output information when copying images
-	all                 bool                      // Copy all of the images if the source is a list
-	multiArch           commonFlag.OptionalString // How to handle multi architecture images
-	preserveDigests     bool                      // Preserve digests during copy
-	encryptLayer        []int                     // The list of layers to encrypt
-	encryptionKeys      []string                  // Keys needed to encrypt the image
-	decryptionKeys      []string                  // Keys needed to decrypt the image
+	global                   *globalOptions
+	deprecatedTLSVerify      *deprecatedTLSVerifyOption
+	srcImage                 *imageOptions
+	destImage                *imageDestOptions
+	retryOpts                *retry.Options
+	additionalTags           []string                  // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
+	removeSignatures         bool                      // Do not copy signatures from the source image
+	signByFingerprint        string                    // Sign the image using a GPG key with the specified fingerprint
+	signBySigstoreParamFile  string                    // Sign the image using a sigstore signature per configuration in a param file
+	signBySigstorePrivateKey string                    // Sign the image using a sigstore private key
+	signPassphraseFile       string                    // Path pointing to a passphrase file when signing (for either signature format, but only one of them)
+	signIdentity             string                    // Identity of the signed image, must be a fully specified docker reference
+	digestFile               string                    // Write digest to this file
+	format                   commonFlag.OptionalString // Force conversion of the image to a specified format
+	quiet                    bool                      // Suppress output information when copying images
+	all                      bool                      // Copy all of the images if the source is a list
+	multiArch                commonFlag.OptionalString // How to handle multi architecture images
+	preserveDigests          bool                      // Preserve digests during copy
+	encryptLayer             []int                     // The list of layers to encrypt
+	encryptionKeys           []string                  // Keys needed to encrypt the image
+	decryptionKeys           []string                  // Keys needed to decrypt the image
 }

 func copyCmd(global *globalOptions) *cobra.Command {
@@ -63,8 +68,9 @@ Supported transports:

 See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
-		RunE:    commandAction(opts.run),
-		Example: `skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest`,
+		RunE:              commandAction(opts.run),
+		Example:           `skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
@@ -80,7 +86,10 @@ See skopeo(1) section "IMAGE NAMES" for the expected format
 	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
 	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE-IMAGE")
 	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
-	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "File that contains a passphrase for the --sign-by key")
+	flags.StringVar(&opts.signBySigstoreParamFile, "sign-by-sigstore", "", "Sign the image using a sigstore parameter file at `PATH`")
+	flags.StringVar(&opts.signBySigstorePrivateKey, "sign-by-sigstore-private-key", "", "Sign the image using a sigstore private key at `PATH`")
+	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "Read a passphrase for signing an image from `PATH`")
+	flags.StringVar(&opts.signIdentity, "sign-identity", "", "Identity of signed image, must be a fully specified docker reference. Defaults to the target docker reference.")
 	flags.StringVar(&opts.digestFile, "digestfile", "", "Write the digest of the pushed image to the specified file")
 	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)`)
 	flags.StringSliceVar(&opts.encryptionKeys, "encryption-key", []string{}, "*Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)")
@@ -110,7 +119,7 @@ func parseMultiArch(multiArch string) (copy.ImageListSelection, error) {
 	}
 }

-func (opts *copyOptions) run(args []string, stdout io.Writer) error {
+func (opts *copyOptions) run(args []string, stdout io.Writer) (retErr error) {
 	if len(args) != 2 {
 		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
 	}
@@ -125,7 +134,11 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 	if err != nil {
 		return fmt.Errorf("Error loading trust policy: %v", err)
 	}
-	defer policyContext.Destroy()
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()

 	srcRef, err := alltransports.ParseImageName(imageNames[0])
 	if err != nil {
@@ -222,25 +235,71 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 		decConfig = cc.DecryptConfig
 	}

-	passphrase, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
-	if err != nil {
-		return err
+	// c/image/copy.Image does allow creating both simple signing and sigstore signatures simultaneously,
+	// with independent passphrases, but that would make the CLI probably too confusing.
+	// For now, use the passphrase with either, but only one of them.
+	if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signBySigstorePrivateKey != "" {
+		return fmt.Errorf("Only one of --sign-by and sign-by-sigstore-private-key can be used with sign-passphrase-file")
+	}
+	var passphrase string
+	if opts.signPassphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else if opts.signBySigstorePrivateKey != "" {
+		p, err := promptForPassphrase(opts.signBySigstorePrivateKey, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} // opts.signByFingerprint triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided.
+
+	var signers []*signer.Signer
+	if opts.signBySigstoreParamFile != "" {
+		signer, err := sigstore.NewSignerFromParameterFile(opts.signBySigstoreParamFile, &sigstore.Options{
+			PrivateKeyPassphrasePrompt: func(keyFile string) (string, error) {
+				return promptForPassphrase(keyFile, os.Stdin, os.Stdout)
+			},
+			Stdin:  os.Stdin,
+			Stdout: stdout,
+		})
+		if err != nil {
+			return fmt.Errorf("Error using --sign-by-sigstore: %w", err)
+		}
+		defer signer.Close()
+		signers = append(signers, signer)
 	}

-	return retry.RetryIfNecessary(ctx, func() error {
+	var signIdentity reference.Named = nil
+	if opts.signIdentity != "" {
+		signIdentity, err = reference.ParseNamed(opts.signIdentity)
+		if err != nil {
+			return fmt.Errorf("Could not parse --sign-identity: %v", err)
+		}
+	}
+
+	opts.destImage.warnAboutIneffectiveOptions(destRef.Transport())
+
+	return retry.IfNecessary(ctx, func() error {
 		manifestBytes, err := copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
-			RemoveSignatures:      opts.removeSignatures,
-			SignBy:                opts.signByFingerprint,
-			SignPassphrase:        passphrase,
-			ReportWriter:          stdout,
-			SourceCtx:             sourceCtx,
-			DestinationCtx:        destinationCtx,
-			ForceManifestMIMEType: manifestType,
-			ImageListSelection:    imageListSelection,
-			PreserveDigests:       opts.preserveDigests,
-			OciDecryptConfig:      decConfig,
-			OciEncryptLayers:      encLayers,
-			OciEncryptConfig:      encConfig,
+			RemoveSignatures:                 opts.removeSignatures,
+			Signers:                          signers,
+			SignBy:                           opts.signByFingerprint,
+			SignPassphrase:                   passphrase,
+			SignBySigstorePrivateKeyFile:     opts.signBySigstorePrivateKey,
+			SignSigstorePrivateKeyPassphrase: []byte(passphrase),
+			SignIdentity:                     signIdentity,
+			ReportWriter:                     stdout,
+			SourceCtx:                        sourceCtx,
+			DestinationCtx:                   destinationCtx,
+			ForceManifestMIMEType:            manifestType,
+			ImageListSelection:               imageListSelection,
+			PreserveDigests:                  opts.preserveDigests,
+			OciDecryptConfig:                 decConfig,
+			OciEncryptLayers:                 encLayers,
+			OciEncryptConfig:                 encConfig,
 		})
 		if err != nil {
 			return err
@@ -250,7 +309,7 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) error {
 			if err != nil {
 				return err
 			}
-			if err = ioutil.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0644); err != nil {
+			if err = os.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0644); err != nil {
 				return fmt.Errorf("Failed to write digest to file %q: %w", opts.digestFile, err)
 			}
 		}
--- a/cmd/skopeo/delete.go
+++ b/cmd/skopeo/delete.go
@@ -15,7 +15,7 @@ import (
 type deleteOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
 }

 func deleteCmd(global *globalOptions) *cobra.Command {
@@ -35,8 +35,9 @@ Supported transports:
 %s
 See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
-		RunE:    commandAction(opts.run),
-		Example: `skopeo delete docker://registry.example.com/example/pause:latest`,
+		RunE:              commandAction(opts.run),
+		Example:           `skopeo delete docker://registry.example.com/example/pause:latest`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
@@ -69,7 +70,7 @@ func (opts *deleteOptions) run(args []string, stdout io.Writer) error {
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()

-	return retry.RetryIfNecessary(ctx, func() error {
+	return retry.IfNecessary(ctx, func() error {
 		return ref.DeleteImage(ctx, sys)
 	}, opts.retryOpts)
 }
--- a/cmd/skopeo/generate_sigstore_key.go
+++ b/cmd/skopeo/generate_sigstore_key.go
@@ -0,0 +1,90 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+
+	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/signature/sigstore"
+	"github.com/spf13/cobra"
+)
+
+type generateSigstoreKeyOptions struct {
+	outputPrefix   string
+	passphraseFile string
+}
+
+func generateSigstoreKeyCmd() *cobra.Command {
+	var opts generateSigstoreKeyOptions
+	cmd := &cobra.Command{
+		Use:     "generate-sigstore-key [command options] --output-prefix PREFIX",
+		Short:   "Generate a sigstore public/private key pair",
+		RunE:    commandAction(opts.run),
+		Example: "skopeo generate-sigstore-key --output-prefix my-key",
+	}
+	adjustUsage(cmd)
+	flags := cmd.Flags()
+	flags.StringVar(&opts.outputPrefix, "output-prefix", "", "Write the keys to `PREFIX`.pub and `PREFIX`.private")
+	flags.StringVar(&opts.passphraseFile, "passphrase-file", "", "Read a passphrase for the private key from `PATH`")
+	return cmd
+}
+
+// ensurePathDoesNotExist verifies that path does not refer to an existing file,
+// and returns an error if so.
+func ensurePathDoesNotExist(path string) error {
+	switch _, err := os.Stat(path); {
+	case err == nil:
+		return fmt.Errorf("Refusing to overwrite existing %q", path)
+	case errors.Is(err, fs.ErrNotExist):
+		return nil
+	default:
+		return fmt.Errorf("Error checking existence of %q: %w", path, err)
+	}
+}
+
+func (opts *generateSigstoreKeyOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 0 || opts.outputPrefix == "" {
+		return errors.New("Usage: generate-sigstore-key --output-prefix PREFIX")
+	}
+
+	pubKeyPath := opts.outputPrefix + ".pub"
+	privateKeyPath := opts.outputPrefix + ".private"
+	if err := ensurePathDoesNotExist(pubKeyPath); err != nil {
+		return err
+	}
+	if err := ensurePathDoesNotExist(privateKeyPath); err != nil {
+		return err
+	}
+
+	var passphrase string
+	if opts.passphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.passphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else {
+		p, err := promptForPassphrase(privateKeyPath, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	}
+
+	keys, err := sigstore.GenerateKeyPair([]byte(passphrase))
+	if err != nil {
+		return fmt.Errorf("Error generating key pair: %w", err)
+	}
+
+	if err := os.WriteFile(privateKeyPath, keys.PrivateKey, 0600); err != nil {
+		return fmt.Errorf("Error writing private key to %q: %w", privateKeyPath, err)
+	}
+	if err := os.WriteFile(pubKeyPath, keys.PublicKey, 0644); err != nil {
+		return fmt.Errorf("Error writing private key to %q: %w", pubKeyPath, err)
+	}
+	fmt.Fprintf(stdout, "Key written to %q and %q", privateKeyPath, pubKeyPath)
+	return nil
+}
--- a/cmd/skopeo/generate_sigstore_key_test.go
+++ b/cmd/skopeo/generate_sigstore_key_test.go
@@ -0,0 +1,79 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGenerateSigstoreKey(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"--output-prefix", "foo", "a1"},
+	} {
+		out, err := runSkopeo(append([]string{"generate-sigstore-key"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// One of the destination files already exists
+	outputSuffixes := []string{".pub", ".private"}
+	for _, suffix := range outputSuffixes {
+		dir := t.TempDir()
+		prefix := filepath.Join(dir, "prefix")
+		err := os.WriteFile(prefix+suffix, []byte{}, 0600)
+		require.NoError(t, err)
+		out, err := runSkopeo("generate-sigstore-key",
+			"--output-prefix", prefix, "--passphrase-file", "/dev/null",
+		)
+		assertTestFailed(t, out, err, "Refusing to overwrite")
+	}
+
+	// One of the destinations is inaccessible (simulate by a symlink that tries to
+	// traverse a non-directory)
+	for _, suffix := range outputSuffixes {
+		dir := t.TempDir()
+		nonDirectory := filepath.Join(dir, "nondirectory")
+		err := os.WriteFile(nonDirectory, []byte{}, 0600)
+		require.NoError(t, err)
+		prefix := filepath.Join(dir, "prefix")
+		err = os.Symlink(filepath.Join(nonDirectory, "unaccessible"), prefix+suffix)
+		require.NoError(t, err)
+		out, err := runSkopeo("generate-sigstore-key",
+			"--output-prefix", prefix, "--passphrase-file", "/dev/null",
+		)
+		assertTestFailed(t, out, err, prefix+suffix) // + an OS-specific error message
+	}
+	destDir := t.TempDir()
+	// Error reading passphrase
+	out, err := runSkopeo("generate-sigstore-key",
+		"--output-prefix", filepath.Join(destDir, "prefix"),
+		"--passphrase-file", filepath.Join(destDir, "this-does-not-exist"),
+	)
+	assertTestFailed(t, out, err, "this-does-not-exist")
+
+	// (The interactive passphrase prompting is not yet tested)
+
+	// Error writing outputs is untested: when unit tests run as root, we can’t use permissions on a directory to cause write failures,
+	// with the --output-prefix mechanism, and refusing to even start writing to pre-exisiting files, directories are the only mechanism
+	// we have to trigger a write failure.
+
+	// Success
+	// Just a smoke-test, usability of the keys is tested in the generate implementation.
+	dir := t.TempDir()
+	prefix := filepath.Join(dir, "prefix")
+	passphraseFile := filepath.Join(dir, "passphrase")
+	err = os.WriteFile(passphraseFile, []byte("some passphrase"), 0600)
+	require.NoError(t, err)
+	out, err = runSkopeo("generate-sigstore-key",
+		"--output-prefix", prefix, "--passphrase-file", passphraseFile,
+	)
+	assert.NoError(t, err)
+	for _, suffix := range outputSuffixes {
+		assert.Contains(t, out, prefix+suffix)
+	}
+
+}
--- a/cmd/skopeo/inspect.go
+++ b/cmd/skopeo/inspect.go
@@ -2,12 +2,10 @@ package main

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
-	"os"
 	"strings"
-	"text/tabwriter"
-	"text/template"

 	"github.com/containers/common/pkg/report"
 	"github.com/containers/common/pkg/retry"
@@ -17,8 +15,8 @@ import (
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/skopeo/cmd/skopeo/inspect"
+	"github.com/docker/distribution/registry/api/errcode"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@@ -26,7 +24,7 @@ import (
 type inspectOptions struct {
 	global        *globalOptions
 	image         *imageOptions
-	retryOpts     *retry.RetryOptions
+	retryOpts     *retry.Options
 	format        string
 	raw           bool // Output the raw manifest instead of parsing information about the image
 	config        bool // Output the raw config blob instead of parsing information about the image
@@ -53,8 +51,9 @@ See skopeo(1) section "IMAGE NAMES" for the expected format
 `, strings.Join(transports.ListNames(), ", ")),
 		RunE: commandAction(opts.run),
 		Example: `skopeo inspect docker://registry.fedoraproject.org/fedora
-  skopeo inspect --config docker://docker.io/alpine
-  skopeo inspect  --format "Name: {{.Name}} Digest: {{.Digest}}" docker://registry.access.redhat.com/ubi8`,
+skopeo inspect --config docker://docker.io/alpine
+skopeo inspect --format "Name: {{.Name}} Digest: {{.Digest}}" docker://registry.access.redhat.com/ubi8`,
+		ValidArgsFunction: autocompleteSupportedTransports,
 	}
 	adjustUsage(cmd)
 	flags := cmd.Flags()
@@ -73,7 +72,6 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		rawManifest []byte
 		src         types.ImageSource
 		imgInspect  *types.ImageInspectInfo
-		data        []interface{}
 	)
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()
@@ -95,30 +93,30 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		return err
 	}

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		src, err = parseImageSource(ctx, opts.image, imageName)
 		return err
 	}, opts.retryOpts); err != nil {
-		return errors.Wrapf(err, "Error parsing image name %q", imageName)
+		return fmt.Errorf("Error parsing image name %q: %w", imageName, err)
 	}

 	defer func() {
 		if err := src.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, fmt.Sprintf("(could not close image: %v) ", err))
+			retErr = noteCloseFailure(retErr, "closing image", err)
 		}
 	}()

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		rawManifest, _, err = src.GetManifest(ctx, nil)
 		return err
 	}, opts.retryOpts); err != nil {
-		return errors.Wrapf(err, "Error retrieving manifest for image")
+		return fmt.Errorf("Error retrieving manifest for image: %w", err)
 	}

 	if opts.raw && !opts.config {
 		_, err := stdout.Write(rawManifest)
 		if err != nil {
-			return fmt.Errorf("Error writing manifest to standard output: %v", err)
+			return fmt.Errorf("Error writing manifest to standard output: %w", err)
 		}

 		return nil
@@ -126,48 +124,37 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)

 	img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, nil))
 	if err != nil {
-		return errors.Wrapf(err, "Error parsing manifest for image")
+		return fmt.Errorf("Error parsing manifest for image: %w", err)
 	}

 	if opts.config && opts.raw {
 		var configBlob []byte
-		if err := retry.RetryIfNecessary(ctx, func() error {
+		if err := retry.IfNecessary(ctx, func() error {
 			configBlob, err = img.ConfigBlob(ctx)
 			return err
 		}, opts.retryOpts); err != nil {
-			return errors.Wrapf(err, "Error reading configuration blob")
+			return fmt.Errorf("Error reading configuration blob: %w", err)
 		}
 		_, err = stdout.Write(configBlob)
 		if err != nil {
-			return errors.Wrapf(err, "Error writing configuration blob to standard output")
+			return fmt.Errorf("Error writing configuration blob to standard output: %w", err)
 		}
 		return nil
 	} else if opts.config {
 		var config *v1.Image
-		if err := retry.RetryIfNecessary(ctx, func() error {
+		if err := retry.IfNecessary(ctx, func() error {
 			config, err = img.OCIConfig(ctx)
 			return err
 		}, opts.retryOpts); err != nil {
-			return errors.Wrapf(err, "Error reading OCI-formatted configuration data")
+			return fmt.Errorf("Error reading OCI-formatted configuration data: %w", err)
 		}
-		if report.IsJSON(opts.format) || opts.format == "" {
-			var out []byte
-			out, err = json.MarshalIndent(config, "", "    ")
-			if err == nil {
-				fmt.Fprintf(stdout, "%s\n", string(out))
-			}
-		} else {
-			row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
-			data = append(data, config)
-			err = printTmpl(row, data)
-		}
-		if err != nil {
-			return errors.Wrapf(err, "Error writing OCI-formatted configuration data to standard output")
+		if err := opts.writeOutput(stdout, config); err != nil {
+			return fmt.Errorf("Error writing OCI-formatted configuration data to standard output: %w", err)
 		}
 		return nil
 	}

-	if err := retry.RetryIfNecessary(ctx, func() error {
+	if err := retry.IfNecessary(ctx, func() error {
 		imgInspect, err = img.Inspect(ctx)
 		return err
 	}, opts.retryOpts); err != nil {
@@ -185,11 +172,12 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		Architecture:  imgInspect.Architecture,
 		Os:            imgInspect.Os,
 		Layers:        imgInspect.Layers,
+		LayersData:    imgInspect.LayersData,
 		Env:           imgInspect.Env,
 	}
 	outputData.Digest, err = manifest.Digest(rawManifest)
 	if err != nil {
-		return errors.Wrapf(err, "Error computing manifest digest")
+		return fmt.Errorf("Error computing manifest digest: %w", err)
 	}
 	if dockerRef := img.Reference().DockerReference(); dockerRef != nil {
 		outputData.Name = dockerRef.Name()
@@ -201,34 +189,48 @@ func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error)
 		}
 		outputData.RepoTags, err = docker.GetRepositoryTags(ctx, sys, img.Reference())
 		if err != nil {
-			// some registries may decide to block the "list all tags" endpoint
-			// gracefully allow the inspect to continue in this case. Currently
-			// the IBM Bluemix container registry has this restriction.
-			// In addition, AWS ECR rejects it with 403 (Forbidden) if the "ecr:ListImages"
-			// action is not allowed.
-			if !strings.Contains(err.Error(), "401") && !strings.Contains(err.Error(), "403") {
-				return errors.Wrapf(err, "Error determining repository tags")
+			// Some registries may decide to block the "list all tags" endpoint;
+			// gracefully allow the inspect to continue in this case:
+			fatalFailure := true
+			// - AWS ECR rejects it if the "ecr:ListImages" action is not allowed.
+			//   https://github.com/containers/skopeo/issues/726
+			var ec errcode.ErrorCoder
+			if ok := errors.As(err, &ec); ok && ec.ErrorCode() == errcode.ErrorCodeDenied {
+				fatalFailure = false
+			}
+			// - public.ecr.aws does not implement the endpoint at all, and fails with 404:
+			//   https://github.com/containers/skopeo/issues/1230
+			//   This is actually "code":"NOT_FOUND", and the parser doesn’t preserve that.
+			//   So, also check the error text.
+			if ok := errors.As(err, &ec); ok && ec.ErrorCode() == errcode.ErrorCodeUnknown {
+				var e errcode.Error
+				if ok := errors.As(err, &e); ok && e.Code == errcode.ErrorCodeUnknown && e.Message == "404 page not found" {
+					fatalFailure = false
+				}
+			}
+			if fatalFailure {
+				return fmt.Errorf("Error determining repository tags: %w", err)
 			}
 			logrus.Warnf("Registry disallows tag list retrieval; skipping")
 		}
 	}
+	return opts.writeOutput(stdout, outputData)
+}
+
+// writeOutput writes data depending on opts.format to stdout
+func (opts *inspectOptions) writeOutput(stdout io.Writer, data any) error {
 	if report.IsJSON(opts.format) || opts.format == "" {
-		out, err := json.MarshalIndent(outputData, "", "    ")
+		out, err := json.MarshalIndent(data, "", "    ")
 		if err == nil {
 			fmt.Fprintf(stdout, "%s\n", string(out))
 		}
 		return err
 	}
-	row := "{{range . }}" + report.NormalizeFormat(opts.format) + "{{end}}"
-	data = append(data, outputData)
-	return printTmpl(row, data)
-}

-func printTmpl(row string, data []interface{}) error {
-	t, err := template.New("skopeo inspect").Parse(row)
+	rpt, err := report.New(stdout, "skopeo inspect").Parse(report.OriginUser, opts.format)
 	if err != nil {
 		return err
 	}
-	w := tabwriter.NewWriter(os.Stdout, 8, 2, 2, ' ', 0)
-	return t.Execute(w, data)
+	defer rpt.Flush()
+	return rpt.Execute([]any{data})
 }
--- a/cmd/skopeo/inspect/output.go
+++ b/cmd/skopeo/inspect/output.go
@@ -3,6 +3,7 @@ package inspect
 import (
 	"time"

+	"github.com/containers/image/v5/types"
 	digest "github.com/opencontainers/go-digest"
 )

@@ -19,5 +20,6 @@ type Output struct {
 	Architecture  string
 	Os            string
 	Layers        []string
+	LayersData    []types.ImageInspectLayer
 	Env           []string
 }
--- a/cmd/skopeo/layers.go
+++ b/cmd/skopeo/layers.go
@@ -1,9 +1,9 @@
 package main

 import (
+	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"

@@ -13,14 +13,13 @@ import (
 	"github.com/containers/image/v5/pkg/blobinfocache"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

 type layersOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
 }

 func layersCmd(global *globalOptions) *cobra.Command {
@@ -69,25 +68,25 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		rawSource types.ImageSource
 		src       types.ImageCloser
 	)
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		rawSource, err = parseImageSource(ctx, opts.image, imageName)
 		return err
 	}, opts.retryOpts); err != nil {
 		return err
 	}
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		src, err = image.FromSource(ctx, sys, rawSource)
 		return err
 	}, opts.retryOpts); err != nil {
 		if closeErr := rawSource.Close(); closeErr != nil {
-			return errors.Wrapf(err, " (close error: %v)", closeErr)
+			return fmt.Errorf("%w (closing image source: %v)", err, closeErr)
 		}

 		return err
 	}
 	defer func() {
 		if err := src.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			retErr = noteCloseFailure(retErr, "closing image", err)
 		}
 	}()

@@ -122,7 +121,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		}
 	}

-	tmpDir, err := ioutil.TempDir(".", "layers-")
+	tmpDir, err := os.MkdirTemp(".", "layers-")
 	if err != nil {
 		return err
 	}
@@ -137,7 +136,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {

 	defer func() {
 		if err := dest.Close(); err != nil {
-			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			retErr = noteCloseFailure(retErr, "closing destination", err)
 		}
 	}()

@@ -146,7 +145,7 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 			r        io.ReadCloser
 			blobSize int64
 		)
-		if err = retry.RetryIfNecessary(ctx, func() error {
+		if err = retry.IfNecessary(ctx, func() error {
 			r, blobSize, err = rawSource.GetBlob(ctx, types.BlobInfo{Digest: bd.digest, Size: -1}, cache)
 			return err
 		}, opts.retryOpts); err != nil {
@@ -154,14 +153,14 @@ func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
 		}
 		if _, err := dest.PutBlob(ctx, r, types.BlobInfo{Digest: bd.digest, Size: blobSize}, cache, bd.isConfig); err != nil {
 			if closeErr := r.Close(); closeErr != nil {
-				return errors.Wrapf(err, " (close error: %v)", closeErr)
+				return fmt.Errorf("%w (close error: %v)", err, closeErr)
 			}
 			return err
 		}
 	}

 	var manifest []byte
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		manifest, _, err = src.Manifest(ctx)
 		return err
 	}, opts.retryOpts); err != nil {
--- a/cmd/skopeo/list_tags.go
+++ b/cmd/skopeo/list_tags.go
@@ -3,29 +3,44 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
+	"sort"
 	"strings"

 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/docker/archive"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/maps"
 )

 // tagListOutput is the output format of (skopeo list-tags), primarily so that we can format it with a simple json.MarshalIndent.
 type tagListOutput struct {
-	Repository string
+	Repository string `json:",omitempty"`
 	Tags       []string
 }

 type tagsOptions struct {
 	global    *globalOptions
 	image     *imageOptions
-	retryOpts *retry.RetryOptions
+	retryOpts *retry.Options
+}
+
+var transportHandlers = map[string]func(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error){
+	docker.Transport.Name():  listDockerRepoTags,
+	archive.Transport.Name(): listDockerArchiveTags,
+}
+
+// supportedTransports returns all the supported transports
+func supportedTransports(joinStr string) string {
+	res := maps.Keys(transportHandlers)
+	sort.Strings(res)
+	return strings.Join(res, joinStr)
 }

 func tagsCmd(global *globalOptions) *cobra.Command {
@@ -38,13 +53,14 @@ func tagsCmd(global *globalOptions) *cobra.Command {
 		image:     imageOpts,
 		retryOpts: retryOpts,
 	}
+
 	cmd := &cobra.Command{
-		Use:   "list-tags [command options] REPOSITORY-NAME",
-		Short: "List tags in the transport/repository specified by the REPOSITORY-NAME",
-		Long: `Return the list of tags from the transport/repository "REPOSITORY-NAME"
+		Use:   "list-tags [command options] SOURCE-IMAGE",
+		Short: "List tags in the transport/repository specified by the SOURCE-IMAGE",
+		Long: `Return the list of tags from the transport/repository "SOURCE-IMAGE"

 Supported transports:
-docker
+` + supportedTransports(" ") + `

 See skopeo-list-tags(1) section "REPOSITORY NAMES" for the expected format
 `,
@@ -63,15 +79,15 @@ See skopeo-list-tags(1) section "REPOSITORY NAMES" for the expected format
 // Would really love to not have this, but needed to enforce tag-less and digest-less names
 func parseDockerRepositoryReference(refString string) (types.ImageReference, error) {
 	if !strings.HasPrefix(refString, docker.Transport.Name()+"://") {
-		return nil, errors.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
+		return nil, fmt.Errorf("docker: image reference %s does not start with %s://", refString, docker.Transport.Name())
 	}

-	parts := strings.SplitN(refString, ":", 2)
-	if len(parts) != 2 {
-		return nil, errors.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, refString)
+	_, dockerImageName, hasColon := strings.Cut(refString, ":")
+	if !hasColon {
+		return nil, fmt.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, refString)
 	}

-	ref, err := reference.ParseNormalizedNamed(strings.TrimPrefix(parts[1], "//"))
+	ref, err := reference.ParseNormalizedNamed(strings.TrimPrefix(dockerImageName, "//"))
 	if err != nil {
 		return nil, err
 	}
@@ -90,11 +106,63 @@ func listDockerTags(ctx context.Context, sys *types.SystemContext, imgRef types.

 	tags, err := docker.GetRepositoryTags(ctx, sys, imgRef)
 	if err != nil {
-		return ``, nil, fmt.Errorf("Error listing repository tags: %v", err)
+		return ``, nil, fmt.Errorf("Error listing repository tags: %w", err)
 	}
 	return repositoryName, tags, nil
 }

+// return the tagLists from a docker repo
+func listDockerRepoTags(ctx context.Context, sys *types.SystemContext, opts *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
+	// Do transport-specific parsing and validation to get an image reference
+	imgRef, err := parseDockerRepositoryReference(userInput)
+	if err != nil {
+		return
+	}
+	if err = retry.IfNecessary(ctx, func() error {
+		repositoryName, tagListing, err = listDockerTags(ctx, sys, imgRef)
+		return err
+	}, opts.retryOpts); err != nil {
+		return
+	}
+	return
+}
+
+// return the tagLists from a docker archive file
+func listDockerArchiveTags(_ context.Context, sys *types.SystemContext, _ *tagsOptions, userInput string) (repositoryName string, tagListing []string, err error) {
+	ref, err := alltransports.ParseImageName(userInput)
+	if err != nil {
+		return
+	}
+
+	tarReader, _, err := archive.NewReaderForReference(sys, ref)
+	if err != nil {
+		return
+	}
+	defer tarReader.Close()
+
+	imageRefs, err := tarReader.List()
+	if err != nil {
+		return
+	}
+
+	var repoTags []string
+	for imageIndex, items := range imageRefs {
+		for _, ref := range items {
+			repoTags, err = tarReader.ManifestTagsForReference(ref)
+			if err != nil {
+				return
+			}
+			// handle for each untagged image
+			if len(repoTags) == 0 {
+				repoTags = []string{fmt.Sprintf("@%d", imageIndex)}
+			}
+			tagListing = append(tagListing, repoTags...)
+		}
+	}
+
+	return
+}
+
 func (opts *tagsOptions) run(args []string, stdout io.Writer) (retErr error) {
 	ctx, cancel := opts.global.commandTimeoutContext()
 	defer cancel()
@@ -113,23 +181,17 @@ func (opts *tagsOptions) run(args []string, stdout io.Writer) (retErr error) {
 		return fmt.Errorf("Invalid %q: does not specify a transport", args[0])
 	}

-	if transport.Name() != docker.Transport.Name() {
-		return fmt.Errorf("Unsupported transport '%v' for tag listing. Only '%v' currently supported", transport.Name(), docker.Transport.Name())
-	}
-
-	// Do transport-specific parsing and validation to get an image reference
-	imgRef, err := parseDockerRepositoryReference(args[0])
-	if err != nil {
-		return err
-	}
-
 	var repositoryName string
 	var tagListing []string
-	if err = retry.RetryIfNecessary(ctx, func() error {
-		repositoryName, tagListing, err = listDockerTags(ctx, sys, imgRef)
-		return err
-	}, opts.retryOpts); err != nil {
-		return err
+
+	if val, ok := transportHandlers[transport.Name()]; ok {
+		repositoryName, tagListing, err = val(ctx, sys, opts, args[0])
+		if err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("Unsupported transport '%s' for tag listing. Only supported: %s",
+			transport.Name(), supportedTransports(", "))
 	}

 	outputData := tagListOutput{
--- a/cmd/skopeo/list_tags_test.go
+++ b/cmd/skopeo/list_tags_test.go
@@ -16,7 +16,6 @@ func TestDockerRepositoryReferenceParser(t *testing.T) {
 		{"docker://somehost.com"},          // Valid default expansion
 		{"docker://nginx"},                 // Valid default expansion
 	} {
-
 		ref, err := parseDockerRepositoryReference(test[0])
 		require.NoError(t, err)
 		expected, err := alltransports.ParseImageName(test[0])
@@ -47,7 +46,6 @@ func TestDockerRepositoryReferenceParserDrift(t *testing.T) {
 		{"docker://somehost.com", "docker.io/library/somehost.com"}, // Valid default expansion
 		{"docker://nginx", "docker.io/library/nginx"},               // Valid default expansion
 	} {
-
 		ref, err := parseDockerRepositoryReference(test[0])
 		ref2, err2 := alltransports.ParseImageName(test[0])

--- a/cmd/skopeo/login_test.go
+++ b/cmd/skopeo/login_test.go
@@ -0,0 +1,18 @@
+package main
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func TestLogin(t *testing.T) {
+	dir := t.TempDir()
+	authFile := filepath.Join(dir, "auth.json")
+	compatAuthFile := filepath.Join(dir, "config.json")
+
+	// Just a trivial smoke-test exercising one error-handling path.
+	// We can’t test full operation without a registry, unit tests should mostly
+	// exist in c/common/pkg/auth, not here.
+	out, err := runSkopeo("login", "--authfile", authFile, "--compat-auth-file", compatAuthFile, "example.com")
+	assertTestFailed(t, out, err, "options for paths to the credential file and to the Docker-compatible credential file can not be set simultaneously")
+}
--- a/cmd/skopeo/logout_test.go
+++ b/cmd/skopeo/logout_test.go
@@ -0,0 +1,25 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestLogout(t *testing.T) {
+	dir := t.TempDir()
+	authFile := filepath.Join(dir, "auth.json")
+	compatAuthFile := filepath.Join(dir, "config.json")
+
+	// Just a trivial smoke-test exercising one error-handling path.
+	// We can’t test full operation without a registry, unit tests should mostly
+	// exist in c/common/pkg/auth, not here.
+	err := os.WriteFile(authFile, []byte("{}"), 0o700)
+	require.NoError(t, err)
+	err = os.WriteFile(compatAuthFile, []byte("{}"), 0o700)
+	require.NoError(t, err)
+	out, err := runSkopeo("logout", "--authfile", authFile, "--compat-auth-file", compatAuthFile, "example.com")
+	assertTestFailed(t, out, err, "options for paths to the credential file and to the Docker-compatible credential file can not be set simultaneously")
+}
--- a/cmd/skopeo/main.go
+++ b/cmd/skopeo/main.go
@@ -55,19 +55,14 @@ func createApp() (*cobra.Command, *globalOptions) {
 	opts := globalOptions{}

 	rootCommand := &cobra.Command{
-		Use:  "skopeo",
-		Long: "Various operations with container images and container image registries",
-		RunE: requireSubcommand,
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return opts.before(cmd)
-		},
-		SilenceUsage:  true,
-		SilenceErrors: true,
-		// Currently, skopeo uses manually written completions.  Cobra allows
-		// for auto-generating completions for various shells.  Podman is
-		// already making us of that.  If Skopeo decides to follow, please
-		// remove the line below (and hide the `completion` command).
-		CompletionOptions: cobra.CompletionOptions{DisableDefaultCmd: true},
+		Use:               "skopeo",
+		Long:              "Various operations with container images and container image registries",
+		RunE:              requireSubcommand,
+		PersistentPreRunE: opts.before,
+		SilenceUsage:      true,
+		SilenceErrors:     true,
+		// Hide the completion command which is provided by cobra
+		CompletionOptions: cobra.CompletionOptions{HiddenDefaultCmd: true},
 		// This is documented to parse "local" (non-PersistentFlags) flags of parent commands before
 		// running subcommands and handling their options. We don't really run into such cases,
 		// because all of our flags on rootCommand are in PersistentFlags, except for the deprecated --tls-verify;
@@ -101,6 +96,7 @@ func createApp() (*cobra.Command, *globalOptions) {
 	rootCommand.AddCommand(
 		copyCmd(&opts),
 		deleteCmd(&opts),
+		generateSigstoreKeyCmd(),
 		inspectCmd(&opts),
 		layersCmd(&opts),
 		loginCmd(&opts),
@@ -117,7 +113,7 @@ func createApp() (*cobra.Command, *globalOptions) {
 }

 // before is run by the cli package for any command, before running the command-specific handler.
-func (opts *globalOptions) before(cmd *cobra.Command) error {
+func (opts *globalOptions) before(cmd *cobra.Command, args []string) error {
 	if opts.debug {
 		logrus.SetLevel(logrus.DebugLevel)
 	}
--- a/cmd/skopeo/manifest.go
+++ b/cmd/skopeo/manifest.go
@@ -4,7 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"

