bump to v0.1.20

- support image-spec v1.0.0-rc5

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

.gitignore

@@ -1,2 +1,3 @@
-skopeo
-skopeo.1
+/docs/skopeo.1
+/layers-*
+/skopeo

.travis.yml

@@ -7,5 +7,4 @@ notifications:
   email: false
 
 script:
-  - make validate
-  - make test-integration
+  - make check

CONTRIBUTING.md

@@ -0,0 +1,142 @@
+# Contributing to Skopeo
+
+We'd love to have you join the community! Below summarizes the processes
+that we follow.
+
+## Topics
+
+* [Reporting Issues](#reporting-issues)
+* [Submitting Pull Requests](#submitting-pull-requests)
+* [Communications](#communications)
+* [Becoming a Maintainer](#becoming-a-maintainer)
+
+## Reporting Issues
+
+Before reporting an issue, check our backlog of 
+[open issues](https://github.com/projectatomic/skopeo/issues)
+to see if someone else has already reported it. If so, feel free to add
+your scenario, or additional information, to the discussion. Or simply 
+"subscribe" to it to be notified when it is updated.
+
+If you find a new issue with the project we'd love to hear about it! The most
+important aspect of a bug report is that it includes enough information for
+us to reproduce it. So, please include as much detail as possible and try
+to remove the extra stuff that doesn't really relate to the issue itself.
+The easier it is for us to reproduce it, the faster it'll be fixed!
+
+Please don't include any private/sensitive information in your issue!
+
+## Submitting Pull Requests
+
+No Pull Request (PR) is too small! Typos, additional comments in the code,
+new testcases, bug fixes, new features, more documentation, ... it's all 
+welcome!
+
+While bug fixes can first be identified via an "issue", that is not required.
+It's ok to just open up a PR with the fix, but make sure you include the same
+information you would have included in an issue - like how to reproduce it.
+
+PRs for new features should include some background on what use cases the
+new code is trying to address. And, when possible and it makes, try to break-up
+larger PRs into smaller ones - it's easier to review smaller
+code changes. But, only if those smaller ones make sense as stand-alone PRs.
+
+Regardless of the type of PR, all PRs should include:
+* well documented code changes
+* additional testcases. Ideally, they should fail w/o your code change applied
+* documentation changes
+
+Squash your commits into logical pieces of work that might want to be reviewed
+separate from the rest of the PRs. But, squashing down to just one commit is ok
+too since in the end the entire PR will be reviewed anyway. When in doubt, 
+squash.
+
+PRs that fix issues should include a reference like `Closes #XXXX` in the
+commit message so that github will automatically close the referenced issue
+when the PR is merged.
+
+<!--
+All PRs require at least two LGTMs (Looks Good To Me) from maintainers.
+-->
+
+### Sign your PRs
+
+The sign-off is a line at the end of the explanation for the patch. Your
+signature certifies that you wrote the patch or otherwise have the right to pass
+it on as an open-source patch. The rules are simple: if you can certify
+the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use your real name (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+## Communications
+
+For general questions, or dicsussions, please use the 
+IRC group on `irc.freenode.net` called `container-projects`
+that has been setup.
+
+For discussions around issues/bugs and features, you can use the github
+[issues](https://github.com/projectatomic/skopeo/issues)
+and
+[PRs](https://github.com/projectatomic/skopeo/pulls)
+tracking system.
+
+<!--
+## Becoming a Maintainer
+
+To become a maintainer you must first be nominated by an existing maintainer.
+If a majority (>50%) of maintainers agree then the proposal is adopted and
+you will be added to the list.
+
+Removing a maintainer requires at least 75% of the remaining maintainers
+approval, or if the person requests to be removed then it is automatic.
+Normally, a maintainer will only be removed if they are considered to be
+inactive for a long period of time or are viewed as disruptive to the community.
+
+The current list of maintainers can be found in the 
+[MAINTAINERS](MAINTAINERS) file.
+-->

Dockerfile

@@ -1,6 +1,12 @@
 FROM fedora
 
 RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-go-md2man \
+	# storage deps
+	btrfs-progs-devel \
+	device-mapper-devel \
+	# gpgme bindings deps
+	libassuan-devel gpgme-devel \
+	gnupg \
 	# registry v1 deps
 	xz-devel \
 	python-devel \
@@ -37,9 +43,19 @@ RUN set -x \
 		< "$DRV1/contrib/boto_header_patch.diff" \
 	&& dnf -y update && dnf install -y m2crypto
 
-ENV GOPATH /usr/share/gocode:/go
-WORKDIR /go/src/github.com/runcom/skopeo
+RUN set -x \
+	&& yum install -y which git tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
+	&& export GOPATH=$(mktemp -d) \
+	&& git clone -b v1.5.0-alpha.3 git://github.com/openshift/origin "$GOPATH/src/github.com/openshift/origin" \
+	&& (cd "$GOPATH/src/github.com/openshift/origin" && make clean build && make all WHAT=cmd/dockerregistry) \
+	&& cp -a "$GOPATH/src/github.com/openshift/origin/_output/local/bin/linux"/*/* /usr/local/bin \
+	&& cp "$GOPATH/src/github.com/openshift/origin/images/dockerregistry/config.yml" /atomic-registry-config.yml \
+	&& mkdir /registry
 
-COPY . /go/src/github.com/runcom/skopeo
+ENV GOPATH /usr/share/gocode:/go
+ENV PATH $GOPATH/bin:/usr/share/gocode/bin:$PATH
+RUN go get github.com/golang/lint/golint
+WORKDIR /go/src/github.com/projectatomic/skopeo
+COPY . /go/src/github.com/projectatomic/skopeo
 
 #ENTRYPOINT ["hack/dind"]

Dockerfile.build

@@ -0,0 +1,5 @@
+FROM ubuntu:16.04
+RUN apt-get update
+RUN apt-get install -y golang btrfs-tools git-core libdevmapper-dev libgpgme11-dev go-md2man
+ENV GOPATH=/
+WORKDIR /src/github.com/projectatomic/skopeo

LICENSE

@@ -1,7 +1,7 @@
 
                                  Apache License
                            Version 2.0, January 2004
-                        http://www.apache.org/licenses/
+                        https://www.apache.org/licenses/
 
    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
@@ -176,13 +176,11 @@
 
    END OF TERMS AND CONDITIONS
 
-   Copyright 2016 Antonio Murdaca <runcom@redhat.com>
-
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at
 
-       http://www.apache.org/licenses/LICENSE-2.0
+       https://www.apache.org/licenses/LICENSE-2.0
 
    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,

Makefile

@@ -1,10 +1,19 @@
-.PHONY: all binary build clean install install-binary man shell test-integration
+.PHONY: all binary build-container build-local clean install install-binary install-completions shell test-integration
 
 export GO15VENDOREXPERIMENT=1
 
 PREFIX ?= ${DESTDIR}/usr
 INSTALLDIR=${PREFIX}/bin
 MANINSTALLDIR=${PREFIX}/share/man
+CONTAINERSSYSCONFIGDIR=${DESTDIR}/etc/containers
+REGISTRIESDDIR=${CONTAINERSSYSCONFIGDIR}/registries.d
+SIGSTOREDIR=${DESTDIR}/var/lib/atomic/sigstore
+BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
+GO_MD2MAN ?= go-md2man
+
+ifeq ($(DEBUG), 1)
+  override GOGCFLAGS += -N -l
+endif
 
 GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
 DOCKER_IMAGE := skopeo-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
@@ -19,33 +28,87 @@ ifeq ($(INTERACTIVE), 1)
 endif
 DOCKER_RUN_DOCKER := $(DOCKER_FLAGS) "$(DOCKER_IMAGE)"
 
-all: man binary
+GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null || true)
 
-binary:
-	go build -o ${DEST}skopeo .
+MANPAGES_MD = $(wildcard docs/*.md)
+
+BTRFS_BUILD_TAG = $(shell hack/btrfs_tag.sh)
+LIBDM_BUILD_TAG = $(shell hack/libdm_tag.sh)
+LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBDM_BUILD_TAG)
+BUILDTAGS += $(LOCAL_BUILD_TAGS)
+
+#   make all DEBUG=1
+#     Note: Uses the -N -l go compiler options to disable compiler optimizations
+#           and inlining. Using these build options allows you to subsequently
+#           use source debugging tools like delve.
+all: binary docs
+
+# Build a docker image (skopeobuild) that has everything we need to build.
+# Then do the build and the output (skopeo) should appear in current dir
+binary: cmd/skopeo
+	docker build ${DOCKER_BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
+	docker run --rm --security-opt label:disable -v $$(pwd):/src/github.com/projectatomic/skopeo \
+		skopeobuildimage make binary-local $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'
+
+binary-static: cmd/skopeo
+	docker build ${DOCKER_BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
+	docker run --rm --security-opt label:disable -v $$(pwd):/src/github.com/projectatomic/skopeo \
+		skopeobuildimage make binary-local-static $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'
+
+# Build w/o using Docker containers
+binary-local:
+	go build -ldflags "-X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo
+
+binary-local-static:
+	go build -ldflags "-extldflags \"-static\" -X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo
 
 build-container:
 	docker build ${DOCKER_BUILD_ARGS} -t "$(DOCKER_IMAGE)" .
 
+docs/%.1: docs/%.1.md
+	$(GO_MD2MAN) -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@
+
+.PHONY: docs
+docs: $(MANPAGES_MD:%.md=%)
+
 clean:
-	rm -f skopeo
-	rm -f skopeo.1
+	rm -f skopeo docs/*.1
 
-install: install-binary
-	install -m 644 skopeo.1 ${MANINSTALLDIR}/man1/
+install: install-binary install-docs install-completions
+	install -d -m 755 ${SIGSTOREDIR}
+	install -D -m 644 default-policy.json ${CONTAINERSSYSCONFIGDIR}/policy.json
+	install -D -m 644 default.yaml ${REGISTRIESDDIR}/default.yaml
 
-install-binary:
-	install -d -m 0755 ${INSTALLDIR}
-	install -m 755 skopeo ${INSTALLDIR}
+install-binary: ./skopeo
+	install -D -m 755 skopeo ${INSTALLDIR}/skopeo
 
-man:
-	go-md2man -in man/skopeo.1.md -out skopeo.1
+install-docs: docs/skopeo.1
+	install -D -m 644 docs/skopeo.1 ${MANINSTALLDIR}/man1/skopeo.1
+
+install-completions:
+	install -m 644 -D completions/bash/skopeo ${BASHINSTALLDIR}/skopeo
 
 shell: build-container
 	$(DOCKER_RUN_DOCKER) bash
 
+check: validate test-unit test-integration
+
+# The tests can run out of entropy and block in containers, so replace /dev/random.
 test-integration: build-container
-	$(DOCKER_RUN_DOCKER) hack/make.sh test-integration
+	$(DOCKER_RUN_DOCKER) bash -c 'rm -f /dev/random; ln -sf /dev/urandom /dev/random; SKOPEO_CONTAINER_TESTS=1 BUILDTAGS="$(BUILDTAGS)" hack/make.sh test-integration'
+
+test-unit: build-container
+	# Just call (make test unit-local) here instead of worrying about environment differences, e.g. GO15VENDOREXPERIMENT.
+	$(DOCKER_RUN_DOCKER) make test-unit-local BUILDTAGS='$(BUILDTAGS)'
 
 validate: build-container
 	$(DOCKER_RUN_DOCKER) hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+
+# This target is only intended for development, e.g. executing it from an IDE. Use (make test) for CI or pre-release testing.
+test-all-local: validate-local test-unit-local
+
+validate-local:
+	hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+
+test-unit-local:
+	go test -tags "$(BUILDTAGS)" $$(go list -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/projectatomic/skopeo/\(integration\|vendor/.*\)$$')

README.md

@@ -1,55 +1,75 @@
-skopeo [![Build Status](https://travis-ci.org/runcom/skopeo.svg?branch=master)](https://travis-ci.org/runcom/skopeo)
+skopeo [![Build Status](https://travis-ci.org/projectatomic/skopeo.svg?branch=master)](https://travis-ci.org/projectatomic/skopeo)
 =
 
-_Please be aware `skopeo` is still work in progress_
+_Please be aware `skopeo` is still work in progress and it currently supports only registry API V2_
 
-`skopeo` is a command line utility which is able to _inspect_ a repository on a Docker registry.
+`skopeo` is a command line utility for various operations on container images and image repositories.
+
+Inspecting a repository
+-
+`skopeo` is able to _inspect_ a repository on a Docker registry and fetch images layers.
 By _inspect_ I mean it fetches the repository's manifest and it is able to show you a `docker inspect`-like
 json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about
 a repository or a tag before pulling it (using disk space) - e.g. - which tags are available for the given repository? which labels the image has?
 
 Examples:
 ```sh
-# show repository's labels of rhel7:latest
-$ skopeo registry.access.redhat.com/rhel7 | jq '.Config.Labels'
+# show properties of fedora:latest
+$ skopeo inspect docker://docker.io/fedora
 {
-  "Architecture": "x86_64",
-  "Authoritative_Registry": "registry.access.redhat.com",
-  "BZComponent": "rhel-server-docker",
-  "Build_Host": "rcm-img04.build.eng.bos.redhat.com",
-  "Name": "rhel7/rhel",
-  "Release": "38",
-  "Vendor": "Red Hat, Inc.",
-  "Version": "7.2"
+    "Name": "docker.io/library/fedora",
+    "Tag": "latest",
+    "Digest": "sha256:cfd8f071bf8da7a466748f522406f7ae5908d002af1b1a1c0dcf893e183e5b32",
+    "RepoTags": [
+        "20",
+        "21",
+        "22",
+        "23",
+        "heisenbug",
+        "latest",
+        "rawhide"
+    ],
+    "Created": "2016-03-04T18:40:02.92155334Z",
+    "DockerVersion": "1.9.1",
+    "Labels": {},
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:236608c7b546e2f4e7223526c74fc71470ba06d46ec82aeb402e704bfdee02a2",
+        "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+    ]
 }
 
-# show repository's tags
-$ skopeo docker.io/fedora | jq '.RepoTags'
-[
-  "20",
-  "21",
-  "22",
-  "23",
-  "heisenbug",
-  "latest",
-  "rawhide"
-]
-
-# show image's digest
-$ skopeo docker.io/fedora:rawhide | jq '.Digest'
+# show unverifed image's digest
+$ skopeo inspect docker://docker.io/fedora:rawhide | jq '.Digest'
 "sha256:905b4846938c8aef94f52f3e41a11398ae5b40f5855fb0e40ed9c157e721d7f8"
 ```
 
+Copying images
+-
+`skopeo` can copy container images between various storage mechanisms,
+e.g. Docker registries (including the Docker Hub), the Atomic Registry,
+local directories, and local OCI-layout directories:
+
+```sh
+$ skopeo copy docker://busybox:1-glibc atomic:myns/unsigned:streaming
+$ skopeo copy docker://busybox:latest dir:existingemptydirectory
+$ skopeo copy docker://busybox:latest oci:busybox_ocilayout
+```
+
+Deleting images
+-
+For example,
+```sh
+$ skopeo delete docker://localhost:5000/imagename:latest
+```
+
 Private registries with authentication
 -
-When interacting with private registries, `skopeo` first looks for the Docker's cli config file (usually located at `$HOME/.docker/config.json`) to get the credentials needed to authenticate. When the file isn't available it falls back looking for `--username` and `--password` flags. The ultimate fallback, as Docker does, is to provide an empty authentication when interacting with those registries.
+When interacting with private registries, `skopeo` first looks for `--creds` (for `skopeo inspect|delete`) or `--src-creds|--dest-creds` (for `skopeo copy`) flags. If those aren't provided, it looks for the Docker's cli config file (usually located at `$HOME/.docker/config.json`) to get the credentials needed to authenticate. The ultimate fallback, as Docker does, is to provide an empty authentication when interacting with those registries.
 
 Examples:
 ```sh
-# on my system
-$ skopeo --help | grep docker-cfg
-   --docker-cfg "/home/runcom/.docker"	Docker's cli config for auth
-
 $ cat /home/runcom/.docker/config.json
 {
 	"auths": {
@@ -61,35 +81,47 @@ $ cat /home/runcom/.docker/config.json
 }
 
 # we can see I'm already authenticated via docker login so everything will be fine
-$ skopeo myregistrydomain.com:5000/busybox
+$ skopeo inspect docker://myregistrydomain.com:5000/busybox
 {"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
 
 # let's try now to fake a non existent Docker's config file
-$ skopeo --docker-cfg="" myregistrydomain.com:5000/busybox
-FATA[0000] Get https://myregistrydomain.com:5000/v2/busybox/manifests/latest: no basic auth credentials
+$ cat /home/runcom/.docker/config.json
+{}
 
-# passing --username and --password - we can see that everything goes fine
-$ skopeo --docker-cfg="" --username=testuser --password=testpassword myregistrydomain.com:5000/busybox
+$ skopeo inspect docker://myregistrydomain.com:5000/busybox
+FATA[0000] unauthorized: authentication required
+
+# passing --creds - we can see that everything goes fine
+$ skopeo inspect --creds=testuser:testpassword docker://myregistrydomain.com:5000/busybox
 {"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
+
+# skopeo copy example:
+$ skopeo copy --src-creds=testuser:testpassword docker://myregistrydomain.com:5000/private oci:local_oci_image
 ```
 If your cli config is found but it doesn't contain the necessary credentials for the queried registry
-you'll get an error. You can fix this by either logging in (via `docker login`) or providing `--username`
-and `--password`.
+you'll get an error. You can fix this by either logging in (via `docker login`) or providing `--creds` or `--src-creds|--dest-creds`.
+
 Building
 -
-To build `skopeo` you need at least Go 1.5 because it uses the latest `GO15VENDOREXPERIMENT` flag. Also, make sure to clone the repository in your `GOPATH` - otherwise compilation fails.
+To build the manual you will need go-md2man.
 ```sh
-$ cd $GOPATH/src
-$ mkdir -p github.com/runcom
-$ cd runcom
-$ git clone https://github.com/runcom/skopeo
-$ cd skopeo && make binary
+$ sudo apt-get install go-md2man
 ```
-Man:
--
-To build the man page you need [`go-md2man`](https://github.com/cpuguy83/go-md2man) available on your system, then:
+To build the `skopeo` binary you need at least Go 1.5 because it uses the latest `GO15VENDOREXPERIMENT` flag. Also, make sure to clone the repository in your `GOPATH` - otherwise compilation fails.  
+```sh
+$ git clone https://github.com/projectatomic/skopeo $GOPATH/src/github.com/projectatomic/skopeo
+$ cd $GOPATH/src/github.com/projectatomic/skopeo && make all
 ```
-$ make man
+
+To build localy on OSX:
+```sh
+$ brew install gpgme
+$ make binary-local
+```
+
+You may need to install additional development packages: `gpgme-devel` and `libassuan-devel`
+```sh
+$ dnf install gpgme-devel libassuan-devel
 ```
 Installing
 -
@@ -101,18 +133,11 @@ $ sudo make install
 ```sh
 sudo dnf install skopeo
 ```
-Tests
--
-_You need Docker installed on your system in order to run the test suite_
-```sh
-$ make test-integration
-```
 TODO
 -
-- make skopeo docker registry v2 only
-- output raw manifest
-- download layers and support docker load tar(s)
-- get rid of docker/docker code (?)
+- list all images on registry?
+- registry v2 search?
+- support output to docker load tar(s)
 - show repo tags via flag or when reference isn't tagged or digested
 - add tests (integration with deployed registries in container - Docker-like)
 - support rkt/appc image spec
@@ -121,6 +146,29 @@ NOT TODO
 -
 - provide a _format_ flag - just use the awesome [jq](https://stedolan.github.io/jq/)
 
+CONTRIBUTING
+-
+
+### Dependencies management
+
+`skopeo` uses [`vndr`](https://github.com/LK4D4/vndr) for dependencies management.
+
+In order to add a new dependency to this project:
+
+- add a new line to `vendor.conf` according to `vndr` rules (e.g. `github.com/pkg/errors master`)
+- run `vndr github.com/pkg/errors`
+
+In order to update an existing dependency:
+
+- update the relevant dependency line in `vendor.conf`
+- run `vndr github.com/pkg/errors`
+
+In order to test out new PRs from [containers/image](https://github.com/containers/image) to not break `skopeo`:
+
+- update `vendor.conf`. Find out the `containers/image` dependency; update it to vendor from your own branch and your own repository fork (e.g. `github.com/containers/image my-branch https://github.com/runcom/image`)
+- run `vndr github.com/containers/image`
+
 License
 -
-ASL 2.0
+skopeo is licensed under the Apache License, Version 2.0. See
+[LICENSE](LICENSE) for the full license text.

cmd/skopeo/cgo_pthread_ordering_workaround.go

@@ -0,0 +1,32 @@
+package main
+
+/*
+This is a pretty horrible workaround.  Due to a glibc bug
+https://bugzilla.redhat.com/show_bug.cgi?id=1326903 , we must ensure we link
+with -lgpgme before -lpthread.  Such arguments come from various packages
+using cgo, and the ordering of these arguments is, with current (go tool link),
+dependent on the order in which the cgo-using packages are found in a
+breadth-first search following dependencies, starting from “main”.
+
+Thus, if
+   import "net"
+is processed before
+   import "…/skopeo/signature"
+it will, in the next level of the BFS, pull in "runtime/cgo" (a dependency of
+"net") before "mtrmac/gpgme" (a dependency of "…/skopeo/signature"), causing
+-lpthread (used by "runtime/cgo") to be used before -lgpgme.
+
+This might be possible to work around by careful import ordering, or by removing
+a direct dependency on "net", but that would be very fragile.
+
+So, until the above bug is fixed, add -lgpgme directly in the "main" package
+to ensure the needed build order.
+
+Unfortunately, this workaround needs to be applied at the top level of any user
+of "…/skopeo/signature"; it cannot be added to "…/skopeo/signature" itself,
+by that time this package is first processed by the linker, a -lpthread may
+already be queued and it would be too late.
+*/
+
+// #cgo LDFLAGS: -lgpgme
+import "C"