 	"github.com/containers/image/v5/manifest"
 	"github.com/spf13/cobra"
@@ -31,7 +31,7 @@ func (opts *manifestDigestOptions) run(args []string, stdout io.Writer) error {
 	}
 	manifestPath := args[0]

-	man, err := ioutil.ReadFile(manifestPath)
+	man, err := os.ReadFile(manifestPath)
 	if err != nil {
 		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
 	}
--- a/cmd/skopeo/proxy.go
+++ b/cmd/skopeo/proxy.go
@@ -73,11 +73,16 @@ import (

 	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
+	ocilayout "github.com/containers/image/v5/oci/layout"
 	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
+	dockerdistributionerrcode "github.com/docker/distribution/registry/api/errcode"
+	dockerdistributionapi "github.com/docker/distribution/registry/api/v2"
 	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )

@@ -88,7 +93,10 @@ import (
 // 0.2.1: Initial version
 // 0.2.2: Added support for fetching image configuration as OCI
 // 0.2.3: Added GetFullConfig
-const protocolVersion = "0.2.3"
+// 0.2.4: Added OpenImageOptional
+// 0.2.5: Added LayerInfoJSON
+// 0.2.6: Policy Verification before pulling OCI
+const protocolVersion = "0.2.6"

 // maxMsgSize is the current limit on a packet size.
 // Note that all non-metadata (i.e. payload data) is sent over a pipe.
@@ -98,14 +106,17 @@ const maxMsgSize = 32 * 1024
 // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER
 // We hard error if the input JSON numbers we expect to be
 // integers are above this.
-const maxJSONFloat = float64(1<<53 - 1)
+const maxJSONFloat = float64(uint64(1)<<53 - 1)
+
+// sentinelImageID represents "image not found" on the wire
+const sentinelImageID = 0

 // request is the JSON serialization of a function call
 type request struct {
 	// Method is the name of the function
 	Method string `json:"method"`
 	// Args is the arguments (parsed inside the function)
-	Args []interface{} `json:"args"`
+	Args []any `json:"args"`
 }

 // reply is serialized to JSON as the return value from a function call.
@@ -113,7 +124,7 @@ type reply struct {
 	// Success is true if and only if the call succeeded.
 	Success bool `json:"success"`
 	// Value is an arbitrary value (or values, as array/map) returned from the call.
-	Value interface{} `json:"value"`
+	Value any `json:"value"`
 	// PipeID is an index into open pipes, and should be passed to FinishPipe
 	PipeID uint32 `json:"pipeid"`
 	// Error should be non-empty if Success == false
@@ -123,7 +134,7 @@ type reply struct {
 // replyBuf is our internal deserialization of reply plus optional fd
 type replyBuf struct {
 	// value will be converted to a reply Value
-	value interface{}
+	value any
 	// fd is the read half of a pipe, passed back to the client
 	fd *os.File
 	// pipeid will be provided to the client as PipeID, an index into our open pipes
@@ -144,7 +155,7 @@ type activePipe struct {
 // openImage is an opened image reference
 type openImage struct {
 	// id is an opaque integer handle
-	id        uint32
+	id        uint64
 	src       types.ImageSource
 	cachedimg types.Image
 }
@@ -159,15 +170,23 @@ type proxyHandler struct {
 	cache  types.BlobInfoCache

 	// imageSerial is a counter for open images
-	imageSerial uint32
+	imageSerial uint64
 	// images holds our opened images
-	images map[uint32]*openImage
+	images map[uint64]*openImage
 	// activePipes maps from "pipeid" to a pipe + goroutine pair
 	activePipes map[uint32]*activePipe
 }

+// convertedLayerInfo is the reduced form of the OCI type BlobInfo
+// Used in the return value of GetLayerInfo
+type convertedLayerInfo struct {
+	Digest    digest.Digest `json:"digest"`
+	Size      int64         `json:"size"`
+	MediaType string        `json:"media_type"`
+}
+
 // Initialize performs one-time initialization, and returns the protocol version
-func (h *proxyHandler) Initialize(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) Initialize(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -196,7 +215,30 @@ func (h *proxyHandler) Initialize(args []interface{}) (replyBuf, error) {

 // OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
 // The return value is an opaque integer handle.
-func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) OpenImage(args []any) (replyBuf, error) {
+	return h.openImageImpl(args, false)
+}
+
+// isDockerManifestUnknownError is a copy of code from containers/image,
+// please update there first.
+func isDockerManifestUnknownError(err error) bool {
+	var ec dockerdistributionerrcode.ErrorCoder
+	if !errors.As(err, &ec) {
+		return false
+	}
+	return ec.ErrorCode() == dockerdistributionapi.ErrorCodeManifestUnknown
+}
+
+// isNotFoundImageError heuristically attempts to determine whether an error
+// is saying the remote source couldn't find the image (as opposed to an
+// authentication error, an I/O error etc.)
+// TODO drive this into containers/image properly
+func isNotFoundImageError(err error) bool {
+	return isDockerManifestUnknownError(err) ||
+		errors.Is(err, ocilayout.ImageNotFoundError{})
+}
+
+func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (retReplyBuf replyBuf, retErr error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()
 	var ret replyBuf
@@ -218,9 +260,34 @@ func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
 	}
 	imgsrc, err := imgRef.NewImageSource(context.Background(), h.sysctx)
 	if err != nil {
+		if allowNotFound && isNotFoundImageError(err) {
+			ret.value = sentinelImageID
+			return ret, nil
+		}
 		return ret, err
 	}

+	policyContext, err := h.opts.global.getPolicyContext()
+	if err != nil {
+		return ret, err
+	}
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()
+
+	unparsedTopLevel := image.UnparsedInstance(imgsrc, nil)
+	allowed, err := policyContext.IsRunningImageAllowed(context.Background(), unparsedTopLevel)
+	if err != nil {
+		return ret, err
+	}
+	if !allowed {
+		return ret, fmt.Errorf("internal inconsistency: policy verification failed without returning an error")
+	}
+
+	// Note that we never return zero as an imageid; this code doesn't yet
+	// handle overflow though.
 	h.imageSerial++
 	openimg := &openImage{
 		id:  h.imageSerial,
@@ -232,7 +299,14 @@ func (h *proxyHandler) OpenImage(args []interface{}) (replyBuf, error) {
 	return ret, nil
 }

-func (h *proxyHandler) CloseImage(args []interface{}) (replyBuf, error) {
+// OpenImage accepts a string image reference i.e. TRANSPORT:REF - like `skopeo copy`.
+// The return value is an opaque integer handle.  If the image does not exist, zero
+// is returned.
+func (h *proxyHandler) OpenImageOptional(args []any) (replyBuf, error) {
+	return h.openImageImpl(args, true)
+}
+
+func (h *proxyHandler) CloseImage(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()
 	var ret replyBuf
@@ -253,16 +327,8 @@ func (h *proxyHandler) CloseImage(args []interface{}) (replyBuf, error) {
 	return ret, nil
 }

-func parseImageID(v interface{}) (uint32, error) {
-	imgidf, ok := v.(float64)
-	if !ok {
-		return 0, fmt.Errorf("expecting integer imageid, not %T", v)
-	}
-	return uint32(imgidf), nil
-}
-
 // parseUint64 validates that a number fits inside a JavaScript safe integer
-func parseUint64(v interface{}) (uint64, error) {
+func parseUint64(v any) (uint64, error) {
 	f, ok := v.(float64)
 	if !ok {
 		return 0, fmt.Errorf("expecting numeric, not %T", v)
@@ -273,11 +339,14 @@ func parseUint64(v interface{}) (uint64, error) {
 	return uint64(f), nil
 }

-func (h *proxyHandler) parseImageFromID(v interface{}) (*openImage, error) {
-	imgid, err := parseImageID(v)
+func (h *proxyHandler) parseImageFromID(v any) (*openImage, error) {
+	imgid, err := parseUint64(v)
 	if err != nil {
 		return nil, err
 	}
+	if imgid == sentinelImageID {
+		return nil, fmt.Errorf("Invalid imageid value of zero")
+	}
 	imgref, ok := h.images[imgid]
 	if !ok {
 		return nil, fmt.Errorf("no image %v", imgid)
@@ -300,7 +369,7 @@ func (h *proxyHandler) allocPipe() (*os.File, *activePipe, error) {

 // returnBytes generates a return pipe() from a byte array
 // In the future it might be nicer to return this via memfd_create()
-func (h *proxyHandler) returnBytes(retval interface{}, buf []byte) (replyBuf, error) {
+func (h *proxyHandler) returnBytes(retval any, buf []byte) (replyBuf, error) {
 	var ret replyBuf
 	piper, f, err := h.allocPipe()
 	if err != nil {
@@ -362,7 +431,7 @@ func (h *proxyHandler) cacheTargetManifest(img *openImage) error {

 // GetManifest returns a copy of the manifest, converted to OCI format, along with the original digest.
 // Manifest lists are resolved to the current operating system and architecture.
-func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) GetManifest(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -433,7 +502,7 @@ func (h *proxyHandler) GetManifest(args []interface{}) (replyBuf, error) {

 // GetFullConfig returns a copy of the image configuration, converted to OCI format.
 // https://github.com/opencontainers/image-spec/blob/main/config.md
-func (h *proxyHandler) GetFullConfig(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) GetFullConfig(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -470,7 +539,7 @@ func (h *proxyHandler) GetFullConfig(args []interface{}) (replyBuf, error) {
 // GetConfig returns a copy of the container runtime configuration, converted to OCI format.
 // Note that due to a historical mistake, this returns not the full image configuration,
 // but just the container runtime configuration.  You should use GetFullConfig instead.
-func (h *proxyHandler) GetConfig(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) GetConfig(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -505,7 +574,7 @@ func (h *proxyHandler) GetConfig(args []interface{}) (replyBuf, error) {
 }

 // GetBlob fetches a blob, performing digest verification.
-func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) GetBlob(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -542,10 +611,12 @@ func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {

 	piper, f, err := h.allocPipe()
 	if err != nil {
+		blobr.Close()
 		return ret, err
 	}
 	go func() {
 		// Signal completion when we return
+		defer blobr.Close()
 		defer f.wg.Done()
 		verifier := d.Verifier()
 		tr := io.TeeReader(blobr, verifier)
@@ -568,8 +639,58 @@ func (h *proxyHandler) GetBlob(args []interface{}) (replyBuf, error) {
 	return ret, nil
 }

+// GetLayerInfo returns data about the layers of an image, useful for reading the layer contents.
+//
+// This needs to be called since the data returned by GetManifest() does not allow to correctly
+// calling GetBlob() for the containers-storage: transport (which doesn’t store the original compressed
+// representations referenced in the manifest).
+func (h *proxyHandler) GetLayerInfo(args []any) (replyBuf, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+
+	var ret replyBuf
+
+	if h.sysctx == nil {
+		return ret, fmt.Errorf("client error: must invoke Initialize")
+	}
+
+	if len(args) != 1 {
+		return ret, fmt.Errorf("found %d args, expecting (imgid)", len(args))
+	}
+
+	imgref, err := h.parseImageFromID(args[0])
+	if err != nil {
+		return ret, err
+	}
+
+	ctx := context.TODO()
+
+	err = h.cacheTargetManifest(imgref)
+	if err != nil {
+		return ret, err
+	}
+	img := imgref.cachedimg
+
+	layerInfos, err := img.LayerInfosForCopy(ctx)
+	if err != nil {
+		return ret, err
+	}
+
+	if layerInfos == nil {
+		layerInfos = img.LayerInfos()
+	}
+
+	layers := make([]convertedLayerInfo, 0, len(layerInfos))
+	for _, layer := range layerInfos {
+		layers = append(layers, convertedLayerInfo{layer.Digest, layer.Size, layer.MediaType})
+	}
+
+	ret.value = layers
+	return ret, nil
+}
+
 // FinishPipe waits for the worker goroutine to finish, and closes the write side of the pipe.
-func (h *proxyHandler) FinishPipe(args []interface{}) (replyBuf, error) {
+func (h *proxyHandler) FinishPipe(args []any) (replyBuf, error) {
 	h.lock.Lock()
 	defer h.lock.Unlock()

@@ -596,6 +717,17 @@ func (h *proxyHandler) FinishPipe(args []interface{}) (replyBuf, error) {
 	return ret, err
 }

+// close releases all resources associated with this proxy backend
+func (h *proxyHandler) close() {
+	for _, image := range h.images {
+		err := image.src.Close()
+		if err != nil {
+			// This shouldn't be fatal
+			logrus.Warnf("Failed to close image %s: %v", transports.ImageName(image.cachedimg.Reference()), err)
+		}
+	}
+}
+
 // send writes a reply buffer to the socket
 func (buf replyBuf) send(conn *net.UnixConn, err error) error {
 	replyToSerialize := reply{
@@ -664,13 +796,22 @@ func proxyCmd(global *globalOptions) *cobra.Command {
 // processRequest dispatches a remote request.
 // replyBuf is the result of the invocation.
 // terminate should be true if processing of requests should halt.
-func (h *proxyHandler) processRequest(req request) (rb replyBuf, terminate bool, err error) {
+func (h *proxyHandler) processRequest(readBytes []byte) (rb replyBuf, terminate bool, err error) {
+	var req request
+
+	// Parse the request JSON
+	if err = json.Unmarshal(readBytes, &req); err != nil {
+		err = fmt.Errorf("invalid request: %v", err)
+		return
+	}
 	// Dispatch on the method
 	switch req.Method {
 	case "Initialize":
 		rb, err = h.Initialize(req.Args)
 	case "OpenImage":
 		rb, err = h.OpenImage(req.Args)
+	case "OpenImageOptional":
+		rb, err = h.OpenImageOptional(req.Args)
 	case "CloseImage":
 		rb, err = h.CloseImage(req.Args)
 	case "GetManifest":
@@ -681,10 +822,14 @@ func (h *proxyHandler) processRequest(req request) (rb replyBuf, terminate bool,
 		rb, err = h.GetFullConfig(req.Args)
 	case "GetBlob":
 		rb, err = h.GetBlob(req.Args)
+	case "GetLayerInfo":
+		rb, err = h.GetLayerInfo(req.Args)
 	case "FinishPipe":
 		rb, err = h.FinishPipe(req.Args)
 	case "Shutdown":
 		terminate = true
+	// NOTE: If you add a method here, you should very likely be bumping the
+	// const protocolVersion above.
 	default:
 		err = fmt.Errorf("unknown method: %s", req.Method)
 	}
@@ -695,9 +840,10 @@ func (h *proxyHandler) processRequest(req request) (rb replyBuf, terminate bool,
 func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
 	handler := &proxyHandler{
 		opts:        opts,
-		images:      make(map[uint32]*openImage),
+		images:      make(map[uint64]*openImage),
 		activePipes: make(map[uint32]*activePipe),
 	}
+	defer handler.close()

 	// Convert the socket FD passed by client into a net.FileConn
 	fd := os.NewFile(uintptr(opts.sockFd), "sock")
@@ -717,18 +863,15 @@ func (opts *proxyOptions) run(args []string, stdout io.Writer) error {
 			}
 			return fmt.Errorf("reading socket: %v", err)
 		}
-		// Parse the request JSON
 		readbuf := buf[0:n]
-		var req request
-		if err := json.Unmarshal(readbuf, &req); err != nil {
-			rb := replyBuf{}
-			rb.send(conn, fmt.Errorf("invalid request: %v", err))
-		}

-		rb, terminate, err := handler.processRequest(req)
+		rb, terminate, err := handler.processRequest(readbuf)
 		if terminate {
 			return nil
 		}
-		rb.send(conn, err)
+
+		if err := rb.send(conn, err); err != nil {
+			return fmt.Errorf("writing to socket: %w", err)
+		}
 	}
 }
--- a/cmd/skopeo/signing.go
+++ b/cmd/skopeo/signing.go
@@ -5,7 +5,8 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"os"
+	"strings"

 	"github.com/containers/image/v5/pkg/cli"
 	"github.com/containers/image/v5/signature"
@@ -39,14 +40,14 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {
 	dockerReference := args[1]
 	fingerprint := args[2]

-	manifest, err := ioutil.ReadFile(manifestPath)
+	manifest, err := os.ReadFile(manifestPath)
 	if err != nil {
-		return fmt.Errorf("Error reading %s: %v", manifestPath, err)
+		return fmt.Errorf("Error reading %s: %w", manifestPath, err)
 	}

 	mech, err := signature.NewGPGSigningMechanism()
 	if err != nil {
-		return fmt.Errorf("Error initializing GPG: %v", err)
+		return fmt.Errorf("Error initializing GPG: %w", err)
 	}
 	defer mech.Close()

@@ -57,25 +58,31 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {

 	signature, err := signature.SignDockerManifestWithOptions(manifest, dockerReference, mech, fingerprint, &signature.SignOptions{Passphrase: passphrase})
 	if err != nil {
-		return fmt.Errorf("Error creating signature: %v", err)
+		return fmt.Errorf("Error creating signature: %w", err)
 	}

-	if err := ioutil.WriteFile(opts.output, signature, 0644); err != nil {
-		return fmt.Errorf("Error writing signature to %s: %v", opts.output, err)
+	if err := os.WriteFile(opts.output, signature, 0644); err != nil {
+		return fmt.Errorf("Error writing signature to %s: %w", opts.output, err)
 	}
 	return nil
 }

 type standaloneVerifyOptions struct {
+	publicKeyFile string
 }

 func standaloneVerifyCmd() *cobra.Command {
 	opts := standaloneVerifyOptions{}
 	cmd := &cobra.Command{
-		Use:   "standalone-verify MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT SIGNATURE",
+		Use:   "standalone-verify MANIFEST DOCKER-REFERENCE KEY-FINGERPRINTS SIGNATURE",
 		Short: "Verify a signature using local files",
-		RunE:  commandAction(opts.run),
+		Long: `Verify a signature using local files
+
+KEY-FINGERPRINTS can be a comma separated list of fingerprints, or "any" if you trust all the keys in the public key file.`,
+		RunE: commandAction(opts.run),
 	}
+	flags := cmd.Flags()
+	flags.StringVar(&opts.publicKeyFile, "public-key-file", "", `File containing public keys. If not specified, will use local GPG keys.`)
 	adjustUsage(cmd)
 	return cmd
 }
@@ -86,29 +93,51 @@ func (opts *standaloneVerifyOptions) run(args []string, stdout io.Writer) error
 	}
 	manifestPath := args[0]
 	expectedDockerReference := args[1]
-	expectedFingerprint := args[2]
+	expectedFingerprints := strings.Split(args[2], ",")
 	signaturePath := args[3]

-	unverifiedManifest, err := ioutil.ReadFile(manifestPath)
-	if err != nil {
-		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+	if opts.publicKeyFile == "" && len(expectedFingerprints) == 1 && expectedFingerprints[0] == "any" {
+		return fmt.Errorf("Cannot use any fingerprint without a public key file")
 	}
-	unverifiedSignature, err := ioutil.ReadFile(signaturePath)
+	unverifiedManifest, err := os.ReadFile(manifestPath)
 	if err != nil {
-		return fmt.Errorf("Error reading signature from %s: %v", signaturePath, err)
+		return fmt.Errorf("Error reading manifest from %s: %w", manifestPath, err)
+	}
+	unverifiedSignature, err := os.ReadFile(signaturePath)
+	if err != nil {
+		return fmt.Errorf("Error reading signature from %s: %w", signaturePath, err)
 	}

-	mech, err := signature.NewGPGSigningMechanism()
-	if err != nil {
-		return fmt.Errorf("Error initializing GPG: %v", err)
+	var mech signature.SigningMechanism
+	var publicKeyfingerprints []string
+	if opts.publicKeyFile != "" {
+		publicKeys, err := os.ReadFile(opts.publicKeyFile)
+		if err != nil {
+			return fmt.Errorf("Error reading public keys from %s: %w", opts.publicKeyFile, err)
+		}
+		mech, publicKeyfingerprints, err = signature.NewEphemeralGPGSigningMechanism(publicKeys)
+		if err != nil {
+			return fmt.Errorf("Error initializing GPG: %w", err)
+
+		}
+	} else {
+		mech, err = signature.NewGPGSigningMechanism()
+		if err != nil {
+			return fmt.Errorf("Error initializing GPG: %w", err)
+		}
 	}
 	defer mech.Close()
-	sig, err := signature.VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprint)
-	if err != nil {
-		return fmt.Errorf("Error verifying signature: %v", err)
+
+	if len(expectedFingerprints) == 1 && expectedFingerprints[0] == "any" {
+		expectedFingerprints = publicKeyfingerprints
 	}

-	fmt.Fprintf(stdout, "Signature verified, digest %s\n", sig.DockerManifestDigest)
+	sig, verificationFingerprint, err := signature.VerifyImageManifestSignatureUsingKeyIdentityList(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprints)
+	if err != nil {
+		return fmt.Errorf("Error verifying signature: %w", err)
+	}
+
+	fmt.Fprintf(stdout, "Signature verified using fingerprint %s, digest %s\n", verificationFingerprint, sig.DockerManifestDigest)
 	return nil
 }

@@ -139,9 +168,9 @@ func (opts *untrustedSignatureDumpOptions) run(args []string, stdout io.Writer)
 	}
 	untrustedSignaturePath := args[0]

-	untrustedSignature, err := ioutil.ReadFile(untrustedSignaturePath)
+	untrustedSignature, err := os.ReadFile(untrustedSignaturePath)
 	if err != nil {
-		return fmt.Errorf("Error reading untrusted signature from %s: %v", untrustedSignaturePath, err)
+		return fmt.Errorf("Error reading untrusted signature from %s: %w", untrustedSignaturePath, err)
 	}

 	untrustedInfo, err := signature.GetUntrustedSignatureInformationWithoutVerifying(untrustedSignature)
--- a/cmd/skopeo/signing_test.go
+++ b/cmd/skopeo/signing_test.go
@@ -2,7 +2,6 @@ package main

 import (
 	"encoding/json"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -25,9 +24,8 @@ const (
 // Test that results of runSkopeo failed with nothing on stdout, and substring
 // within the error message.
 func assertTestFailed(t *testing.T, stdout string, err error, substring string) {
-	assert.Error(t, err)
+	assert.ErrorContains(t, err, substring)
 	assert.Empty(t, stdout)
-	assert.Contains(t, err.Error(), substring)
 }

 func TestStandaloneSign(t *testing.T) {
@@ -40,8 +38,7 @@ func TestStandaloneSign(t *testing.T) {

 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/manifest"
-	os.Setenv("GNUPGHOME", "fixtures")
-	defer os.Unsetenv("GNUPGHOME")
+	t.Setenv("GNUPGHOME", "fixtures")

 	// Invalid command-line arguments
 	for _, args := range [][]string{
@@ -78,7 +75,7 @@ func TestStandaloneSign(t *testing.T) {
 	assertTestFailed(t, out, err, "/dev/full")

 	// Success
-	sigOutput, err := ioutil.TempFile("", "sig")
+	sigOutput, err := os.CreateTemp("", "sig")
 	require.NoError(t, err)
 	defer os.Remove(sigOutput.Name())
 	out, err = runSkopeo("standalone-sign", "-o", sigOutput.Name(),
@@ -86,9 +83,9 @@ func TestStandaloneSign(t *testing.T) {
 	require.NoError(t, err)
 	assert.Empty(t, out)

-	sig, err := ioutil.ReadFile(sigOutput.Name())
+	sig, err := os.ReadFile(sigOutput.Name())
 	require.NoError(t, err)
-	manifest, err := ioutil.ReadFile(manifestPath)
+	manifest, err := os.ReadFile(manifestPath)
 	require.NoError(t, err)
 	mech, err = signature.NewGPGSigningMechanism()
 	require.NoError(t, err)
@@ -103,8 +100,7 @@ func TestStandaloneVerify(t *testing.T) {
 	manifestPath := "fixtures/image.manifest.json"
 	signaturePath := "fixtures/image.signature"
 	dockerReference := "testing/manifest"
-	os.Setenv("GNUPGHOME", "fixtures")
-	defer os.Unsetenv("GNUPGHOME")
+	t.Setenv("GNUPGHOME", "fixtures")

 	// Invalid command-line arguments
 	for _, args := range [][]string{
@@ -131,11 +127,36 @@ func TestStandaloneVerify(t *testing.T) {
 		dockerReference, fixturesTestKeyFingerprint, "fixtures/corrupt.signature")
 	assertTestFailed(t, out, err, "Error verifying signature")

+	// Error using any without a public key file
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, "any", signaturePath)
+	assertTestFailed(t, out, err, "Cannot use any fingerprint without a public key file")
+
 	// Success
 	out, err = runSkopeo("standalone-verify", manifestPath,
 		dockerReference, fixturesTestKeyFingerprint, signaturePath)
 	assert.NoError(t, err)
-	assert.Equal(t, "Signature verified, digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+
+	// Using multiple fingerprints
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, "0123456789ABCDEF0123456789ABCDEF01234567,"+fixturesTestKeyFingerprint+",DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF", signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+
+	// Using a public key file
+	t.Setenv("GNUPGHOME", "")
+	out, err = runSkopeo("standalone-verify", "--public-key-file", "fixtures/pubring.gpg", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+
+	// Using a public key file matching any public key
+	t.Setenv("GNUPGHOME", "")
+	out, err = runSkopeo("standalone-verify", "--public-key-file", "fixtures/pubring.gpg", manifestPath,
+		dockerReference, "any", signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified using fingerprint "+fixturesTestKeyFingerprint+", digest "+fixturesTestImageManifestDigest.String()+"\n", out)
 }

 func TestUntrustedSignatureDump(t *testing.T) {
--- a/cmd/skopeo/sync.go
+++ b/cmd/skopeo/sync.go
@@ -2,15 +2,17 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
 	"regexp"
 	"strings"

+	"github.com/Masterminds/semver/v3"
 	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
 	"github.com/containers/image/v5/copy"
@@ -18,32 +20,38 @@ import (
 	"github.com/containers/image/v5/docker"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/pkg/cli"
+	"github.com/containers/image/v5/pkg/cli/sigstore"
+	"github.com/containers/image/v5/signature/signer"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"gopkg.in/yaml.v2"
+	"golang.org/x/exp/slices"
+	"gopkg.in/yaml.v3"
 )

 // syncOptions contains information retrieved from the skopeo sync command line.
 type syncOptions struct {
-	global              *globalOptions // Global (not command dependent) skopeo options
-	deprecatedTLSVerify *deprecatedTLSVerifyOption
-	srcImage            *imageOptions     // Source image options
-	destImage           *imageDestOptions // Destination image options
-	retryOpts           *retry.RetryOptions
-	removeSignatures    bool                      // Do not copy signatures from the source image
-	signByFingerprint   string                    // Sign the image using a GPG key with the specified fingerprint
-	signPassphraseFile  string                    // Path pointing to a passphrase file when signing
-	format              commonFlag.OptionalString // Force conversion of the image to a specified format
-	source              string                    // Source repository name
-	destination         string                    // Destination registry name
-	scoped              bool                      // When true, namespace copied images at destination using the source repository name
-	all                 bool                      // Copy all of the images if an image in the source is a list
-	preserveDigests     bool                      // Preserve digests during sync
-	keepGoing           bool                      // Whether or not to abort the sync if there are any errors during syncing the images
+	global                   *globalOptions // Global (not command dependent) skopeo options
+	deprecatedTLSVerify      *deprecatedTLSVerifyOption
+	srcImage                 *imageOptions     // Source image options
+	destImage                *imageDestOptions // Destination image options
+	retryOpts                *retry.Options
+	removeSignatures         bool                      // Do not copy signatures from the source image
+	signByFingerprint        string                    // Sign the image using a GPG key with the specified fingerprint
+	signBySigstoreParamFile  string                    // Sign the image using a sigstore signature per configuration in a param file
+	signBySigstorePrivateKey string                    // Sign the image using a sigstore private key
+	signPassphraseFile       string                    // Path pointing to a passphrase file when signing
+	format                   commonFlag.OptionalString // Force conversion of the image to a specified format
+	source                   string                    // Source repository name
+	destination              string                    // Destination registry name
+	scoped                   bool                      // When true, namespace copied images at destination using the source repository name
+	all                      bool                      // Copy all of the images if an image in the source is a list
+	dryRun                   bool                      // Don't actually copy anything, just output what it would have done
+	preserveDigests          bool                      // Preserve digests during sync
+	keepGoing                bool                      // Whether or not to abort the sync if there are any errors during syncing the images
+	appendSuffix             string                    // Suffix to append to destination image tag
 }

 // repoDescriptor contains information of a single repository used as a sync source.
@@ -64,6 +72,7 @@ type tlsVerifyConfig struct {
 type registrySyncConfig struct {
 	Images           map[string][]string    // Images map images name to slices with the images' references (tags, digests)
 	ImagesByTagRegex map[string]string      `yaml:"images-by-tag-regex"` // Images map images name to regular expression with the images' tags
+	ImagesBySemver   map[string]string      `yaml:"images-by-semver"`    // ImagesBySemver maps a repository to a semver constraint (e.g. '>=3.14') to match images' tags to
 	Credentials      types.DockerAuthConfig // Username and password used to authenticate with the registry
 	TLSVerify        tlsVerifyConfig        `yaml:"tls-verify"` // TLS verification mode (enabled by default)
 	CertDir          string                 `yaml:"cert-dir"`   // Path to the TLS certificates of the registry
@@ -104,12 +113,16 @@ See skopeo-sync(1) for details.
 	flags := cmd.Flags()
 	flags.BoolVar(&opts.removeSignatures, "remove-signatures", false, "Do not copy signatures from SOURCE images")
 	flags.StringVar(&opts.signByFingerprint, "sign-by", "", "Sign the image using a GPG key with the specified `FINGERPRINT`")
+	flags.StringVar(&opts.signBySigstoreParamFile, "sign-by-sigstore", "", "Sign the image using a sigstore parameter file at `PATH`")
+	flags.StringVar(&opts.signBySigstorePrivateKey, "sign-by-sigstore-private-key", "", "Sign the image using a sigstore private key at `PATH`")
 	flags.StringVar(&opts.signPassphraseFile, "sign-passphrase-file", "", "File that contains a passphrase for the --sign-by key")
 	flags.VarP(commonFlag.NewOptionalStringValue(&opts.format), "format", "f", `MANIFEST TYPE (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest type of source, with fallbacks)`)
 	flags.StringVarP(&opts.source, "src", "s", "", "SOURCE transport type")
 	flags.StringVarP(&opts.destination, "dest", "d", "", "DESTINATION transport type")
 	flags.BoolVar(&opts.scoped, "scoped", false, "Images at DESTINATION are prefix using the full source image path as scope")
+	flags.StringVar(&opts.appendSuffix, "append-suffix", "", "String to append to DESTINATION tags")
 	flags.BoolVarP(&opts.all, "all", "a", false, "Copy all images if SOURCE-IMAGE is a list")
+	flags.BoolVar(&opts.dryRun, "dry-run", false, "Run without actually copying data")
 	flags.BoolVar(&opts.preserveDigests, "preserve-digests", false, "Preserve digests of images and lists")
 	flags.BoolVarP(&opts.keepGoing, "keep-going", "", false, "Do not abort the sync if any image copy fails")
 	flags.AddFlagSet(&sharedFlags)
@@ -121,12 +134,12 @@ See skopeo-sync(1) for details.
 }

 // UnmarshalYAML is the implementation of the Unmarshaler interface method
-// method for the tlsVerifyConfig type.
+// for the tlsVerifyConfig type.
 // It unmarshals the 'tls-verify' YAML key so that, when they key is not
 // specified, tls verification is enforced.
-func (tls *tlsVerifyConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+func (tls *tlsVerifyConfig) UnmarshalYAML(value *yaml.Node) error {
 	var verify bool
-	if err := unmarshal(&verify); err != nil {
+	if err := value.Decode(&verify); err != nil {
 		return err
 	}

@@ -138,13 +151,13 @@ func (tls *tlsVerifyConfig) UnmarshalYAML(unmarshal func(interface{}) error) err
 // It returns a new unmarshaled sourceConfig object and any error encountered.
 func newSourceConfig(yamlFile string) (sourceConfig, error) {
 	var cfg sourceConfig
-	source, err := ioutil.ReadFile(yamlFile)
+	source, err := os.ReadFile(yamlFile)
 	if err != nil {
 		return cfg, err
 	}
 	err = yaml.Unmarshal(source, &cfg)
 	if err != nil {
-		return cfg, errors.Wrapf(err, "Failed to unmarshal %q", yamlFile)
+		return cfg, fmt.Errorf("Failed to unmarshal %q: %w", yamlFile, err)
 	}
 	return cfg, nil
 }
@@ -156,7 +169,7 @@ func parseRepositoryReference(input string) (reference.Named, error) {
 		return nil, err
 	}
 	if !reference.IsNameOnly(ref) {
-		return nil, errors.Errorf("input names a reference, not a repository")
+		return nil, errors.New("input names a reference, not a repository")
 	}
 	return ref, nil
 }
@@ -174,24 +187,24 @@ func destinationReference(destination string, transport string) (types.ImageRefe
 	case directory.Transport.Name():
 		_, err := os.Stat(destination)
 		if err == nil {
-			return nil, errors.Errorf("Refusing to overwrite destination directory %q", destination)
+			return nil, fmt.Errorf("Refusing to overwrite destination directory %q", destination)
 		}
 		if !os.IsNotExist(err) {
-			return nil, errors.Wrap(err, "Destination directory could not be used")
+			return nil, fmt.Errorf("Destination directory could not be used: %w", err)
 		}
 		// the directory holding the image must be created here
 		if err = os.MkdirAll(destination, 0755); err != nil {
-			return nil, errors.Wrapf(err, "Error creating directory for image %s", destination)
+			return nil, fmt.Errorf("Error creating directory for image %s: %w", destination, err)
 		}
 		imageTransport = directory.Transport
 	default:
-		return nil, errors.Errorf("%q is not a valid destination transport", transport)
+		return nil, fmt.Errorf("%q is not a valid destination transport", transport)
 	}
 	logrus.Debugf("Destination for transport %q: %s", transport, destination)

 	destRef, err := imageTransport.ParseReference(destination)
 	if err != nil {
-		return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", imageTransport.Name(), destination)
+		return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", imageTransport.Name(), destination, err)
 	}

 	return destRef, nil
@@ -211,16 +224,8 @@ func getImageTags(ctx context.Context, sysCtx *types.SystemContext, repoRef refe
 		return nil, err // Should never happen for a reference with tag and no digest
 	}
 	tags, err := docker.GetRepositoryTags(ctx, sysCtx, dockerRef)
-
-	switch err := err.(type) {
-	case nil:
-		break
-	case docker.ErrUnauthorizedForCredentials:
-		// Some registries may decide to block the "list all tags" endpoint.
-		// Gracefully allow the sync to continue in this case.
-		logrus.Warnf("Registry disallows tag list retrieval: %s", err)
-	default:
-		return tags, errors.Wrapf(err, "Error determining repository tags for image %s", name)
+	if err != nil {
+		return nil, fmt.Errorf("Error determining repository tags for repo %s: %w", name, err)
 	}

 	return tags, nil
@@ -240,11 +245,15 @@ func imagesToCopyFromRepo(sys *types.SystemContext, repoRef reference.Named) ([]
 	for _, tag := range tags {
 		taggedRef, err := reference.WithTag(repoRef, tag)
 		if err != nil {
-			return nil, errors.Wrapf(err, "Error creating a reference for repository %s and tag %q", repoRef.Name(), tag)
+			logrus.WithFields(logrus.Fields{
+				"repo": repoRef.Name(),
+				"tag":  tag,
+			}).Errorf("Error creating a tagged reference from registry tag list: %v", err)
+			continue
 		}
 		ref, err := docker.NewReference(taggedRef)
 		if err != nil {
-			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %s", docker.Transport.Name(), taggedRef.String())
+			return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %s: %w", docker.Transport.Name(), taggedRef.String(), err)
 		}
 		sourceReferences = append(sourceReferences, ref)
 	}
@@ -257,15 +266,15 @@ func imagesToCopyFromRepo(sys *types.SystemContext, repoRef reference.Named) ([]
 // and any error encountered.
 func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {
 	var sourceReferences []types.ImageReference
-	err := filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
+	err := filepath.WalkDir(dirPath, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
+		if !d.IsDir() && d.Name() == "manifest.json" {
 			dirname := filepath.Dir(path)
 			ref, err := directory.Transport.ParseReference(dirname)
 			if err != nil {
-				return errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", directory.Transport.Name(), dirname)
+				return fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", directory.Transport.Name(), dirname, err)
 			}
 			sourceReferences = append(sourceReferences, ref)
 			return filepath.SkipDir
@@ -275,7 +284,7 @@ func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {

 	if err != nil {
 		return sourceReferences,
-			errors.Wrapf(err, "Error walking the path %q", dirPath)
+			fmt.Errorf("Error walking the path %q: %w", dirPath, err)
 	}

 	return sourceReferences, nil
@@ -297,6 +306,14 @@ func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourc
 		serverCtx.DockerAuthConfig = &cfg.Credentials
 	}
 	var repoDescList []repoDescriptor
+
+	if len(cfg.Images) == 0 && len(cfg.ImagesByTagRegex) == 0 && len(cfg.ImagesBySemver) == 0 {
+		logrus.WithFields(logrus.Fields{
+			"registry": registryName,
+		}).Warn("No images specified for registry")
+		return repoDescList, nil
+	}
+
 	for imageName, refs := range cfg.Images {
 		repoLogger := logrus.WithFields(logrus.Fields{
 			"repo":     imageName,
@@ -361,63 +378,146 @@ func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourc
 			Context:   serverCtx})
 	}