cmd/skopeo/copy.go

@@ -0,0 +1,114 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/containers/image/copy"
+	"github.com/containers/image/transports/alltransports"
+	"github.com/containers/image/types"
+	"github.com/urfave/cli"
+)
+
+// contextsFromGlobalOptions returns source and destionation types.SystemContext depending on c.
+func contextsFromGlobalOptions(c *cli.Context) (*types.SystemContext, *types.SystemContext, error) {
+	sourceCtx, err := contextFromGlobalOptions(c, "src-")
+	if err != nil {
+		return nil, nil, err
+	}
+
+	destinationCtx, err := contextFromGlobalOptions(c, "dest-")
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return sourceCtx, destinationCtx, nil
+}
+
+func copyHandler(context *cli.Context) error {
+	if len(context.Args()) != 2 {
+		return errors.New("Usage: copy source destination")
+	}
+
+	policyContext, err := getPolicyContext(context)
+	if err != nil {
+		return fmt.Errorf("Error loading trust policy: %v", err)
+	}
+	defer policyContext.Destroy()
+
+	srcRef, err := alltransports.ParseImageName(context.Args()[0])
+	if err != nil {
+		return fmt.Errorf("Invalid source name %s: %v", context.Args()[0], err)
+	}
+	destRef, err := alltransports.ParseImageName(context.Args()[1])
+	if err != nil {
+		return fmt.Errorf("Invalid destination name %s: %v", context.Args()[1], err)
+	}
+	signBy := context.String("sign-by")
+	removeSignatures := context.Bool("remove-signatures")
+
+	sourceCtx, destinationCtx, err := contextsFromGlobalOptions(context)
+	if err != nil {
+		return err
+	}
+
+	return copy.Image(policyContext, destRef, srcRef, &copy.Options{
+		RemoveSignatures: removeSignatures,
+		SignBy:           signBy,
+		ReportWriter:     os.Stdout,
+		SourceCtx:        sourceCtx,
+		DestinationCtx:   destinationCtx,
+	})
+}
+
+var copyCmd = cli.Command{
+	Name:      "copy",
+	Usage:     "Copy an image from one location to another",
+	ArgsUsage: "SOURCE-IMAGE DESTINATION-IMAGE",
+	Action:    copyHandler,
+	// FIXME: Do we need to namespace the GPG aspect?
+	Flags: []cli.Flag{
+		cli.BoolFlag{
+			Name:  "remove-signatures",
+			Usage: "Do not copy signatures from SOURCE-IMAGE",
+		},
+		cli.StringFlag{
+			Name:  "sign-by",
+			Usage: "Sign the image using a GPG key with the specified `FINGERPRINT`",
+		},
+		cli.StringFlag{
+			Name:  "src-creds, screds",
+			Value: "",
+			Usage: "Use `USERNAME[:PASSWORD]` for accessing the source registry",
+		},
+		cli.StringFlag{
+			Name:  "dest-creds, dcreds",
+			Value: "",
+			Usage: "Use `USERNAME[:PASSWORD]` for accessing the destination registry",
+		},
+		cli.StringFlag{
+			Name:  "src-cert-dir",
+			Value: "",
+			Usage: "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the source registry",
+		},
+		cli.BoolTFlag{
+			Name:  "src-tls-verify",
+			Usage: "require HTTPS and verify certificates when talking to the docker source registry (defaults to true)",
+		},
+		cli.StringFlag{
+			Name:  "dest-cert-dir",
+			Value: "",
+			Usage: "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the destination registry",
+		},
+		cli.BoolTFlag{
+			Name:  "dest-tls-verify",
+			Usage: "require HTTPS and verify certificates when talking to the docker destination registry (defaults to true)",
+		},
+		cli.StringFlag{
+			Name:  "dest-ostree-tmp-dir",
+			Value: "",
+			Usage: "`DIRECTORY` to use for OSTree temporary files",
+		},
+	},
+}

cmd/skopeo/delete.go

@@ -0,0 +1,52 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/containers/image/transports/alltransports"
+	"github.com/urfave/cli"
+)
+
+func deleteHandler(context *cli.Context) error {
+	if len(context.Args()) != 1 {
+		return errors.New("Usage: delete imageReference")
+	}
+
+	ref, err := alltransports.ParseImageName(context.Args()[0])
+	if err != nil {
+		return fmt.Errorf("Invalid source name %s: %v", context.Args()[0], err)
+	}
+
+	ctx, err := contextFromGlobalOptions(context, "")
+	if err != nil {
+		return err
+	}
+	if err := ref.DeleteImage(ctx); err != nil {
+		return err
+	}
+	return nil
+}
+
+var deleteCmd = cli.Command{
+	Name:      "delete",
+	Usage:     "Delete image IMAGE-NAME",
+	ArgsUsage: "IMAGE-NAME",
+	Action:    deleteHandler,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "creds",
+			Value: "",
+			Usage: "Use `USERNAME[:PASSWORD]` for accessing the registry",
+		},
+		cli.StringFlag{
+			Name:  "cert-dir",
+			Value: "",
+			Usage: "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry",
+		},
+		cli.BoolTFlag{
+			Name:  "tls-verify",
+			Usage: "require HTTPS and verify certificates when talking to docker registries (defaults to true)",
+		},
+	},
+}

cmd/skopeo/fixtures/.gitignore

@@ -0,0 +1,4 @@
+/*.gpg~
+/.gpg-v21-migrated
+/private-keys-v1.d
+/random_seed

cmd/skopeo/fixtures/image.manifest.json

@@ -0,0 +1,26 @@
+{
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "config": {
+        "mediaType": "application/vnd.docker.container.image.v1+json",
+        "size": 7023,
+        "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
+    },
+    "layers": [
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 32654,
+            "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 16724,
+            "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 73109,
+            "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
+        }
+    ]
+}

cmd/skopeo/fixtures/v2s1-invalid-signatures.manifest.json

@@ -0,0 +1,11 @@
+{
+   "schemaVersion": 1,
+   "name": "mitr/buxybox",
+   "tag": "latest",
+   "architecture": "amd64",
+   "fsLayers": [
+   ],
+   "history": [
+   ],
+   "signatures": 1
+}

cmd/skopeo/inspect.go

@@ -0,0 +1,118 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/docker"
+	"github.com/containers/image/manifest"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/urfave/cli"
+)
+
+// inspectOutput is the output format of (skopeo inspect), primarily so that we can format it with a simple json.MarshalIndent.
+type inspectOutput struct {
+	Name          string `json:",omitempty"`
+	Tag           string `json:",omitempty"`
+	Digest        digest.Digest
+	RepoTags      []string
+	Created       time.Time
+	DockerVersion string
+	Labels        map[string]string
+	Architecture  string
+	Os            string
+	Layers        []string
+}
+
+var inspectCmd = cli.Command{
+	Name:      "inspect",
+	Usage:     "Inspect image IMAGE-NAME",
+	ArgsUsage: "IMAGE-NAME",
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "cert-dir",
+			Value: "",
+			Usage: "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry",
+		},
+		cli.BoolTFlag{
+			Name:  "tls-verify",
+			Usage: "require HTTPS and verify certificates when talking to docker registries (defaults to true)",
+		},
+		cli.BoolFlag{
+			Name:  "raw",
+			Usage: "output raw manifest",
+		},
+		cli.StringFlag{
+			Name:  "creds",
+			Value: "",
+			Usage: "Use `USERNAME[:PASSWORD]` for accessing the registry",
+		},
+	},
+	Action: func(c *cli.Context) (retErr error) {
+		img, err := parseImage(c)
+		if err != nil {
+			return err
+		}
+
+		defer func() {
+			if err := img.Close(); err != nil {
+				retErr = errors.Wrapf(retErr, fmt.Sprintf("(could not close image: %v) ", err))
+			}
+		}()
+
+		rawManifest, _, err := img.Manifest()
+		if err != nil {
+			return err
+		}
+		if c.Bool("raw") {
+			_, err := c.App.Writer.Write(rawManifest)
+			if err != nil {
+				return fmt.Errorf("Error writing manifest to standard output: %v", err)
+			}
+			return nil
+		}
+		imgInspect, err := img.Inspect()
+		if err != nil {
+			return err
+		}
+		outputData := inspectOutput{
+			Name: "", // Possibly overridden for a docker.Image.
+			Tag:  imgInspect.Tag,
+			// Digest is set below.
+			RepoTags:      []string{}, // Possibly overriden for a docker.Image.
+			Created:       imgInspect.Created,
+			DockerVersion: imgInspect.DockerVersion,
+			Labels:        imgInspect.Labels,
+			Architecture:  imgInspect.Architecture,
+			Os:            imgInspect.Os,
+			Layers:        imgInspect.Layers,
+		}
+		outputData.Digest, err = manifest.Digest(rawManifest)
+		if err != nil {
+			return fmt.Errorf("Error computing manifest digest: %v", err)
+		}
+		if dockerImg, ok := img.(*docker.Image); ok {
+			outputData.Name = dockerImg.SourceRefFullName()
+			outputData.RepoTags, err = dockerImg.GetRepositoryTags()
+			if err != nil {
+				// some registries may decide to block the "list all tags" endpoint
+				// gracefully allow the inspect to continue in this case. Currently
+				// the IBM Bluemix container registry has this restriction.
+				if !strings.Contains(err.Error(), "401") {
+					return fmt.Errorf("Error determining repository tags: %v", err)
+				}
+				logrus.Warnf("Registry disallows tag list retrieval; skipping")
+			}
+		}
+		out, err := json.MarshalIndent(outputData, "", "    ")
+		if err != nil {
+			return err
+		}
+		fmt.Fprintln(c.App.Writer, string(out))
+		return nil
+	},
+}

cmd/skopeo/layers.go

@@ -0,0 +1,124 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/containers/image/directory"
+	"github.com/containers/image/image"
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/urfave/cli"
+)
+
+var layersCmd = cli.Command{
+	Name:      "layers",
+	Usage:     "Get layers of IMAGE-NAME",
+	ArgsUsage: "IMAGE-NAME [LAYER...]",
+	Hidden:    true,
+	Action: func(c *cli.Context) (retErr error) {
+		fmt.Fprintln(os.Stderr, `DEPRECATED: skopeo layers is deprecated in favor of skopeo copy`)
+		if c.NArg() == 0 {
+			return errors.New("Usage: layers imageReference [layer...]")
+		}
+		rawSource, err := parseImageSource(c, c.Args()[0], []string{
+			// TODO: skopeo layers only supports these now
+			// eventually we'll remove this command altogether...
+			manifest.DockerV2Schema1SignedMediaType,
+			manifest.DockerV2Schema1MediaType,
+		})
+		if err != nil {
+			return err
+		}
+		src, err := image.FromSource(rawSource)
+		if err != nil {
+			if closeErr := rawSource.Close(); closeErr != nil {
+				return errors.Wrapf(err, " (close error: %v)", closeErr)
+			}
+
+			return err
+		}
+		defer func() {
+			if err := src.Close(); err != nil {
+				retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			}
+		}()
+
+		var blobDigests []digest.Digest
+		for _, dString := range c.Args().Tail() {
+			if !strings.HasPrefix(dString, "sha256:") {
+				dString = "sha256:" + dString
+			}
+			d, err := digest.Parse(dString)
+			if err != nil {
+				return err
+			}
+			blobDigests = append(blobDigests, d)
+		}
+
+		if len(blobDigests) == 0 {
+			layers := src.LayerInfos()
+			seenLayers := map[digest.Digest]struct{}{}
+			for _, info := range layers {
+				if _, ok := seenLayers[info.Digest]; !ok {
+					blobDigests = append(blobDigests, info.Digest)
+					seenLayers[info.Digest] = struct{}{}
+				}
+			}
+			configInfo := src.ConfigInfo()
+			if configInfo.Digest != "" {
+				blobDigests = append(blobDigests, configInfo.Digest)
+			}
+		}
+
+		tmpDir, err := ioutil.TempDir(".", "layers-")
+		if err != nil {
+			return err
+		}
+		tmpDirRef, err := directory.NewReference(tmpDir)
+		if err != nil {
+			return err
+		}
+		dest, err := tmpDirRef.NewImageDestination(nil)
+		if err != nil {
+			return err
+		}
+
+		defer func() {
+			if err := dest.Close(); err != nil {
+				retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+			}
+		}()
+
+		for _, digest := range blobDigests {
+			r, blobSize, err := rawSource.GetBlob(types.BlobInfo{Digest: digest, Size: -1})
+			if err != nil {
+				return err
+			}
+			if _, err := dest.PutBlob(r, types.BlobInfo{Digest: digest, Size: blobSize}); err != nil {
+				if closeErr := r.Close(); closeErr != nil {
+					return errors.Wrapf(err, " (close error: %v)", closeErr)
+				}
+				return err
+			}
+		}
+
+		manifest, _, err := src.Manifest()
+		if err != nil {
+			return err
+		}
+		if err := dest.PutManifest(manifest); err != nil {
+			return err
+		}
+
+		if err := dest.Commit(); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}

cmd/skopeo/main.go

@@ -0,0 +1,102 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/signature"
+	"github.com/containers/storage/pkg/reexec"
+	"github.com/projectatomic/skopeo/version"
+	"github.com/urfave/cli"
+)
+
+// gitCommit will be the hash that the binary was built from
+// and will be populated by the Makefile
+var gitCommit = ""
+
+// createApp returns a cli.App to be run or tested.
+func createApp() *cli.App {
+	app := cli.NewApp()
+	app.EnableBashCompletion = true
+	app.Name = "skopeo"
+	if gitCommit != "" {
+		app.Version = fmt.Sprintf("%s commit: %s", version.Version, gitCommit)
+	} else {
+		app.Version = version.Version
+	}
+	app.Usage = "Various operations with container images and container image registries"
+	app.Flags = []cli.Flag{
+		cli.BoolFlag{
+			Name:  "debug",
+			Usage: "enable debug output",
+		},
+		cli.BoolTFlag{
+			Name:   "tls-verify",
+			Usage:  "require HTTPS and verify certificates when talking to docker registries (defaults to true)",
+			Hidden: true,
+		},
+		cli.StringFlag{
+			Name:  "policy",
+			Value: "",
+			Usage: "Path to a trust policy file",
+		},
+		cli.BoolFlag{
+			Name:  "insecure-policy",
+			Usage: "run the tool without any policy check",
+		},
+		cli.StringFlag{
+			Name:  "registries.d",
+			Value: "",
+			Usage: "use registry configuration files in `DIR` (e.g. for docker signature storage)",
+		},
+	}
+	app.Before = func(c *cli.Context) error {
+		if c.GlobalBool("debug") {
+			logrus.SetLevel(logrus.DebugLevel)
+		}
+		if c.GlobalIsSet("tls-verify") {
+			logrus.Warn("'--tls-verify' is deprecated, please set this on the specific subcommand")
+		}
+		return nil
+	}
+	app.Commands = []cli.Command{
+		copyCmd,
+		inspectCmd,
+		layersCmd,
+		deleteCmd,
+		manifestDigestCmd,
+		standaloneSignCmd,
+		standaloneVerifyCmd,
+		untrustedSignatureDumpCmd,
+	}
+	return app
+}
+
+func main() {
+	if reexec.Init() {
+		return
+	}
+	app := createApp()
+	if err := app.Run(os.Args); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// getPolicyContext handles the global "policy" flag.
+func getPolicyContext(c *cli.Context) (*signature.PolicyContext, error) {
+	policyPath := c.GlobalString("policy")
+	var policy *signature.Policy // This could be cached across calls, if we had an application context.
+	var err error
+	if c.GlobalBool("insecure-policy") {
+		policy = &signature.Policy{Default: []signature.PolicyRequirement{signature.NewPRInsecureAcceptAnything()}}
+	} else if policyPath == "" {
+		policy, err = signature.DefaultPolicy(nil)
+	} else {
+		policy, err = signature.NewPolicyFromFile(policyPath)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return signature.NewPolicyContext(policy)
+}

cmd/skopeo/main_test.go

@@ -0,0 +1,14 @@
+package main
+
+import "bytes"
+
+// runSkopeo creates an app object and runs it with args, with an implied first "skopeo".
+// Returns output intended for stdout and the returned error, if any.
+func runSkopeo(args ...string) (string, error) {
+	app := createApp()
+	stdout := bytes.Buffer{}
+	app.Writer = &stdout
+	args = append([]string{"skopeo"}, args...)
+	err := app.Run(args)
+	return stdout.String(), err
+}

cmd/skopeo/manifest.go

@@ -0,0 +1,35 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/containers/image/manifest"
+	"github.com/urfave/cli"
+)
+
+func manifestDigest(context *cli.Context) error {
+	if len(context.Args()) != 1 {
+		return errors.New("Usage: skopeo manifest-digest manifest")
+	}
+	manifestPath := context.Args()[0]
+
+	man, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+	}
+	digest, err := manifest.Digest(man)
+	if err != nil {
+		return fmt.Errorf("Error computing digest: %v", err)
+	}
+	fmt.Fprintf(context.App.Writer, "%s\n", digest)
+	return nil
+}
+
+var manifestDigestCmd = cli.Command{
+	Name:      "manifest-digest",
+	Usage:     "Compute a manifest digest of a file",
+	ArgsUsage: "MANIFEST",
+	Action:    manifestDigest,
+}

cmd/skopeo/manifest_test.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestManifestDigest(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+	} {
+		out, err := runSkopeo(append([]string{"manifest-digest"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("manifest-digest", "/this/doesnt/exist")
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error computing manifest
+	out, err = runSkopeo("manifest-digest", "fixtures/v2s1-invalid-signatures.manifest.json")
+	assertTestFailed(t, out, err, "computing digest")
+
+	// Success
+	out, err = runSkopeo("manifest-digest", "fixtures/image.manifest.json")
+	assert.NoError(t, err)
+	assert.Equal(t, fixturesTestImageManifestDigest.String()+"\n", out)
+}

cmd/skopeo/signing.go

@@ -0,0 +1,130 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/containers/image/signature"
+	"github.com/urfave/cli"
+)
+
+func standaloneSign(context *cli.Context) error {
+	outputFile := context.String("output")
+	if len(context.Args()) != 3 || outputFile == "" {
+		return errors.New("Usage: skopeo standalone-sign manifest docker-reference key-fingerprint -o signature")
+	}
+	manifestPath := context.Args()[0]
+	dockerReference := context.Args()[1]
+	fingerprint := context.Args()[2]
+
+	manifest, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading %s: %v", manifestPath, err)
+	}
+
+	mech, err := signature.NewGPGSigningMechanism()
+	if err != nil {
+		return fmt.Errorf("Error initializing GPG: %v", err)
+	}
+	defer mech.Close()
+	signature, err := signature.SignDockerManifest(manifest, dockerReference, mech, fingerprint)
+	if err != nil {
+		return fmt.Errorf("Error creating signature: %v", err)
+	}
+
+	if err := ioutil.WriteFile(outputFile, signature, 0644); err != nil {
+		return fmt.Errorf("Error writing signature to %s: %v", outputFile, err)
+	}
+	return nil
+}
+
+var standaloneSignCmd = cli.Command{
+	Name:      "standalone-sign",
+	Usage:     "Create a signature using local files",
+	ArgsUsage: "MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT",
+	Action:    standaloneSign,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "output, o",
+			Usage: "output the signature to `SIGNATURE`",
+		},
+	},
+}
+
+func standaloneVerify(context *cli.Context) error {
+	if len(context.Args()) != 4 {
+		return errors.New("Usage: skopeo standalone-verify manifest docker-reference key-fingerprint signature")
+	}
+	manifestPath := context.Args()[0]
+	expectedDockerReference := context.Args()[1]
+	expectedFingerprint := context.Args()[2]
+	signaturePath := context.Args()[3]
+
+	unverifiedManifest, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+	}
+	unverifiedSignature, err := ioutil.ReadFile(signaturePath)
+	if err != nil {
+		return fmt.Errorf("Error reading signature from %s: %v", signaturePath, err)
+	}
+
+	mech, err := signature.NewGPGSigningMechanism()
+	if err != nil {
+		return fmt.Errorf("Error initializing GPG: %v", err)
+	}
+	defer mech.Close()
+	sig, err := signature.VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprint)
+	if err != nil {
+		return fmt.Errorf("Error verifying signature: %v", err)
+	}
+
+	fmt.Fprintf(context.App.Writer, "Signature verified, digest %s\n", sig.DockerManifestDigest)
+	return nil
+}
+
+var standaloneVerifyCmd = cli.Command{
+	Name:      "standalone-verify",
+	Usage:     "Verify a signature using local files",
+	ArgsUsage: "MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT SIGNATURE",
+	Action:    standaloneVerify,
+}
+
+func untrustedSignatureDump(context *cli.Context) error {
+	if len(context.Args()) != 1 {
+		return errors.New("Usage: skopeo untrusted-signature-dump-without-verification signature")
+	}
+	untrustedSignaturePath := context.Args()[0]
+
+	untrustedSignature, err := ioutil.ReadFile(untrustedSignaturePath)
+	if err != nil {
+		return fmt.Errorf("Error reading untrusted signature from %s: %v", untrustedSignaturePath, err)
+	}
+
+	untrustedInfo, err := signature.GetUntrustedSignatureInformationWithoutVerifying(untrustedSignature)
+	if err != nil {
+		return fmt.Errorf("Error decoding untrusted signature: %v", err)
+	}
+	untrustedOut, err := json.MarshalIndent(untrustedInfo, "", "    ")
+	if err != nil {
+		return err
+	}
+	fmt.Fprintln(context.App.Writer, string(untrustedOut))
+	return nil
+}
+
+// WARNING: Do not use the contents of this for ANY security decisions,
+// and be VERY CAREFUL about showing this information to humans in any way which suggest that these values “are probably” reliable.
+// There is NO REASON to expect the values to be correct, or not intentionally misleading
+// (including things like “✅ Verified by $authority”)
+//
+// The subcommand is undocumented, and it may be renamed or entirely disappear in the future.
+var untrustedSignatureDumpCmd = cli.Command{
+	Name:      "untrusted-signature-dump-without-verification",
+	Usage:     "Dump contents of a signature WITHOUT VERIFYING IT",
+	ArgsUsage: "SIGNATURE",
+	Hidden:    true,
+	Action:    untrustedSignatureDump,
+}