-	for imageName, tagRegex := range cfg.ImagesByTagRegex {
-		repoLogger := logrus.WithFields(logrus.Fields{
-			"repo":     imageName,
-			"registry": registryName,
-		})
-		repoRef, err := parseRepositoryReference(fmt.Sprintf("%s/%s", registryName, imageName))
+	// include repository descriptors for cfg.ImagesByTagRegex
+	{
+		filterCollection, err := tagRegexFilterCollection(cfg.ImagesByTagRegex)
 		if err != nil {
-			repoLogger.Error("Error parsing repository name, skipping")
 			logrus.Error(err)
-			continue
+		} else {
+			additionalRepoDescList := filterSourceReferences(serverCtx, registryName, filterCollection)
+			repoDescList = append(repoDescList, additionalRepoDescList...)
 		}
+	}

-		repoLogger.Info("Processing repo")
-
-		var sourceReferences []types.ImageReference
-
-		tagReg, err := regexp.Compile(tagRegex)
+	// include repository descriptors for cfg.ImagesBySemver
+	{
+		filterCollection, err := semverFilterCollection(cfg.ImagesBySemver)
 		if err != nil {
-			repoLogger.WithFields(logrus.Fields{
-				"regex": tagRegex,
-			}).Error("Error parsing regex, skipping")
 			logrus.Error(err)
-			continue
+		} else {
+			additionalRepoDescList := filterSourceReferences(serverCtx, registryName, filterCollection)
+			repoDescList = append(repoDescList, additionalRepoDescList...)
 		}
-
-		repoLogger.Info("Querying registry for image tags")
-		allSourceReferences, err := imagesToCopyFromRepo(serverCtx, repoRef)
-		if err != nil {
-			repoLogger.Error("Error processing repo, skipping")
-			logrus.Error(err)
-			continue
-		}
-
-		repoLogger.Infof("Start filtering using the regular expression: %v", tagRegex)
-		for _, sReference := range allSourceReferences {
-			tagged, isTagged := sReference.DockerReference().(reference.Tagged)
-			if !isTagged {
-				repoLogger.Errorf("Internal error, reference %s does not have a tag, skipping", sReference.DockerReference())
-				continue
-			}
-			if tagReg.MatchString(tagged.Tag()) {
-				sourceReferences = append(sourceReferences, sReference)
-			}
-		}
-
-		if len(sourceReferences) == 0 {
-			repoLogger.Warnf("No refs to sync found")
-			continue
-		}
-		repoDescList = append(repoDescList, repoDescriptor{
-			ImageRefs: sourceReferences,
-			Context:   serverCtx})
 	}

 	return repoDescList, nil
 }

+// filterFunc is a function used to limit the initial set of image references
+// using tags, patterns, semver, etc.
+type filterFunc func(*logrus.Entry, types.ImageReference) bool
+
+// filterCollection is a map of repository names to filter functions.
+type filterCollection map[string]filterFunc
+
+// filterSourceReferences lists tags for images specified in the collection and
+// filters them using assigned filter functions.
+// It returns a list of repoDescriptors.
+func filterSourceReferences(sys *types.SystemContext, registryName string, collection filterCollection) []repoDescriptor {
+	var repoDescList []repoDescriptor
+	for repoName, filter := range collection {
+		logger := logrus.WithFields(logrus.Fields{
+			"repo":     repoName,
+			"registry": registryName,
+		})
+
+		repoRef, err := parseRepositoryReference(fmt.Sprintf("%s/%s", registryName, repoName))
+		if err != nil {
+			logger.Error("Error parsing repository name, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		logger.Info("Processing repo")
+
+		var sourceReferences []types.ImageReference
+
+		logger.Info("Querying registry for image tags")
+		sourceReferences, err = imagesToCopyFromRepo(sys, repoRef)
+		if err != nil {
+			logger.Error("Error processing repo, skipping")
+			logrus.Error(err)
+			continue
+		}
+
+		var filteredSourceReferences []types.ImageReference
+		for _, ref := range sourceReferences {
+			if filter(logger, ref) {
+				filteredSourceReferences = append(filteredSourceReferences, ref)
+			}
+		}
+
+		if len(filteredSourceReferences) == 0 {
+			logger.Warnf("No refs to sync found")
+			continue
+		}
+
+		repoDescList = append(repoDescList, repoDescriptor{
+			ImageRefs: filteredSourceReferences,
+			Context:   sys,
+		})
+	}
+	return repoDescList
+}
+
+// tagRegexFilterCollection converts a map of (repository name, tag regex) pairs
+// into a filterCollection, which is a map of (repository name, filter function)
+// pairs.
+func tagRegexFilterCollection(collection map[string]string) (filterCollection, error) {
+	filters := filterCollection{}
+
+	for repoName, tagRegex := range collection {
+		pattern, err := regexp.Compile(tagRegex)
+		if err != nil {
+			return nil, err
+		}
+
+		f := func(logger *logrus.Entry, sourceReference types.ImageReference) bool {
+			tagged, isTagged := sourceReference.DockerReference().(reference.Tagged)
+			if !isTagged {
+				logger.Errorf("Internal error, reference %s does not have a tag, skipping", sourceReference.DockerReference())
+				return false
+			}
+			return pattern.MatchString(tagged.Tag())
+		}
+		filters[repoName] = f
+	}
+
+	return filters, nil
+}
+
+// semverFilterCollection converts a map of (repository name, array of semver constraints) pairs
+// into a filterCollection, which is a map of (repository name, filter function)
+// pairs.
+func semverFilterCollection(collection map[string]string) (filterCollection, error) {
+	filters := filterCollection{}
+
+	for repoName, constraintString := range collection {
+		constraint, err := semver.NewConstraint(constraintString)
+		if err != nil {
+			return nil, err
+		}
+
+		f := func(logger *logrus.Entry, sourceReference types.ImageReference) bool {
+			tagged, isTagged := sourceReference.DockerReference().(reference.Tagged)
+			if !isTagged {
+				logger.Errorf("Internal error, reference %s does not have a tag, skipping", sourceReference.DockerReference())
+				return false
+			}
+			tagVersion, err := semver.NewVersion(tagged.Tag())
+			if err != nil {
+				logger.Tracef("Tag %q cannot be parsed as semver, skipping", tagged.Tag())
+				return false
+			}
+			return constraint.Check(tagVersion)
+		}
+
+		filters[repoName] = f
+	}
+
+	return filters, nil
+}
+
 // imagesToCopy retrieves all the images to copy from a specified sync source
 // and transport.
 // It returns a slice of repository descriptors, where each descriptor is a
@@ -433,7 +533,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		}
 		named, err := reference.ParseNormalizedNamed(source) // May be a repository or an image.
 		if err != nil {
-			return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), source)
+			return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", docker.Transport.Name(), source, err)
 		}
 		imageTagged := !reference.IsNameOnly(named)
 		logrus.WithFields(logrus.Fields{
@@ -443,7 +543,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		if imageTagged {
 			srcRef, err := docker.NewReference(named)
 			if err != nil {
-				return nil, errors.Wrapf(err, "Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), named.String())
+				return nil, fmt.Errorf("Cannot obtain a valid image reference for transport %q and reference %q: %w", docker.Transport.Name(), named.String(), err)
 			}
 			desc.ImageRefs = []types.ImageReference{srcRef}
 		} else {
@@ -452,7 +552,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 				return descriptors, err
 			}
 			if len(desc.ImageRefs) == 0 {
-				return descriptors, errors.Errorf("No images to sync found in %q", source)
+				return descriptors, fmt.Errorf("No images to sync found in %q", source)
 			}
 		}
 		descriptors = append(descriptors, desc)
@@ -463,7 +563,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 		}

 		if _, err := os.Stat(source); err != nil {
-			return descriptors, errors.Wrap(err, "Invalid source directory specified")
+			return descriptors, fmt.Errorf("Invalid source directory specified: %w", err)
 		}
 		desc.DirBasePath = source
 		var err error
@@ -472,7 +572,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 			return descriptors, err
 		}
 		if len(desc.ImageRefs) == 0 {
-			return descriptors, errors.Errorf("No images to sync found in %q", source)
+			return descriptors, fmt.Errorf("No images to sync found in %q", source)
 		}
 		descriptors = append(descriptors, desc)

@@ -482,16 +582,9 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 			return descriptors, err
 		}
 		for registryName, registryConfig := range cfg {
-			if len(registryConfig.Images) == 0 && len(registryConfig.ImagesByTagRegex) == 0 {
-				logrus.WithFields(logrus.Fields{
-					"registry": registryName,
-				}).Warn("No images specified for registry")
-				continue
-			}
-
 			descs, err := imagesToCopyFromRegistry(registryName, registryConfig, *sourceCtx)
 			if err != nil {
-				return descriptors, errors.Wrapf(err, "Failed to retrieve list of images from registry %q", registryName)
+				return descriptors, fmt.Errorf("Failed to retrieve list of images from registry %q: %w", registryName, err)
 			}
 			descriptors = append(descriptors, descs...)
 		}
@@ -500,7 +593,7 @@ func imagesToCopy(source string, transport string, sourceCtx *types.SystemContex
 	return descriptors, nil
 }

-func (opts *syncOptions) run(args []string, stdout io.Writer) error {
+func (opts *syncOptions) run(args []string, stdout io.Writer) (retErr error) {
 	if len(args) != 2 {
 		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
 	}
@@ -508,38 +601,35 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {

 	policyContext, err := opts.global.getPolicyContext()
 	if err != nil {
-		return errors.Wrapf(err, "Error loading trust policy")
+		return fmt.Errorf("Error loading trust policy: %w", err)
 	}
-	defer policyContext.Destroy()
+	defer func() {
+		if err := policyContext.Destroy(); err != nil {
+			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
+		}
+	}()

 	// validate source and destination options
-	contains := func(val string, list []string) (_ bool) {
-		for _, l := range list {
-			if l == val {
-				return true
-			}
-		}
-		return
-	}
-
 	if len(opts.source) == 0 {
 		return errors.New("A source transport must be specified")
 	}
-	if !contains(opts.source, []string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}) {
-		return errors.Errorf("%q is not a valid source transport", opts.source)
+	if !slices.Contains([]string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}, opts.source) {
+		return fmt.Errorf("%q is not a valid source transport", opts.source)
 	}

 	if len(opts.destination) == 0 {
 		return errors.New("A destination transport must be specified")
 	}
-	if !contains(opts.destination, []string{docker.Transport.Name(), directory.Transport.Name()}) {
-		return errors.Errorf("%q is not a valid destination transport", opts.destination)
+	if !slices.Contains([]string{docker.Transport.Name(), directory.Transport.Name()}, opts.destination) {
+		return fmt.Errorf("%q is not a valid destination transport", opts.destination)
 	}

 	if opts.source == opts.destination && opts.source == directory.Transport.Name() {
 		return errors.New("sync from 'dir' to 'dir' not implemented, consider using rsync instead")
 	}

+	opts.destImage.warnAboutIneffectiveOptions(transports.Get(opts.destination))
+
 	imageListSelection := copy.CopySystemImage
 	if opts.all {
 		imageListSelection = copy.CopyAllImages
@@ -563,7 +653,7 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {

 	sourceArg := args[0]
 	var srcRepoList []repoDescriptor
-	if err = retry.RetryIfNecessary(ctx, func() error {
+	if err = retry.IfNecessary(ctx, func() error {
 		srcRepoList, err = imagesToCopy(sourceArg, opts.source, sourceCtx)
 		return err
 	}, opts.retryOpts); err != nil {
@@ -576,15 +666,51 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 		return err
 	}

-	passphrase, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
-	if err != nil {
-		return err
+	// c/image/copy.Image does allow creating both simple signing and sigstore signatures simultaneously,
+	// with independent passphrases, but that would make the CLI probably too confusing.
+	// For now, use the passphrase with either, but only one of them.
+	if opts.signPassphraseFile != "" && opts.signByFingerprint != "" && opts.signBySigstorePrivateKey != "" {
+		return fmt.Errorf("Only one of --sign-by and sign-by-sigstore-private-key can be used with sign-passphrase-file")
 	}
+	var passphrase string
+	if opts.signPassphraseFile != "" {
+		p, err := cli.ReadPassphraseFile(opts.signPassphraseFile)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	} else if opts.signBySigstorePrivateKey != "" {
+		p, err := promptForPassphrase(opts.signBySigstorePrivateKey, os.Stdin, os.Stdout)
+		if err != nil {
+			return err
+		}
+		passphrase = p
+	}
+
+	var signers []*signer.Signer
+	if opts.signBySigstoreParamFile != "" {
+		signer, err := sigstore.NewSignerFromParameterFile(opts.signBySigstoreParamFile, &sigstore.Options{
+			PrivateKeyPassphrasePrompt: func(keyFile string) (string, error) {
+				return promptForPassphrase(keyFile, os.Stdin, os.Stdout)
+			},
+			Stdin:  os.Stdin,
+			Stdout: stdout,
+		})
+		if err != nil {
+			return fmt.Errorf("Error using --sign-by-sigstore: %w", err)
+		}
+		defer signer.Close()
+		signers = append(signers, signer)
+	}
+
 	options := copy.Options{
 		RemoveSignatures:                      opts.removeSignatures,
+		Signers:                               signers,
 		SignBy:                                opts.signByFingerprint,
 		SignPassphrase:                        passphrase,
-		ReportWriter:                          os.Stdout,
+		SignBySigstorePrivateKeyFile:          opts.signBySigstorePrivateKey,
+		SignSigstorePrivateKeyPassphrase:      []byte(passphrase),
+		ReportWriter:                          stdout,
 		DestinationCtx:                        destinationCtx,
 		ImageListSelection:                    imageListSelection,
 		PreserveDigests:                       opts.preserveDigests,
@@ -593,6 +719,10 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 	}
 	errorsPresent := false
 	imagesNumber := 0
+	if opts.dryRun {
+		logrus.Warn("Running in dry-run mode")
+	}
+
 	for _, srcRepo := range srcRepoList {
 		options.SourceCtx = srcRepo.Context
 		for counter, ref := range srcRepo.ImageRefs {
@@ -614,34 +744,42 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) error {
 				destSuffix = path.Base(destSuffix)
 			}

-			destRef, err := destinationReference(path.Join(destination, destSuffix), opts.destination)
+			destRef, err := destinationReference(path.Join(destination, destSuffix)+opts.appendSuffix, opts.destination)
 			if err != nil {
 				return err
 			}

-			logrus.WithFields(logrus.Fields{
+			fromToFields := logrus.Fields{
 				"from": transports.ImageName(ref),
 				"to":   transports.ImageName(destRef),
-			}).Infof("Copying image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
-
-			if err = retry.RetryIfNecessary(ctx, func() error {
-				_, err = copy.Image(ctx, policyContext, destRef, ref, &options)
-				return err
-			}, opts.retryOpts); err != nil {
-				if !opts.keepGoing {
-					return errors.Wrapf(err, "Error copying ref %q", transports.ImageName(ref))
+			}
+			if opts.dryRun {
+				logrus.WithFields(fromToFields).Infof("Would have copied image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
+			} else {
+				logrus.WithFields(fromToFields).Infof("Copying image ref %d/%d", counter+1, len(srcRepo.ImageRefs))
+				if err = retry.IfNecessary(ctx, func() error {
+					_, err = copy.Image(ctx, policyContext, destRef, ref, &options)
+					return err
+				}, opts.retryOpts); err != nil {
+					if !opts.keepGoing {
+						return fmt.Errorf("Error copying ref %q: %w", transports.ImageName(ref), err)
+					}
+					// log the error, keep a note that there was a failure and move on to the next
+					// image ref
+					errorsPresent = true
+					logrus.WithError(err).Errorf("Error copying ref %q", transports.ImageName(ref))
+					continue
 				}
-				// log the error, keep a note that there was a failure and move on to the next
-				// image ref
-				errorsPresent = true
-				logrus.WithError(err).Errorf("Error copying ref %q", transports.ImageName(ref))
-				continue
 			}
 			imagesNumber++
 		}
 	}

-	logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	if opts.dryRun {
+		logrus.Infof("Would have synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	} else {
+		logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	}
 	if !errorsPresent {
 		return nil
 	}
--- a/cmd/skopeo/sync_test.go
+++ b/cmd/skopeo/sync_test.go
@@ -0,0 +1,46 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/containers/image/v5/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v3"
+)
+
+var _ yaml.Unmarshaler = (*tlsVerifyConfig)(nil)
+
+func TestTLSVerifyConfig(t *testing.T) {
+	type container struct { // An example of a larger config file
+		TLSVerify tlsVerifyConfig `yaml:"tls-verify"`
+	}
+
+	for _, c := range []struct {
+		input    string
+		expected tlsVerifyConfig
+	}{
+		{
+			input:    `tls-verify: true`,
+			expected: tlsVerifyConfig{skip: types.OptionalBoolFalse},
+		},
+		{
+			input:    `tls-verify: false`,
+			expected: tlsVerifyConfig{skip: types.OptionalBoolTrue},
+		},
+		{
+			input:    ``, // No value
+			expected: tlsVerifyConfig{skip: types.OptionalBoolUndefined},
+		},
+	} {
+		config := container{}
+		err := yaml.Unmarshal([]byte(c.input), &config)
+		require.NoError(t, err, c.input)
+		assert.Equal(t, c.expected, config.TLSVerify, c.input)
+	}
+
+	// Invalid input
+	config := container{}
+	err := yaml.Unmarshal([]byte(`tls-verify: "not a valid bool"`), &config)
+	assert.Error(t, err)
+}
--- a/cmd/skopeo/unshare.go
+++ b/cmd/skopeo/unshare.go
@@ -3,6 +3,6 @@

 package main

-func reexecIfNecessaryForImages(inputImageNames ...string) error {
+func reexecIfNecessaryForImages(_ ...string) error {
 	return nil
 }
--- a/cmd/skopeo/unshare_linux.go
+++ b/cmd/skopeo/unshare_linux.go
@@ -1,10 +1,12 @@
 package main

 import (
+	"fmt"
+
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/storage/pkg/unshare"
-	"github.com/pkg/errors"
 	"github.com/syndtr/gocapability/capability"
+	"golang.org/x/exp/slices"
 )

 var neededCapabilities = []capability.Cap{
@@ -20,29 +22,32 @@ func maybeReexec() error {
 	// With Skopeo we need only the subset of the root capabilities necessary
 	// for pulling an image to the storage.  Do not attempt to create a namespace
 	// if we already have the capabilities we need.
-	capabilities, err := capability.NewPid(0)
+	capabilities, err := capability.NewPid2(0)
 	if err != nil {
-		return errors.Wrapf(err, "error reading the current capabilities sets")
+		return fmt.Errorf("error reading the current capabilities sets: %w", err)
 	}
-	for _, cap := range neededCapabilities {
-		if !capabilities.Get(capability.EFFECTIVE, cap) {
-			// We miss a capability we need, create a user namespaces
-			unshare.MaybeReexecUsingUserNamespace(true)
-			return nil
-		}
+	if err := capabilities.Load(); err != nil {
+		return fmt.Errorf("error loading the current capabilities sets: %w", err)
+	}
+	if slices.ContainsFunc(neededCapabilities, func(cap capability.Cap) bool {
+		return !capabilities.Get(capability.EFFECTIVE, cap)
+	}) {
+		// We miss a capability we need, create a user namespaces
+		unshare.MaybeReexecUsingUserNamespace(true)
+		return nil
 	}
 	return nil
 }

 func reexecIfNecessaryForImages(imageNames ...string) error {
 	// Check if container-storage is used before doing unshare
-	for _, imageName := range imageNames {
+	if slices.ContainsFunc(imageNames, func(imageName string) bool {
 		transport := alltransports.TransportFromImageName(imageName)
 		// Hard-code the storage name to avoid a reference on c/image/storage.
 		// See https://github.com/containers/skopeo/issues/771#issuecomment-563125006.
-		if transport != nil && transport.Name() == "containers-storage" {
-			return maybeReexec()
-		}
+		return transport != nil && transport.Name() == "containers-storage"
+	}) {
+		return maybeReexec()
 	}
 	return nil
 }
--- a/cmd/skopeo/utils.go
+++ b/cmd/skopeo/utils.go
@@ -2,6 +2,7 @@ package main

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -9,15 +10,16 @@ import (

 	commonFlag "github.com/containers/common/pkg/flag"
 	"github.com/containers/common/pkg/retry"
+	"github.com/containers/image/v5/directory"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/compression"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"golang.org/x/term"
 )

 // errorShouldDisplayUsage is a subtype of error used by command handlers to indicate that cli.ShowSubcommandHelp should be called.
@@ -25,6 +27,27 @@ type errorShouldDisplayUsage struct {
 	error
 }

+// noteCloseFailure returns (possibly-nil) err modified to account for (non-nil) closeErr.
+// The error for closeErr is annotated with description (which is not a format string)
+// Typical usage:
+//
+//	defer func() {
+//		if err := something.Close(); err != nil {
+//			returnedErr = noteCloseFailure(returnedErr, "closing something", err)
+//		}
+//	}
+func noteCloseFailure(err error, description string, closeErr error) error {
+	// We don’t accept a Closer() and close it ourselves because signature.PolicyContext has .Destroy(), not .Close().
+	// This also makes it harder for a caller to do
+	//     defer noteCloseFailure(returnedErr, …)
+	// which doesn’t use the right value of returnedErr, and doesn’t update it.
+	if err == nil {
+		return fmt.Errorf("%s: %w", description, closeErr)
+	}
+	// In this case we prioritize the primary error for use with %w; closeErr is usually less relevant, or might be a consequence of the primary error.
+	return fmt.Errorf("%w (%s: %v)", err, description, closeErr)
+}
+
 // commandAction intermediates between the RunE interface and the real handler,
 // primarily to ensure that cobra.Command is not available to the handler, which in turn
 // makes sure that the cmd.Flags() etc. flag access functions are not used,
@@ -33,8 +56,9 @@ type errorShouldDisplayUsage struct {
 func commandAction(handler func(args []string, stdout io.Writer) error) func(cmd *cobra.Command, args []string) error {
 	return func(c *cobra.Command, args []string) error {
 		err := handler(args, c.OutOrStdout())
-		if _, ok := err.(errorShouldDisplayUsage); ok {
-			c.Help()
+		var shouldDisplayUsage errorShouldDisplayUsage
+		if errors.As(err, &shouldDisplayUsage) {
+			return c.Help()
 		}
 		return err
 	}
@@ -151,8 +175,8 @@ func imageFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLS
 	return fs, opts
 }

-func retryFlags() (pflag.FlagSet, *retry.RetryOptions) {
-	opts := retry.RetryOptions{}
+func retryFlags() (pflag.FlagSet, *retry.Options) {
+	opts := retry.Options{}
 	fs := pflag.FlagSet{}
 	fs.IntVar(&opts.MaxRetry, "retry-times", 0, "the number of times to possibly retry")
 	return fs, &opts
@@ -221,6 +245,7 @@ func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
 }

 // imageDestOptions is a superset of imageOptions specialized for image destinations.
+// Every user should call imageDestOptions.warnAboutIneffectiveOptions() as part of handling the CLI
 type imageDestOptions struct {
 	*imageOptions
 	dirForceCompression         bool                   // Compress layers when saving to the dir: transport
@@ -229,12 +254,13 @@ type imageDestOptions struct {
 	compressionFormat           string                 // Format to use for the compression
 	compressionLevel            commonFlag.OptionalInt // Level to use for the compression
 	precomputeDigests           bool                   // Precompute digests to dedup layers when saving to the docker: transport
+	imageDestFlagPrefix         string
 }

 // imageDestFlags prepares a collection of CLI flags writing into imageDestOptions, and the managed imageDestOptions structure.
 func imageDestFlags(global *globalOptions, shared *sharedImageOptions, deprecatedTLSVerify *deprecatedTLSVerifyOption, flagPrefix, credsOptionAlias string) (pflag.FlagSet, *imageDestOptions) {
 	genericFlags, genericOptions := imageFlags(global, shared, deprecatedTLSVerify, flagPrefix, credsOptionAlias)
-	opts := imageDestOptions{imageOptions: genericOptions}
+	opts := imageDestOptions{imageOptions: genericOptions, imageDestFlagPrefix: flagPrefix}
 	fs := pflag.FlagSet{}
 	fs.AddFlagSet(&genericFlags)
 	fs.BoolVar(&opts.dirForceCompression, flagPrefix+"compress", false, "Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)")
@@ -272,18 +298,28 @@ func (opts *imageDestOptions) newSystemContext() (*types.SystemContext, error) {
 	return ctx, err
 }

+// warnAboutIneffectiveOptions warns if any ineffective option was set by the user
+// Every user should call this as part of handling the CLI
+func (opts *imageDestOptions) warnAboutIneffectiveOptions(destTransport types.ImageTransport) {
+	if destTransport.Name() != directory.Transport.Name() {
+		if opts.dirForceCompression {
+			logrus.Warnf("--%s can only be used if the destination transport is 'dir'", opts.imageDestFlagPrefix+"compress")
+		}
+		if opts.dirForceDecompression {
+			logrus.Warnf("--%s can only be used if the destination transport is 'dir'", opts.imageDestFlagPrefix+"decompress")
+		}
+	}
+}
+
 func parseCreds(creds string) (string, string, error) {
 	if creds == "" {
 		return "", "", errors.New("credentials can't be empty")
 	}
-	up := strings.SplitN(creds, ":", 2)
-	if len(up) == 1 {
-		return up[0], "", nil
-	}
-	if up[0] == "" {
+	username, password, _ := strings.Cut(creds, ":") // Sets password to "" if there is no ":"
+	if username == "" {
 		return "", "", errors.New("username can't be empty")
 	}
-	return up[0], up[1], nil
+	return username, password, nil
 }

 func getDockerAuth(creds string) (*types.DockerAuthConfig, error) {
@@ -354,3 +390,19 @@ func adjustUsage(c *cobra.Command) {
 	c.SetUsageTemplate(usageTemplate)
 	c.DisableFlagsInUseLine = true
 }
+
+// promptForPassphrase interactively prompts for a passphrase related to privateKeyFile
+func promptForPassphrase(privateKeyFile string, stdin, stdout *os.File) (string, error) {
+	stdinFd := int(stdin.Fd())
+	if !term.IsTerminal(stdinFd) {
+		return "", fmt.Errorf("Cannot prompt for a passphrase for key %s, standard input is not a TTY", privateKeyFile)
+	}
+
+	fmt.Fprintf(stdout, "Passphrase for key %s: ", privateKeyFile)
+	passphrase, err := term.ReadPassword(stdinFd)
+	if err != nil {
+		return "", fmt.Errorf("Error reading password: %w", err)
+	}
+	fmt.Fprintf(stdout, "\n")
+	return string(passphrase), nil
+}
--- a/cmd/skopeo/utils_test.go
+++ b/cmd/skopeo/utils_test.go
@@ -1,7 +1,7 @@
 package main

 import (
-	"os"
+	"errors"
 	"testing"

 	"github.com/containers/image/v5/manifest"
@@ -13,6 +13,27 @@ import (
 	"github.com/stretchr/testify/require"
 )

+func TestNoteCloseFailure(t *testing.T) {
+	const description = "description"
+
+	mainErr := errors.New("main")
+	closeErr := errors.New("closing")
+
+	// Main success, closing failed
+	res := noteCloseFailure(nil, description, closeErr)
+	require.NotNil(t, res)
+	assert.Contains(t, res.Error(), description)
+	assert.Contains(t, res.Error(), closeErr.Error())
+
+	// Both main and closing failed
+	res = noteCloseFailure(mainErr, description, closeErr)
+	require.NotNil(t, res)
+	assert.Contains(t, res.Error(), mainErr.Error())
+	assert.Contains(t, res.Error(), description)
+	assert.Contains(t, res.Error(), closeErr.Error())
+	assert.ErrorIs(t, res, mainErr)
+}
+
 // fakeGlobalOptions creates globalOptions and sets it according to flags.
 func fakeGlobalOptions(t *testing.T, flags []string) (*globalOptions, *cobra.Command) {
 	app, opts := createApp()
@@ -128,17 +149,9 @@ func TestImageDestOptionsNewSystemContext(t *testing.T) {
 		DockerRegistryUserAgent: defaultUserAgent,
 	}, res)

-	oldXRD, hasXRD := os.LookupEnv("REGISTRY_AUTH_FILE")
-	defer func() {
-		if hasXRD {
-			os.Setenv("REGISTRY_AUTH_FILE", oldXRD)
-		} else {
-			os.Unsetenv("REGISTRY_AUTH_FILE")
-		}
-	}()
 	authFile := "/tmp/auth.json"
 	// Make sure when REGISTRY_AUTH_FILE is set the auth file is used
-	os.Setenv("REGISTRY_AUTH_FILE", authFile)
+	t.Setenv("REGISTRY_AUTH_FILE", authFile)

 	// Explicitly set everything to default, except for when the default is “not present”
 	opts = fakeImageDestOptions(t, "dest-", true, []string{}, []string{
@@ -372,7 +385,6 @@ func TestParseManifestFormat(t *testing.T) {
 // since there is a shared authfile image option and a non-shared (prefixed) one, make sure the override logic
 // works correctly.
 func TestImageOptionsAuthfileOverride(t *testing.T) {
-
 	for _, testCase := range []struct {
 		flagPrefix           string
 		cmdFlags             []string
--- a/completions/bash/skopeo
+++ b/completions/bash/skopeo
@@ -1,341 +0,0 @@
-#! /bin/bash
-
-_complete_() {
-    local options_with_args=$1
-    local boolean_options="$2 -h --help"
-    local transports=$3
-
-    local option_with_args
-    for option_with_args in $options_with_args $transports
-    do
-        if [ "$option_with_args" == "$prev" ] || [ "$option_with_args" == "$cur" ]
-        then
-            return
-        fi
-    done
-
-    case "$cur" in
-        -*)
-            while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
-            ;;
-        *)
-            if [ -n "$transports" ]
-            then
-                compopt -o nospace
-                while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$transports" -- "$cur")
-            fi
-            ;;
-    esac
-}
-
-_skopeo_supported_transports() {
-    local subcommand=$1
-
-    skopeo "$subcommand" --help | grep "Supported transports" -A 1 | tail -n 1 | sed -e 's/,/:/g' -e 's/$/:/'
-}
-
-_skopeo_copy() {
-    local options_with_args="
-    --authfile
-    --src-authfile
-    --dest-authfile
-    --format -f
-    --multi-arch
-    --sign-by
-    --sign-passphrase-file
-    --src-creds --screds
-    --src-cert-dir
-    --src-tls-verify
-    --dest-creds --dcreds
-    --dest-cert-dir
-    --dest-tls-verify
-    --src-daemon-host
-    --dest-daemon-host
-    --src-registry-token
-    --dest-registry-token
-    --src-username
-    --src-password
-    --dest-username
-    --dest-password
-    "
-
-    local boolean_options="
-    --all
-    --dest-compress
-    --dest-decompress
-    --remove-signatures
-    --src-no-creds
-    --dest-no-creds
-    --dest-oci-accept-uncompressed-layers
-    --dest-precompute-digests
-    --preserve-digests
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_sync() {
-    local options_with_args="
-    --authfile
-    --dest
-    --dest-authfile
-    --dest-cert-
-    --dest-creds
-    --dest-registry-token string
-    --format
-    --retry-times
-    --sign-by
-    --sign-passphrase-file
-    --src
-    --src-authfile
-    --src-cert-dir
-    --src-creds
-    --src-registry-token
-    --src-username
-    --src-password
-    --dest-username
-    --dest-password
-    "
-
-    local boolean_options="
-    --all
-    --dest-no-creds
-    --dest-tls-verify
-    --remove-signatures
-    --scoped
-    --src-no-creds
-    --src-tls-verify
-    --keep-going
-    --preserve-digests
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_inspect() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --format
-     --retry-times
-     --registry-token
-    --username
-    --password
-     "
-     local boolean_options="
-     --config
-     --raw
-     --tls-verify
-     --no-creds
-     --no-tags -n
-    "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_standalone_sign() {
-     local options_with_args="
-       -o --output
-       --passphrase-file
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_standalone_verify() {
-     local options_with_args="
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_manifest_digest() {
-     local options_with_args="
-     "
-     local boolean_options="
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_delete() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --registry-token
-    --username
-    --password
-     "
-     local boolean_options="
-     --tls-verify
-     --no-creds
-     "
-
-    local transports
-    transports="
-    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
-    "
-
-    _complete_ "$options_with_args" "$boolean_options" "$transports"
-}
-
-_skopeo_layers() {
-     local options_with_args="
-       --authfile
-       --creds
-       --cert-dir
-       --registry-token
-      --username
-      --password
-     "
-     local boolean_options="
-       --tls-verify
-       --no-creds
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_list_repository_tags() {
-     local options_with_args="
-     --authfile
-     --creds
-     --cert-dir
-     --registry-token
-    --username
-    --password
-     "
-
-     local boolean_options="
-     --tls-verify
-     --no-creds
-     "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_login() {
-    local options_with_args="
-    --authfile
-    --cert-dir
-    --password -p
-    --username -u
-    "
-
-    local boolean_options="
-    --get-login
-    --tls-verify
-    --password-stdin
-    "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_logout() {
-    local options_with_args="
-    --authfile
-    "
-
-    local boolean_options="
-    --all -a
-    "
-    _complete_ "$options_with_args" "$boolean_options"
-}
-
-_skopeo_skopeo() {
-     # XXX: Changes here need to be reflected in the manually expanded
-     # string in the `case` statement below as well.
-     local options_with_args="
-       --policy
-       --registries.d
-       --override-arch
-       --override-os
-       --override-variant
-       --command-timeout
-       --tmpdir
-     "
-     local boolean_options="
-       --insecure-policy
-       --debug
-       --version -v
-       --help -h
-     "
-
-     local commands=(
-       copy
-       delete
-       inspect
-       list-tags
-       login
-       logout
-       manifest-digest
-       standalone-sign
-       standalone-verify
-       sync
-       help
-       h
-     )
-
-     case "$prev" in
-         # XXX: Changes here need to be reflected in $options_with_args as well.
-         --policy|--registries.d|--override-arch|--override-os|--override-variant|--command-timeout)
-             return
-             ;;
-     esac
-
-     case "$cur" in
-         -*)
-             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
-             ;;
-         *)
-             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "${commands[*]} help" -- "$cur")
-             ;;
-     esac
-}
-
-_cli_bash_autocomplete() {
-     local cur
-
-     COMPREPLY=()
-     cur="${COMP_WORDS[COMP_CWORD]}"
-     COMPREPLY=()
-     local cur prev words cword
-
-     _get_comp_words_by_ref -n : cur prev words cword
-
-     local command="skopeo" cpos=0
-     local counter=1
-     while [ $counter -lt "$cword" ]; do
-         case "${words[$counter]}" in
-             skopeo|copy|sync|inspect|delete|manifest-digest|standalone-sign|standalone-verify|help|h|list-repository-tags)
-                 command="${words[$counter]//-/_}"
-                 cpos=$counter
-                 (( cpos++ ))
-                 break
-                 ;;
-         esac
-         (( counter++ ))
-     done
-
-     local completions_func=_skopeo_${command}
-     declare -F "$completions_func" >/dev/null && $completions_func
-
-     return 0
-}
-
- complete -F _cli_bash_autocomplete skopeo
--- a/contrib/cirrus/ostree_ext.dockerfile
+++ b/contrib/cirrus/ostree_ext.dockerfile
@@ -0,0 +1,15 @@
+ARG BASE_FQIN=quay.io/coreos-assembler/fcos-buildroot:testing-devel
+FROM $BASE_FQIN
+
+# See 'Danger of using COPY and ADD instructions'
+# at https://cirrus-ci.org/guide/docker-builder-vm/#dockerfile-as-a-ci-environment
+# Provide easy way to force-invalidate image cache by .cirrus.yml change
+ARG CIRRUS_IMAGE_VERSION
+ENV CIRRUS_IMAGE_VERSION=$CIRRUS_IMAGE_VERSION
+ADD https://sh.rustup.rs /var/tmp/rustup_installer.sh
+
+RUN dnf erase -y rust && \
+    chmod +x /var/tmp/rustup_installer.sh && \
+    /var/tmp/rustup_installer.sh -y --default-toolchain stable --profile minimal
+
+ENV PATH=/root/.cargo/bin:/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
--- a/contrib/cirrus/runner.sh
+++ b/contrib/cirrus/runner.sh
@@ -6,17 +6,6 @@

 set -e

-_EOL=20270501
-if [[ $(date +%Y%m%d) -ge $_EOL ]]; then
-    die "As of $_EOL this branch is probably
-no longer supported in RHEL 9.0/8.8, please
-confirm this with RHEL Program Management.  If so:
-It should be removed from Cirrus-Cron,
-the .cirrus.yml file removed, and
-the VM images (manually) unmarked
-'permanent=true'"
-fi
-
 # BEGIN Global export of all variables
 set -a