cmd/skopeo/signing_test.go

@@ -0,0 +1,178 @@
+package main
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/containers/image/signature"
+	"github.com/opencontainers/go-digest"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	// fixturesTestImageManifestDigest is the Docker manifest digest of "image.manifest.json"
+	fixturesTestImageManifestDigest = digest.Digest("sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55")
+	// fixturesTestKeyFingerprint is the fingerprint of the private key.
+	fixturesTestKeyFingerprint = "1D8230F6CDB6A06716E414C1DB72F2188BB46CC8"
+	// fixturesTestKeyFingerprint is the key ID of the private key.
+	fixturesTestKeyShortID = "DB72F2188BB46CC8"
+)
+
+// Test that results of runSkopeo failed with nothing on stdout, and substring
+// within the error message.
+func assertTestFailed(t *testing.T, stdout string, err error, substring string) {
+	assert.Error(t, err)
+	assert.Empty(t, stdout)
+	assert.Contains(t, err.Error(), substring)
+}
+
+func TestStandaloneSign(t *testing.T) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	require.NoError(t, err)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil {
+		t.Skipf("Signing not supported: %v", err)
+	}
+
+	manifestPath := "fixtures/image.manifest.json"
+	dockerReference := "testing/manifest"
+	os.Setenv("GNUPGHOME", "fixtures")
+	defer os.Unsetenv("GNUPGHOME")
+
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+		{"a1", "a2", "a3"},
+		{"a1", "a2", "a3", "a4"},
+		{"-o", "o", "a1", "a2"},
+		{"-o", "o", "a1", "a2", "a3", "a4"},
+	} {
+		out, err := runSkopeo(append([]string{"standalone-sign"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("standalone-sign", "-o", "/dev/null",
+		"/this/doesnt/exist", dockerReference, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Invalid Docker reference
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/null",
+		manifestPath, "" /* empty reference */, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "empty signature content")
+
+	// Unknown key.
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/null",
+		manifestPath, dockerReference, "UNKNOWN GPG FINGERPRINT")
+	assert.Error(t, err)
+	assert.Empty(t, out)
+
+	// Error writing output
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/full",
+		manifestPath, dockerReference, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "/dev/full")
+
+	// Success
+	sigOutput, err := ioutil.TempFile("", "sig")
+	require.NoError(t, err)
+	defer os.Remove(sigOutput.Name())
+	out, err = runSkopeo("standalone-sign", "-o", sigOutput.Name(),
+		manifestPath, dockerReference, fixturesTestKeyFingerprint)
+	require.NoError(t, err)
+	assert.Empty(t, out)
+
+	sig, err := ioutil.ReadFile(sigOutput.Name())
+	require.NoError(t, err)
+	manifest, err := ioutil.ReadFile(manifestPath)
+	require.NoError(t, err)
+	mech, err = signature.NewGPGSigningMechanism()
+	require.NoError(t, err)
+	defer mech.Close()
+	verified, err := signature.VerifyDockerManifestSignature(sig, manifest, dockerReference, mech, fixturesTestKeyFingerprint)
+	require.NoError(t, err)
+	assert.Equal(t, dockerReference, verified.DockerReference)
+	assert.Equal(t, fixturesTestImageManifestDigest, verified.DockerManifestDigest)
+}
+
+func TestStandaloneVerify(t *testing.T) {
+	manifestPath := "fixtures/image.manifest.json"
+	signaturePath := "fixtures/image.signature"
+	dockerReference := "testing/manifest"
+	os.Setenv("GNUPGHOME", "fixtures")
+	defer os.Unsetenv("GNUPGHOME")
+
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2", "a3"},
+		{"a1", "a2", "a3", "a4", "a5"},
+	} {
+		out, err := runSkopeo(append([]string{"standalone-verify"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("standalone-verify", "/this/doesnt/exist",
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error reading signature
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, "/this/doesnt/exist")
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error verifying signature
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, "fixtures/corrupt.signature")
+	assertTestFailed(t, out, err, "Error verifying signature")
+
+	// Success
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified, digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+}
+
+func TestUntrustedSignatureDump(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+		{"a1", "a2", "a3", "a4"},
+	} {
+		out, err := runSkopeo(append([]string{"untrusted-signature-dump-without-verification"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("untrusted-signature-dump-without-verification",
+		"/this/doesnt/exist")
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error reading signature (input is not a signature)
+	out, err = runSkopeo("untrusted-signature-dump-without-verification", "fixtures/image.manifest.json")
+	assertTestFailed(t, out, err, "Error decoding untrusted signature")
+
+	// Success
+	for _, path := range []string{"fixtures/image.signature", "fixtures/corrupt.signature"} {
+		// Success
+		out, err = runSkopeo("untrusted-signature-dump-without-verification", path)
+		require.NoError(t, err)
+
+		var info signature.UntrustedSignatureInformation
+		err := json.Unmarshal([]byte(out), &info)
+		require.NoError(t, err)
+		assert.Equal(t, fixturesTestImageManifestDigest, info.UntrustedDockerManifestDigest)
+		assert.Equal(t, "testing/manifest", info.UntrustedDockerReference)
+		assert.NotNil(t, info.UntrustedCreatorID)
+		assert.Equal(t, "atomic ", *info.UntrustedCreatorID)
+		assert.NotNil(t, info.UntrustedTimestamp)
+		assert.True(t, time.Unix(1458239713, 0).Equal(*info.UntrustedTimestamp))
+		assert.Equal(t, fixturesTestKeyShortID, info.UntrustedShortKeyIdentifier)
+	}
+}

cmd/skopeo/utils.go

@@ -0,0 +1,87 @@
+package main
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/containers/image/transports/alltransports"
+	"github.com/containers/image/types"
+	"github.com/urfave/cli"
+)
+
+func contextFromGlobalOptions(c *cli.Context, flagPrefix string) (*types.SystemContext, error) {
+	ctx := &types.SystemContext{
+		RegistriesDirPath: c.GlobalString("registries.d"),
+		DockerCertPath:    c.String(flagPrefix + "cert-dir"),
+		// DEPRECATED: keep this here for backward compatibility, but override
+		// them if per subcommand flags are provided (see below).
+		DockerInsecureSkipTLSVerify: !c.GlobalBoolT("tls-verify"),
+		OSTreeTmpDirPath:            c.String(flagPrefix + "ostree-tmp-dir"),
+	}
+	if c.IsSet(flagPrefix + "tls-verify") {
+		ctx.DockerInsecureSkipTLSVerify = !c.BoolT(flagPrefix + "tls-verify")
+	}
+	if c.IsSet(flagPrefix + "creds") {
+		var err error
+		ctx.DockerAuthConfig, err = getDockerAuth(c.String(flagPrefix + "creds"))
+		if err != nil {
+			return nil, err
+		}
+	}
+	return ctx, nil
+}
+
+func parseCreds(creds string) (string, string, error) {
+	if creds == "" {
+		return "", "", errors.New("credentials can't be empty")
+	}
+	up := strings.SplitN(creds, ":", 2)
+	if len(up) == 1 {
+		return up[0], "", nil
+	}
+	if up[0] == "" {
+		return "", "", errors.New("username can't be empty")
+	}
+	return up[0], up[1], nil
+}
+
+func getDockerAuth(creds string) (*types.DockerAuthConfig, error) {
+	username, password, err := parseCreds(creds)
+	if err != nil {
+		return nil, err
+	}
+	return &types.DockerAuthConfig{
+		Username: username,
+		Password: password,
+	}, nil
+}
+
+// parseImage converts image URL-like string to an initialized handler for that image.
+// The caller must call .Close() on the returned Image.
+func parseImage(c *cli.Context) (types.Image, error) {
+	imgName := c.Args().First()
+	ref, err := alltransports.ParseImageName(imgName)
+	if err != nil {
+		return nil, err
+	}
+	ctx, err := contextFromGlobalOptions(c, "")
+	if err != nil {
+		return nil, err
+	}
+	return ref.NewImage(ctx)
+}
+
+// parseImageSource converts image URL-like string to an ImageSource.
+// requestedManifestMIMETypes is as in types.ImageReference.NewImageSource.
+// The caller must call .Close() on the returned ImageSource.
+func parseImageSource(c *cli.Context, name string, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	ref, err := alltransports.ParseImageName(name)
+	if err != nil {
+		return nil, err
+	}
+	ctx, err := contextFromGlobalOptions(c, "")
+	if err != nil {
+		return nil, err
+	}
+	return ref.NewImageSource(ctx, requestedManifestMIMETypes)
+}

completions/bash/skopeo

@@ -0,0 +1,159 @@
+#! /bin/bash
+
+: ${PROG:=$(basename ${BASH_SOURCE})}
+
+_complete_() {
+    local options_with_args=$1
+    local boolean_options="$2 -h --help"
+
+    case "$prev" in
+	$options_with_args)
+	    return
+	    ;;
+    esac
+
+    case "$cur" in
+	-*)
+	    COMPREPLY=( $( compgen -W "$boolean_options $options_with_args" -- "$cur" ) )
+	    ;;
+    esac
+}
+
+_skopeo_copy() {
+     local options_with_args="
+	--sign-by
+	--src-creds --screds
+	--src-cert-dir
+	--src-tls-verify
+	--dest-creds --dcreds
+	--dest-cert-dir
+	--dest-ostree-tmp-dir
+	--dest-tls-verify
+     "
+     local boolean_options="
+	--remove-signatures
+     "
+     _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_inspect() {
+     local options_with_args="
+	--creds
+	--cert-dir
+     "
+     local boolean_options="
+	--raw
+	--tls-verify
+    "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_standalone_sign() {
+     local options_with_args="
+	   -o --output
+     "
+     local boolean_options="
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_standalone_verify() {
+     local options_with_args="
+     "
+     local boolean_options="
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_manifest_digest() {
+     local options_with_args="
+     "
+     local boolean_options="
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_delete() {
+     local options_with_args="
+	   --creds
+	   --cert-dir
+     "
+     local boolean_options="
+	   --tls-verify
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_layers() {
+     local options_with_args="
+	   --creds
+	   --cert-dir
+     "
+     local boolean_options="
+	   --tls-verify
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_skopeo() {
+     local options_with_args="
+	   --policy
+	   --registries.d
+     "
+     local boolean_options="
+	   --insecure-policy
+	   --debug
+	   --version -v
+	   --help -h
+     "
+     commands=$( ${COMP_WORDS[@]:0:$COMP_CWORD} --generate-bash-completion )
+
+     case "$prev" in
+	 $main_options_with_args_glob )
+	     return
+	     ;;
+     esac
+
+     case "$cur" in
+	 -*)
+	     COMPREPLY=( $( compgen -W "$boolean_options $options_with_args" -- "$cur" ) )
+	     ;;
+	 *)
+	     COMPREPLY=( $( compgen -W "${commands[*]} help" -- "$cur" ) )
+	     ;;
+     esac
+}
+
+_cli_bash_autocomplete() {
+     local cur opts base
+
+     COMPREPLY=()
+     cur="${COMP_WORDS[COMP_CWORD]}"
+     COMPREPLY=()
+     local cur prev words cword
+
+     _get_comp_words_by_ref -n : cur prev words cword
+
+     local command=${PROG} cpos=0
+     local counter=1
+     counter=1
+     while [ $counter -lt $cword ]; do
+	 case "!${words[$counter]}" in
+	     *)
+		 command=$(echo "${words[$counter]}" | sed 's/-/_/g')
+		 cpos=$counter
+		 (( cpos++ ))
+		 break
+		 ;;
+	 esac
+	 (( counter++ ))
+     done
+
+     local completions_func=_skopeo_${command}
+     declare -F $completions_func >/dev/null && $completions_func
+
+     eval "$previous_extglob_setting"
+     return 0
+}
+
+ complete -F _cli_bash_autocomplete $PROG

default-policy.json

@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}

default.yaml

@@ -0,0 +1,26 @@
+# This is a default registries.d configuration file.  You may
+# add to this file or create additional files in registries.d/.
+#
+# sigstore: indicates a location that is read and write
+# sigstore-staging: indicates a location that is only for write
+#
+# sigstore and sigstore-staging take a value of the following:
+#   sigstore:  {schema}://location
+#
+# For reading signatures, schema may be http, https, or file.
+# For writing signatures, schema may only be file.
+
+# This is the default signature write location for docker registries.
+default-docker:
+#  sigstore: file:///var/lib/atomic/sigstore
+  sigstore-staging: file:///var/lib/atomic/sigstore
+
+# The 'docker' indicator here is the start of the configuration
+# for docker registries.
+#
+# docker:
+#
+#   privateregistry.com:
+#    sigstore: http://privateregistry.com/sigstore/
+#    sigstore-staging: /mnt/nfs/privateregistry/sigstore
+

docker/inspect.go

@@ -1,345 +0,0 @@
-package docker
-
-import (
-	"encoding/json"
-	"fmt"
-	"strings"
-	"syscall"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
-	"github.com/docker/distribution/digest"
-	distreference "github.com/docker/distribution/reference"
-	"github.com/docker/distribution/registry/api/errcode"
-	"github.com/docker/distribution/registry/api/v2"
-	"github.com/docker/distribution/registry/client"
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/cliconfig"
-	"github.com/docker/docker/distribution"
-	"github.com/docker/docker/dockerversion"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/opts"
-	versionPkg "github.com/docker/docker/pkg/version"
-	"github.com/docker/docker/reference"
-	"github.com/docker/docker/registry"
-	engineTypes "github.com/docker/engine-api/types"
-	registryTypes "github.com/docker/engine-api/types/registry"
-	"github.com/runcom/skopeo/types"
-	"golang.org/x/net/context"
-)
-
-// fallbackError wraps an error that can possibly allow fallback to a different
-// endpoint.
-type fallbackError struct {
-	// err is the error being wrapped.
-	err error
-	// confirmedV2 is set to true if it was confirmed that the registry
-	// supports the v2 protocol. This is used to limit fallbacks to the v1
-	// protocol.
-	confirmedV2 bool
-	transportOK bool
-}
-
-// Error renders the FallbackError as a string.
-func (f fallbackError) Error() string {
-	return f.err.Error()
-}
-
-type manifestFetcher interface {
-	Fetch(ctx context.Context, ref reference.Named) (*types.ImageInspect, error)
-}
-
-func validateName(name string) error {
-	distref, err := distreference.ParseNamed(name)
-	if err != nil {
-		return err
-	}
-	hostname, _ := distreference.SplitHostname(distref)
-	if hostname == "" {
-		return fmt.Errorf("Please use a fully qualified repository name")
-	}
-	return nil
-}
-
-func GetData(c *cli.Context, name string) (*types.ImageInspect, error) {
-	if err := validateName(name); err != nil {
-		return nil, err
-	}
-	ref, err := reference.ParseNamed(name)
-	if err != nil {
-		return nil, err
-	}
-	repoInfo, err := registry.ParseRepositoryInfo(ref)
-	if err != nil {
-		return nil, err
-	}
-	authConfig, err := getAuthConfig(c, repoInfo.Index)
-	if err != nil {
-		return nil, err
-	}
-	if err := validateRepoName(repoInfo.Name()); err != nil {
-		return nil, err
-	}
-	options := &registry.Options{}
-	options.Mirrors = opts.NewListOpts(nil)
-	options.InsecureRegistries = opts.NewListOpts(nil)
-	options.InsecureRegistries.Set("0.0.0.0/0")
-	registryService := registry.NewService(options)
-	// TODO(runcom): hacky, provide a way of passing tls cert (flag?) to be used to lookup
-	for _, ic := range registryService.Config.IndexConfigs {
-		ic.Secure = false
-	}
-
-	endpoints, err := registryService.LookupPullEndpoints(repoInfo.Hostname())
-	if err != nil {
-		return nil, err
-	}
-	logrus.Debugf("endpoints: %v", endpoints)
-
-	var (
-		ctx                    = context.Background()
-		lastErr                error
-		discardNoSupportErrors bool
-		imgInspect             *types.ImageInspect
-		confirmedV2            bool
-		confirmedTLSRegistries = make(map[string]struct{})
-	)
-
-	for _, endpoint := range endpoints {
-		// make sure I can reach the registry, same as docker pull does
-		v1endpoint, err := endpoint.ToV1Endpoint(dockerversion.DockerUserAgent(), nil)
-		if err != nil {
-			return nil, err
-		}
-		if _, err := v1endpoint.Ping(); err != nil {
-			if strings.Contains(err.Error(), "timeout") {
-				return nil, err
-			}
-			continue
-		}
-
-		if confirmedV2 && endpoint.Version == registry.APIVersion1 {
-			logrus.Debugf("Skipping v1 endpoint %s because v2 registry was detected", endpoint.URL)
-			continue
-		}
-
-		if endpoint.URL.Scheme != "https" {
-			if _, confirmedTLS := confirmedTLSRegistries[endpoint.URL.Host]; confirmedTLS {
-				logrus.Debugf("Skipping non-TLS endpoint %s for host/port that appears to use TLS", endpoint.URL)
-				continue
-			}
-		}
-
-		logrus.Debugf("Trying to fetch image manifest of %s repository from %s %s", repoInfo.Name(), endpoint.URL, endpoint.Version)
-
-		//fetcher, err := newManifestFetcher(endpoint, repoInfo, config)
-		fetcher, err := newManifestFetcher(endpoint, repoInfo, authConfig, registryService)
-		if err != nil {
-			lastErr = err
-			continue
-		}
-
-		if imgInspect, err = fetcher.Fetch(ctx, ref); err != nil {
-			// Was this fetch cancelled? If so, don't try to fall back.
-			fallback := false
-			select {
-			case <-ctx.Done():
-			default:
-				if fallbackErr, ok := err.(fallbackError); ok {
-					fallback = true
-					confirmedV2 = confirmedV2 || fallbackErr.confirmedV2
-					if fallbackErr.transportOK && endpoint.URL.Scheme == "https" {
-						confirmedTLSRegistries[endpoint.URL.Host] = struct{}{}
-					}
-					err = fallbackErr.err
-				}
-			}
-			if fallback {
-				if _, ok := err.(distribution.ErrNoSupport); !ok {
-					// Because we found an error that's not ErrNoSupport, discard all subsequent ErrNoSupport errors.
-					discardNoSupportErrors = true
-					// save the current error
-					lastErr = err
-				} else if !discardNoSupportErrors {
-					// Save the ErrNoSupport error, because it's either the first error or all encountered errors
-					// were also ErrNoSupport errors.
-					lastErr = err
-				}
-				continue
-			}
-			logrus.Errorf("Not continuing with pull after error: %v", err)
-			return nil, err
-		}
-
-		return imgInspect, nil
-	}
-
-	if lastErr == nil {
-		lastErr = fmt.Errorf("no endpoints found for %s", ref.String())
-	}
-
-	return nil, lastErr
-}
-
-func newManifestFetcher(endpoint registry.APIEndpoint, repoInfo *registry.RepositoryInfo, authConfig engineTypes.AuthConfig, registryService *registry.Service) (manifestFetcher, error) {
-	switch endpoint.Version {
-	case registry.APIVersion2:
-		return &v2ManifestFetcher{
-			endpoint:   endpoint,
-			authConfig: authConfig,
-			service:    registryService,
-			repoInfo:   repoInfo,
-		}, nil
-	case registry.APIVersion1:
-		return &v1ManifestFetcher{
-			endpoint:   endpoint,
-			authConfig: authConfig,
-			service:    registryService,
-			repoInfo:   repoInfo,
-		}, nil
-	}
-	return nil, fmt.Errorf("unknown version %d for registry %s", endpoint.Version, endpoint.URL)
-}
-
-func getAuthConfig(c *cli.Context, index *registryTypes.IndexInfo) (engineTypes.AuthConfig, error) {
-	var (
-		username      = c.GlobalString("username")
-		password      = c.GlobalString("password")
-		cfg           = c.GlobalString("docker-cfg")
-		defAuthConfig = engineTypes.AuthConfig{
-			Username: c.GlobalString("username"),
-			Password: c.GlobalString("password"),
-			Email:    "stub@example.com",
-		}
-	)
-
-	//
-	// FINAL TODO(runcom): avoid returning empty config! just fallthrough and return
-	// the first useful authconfig
-	//
-
-	// TODO(runcom): ??? atomic needs this
-	// TODO(runcom): implement this to opt-in for docker-cfg, no need to make this
-	// work by default with docker's conf
-	//useDockerConf := c.GlobalString("use-docker-cfg")
-
-	if username != "" && password != "" {
-		return defAuthConfig, nil
-	}
-
-	confFile, err := cliconfig.Load(cfg)
-	if err != nil {
-		return engineTypes.AuthConfig{}, err
-	}
-	authConfig := registry.ResolveAuthConfig(confFile.AuthConfigs, index)
-	logrus.Debugf("authConfig for %s: %v", index.Name, authConfig)
-
-	return authConfig, nil
-}
-
-func validateRepoName(name string) error {
-	if name == "" {
-		return fmt.Errorf("Repository name can't be empty")
-	}
-	if name == api.NoBaseImageSpecifier {
-		return fmt.Errorf("'%s' is a reserved name", api.NoBaseImageSpecifier)
-	}
-	return nil
-}
-
-func makeImageInspect(img *image.Image, tag string, dgst digest.Digest, tagList []string) *types.ImageInspect {
-	var digest string
-	if err := dgst.Validate(); err == nil {
-		digest = dgst.String()
-	}
-	return &types.ImageInspect{
-		Tag:             tag,
-		Digest:          digest,
-		RepoTags:        tagList,
-		Comment:         img.Comment,
-		Created:         img.Created.Format(time.RFC3339Nano),
-		ContainerConfig: &img.ContainerConfig,
-		DockerVersion:   img.DockerVersion,
-		Author:          img.Author,
-		Config:          img.Config,
-		Architecture:    img.Architecture,
-		Os:              img.OS,
-	}
-}
-
-func makeRawConfigFromV1Config(imageJSON []byte, rootfs *image.RootFS, history []image.History) (map[string]*json.RawMessage, error) {
-	var dver struct {
-		DockerVersion string `json:"docker_version"`
-	}
-
-	if err := json.Unmarshal(imageJSON, &dver); err != nil {
-		return nil, err
-	}
-
-	useFallback := versionPkg.Version(dver.DockerVersion).LessThan("1.8.3")
-
-	if useFallback {
-		var v1Image image.V1Image
-		err := json.Unmarshal(imageJSON, &v1Image)
-		if err != nil {
-			return nil, err
-		}
-		imageJSON, err = json.Marshal(v1Image)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	var c map[string]*json.RawMessage
-	if err := json.Unmarshal(imageJSON, &c); err != nil {
-		return nil, err
-	}
-
-	c["rootfs"] = rawJSON(rootfs)
-	c["history"] = rawJSON(history)
-
-	return c, nil
-}
-
-func rawJSON(value interface{}) *json.RawMessage {
-	jsonval, err := json.Marshal(value)
-	if err != nil {
-		return nil
-	}
-	return (*json.RawMessage)(&jsonval)
-}
-
-func continueOnError(err error) bool {
-	switch v := err.(type) {
-	case errcode.Errors:
-		if len(v) == 0 {
-			return true
-		}
-		return continueOnError(v[0])
-	case distribution.ErrNoSupport:
-		return continueOnError(v.Err)
-	case errcode.Error:
-		return shouldV2Fallback(v)
-	case *client.UnexpectedHTTPResponseError:
-		return true
-	case ImageConfigPullError:
-		return false
-	case error:
-		return !strings.Contains(err.Error(), strings.ToLower(syscall.ENOSPC.Error()))
-	}
-	// let's be nice and fallback if the error is a completely
-	// unexpected one.
-	// If new errors have to be handled in some way, please
-	// add them to the switch above.
-	return true
-}
-
-// shouldV2Fallback returns true if this error is a reason to fall back to v1.
-func shouldV2Fallback(err errcode.Error) bool {
-	switch err.Code {
-	case errcode.ErrorCodeUnauthorized, v2.ErrorCodeManifestUnknown, v2.ErrorCodeNameUnknown:
-		return true
-	}
-	return false
-}