@@ -123,18 +112,19 @@ _run_unit() {
    make test-unit-local BUILDTAGS="$BUILDTAGS"
 }

-_run_integration() {
+_podman_reset() {
    # Ensure we start with a clean-slate
-    podman system reset --force
+    showrun podman system reset --force
+}

+_run_integration() {
+    _podman_reset
    make test-integration-local BUILDTAGS="$BUILDTAGS"
 }

 _run_system() {
-    # Ensure we start with a clean-slate
-    podman system reset --force
-
-    # Executes with containers required for testing.
+    _podman_reset
+    ##### Note: Test MODIFIES THE HOST SETUP #####
    make test-system-local BUILDTAGS="$BUILDTAGS"
 }

--- a/contrib/skopeoimage/README.md
+++ b/contrib/skopeoimage/README.md
@@ -1,56 +1,2 @@
-<img src="https://cdn.rawgit.com/containers/skopeo/master/docs/skopeo.svg" width="250">
-
----
-
-# skopeoimage
-
-## Overview
-
-This directory contains the Dockerfiles necessary to create the skopeoimage container
-images that are housed on quay.io under the skopeo account.  All repositories where
-the images live are public and can be pulled without credentials.  These container images are secured and the
-resulting containers can run safely with privileges within the container.
-
-The container images are built using the latest Fedora and then Skopeo is installed into them.
-The PATH in the container images is set to the default PATH provided by Fedora.  Also, the
-ENTRYPOINT and the WORKDIR variables are not set within these container images, as such they
-default to `/`.
-
-The container images are:
-
-  * `quay.io/containers/skopeo:<version>` and `quay.io/skopeo/stable:<version>` -
-    These images are built when a new Skopeo version becomes available in
-    Fedora.  These images are intended to be unchanging and stable, they will
-    never be updated by automation once they've been pushed.  For build details,
-    please [see the configuration file](stable/Dockerfile).
-  * `quay.io/containers/skopeo:latest` and `quay.io/skopeo/stable:latest` -
-    Built daily using the same Dockerfile as above.  The skopeo version
-    will remain the "latest" available in Fedora, however the image
-    contents may vary compared to the version-tagged images.
-  * `quay.io/skopeo/testing:latest` - This image is built daily, using the
-    latest version of Skopeo that was in the Fedora `updates-testing` repository.
-    The image is Built with [the testing Dockerfile](testing/Dockerfile).
-  * `quay.io/skopeo/upstream:latest` - This image is built daily using the latest
-    code found in this GitHub repository.  Due to the image changing frequently,
-    it's not guaranteed to be stable or even executable.  The image is built with
-    [the upstream Dockerfile](upstream/Dockerfile).
-
-
-## Sample Usage
-
-Although not required, it is suggested that [Podman](https://github.com/containers/podman) be used with these container images.
-
-```
-# Get Help on Skopeo
-podman run docker://quay.io/skopeo/stable:latest --help
-
-# Get help on the Skopeo Copy command
-podman run docker://quay.io/skopeo/stable:latest copy --help
-
-# Copy the Skopeo container image from quay.io to
-# a private registry
-podman run docker://quay.io/skopeo/stable:latest copy docker://quay.io/skopeo/stable docker://registry.internal.company.com/skopeo
-
-# Inspect the fedora:latest image
-podman run docker://quay.io/skopeo/stable:latest inspect --config docker://registry.fedoraproject.org/fedora:latest  | jq
-```
+The skopeo container image build context and automation have been
+moved to [https://github.com/containers/image_build/tree/main/skopeo](https://github.com/containers/image_build/tree/main/skopeo)
--- a/contrib/skopeoimage/stable/Dockerfile
+++ b/contrib/skopeoimage/stable/Dockerfile
@@ -1,33 +0,0 @@
-# stable/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# stable version of Skopeo on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/testing/Dockerfile
+++ b/contrib/skopeoimage/testing/Dockerfile
@@ -1,34 +0,0 @@
-# testing/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# version of Skopeo that is in updates-testing
-# on the Fedoras Updates System.
-# https://bodhi.fedoraproject.org/updates/?search=skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; yum -y install skopeo fuse-overlayfs --enablerepo updates-testing --exclude container-selinux; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/contrib/skopeoimage/upstream/Dockerfile
+++ b/contrib/skopeoimage/upstream/Dockerfile
@@ -1,54 +0,0 @@
-# upstream/Dockerfile
-#
-# Build a Skopeo container image from the latest
-# upstream version of Skopeo on GitHub.
-# https://github.com/containers/skopeo
-# This image can be used to create a secured container
-# that runs safely with privileges within the container.
-#
-FROM registry.fedoraproject.org/fedora:latest
-
-# Don't include container-selinux and remove
-# directories used by yum that are just taking
-# up space.  Also reinstall shadow-utils as without
-# doing so, the setuid/setgid bits on newuidmap
-# and newgidmap are lost in the Fedora images. 
-RUN useradd skopeo; yum -y update; yum -y reinstall shadow-utils; \
-yum -y install make \
-golang \
-git \
-go-md2man \
-fuse-overlayfs \
-fuse3 \
-containers-common \
-gpgme-devel \
-libassuan-devel \
-btrfs-progs-devel \
-device-mapper-devel --enablerepo updates-testing --exclude container-selinux; \
-mkdir /root/skopeo; \
-git clone https://github.com/containers/skopeo /root/skopeo/src/github.com/containers/skopeo; \
-export GOPATH=/root/skopeo; \
-cd /root/skopeo/src/github.com/containers/skopeo; \
-make bin/skopeo;\
-make PREFIX=/usr install;\
-rm -rf /root/skopeo/*; \
-yum -y remove git golang go-md2man make; \
-yum -y clean all; yum -y clean all; rm -rf /var/cache/dnf/* /var/log/dnf* /var/log/yum*
-
-
-# Adjust storage.conf to enable Fuse storage.
-RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-
-# Setup the ability to use additional stores
-# with this container image.
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock
-
-# Setup skopeo's uid/guid entries
-RUN echo skopeo:100000:65536 > /etc/subuid
-RUN echo skopeo:100000:65536 > /etc/subgid
-
-# Point to the Authorization file
-ENV REGISTRY_AUTH_FILE=/tmp/auth.json
-
-# Set the entrypoint
-ENTRYPOINT ["/usr/bin/skopeo"]
--- a/default.yaml
+++ b/default.yaml
@@ -1,19 +1,21 @@
 # This is a default registries.d configuration file.  You may
 # add to this file or create additional files in registries.d/.
 #
-# sigstore: indicates a location that is read and write
-# sigstore-staging: indicates a location that is only for write
+# lookaside: for reading/writing simple signing signatures
+# lookaside-staging: for writing simple signing signatures, preferred over lookaside
 #
-# sigstore and sigstore-staging take a value of the following:
-#   sigstore:  {schema}://location
+# lookaside and lookaside-staging take a value of the following:
+#   lookaside:  {schema}://location
 #
 # For reading signatures, schema may be http, https, or file.
 # For writing signatures, schema may only be file.

-# This is the default signature write location for docker registries.
+# The default locations are built-in, for both reading and writing:
+# /var/lib/containers/sigstore for root, or
+# ~/.local/share/containers/sigstore for non-root users.
 default-docker:
-#  sigstore: file:///var/lib/containers/sigstore
-  sigstore-staging: file:///var/lib/containers/sigstore
+#  lookaside: https://…
+#  lookaside-staging: file:///…

 # The 'docker' indicator here is the start of the configuration
 # for docker registries.
@@ -21,6 +23,6 @@ default-docker:
 # docker:
 #
 #   privateregistry.com:
-#    sigstore: http://privateregistry.com/sigstore/
-#    sigstore-staging: /mnt/nfs/privateregistry/sigstore
+#    lookaside: https://privateregistry.com/sigstore/
+#    lookaside-staging: /mnt/nfs/privateregistry/sigstore

--- a/docs/skopeo-copy.1.md
+++ b/docs/skopeo-copy.1.md
@@ -20,6 +20,8 @@ automatically inherit any parts of the source name.

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--additional-tag**=_strings_

 Additional tags (supports docker-archive).
@@ -58,6 +60,8 @@ After copying the image, write the digest of the resulting image to the file.

 Preserve the digests during copying. Fail if the digest cannot be preserved.

+This option does not change what will be copied; consider using `--all` at the same time.
+
 **--encrypt-layer** _ints_

 *Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)
@@ -70,7 +74,7 @@ MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifes

 Print usage statement

-**--multi-arch**
+**--multi-arch** _option_

 Control what is copied if _source-image_ refers to a multi-architecture image. Default is system.

@@ -89,13 +93,26 @@ Suppress output information when copying images.

 Do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.

-**--sign-by**=_key-id_
+**--sign-by** _key-id_

-Add a signature using that key ID for an image name corresponding to _destination-image_
+Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_

-**--sign-passphrase-file**=_path_
+**--sign-by-sigstore** _param-file_

-The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+Add a sigstore signature based on the options in the specified containers sigstore signing parameter file, _param-file_.
+See containers-sigstore-signing-params.yaml(5) for details about the file format.
+
+**--sign-by-sigstore-private-key** _path_
+
+Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
+
+**--sign-passphrase-file** _path_
+
+The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+
+**--sign-identity** _reference_
+
+The identity to use when signing the image. The identity must be a fully specified docker reference. If the identity is not specified, the target docker reference will be used.

 **--src-shared-blob-dir** _directory_

@@ -165,7 +182,7 @@ Existing signatures, if any, are preserved as well.

 **--dest-compress-format** _format_

-Specifies the compression format to use.  Supported values are: `gzip` and `zstd`.
+Specifies the compression format to use.  Supported values are: `gzip`, `zstd` and `zstd:chunked`.

 **--dest-compress-level** _format_

@@ -206,12 +223,12 @@ The password to access the destination registry.
 ## EXAMPLES

 To just copy an image from one registry to another:
-```sh
+```console
 $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
 ```

 To copy the layers of the docker.io busybox image to a local directory:
-```sh
+```console
 $ mkdir -p /var/lib/images/busybox
 $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
 $ ls /var/lib/images/busybox/*
@@ -220,42 +237,46 @@ $ ls /var/lib/images/busybox/*
  /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
 ```

-To copy and sign an image:
+To create an archive consumable by `docker load` (but note that using a registry is almost always more efficient):
+```console
+$ skopeo copy docker://busybox:latest docker-archive:archive-file.tar:busybox:latest
+```

-```sh
-# skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
+To copy and sign an image:
+```console
+$ skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
 ```

 To encrypt an image:
-```sh
-skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8
+```console
+$ skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

-openssl genrsa -out private.key 1024
-openssl rsa -in private.key -pubout > public.key
+$ openssl genrsa -out private.key 1024
+$ openssl rsa -in private.key -pubout > public.key

-skopeo  copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
+$ skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
 ```

 To decrypt an image:
-```sh
-skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```console
+$ skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
 ```

 To copy encrypted image without decryption:
-```sh
-skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
+```console
+$ skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
 ```

 To decrypt an image that requires more than one key:
-```sh
-skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```console
+$ skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
 ```

 Container images can also be partially encrypted by specifying the index of the layer. Layers are 0-indexed indices, with support for negative indexing. i.e. 0 is the first layer, -1 is the last layer.

 Let's say out of 3 layers that the image `docker.io/library/nginx:1.17.8` is made up of, we only want to encrypt the 2nd layer,
-```sh
-skopeo  copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
+```console
+$ skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
 ```

 ## SEE ALSO
--- a/docs/skopeo-delete.1.md
+++ b/docs/skopeo-delete.1.md
@@ -6,21 +6,33 @@ skopeo\-delete - Mark the _image-name_ for later deletion by the registry's garb
 ## SYNOPSIS
 **skopeo delete** [*options*] _image-name_

-Mark _image-name_ for deletion.  To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,
+## DESCRIPTION
+
+Mark _image-name_ for deletion.
+The effect of this is registry-specific; many registries don’t support this operation, or don’t allow it in some circumstances / configurations.
+
+**WARNING**: If _image-name_ contains a digest, this affects the referenced manifest, and may delete all tags (within the current repository?) pointing to that manifest.
+
+**WARNING**: If _image-name_ contains a tag (but not a digest), in the current version of Skopeo this resolves the tag into a digest, and then deletes the manifest by digest, as described above (possibly deleting all tags pointing to that manifest, not just the provided tag). This behavior may change in the future.
+
+
+When using the github.com/distribution/distribution registry server:
+To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,

 ```
 /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
-
+```
 Note: sometimes the config.yml is stored in /etc/docker/registry/config.yml

 If you are running the container registry inside of a container you would execute something like:
-
+```
 $ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
-
 ```

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile** _path_

 Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
@@ -75,8 +87,8 @@ The password to access the registry.
 ## EXAMPLES

 Mark image example/pause for deletion from the registry.example.com registry:
-```sh
-$ skopeo delete --force docker://registry.example.com/example/pause:latest
+```console
+$ skopeo delete docker://registry.example.com/example/pause:latest
 ```
 See above for additional details on using the command **delete**.

--- a/docs/skopeo-generate-sigstore-key.1.md
+++ b/docs/skopeo-generate-sigstore-key.1.md
@@ -0,0 +1,49 @@
+% skopeo-generate-sigstore-key(1)
+
+## NAME
+skopeo\-generate-sigstore-key - Generate a sigstore public/private key pair.
+
+## SYNOPSIS
+**skopeo generate-sigstore-key** [*options*] **--output-prefix** _prefix_
+
+## DESCRIPTION
+
+Generates a public/private key pair suitable for creating sigstore image signatures.
+The private key is encrypted with a passphrase;
+if one is not provided using an option, this command prompts for it interactively.
+
+The private key is written to _prefix_**.private** .
+The private key is written to _prefix_**.pub** .
+
+## OPTIONS
+
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
+**--help**, **-h**
+
+Print usage statement
+
+**--output-prefix** _prefix_
+
+Mandatory.
+Path prefix for the output keys (_prefix_**.private** and _prefix_**.pub**).
+
+**--passphrase-file** _path_
+
+The passphare to use to encrypt the private key.
+Only the first line will be read.
+A passphrase stored in a file is of questionable security if other users can read this file.
+Do not use this option if at all avoidable.
+
+## EXAMPLES
+
+```console
+$ skopeo generate-sigstore-key --output-prefix mykey
+```
+
+# SEE ALSO
+skopeo(1), skopeo-copy(1), containers-policy.json(5)
+
+## AUTHORS
+
+Miloslav Trmač <mitr@redhat.com>
--- a/docs/skopeo-inspect.1.md
+++ b/docs/skopeo-inspect.1.md
@@ -17,6 +17,8 @@ To see values for a different architecture/OS, use the **--override-os** / **--o

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile** _path_

 Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
@@ -42,6 +44,7 @@ Use docker daemon host at _host_ (`docker-daemon:` transport only)

 Format the output using the given Go template.
 The keys of the returned JSON can be used as the values for the --format flag (see examples below).
+Supports the Go templating functions available at https://pkg.go.dev/github.com/containers/common/pkg/report#hdr-Template_Functions

 **--help**, **-h**

@@ -87,74 +90,90 @@ Do not list the available tags from the repository in the output. When `true`, t
 ## EXAMPLES

 To review information for the image fedora from the docker.io registry:
-```sh
+```console
 $ skopeo inspect docker://docker.io/fedora
+
 {
    "Name": "docker.io/library/fedora",
-    "Digest": "sha256:a97914edb6ba15deb5c5acf87bd6bd5b6b0408c96f48a5cbd450b5b04509bb7d",
+    "Digest": "sha256:f99efcddc4dd6736d8a88cc1ab6722098ec1d77dbf7aed9a7a514fc997ca08e0",
    "RepoTags": [
-	"20",
-	"21",
-	"22",
-	"23",
-	"24",
-	"heisenbug",
-	"latest",
-	"rawhide"
+        "20",
+        "21",
+        "..."
    ],
-    "Created": "2016-06-20T19:33:43.220526898Z",
-    "DockerVersion": "1.10.3",
-    "Labels": {},
+    "Created": "2022-11-16T07:26:42.618327645Z",
+    "DockerVersion": "20.10.12",
+    "Labels": {
+        "maintainer": "Clement Verna \u003ccverna@fedoraproject.org\u003e"
+    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
-	"sha256:7c91a140e7a1025c3bc3aace4c80c0d9933ac4ee24b8630a6b0b5d8b9ce6b9d4"
+        "sha256:cb8b1ed77979b894115a983f391465651aa7eb3edd036be4b508eea47271eb93"
+    ],
+    "LayersData": [
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:cb8b1ed77979b894115a983f391465651aa7eb3edd036be4b508eea47271eb93",
+            "Size": 65990920,
+            "Annotations": null
+        }
+    ],
+    "Env": [
+        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "DISTTAG=f37container",
+        "FGC=f37",
+        "FBR=f37"
    ]
 }
 ```

 To inspect python from the docker.io registry and not show the available tags:
-```sh
+```console
 $ skopeo inspect --no-tags docker://docker.io/library/python
 {
    "Name": "docker.io/library/python",
-    "Digest": "sha256:5ca194a80ddff913ea49c8154f38da66a41d2b73028c5cf7e46bc3c1d6fda572",
+    "Digest": "sha256:10fc14aa6ae69f69e4c953cffd9b0964843d8c163950491d2138af891377bc1d",
    "RepoTags": [],
-    "Created": "2021-10-05T23:40:54.936108045Z",
-    "DockerVersion": "20.10.7",
+    "Created": "2022-11-16T06:55:28.566254104Z",
+    "DockerVersion": "20.10.12",
    "Labels": null,
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
-        "sha256:df5590a8898bedd76f02205dc8caa5cc9863267dbcd8aac038bcd212688c1cc7",
-        "sha256:705bb4cb554eb7751fd21a994f6f32aee582fbe5ea43037db6c43d321763992b",
-        "sha256:519df5fceacdeaadeec563397b1d9f4d7c29c9f6eff879739cab6f0c144f49e1",
-        "sha256:ccc287cbeddc96a0772397ca00ec85482a7b7f9a9fac643bfddd87b932f743db",
-        "sha256:e3f8e6af58ed3a502f0c3c15dce636d9d362a742eb5b67770d0cfcb72f3a9884",
-        "sha256:aebed27b2d86a5a3a2cbe186247911047a7e432b9d17daad8f226597c0ea4276",
-        "sha256:54c32182bdcc3041bf64077428467109a70115888d03f7757dcf614ff6d95ebe",
-        "sha256:cc8b7caedab13af07adf4836e13af2d4e9e54d794129b0fd4c83ece6b1112e86",
-        "sha256:462c3718af1d5cdc050cfba102d06c26f78fe3b738ce2ca2eb248034b1738945"
+        "sha256:a8ca11554fce00d9177da2d76307bdc06df7faeb84529755c648ac4886192ed1",
+        "sha256:e4e46864aba2e62ba7c75965e4aa33ec856ee1b1074dda6b478101c577b63abd",
+        "..."
+    ],
+    "LayersData": [
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:a8ca11554fce00d9177da2d76307bdc06df7faeb84529755c648ac4886192ed1",
+            "Size": 55038615,
+            "Annotations": null
+        },
+        {
+            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "Digest": "sha256:e4e46864aba2e62ba7c75965e4aa33ec856ee1b1074dda6b478101c577b63abd",
+            "Size": 5164893,
+            "Annotations": null
+        },
+        "..."
    ],
    "Env": [
        "PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "LANG=C.UTF-8",
-        "GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D",
-        "PYTHON_VERSION=3.10.0",
-        "PYTHON_PIP_VERSION=21.2.4",
-        "PYTHON_SETUPTOOLS_VERSION=57.5.0",
-        "PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/d781367b97acf0ece7e9e304bf281e99b618bf10/public/get-pip.py",
-        "PYTHON_GET_PIP_SHA256=01249aa3e58ffb3e1686b7141b4e9aac4d398ef4ac3012ed9dff8dd9f685ffe0"
+        "...",
    ]
 }
 ```

-```
+```console
 $ /bin/skopeo inspect --config docker://registry.fedoraproject.org/fedora --format "{{ .Architecture }}"
 amd64
 ```

-```
+```console
 $ /bin/skopeo inspect --format '{{ .Env }}' docker://registry.access.redhat.com/ubi8
 [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=oci]
 ```
--- a/docs/skopeo-list-tags.1.md
+++ b/docs/skopeo-list-tags.1.md
@@ -1,17 +1,19 @@
 % skopeo-list-tags(1)

 ## NAME
-skopeo\-list\-tags - List tags in the transport-specific image repository.
+skopeo\-list\-tags - List image names in a transport-specific collection of images.

 ## SYNOPSIS
-**skopeo list-tags** [*options*] _repository-name_
+**skopeo list-tags** [*options*] _source-image_

-Return a list of tags from _repository-name_ in a registry.
+Return a list of tags from _source-image_ in a registry or a local docker-archive file.

-  _repository-name_ name of repository to retrieve tag listing from
+  _source-image_ name of the repository to retrieve a tag listing from or a local docker-archive file.

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile** _path_

 Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
@@ -53,7 +55,7 @@ The password to access the registry.

 ## REPOSITORY NAMES

-Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags". Currently, only the Docker transport is supported.
+Repository names are transport-specific references as each transport may have its own concept of a "repository" and "tags".

 This commands refers to repositories using a _transport_`:`_details_ format. The following formats are supported:

@@ -72,12 +74,14 @@ This commands refers to repositories using a _transport_`:`_details_ format. The
        "docker.io/myuser/myimage:v1.0"
        "docker.io/myuser/myimage@sha256:f48c4cc192f4c3c6a069cb5cca6d0a9e34d6076ba7c214fd0cc3ca60e0af76bb"

+  **docker-archive:path[:docker-reference]
+  more than one images were stored in a docker save-formatted file. 

 ## EXAMPLES

 ### Docker Transport
 To get the list of tags in the "fedora" repository from the docker.io registry (the repository name expands to "library/fedora" per docker transport canonical form):
-```sh
+```console
 $ skopeo list-tags docker://docker.io/fedora
 {
    "Repository": "docker.io/library/fedora",
@@ -108,7 +112,7 @@ $ skopeo list-tags docker://docker.io/fedora

 To list the tags in a local host docker/distribution registry on port 5000, in this case for the "fedora" repository:

-```sh
+```console
 $ skopeo list-tags docker://localhost:5000/fedora
 {
    "Repository": "localhost:5000/fedora",
@@ -121,8 +125,48 @@ $ skopeo list-tags docker://localhost:5000/fedora

 ```

+### Docker-archive Transport
+
+To list the tags in a local docker-archive file:
+
+```console
+$ skopeo list-tags docker-archive:/tmp/busybox.tar.gz
+{
+    "Tags": [
+        "busybox:1.28.3"
+    ]
+}
+```
+
+Also supports more than one tags in an archive:
+
+```console
+$ skopeo list-tags docker-archive:/tmp/docker-two-images.tar.gz
+{
+    "Tags": [
+        "example.com/empty:latest",
+        "example.com/empty/but:different"
+    ]
+}
+```
+
+Will include a source-index entry for each untagged image:
+
+```console
+$ skopeo list-tags docker-archive:/tmp/four-tags-with-an-untag.tar
+{
+    "Tags": [
+        "image1:tag1",
+        "image2:tag2",
+        "@2",
+        "image4:tag4"
+    ]
+}
+```
+
+
 # SEE ALSO
-skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5)
+skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-transports(1)

 ## AUTHORS

--- a/docs/skopeo-login.1.md
+++ b/docs/skopeo-login.1.md
@@ -15,6 +15,8 @@ flag. The default path used is **${XDG\_RUNTIME\_DIR}/containers/auth.json**.

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--password**, **-p**=*password*

 Password for registry
@@ -34,6 +36,10 @@ Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth
 Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
 environment variable. `export REGISTRY_AUTH_FILE=path`

+**--compat-auth-file**=*path*
+
+Instead of updating the default credentials file, update the one at *path*, and use a Docker-compatible format.
+
 **--get-login**

 Return the logged-in user for the registry. Return error if no login is found.
@@ -57,41 +63,41 @@ Write more detailed information to stdout

 ## EXAMPLES

-```
+```console
 $ skopeo login docker.io
 Username: testuser
 Password:
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login -u testuser -p testpassword localhost:5000
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login --authfile authdir/myauths.json docker.io
 Username: testuser
 Password:
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login --tls-verify=false -u test -p test localhost:5000
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login --cert-dir /etc/containers/certs.d/ -u foo -p bar localhost:5000
 Login Succeeded!
 ```

-```
+```console
 $ skopeo login -u testuser  --password-stdin < testpassword.txt docker.io
 Login Succeeded!
 ```

-```
+```console
 $ echo $testpassword | skopeo login -u testuser --password-stdin docker.io
 Login Succeeded!
 ```
--- a/docs/skopeo-logout.1.md
+++ b/docs/skopeo-logout.1.md
@@ -14,6 +14,8 @@ All the cached credentials can be removed by setting the **all** flag.

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--authfile**=*path*

 Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json
@@ -21,6 +23,10 @@ Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth
 Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
 environment variable. `export REGISTRY_AUTH_FILE=path`

+**--compat-auth-file**=*path*
+
+Instead of updating the default credentials file, update the one at *path*, and use a Docker-compatible format.
+
 **--all**, **-a**

 Remove the cached credentials for all registries in the auth file
@@ -35,17 +41,17 @@ Require HTTPS and verify certificates when talking to the container registry or

 ## EXAMPLES

-```
+```console
 $ skopeo logout docker.io
 Remove login credentials for docker.io
 ```

-```
+```console
 $ skopeo logout --authfile authdir/myauths.json docker.io
 Remove login credentials for docker.io
 ```

-```
+```console
 $ skopeo logout --all
 Remove login credentials for all registries
 ```
--- a/docs/skopeo-manifest-digest.1.md
+++ b/docs/skopeo-manifest-digest.1.md
@@ -18,7 +18,7 @@ Print usage statement

 ## EXAMPLES

-```sh
+```console
 $ skopeo manifest-digest manifest.json
 sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
 ```
--- a/docs/skopeo-standalone-sign.1.md
+++ b/docs/skopeo-standalone-sign.1.md
@@ -17,6 +17,8 @@ This is primarily a debugging tool, useful for special cases, and usually should

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--help**, **-h**

 Print usage statement
@@ -31,7 +33,7 @@ The passphare to use when signing with the key ID from `--sign-by`. Only the fir

 ## EXAMPLES

-```sh
+```console
 $ skopeo standalone-sign busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 --output busybox.signature
 $
 ```
--- a/docs/skopeo-standalone-verify.1.md
+++ b/docs/skopeo-standalone-verify.1.md
@@ -4,7 +4,7 @@
 skopeo\-standalone\-verify - Verify an image signature.

 ## SYNOPSIS
-**skopeo standalone-verify** _manifest_ _docker-reference_ _key-fingerprint_ _signature_
+**skopeo standalone-verify** _manifest_ _docker-reference_ _key-fingerprints_ _signature_

 ## DESCRIPTION

@@ -16,7 +16,7 @@ as per containers-policy.json(5).

  _docker-reference_ A docker reference expected to identify the image in the signature

-  _key-fingerprint_ Expected identity of the signing key
+  _key-fingerprints_ Identities of trusted signing keys (comma separated), or "any" to trust any known key when using a public key file

  _signature_ Path to signature file

@@ -24,13 +24,19 @@ as per containers-policy.json(5).

 ## OPTIONS

+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--help**, **-h**

 Print usage statement

+**--public-key-file** _public key file_
+
+File containing the public keys to use when verifying signatures. If this is not specified, keys from the GPG homedir are used.
+
 ## EXAMPLES

-```sh
+```console
 $ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8  busybox.signature
 Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
 ```
--- a/docs/skopeo-sync.1.md
+++ b/docs/skopeo-sync.1.md
@@ -1,17 +1,14 @@
 % skopeo-sync(1)

 ## NAME
-skopeo\-sync - Synchronize images between container registries and local directories.
+skopeo\-sync - Synchronize images between registry repositories and local directories.


 ## SYNOPSIS
 **skopeo sync** [*options*] --src _transport_ --dest _transport_ _source_ _destination_

 ## DESCRIPTION
-Synchronize images between container registries and local directories.
-The synchronization is achieved by copying all the images found at _source_ to _destination_.
-
-Useful to synchronize a local container registry mirror, and to to populate registries running inside of air-gapped environments.
+Synchronize images between registry repositories and local directories. Synchronization is achieved by copying all the images found at _source_ to _destination_ - useful when synchronizing a local container registry mirror or for populating registries running inside of air-gapped environments.

 Differently from other skopeo commands, skopeo sync requires both source and destination transports to be specified separately from _source_ and _destination_.
 One of the problems of prefixing a destination with its transport is that, the registry `docker://hostname:port` would be wrongly interpreted as an image reference at a non-fully qualified registry, with `hostname` and `port` the image name and tag.
@@ -32,6 +29,9 @@ When the `--scoped` option is specified, images are prefixed with the source ima
 name can be stored at _destination_.

 ## OPTIONS
+
+See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
+
 **--all**, **-a**
 If one of the images in __src__ refers to a list of images, instead of copying just the image which matches the current OS and
 architecture (subject to the use of the global --override-os, --override-arch and --override-variant options), attempt to copy all of
@@ -50,6 +50,10 @@ Path of the authentication file for the source registry. Uses path given by `--a

 Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.

+**--dry-run**
+
+Run the sync without actually copying data to the destination.
+
 **--src**, **-s** _transport_ Transport for the source repository.

 **--dest**, **-d** _transport_ Destination transport.
@@ -62,13 +66,32 @@ Print usage statement.

 **--scoped** Prefix images with the source image path, so that multiple images with the same name can be stored at _destination_.

-**--preserve-digests** Preserve the digests during copying. Fail if the digest cannot be preserved.
+**--append-suffix** _tag-suffix_ String to append to destination tags.
+
+**--preserve-digests**
+
+Preserve the digests during copying. Fail if the digest cannot be preserved.
+
+This option does not change what will be copied; consider using `--all` at the same time.

 **--remove-signatures** Do not copy signatures, if any, from _source-image_. This is necessary when copying a signed image to a destination which does not support signatures.

-**--sign-by**=_key-id_ Add a signature using that key ID for an image name corresponding to _destination-image_.
+**--sign-by** _key-id_

-**--sign-passphrase-file**=_path_ The passphare to use when signing with the key ID from `--sign-by`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.
+Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_
+
+**--sign-by-sigstore** _param-file_
+
+Add a sigstore signature based on the options in the specified containers sigstore signing parameter file, _param-file_.
+See containers-sigstore-signing-params.yaml(5) for details about the file format.
+
+**--sign-by-sigstore-private-key** _path_
+
+Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
+
+**--sign-passphrase-file** _path_
+
+The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-private-key`. Only the first line will be read. A passphrase stored in a file is of questionable security if other users can read this file. Do not use this option if at all avoidable.

 **--src-creds** _username[:password]_ for accessing the source registry.

@@ -114,7 +137,7 @@ The password to access the destination registry.
 ## EXAMPLES

 ### Synchronizing to a local directory
-```
+```console
 $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
 ```
 Images are located at:
@@ -132,7 +155,7 @@ Images are located at:
 /media/usb/busybox:1-glibc
 ```
 Sync run
-```
+```console
 $ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
 ```
 Destination registry content:
@@ -142,7 +165,7 @@ my-registry.local.lan/test/busybox   1-glibc
 ```

 ### Synchronizing to a local directory, scoped
-```
+```console
 $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
 ```
 Images are located at:
@@ -155,8 +178,8 @@ Images are located at:
 ```

 ### Synchronizing to a container registry
-```
-skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
+```console
+$ skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
 ```
 Destination registry content:
 ```
@@ -165,8 +188,8 @@ registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
 ```

 ### Synchronizing to a container registry keeping the repository
-```
-skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
+```console
+$ skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
 ```
 Destination registry content:
 ```
@@ -174,6 +197,16 @@ REPO                              TAGS
 registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
 ```

+### Synchronizing to a container registry with tag suffix
+```console
+$ skopeo sync --src docker --dest docker --append-suffix '-mirror' registry.example.com/busybox my-registry.local.lan
+```
+Destination registry content:
+```
+REPO                         TAGS
+registry.local.lan/busybox   1-glibc-mirror, 1-musl-mirror, 1-ubuntu-mirror, ..., latest-mirror
+```
+
 ### YAML file content (used _source_ for `**--src yaml**`)

 ```yaml
@@ -186,6 +219,8 @@ registry.example.com:
            - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
    images-by-tag-regex:
        nginx: ^1\.13\.[12]-alpine-perl$
+    images-by-semver:
+        alpine: ">= 3.12.0"
    credentials:
        username: john
        password: this is a secret
@@ -198,14 +233,22 @@ quay.io:
            - latest
 ```
 If the yaml filename is `sync.yml`, sync run:
-```
-skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
+```console
+$ skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
 ```
 This will copy the following images:
 - Repository `registry.example.com/busybox`: all images, as no tags are specified.
 - Repository `registry.example.com/redis`: images tagged "1.0" and "2.0" along with image with digest "sha256:0000000000000000000000000000000011111111111111111111111111111111".
 - Repository `registry.example.com/nginx`: images tagged "1.13.1-alpine-perl" and "1.13.2-alpine-perl".
 - Repository `quay.io/coreos/etcd`: images tagged "latest".
+- Repository `registry.example.com/alpine`: all images with tags match the semantic version constraint ">= 3.12.0" ("3.12.0, "3.12.1", ... ,"4.0.0", ...)
+
+The full list of possible semantic version comparisons can be found in the
+upstream library's documentation:
+https://github.com/Masterminds/semver/tree/v3.2.0#basic-comparisons.
+
+Version ordering and precedence is understood as defined here:
+https://semver.org/#spec-item-11.

 For the registry `registry.example.com`, the "john"/"this is a secret" credentials are used, with server TLS certificates located at `/home/john/certs`.

--- a/docs/skopeo.1.md
+++ b/docs/skopeo.1.md
@@ -47,10 +47,13 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
  **oci-archive:**_path_**:**_tag_
  An image _tag_ in a tar archive compliant with "Open Container Image Layout Specification" at _path_.

-See [containers-transports(5)](https://github.com/containers/image/blob/master/docs/containers-transports.5.md) for details.
+See [containers-transports(5)](https://github.com/containers/image/blob/main/docs/containers-transports.5.md) for details.

 ## OPTIONS

+These options should be placed before the subcommand name.
+Individual subcommands have their own options.
+
 **--command-timeout** _duration_

 Timeout for the command execution.
@@ -101,23 +104,24 @@ Print the version number
 | ----------------------------------------- | ------------------------------------------------------------------------------ |
 | [skopeo-copy(1)](skopeo-copy.1.md)        | Copy an image (manifest, filesystem layers, signatures) from one location to another. |
 | [skopeo-delete(1)](skopeo-delete.1.md)    | Mark the _image-name_ for later deletion by the registry's garbage collector.  |
+| [skopeo-generate-sigstore-key(1)](skopeo-generate-sigstore-key.1.md)    | Generate a sigstore public/private key pair.  |
 | [skopeo-inspect(1)](skopeo-inspect.1.md)  | Return low-level information about _image-name_ in a registry.                 |
-| [skopeo-list-tags(1)](skopeo-list-tags.1.md)  | List tags in the transport-specific image repository.                      |
+| [skopeo-list-tags(1)](skopeo-list-tags.1.md)  | List image names in a transport-specific collection of images.|
 | [skopeo-login(1)](skopeo-login.1.md)  | Login to a container registry. |
 | [skopeo-logout(1)](skopeo-logout.1.md)  | Logout of a container registry. |
 | [skopeo-manifest-digest(1)](skopeo-manifest-digest.1.md)    | Compute a manifest digest for a manifest-file and write it to standard output. |
 | [skopeo-standalone-sign(1)](skopeo-standalone-sign.1.md)    | Debugging tool - Publish and sign an image in one step.      |
 | [skopeo-standalone-verify(1)](skopeo-standalone-verify.1.md)| Verify an image signature.                                   |
-| [skopeo-sync(1)](skopeo-sync.1.md)| Synchronize images between container registries and local directories.                 |
+| [skopeo-sync(1)](skopeo-sync.1.md)| Synchronize images between registry repositories and local directories.                |

 ## FILES
  **/etc/containers/policy.json**
  Default trust policy file, if **--policy** is not specified.
-  The policy format is documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md) .
+  The policy format is documented in [containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md) .