docker/inspect_v1.go

@@ -1,170 +0,0 @@
-package docker
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/registry/client/transport"
-	dockerdistribution "github.com/docker/docker/distribution"
-	"github.com/docker/docker/dockerversion"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/image/v1"
-	"github.com/docker/docker/reference"
-	"github.com/docker/docker/registry"
-	engineTypes "github.com/docker/engine-api/types"
-	"github.com/runcom/skopeo/types"
-	"golang.org/x/net/context"
-)
-
-type v1ManifestFetcher struct {
-	endpoint    registry.APIEndpoint
-	repoInfo    *registry.RepositoryInfo
-	repo        distribution.Repository
-	confirmedV2 bool
-	// wrap in a config?
-	authConfig engineTypes.AuthConfig
-	service    *registry.Service
-	session    *registry.Session
-}
-
-func (mf *v1ManifestFetcher) Fetch(ctx context.Context, ref reference.Named) (*types.ImageInspect, error) {
-	var (
-		imgInspect *types.ImageInspect
-	)
-	if _, isCanonical := ref.(reference.Canonical); isCanonical {
-		// Allowing fallback, because HTTPS v1 is before HTTP v2
-		return nil, fallbackError{err: dockerdistribution.ErrNoSupport{errors.New("Cannot pull by digest with v1 registry")}}
-	}
-	tlsConfig, err := mf.service.TLSConfig(mf.repoInfo.Index.Name)
-	if err != nil {
-		return nil, err
-	}
-	// Adds Docker-specific headers as well as user-specified headers (metaHeaders)
-	tr := transport.NewTransport(
-		registry.NewTransport(tlsConfig),
-		//registry.DockerHeaders(mf.config.MetaHeaders)...,
-		registry.DockerHeaders(dockerversion.DockerUserAgent(), nil)...,
-	)
-	client := registry.HTTPClient(tr)
-	//v1Endpoint, err := mf.endpoint.ToV1Endpoint(mf.config.MetaHeaders)
-	v1Endpoint, err := mf.endpoint.ToV1Endpoint(dockerversion.DockerUserAgent(), nil)
-	if err != nil {
-		logrus.Debugf("Could not get v1 endpoint: %v", err)
-		return nil, fallbackError{err: err}
-	}
-	mf.session, err = registry.NewSession(client, &mf.authConfig, v1Endpoint)
-	if err != nil {
-		logrus.Debugf("Fallback from error: %s", err)
-		return nil, fallbackError{err: err}
-	}
-	imgInspect, err = mf.fetchWithSession(ctx, ref)
-	if err != nil {
-		return nil, err
-	}
-	return imgInspect, nil
-}
-
-func (mf *v1ManifestFetcher) fetchWithSession(ctx context.Context, ref reference.Named) (*types.ImageInspect, error) {
-	repoData, err := mf.session.GetRepositoryData(mf.repoInfo)
-	if err != nil {
-		if strings.Contains(err.Error(), "HTTP code: 404") {
-			return nil, fmt.Errorf("Error: image %s not found", mf.repoInfo.RemoteName())
-		}
-		// Unexpected HTTP error
-		return nil, err
-	}
-
-	var tagsList map[string]string
-	tagsList, err = mf.session.GetRemoteTags(repoData.Endpoints, mf.repoInfo)
-	if err != nil {
-		logrus.Errorf("unable to get remote tags: %s", err)
-		return nil, err
-	}
-
-	logrus.Debugf("Retrieving the tag list")
-	tagged, isTagged := ref.(reference.NamedTagged)
-	var tagID, tag string
-	if isTagged {
-		tag = tagged.Tag()
-		tagsList[tagged.Tag()] = tagID
-	} else {
-		ref, err = reference.WithTag(ref, reference.DefaultTag)
-		if err != nil {
-			return nil, err
-		}
-		tagged, _ := ref.(reference.NamedTagged)
-		tag = tagged.Tag()
-		tagsList[tagged.Tag()] = tagID
-	}
-	tagID, err = mf.session.GetRemoteTag(repoData.Endpoints, mf.repoInfo, tag)
-	if err == registry.ErrRepoNotFound {
-		return nil, fmt.Errorf("Tag %s not found in repository %s", tag, mf.repoInfo.FullName())
-	}
-	if err != nil {
-		logrus.Errorf("unable to get remote tags: %s", err)
-		return nil, err
-	}
-
-	tagList := []string{}
-	for tag := range tagsList {
-		tagList = append(tagList, tag)
-	}
-
-	img := repoData.ImgList[tagID]
-
-	var pulledImg *image.Image
-	for _, ep := range mf.repoInfo.Index.Mirrors {
-		if pulledImg, err = mf.pullImageJSON(img.ID, ep, repoData.Tokens); err != nil {
-			// Don't report errors when pulling from mirrors.
-			logrus.Debugf("Error pulling image json of %s:%s, mirror: %s, %s", mf.repoInfo.FullName(), img.Tag, ep, err)
-			continue
-		}
-		break
-	}
-	if pulledImg == nil {
-		for _, ep := range repoData.Endpoints {
-			if pulledImg, err = mf.pullImageJSON(img.ID, ep, repoData.Tokens); err != nil {
-				// It's not ideal that only the last error is returned, it would be better to concatenate the errors.
-				logrus.Infof("Error pulling image json of %s:%s, endpoint: %s, %v", mf.repoInfo.FullName(), img.Tag, ep, err)
-				continue
-			}
-			break
-		}
-	}
-	if err != nil {
-		return nil, fmt.Errorf("Error pulling image (%s) from %s, %v", img.Tag, mf.repoInfo.FullName(), err)
-	}
-	if pulledImg == nil {
-		return nil, fmt.Errorf("No such image %s:%s", mf.repoInfo.FullName(), tag)
-	}
-
-	return makeImageInspect(pulledImg, tag, "", tagList), nil
-}
-
-func (mf *v1ManifestFetcher) pullImageJSON(imgID, endpoint string, token []string) (*image.Image, error) {
-	imgJSON, _, err := mf.session.GetRemoteImageJSON(imgID, endpoint)
-	if err != nil {
-		return nil, err
-	}
-	h, err := v1.HistoryFromConfig(imgJSON, false)
-	if err != nil {
-		return nil, err
-	}
-	configRaw, err := makeRawConfigFromV1Config(imgJSON, image.NewRootFS(), []image.History{h})
-	if err != nil {
-		return nil, err
-	}
-	config, err := json.Marshal(configRaw)
-	if err != nil {
-		return nil, err
-	}
-	img, err := image.NewFromJSON(config)
-	if err != nil {
-		return nil, err
-	}
-	return img, nil
-}