  **/etc/containers/registries.d**
  Default directory containing registry configuration, if **--registries.d** is not specified.
-  The contents of this directory are documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md).
+  The contents of this directory are documented in [containers-registries.d(5)](https://github.com/containers/image/blob/main/docs/containers-registries.d.5.md).

 ## SEE ALSO
 skopeo-login(1), docker-login(1), containers-auth.json(5), containers-storage.conf(5), containers-policy.json(5), containers-transports(5)
--- a/docs/skopeo.svg
+++ b/docs/skopeo.svg
@@ -1,546 +1,74 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:xlink="http://www.w3.org/1999/xlink"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="480.61456"
-   height="472.66098"
-   viewBox="0 0 127.1626 125.05822"
-   version="1.1"
-   id="svg8"
-   inkscape:version="0.92.2 5c3e80d, 2017-08-06"
-   sodipodi:docname="skopeo.svg"
-   inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/skopeo.color.png"
-   inkscape:export-xdpi="90"
-   inkscape:export-ydpi="90">
-  <defs
-     id="defs2">
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84477">
-      <stop
-         style="stop-color:#0093d9;stop-opacity:1"
-         offset="0"
-         id="stop84473" />
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1"
-         offset="1"
-         id="stop84475" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84469">
-      <stop
-         style="stop-color:#f6e6c8;stop-opacity:1"
-         offset="0"
-         id="stop84465" />
-      <stop
-         style="stop-color:#dc9f2e;stop-opacity:1"
-         offset="1"
-         id="stop84467" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84461">
-      <stop
-         style="stop-color:#bfdce8;stop-opacity:1;"
-         offset="0"
-         id="stop84457" />
-      <stop
-         style="stop-color:#2a72ac;stop-opacity:1"
-         offset="1"
-         id="stop84459" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84420">
-      <stop
-         style="stop-color:#a7a9ac;stop-opacity:1;"
-         offset="0"
-         id="stop84416" />
-      <stop
-         style="stop-color:#e7e8e9;stop-opacity:1"
-         offset="1"
-         id="stop84418" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84347">
-      <stop
-         style="stop-color:#2c2d2f;stop-opacity:1;"
-         offset="0"
-         id="stop84343" />
-      <stop
-         style="stop-color:#000000;stop-opacity:1"
-         offset="1"
-         id="stop84345" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84339">
-      <stop
-         style="stop-color:#002442;stop-opacity:1;"
-         offset="0"
-         id="stop84335" />
-      <stop
-         style="stop-color:#151617;stop-opacity:1"
-         offset="1"
-         id="stop84337" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84331">
-      <stop
-         style="stop-color:#003d6e;stop-opacity:1;"
-         offset="0"
-         id="stop84327" />
-      <stop
-         style="stop-color:#59b5ff;stop-opacity:1"
-         offset="1"
-         id="stop84329" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       id="linearGradient84323">
-      <stop
-         style="stop-color:#dc9f2e;stop-opacity:1;"
-         offset="0"
-         id="stop84319" />
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1"
-         offset="1"
-         id="stop84321" />
-    </linearGradient>
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84325"
-       x1="221.5741"
-       y1="250.235"
-       x2="219.20772"
-       y2="221.99771"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84331"
-       id="linearGradient84333"
-       x1="223.23239"
-       y1="212.83418"
-       x2="245.52328"
-       y2="129.64345"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84339"
-       id="linearGradient84341"
-       x1="190.36137"
-       y1="217.8925"
-       x2="205.20828"
-       y2="209.32063"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84347"
-       id="linearGradient84349"
-       x1="212.05453"
-       y1="215.20055"
-       x2="237.73705"
-       y2="230.02835"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84363"
-       x1="193.61516"
-       y1="225.045"
-       x2="224.08698"
-       y2="223.54327"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84323"
-       id="linearGradient84377"
-       x1="182.72513"
-       y1="222.54439"
-       x2="184.01024"
-       y2="210.35291"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84408"
-       x1="211.73801"
-       y1="225.48302"
-       x2="204.24324"
-       y2="238.46432"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84422"
-       x1="190.931"
-       y1="221.83777"
-       x2="187.53873"
-       y2="229.26593"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84339"
-       id="linearGradient84425"
-       gradientUnits="userSpaceOnUse"
-       x1="190.36137"
-       y1="217.8925"
-       x2="205.20828"
-       y2="209.32063"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84441"
-       x1="169.95944"
-       y1="215.77036"
-       x2="174.0289"
-       y2="207.81528"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84420"
-       id="linearGradient84455"
-       x1="234.08092"
-       y1="252.39755"
-       x2="245.88477"
-       y2="251.21777"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84461"
-       id="radialGradient84463"
-       cx="213.19594"
-       cy="223.40646"
-       fx="214.12064"
-       fy="217.34077"
-       r="33.39888"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="matrix(2.6813748,0.05304973,-0.0423372,2.1399146,-349.74924,-255.6421)" />
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84469"
-       id="radialGradient84471"
-       cx="207.18298"
-       cy="211.06483"
-       fx="207.18298"
-       fy="211.06483"
-       r="2.77954"
-       gradientTransform="matrix(1.4407627,0.18685239,-0.24637721,1.8997405,-38.989952,-218.98841)"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient84477"
-       id="linearGradient84479"
-       x1="241.60336"
-       y1="255.46982"
-       x2="244.45177"
-       y2="250.4846"
-       gradientUnits="userSpaceOnUse"
-       gradientTransform="translate(0,10.583333)" />
+<svg width="168.71024mm" height="145.54036mm" viewBox="0 0 168.71024 145.54036" version="1.1" id="svg2674" inkscape:version="1.2 (dc2aedaf03, 2022-05-15)" sodipodi:docname="skopeo-badge-full-vert.svg" inkscape:export-filename="skopeo-badge-full-vert.png" inkscape:export-xdpi="51.86108" inkscape:export-ydpi="51.86108" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <defs id="defs2668">
+    <inkscape:path-effect is_visible="true" id="path-effect10334" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect10336" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect9986" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect9984" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect10300" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect10304" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect124972" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect124976" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163593" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163605" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163611" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163615" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163619" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163629" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163633" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163651" effect="spiro" lpeversion="0"/>
+    <inkscape:path-effect effect="spiro" id="path-effect163655" is_visible="true" lpeversion="0"/>
+    <inkscape:path-effect is_visible="true" id="path-effect163597" effect="spiro" lpeversion="0"/>
  </defs>
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="1"
-     inkscape:cx="517.27113"
-     inkscape:cy="314.79773"
-     inkscape:document-units="mm"
-     inkscape:current-layer="layer1"
-     inkscape:document-rotation="0"
-     showgrid="false"
-     units="px"
-     inkscape:snap-global="false"
-     inkscape:window-width="2560"
-     inkscape:window-height="1376"
-     inkscape:window-x="0"
-     inkscape:window-y="27"
-     inkscape:window-maximized="1"
-     fit-margin-top="0"
-     fit-margin-left="0"
-     fit-margin-right="0"
-     fit-margin-bottom="0" />
-  <metadata
-     id="metadata5">
+  <sodipodi:namedview id="base" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:pageopacity="0.0" inkscape:pageshadow="2" inkscape:zoom="0.7" inkscape:cx="399.28571" inkscape:cy="187.14286" inkscape:document-units="mm" inkscape:current-layer="g1208" showgrid="false" fit-margin-top="10" fit-margin-left="10" fit-margin-right="10" fit-margin-bottom="10" inkscape:window-width="2560" inkscape:window-height="1403" inkscape:window-x="0" inkscape:window-y="0" inkscape:window-maximized="1" inkscape:pagecheckerboard="0" inkscape:showpageshadow="2" inkscape:deskcolor="#d1d1d1"/>
+  <metadata id="metadata2671">
    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
+      <cc:Work rdf:about="">
        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title />
+        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage"/>
      </cc:Work>
    </rdf:RDF>
  </metadata>
-  <g
-     inkscape:label="Layer 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(-149.15784,-175.92614)">
-    <g
-       id="g84497"
-       style="stroke-width:1.32291663;stroke-miterlimit:4;stroke-dasharray:none"
-       transform="translate(0,10.583333)">
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84485"
-         width="31.605196"
-         height="19.16976"
-         x="299.48376"
-         y="87.963303"
-         transform="rotate(30)" />
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84487"
-         width="16.725054"
-         height="9.8947001"
-         x="258.07639"
-         y="92.60083"
-         transform="rotate(30)" />
-      <rect
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         id="rect84489"
-         width="4.8383565"
-         height="11.503917"
-         x="253.2236"
-         y="91.796227"
-         transform="rotate(30)" />
-      <rect
-         y="86.859642"
-         x="331.21924"
-         height="21.377089"
-         width="4.521956"
-         id="rect84491"
-         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-         transform="rotate(30)" />
+  <g inkscape:label="Layer 1" inkscape:groupmode="layer" id="layer1" transform="translate(378.90631,201.21016)">
+    <g id="g1208">
+      <g id="g81584" transform="matrix(1.7276536,0,0,1.7276536,-401.82487,-530.26362)" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/new skopeo/skopeo-logomark_medium_transparent-bg.png" inkscape:export-xdpi="51.86108" inkscape:export-ydpi="51.86108">
+        <g style="fill:#ffffff;fill-opacity:1;stroke:#3c6eb4;stroke-opacity:1" id="g81528" transform="translate(-734.38295,98.0028)">
+          <path inkscape:connector-curvature="0" style="opacity:1;fill:#ffffff;fill-opacity:1;stroke:#3c6eb4;stroke-width:1.05833;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 796.57913,145.63255 -19.29817,-9.23285 -4.82036,-20.8616 13.2871,-16.780616 21.38926,-0.06408 13.38485,16.701146 -4.69887,20.8897 z" id="path81526"/>
+        </g>
+        <g transform="matrix(0.43729507,0,0,0.43729507,42.235192,80.461942)" id="g81554">
+          <rect style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81530" width="16.725054" height="9.8947001" x="158.13725" y="255.21965" transform="rotate(30)"/>
+          <rect style="fill:#ffffff;stroke:#000000;stroke-width:1.32292;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6" id="rect81532" width="4.8383565" height="11.503917" x="153.28447" y="254.41505" transform="rotate(30)"/>
+          <path sodipodi:nodetypes="cczc" inkscape:connector-curvature="0" id="path81534" d="m 78.802289,335.54596 -9.111984,15.78242 c 1.40192,0.25963 4.990131,-0.63196 7.869989,-5.61868 2.879866,-4.98671 2.168498,-9.07865 1.241995,-10.16374 z" style="fill:#9dc6e7;fill-opacity:1;stroke:#2a72ac;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1"/>
+          <rect transform="rotate(30)" y="250.58212" x="199.54463" height="19.16976" width="31.605196" id="rect81536" style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1"/>
+          <rect transform="rotate(30)" style="fill:#b3b3b3;fill-opacity:1;stroke:#808080;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81538" width="16.459545" height="15.252436" x="178.48766" y="252.54079"/>
+          <g style="stroke:#808080;stroke-opacity:1" id="g81548">
+            <rect style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81540" width="4.521956" height="21.377089" x="195.04353" y="249.47847" transform="rotate(30)"/>
+            <rect y="251.64348" x="174.76939" height="17.047071" width="3.617183" id="rect81542" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" transform="rotate(30)"/>
+            <rect style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="rect81544" width="4.8383565" height="11.503917" x="153.28447" y="254.41505" transform="rotate(30)"/>
+            <rect y="249.47847" x="231.28011" height="21.377089" width="4.521956" id="rect81546" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81574;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" transform="rotate(30)"/>
+          </g>
+          <path inkscape:connector-curvature="0" id="path81550" d="m 47.691007,322.31629 22.49734,12.98884" style="fill:#ffffff;fill-rule:evenodd;stroke:#ffffff;stroke-width:3.02523;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"/>
+          <path style="fill:#ffffff;fill-rule:evenodd;stroke:#ffffff;stroke-width:3.02523;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 27.886021,312.45704 9.423431,5.07506" id="path81552" inkscape:connector-curvature="0"/>
+        </g>
+        <g transform="matrix(0.43729507,0,0,0.43729507,42.235192,101.28812)" id="g81568">
+          <path style="fill:#2a72ac;fill-opacity:1;stroke:#003e6f;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" d="m 34.507847,231.71327 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z" id="path81556" inkscape:connector-curvature="0" sodipodi:nodetypes="cccccc"/>
+          <path sodipodi:nodetypes="ccccc" inkscape:connector-curvature="0" id="path81558" d="m 28.119527,245.45648 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z" style="fill:#808080;fill-opacity:1;stroke:#000000;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6"/>
+          <path style="fill:#4d4d4d;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 24.616967,251.5299 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z" id="path81560" inkscape:connector-curvature="0" sodipodi:nodetypes="ccccc"/>
+          <ellipse ry="3.8438656" rx="3.8395541" style="fill:#e1ae4f;fill-opacity:1;stroke:#a1721b;stroke-width:1.81514;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:6;stroke-opacity:1" id="ellipse81562" cx="39.230743" cy="255.66997"/>
+          <path sodipodi:nodetypes="ccc" style="fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#9dc6e7;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 71.999346,266.02935 -8.9307,-5.38071 10.81942,-5.07707" id="path81564" inkscape:connector-curvature="0"/>
+          <path style="fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#9dc6e7;stroke-width:1.81514;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 35.169799,245.57008 10.37702,-6.1817 -7.12581,-2.30459" id="path81566" inkscape:connector-curvature="0" sodipodi:nodetypes="ccc"/>
+        </g>
+        <g style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-opacity:1" id="g81582" transform="translate(0.69195604,69.064926)">
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 83.087609,145.72448 -3.6551,1.27991" id="path81570" inkscape:connector-curvature="0" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 51.138114,129.84674 1.971302,3.71206" id="path81572" inkscape:connector-curvature="0" inkscape:export-xdpi="96.181694" inkscape:export-ydpi="96.181694"/>
+          <path inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png" inkscape:connector-curvature="0" id="path81574" d="m 70.63337,129.84674 -2.345479,4.17978" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" sodipodi:nodetypes="cc" inkscape:export-xdpi="96.181694" inkscape:export-ydpi="96.181694"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" inkscape:connector-curvature="0" id="path81576" d="m 61.405599,166.31541 v 5.83669" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" inkscape:connector-curvature="0" id="path81578" d="m 43.729779,164.25283 4.216366,-4.18995" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" sodipodi:nodetypes="cc" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+          <path inkscape:export-ydpi="96.181694" inkscape:export-xdpi="96.181694" sodipodi:nodetypes="cc" style="fill:none;fill-opacity:1;stroke:#9dc6e7;stroke-width:0.79375;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" d="m 79.100039,164.25283 -1.50358,-1.57071" id="path81580" inkscape:connector-curvature="0" inkscape:export-filename="/home/duffy/Documents/Projects/Favors/Buildah logo/final/color-not-color.png"/>
+        </g>
+      </g>
+      <text id="text81524" y="-73.044861" x="-363.40085" style="font-style:normal;font-weight:normal;font-size:37.592px;line-height:22.5552px;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#e1ae4f;fill-opacity:1;stroke:none;stroke-width:0.264583px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" xml:space="preserve"><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#e1ae4f;fill-opacity:1;stroke-width:0.264583px" y="-73.044861" x="-363.40085" id="tspan81522" sodipodi:role="line" dx="0 0 0 0 0 0"><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#294172;fill-opacity:1" id="tspan81514">sk</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#2a72ac;fill-opacity:1" id="tspan81516">o</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#294172;fill-opacity:1" id="tspan81518">pe</tspan><tspan style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-family:Montserrat;-inkscape-font-specification:'Montserrat Medium';fill:#2a72ac;fill-opacity:1" id="tspan81520">o</tspan></tspan></text>
    </g>
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
-       id="path84483"
-       inkscape:connector-curvature="0" />
-    <path
-       sodipodi:nodetypes="cccccc"
-       inkscape:connector-curvature="0"
-       id="path84481"
-       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <circle
-       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="path84224"
-       cx="213.64427"
-       cy="234.18927"
-       r="35.482784" />
-    <circle
-       r="33.39888"
-       cy="234.18927"
-       cx="213.64427"
-       id="circle84226"
-       style="fill:url(#radialGradient84463);fill-opacity:1;stroke:none;stroke-width:0.52916664;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84114"
-       width="31.605196"
-       height="19.16976"
-       x="304.77545"
-       y="97.128738"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84116"
-       width="4.521956"
-       height="21.377089"
-       x="300.27435"
-       y="96.025078"
-       transform="rotate(30)" />
-    <rect
-       y="99.087395"
-       x="283.71848"
-       height="15.252436"
-       width="16.459545"
-       id="rect84118"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <rect
-       y="98.190086"
-       x="280.00021"
-       height="17.047071"
-       width="3.617183"
-       id="rect84120"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84122"
-       width="16.725054"
-       height="9.8947001"
-       x="263.36807"
-       y="101.76627"
-       transform="rotate(30)" />
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       id="rect84124"
-       width="4.8383565"
-       height="11.503917"
-       x="258.51526"
-       y="100.96166"
-       transform="rotate(30)" />
-    <rect
-       y="96.025078"
-       x="336.51093"
-       height="21.377089"
-       width="4.521956"
-       id="rect84126"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       transform="rotate(30)" />
-    <path
-       style="fill:url(#linearGradient84325);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 207.24023,252.71811 25.53907,14.74414 8.52539,-14.76953 -25.53711,-14.74415 z"
-       id="rect84313"
-       inkscape:connector-curvature="0" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84128"
-       d="m 215.3335,241.36799 22.49734,12.98884"
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84130"
-       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 195.97877,212.80238 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z"
-       id="path84134"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccccc" />
-    <path
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
-       id="path84136"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="cccccc" />
-    <path
-       style="fill:url(#linearGradient84422);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 186.31445,239.41146 1.30078,0.75 7.46485,-12.92968 -1.30078,-0.75 z"
-       id="rect84410"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84349);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 193.92188,218.48568 44.21289,25.55469 2.44335,-4.23242 -44.21289,-25.55664 z"
-       id="path84284"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84363);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 189.98438,240.4935 12.42187,7.16992 6.56641,-11.375 -12.42188,-7.16992 z"
-       id="rect84351"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84377);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 173.69727,227.99936 12.65234,7.30273 3.88867,-6.73633 -12.65234,-7.30273 z"
-       id="rect84365"
-       inkscape:connector-curvature="0" />
-    <path
-       sodipodi:nodetypes="ccccc"
-       inkscape:connector-curvature="0"
-       id="path84138"
-       d="m 192.47621,218.8758 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z"
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <ellipse
-       cy="223.01579"
-       cx="207.08998"
-       id="circle84140"
-       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       rx="3.8395541"
-       ry="3.8438656" />
-    <path
-       style="fill:url(#linearGradient84333);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
-       d="m 197.35938,212.35287 44.36523,25.64453 7.58984,-10.83203 -20.82617,-18.73242 -25.55078,-8.08399 z"
-       id="path84272"
-       inkscape:connector-curvature="0" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84142"
-       d="m 200.6837,212.37603 11.49279,-6.98413 -8.11935,-2.73742"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
-    <path
-       inkscape:connector-curvature="0"
-       id="path84144"
-       d="m 241.31895,235.3047 -8.04514,-4.75769 10.057,-4.72299"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       sodipodi:nodetypes="ccc" />
-    <path
-       sodipodi:nodetypes="ccc"
-       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.52899998;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 241.06868,235.79543 -8.9307,-5.38071 10.81942,-5.07707"
-       id="path84280"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 200.60886,211.70589 10.37702,-6.1817 -7.12581,-2.30459"
-       id="path84290"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccc" />
-    <path
-       style="fill:url(#radialGradient84471);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 206.89258,220.23959 -0.29297,0.0352 -0.23633,0.0527 -0.26953,0.0898 -0.2793,0.125 -0.23437,0.13477 -0.20508,0.14648 -0.2207,0.19532 -0.18946,0.20117 -0.006,0.008 0.004,-0.008 -0.006,0.01 -0.008,0.01 -0.004,0.004 -0.006,0.006 -0.12109,0.1582 -0.002,0.004 -0.002,0.002 -0.16406,0.26758 -0.12109,0.24804 -0.0996,0.28125 -0.0645,0.24219 -0.0371,0.26367 -0.0176,0.31641 0.008,0.18164 0.0332,0.28711 0.0527,0.23437 0.004,0.0117 0.0937,0.28516 0.11133,0.24805 0.13086,0.23046 0.16992,0.23829 0.1836,0.20898 0.21093,0.19727 0.19532,0.14843 0.25586,0.15625 0.24218,0.11719 0.26172,0.0977 0.27344,0.0684 0.27344,0.043 0.29297,0.0137 0.18164,-0.008 0.29687,-0.0351 0.24024,-0.0547 0.27539,-0.0898 0.24218,-0.10938 0.25,-0.14453 0.23047,-0.16406 0.20899,-0.1836 0.20508,-0.21875 0.125,-0.16406 0.004,-0.006 0.1582,-0.25781 0.004,-0.008 0.12695,-0.26172 0.0996,-0.27344 0.002,-0.006 0.0586,-0.24023 0.0391,-0.26563 0.0176,-0.3125 -0.008,-0.17968 -0.0332,-0.28711 -0.0527,-0.23438 -0.004,-0.0117 -0.0937,-0.28515 -0.11132,-0.24805 -0.13086,-0.23047 -0.16993,-0.23828 -0.18554,-0.20899 -0.19922,-0.18945 -0.21875,-0.16406 -0.23828,-0.14844 -0.26563,-0.12695 -0.01,-0.004 -0.21875,-0.0801 -0.28516,-0.0723 -0.27344,-0.043 -0.29492,-0.0137 z"
-       id="ellipse84292"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84425);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 183.23633,227.10092 c 5.59753,3.20336 12.36881,4.51528 18.71366,3.17108 1.59516,-0.38 3.17489,-0.99021 4.44874,-2.04739 -0.73893,-0.64617 -1.68301,-0.99544 -2.49844,-1.53493 -3.78032,-2.18293 -7.56064,-4.36587 -11.34096,-6.5488 -3.10767,2.32001 -6.21533,4.64003 -9.323,6.96004 z"
-       id="path84298"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="cccccc" />
-    <path
-       style="fill:url(#linearGradient84479);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 238.62695,269.97787 0.006,-0.002 0.39453,-0.27735 0.41797,-0.34179 0.002,-0.002 0.45703,-0.42382 0.47851,-0.49219 0.0156,-0.0176 0.47656,-0.53711 0.002,-0.002 0.0117,-0.0137 0.48438,-0.5918 0.0117,-0.0156 0.49023,-0.64257 0.01,-0.0137 0.49609,-0.69726 0.48047,-0.71875 0.01,-0.0137 0.46485,-0.74805 0.004,-0.008 0.002,-0.002 0.30468,-0.51562 0.008,-0.0117 0.4375,-0.78711 0.40625,-0.77734 0.008,-0.0137 0.37109,-0.77149 0.008,-0.0156 0.33789,-0.75977 0.006,-0.0156 0.30078,-0.73829 0.27148,-0.74609 0.21289,-0.66602 0.17969,-0.66796 v -0.002 l 0.12305,-0.58203 0.002,-0.0137 0.0723,-0.51562 0.0176,-0.31836 z"
-       id="path84379"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84408);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 202.78906,251.42318 2.08399,1.20118 9.6289,-16.67969 -2.08203,-1.20117 z"
-       id="rect84396"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84441);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 169.0918,226.26889 2.35937,1.36133 4.69336,-8.13086 -2.35937,-1.36133 z"
-       id="rect84429"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:url(#linearGradient84455);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
-       d="m 234.17188,269.53842 2.08203,1.20312 9.63086,-16.67773 -2.08399,-1.20313 z"
-       id="rect84443"
-       inkscape:connector-curvature="0" />
-    <path
-       style="fill:#ffffff;fill-rule:evenodd;stroke:#f8ead2;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 215.55025,240.82707 22.49734,12.98884"
-       id="path84521"
-       inkscape:connector-curvature="0" />
  </g>
 </svg>
--- a/go.mod
+++ b/go.mod
@@ -1,103 +1,140 @@
 module github.com/containers/skopeo

-go 1.17
+go 1.19

 require (
-	github.com/containers/common v0.47.4
-	github.com/containers/image/v5 v5.19.1
-	github.com/containers/ocicrypt v1.1.2
-	github.com/containers/storage v1.38.2
-	github.com/docker/docker v20.10.12+incompatible
+	github.com/Masterminds/semver/v3 v3.2.1
+	github.com/containers/common v0.58.4
+	github.com/containers/image/v5 v5.30.2
+	github.com/containers/ocicrypt v1.1.10
+	github.com/containers/storage v1.53.0
+	github.com/docker/distribution v2.8.3+incompatible
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.3-0.20211202193544-a5463b7f9c84
+	github.com/opencontainers/image-spec v1.1.0
 	github.com/opencontainers/image-tools v1.0.0-rc3
-	github.com/pkg/errors v0.9.1
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.3.0
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.7.0
+	github.com/stretchr/testify v1.9.0
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
-	gopkg.in/yaml.v2 v2.4.0
+	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
+	golang.org/x/term v0.18.0
+	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	github.com/BurntSushi/toml v1.0.0 // indirect
-	github.com/Microsoft/go-winio v0.5.1 // indirect
-	github.com/Microsoft/hcsshim v0.9.2 // indirect
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/hcsshim v0.12.0-rc.3 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/containerd/cgroups v1.0.1 // indirect
-	github.com/containerd/containerd v1.5.9 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.11.0 // indirect
-	github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b // indirect
-	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/containerd/cgroups/v3 v3.0.2 // indirect
+	github.com/containerd/errdefs v0.1.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
+	github.com/coreos/go-oidc/v3 v3.9.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/distribution v2.8.0+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.4 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
-	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
+	github.com/distribution/reference v0.5.0 // indirect
+	github.com/docker/docker v25.0.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.1 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/analysis v0.21.4 // indirect
+	github.com/go-openapi/errors v0.21.1 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/loads v0.21.2 // indirect
+	github.com/go-openapi/runtime v0.26.0 // indirect
+	github.com/go-openapi/spec v0.20.9 // indirect
+	github.com/go-openapi/strfmt v0.22.2 // indirect
+	github.com/go-openapi/swag v0.22.10 // indirect
+	github.com/go-openapi/validate v0.22.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/go-containerregistry v0.19.0 // indirect
 	github.com/google/go-intervals v0.0.2 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.14.2 // indirect
-	github.com/klauspost/pgzip v1.2.5 // indirect
-	github.com/kr/pretty v0.2.1 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/miekg/pkcs11 v1.0.3 // indirect
-	github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible // indirect
-	github.com/moby/sys/mountinfo v0.5.0 // indirect
+	github.com/mattn/go-sqlite3 v1.14.22 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mistifyio/go-zfs/v3 v3.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/sys/mountinfo v0.7.1 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/opencontainers/runc v1.1.0 // indirect
-	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect
-	github.com/opencontainers/selinux v1.10.0 // indirect
-	github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/opencontainers/runtime-spec v1.2.0 // indirect
+	github.com/opencontainers/selinux v1.11.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/ostreedev/ostree-go v0.0.0-20210805093236-719684c64e4f // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/proglottis/gpgme v0.1.1 // indirect
-	github.com/prometheus/client_golang v1.11.1 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.26.0 // indirect
-	github.com/prometheus/procfs v0.6.0 // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/proglottis/gpgme v0.1.3 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/russross/blackfriday v2.0.0+incompatible // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
+	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/sigstore/fulcio v1.4.3 // indirect
+	github.com/sigstore/rekor v1.2.2 // indirect
+	github.com/sigstore/sigstore v1.8.2 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect
-	github.com/sylabs/sif/v2 v2.3.1 // indirect
-	github.com/tchap/go-patricia v2.3.0+incompatible // indirect
-	github.com/ulikunitz/xz v0.5.10 // indirect
-	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/vbauerster/mpb/v7 v7.3.2 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b // indirect
+	github.com/sylabs/sif/v2 v2.15.1 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/ulikunitz/xz v0.5.11 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/vbauerster/mpb/v8 v8.7.2 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	go.etcd.io/bbolt v1.3.6 // indirect
-	go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect
-	go.opencensus.io v0.23.0 // indirect
-	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/term v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
-	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
-	google.golang.org/grpc v1.42.0 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect
+	go.opentelemetry.io/otel v1.19.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 // indirect
+	go.opentelemetry.io/otel/metric v1.19.0 // indirect
+	go.opentelemetry.io/otel/trace v1.19.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/mod v0.15.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/oauth2 v0.18.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.18.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect
+	google.golang.org/grpc v1.59.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/hack/btrfs_installed_tag.sh
+++ b/hack/btrfs_installed_tag.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 cc -E - > /dev/null 2> /dev/null << EOF
 #include <btrfs/ioctl.h>
 EOF
--- a/hack/btrfs_tag.sh
+++ b/hack/btrfs_tag.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 cc -E - > /dev/null 2> /dev/null << EOF
 #include <btrfs/version.h>
 EOF
--- a/hack/libdm_tag.sh
+++ b/hack/libdm_tag.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 tmpdir="$PWD/tmp.$RANDOM"
 mkdir -p "$tmpdir"
 trap 'rm -fr "$tmpdir"' EXIT
--- a/hack/libsubid_tag.sh
+++ b/hack/libsubid_tag.sh
@@ -5,11 +5,16 @@ fi
 tmpdir="$PWD/tmp.$RANDOM"
 mkdir -p "$tmpdir"
 trap 'rm -fr "$tmpdir"' EXIT
-cc -o "$tmpdir"/libsubid_tag -l subid -x c - > /dev/null 2> /dev/null << EOF
+cc -o "$tmpdir"/libsubid_tag -x c - -l subid > /dev/null 2> /dev/null << EOF
 #include <shadow/subid.h>
+#include <stdlib.h>
 int main() {
 	struct subid_range *ranges = NULL;
+#if SUBID_ABI_MAJOR >= 4
+	subid_get_uid_ranges("root", &ranges);
+#else
 	get_subuid_ranges("root", &ranges);
+#endif
 	free(ranges);
 	return 0;
 }
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -1,92 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# This script builds various binary from a checkout of the skopeo
-# source code. DO NOT CALL THIS SCRIPT DIRECTLY.
-#
-# Requirements:
-# - The current directory should be a checkout of the skopeo source code
-#   (https://github.com/containers/skopeo). Whatever version is checked out
-#   will be built.
-# - The script is intended to be run inside the container specified
-#   in the output of hack/get_fqin.sh
-# - The right way to call this script is to invoke "make" from
-#   your checkout of the skopeo repository.
-#   the Makefile will do a "docker build -t skopeo ." and then
-#   "docker run hack/make.sh" in the resulting image.
-#
-
-set -o pipefail
-
-export SKOPEO_PKG='github.com/containers/skopeo'
-export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-export MAKEDIR="$SCRIPTDIR/make"
-
-# Set this to 1 to enable installation/modification of environment/services
-export SKOPEO_CONTAINER_TESTS=${SKOPEO_CONTAINER_TESTS:-0}
-
-if [[ "$SKOPEO_CONTAINER_TESTS" == "0" ]] && [[ "$CI" != "true" ]]; then
-    (
-    echo "***************************************************************"
-    echo "WARNING: Executing tests directly on the local development"
-    echo "         host is highly discouraged.  Many important items"
-    echo "         will be skipped.  For manual execution, please utilize"
-    echo "         the Makefile targets WITHOUT the '-local' suffix."
-    echo "***************************************************************"
-    ) > /dev/stderr
-    sleep 5s
-fi
-
-echo
-
-# List of bundles to create when no argument is passed
-# TODO(runcom): these are the one left from Docker...for now
-# test-unit
-# validate-dco
-# cover
-DEFAULT_BUNDLES=(
-	validate-gofmt
-	validate-lint
-	validate-vet
-	validate-git-marks
-
-	test-integration
-)
-
-# Go module support: set `-mod=vendor` to use the vendored sources
-# See also the top-level Makefile.
-mod_vendor=
-if go help mod >/dev/null 2>&1; then
-  export GO111MODULE=on
-  mod_vendor='-mod=vendor'
-fi
-
-go_test_dir() {
-	dir=$1
-	(
-		echo '+ go test' $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"} "${SKOPEO_PKG}${dir#.}"
-		cd "$dir"
-		export DEST="$ABS_DEST" # we're in a subshell, so this is safe -- our integration-cli tests need DEST, and "cd" screws it up
-		go test $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
-	)
-}
-
-bundle() {
-	local bundle="$1"; shift
-	echo "---> Making bundle: $(basename "$bundle")"
-	source "$SCRIPTDIR/make/$bundle" "$@"
-}
-
-main() {
-	if [ $# -lt 1 ]; then
-		bundles=(${DEFAULT_BUNDLES[@]})
-	else
-		bundles=($@)
-	fi
-	for bundle in ${bundles[@]}; do
-		bundle "$bundle"
-		echo
-	done
-}
-
-main "$@"
--- a/hack/make/.validate
+++ b/hack/make/.validate
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-if [ -z "$VALIDATE_UPSTREAM" ]; then
-	# this is kind of an expensive check, so let's not do this twice if we
-	# are running more than one validate bundlescript
-	
-	VALIDATE_REPO='https://github.com/containers/skopeo.git'
-	VALIDATE_BRANCH='main'
-	
-	if [ "$TRAVIS" = 'true' -a "$TRAVIS_PULL_REQUEST" != 'false' ]; then
-		VALIDATE_REPO="https://github.com/${TRAVIS_REPO_SLUG}.git"
-		VALIDATE_BRANCH="${TRAVIS_BRANCH}"
-	fi
-	
-	VALIDATE_HEAD="$(git rev-parse --verify HEAD)"
-	
-	git fetch -q "$VALIDATE_REPO" "refs/heads/$VALIDATE_BRANCH"
-	VALIDATE_UPSTREAM="$(git rev-parse --verify FETCH_HEAD)"
-	
-	VALIDATE_COMMIT_LOG="$VALIDATE_UPSTREAM..$VALIDATE_HEAD"
-	VALIDATE_COMMIT_DIFF="$VALIDATE_UPSTREAM...$VALIDATE_HEAD"
-	
-	validate_diff() {
-		git diff "$VALIDATE_UPSTREAM" "$@"
-	}
-	validate_log() {
-		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then
-			git log "$VALIDATE_COMMIT_LOG" "$@"
-		fi
-	}
-fi
--- a/hack/make/test-integration
+++ b/hack/make/test-integration
@@ -1,12 +0,0 @@
-#!/bin/bash
-set -e
-
-bundle_test_integration() {
-	go_test_dir ./integration
-}
-
-# subshell so that we can export PATH without breaking other things
-(
-	make PREFIX=/usr install
-	bundle_test_integration
-) 2>&1
--- a/hack/make/test-system
+++ b/hack/make/test-system
@@ -1,24 +0,0 @@
-#!/bin/bash
-set -e
-
-# These tests can run in/outside of a container.  However,
-# not all storage drivers are supported in a container
-# environment.  Detect this and setup storage when
-# running in a container.
-if ((SKOPEO_CONTAINER_TESTS)) && [[ -r /etc/containers/storage.conf ]]; then
-    sed -i \
-        -e 's/^driver\s*=.*/driver = "vfs"/' \
-        -e 's/^mountopt/#mountopt/' \
-        /etc/containers/storage.conf
-elif ((SKOPEO_CONTAINER_TESTS)); then
-    cat >> /etc/containers/storage.conf << EOF
-[storage]
-driver = "vfs"
-EOF
-fi
-
-# Build skopeo, install into /usr/bin
-make PREFIX=/usr install
-
-# Run tests
-SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest
--- a/hack/make/validate-git-marks
+++ b/hack/make/validate-git-marks
@@ -1,44 +0,0 @@
-#!/usr/bin/env bash
-
-source "$(dirname "$BASH_SOURCE")/.validate"
-
-# folders=$(find * -type d | egrep -v '^Godeps|bundles|.git')
-
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*' | grep -v '^vendor/' || true) )
-unset IFS
-
-badFiles=()
-for f in "${files[@]}"; do
-    if [ $(grep -r "^<<<<<<<" $f) ]; then
-        badFiles+=( "$f" )
-        continue
-    fi
-
-    if [ $(grep -r "^>>>>>>>" $f) ]; then
-        badFiles+=( "$f" )
-        continue
-    fi
-
-    if [ $(grep -r "^=======$" $f) ]; then
-        badFiles+=( "$f" )
-        continue
-    fi
-    set -e
-done
-
-
-if [ ${#badFiles[@]} -eq 0 ]; then
-	echo 'Congratulations!  There is no conflict.'
-else
-	{
-		echo "There is trace of conflict(s) in the following files :"
-		for f in "${badFiles[@]}"; do
-			echo " - $f"
-		done
-		echo
-		echo 'Please fix the conflict(s) commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/hack/make/validate-lint
+++ b/hack/make/validate-lint
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-source "$(dirname "$BASH_SOURCE")/.validate"
-
-# We will eventually get to the point where packages should be the complete list
-# of subpackages, vendoring excluded, as given by:
-#
-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/\|^integration' || true) )
-unset IFS
-
-errors=()
-for f in "${files[@]}"; do
-	failedLint=$(golint "$f")
-	if [ "$failedLint" ]; then
-		errors+=( "$failedLint" )
-	fi
-done
-
-if [ ${#errors[@]} -eq 0 ]; then
-	echo 'Congratulations!  All Go source files have been linted.'
-else
-	{
-		echo "Errors from golint:"
-		for err in "${errors[@]}"; do
-			echo "$err"
-		done
-		echo
-		echo 'Please fix the above errors. You can test via "golint" and commit the result.'
-		echo
-	} >&2
-	false
-fi
--- a/hack/test-integration.sh
+++ b/hack/test-integration.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+make PREFIX=/usr install
+
+echo "cd ./integration;" go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
+cd ./integration
+go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
--- a/hack/test-system.sh
+++ b/hack/test-system.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -e
+
+# These tests can run in/outside of a container.  However,
+# not all storage drivers are supported in a container
+# environment.  Detect this and setup storage when
+# running in a container.
+#
+# Paradoxically (FIXME: clean this up), SKOPEO_CONTAINER_TESTS is set
+# both inside a container and without a container (in a CI VM); it actually means
+# "it is safe to destructively modify the system for tests".
+#
+# On a CI VM, we can just use Podman as it is already configured; the changes below,
+# to use VFS, are necessary only inside a container, because overlay-inside-overlay
+# does not work. So, make these changes conditional on both
+# SKOPEO_CONTAINER_TESTS (for acceptability to do destructive modification) and !CI
+# (for necessity to adjust for in-container operation)
+if ((SKOPEO_CONTAINER_TESTS)) && [[ "$CI" != true ]]; then
+    if [[ -r /etc/containers/storage.conf ]]; then
+        echo "MODIFYING existing storage.conf"
+        sed -i \
+            -e 's/^driver\s*=.*/driver = "vfs"/' \
+            -e 's/^mountopt/#mountopt/' \
+            /etc/containers/storage.conf
+    else
+        echo "CREATING NEW storage.conf"
+        cat >> /etc/containers/storage.conf << EOF
+[storage]
+driver = "vfs"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+EOF
+    fi
+    # The logic of finding the relevant storage.conf file is convoluted
+    # and in effect differs between Skopeo and Podman, at least in some versions;
+    # explicitly point at the file we want to use to hopefully avoid that.
+    export CONTAINERS_STORAGE_CONF=/etc/containers/storage.conf
+fi
+
+# Build skopeo, install into /usr/bin
+make PREFIX=/usr install
+
+# Run tests
+SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest
--- a/hack/tree_status.sh
+++ b/hack/tree_status.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -e

 STATUS=$(git status --porcelain)
--- a/hack/validate-git-marks.sh
+++ b/hack/validate-git-marks.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+IFS=$'\n'
+files=( $(git ls-tree -r HEAD --name-only | grep -v '^vendor/' || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+    if [ $(grep -r "^\(<<<<<<<\|>>>>>>>\|^=======$\)" $f) ]; then
+        badFiles+=( "$f" )
+        continue
+    fi
+    set -e
+done
+
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations!  There is no conflict.'
+else
+	{
+		echo "There is trace of conflict(s) in the following files :"
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+		echo 'Please fix the conflict(s) commit the result.'
+		echo
+	} >&2
+	exit 1
+fi
--- a/hack/make/validate-gofmt
+++ b/hack/make/validate-gofmt
@@ -1,9 +1,7 @@
 #!/bin/bash

-source "$(dirname "$BASH_SOURCE")/.validate"
-
 IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
+files=( $(find . -name '*.go' | grep -v '^./vendor/' | sort || true) )
 unset IFS

 badFiles=()
@@ -25,5 +23,5 @@ else
 		echo 'Please reformat the above files using "gofmt -s -w" and commit the result.'
 		echo
 	} >&2
-	false
+	exit 1
 fi
--- a/hack/validate-lint.sh
+++ b/hack/validate-lint.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+errors=$($GOBIN/golangci-lint run --build-tags "${BUILDTAGS}" 2>&1)
+
+if [ -z "$errors" ]; then
+	echo 'Congratulations!  All Go source files have been linted.'
+else
+	{
+		echo "Errors from golangci-lint:"
+		echo "$errors"
+		echo
+		echo 'Please fix the above errors. You can test via "golangci-lint" and commit the result.'
+		echo
+	} >&2
+	exit 1
+fi
--- a/hack/make/validate-vet
+++ b/hack/make/validate-vet
@@ -1,6 +1,6 @@
 #!/bin/bash

-errors=$(go vet -tags="${BUILDTAGS}" $mod_vendor $(go list $mod_vendor -e ./...))
+errors=$(go vet -tags="${BUILDTAGS}" ./... 2>&1)

 if [ -z "$errors" ]; then
 	echo 'Congratulations!  All Go source files have been vetted.'
@@ -12,5 +12,5 @@ else
 		echo 'Please fix the above errors. You can test via "go vet" and commit the result.'
 		echo
 	} >&2
-	false
+	exit 1
 fi
--- a/hack/warn-destructive-tests.sh
+++ b/hack/warn-destructive-tests.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -e
+
+# Set this to 1 to enable installation/modification of environment/services
+export SKOPEO_CONTAINER_TESTS=${SKOPEO_CONTAINER_TESTS:-0}
+
+if [[ "$SKOPEO_CONTAINER_TESTS" == "0" ]] && [[ "$CI" != "true" ]]; then
+    (
+    echo "***************************************************************"
+    echo "WARNING: Executing tests directly on the local development"
+    echo "         host is highly discouraged.  Many important items"
+    echo "         will be skipped.  For manual execution, please utilize"
+    echo "         the Makefile targets WITHOUT the '-local' suffix."
+    echo "***************************************************************"
+    ) > /dev/stderr
+    sleep 5
+fi
--- a/install.md
+++ b/install.md
@@ -1,7 +1,8 @@
 # Installing Skopeo

 ## Distribution Packages
-`skopeo` may already be packaged in your distribution.
+`skopeo` may already be packaged in your distribution. This document lists the
+installation steps for many distros, along with their information and support links.

 ### Fedora

@@ -9,30 +10,67 @@
 sudo dnf -y install skopeo
 ```

-### RHEL/CentOS ≥ 8 and CentOS Stream
+[Package Info](https://src.fedoraproject.org/rpms/skopeo) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Fedora&component=skopeo&product=Fedora)
+
+Fedora bugs can be reported on the Skopeo GitHub [Issues](https://github.com/containers/skopeo/issues) page.
+
+### RHEL / CentOS Stream ≥ 8

 ```sh
 sudo dnf -y install skopeo
 ```

+If you are a RHEL customer, please reach out through the official RHEL support
+channels for any issues.
+
+CentOS Stream 9: [Package Info](https://gitlab.com/redhat/centos-stream/rpms/skopeo/-/tree/c9s) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Red%20Hat&component=skopeo&product=Red%20Hat%20Enterprise%20Linux%209&version=CentOS%20Stream)
+
+CentOS Stream 8: [Package Info](https://git.centos.org/rpms/skopeo/tree/c8s-stream-rhel8) and
+[Bugzilla](https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&classification=Red%20Hat&component=skopeo&product=Red%20Hat%20Enterprise%20Linux%208&version=CentOS%20Stream)
+
+
 ### RHEL/CentOS ≤ 7.x

 ```sh
 sudo yum -y install skopeo
 ```

+CentOS 7: [Package Repo](https://git.centos.org/rpms/skopeo/tree/c7-extras)
+
 ### openSUSE

 ```sh
 sudo zypper install skopeo
 ```

+[Package Info](https://software.opensuse.org/package/skopeo)
+
 ### Alpine

 ```sh
 sudo apk add skopeo
 ```

+[Package Info](https://pkgs.alpinelinux.org/packages?name=skopeo)
+
+### Gentoo
+
+```sh
+sudo emerge app-containers/skopeo
+```
+
+[Package Info](https://packages.gentoo.org/packages/app-containers/skopeo)
+
+### Arch Linux
+
+```sh
+sudo pacman -S skopeo
+```
+
+[Package Info](https://archlinux.org/packages/extra/x86_64/skopeo/)
+
 ### macOS

 ```sh
@@ -44,6 +82,8 @@ brew install skopeo
 $ nix-env -i skopeo
 ```

+[Package Info](https://search.nixos.org/packages?&show=skopeo&query=skopeo)
+
 ### Debian

 The skopeo package is available on [Bullseye](https://packages.debian.org/bullseye/skopeo),
@@ -55,6 +95,8 @@ sudo apt-get update
 sudo apt-get -y install skopeo
 ```

+[Package Info](https://packages.debian.org/stable/skopeo)
+
 ### Raspberry Pi OS arm64 (beta)

 Raspberry Pi OS uses the standard Debian's repositories,
@@ -73,24 +115,13 @@ sudo apt-get -y update
 sudo apt-get -y install skopeo
 ```

-The [Kubic project](https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/skopeo)
-provides packages for Ubuntu 20.04 (it should also work with direct derivatives like Pop!\_OS).
-
-```bash
-. /etc/os-release
-echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
-sudo apt-get update
-sudo apt-get -y upgrade
-sudo apt-get -y install skopeo
-```
+[Package Info](https://packages.ubuntu.com/jammy/skopeo)

 ### Windows
 Skopeo has not yet been packaged for Windows. There is an [open feature
 request](https://github.com/containers/skopeo/issues/715) and contributions are
 always welcome.

-
 ## Container Images

 Skopeo container images are available at `quay.io/skopeo/stable:latest`.
@@ -100,14 +131,15 @@ For example,
 podman run docker://quay.io/skopeo/stable:latest copy --help
 ```

-[Read more](./contrib/skopeoimage/README.md).
+The skopeo container image build context and automation are
+located at [https://github.com/containers/image_build/tree/main/skopeo](https://github.com/containers/image_build/tree/main/skopeo)


 ## Building from Source

 Otherwise, read on for building and installing it from source:

-To build the `skopeo` binary you need at least Go 1.12.
+To build the `skopeo` binary you need at least Go 1.19.

 There are two ways to build skopeo: in a container, or locally without a
 container. Choose the one which better matches your needs and environment.
@@ -143,6 +175,11 @@ brew install gpgme
 sudo zypper install libgpgme-devel device-mapper-devel libbtrfs-devel glib2-devel
 ```

+```bash
+# Arch Linux:
+sudo pacman -S base-devel gpgme device-mapper btrfs-progs
+```
+
 Make sure to clone this repository in your `GOPATH` - otherwise compilation fails.

 ```bash
@@ -158,6 +195,22 @@ document generation can be skipped by passing `DISABLE_DOCS=1`:
 DISABLE_DOCS=1 make
 ```

+#### Additional prerequisites
+
+In order to dynamically link against system libraries and avoid compilation errors the ```CGO_ENABLED='1'``` flag must be enabled. You can easily check by ```go env | grep CGO_ENABLED```.
+
+An alternative would be to set the `BUILDTAGS=containers_image_openpgp` (this removes the dependency on `libgpgme` and its companion libraries).
+
+### Cross-compilation
+
+For cross-building skopeo, use the command `make bin/skopeo.OS.ARCH`, where OS represents
+the target operating system and ARCH stands for the desired architecture. For instance,
+to build skopeo for RISC-V 64-bit Linux, execute:
+
+```bash
+make bin/skopeo.linux.riscv64
+```
+
 ### Building documentation

 To build the manual you will need go-md2man.
@@ -196,6 +249,13 @@ Building in a container is simpler, but more restrictive:
 $ make binary
 ```

+### Shell completion scripts
+
+Skopeo has shell completion scripts for bash, zsh, fish and powershell. They are installed as part of `make install`.
+You may have to restart your shell in order for them to take effect.
+
+For instructions to manually generate and load the scripts please see `skopeo completion --help`.
+
 ### Installation

 Finally, after the binary and documentation is built:
@@ -212,15 +272,8 @@ There have been efforts in the past to produce and maintain static builds, but t

 That being said, if you would like to build Skopeo statically, you might be able to do it by combining all the following steps.
 - Export environment variable `CGO_ENABLED=0` (disabling CGO causes Go to prefer native libraries when possible, instead of dynamically linking against system libraries).
- Set the `BUILDTAGS=containers_image_openpgp` Make variable (this remove the dependency on `libgpgme` and its companion libraries).
- Clear the `GO_DYN_FLAGS` Make variable (which otherwise seems to force the creation of a dynamic executable).
-
-The following command implements these steps to produce a static binary in the `bin` subdirectory of the repository:
-
-```bash
-docker run -v $PWD:/src -w /src -e CGO_ENABLED=0 golang \
-make BUILDTAGS=containers_image_openpgp GO_DYN_FLAGS=
-```
+- Set the `BUILDTAGS=containers_image_openpgp` Make variable (this removes the dependency on `libgpgme` and its companion libraries).
+- Clear the `GO_DYN_FLAGS` Make variable if even a dependency on the ELF interpreter is undesirable.

 Keep in mind that the resulting binary is unsupported and might crash randomly. Only use if you know what you're doing!

--- a/integration/blocked_test.go
+++ b/integration/blocked_test.go
@@ -1,34 +1,34 @@
 package main

-import (
-	"gopkg.in/check.v1"
-)
-
 const blockedRegistriesConf = "./fixtures/blocked-registries.conf"
 const blockedErrorRegex = `.*registry registry-blocked.com is blocked in .*`

-func (s *SkopeoSuite) TestCopyBlockedSource(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestCopyBlockedSource() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "copy",
 		"docker://registry-blocked.com/image:test",
 		"docker://registry-unblocked.com/image:test")
 }

-func (s *SkopeoSuite) TestCopyBlockedDestination(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestCopyBlockedDestination() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "copy",
 		"docker://registry-unblocked.com/image:test",
 		"docker://registry-blocked.com/image:test")
 }

-func (s *SkopeoSuite) TestInspectBlocked(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestInspectBlocked() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "inspect",
 		"docker://registry-blocked.com/image:test")
 }

-func (s *SkopeoSuite) TestDeleteBlocked(c *check.C) {
-	assertSkopeoFails(c, blockedErrorRegex,
+func (s *skopeoSuite) TestDeleteBlocked() {
+	t := s.T()
+	assertSkopeoFails(t, blockedErrorRegex,
 		"--registries-conf", blockedRegistriesConf, "delete",
 		"docker://registry-blocked.com/image:test")
 }
--- a/integration/check_test.go
+++ b/integration/check_test.go
@@ -6,7 +6,9 @@ import (
 	"testing"

 	"github.com/containers/skopeo/version"
-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 )

 const (
@@ -14,100 +16,104 @@ const (
 	privateRegistryURL1 = "127.0.0.1:5001"
 )

-func Test(t *testing.T) {
-	check.TestingT(t)
+func TestSkopeo(t *testing.T) {
+	suite.Run(t, &skopeoSuite{})
 }

-func init() {
-	check.Suite(&SkopeoSuite{})
-}
-
-type SkopeoSuite struct {
+type skopeoSuite struct {
+	suite.Suite
 	regV2         *testRegistryV2
 	regV2WithAuth *testRegistryV2
 }

-func (s *SkopeoSuite) SetUpSuite(c *check.C) {
+var _ = suite.SetupAllSuite(&skopeoSuite{})
+var _ = suite.TearDownAllSuite(&skopeoSuite{})
+
+func (s *skopeoSuite) SetupSuite() {
+	t := s.T()
 	_, err := exec.LookPath(skopeoBinary)
-	c.Assert(err, check.IsNil)
-	s.regV2 = setupRegistryV2At(c, privateRegistryURL0, false, false)
-	s.regV2WithAuth = setupRegistryV2At(c, privateRegistryURL1, true, false)
+	require.NoError(t, err)
+	s.regV2 = setupRegistryV2At(t, privateRegistryURL0, false, false)
+	s.regV2WithAuth = setupRegistryV2At(t, privateRegistryURL1, true, false)
 }

-func (s *SkopeoSuite) TearDownSuite(c *check.C) {
+func (s *skopeoSuite) TearDownSuite() {
 	if s.regV2 != nil {
-		s.regV2.Close()
+		s.regV2.tearDown()
 	}
 	if s.regV2WithAuth != nil {
-		//cmd := exec.Command("docker", "logout", s.regV2WithAuth)
-		//c.Assert(cmd.Run(), check.IsNil)
-		s.regV2WithAuth.Close()
+		// cmd := exec.Command("docker", "logout", s.regV2WithAuth)
+		// require.Noerror(t, cmd.Run())
+		s.regV2WithAuth.tearDown()
 	}
 }

-// TODO like dockerCmd but much easier, just out,err
-//func skopeoCmd()
-
-func (s *SkopeoSuite) TestVersion(c *check.C) {
-	wanted := fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version)
-	assertSkopeoSucceeds(c, wanted, "--version")
+func (s *skopeoSuite) TestVersion() {
+	t := s.T()
+	assertSkopeoSucceeds(t, fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version),
+		"--version")
 }

-func (s *SkopeoSuite) TestCanAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	wanted := ".*manifest unknown: manifest unknown.*"
-	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", "--creds="+s.regV2WithAuth.username+":"+s.regV2WithAuth.password, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+func (s *skopeoSuite) TestCanAuthToPrivateRegistryV2WithoutDockerCfg() {
+	t := s.T()
+	assertSkopeoFails(t, ".*manifest unknown.*",
+		"--tls-verify=false", "inspect", "--creds="+s.regV2WithAuth.username+":"+s.regV2WithAuth.password, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }

-func (s *SkopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	wanted := ".*unauthorized: authentication required.*"
-	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+func (s *skopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg() {
+	t := s.T()
+	assertSkopeoFails(t, ".*authentication required.*",
+		"--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }

-func (s *SkopeoSuite) TestCertDirInsteadOfCertPath(c *check.C) {
-	wanted := ".*unknown flag: --cert-path.*"
-	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-path=/")
-	wanted = ".*unauthorized: authentication required.*"
-	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-dir=/etc/docker/certs.d/")
+func (s *skopeoSuite) TestCertDirInsteadOfCertPath() {
+	t := s.T()
+	assertSkopeoFails(t, ".*unknown flag: --cert-path.*",
+		"--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-path=/")
+	assertSkopeoFails(t, ".*authentication required.*",
+		"--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-dir=/etc/docker/certs.d/")
 }

 // TODO(runcom): as soon as we can push to registries ensure you can inspect here
 // not just get image not found :)
-func (s *SkopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound(c *check.C) {
+func (s *skopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound() {
+	t := s.T()
 	out, err := exec.Command(skopeoBinary, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2.url)).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := ".*manifest unknown.*"
-	c.Assert(string(out), check.Matches, "(?s)"+wanted) // (?s) : '.' will also match newlines
-	wanted = ".*unauthorized: authentication required.*"
-	c.Assert(string(out), check.Not(check.Matches), "(?s)"+wanted) // (?s) : '.' will also match newlines
+	assert.Error(t, err, "%s", string(out))
+	assert.Regexp(t, "(?s).*manifest unknown.*", string(out))                         // (?s) : '.' will also match newlines
+	assert.NotRegexp(t, "(?s).*unauthorized: authentication required.*", string(out)) // (?s) : '.' will also match newlines
 }

-func (s *SkopeoSuite) TestInspectFailsWhenReferenceIsInvalid(c *check.C) {
-	assertSkopeoFails(c, `.*Invalid image name.*`, "inspect", "unknown")
+func (s *skopeoSuite) TestInspectFailsWhenReferenceIsInvalid() {
+	t := s.T()
+	assertSkopeoFails(t, `.*Invalid image name.*`, "inspect", "unknown")
 }

-func (s *SkopeoSuite) TestLoginLogout(c *check.C) {
-	wanted := "^Login Succeeded!\n$"
-	assertSkopeoSucceeds(c, wanted, "login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
+func (s *skopeoSuite) TestLoginLogout() {
+	t := s.T()
+	assertSkopeoSucceeds(t, "^Login Succeeded!\n$",
+		"login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
 	// test --get-login returns username
-	wanted = fmt.Sprintf("^%s\n$", s.regV2WithAuth.username)
-	assertSkopeoSucceeds(c, wanted, "login", "--tls-verify=false", "--get-login", s.regV2WithAuth.url)
+	assertSkopeoSucceeds(t, fmt.Sprintf("^%s\n$", s.regV2WithAuth.username),
+		"login", "--tls-verify=false", "--get-login", s.regV2WithAuth.url)
 	// test logout
-	wanted = fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url)
-	assertSkopeoSucceeds(c, wanted, "logout", s.regV2WithAuth.url)
+	assertSkopeoSucceeds(t, fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url),
+		"logout", s.regV2WithAuth.url)
 }

-func (s *SkopeoSuite) TestCopyWithLocalAuth(c *check.C) {
-	wanted := "^Login Succeeded!\n$"
-	assertSkopeoSucceeds(c, wanted, "login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
+func (s *skopeoSuite) TestCopyWithLocalAuth() {
+	t := s.T()
+	assertSkopeoSucceeds(t, "^Login Succeeded!\n$",
+		"login", "--tls-verify=false", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, s.regV2WithAuth.url)
 	// copy to private registry using local authentication
 	imageName := fmt.Sprintf("docker://%s/busybox:mine", s.regV2WithAuth.url)
-	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", testFQIN+":latest", imageName)
+	assertSkopeoSucceeds(t, "", "copy", "--dest-tls-verify=false", testFQIN+":latest", imageName)
 	// inspect from private registry
-	assertSkopeoSucceeds(c, "", "inspect", "--tls-verify=false", imageName)
+	assertSkopeoSucceeds(t, "", "inspect", "--tls-verify=false", imageName)
 	// logout from the registry
-	wanted = fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url)
-	assertSkopeoSucceeds(c, wanted, "logout", s.regV2WithAuth.url)
+	assertSkopeoSucceeds(t, fmt.Sprintf("^Removed login credentials for %s\n$", s.regV2WithAuth.url),
+		"logout", s.regV2WithAuth.url)
 	// inspect from private registry should fail after logout
-	wanted = ".*unauthorized: authentication required.*"
-	assertSkopeoFails(c, wanted, "inspect", "--tls-verify=false", imageName)
+	assertSkopeoFails(t, ".*authentication required.*",
+		"inspect", "--tls-verify=false", imageName)
 }
--- a/integration/copy_test.go
+++ b/integration/copy_test.go
--- a/integration/decompress-dirs.sh
+++ b/integration/decompress-dirs.sh
@@ -1,23 +0,0 @@
-#!/bin/bash -e
-# Account for differences between dir: images that are solely due to one being
-# compressed (fresh from a registry) and the other not being compressed (read
-# from storage, which decompressed it and had to reassemble the layer blobs).
-for dir in "$@" ; do
-    # Updating the manifest's blob digests may change the formatting, so
-    # use jq to get them into similar shape.
-    jq -M . "${dir}"/manifest.json > "${dir}"/manifest.json.tmp && mv "${dir}"/manifest.json.tmp "${dir}"/manifest.json
-    for candidate in "${dir}"/???????????????????????????????????????????????????????????????? ; do
-        # If a digest-identified file looks like it was compressed,
-        # decompress it, and replace its hash and size in the manifest
-        # with the values for their decompressed versions.
-        uncompressed=`zcat "${candidate}" 2> /dev/null | sha256sum | cut -c1-64`
-        if test $? -eq 0 ; then
-            if test "$uncompressed" != e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ; then
-                zcat "${candidate}" > "${dir}"/${uncompressed}
-                sed -r -i -e "s#sha256:$(basename ${candidate})#sha256:${uncompressed}#g" "${dir}"/manifest.json
-                sed -r -i -e "s#\"size\": $(wc -c < ${candidate}),#\"size\": $(wc -c < ${dir}/${uncompressed}),#g" "${dir}"/manifest.json
-                rm -f "${candidate}"
-            fi
-        fi
-    done
-done
--- a/integration/fixtures/registries.yaml
+++ b/integration/fixtures/registries.yaml
@@ -1,6 +1,6 @@
 docker:
   localhost:5555:
-        sigstore: file://@sigstore@
+        lookaside: file://@lookaside@
   localhost:5555/public:
-        sigstore-staging: file://@split-staging@
-        sigstore: @split-read@
+        lookaside-staging: file://@split-staging@
+        lookaside: @split-read@
--- a/integration/openshift.go
+++ b/integration/openshift.go
@@ -5,15 +5,15 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"testing"
 	"time"

-	"github.com/docker/docker/pkg/homedir"
-	"gopkg.in/check.v1"
+	"github.com/containers/storage/pkg/homedir"
+	"github.com/stretchr/testify/require"
 )

 var adminKUBECONFIG = map[string]string{
@@ -31,24 +31,21 @@ type openshiftCluster struct {
 // startOpenshiftCluster creates a new openshiftCluster.
 // WARNING: This affects state in users' home directory! Only run
 // in isolated test environment.
-func startOpenshiftCluster(c *check.C) *openshiftCluster {
+func startOpenshiftCluster(t *testing.T) *openshiftCluster {
 	cluster := &openshiftCluster{}
+	cluster.workingDir = t.TempDir()

-	dir, err := ioutil.TempDir("", "openshift-cluster")
-	c.Assert(err, check.IsNil)
-	cluster.workingDir = dir
-
-	cluster.startMaster(c)
-	cluster.prepareRegistryConfig(c)
-	cluster.startRegistry(c)
-	cluster.ocLoginToProject(c)
-	cluster.dockerLogin(c)
-	cluster.relaxImageSignerPermissions(c)
+	cluster.startMaster(t)
+	cluster.prepareRegistryConfig(t)
+	cluster.startRegistry(t)
+	cluster.ocLoginToProject(t)
+	cluster.dockerLogin(t)
+	cluster.relaxImageSignerPermissions(t)

 	return cluster
 }

-// clusterCmd creates an exec.Cmd in cluster.workingDir with current environment modified by environment
+// clusterCmd creates an exec.Cmd in cluster.workingDir with current environment modified by environment.
 func (cluster *openshiftCluster) clusterCmd(env map[string]string, name string, args ...string) *exec.Cmd {
 	cmd := exec.Command(name, args...)
 	cmd.Dir = cluster.workingDir
@@ -60,21 +57,20 @@ func (cluster *openshiftCluster) clusterCmd(env map[string]string, name string,
 }

 // startMaster starts the OpenShift master (etcd+API server) and waits for it to be ready, or terminates on failure.
-func (cluster *openshiftCluster) startMaster(c *check.C) {
+func (cluster *openshiftCluster) startMaster(t *testing.T) {
 	cmd := cluster.clusterCmd(nil, "openshift", "start", "master")
 	cluster.processes = append(cluster.processes, cmd)
 	stdout, err := cmd.StdoutPipe()
-	c.Assert(err, check.IsNil)
-	// Send both to the same pipe. This might cause the two streams to be mixed up,
+	require.NoError(t, err)
 	// but logging actually goes only to stderr - this primarily ensure we log any
 	// unexpected output to stdout.
 	cmd.Stderr = cmd.Stdout
 	err = cmd.Start()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	portOpen, terminatePortCheck := newPortChecker(c, 8443)
+	portOpen, terminatePortCheck := newPortChecker(t, 8443)
 	defer func() {
-		c.Logf("Terminating port check")
+		t.Logf("Terminating port check")
 		terminatePortCheck <- true
 	}()

@@ -82,12 +78,12 @@ func (cluster *openshiftCluster) startMaster(c *check.C) {
 	logCheckFound := make(chan bool)
 	go func() {
 		defer func() {
-			c.Logf("Log checker exiting")
+			t.Logf("Log checker exiting")
 		}()
 		scanner := bufio.NewScanner(stdout)
 		for scanner.Scan() {
 			line := scanner.Text()
-			c.Logf("Log line: %s", line)
+			t.Logf("Log line: %s", line)
 			if strings.Contains(line, "Started Origin Controllers") {
 				logCheckFound <- true
 				return
@@ -96,7 +92,7 @@ func (cluster *openshiftCluster) startMaster(c *check.C) {
 			// Note: we can block before we get here.
 			select {
 			case <-terminateLogCheck:
-				c.Logf("terminated")
+				t.Logf("terminated")
 				return
 			default:
 				// Do not block here and read the next line.
@@ -105,7 +101,7 @@ func (cluster *openshiftCluster) startMaster(c *check.C) {
 		logCheckFound <- false
 	}()
 	defer func() {
-		c.Logf("Terminating log check")
+		t.Logf("Terminating log check")
 		terminateLogCheck <- true
 	}()

@@ -114,26 +110,26 @@ func (cluster *openshiftCluster) startMaster(c *check.C) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 	defer cancel()
 	for !gotPortCheck || !gotLogCheck {
-		c.Logf("Waiting for master")
+		t.Logf("Waiting for master")
 		select {
 		case <-portOpen:
-			c.Logf("port check done")
+			t.Logf("port check done")
 			gotPortCheck = true
 		case found := <-logCheckFound:
-			c.Logf("log check done, found: %t", found)
+			t.Logf("log check done, found: %t", found)
 			if !found {
-				c.Fatal("log check done, success message not found")
+				t.Fatal("log check done, success message not found")
 			}
 			gotLogCheck = true
 		case <-ctx.Done():
-			c.Fatalf("Timed out waiting for master: %v", ctx.Err())
+			t.Fatalf("Timed out waiting for master: %v", ctx.Err())
 		}
 	}
-	c.Logf("OK, master started!")
+	t.Logf("OK, master started!")
 }

 // prepareRegistryConfig creates a registry service account and a related k8s client configuration in ${cluster.workingDir}/openshift.local.registry.
-func (cluster *openshiftCluster) prepareRegistryConfig(c *check.C) {
+func (cluster *openshiftCluster) prepareRegistryConfig(t *testing.T) {
 	// This partially mimics the objects created by (oadm registry), except that we run the
 	// server directly as an ordinary process instead of a pod with an implicitly attached service account.
 	saJSON := `{
@@ -144,93 +140,93 @@ func (cluster *openshiftCluster) prepareRegistryConfig(c *check.C) {
 		}
 	}`
 	cmd := cluster.clusterCmd(adminKUBECONFIG, "oc", "create", "-f", "-")
-	runExecCmdWithInput(c, cmd, saJSON)
+	runExecCmdWithInput(t, cmd, saJSON)

 	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-user", "system:registry", "-z", "registry")
 	out, err := cmd.CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
-	c.Assert(string(out), check.Equals, "cluster role \"system:registry\" added: \"registry\"\n")
+	require.NoError(t, err, "%s", string(out))
+	require.Equal(t, "cluster role \"system:registry\" added: \"registry\"\n", string(out))

 	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "create-api-client-config", "--client-dir=openshift.local.registry", "--basename=openshift-registry", "--user=system:serviceaccount:default:registry")
 	out, err = cmd.CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
-	c.Assert(string(out), check.Equals, "")
+	require.NoError(t, err, "%s", string(out))
+	require.Equal(t, "", string(out))
 }

 // startRegistry starts the OpenShift registry with configPart on port, waits for it to be ready, and returns the process object, or terminates on failure.
-func (cluster *openshiftCluster) startRegistryProcess(c *check.C, port int, configPath string) *exec.Cmd {
+func (cluster *openshiftCluster) startRegistryProcess(t *testing.T, port uint16, configPath string) *exec.Cmd {
 	cmd := cluster.clusterCmd(map[string]string{
 		"KUBECONFIG":          "openshift.local.registry/openshift-registry.kubeconfig",
 		"DOCKER_REGISTRY_URL": fmt.Sprintf("127.0.0.1:%d", port),
 	}, "dockerregistry", configPath)
-	consumeAndLogOutputs(c, fmt.Sprintf("registry-%d", port), cmd)
+	consumeAndLogOutputs(t, fmt.Sprintf("registry-%d", port), cmd)
 	err := cmd.Start()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err, "%s")

-	portOpen, terminatePortCheck := newPortChecker(c, port)
+	portOpen, terminatePortCheck := newPortChecker(t, port)
 	defer func() {
 		terminatePortCheck <- true
 	}()
-	c.Logf("Waiting for registry to start")
+	t.Logf("Waiting for registry to start")
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
 	select {
 	case <-portOpen:
-		c.Logf("OK, Registry port open")
+		t.Logf("OK, Registry port open")
 	case <-ctx.Done():
-		c.Fatalf("Timed out waiting for registry to start: %v", ctx.Err())
+		t.Fatalf("Timed out waiting for registry to start: %v", ctx.Err())
 	}

 	return cmd
 }

 // startRegistry starts the OpenShift registry and waits for it to be ready, or terminates on failure.
-func (cluster *openshiftCluster) startRegistry(c *check.C) {
+func (cluster *openshiftCluster) startRegistry(t *testing.T) {
 	// Our “primary” registry
-	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5000, "/atomic-registry-config.yml"))
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(t, 5000, "/atomic-registry-config.yml"))

 	// A registry configured with acceptschema2:false
-	schema1Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+	schema1Config := fileFromFixture(t, "/atomic-registry-config.yml", map[string]string{
 		"addr: :5000":              "addr: :5005",
 		"rootdirectory: /registry": "rootdirectory: /registry-schema1",
 		// The default configuration currently already contains acceptschema2: false
 	})
 	// Make sure the configuration contains "acceptschema2: false", because eventually it will be enabled upstream and this function will need to be updated.
-	configContents, err := ioutil.ReadFile(schema1Config)
-	c.Assert(err, check.IsNil)
-	c.Assert(string(configContents), check.Matches, "(?s).*acceptschema2: false.*")
-	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5005, schema1Config))
+	configContents, err := os.ReadFile(schema1Config)
+	require.NoError(t, err)
+	require.Regexp(t, "(?s).*acceptschema2: false.*", string(configContents))
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(t, 5005, schema1Config))

 	// A registry configured with acceptschema2:true
-	schema2Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+	schema2Config := fileFromFixture(t, "/atomic-registry-config.yml", map[string]string{
 		"addr: :5000":              "addr: :5006",
 		"rootdirectory: /registry": "rootdirectory: /registry-schema2",
 		"acceptschema2: false":     "acceptschema2: true",
 	})
-	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5006, schema2Config))
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(t, 5006, schema2Config))
 }

 // ocLogin runs (oc login) and (oc new-project) on the cluster, or terminates on failure.
-func (cluster *openshiftCluster) ocLoginToProject(c *check.C) {
-	c.Logf("oc login")
+func (cluster *openshiftCluster) ocLoginToProject(t *testing.T) {
+	t.Logf("oc login")
 	cmd := cluster.clusterCmd(nil, "oc", "login", "--certificate-authority=openshift.local.config/master/ca.crt", "-u", "myuser", "-p", "mypw", "https://localhost:8443")
 	out, err := cmd.CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
-	c.Assert(string(out), check.Matches, "(?s).*Login successful.*") // (?s) : '.' will also match newlines
+	require.NoError(t, err, "%s", out)
+	require.Regexp(t, "(?s).*Login successful.*", string(out)) // (?s) : '.' will also match newlines

-	outString := combinedOutputOfCommand(c, "oc", "new-project", "myns")
-	c.Assert(outString, check.Matches, `(?s).*Now using project "myns".*`) // (?s) : '.' will also match newlines
+	outString := combinedOutputOfCommand(t, "oc", "new-project", "myns")
+	require.Regexp(t, `(?s).*Now using project "myns".*`, outString) // (?s) : '.' will also match newlines
 }

 // dockerLogin simulates (docker login) to the cluster, or terminates on failure.
 // We do not run (docker login) directly, because that requires a running daemon and a docker package.
-func (cluster *openshiftCluster) dockerLogin(c *check.C) {
+func (cluster *openshiftCluster) dockerLogin(t *testing.T) {
 	cluster.dockerDir = filepath.Join(homedir.Get(), ".docker")
 	err := os.Mkdir(cluster.dockerDir, 0700)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
-	c.Logf("oc config value: %s", out)
+	out := combinedOutputOfCommand(t, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
+	t.Logf("oc config value: %s", out)
 	authValue := base64.StdEncoding.EncodeToString([]byte("unused:" + out))
 	auths := []string{}
 	for _, port := range []int{5000, 5005, 5006} {
@@ -240,30 +236,30 @@ func (cluster *openshiftCluster) dockerLogin(c *check.C) {
 			}`, port, authValue))
 	}
 	configJSON := `{"auths": {` + strings.Join(auths, ",") + `}}`
-	err = ioutil.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0600)
-	c.Assert(err, check.IsNil)
+	err = os.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0600)
+	require.NoError(t, err)
 }

 // relaxImageSignerPermissions opens up the system:image-signer permissions so that
 // anyone can work with signatures
 // FIXME: This also allows anyone to DoS anyone else; this design is really not all
 // that workable, but it is the best we can do for now.
-func (cluster *openshiftCluster) relaxImageSignerPermissions(c *check.C) {
+func (cluster *openshiftCluster) relaxImageSignerPermissions(t *testing.T) {
 	cmd := cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-group", "system:image-signer", "system:authenticated")
 	out, err := cmd.CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
-	c.Assert(string(out), check.Equals, "cluster role \"system:image-signer\" added: \"system:authenticated\"\n")
+	require.NoError(t, err, "%s", string(out))
+	require.Equal(t, "cluster role \"system:image-signer\" added: \"system:authenticated\"\n", string(out))
 }

 // tearDown stops the cluster services and deletes (only some!) of the state.
-func (cluster *openshiftCluster) tearDown(c *check.C) {
+func (cluster *openshiftCluster) tearDown(t *testing.T) {
 	for i := len(cluster.processes) - 1; i >= 0; i-- {
-		cluster.processes[i].Process.Kill()
-	}
-	if cluster.workingDir != "" {
-		os.RemoveAll(cluster.workingDir)
+		// It’s undocumented what Kill() returns if the process has terminated,
+		// so we couldn’t check just for that. This is running in a container anyway…
+		_ = cluster.processes[i].Process.Kill()
 	}
 	if cluster.dockerDir != "" {
-		os.RemoveAll(cluster.dockerDir)
+		err := os.RemoveAll(cluster.dockerDir)
+		require.NoError(t, err)
 	}
 }
--- a/integration/openshift_shell_test.go
+++ b/integration/openshift_shell_test.go
@@ -7,7 +7,8 @@ import (
 	"os"
 	"os/exec"

-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 /*
@@ -15,11 +16,15 @@ TestRunShell is not really a test; it is a convenient way to use the registry se
 in openshift.go and CopySuite to get an interactive environment for experimentation.

 To use it, run:
+
 	sudo make shell
+
 to start a container, then within the container:
-	SKOPEO_CONTAINER_TESTS=1 PS1='nested> ' go test -tags openshift_shell -timeout=24h ./integration -v -check.v -check.vv -check.f='CopySuite.TestRunShell'
+
+	SKOPEO_CONTAINER_TESTS=1 PS1='nested> ' go test -tags openshift_shell -timeout=24h ./integration -v -run='copySuite.TestRunShell'

 An example of what can be done within the container:
+
 	cd ..; make bin/skopeo PREFIX=/usr install
 	./skopeo --tls-verify=false  copy --sign-by=personal@example.com docker://quay.io/libpod/busybox:latest atomic:localhost:5000/myns/personal:personal
 	oc get istag personal:personal -o json
@@ -29,13 +34,14 @@ An example of what can be done within the container:
 	curl -L -v 'http://localhost:5000/v2/myns/personal/manifests/personal' --header 'Authorization: Bearer $token_from_oauth'
 	curl -L -v 'http://localhost:5000/extensions/v2/myns/personal/signatures/$manifest_digest' --header 'Authorization: Bearer $token_from_oauth'
 */
-func (s *CopySuite) TestRunShell(c *check.C) {
+func (s *copySuite) TestRunShell() {
+	t := s.T()
 	cmd := exec.Command("bash", "-i")
 	tty, err := os.OpenFile("/dev/tty", os.O_RDWR, 0)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	cmd.Stdin = tty
 	cmd.Stdout = tty
 	cmd.Stderr = tty
 	err = cmd.Run()
-	c.Assert(err, check.IsNil)
+	assert.NoError(t, err)
 }
--- a/integration/procutils.go
+++ b/integration/procutils.go
@@ -7,6 +7,6 @@ import (
 	"os/exec"
 )

-// cmdLifecycleToParentIfPossible tries to exit if the parent process exits (only works on Linux)
+// cmdLifecycleToParentIfPossible tries to exit if the parent process exits (only works on Linux).
 func cmdLifecycleToParentIfPossible(c *exec.Cmd) {
 }
--- a/integration/proxy_test.go
+++ b/integration/proxy_test.go
@@ -3,22 +3,27 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net"
 	"os"
 	"os/exec"
 	"strings"
 	"syscall"
+	"testing"
 	"time"

-	"gopkg.in/check.v1"
-
 	"github.com/containers/image/v5/manifest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 )

 // This image is known to be x86_64 only right now
-const knownNotManifestListedImage_x8664 = "docker://quay.io/coreos/11bot"
+const knownNotManifestListedImageX8664 = "docker://quay.io/coreos/11bot"
+
+// knownNotExtantImage would be very surprising if it did exist
+const knownNotExtantImage = "docker://quay.io/centos/centos:opensusewindowsubuntu"

 const expectedProxySemverMajor = "0.2"

@@ -29,7 +34,7 @@ type request struct {
 	// Method is the name of the function
 	Method string `json:"method"`
 	// Args is the arguments (parsed inside the function)
-	Args []interface{} `json:"args"`
+	Args []any `json:"args"`
 }

 // reply is copied from proxy.go
@@ -37,7 +42,7 @@ type reply struct {
 	// Success is true if and only if the call succeeded.
 	Success bool `json:"success"`
 	// Value is an arbitrary value (or values, as array/map) returned from the call.
-	Value interface{} `json:"value"`
+	Value any `json:"value"`
 	// PipeID is an index into open pipes, and should be passed to FinishPipe
 	PipeID uint32 `json:"pipeid"`
 	// Error should be non-empty if Success == false
@@ -57,7 +62,7 @@ type pipefd struct {
 	fd *os.File
 }

-func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd *pipefd, err error) {
+func (p *proxy) call(method string, args []any) (rval any, fd *pipefd, err error) {
 	req := request{
 		Method: method,
 		Args:   args,
@@ -66,7 +71,7 @@ func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd
 	if err != nil {
 		return
 	}
-	n, err := self.c.Write(reqbuf)
+	n, err := p.c.Write(reqbuf)
 	if err != nil {
 		return
 	}
@@ -76,9 +81,9 @@ func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd
 	}
 	oob := make([]byte, syscall.CmsgSpace(1))
 	replybuf := make([]byte, maxMsgSize)
-	n, oobn, _, _, err := self.c.ReadMsgUnix(replybuf, oob)
+	n, oobn, _, _, err := p.c.ReadMsgUnix(replybuf, oob)
 	if err != nil {
-		err = fmt.Errorf("reading reply: %v", err)
+		err = fmt.Errorf("reading reply: %w", err)
 		return
 	}
 	var reply reply
@@ -96,7 +101,7 @@ func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd
 		var scms []syscall.SocketControlMessage
 		scms, err = syscall.ParseSocketControlMessage(oob[:oobn])
 		if err != nil {
-			err = fmt.Errorf("failed to parse control message: %v", err)
+			err = fmt.Errorf("failed to parse control message: %w", err)
 			return
 		}
 		if len(scms) != 1 {
@@ -106,7 +111,7 @@ func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd
 		var fds []int
 		fds, err = syscall.ParseUnixRights(&scms[0])
 		if err != nil {
-			err = fmt.Errorf("failed to parse unix rights: %v", err)
+			err = fmt.Errorf("failed to parse unix rights: %w", err)
 			return
 		}
 		fd = &pipefd{
@@ -119,9 +124,9 @@ func (self *proxy) call(method string, args []interface{}) (rval interface{}, fd
 	return
 }

-func (self *proxy) callNoFd(method string, args []interface{}) (rval interface{}, err error) {
+func (p *proxy) callNoFd(method string, args []any) (rval any, err error) {
 	var fd *pipefd
-	rval, fd, err = self.call(method, args)
+	rval, fd, err = p.call(method, args)
 	if err != nil {
 		return
 	}
@@ -132,9 +137,9 @@ func (self *proxy) callNoFd(method string, args []interface{}) (rval interface{}
 	return rval, nil
 }

-func (self *proxy) callReadAllBytes(method string, args []interface{}) (rval interface{}, buf []byte, err error) {
+func (p *proxy) callReadAllBytes(method string, args []any) (rval any, buf []byte, err error) {
 	var fd *pipefd
-	rval, fd, err = self.call(method, args)
+	rval, fd, err = p.call(method, args)
 	if err != nil {
 		return
 	}
@@ -144,13 +149,13 @@ func (self *proxy) callReadAllBytes(method string, args []interface{}) (rval int
 	}
 	fetchchan := make(chan byteFetch)
 	go func() {
-		manifestBytes, err := ioutil.ReadAll(fd.fd)
+		manifestBytes, err := io.ReadAll(fd.fd)
 		fetchchan <- byteFetch{
 			content: manifestBytes,
 			err:     err,
 		}
 	}()
-	_, err = self.callNoFd("FinishPipe", []interface{}{fd.id})
+	_, err = p.callNoFd("FinishPipe", []any{fd.id})
 	if err != nil {
 		return
 	}
@@ -211,17 +216,12 @@ func newProxy() (*proxy, error) {
 	return p, nil
 }

-func init() {
-	check.Suite(&ProxySuite{})
+func TestProxy(t *testing.T) {
+	suite.Run(t, &proxySuite{})
 }

-type ProxySuite struct {
-}
-
-func (s *ProxySuite) SetUpSuite(c *check.C) {
-}
-
-func (s *ProxySuite) TearDownSuite(c *check.C) {
+type proxySuite struct {
+	suite.Suite
 }

 type byteFetch struct {
@@ -230,7 +230,7 @@ type byteFetch struct {
 }

 func runTestGetManifestAndConfig(p *proxy, img string) error {
-	v, err := p.callNoFd("OpenImage", []interface{}{knownNotManifestListedImage_x8664})
+	v, err := p.callNoFd("OpenImage", []any{img})
 	if err != nil {
 		return err
 	}
@@ -239,9 +239,32 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 	if !ok {
 		return fmt.Errorf("OpenImage return value is %T", v)
 	}
-	imgid := uint32(imgidv)
+	imgid := uint64(imgidv)
+	if imgid == 0 {
+		return fmt.Errorf("got zero from expected image")
+	}

-	v, manifestBytes, err := p.callReadAllBytes("GetManifest", []interface{}{imgid})
+	// Also verify the optional path
+	v, err = p.callNoFd("OpenImageOptional", []any{img})
+	if err != nil {
+		return err
+	}
+
+	imgidv, ok = v.(float64)
+	if !ok {
+		return fmt.Errorf("OpenImageOptional return value is %T", v)
+	}
+	imgid2 := uint64(imgidv)
+	if imgid2 == 0 {
+		return fmt.Errorf("got zero from expected image")
+	}
+
+	_, err = p.callNoFd("CloseImage", []any{imgid2})
+	if err != nil {
+		return err
+	}
+
+	_, manifestBytes, err := p.callReadAllBytes("GetManifest", []any{imgid})
 	if err != nil {
 		return err
 	}
@@ -250,7 +273,7 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 		return err
 	}

-	v, configBytes, err := p.callReadAllBytes("GetFullConfig", []interface{}{imgid})
+	_, configBytes, err := p.callReadAllBytes("GetFullConfig", []any{imgid})
 	if err != nil {
 		return err
 	}
@@ -269,7 +292,7 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 	}

 	// Also test this legacy interface
-	v, ctrconfigBytes, err := p.callReadAllBytes("GetConfig", []interface{}{imgid})
+	_, ctrconfigBytes, err := p.callReadAllBytes("GetConfig", []any{imgid})
 	if err != nil {
 		return err
 	}
@@ -284,24 +307,51 @@ func runTestGetManifestAndConfig(p *proxy, img string) error {
 		return fmt.Errorf("No CMD or ENTRYPOINT set")
 	}

-	_, err = p.callNoFd("CloseImage", []interface{}{imgid})
+	_, err = p.callNoFd("CloseImage", []any{imgid})
+	if err != nil {
+		return err
+	}

 	return nil
 }

-func (s *ProxySuite) TestProxy(c *check.C) {
-	p, err := newProxy()
-	c.Assert(err, check.IsNil)
-
-	err = runTestGetManifestAndConfig(p, knownNotManifestListedImage_x8664)
+func runTestOpenImageOptionalNotFound(p *proxy, img string) error {
+	v, err := p.callNoFd("OpenImageOptional", []any{img})
 	if err != nil {
-		err = fmt.Errorf("Testing image %s: %v", knownNotManifestListedImage_x8664, err)
+		return err
 	}
-	c.Assert(err, check.IsNil)
+
+	imgidv, ok := v.(float64)
+	if !ok {
+		return fmt.Errorf("OpenImageOptional return value is %T", v)
+	}
+	imgid := uint64(imgidv)
+	if imgid != 0 {
+		return fmt.Errorf("Unexpected optional image id %v", imgid)
+	}
+	return nil
+}
+
+func (s *proxySuite) TestProxy() {
+	t := s.T()
+	p, err := newProxy()
+	require.NoError(t, err)
+
+	err = runTestGetManifestAndConfig(p, knownNotManifestListedImageX8664)
+	if err != nil {
+		err = fmt.Errorf("Testing image %s: %v", knownNotManifestListedImageX8664, err)
+	}
+	assert.NoError(t, err)

 	err = runTestGetManifestAndConfig(p, knownListImage)
 	if err != nil {
 		err = fmt.Errorf("Testing image %s: %v", knownListImage, err)
 	}
-	c.Assert(err, check.IsNil)
+	assert.NoError(t, err)
+
+	err = runTestOpenImageOptionalNotFound(p, knownNotExtantImage)
+	if err != nil {
+		err = fmt.Errorf("Testing optional image %s: %v", knownNotExtantImage, err)
+	}
+	assert.NoError(t, err)
 }
--- a/integration/registry.go
+++ b/integration/registry.go
@@ -2,14 +2,14 @@ package main

 import (
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"testing"
 	"time"

-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/require"
 )

 const (
@@ -20,15 +20,14 @@ const (
 type testRegistryV2 struct {
 	cmd      *exec.Cmd
 	url      string
-	dir      string
 	username string
 	password string
 	email    string
 }

-func setupRegistryV2At(c *check.C, url string, auth, schema1 bool) *testRegistryV2 {
-	reg, err := newTestRegistryV2At(c, url, auth, schema1)
-	c.Assert(err, check.IsNil)
+func setupRegistryV2At(t *testing.T, url string, auth, schema1 bool) *testRegistryV2 {
+	reg, err := newTestRegistryV2At(t, url, auth, schema1)
+	require.NoError(t, err)

 	// Wait for registry to be ready to serve requests.
 	for i := 0; i != 50; i++ {
@@ -39,16 +38,13 @@ func setupRegistryV2At(c *check.C, url string, auth, schema1 bool) *testRegistry
 	}

 	if err != nil {
-		c.Fatal("Timeout waiting for test registry to become available")
+		t.Fatal("Timeout waiting for test registry to become available")
 	}
 	return reg
 }

-func newTestRegistryV2At(c *check.C, url string, auth, schema1 bool) (*testRegistryV2, error) {
-	tmp, err := ioutil.TempDir("", "registry-test-")
-	if err != nil {
-		return nil, err
-	}
+func newTestRegistryV2At(t *testing.T, url string, auth, schema1 bool) (*testRegistryV2, error) {
+	tmp := t.TempDir()
 	template := `version: 0.1
 loglevel: debug
 storage:
@@ -58,6 +54,9 @@ storage:
        enabled: true
 http:
    addr: %s
+compatibility:
+    schema1:
+        enabled: true
 %s`
 	var (
 		htpasswd string
@@ -71,7 +70,7 @@ http:
 		username = "testuser"
 		password = "testpassword"
 		email = "test@test.org"
-		if err := ioutil.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0644)); err != nil {
+		if err := os.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0644)); err != nil {
 			return nil, err
 		}
 		htpasswd = fmt.Sprintf(`auth:
@@ -86,47 +85,47 @@ http:
 		return nil, err
 	}
 	if _, err := fmt.Fprintf(config, template, tmp, url, htpasswd); err != nil {
-		os.RemoveAll(tmp)
 		return nil, err
 	}

-	binary := binaryV2
+	var cmd *exec.Cmd
 	if schema1 {
-		binary = binaryV2Schema1
+		cmd = exec.Command(binaryV2Schema1, confPath)
+	} else {
+		cmd = exec.Command(binaryV2, "serve", confPath)
 	}

-	cmd := exec.Command(binary, confPath)
-	consumeAndLogOutputs(c, fmt.Sprintf("registry-%s", url), cmd)
+	consumeAndLogOutputs(t, fmt.Sprintf("registry-%s", url), cmd)
 	if err := cmd.Start(); err != nil {
-		os.RemoveAll(tmp)
 		if os.IsNotExist(err) {
-			c.Skip(err.Error())
+			t.Skip(err.Error())
 		}
 		return nil, err
 	}
 	return &testRegistryV2{
 		cmd:      cmd,
 		url:      url,
-		dir:      tmp,
 		username: username,
 		password: password,
 		email:    email,
 	}, nil
 }

-func (t *testRegistryV2) Ping() error {
+func (r *testRegistryV2) Ping() error {
 	// We always ping through HTTP for our test registry.
-	resp, err := http.Get(fmt.Sprintf("http://%s/v2/", t.url))
+	resp, err := http.Get(fmt.Sprintf("http://%s/v2/", r.url))
 	if err != nil {
 		return err
 	}
+	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
 		return fmt.Errorf("registry ping replied with an unexpected status code %d", resp.StatusCode)
 	}
 	return nil
 }

-func (t *testRegistryV2) Close() {
-	t.cmd.Process.Kill()
-	os.RemoveAll(t.dir)
+func (r *testRegistryV2) tearDown() {
+	// It’s undocumented what Kill() returns if the process has terminated,
+	// so we couldn’t check just for that. This is running in a container anyway…
+	_ = r.cmd.Process.Kill()
 }
--- a/integration/signing_test.go
+++ b/integration/signing_test.go
@@ -3,28 +3,31 @@ package main
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"strings"
+	"testing"

 	"github.com/containers/image/v5/signature"
-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 )

 const (
 	gpgBinary = "gpg"
 )

-func init() {
-	check.Suite(&SigningSuite{})
+func TestSigning(t *testing.T) {
+	suite.Run(t, &signingSuite{})
 }

-type SigningSuite struct {
-	gpgHome     string
+type signingSuite struct {
+	suite.Suite
 	fingerprint string
 }

+var _ = suite.SetupAllSuite(&signingSuite{})
+
 func findFingerprint(lineBytes []byte) (string, error) {
 	lines := string(lineBytes)
 	for _, line := range strings.Split(lines, "\n") {
@@ -36,50 +39,41 @@ func findFingerprint(lineBytes []byte) (string, error) {
 	return "", errors.New("No fingerprint found")
 }

-func (s *SigningSuite) SetUpSuite(c *check.C) {
+func (s *signingSuite) SetupSuite() {
+	t := s.T()
 	_, err := exec.LookPath(skopeoBinary)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	s.gpgHome, err = ioutil.TempDir("", "skopeo-gpg")
-	c.Assert(err, check.IsNil)
-	os.Setenv("GNUPGHOME", s.gpgHome)
+	gpgHome := t.TempDir()
+	t.Setenv("GNUPGHOME", gpgHome)

-	runCommandWithInput(c, "Key-Type: RSA\nName-Real: Testing user\n%no-protection\n%commit\n", gpgBinary, "--homedir", s.gpgHome, "--batch", "--gen-key")
+	runCommandWithInput(t, "Key-Type: RSA\nName-Real: Testing user\n%no-protection\n%commit\n", gpgBinary, "--homedir", gpgHome, "--batch", "--gen-key")

-	lines, err := exec.Command(gpgBinary, "--homedir", s.gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
-	c.Assert(err, check.IsNil)
+	lines, err := exec.Command(gpgBinary, "--homedir", gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
+	require.NoError(t, err)
 	s.fingerprint, err = findFingerprint(lines)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 }

-func (s *SigningSuite) TearDownSuite(c *check.C) {
-	if s.gpgHome != "" {
-		err := os.RemoveAll(s.gpgHome)
-		c.Assert(err, check.IsNil)
-	}
-	s.gpgHome = ""
-
-	os.Unsetenv("GNUPGHOME")
-}
-
-func (s *SigningSuite) TestSignVerifySmoke(c *check.C) {
+func (s *signingSuite) TestSignVerifySmoke() {
+	t := s.T()
 	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	defer mech.Close()
 	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
-		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+		t.Skipf("Signing not supported: %v", err)
 	}

 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/smoketest"

-	sigOutput, err := ioutil.TempFile("", "sig")
-	c.Assert(err, check.IsNil)
+	sigOutput, err := os.CreateTemp("", "sig")
+	require.NoError(t, err)
 	defer os.Remove(sigOutput.Name())
-	assertSkopeoSucceeds(c, "^$", "standalone-sign", "-o", sigOutput.Name(),
+	assertSkopeoSucceeds(t, "^$", "standalone-sign", "-o", sigOutput.Name(),
 		manifestPath, dockerReference, s.fingerprint)

-	expected := fmt.Sprintf("^Signature verified, digest %s\n$", TestImageManifestDigest)
-	assertSkopeoSucceeds(c, expected, "standalone-verify", manifestPath,
+	expected := fmt.Sprintf("^Signature verified using fingerprint %s, digest %s\n$", s.fingerprint, TestImageManifestDigest)
+	assertSkopeoSucceeds(t, expected, "standalone-verify", manifestPath,
 		dockerReference, s.fingerprint, sigOutput.Name())
 }
--- a/integration/sync_test.go
+++ b/integration/sync_test.go
@@ -3,26 +3,29 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
 	"regexp"
 	"strings"
+	"testing"

 	"github.com/containers/image/v5/docker"
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/types"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 )

 const (
 	// A repository with a path with multiple components in it which
 	// contains multiple tags, preferably with some tags pointing to
 	// manifest lists, and with some tags that don't.
-	pullableRepo = "quay.io/libpod/testimage"
+	pullableRepo = "registry.k8s.io/coredns/coredns"
 	// A tagged image in the repository that we can inspect and copy.
 	pullableTaggedImage = "registry.k8s.io/coredns/coredns:v1.6.6"
 	// A tagged manifest list in the repository that we can inspect and copy.
@@ -33,31 +36,36 @@ const (
 	pullableRepoWithLatestTag = "registry.k8s.io/pause"
 )

-func init() {
-	check.Suite(&SyncSuite{})
+func TestSync(t *testing.T) {
+	suite.Run(t, &syncSuite{})
 }

-type SyncSuite struct {
+type syncSuite struct {
+	suite.Suite
 	cluster  *openshiftCluster
 	registry *testRegistryV2
-	gpgHome  string
 }

-func (s *SyncSuite) SetUpSuite(c *check.C) {
+var _ = suite.SetupAllSuite(&syncSuite{})
+var _ = suite.TearDownAllSuite(&syncSuite{})
+
+func (s *syncSuite) SetupSuite() {
+	t := s.T()
+
 	const registryAuth = false
 	const registrySchema1 = false

 	if os.Getenv("SKOPEO_LOCAL_TESTS") == "1" {
-		c.Log("Running tests without a container")
+		t.Log("Running tests without a container")
 		fmt.Printf("NOTE: tests requires a V2 registry at url=%s, with auth=%t, schema1=%t \n", v2DockerRegistryURL, registryAuth, registrySchema1)
 		return
 	}

 	if os.Getenv("SKOPEO_CONTAINER_TESTS") != "1" {
-		c.Skip("Not running in a container, refusing to affect user state")
+		t.Skip("Not running in a container, refusing to affect user state")
 	}

-	s.cluster = startOpenshiftCluster(c) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+	s.cluster = startOpenshiftCluster(t) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.

 	for _, stream := range []string{"unsigned", "personal", "official", "naming", "cosigned", "compression", "schema1", "schema2"} {
 		isJSON := fmt.Sprintf(`{
@@ -68,207 +76,210 @@ func (s *SyncSuite) SetUpSuite(c *check.C) {
 			},
 			"spec": {}
 		}`, stream)
-		runCommandWithInput(c, isJSON, "oc", "create", "-f", "-")
+		runCommandWithInput(t, isJSON, "oc", "create", "-f", "-")
 	}

 	// FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
-	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, registryAuth, registrySchema1)
+	s.registry = setupRegistryV2At(t, v2DockerRegistryURL, registryAuth, registrySchema1)

-	gpgHome, err := ioutil.TempDir("", "skopeo-gpg")
-	c.Assert(err, check.IsNil)
-	s.gpgHome = gpgHome
-	os.Setenv("GNUPGHOME", s.gpgHome)
+	gpgHome := t.TempDir()
+	t.Setenv("GNUPGHOME", gpgHome)

 	for _, key := range []string{"personal", "official"} {
 		batchInput := fmt.Sprintf("Key-Type: RSA\nName-Real: Test key - %s\nName-email: %s@example.com\n%%no-protection\n%%commit\n",
 			key, key)
-		runCommandWithInput(c, batchInput, gpgBinary, "--batch", "--gen-key")
+		runCommandWithInput(t, batchInput, gpgBinary, "--batch", "--gen-key")

-		out := combinedOutputOfCommand(c, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
-		err := ioutil.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
+		out := combinedOutputOfCommand(t, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
+		err := os.WriteFile(filepath.Join(gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
 			[]byte(out), 0600)
-		c.Assert(err, check.IsNil)
+		require.NoError(t, err)
 	}
 }

-func (s *SyncSuite) TearDownSuite(c *check.C) {
+func (s *syncSuite) TearDownSuite() {
+	t := s.T()
 	if os.Getenv("SKOPEO_LOCAL_TESTS") == "1" {
 		return
 	}

-	if s.gpgHome != "" {
-		os.RemoveAll(s.gpgHome)
-	}
 	if s.registry != nil {
-		s.registry.Close()
+		s.registry.tearDown()
 	}
 	if s.cluster != nil {
-		s.cluster.tearDown(c)
+		s.cluster.tearDown(t)
 	}
 }

-func (s *SyncSuite) TestDocker2DirTagged(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func assertNumberOfManifestsInSubdirs(t *testing.T, dir string, expectedCount int) {
+	nManifests := 0
+	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if !d.IsDir() && d.Name() == "manifest.json" {
+			nManifests++
+			return filepath.SkipDir
+		}
+		return nil
+	})
+	require.NoError(t, err)
+	assert.Equal(t, expectedCount, nManifests)
+}
+
+func (s *syncSuite) TestDocker2DirTagged() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")

 	// sync docker => dir
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "docker://"+image, "dir:"+dir2)
+	assertSkopeoSucceeds(t, "", "copy", "docker://"+image, "dir:"+dir2)
 	_, err = os.Stat(path.Join(dir2, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "diff", "-urN", path.Join(dir1, imagePath), dir2)
-	c.Assert(out, check.Equals, "")
+	out := combinedOutputOfCommand(t, "diff", "-urN", path.Join(dir1, imagePath), dir2)
+	assert.Equal(t, "", out)
 }

-func (s *SyncSuite) TestDocker2DirTaggedAll(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestDocker2DirTaggedAll() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedManifestList
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")

 	// sync docker => dir
-	assertSkopeoSucceeds(c, "", "sync", "--all", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--all", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "--all", "docker://"+image, "dir:"+dir2)
+	assertSkopeoSucceeds(t, "", "copy", "--all", "docker://"+image, "dir:"+dir2)
 	_, err = os.Stat(path.Join(dir2, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "diff", "-urN", path.Join(dir1, imagePath), dir2)
-	c.Assert(out, check.Equals, "")
+	out := combinedOutputOfCommand(t, "diff", "-urN", path.Join(dir1, imagePath), dir2)
+	assert.Equal(t, "", out)
 }

-func (s *SyncSuite) TestPreserveDigests(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestPreserveDigests() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedManifestList

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "--all", "--preserve-digests", "docker://"+image, "dir:"+tmpDir)
-	_, err = os.Stat(path.Join(tmpDir, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	assertSkopeoSucceeds(t, "", "copy", "--all", "--preserve-digests", "docker://"+image, "dir:"+tmpDir)
+	_, err := os.Stat(path.Join(tmpDir, "manifest.json"))
+	require.NoError(t, err)

-	assertSkopeoFails(c, ".*Instructed to preserve digests.*", "copy", "--all", "--preserve-digests", "--format=oci", "docker://"+image, "dir:"+tmpDir)
+	assertSkopeoFails(t, ".*Instructed to preserve digests.*", "copy", "--all", "--preserve-digests", "--format=oci", "docker://"+image, "dir:"+tmpDir)
 }

-func (s *SyncSuite) TestScoped(c *check.C) {
+func (s *syncSuite) TestScoped() {
+	t := s.T()
 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

-	dir1, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
+	dir1 := t.TempDir()
+	assertSkopeoSucceeds(t, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, path.Base(imagePath), "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
-	c.Assert(err, check.IsNil)
-
-	os.RemoveAll(dir1)
+	require.NoError(t, err)
 }

-func (s *SyncSuite) TestDirIsNotOverwritten(c *check.C) {
+func (s *syncSuite) TestDirIsNotOverwritten() {
+	t := s.T()
 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepoWithLatestTag
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	// make a copy of the image in the local registry
-	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "docker://"+image, "docker://"+path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())))
+	assertSkopeoSucceeds(t, "", "copy", "--dest-tls-verify=false", "docker://"+image, "docker://"+path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())))

 	//sync upstream image to dir, not scoped
-	dir1, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
+	dir1 := t.TempDir()
+	assertSkopeoSucceeds(t, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, path.Base(imagePath), "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	//sync local registry image to dir, not scoped
-	assertSkopeoFails(c, ".*Refusing to overwrite destination directory.*", "sync", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)
+	assertSkopeoFails(t, ".*Refusing to overwrite destination directory.*", "sync", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)

 	//sync local registry image to dir, scoped
 	imageRef, err = docker.ParseReference(fmt.Sprintf("//%s", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference()))))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath = imageRef.DockerReference().String()
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)
 	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
-	c.Assert(err, check.IsNil)
-	os.RemoveAll(dir1)
+	require.NoError(t, err)
 }

-func (s *SyncSuite) TestDocker2DirUntagged(c *check.C) {
-
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestDocker2DirUntagged() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepo
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	dir1 := path.Join(tmpDir, "dir1")
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)

 	sysCtx := types.SystemContext{}
 	tags, err := docker.GetRepositoryTags(context.Background(), &sysCtx, imageRef)
-	c.Assert(err, check.IsNil)
-	c.Check(len(tags), check.Not(check.Equals), 0)
+	require.NoError(t, err)
+	assert.NotZero(t, len(tags))

 	nManifests, err := filepath.Glob(path.Join(dir1, path.Dir(imagePath), "*", "manifest.json"))
-	c.Assert(err, check.IsNil)
-	c.Assert(len(nManifests), check.Equals, len(tags))
+	require.NoError(t, err)
+	assert.Len(t, nManifests, len(tags))
 }

-func (s *SyncSuite) TestYamlUntagged(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestYamlUntagged() {
+	t := s.T()
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	image := pullableRepo
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().Name()

 	sysCtx := types.SystemContext{}
 	tags, err := docker.GetRepositoryTags(context.Background(), &sysCtx, imageRef)
-	c.Assert(err, check.IsNil)
-	c.Check(len(tags), check.Not(check.Equals), 0)
+	require.NoError(t, err)
+	assert.NotZero(t, len(tags))

 	yamlConfig := fmt.Sprintf(`
 %s:
@@ -278,8 +289,9 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {

 	// sync to the local registry
 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "docker", "--dest-tls-verify=false", yamlFile, v2DockerRegistryURL)
+	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "docker", "--dest-tls-verify=false", yamlFile, v2DockerRegistryURL)
 	// sync back from local registry to a folder
 	os.Remove(yamlFile)
 	yamlConfig = fmt.Sprintf(`
@@ -289,39 +301,25 @@ func (s *SyncSuite) TestYamlUntagged(c *check.C) {
    %s: []
 `, v2DockerRegistryURL, imagePath)

-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)

 	sysCtx = types.SystemContext{
 		DockerInsecureSkipTLSVerify: types.NewOptionalBool(true),
 	}
 	localImageRef, err := docker.ParseReference(fmt.Sprintf("//%s/%s", v2DockerRegistryURL, imagePath))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	localTags, err := docker.GetRepositoryTags(context.Background(), &sysCtx, localImageRef)
-	c.Assert(err, check.IsNil)
-	c.Check(len(localTags), check.Not(check.Equals), 0)
-	c.Assert(len(localTags), check.Equals, len(tags))
-
-	nManifests := 0
-	//count the number of manifest.json in dir1
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
-	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, len(tags))
+	require.NoError(t, err)
+	assert.NotZero(t, len(localTags))
+	assert.Len(t, localTags, len(tags))
+	assertNumberOfManifestsInSubdirs(t, dir1, len(tags))
 }

-func (s *SyncSuite) TestYamlRegex2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestYamlRegex2Dir() {
+	t := s.T()
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
@@ -331,31 +329,18 @@ registry.k8s.io:
 `
 	// the       ↑    regex strings always matches only 2 images
 	var nTags = 2
-	c.Assert(nTags, check.Not(check.Equals), 0)
+	assert.NotZero(t, nTags)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-
-	nManifests := 0
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
-	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, nTags)
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(t, dir1, nTags)
 }

-func (s *SyncSuite) TestYamlDigest2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestYamlDigest2Dir() {
+	t := s.T()
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
@@ -365,28 +350,15 @@ registry.k8s.io:
    - sha256:59eec8837a4d942cc19a52b8c09ea75121acc38114a2c68b98983ce9356b8610
 `
 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-
-	nManifests := 0
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
-	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, 1)
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(t, dir1, 1)
 }

-func (s *SyncSuite) TestYaml2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestYaml2Dir() {
+	t := s.T()
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")

 	yamlConfig := `
@@ -414,39 +386,26 @@ quay.io:
 			nTags++
 		}
 	}
-	c.Assert(nTags, check.Not(check.Equals), 0)
+	assert.NotZero(t, nTags)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
-
-	nManifests := 0
-	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if !info.IsDir() && info.Name() == "manifest.json" {
-			nManifests++
-			return filepath.SkipDir
-		}
-		return nil
-	})
-	c.Assert(err, check.IsNil)
-	c.Assert(nManifests, check.Equals, nTags)
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	require.NoError(t, err)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+	assertNumberOfManifestsInSubdirs(t, dir1, nTags)
 }

-func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
+func (s *syncSuite) TestYamlTLSVerify() {
+	t := s.T()
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := t.TempDir()
 	dir1 := path.Join(tmpDir, "dir1")
 	image := pullableRepoWithLatestTag
 	tag := "latest"

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	// copy docker => docker
-	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "docker://"+image+":"+tag, localRegURL+image+":"+tag)
+	assertSkopeoSucceeds(t, "", "copy", "--dest-tls-verify=false", "docker://"+image+":"+tag, localRegURL+image+":"+tag)

 	yamlTemplate := `
 %s:
@@ -458,7 +417,7 @@ func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 	testCfg := []struct {
 		tlsVerify string
 		msg       string
-		checker   func(c *check.C, regexp string, args ...string)
+		checker   func(t *testing.T, regexp string, args ...string)
 	}{
 		{
 			tlsVerify: "tls-verify: false",
@@ -481,19 +440,19 @@ func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
 	for _, cfg := range testCfg {
 		yamlConfig := fmt.Sprintf(yamlTemplate, v2DockerRegistryURL, cfg.tlsVerify, image, tag)
 		yamlFile := path.Join(tmpDir, "registries.yaml")
-		ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+		err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+		require.NoError(t, err)

-		cfg.checker(c, cfg.msg, "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+		cfg.checker(t, cfg.msg, "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
 		os.Remove(yamlFile)
 		os.RemoveAll(dir1)
 	}

 }

-func (s *SyncSuite) TestSyncManifestOutput(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "sync-manifest-output")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestSyncManifestOutput() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	destDir1 := filepath.Join(tmpDir, "dest1")
 	destDir2 := filepath.Join(tmpDir, "dest2")
@@ -502,168 +461,162 @@ func (s *SyncSuite) TestSyncManifestOutput(c *check.C) {
 	//Split image:tag path from image URI for manifest comparison
 	imageDir := pullableTaggedImage[strings.LastIndex(pullableTaggedImage, "/")+1:]

-	assertSkopeoSucceeds(c, "", "sync", "--format=oci", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir1)
-	verifyManifestMIMEType(c, filepath.Join(destDir1, imageDir), imgspecv1.MediaTypeImageManifest)
-	assertSkopeoSucceeds(c, "", "sync", "--format=v2s2", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir2)
-	verifyManifestMIMEType(c, filepath.Join(destDir2, imageDir), manifest.DockerV2Schema2MediaType)
-	assertSkopeoSucceeds(c, "", "sync", "--format=v2s1", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir3)
-	verifyManifestMIMEType(c, filepath.Join(destDir3, imageDir), manifest.DockerV2Schema1SignedMediaType)
+	assertSkopeoSucceeds(t, "", "sync", "--format=oci", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir1)
+	verifyManifestMIMEType(t, filepath.Join(destDir1, imageDir), imgspecv1.MediaTypeImageManifest)
+	assertSkopeoSucceeds(t, "", "sync", "--format=v2s2", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir2)
+	verifyManifestMIMEType(t, filepath.Join(destDir2, imageDir), manifest.DockerV2Schema2MediaType)
+	assertSkopeoSucceeds(t, "", "sync", "--format=v2s1", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir3)
+	verifyManifestMIMEType(t, filepath.Join(destDir3, imageDir), manifest.DockerV2Schema1SignedMediaType)
 }

-func (s *SyncSuite) TestDocker2DockerTagged(c *check.C) {
+func (s *syncSuite) TestDocker2DockerTagged() {
+	t := s.T()
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableTaggedImage
 	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	imagePath := imageRef.DockerReference().String()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")

 	// sync docker => docker
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "docker", "--dest", "docker", image, v2DockerRegistryURL)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "docker", "--dest", "docker", image, v2DockerRegistryURL)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "docker://"+image, "dir:"+dir1)
+	assertSkopeoSucceeds(t, "", "copy", "docker://"+image, "dir:"+dir1)
 	_, err = os.Stat(path.Join(dir1, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", localRegURL+imagePath, "dir:"+dir2)
+	assertSkopeoSucceeds(t, "", "copy", "--src-tls-verify=false", localRegURL+imagePath, "dir:"+dir2)
 	_, err = os.Stat(path.Join(dir2, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
-	c.Assert(out, check.Equals, "")
+	out := combinedOutputOfCommand(t, "diff", "-urN", dir1, dir2)
+	assert.Equal(t, "", out)
 }

-func (s *SyncSuite) TestDir2DockerTagged(c *check.C) {
+func (s *syncSuite) TestDir2DockerTagged() {
+	t := s.T()
 	const localRegURL = "docker://" + v2DockerRegistryURL + "/"

-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := t.TempDir()

 	// FIXME: It would be nice to use one of the local Docker registries instead of needing an Internet connection.
 	image := pullableRepoWithLatestTag

 	dir1 := path.Join(tmpDir, "dir1")
-	err = os.Mkdir(dir1, 0755)
-	c.Assert(err, check.IsNil)
+	err := os.Mkdir(dir1, 0755)
+	require.NoError(t, err)
 	dir2 := path.Join(tmpDir, "dir2")
 	err = os.Mkdir(dir2, 0755)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// create leading dirs
 	err = os.MkdirAll(path.Dir(path.Join(dir1, image)), 0755)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "docker://"+image, "dir:"+path.Join(dir1, image))
+	assertSkopeoSucceeds(t, "", "copy", "docker://"+image, "dir:"+path.Join(dir1, image))
 	_, err = os.Stat(path.Join(dir1, image, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// sync dir => docker
-	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", dir1, v2DockerRegistryURL)
+	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", dir1, v2DockerRegistryURL)

 	// create leading dirs
 	err = os.MkdirAll(path.Dir(path.Join(dir2, image)), 0755)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

 	// copy docker => dir
-	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", localRegURL+image, "dir:"+path.Join(dir2, image))
+	assertSkopeoSucceeds(t, "", "copy", "--src-tls-verify=false", localRegURL+image, "dir:"+path.Join(dir2, image))
 	_, err = os.Stat(path.Join(dir2, image, "manifest.json"))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)

-	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
-	c.Assert(out, check.Equals, "")
+	out := combinedOutputOfCommand(t, "diff", "-urN", dir1, dir2)
+	assert.Equal(t, "", out)
 }

-func (s *SyncSuite) TestFailsWithDir2Dir(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestFailsWithDir2Dir() {
+	t := s.T()
+	tmpDir := t.TempDir()

 	dir1 := path.Join(tmpDir, "dir1")
 	dir2 := path.Join(tmpDir, "dir2")

 	// sync dir => dir is not allowed
-	assertSkopeoFails(c, ".*sync from 'dir' to 'dir' not implemented.*", "sync", "--scoped", "--src", "dir", "--dest", "dir", dir1, dir2)
+	assertSkopeoFails(t, ".*sync from 'dir' to 'dir' not implemented.*", "sync", "--scoped", "--src", "dir", "--dest", "dir", dir1, dir2)
 }

-func (s *SyncSuite) TestFailsNoSourceImages(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+func (s *syncSuite) TestFailsNoSourceImages() {
+	t := s.T()
+	tmpDir := t.TempDir()

-	assertSkopeoFails(c, ".*No images to sync found in .*",
+	assertSkopeoFails(t, ".*No images to sync found in .*",
 		"sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", tmpDir, v2DockerRegistryURL)

-	assertSkopeoFails(c, ".*No images to sync found in .*",
+	assertSkopeoFails(t, ".*Error determining repository tags for repo docker.io/library/hopefully_no_images_will_ever_be_called_like_this: fetching tags list: requested access to the resource is denied.*",
 		"sync", "--scoped", "--dest-tls-verify=false", "--src", "docker", "--dest", "docker", "hopefully_no_images_will_ever_be_called_like_this", v2DockerRegistryURL)
 }

-func (s *SyncSuite) TestFailsWithDockerSourceNoRegistry(c *check.C) {
+func (s *syncSuite) TestFailsWithDockerSourceNoRegistry() {
+	t := s.T()
 	const regURL = "google.com/namespace/imagename"

-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := t.TempDir()

 	//untagged
-	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
+	assertSkopeoFails(t, ".*StatusCode: 404.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL, tmpDir)

 	//tagged
-	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
+	assertSkopeoFails(t, ".*StatusCode: 404.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL+":thetag", tmpDir)
 }

-func (s *SyncSuite) TestFailsWithDockerSourceUnauthorized(c *check.C) {
+func (s *syncSuite) TestFailsWithDockerSourceUnauthorized() {
+	t := s.T()
 	const repo = "privateimagenamethatshouldnotbepublic"
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := t.TempDir()

 	//untagged
-	assertSkopeoFails(c, ".*Registry disallows tag list retrieval.*",
+	assertSkopeoFails(t, ".*requested access to the resource is denied.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo, tmpDir)

 	//tagged
-	assertSkopeoFails(c, ".*unauthorized: authentication required.*",
+	assertSkopeoFails(t, ".*requested access to the resource is denied.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo+":thetag", tmpDir)
 }

-func (s *SyncSuite) TestFailsWithDockerSourceNotExisting(c *check.C) {
+func (s *syncSuite) TestFailsWithDockerSourceNotExisting() {
+	t := s.T()
 	repo := path.Join(v2DockerRegistryURL, "imagedoesnotexist")
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	defer os.RemoveAll(tmpDir)
+	tmpDir := t.TempDir()

 	//untagged
-	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
+	assertSkopeoFails(t, ".*repository name not known to registry.*",
 		"sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", repo, tmpDir)

 	//tagged
-	assertSkopeoFails(c, ".*reading manifest.*",
+	assertSkopeoFails(t, ".*reading manifest.*",
 		"sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", repo+":thetag", tmpDir)
 }

-func (s *SyncSuite) TestFailsWithDirSourceNotExisting(c *check.C) {
+func (s *syncSuite) TestFailsWithDirSourceNotExisting() {
+	t := s.T()
 	// Make sure the dir does not exist!
-	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
-	c.Assert(err, check.IsNil)
-	err = os.RemoveAll(tmpDir)
-	c.Assert(err, check.IsNil)
+	tmpDir := t.TempDir()
+	tmpDir = filepath.Join(tmpDir, "this-does-not-exist")
+	err := os.RemoveAll(tmpDir)
+	require.NoError(t, err)
 	_, err = os.Stat(path.Join(tmpDir))
-	c.Check(os.IsNotExist(err), check.Equals, true)
+	assert.True(t, os.IsNotExist(err))

-	assertSkopeoFails(c, ".*no such file or directory.*",
+	assertSkopeoFails(t, ".*no such file or directory.*",
 		"sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", tmpDir, v2DockerRegistryURL)
 }
--- a/integration/utils.go
+++ b/integration/utils.go
@@ -2,38 +2,43 @@ package main

 import (
 	"bytes"
+	"compress/gzip"
+	"encoding/json"
 	"io"
-	"io/ioutil"
 	"net"
+	"net/netip"
+	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"testing"
 	"time"

 	"github.com/containers/image/v5/manifest"
-	"gopkg.in/check.v1"
+	"github.com/opencontainers/go-digest"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 const skopeoBinary = "skopeo"
-const decompressDirsBinary = "./decompress-dirs.sh"

 const testFQIN = "docker://quay.io/libpod/busybox" // tag left off on purpose, some tests need to add a special one
 const testFQIN64 = "docker://quay.io/libpod/busybox:amd64"
-const testFQINMultiLayer = "docker://quay.io/libpod/alpine_nginx:master" // multi-layer
+const testFQINMultiLayer = "docker://quay.io/libpod/alpine_nginx:latest" // multi-layer

-// consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to c.
-func consumeAndLogOutputStream(c *check.C, id string, f io.ReadCloser, err error) {
-	c.Assert(err, check.IsNil)
+// consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to t.
+func consumeAndLogOutputStream(t *testing.T, id string, f io.ReadCloser, err error) {
+	require.NoError(t, err)
 	go func() {
 		defer func() {
 			f.Close()
-			c.Logf("Output %s: Closed", id)
+			t.Logf("Output %s: Closed", id)
 		}()
 		buf := make([]byte, 1024)
 		for {
-			c.Logf("Output %s: waiting", id)
+			t.Logf("Output %s: waiting", id)
 			n, err := f.Read(buf)
-			c.Logf("Output %s: got %d,%#v: %s", id, n, err, strings.TrimSuffix(string(buf[:n]), "\n"))
+			t.Logf("Output %s: got %d,%#v: %s", id, n, err, strings.TrimSuffix(string(buf[:n]), "\n"))
 			if n <= 0 {
 				break
 			}
@@ -41,72 +46,73 @@ func consumeAndLogOutputStream(c *check.C, id string, f io.ReadCloser, err error
 	}()
 }

-// consumeAndLogOutputs causes all output to stdout and stderr from an *exec.Cmd to be logged to c
-func consumeAndLogOutputs(c *check.C, id string, cmd *exec.Cmd) {
+// consumeAndLogOutputs causes all output to stdout and stderr from an *exec.Cmd to be logged to c.
+func consumeAndLogOutputs(t *testing.T, id string, cmd *exec.Cmd) {
 	stdout, err := cmd.StdoutPipe()
-	consumeAndLogOutputStream(c, id+" stdout", stdout, err)
+	consumeAndLogOutputStream(t, id+" stdout", stdout, err)
 	stderr, err := cmd.StderrPipe()
-	consumeAndLogOutputStream(c, id+" stderr", stderr, err)
+	consumeAndLogOutputStream(t, id+" stderr", stderr, err)
 }

 // combinedOutputOfCommand runs a command as if exec.Command().CombinedOutput(), verifies that the exit status is 0, and returns the output,
 // or terminates c on failure.
-func combinedOutputOfCommand(c *check.C, name string, args ...string) string {
-	c.Logf("Running %s %s", name, strings.Join(args, " "))
+func combinedOutputOfCommand(t *testing.T, name string, args ...string) string {
+	t.Logf("Running %s %s", name, strings.Join(args, " "))
 	out, err := exec.Command(name, args...).CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	require.NoError(t, err, "%s", out)
 	return string(out)
 }

 // assertSkopeoSucceeds runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
 // and optionally that the output matches a multi-line regexp if it is nonempty;
 // or terminates c on failure
-func assertSkopeoSucceeds(c *check.C, regexp string, args ...string) {
-	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+func assertSkopeoSucceeds(t *testing.T, regexp string, args ...string) {
+	t.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
 	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	assert.NoError(t, err, "%s", out)
 	if regexp != "" {
-		c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+		assert.Regexp(t, "(?s)"+regexp, string(out)) // (?s) : '.' will also match newlines
 	}
 }

 // assertSkopeoFails runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
 // and that the output matches a multi-line regexp;
 // or terminates c on failure
-func assertSkopeoFails(c *check.C, regexp string, args ...string) {
-	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+func assertSkopeoFails(t *testing.T, regexp string, args ...string) {
+	t.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
 	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf("%s", out))
-	c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+	assert.Error(t, err, "%s", out)
+	assert.Regexp(t, "(?s)"+regexp, string(out)) // (?s) : '.' will also match newlines
 }

 // runCommandWithInput runs a command as if exec.Command(), sending it the input to stdin,
 // and verifies that the exit status is 0, or terminates c on failure.
-func runCommandWithInput(c *check.C, input string, name string, args ...string) {
+func runCommandWithInput(t *testing.T, input string, name string, args ...string) {
 	cmd := exec.Command(name, args...)
-	runExecCmdWithInput(c, cmd, input)
+	runExecCmdWithInput(t, cmd, input)
 }

 // runExecCmdWithInput runs an exec.Cmd, sending it the input to stdin,
 // and verifies that the exit status is 0, or terminates c on failure.
-func runExecCmdWithInput(c *check.C, cmd *exec.Cmd, input string) {
-	c.Logf("Running %s %s", cmd.Path, strings.Join(cmd.Args, " "))
-	consumeAndLogOutputs(c, cmd.Path+" "+strings.Join(cmd.Args, " "), cmd)
+func runExecCmdWithInput(t *testing.T, cmd *exec.Cmd, input string) {
+	t.Logf("Running %s %s", cmd.Path, strings.Join(cmd.Args, " "))
+	consumeAndLogOutputs(t, cmd.Path+" "+strings.Join(cmd.Args, " "), cmd)
 	stdin, err := cmd.StdinPipe()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	err = cmd.Start()
-	c.Assert(err, check.IsNil)
-	_, err = stdin.Write([]byte(input))
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
+	_, err = io.WriteString(stdin, input)
+	require.NoError(t, err)
 	err = stdin.Close()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	err = cmd.Wait()
-	c.Assert(err, check.IsNil)
+	assert.NoError(t, err)
 }

 // isPortOpen returns true iff the specified port on localhost is open.
-func isPortOpen(port int) bool {
-	conn, err := net.DialTCP("tcp", nil, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: port})
+func isPortOpen(port uint16) bool {
+	ap := netip.AddrPortFrom(netip.AddrFrom4([4]byte{127, 0, 0, 1}), port)
+	conn, err := net.DialTCP("tcp", nil, net.TCPAddrFromAddrPort(ap))
 	if err != nil {
 		return false
 	}
@@ -118,29 +124,29 @@ func isPortOpen(port int) bool {
 // The checking can be aborted by sending a value to the terminate channel, which the caller should
 // always do using
 // defer func() {terminate <- true}()
-func newPortChecker(c *check.C, port int) (portOpen <-chan bool, terminate chan<- bool) {
+func newPortChecker(t *testing.T, port uint16) (portOpen <-chan bool, terminate chan<- bool) {
 	portOpenBidi := make(chan bool)
 	// Buffered, so that sending a terminate request after the goroutine has exited does not block.
 	terminateBidi := make(chan bool, 1)

 	go func() {
 		defer func() {
-			c.Logf("Port checker for port %d exiting", port)
+			t.Logf("Port checker for port %d exiting", port)
 		}()
 		for {
-			c.Logf("Checking for port %d...", port)
+			t.Logf("Checking for port %d...", port)
 			if isPortOpen(port) {
-				c.Logf("Port %d open", port)
+				t.Logf("Port %d open", port)
 				portOpenBidi <- true
 				return
 			}
-			c.Logf("Sleeping for port %d", port)
+			t.Logf("Sleeping for port %d", port)
 			sleepChan := time.After(100 * time.Millisecond)
 			select {
 			case <-sleepChan: // Try again
-				c.Logf("Sleeping for port %d done, will retry", port)
+				t.Logf("Sleeping for port %d done, will retry", port)
 			case <-terminateBidi:
-				c.Logf("Check for port %d terminated", port)
+				t.Logf("Check for port %d terminated", port)
 				return
 			}
 		}
@@ -162,54 +168,124 @@ func modifyEnviron(env []string, name, value string) []string {

 // fileFromFixtureFixture applies edits to inputPath and returns a path to the temporary file.
 // Callers should defer os.Remove(the_returned_path)
-func fileFromFixture(c *check.C, inputPath string, edits map[string]string) string {
-	contents, err := ioutil.ReadFile(inputPath)
-	c.Assert(err, check.IsNil)
+func fileFromFixture(t *testing.T, inputPath string, edits map[string]string) string {
+	contents, err := os.ReadFile(inputPath)
+	require.NoError(t, err)
 	for template, value := range edits {
-		updated := bytes.Replace(contents, []byte(template), []byte(value), -1)
-		c.Assert(bytes.Equal(updated, contents), check.Equals, false, check.Commentf("Replacing %s in %#v failed", template, string(contents))) // Verify that the template has matched something and we are not silently ignoring it.
+		updated := bytes.ReplaceAll(contents, []byte(template), []byte(value))
+		require.NotEqual(t, contents, updated, "Replacing %s in %#v failed", template, string(contents)) // Verify that the template has matched something and we are not silently ignoring it.
 		contents = updated
 	}

-	file, err := ioutil.TempFile("", "policy.json")
-	c.Assert(err, check.IsNil)
+	file, err := os.CreateTemp("", "policy.json")
+	require.NoError(t, err)
 	path := file.Name()

 	_, err = file.Write(contents)
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	err = file.Close()
-	c.Assert(err, check.IsNil)
+	require.NoError(t, err)
 	return path
 }

-// runDecompressDirs runs decompress-dirs.sh using exec.Command().CombinedOutput, verifies that the exit status is 0,
-// and optionally that the output matches a multi-line regexp if it is nonempty; or terminates c on failure
-func runDecompressDirs(c *check.C, regexp string, args ...string) {
-	c.Logf("Running %s %s", decompressDirsBinary, strings.Join(args, " "))
-	for i, dir := range args {
-		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
-		c.Assert(err, check.IsNil)
-		c.Logf("manifest %d before: %s", i+1, string(m))
-	}
-	out, err := exec.Command(decompressDirsBinary, args...).CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
-	for i, dir := range args {
-		if len(out) > 0 {
-			c.Logf("output: %s", out)
-		}
-		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
-		c.Assert(err, check.IsNil)
-		c.Logf("manifest %d after: %s", i+1, string(m))
-	}
-	if regexp != "" {
-		c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+// decompressDirs decompresses specified dir:-formatted directories
+func decompressDirs(t *testing.T, dirs ...string) {
+	t.Logf("Decompressing %s", strings.Join(dirs, " "))
+	for i, dir := range dirs {
+		m, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
+		require.NoError(t, err)
+		t.Logf("manifest %d before: %s", i+1, string(m))
+
+		decompressDir(t, dir)
+
+		m, err = os.ReadFile(filepath.Join(dir, "manifest.json"))
+		require.NoError(t, err)
+		t.Logf("manifest %d after: %s", i+1, string(m))
 	}
 }

-// Verify manifest in a dir: image at dir is expectedMIMEType.
-func verifyManifestMIMEType(c *check.C, dir string, expectedMIMEType string) {
-	manifestBlob, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
-	c.Assert(err, check.IsNil)
-	mimeType := manifest.GuessMIMEType(manifestBlob)
-	c.Assert(mimeType, check.Equals, expectedMIMEType)
+// getRawMapField assigns a value of rawMap[key] to dest,
+// failing if it does not exist or if it doesn’t have the expected type
+func getRawMapField[T any](t *testing.T, rawMap map[string]any, key string, dest *T) {
+	rawValue, ok := rawMap[key]
+	require.True(t, ok, key)
+	value, ok := rawValue.(T)
+	require.True(t, ok, key, "%#v", value)
+	*dest = value
+}
+
+// decompressDir modifies a dir:-formatted directory to replace gzip-compressed layers with uncompressed variants,
+// and to use a ~canonical formatting of manifest.json.
+func decompressDir(t *testing.T, dir string) {
+	// This is, overall, very dumb; the “obvious” way would be to invoke skopeo to decompress,
+	// or at least to use c/image to parse/format the manifest.
+	//
+	// But this is used to test (aspects of) those code paths… so, it’s acceptable for this to be
+	// dumb and to make assumptions about the data, but it should not share code.
+
+	manifestBlob, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
+	require.NoError(t, err)
+	var rawManifest map[string]any
+	err = json.Unmarshal(manifestBlob, &rawManifest)
+	require.NoError(t, err)
+	var rawLayers []any
+	getRawMapField(t, rawManifest, "layers", &rawLayers)
+	for i, rawLayerValue := range rawLayers {
+		rawLayer, ok := rawLayerValue.(map[string]any)
+		require.True(t, ok)
+		var digestString string
+		getRawMapField(t, rawLayer, "digest", &digestString)
+		compressedDigest, err := digest.Parse(digestString)
+		require.NoError(t, err)
+		if compressedDigest.String() == "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" { // An empty file
+			continue
+		}
+
+		compressedPath := filepath.Join(dir, compressedDigest.Encoded())
+		compressedStream, err := os.Open(compressedPath)
+		require.NoError(t, err)
+		defer compressedStream.Close()
+
+		uncompressedStream, err := gzip.NewReader(compressedStream)
+		if err != nil {
+			continue // Silently assume the layer is not gzip-compressed
+		}
+		tempDest, err := os.CreateTemp(dir, "decompressing")
+		require.NoError(t, err)
+		digester := digest.Canonical.Digester()
+		uncompressedSize, err := io.Copy(tempDest, io.TeeReader(uncompressedStream, digester.Hash()))
+		require.NoError(t, err)
+		err = uncompressedStream.Close()
+		require.NoError(t, err)
+		uncompressedDigest := digester.Digest()
+		uncompressedPath := filepath.Join(dir, uncompressedDigest.Encoded())
+		err = os.Rename(tempDest.Name(), uncompressedPath)
+		require.NoError(t, err)
+		err = os.Remove(compressedPath)
+		require.NoError(t, err)
+
+		rawLayer["digest"] = uncompressedDigest.String()
+		rawLayer["size"] = uncompressedSize
+		var mimeType string
+		getRawMapField(t, rawLayer, "mediaType", &mimeType)
+		if strings.HasSuffix(mimeType, ".gzip") { // This should use CutSuffix with Go ≥1.20
+			rawLayer["mediaType"] = strings.TrimSuffix(mimeType, ".gzip")
+		}
+
+		rawLayers[i] = rawLayer
+	}
+	rawManifest["layers"] = rawLayers
+
+	manifestBlob, err = json.Marshal(rawManifest)
+	require.NoError(t, err)
+	err = os.WriteFile(filepath.Join(dir, "manifest.json"), manifestBlob, 0o600)
+	require.NoError(t, err)
+}
+
+// Verify manifest in a dir: image at dir is expectedMIMEType.
+func verifyManifestMIMEType(t *testing.T, dir string, expectedMIMEType string) {
+	manifestBlob, err := os.ReadFile(filepath.Join(dir, "manifest.json"))
+	require.NoError(t, err)
+	mimeType := manifest.GuessMIMEType(manifestBlob)
+	assert.Equal(t, expectedMIMEType, mimeType)
 }
--- a/rpm/skopeo.spec
+++ b/rpm/skopeo.spec
@@ -0,0 +1,174 @@
+%global with_debug 1
+
+%if 0%{?with_debug}
+%global _find_debuginfo_dwz_opts %{nil}
+%global _dwz_low_mem_die_limit 0
+%else
+%global debug_package %{nil}
+%endif
+
+# RHEL's default %%gobuild macro doesn't account for the BUILDTAGS variable, so we
+# set it separately here and do not depend on RHEL's go-[s]rpm-macros package
+# until that's fixed.
+# c9s bz: https://bugzilla.redhat.com/show_bug.cgi?id=2227328
+# c8s bz: https://bugzilla.redhat.com/show_bug.cgi?id=2227331
+%if %{defined rhel}
+%define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%endif
+
+%global gomodulesmode GO111MODULE=on
+
+# No btrfs on RHEL
+%if %{defined fedora}
+%define build_with_btrfs 1
+%endif
+
+# Only used in official koji builds
+# Copr builds set a separate epoch for all environments
+%if %{defined fedora}
+%define conditional_epoch 1
+%else
+%define conditional_epoch 2
+%endif
+
+Name: skopeo
+%if %{defined copr_username}
+Epoch: 102
+%else
+Epoch: %{conditional_epoch}
+%endif
+# DO NOT TOUCH the Version string!
+# The TRUE source of this specfile is:
+# https://github.com/containers/skopeo/blob/main/rpm/skopeo.spec
+# If that's what you're reading, Version must be 0, and will be updated by Packit for
+# copr and koji builds.
+# If you're reading this on dist-git, the version is automatically filled in by Packit.
+Version: 0
+# The `AND` needs to be uppercase in the License for SPDX compatibility
+License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0
+Release: %autorelease
+%if %{defined golang_arches_future}
+ExclusiveArch: %{golang_arches_future}
+%else
+ExclusiveArch: aarch64 ppc64le s390x x86_64
+%endif
+Summary: Inspect container images and repositories on registries
+URL: https://github.com/containers/%{name}
+# Tarball fetched from upstream
+Source0: %{url}/archive/v%{version}.tar.gz
+BuildRequires: %{_bindir}/go-md2man
+%if %{defined build_with_btrfs}
+BuildRequires: btrfs-progs-devel
+%endif
+BuildRequires: git-core
+BuildRequires: golang
+%if !%{defined gobuild}
+BuildRequires: go-rpm-macros
+%endif
+BuildRequires: gpgme-devel
+BuildRequires: libassuan-devel
+BuildRequires: pkgconfig(devmapper)
+BuildRequires: ostree-devel
+BuildRequires: glib2-devel
+BuildRequires: make
+BuildRequires: shadow-utils-subid-devel
+Requires: containers-common >= 4:1-21
+
+%description
+Command line utility to inspect images and repositories directly on Docker
+registries without the need to pull them
+
+%package tests
+Summary: Tests for %{name}
+
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: bats
+Requires: gnupg
+Requires: jq
+Requires: golang
+Requires: podman
+Requires: crun
+Requires: httpd-tools
+Requires: openssl
+Requires: fakeroot
+Requires: squashfs-tools
+
+%description tests
+%{summary}
+
+This package contains system tests for %{name}
+
+%prep
+%autosetup -Sgit %{name}-%{version}
+# The %%install stage should not rebuild anything but only install what's
+# built in the %%build stage. So, remove any dependency on build targets.
+sed -i 's/^install-binary: bin\/%{name}.*/install-binary:/' Makefile
+sed -i 's/^completions: bin\/%{name}.*/completions:/' Makefile
+sed -i 's/^install-docs: docs.*/install-docs:/' Makefile
+
+%build
+%set_build_flags
+export CGO_CFLAGS=$CFLAGS
+
+# These extra flags present in $CFLAGS have been skipped for now as they break the build
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
+CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
+
+%ifarch x86_64
+export CGO_CFLAGS="$CGO_CFLAGS -m64 -mtune=generic -fcf-protection=full"
+%endif
+
+BASEBUILDTAGS="$(hack/libdm_tag.sh) $(hack/libsubid_tag.sh)"
+%if %{defined build_with_btrfs}
+export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_tag.sh) $(hack/btrfs_installed_tag.sh)"
+%else
+export BUILDTAGS="$BASEBUILDTAGS btrfs_noversion exclude_graphdriver_btrfs"
+%endif
+
+# unset LDFLAGS earlier set from set_build_flags
+LDFLAGS=''
+
+%gobuild -o bin/%{name} ./cmd/%{name}
+%{__make} docs
+
+%install
+make \
+    DESTDIR=%{buildroot} \
+    PREFIX=%{_prefix} \
+    install-binary install-docs install-completions
+
+# system tests
+install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
+cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
+
+#define license tag if not already defined
+%{!?_licensedir:%global license %doc}
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man1/%{name}*
+%dir %{_datadir}/bash-completion
+%dir %{_datadir}/bash-completion/completions
+%{_datadir}/bash-completion/completions/%{name}
+%dir %{_datadir}/fish/vendor_completions.d
+%{_datadir}/fish/vendor_completions.d/%{name}.fish
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_%{name}
+
+%files tests
+%license LICENSE
+%{_datadir}/%{name}/test
+
+%changelog
+%if %{defined autochangelog}
+%autochangelog
+%else
+# NOTE: This changelog will be visible on CentOS 8 Stream builds
+# Other envs are capable of handling autochangelog
+* Tue Jun 13 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Placeholder changelog for envs that are not autochangelog-ready.
+- Contact upstream if you need to report an issue with the build.
+%endif
--- a/systemtest/010-inspect.bats
+++ b/systemtest/010-inspect.bats
@@ -32,7 +32,8 @@ load helpers
    config_digest=$(jq -r '.config.digest' <<<"$inspect_local_raw")

    # Each SHA-named layer file (but not the config) must be listed in the output of 'inspect'.
-    # As of Skopeo 1.6, (skopeo inspect)'s output lists layer digests,
+    # In all existing versions of Skopeo (with 1.6 being the current as of this comment),
+    # the output of 'inspect' lists layer digests,
    # but not the digest of the config blob ($config_digest), if any.
    layers=$(jq -r '.Layers' <<<"$inspect_local")
    for sha in $(find $workdir -type f | xargs -l1 basename | egrep '^[0-9a-f]{64}$'); do
@@ -94,10 +95,11 @@ END_EXPECT
    # is created by the make-noarch-manifest script in this directory.
    img=docker://quay.io/libpod/notmyarch:20210121

-    # Get our host arch (what we're running on). This assumes that skopeo
-    # arch matches podman; it also assumes running podman >= April 2020
-    # (prior to that, the format keys were lower-case).
-    arch=$(podman info --format '{{.Host.Arch}}')
+    # Get our host golang arch (what we're running on, according to golang).
+    # This assumes that skopeo arch matches host arch (which it always should).
+    # Buildah is used here because it depends less on the exact system config
+    # than podman - and all we're really after is the golang-flavored arch name.
+    arch=$(go env GOARCH)

    # By default, 'inspect' tries to match our host os+arch. This should fail.
    run_skopeo 1 inspect $img
--- a/systemtest/020-copy.bats
+++ b/systemtest/020-copy.bats
@@ -50,7 +50,7 @@ function setup() {

    local dir=$TESTDIR/dir

-    run_skopeo copy --dest-compress --dest-compress-format=zstd $remote_image oci:$dir:latest
+    run_skopeo copy --dest-compress-format=zstd $remote_image oci:$dir:latest

    # zstd magic number
    local magic=$(printf "\x28\xb5\x2f\xfd")
--- a/systemtest/040-local-registry-auth.bats
+++ b/systemtest/040-local-registry-auth.bats
@@ -8,38 +8,41 @@ load helpers
 function setup() {
    standard_setup

-    # Remove old/stale cred file
-    _cred_dir=$TESTDIR/credentials
-    export XDG_RUNTIME_DIR=$_cred_dir
-    mkdir -p $_cred_dir/containers
-    rm -f $_cred_dir/containers/auth.json
-
    # Start authenticated registry with random password
    testuser=testuser
    testpassword=$(random_string 15)

    start_registry --testuser=$testuser --testpassword=$testpassword --enable-delete=true reg
+
+    _cred_dir=$TESTDIR/credentials
+    # It is important to change XDG_RUNTIME_DIR only after we start the registry, otherwise it affects the path of $XDG_RUNTIME_DIR/netns maintained by Podman,
+    # making it impossible to clean up after ourselves.
+    export XDG_RUNTIME_DIR_OLD=$XDG_RUNTIME_DIR
+    export XDG_RUNTIME_DIR=$_cred_dir
+    mkdir -p $_cred_dir/containers
+    # Remove old/stale cred file
+    rm -f $_cred_dir/containers/auth.json
 }

@test "auth: credentials on command line" {
    # No creds
    run_skopeo 1 inspect --tls-verify=false docker://localhost:5000/nonesuch
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"

    # Wrong user
    run_skopeo 1 inspect --tls-verify=false --creds=baduser:badpassword \
               docker://localhost:5000/nonesuch
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"

    # Wrong password
    run_skopeo 1 inspect --tls-verify=false --creds=$testuser:badpassword \
               docker://localhost:5000/nonesuch
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"

    # Correct creds, but no such image
    run_skopeo 1 inspect --tls-verify=false --creds=$testuser:$testpassword \
               docker://localhost:5000/nonesuch
-    expect_output --substring "manifest unknown: manifest unknown"
+    expect_output --substring "manifest unknown"

    # These should pass
    run_skopeo copy --dest-tls-verify=false --dcreds=$testuser:$testpassword \
@@ -64,7 +67,7 @@ function setup() {
    podman logout localhost:5000

    run_skopeo 1 inspect --tls-verify=false docker://localhost:5000/busybox:mine
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"
 }

@test "auth: copy with --src-creds and --dest-creds" {
@@ -94,7 +97,7 @@ function setup() {

    # inspect without authfile: should fail
    run_skopeo 1 inspect --tls-verify=false docker://localhost:5000/busybox:mine
-    expect_output --substring "unauthorized: authentication required"
+    expect_output --substring "authentication required"

    # inspect with authfile: should work
    run_skopeo inspect --tls-verify=false --authfile $TESTDIR/test.auth docker://localhost:5000/busybox:mine
@@ -109,6 +112,9 @@ function setup() {
 }

 teardown() {
+    # Need to restore XDG_RUNTIME_DIR.
+    XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR_OLD
+
    podman rm -f reg

    if [[ -n $_cred_dir ]]; then
--- a/systemtest/050-signing.bats
+++ b/systemtest/050-signing.bats
@@ -242,7 +242,7 @@ END_TESTS
               $fingerprint \
               $TESTDIR/busybox.signature
    # manifest digest
-    digest=$(echo "$output" | awk '{print $4;}')
+    digest=$(echo "$output" | awk '{print $NF;}')
    run_skopeo manifest-digest $TESTDIR/busybox/manifest.json
    expect_output $digest
 }
--- a/systemtest/070-list-tags.bats
+++ b/systemtest/070-list-tags.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+#
+# list-tags tests
+#
+
+load helpers
+
+# list from registry
+@test "list-tags: remote repository on a registry" {
+    local remote_image=quay.io/libpod/alpine_labels
+
+    run_skopeo list-tags "docker://${remote_image}"
+    expect_output --substring "quay.io/libpod/alpine_labels"
+    expect_output --substring "latest"
+}
+
+# list from a local docker-archive file
+@test "list-tags: from a docker-archive file" {
+    local file_name=${TEST_SOURCE_DIR}/testdata/docker-two-images.tar.xz
+
+    run_skopeo list-tags docker-archive:$file_name
+    expect_output --substring "example.com/empty:latest"
+    expect_output --substring "example.com/empty/but:different"
+
+}
+
+
+# vim: filetype=sh
--- a/systemtest/080-sync.bats
+++ b/systemtest/080-sync.bats
@@ -0,0 +1,26 @@
+#!/usr/bin/env bats
+#
+# Sync tests
+#
+
+load helpers
+
+function setup() {
+    standard_setup
+}
+
+@test "sync: --dry-run" {
+    local remote_image=quay.io/libpod/busybox:latest
+    local dir=$TESTDIR/dir
+
+    run_skopeo sync --dry-run --src docker --dest dir --scoped $remote_image $dir
+    expect_output --substring "Would have copied image"
+    expect_output --substring "from=\"docker://${remote_image}\" to=\"dir:${dir}/${remote_image}\""
+    expect_output --substring "Would have synced 1 images from 1 sources"
+}
+
+teardown() {
+    standard_teardown
+}
+
+# vim: filetype=sh
--- a/Show More
+++ b/Show More