docker/inspect_v2.go

@@ -1,486 +0,0 @@
-package docker
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"runtime"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/digest"
-	"github.com/docker/distribution/manifest/manifestlist"
-	"github.com/docker/distribution/manifest/schema1"
-	"github.com/docker/distribution/manifest/schema2"
-	"github.com/docker/distribution/registry/api/errcode"
-	"github.com/docker/distribution/registry/client"
-	dockerdistribution "github.com/docker/docker/distribution"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/image/v1"
-	"github.com/docker/docker/reference"
-	"github.com/docker/docker/registry"
-	engineTypes "github.com/docker/engine-api/types"
-	"github.com/runcom/skopeo/types"
-	"golang.org/x/net/context"
-)
-
-type v2ManifestFetcher struct {
-	endpoint    registry.APIEndpoint
-	repoInfo    *registry.RepositoryInfo
-	repo        distribution.Repository
-	confirmedV2 bool
-	// wrap in a config?
-	authConfig engineTypes.AuthConfig
-	service    *registry.Service
-}
-
-func (mf *v2ManifestFetcher) Fetch(ctx context.Context, ref reference.Named) (*types.ImageInspect, error) {
-	var (
-		imgInspect *types.ImageInspect
-		err        error
-	)
-
-	//mf.repo, mf.confirmedV2, err = distribution.NewV2Repository(ctx, mf.repoInfo, mf.endpoint, mf.config.MetaHeaders, mf.config.AuthConfig, "pull")
-	mf.repo, mf.confirmedV2, err = dockerdistribution.NewV2Repository(ctx, mf.repoInfo, mf.endpoint, nil, &mf.authConfig, "pull")
-	if err != nil {
-		logrus.Debugf("Error getting v2 registry: %v", err)
-		return nil, err
-	}
-
-	imgInspect, err = mf.fetchWithRepository(ctx, ref)
-	if err != nil {
-		if _, ok := err.(fallbackError); ok {
-			return nil, err
-		}
-		if continueOnError(err) {
-			logrus.Errorf("Error trying v2 registry: %v", err)
-			return nil, fallbackError{err: err, confirmedV2: mf.confirmedV2, transportOK: true}
-		}
-	}
-	return imgInspect, err
-}
-
-func (mf *v2ManifestFetcher) fetchWithRepository(ctx context.Context, ref reference.Named) (*types.ImageInspect, error) {
-	var (
-		manifest    distribution.Manifest
-		tagOrDigest string // Used for logging/progress only
-		tagList     = []string{}
-	)
-
-	manSvc, err := mf.repo.Manifests(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	if _, isTagged := ref.(reference.NamedTagged); !isTagged {
-		ref, err = reference.WithTag(ref, reference.DefaultTag)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if tagged, isTagged := ref.(reference.NamedTagged); isTagged {
-		// NOTE: not using TagService.Get, since it uses HEAD requests
-		// against the manifests endpoint, which are not supported by
-		// all registry versions.
-		manifest, err = manSvc.Get(ctx, "", client.WithTag(tagged.Tag()))
-		if err != nil {
-			return nil, allowV1Fallback(err)
-		}
-		tagOrDigest = tagged.Tag()
-	} else if digested, isDigested := ref.(reference.Canonical); isDigested {
-		manifest, err = manSvc.Get(ctx, digested.Digest())
-		if err != nil {
-			return nil, err
-		}
-		tagOrDigest = digested.Digest().String()
-	} else {
-		return nil, fmt.Errorf("internal error: reference has neither a tag nor a digest: %s", ref.String())
-	}
-
-	if manifest == nil {
-		return nil, fmt.Errorf("image manifest does not exist for tag or digest %q", tagOrDigest)
-	}
-
-	// If manSvc.Get succeeded, we can be confident that the registry on
-	// the other side speaks the v2 protocol.
-	mf.confirmedV2 = true
-
-	tagList, err = mf.repo.Tags(ctx).All(ctx)
-	if err != nil {
-		// If this repository doesn't exist on V2, we should
-		// permit a fallback to V1.
-		return nil, allowV1Fallback(err)
-	}
-
-	var (
-		image          *image.Image
-		manifestDigest digest.Digest
-	)
-
-	switch v := manifest.(type) {
-	case *schema1.SignedManifest:
-		image, manifestDigest, err = mf.pullSchema1(ctx, ref, v)
-		if err != nil {
-			return nil, err
-		}
-	case *schema2.DeserializedManifest:
-		image, manifestDigest, err = mf.pullSchema2(ctx, ref, v)
-		if err != nil {
-			return nil, err
-		}
-	case *manifestlist.DeserializedManifestList:
-		image, manifestDigest, err = mf.pullManifestList(ctx, ref, v)
-		if err != nil {
-			return nil, err
-		}
-	default:
-		return nil, errors.New("unsupported manifest format")
-	}
-
-	// TODO(runcom)
-	//var showTags bool
-	//if reference.IsNameOnly(ref) {
-	//showTags = true
-	//logrus.Debug("Using default tag: latest")
-	//ref = reference.WithDefaultTag(ref)
-	//}
-	//_ = showTags
-	return makeImageInspect(image, tagOrDigest, manifestDigest, tagList), nil
-}
-
-func (mf *v2ManifestFetcher) pullSchema1(ctx context.Context, ref reference.Named, unverifiedManifest *schema1.SignedManifest) (img *image.Image, manifestDigest digest.Digest, err error) {
-	var verifiedManifest *schema1.Manifest
-	verifiedManifest, err = verifySchema1Manifest(unverifiedManifest, ref)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// remove duplicate layers and check parent chain validity
-	err = fixManifestLayers(verifiedManifest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// Image history converted to the new format
-	var history []image.History
-
-	// Note that the order of this loop is in the direction of bottom-most
-	// to top-most, so that the downloads slice gets ordered correctly.
-	for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
-		var throwAway struct {
-			ThrowAway bool `json:"throwaway,omitempty"`
-		}
-		if err := json.Unmarshal([]byte(verifiedManifest.History[i].V1Compatibility), &throwAway); err != nil {
-			return nil, "", err
-		}
-
-		h, err := v1.HistoryFromConfig([]byte(verifiedManifest.History[i].V1Compatibility), throwAway.ThrowAway)
-		if err != nil {
-			return nil, "", err
-		}
-		history = append(history, h)
-	}
-
-	rootFS := image.NewRootFS()
-	configRaw, err := makeRawConfigFromV1Config([]byte(verifiedManifest.History[0].V1Compatibility), rootFS, history)
-
-	config, err := json.Marshal(configRaw)
-	if err != nil {
-		return nil, "", err
-	}
-
-	img, err = image.NewFromJSON(config)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifestDigest = digest.FromBytes(unverifiedManifest.Canonical)
-
-	return img, manifestDigest, nil
-}
-
-func verifySchema1Manifest(signedManifest *schema1.SignedManifest, ref reference.Named) (m *schema1.Manifest, err error) {
-	// If pull by digest, then verify the manifest digest. NOTE: It is
-	// important to do this first, before any other content validation. If the
-	// digest cannot be verified, don't even bother with those other things.
-	if digested, isCanonical := ref.(reference.Canonical); isCanonical {
-		verifier, err := digest.NewDigestVerifier(digested.Digest())
-		if err != nil {
-			return nil, err
-		}
-		if _, err := verifier.Write(signedManifest.Canonical); err != nil {
-			return nil, err
-		}
-		if !verifier.Verified() {
-			err := fmt.Errorf("image verification failed for digest %s", digested.Digest())
-			logrus.Error(err)
-			return nil, err
-		}
-	}
-	m = &signedManifest.Manifest
-
-	if m.SchemaVersion != 1 {
-		return nil, fmt.Errorf("unsupported schema version %d for %q", m.SchemaVersion, ref.String())
-	}
-	if len(m.FSLayers) != len(m.History) {
-		return nil, fmt.Errorf("length of history not equal to number of layers for %q", ref.String())
-	}
-	if len(m.FSLayers) == 0 {
-		return nil, fmt.Errorf("no FSLayers in manifest for %q", ref.String())
-	}
-	return m, nil
-}
-
-func fixManifestLayers(m *schema1.Manifest) error {
-	imgs := make([]*image.V1Image, len(m.FSLayers))
-	for i := range m.FSLayers {
-		img := &image.V1Image{}
-
-		if err := json.Unmarshal([]byte(m.History[i].V1Compatibility), img); err != nil {
-			return err
-		}
-
-		imgs[i] = img
-		if err := v1.ValidateID(img.ID); err != nil {
-			return err
-		}
-	}
-
-	if imgs[len(imgs)-1].Parent != "" && runtime.GOOS != "windows" {
-		// Windows base layer can point to a base layer parent that is not in manifest.
-		return errors.New("Invalid parent ID in the base layer of the image.")
-	}
-
-	// check general duplicates to error instead of a deadlock
-	idmap := make(map[string]struct{})
-
-	var lastID string
-	for _, img := range imgs {
-		// skip IDs that appear after each other, we handle those later
-		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
-			return fmt.Errorf("ID %+v appears multiple times in manifest", img.ID)
-		}
-		lastID = img.ID
-		idmap[lastID] = struct{}{}
-	}
-
-	// backwards loop so that we keep the remaining indexes after removing items
-	for i := len(imgs) - 2; i >= 0; i-- {
-		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
-			m.FSLayers = append(m.FSLayers[:i], m.FSLayers[i+1:]...)
-			m.History = append(m.History[:i], m.History[i+1:]...)
-		} else if imgs[i].Parent != imgs[i+1].ID {
-			return fmt.Errorf("Invalid parent ID. Expected %v, got %v.", imgs[i+1].ID, imgs[i].Parent)
-		}
-	}
-
-	return nil
-}
-
-func (mf *v2ManifestFetcher) pullSchema2(ctx context.Context, ref reference.Named, mfst *schema2.DeserializedManifest) (img *image.Image, manifestDigest digest.Digest, err error) {
-	manifestDigest, err = schema2ManifestDigest(ref, mfst)
-	if err != nil {
-		return nil, "", err
-	}
-
-	target := mfst.Target()
-
-	configChan := make(chan []byte, 1)
-	errChan := make(chan error, 1)
-	var cancel func()
-	ctx, cancel = context.WithCancel(ctx)
-
-	// Pull the image config
-	go func() {
-		configJSON, err := mf.pullSchema2ImageConfig(ctx, target.Digest)
-		if err != nil {
-			errChan <- ImageConfigPullError{Err: err}
-			cancel()
-			return
-		}
-		configChan <- configJSON
-	}()
-
-	var (
-		configJSON         []byte      // raw serialized image config
-		unmarshalledConfig image.Image // deserialized image config
-	)
-	if runtime.GOOS == "windows" {
-		configJSON, unmarshalledConfig, err = receiveConfig(configChan, errChan)
-		if err != nil {
-			return nil, "", err
-		}
-		if unmarshalledConfig.RootFS == nil {
-			return nil, "", errors.New("image config has no rootfs section")
-		}
-	}
-
-	if configJSON == nil {
-		configJSON, unmarshalledConfig, err = receiveConfig(configChan, errChan)
-		if err != nil {
-			return nil, "", err
-		}
-	}
-
-	img, err = image.NewFromJSON(configJSON)
-	if err != nil {
-		return nil, "", err
-	}
-
-	return img, manifestDigest, nil
-}
-
-func (mf *v2ManifestFetcher) pullSchema2ImageConfig(ctx context.Context, dgst digest.Digest) (configJSON []byte, err error) {
-	blobs := mf.repo.Blobs(ctx)
-	configJSON, err = blobs.Get(ctx, dgst)
-	if err != nil {
-		return nil, err
-	}
-
-	// Verify image config digest
-	verifier, err := digest.NewDigestVerifier(dgst)
-	if err != nil {
-		return nil, err
-	}
-	if _, err := verifier.Write(configJSON); err != nil {
-		return nil, err
-	}
-	if !verifier.Verified() {
-		err := fmt.Errorf("image config verification failed for digest %s", dgst)
-		logrus.Error(err)
-		return nil, err
-	}
-
-	return configJSON, nil
-}
-
-func receiveConfig(configChan <-chan []byte, errChan <-chan error) ([]byte, image.Image, error) {
-	select {
-	case configJSON := <-configChan:
-		var unmarshalledConfig image.Image
-		if err := json.Unmarshal(configJSON, &unmarshalledConfig); err != nil {
-			return nil, image.Image{}, err
-		}
-		return configJSON, unmarshalledConfig, nil
-	case err := <-errChan:
-		return nil, image.Image{}, err
-		// Don't need a case for ctx.Done in the select because cancellation
-		// will trigger an error in p.pullSchema2ImageConfig.
-	}
-}
-
-// ImageConfigPullError is an error pulling the image config blob
-// (only applies to schema2).
-type ImageConfigPullError struct {
-	Err error
-}
-
-// Error returns the error string for ImageConfigPullError.
-func (e ImageConfigPullError) Error() string {
-	return "error pulling image configuration: " + e.Err.Error()
-}
-
-// allowV1Fallback checks if the error is a possible reason to fallback to v1
-// (even if confirmedV2 has been set already), and if so, wraps the error in
-// a fallbackError with confirmedV2 set to false. Otherwise, it returns the
-// error unmodified.
-func allowV1Fallback(err error) error {
-	switch v := err.(type) {
-	case errcode.Errors:
-		if len(v) != 0 {
-			if v0, ok := v[0].(errcode.Error); ok && shouldV2Fallback(v0) {
-				return fallbackError{err: err, confirmedV2: false, transportOK: true}
-			}
-		}
-	case errcode.Error:
-		if shouldV2Fallback(v) {
-			return fallbackError{err: err, confirmedV2: false, transportOK: true}
-		}
-	}
-	return err
-}
-
-// schema2ManifestDigest computes the manifest digest, and, if pulling by
-// digest, ensures that it matches the requested digest.
-func schema2ManifestDigest(ref reference.Named, mfst distribution.Manifest) (digest.Digest, error) {
-	_, canonical, err := mfst.Payload()
-	if err != nil {
-		return "", err
-	}
-
-	// If pull by digest, then verify the manifest digest.
-	if digested, isDigested := ref.(reference.Canonical); isDigested {
-		verifier, err := digest.NewDigestVerifier(digested.Digest())
-		if err != nil {
-			return "", err
-		}
-		if _, err := verifier.Write(canonical); err != nil {
-			return "", err
-		}
-		if !verifier.Verified() {
-			err := fmt.Errorf("manifest verification failed for digest %s", digested.Digest())
-			logrus.Error(err)
-			return "", err
-		}
-		return digested.Digest(), nil
-	}
-
-	return digest.FromBytes(canonical), nil
-}
-
-// pullManifestList handles "manifest lists" which point to various
-// platform-specifc manifests.
-func (mf *v2ManifestFetcher) pullManifestList(ctx context.Context, ref reference.Named, mfstList *manifestlist.DeserializedManifestList) (img *image.Image, manifestListDigest digest.Digest, err error) {
-	manifestListDigest, err = schema2ManifestDigest(ref, mfstList)
-	if err != nil {
-		return nil, "", err
-	}
-
-	var manifestDigest digest.Digest
-	for _, manifestDescriptor := range mfstList.Manifests {
-		// TODO(aaronl): The manifest list spec supports optional
-		// "features" and "variant" fields. These are not yet used.
-		// Once they are, their values should be interpreted here.
-		if manifestDescriptor.Platform.Architecture == runtime.GOARCH && manifestDescriptor.Platform.OS == runtime.GOOS {
-			manifestDigest = manifestDescriptor.Digest
-			break
-		}
-	}
-
-	if manifestDigest == "" {
-		return nil, "", errors.New("no supported platform found in manifest list")
-	}
-
-	manSvc, err := mf.repo.Manifests(ctx)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifest, err := manSvc.Get(ctx, manifestDigest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifestRef, err := reference.WithDigest(ref, manifestDigest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	switch v := manifest.(type) {
-	case *schema1.SignedManifest:
-		img, _, err = mf.pullSchema1(ctx, manifestRef, v)
-		if err != nil {
-			return nil, "", err
-		}
-	case *schema2.DeserializedManifest:
-		img, _, err = mf.pullSchema2(ctx, manifestRef, v)
-		if err != nil {
-			return nil, "", err
-		}
-	default:
-		return nil, "", errors.New("unsupported manifest format")
-	}
-
-	return img, manifestListDigest, err
-}

docs/skopeo.1.md

@@ -0,0 +1,243 @@
+% SKOPEO(1) Skopeo Man Pages
+% Jhon Honce
+% August 2016
+# NAME
+skopeo -- Various operations with container images images and container image registries
+# SYNOPSIS
+**skopeo** [_global options_] _command_ [_command options_]
+# DESCRIPTION
+`skopeo` is a command line utility providing various operations with container images and container image registries. For example, it is able to inspect a repository on a Docker registry and fetch image. It fetches the repository's manifest and it is able to show you a `docker inspect`-like json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about a repository or a tag without requiring you to run `docker pull` - e.g. - which tags are available for the given repository? which labels the image has?
+
+It also allows you to copy container images between various registries, possibly converting them as necessary, and to sign and verify images.
+## IMAGE NAMES
+Most commands refer to container images, using a _transport_`:`_details_ format. The following formats are supported:
+
+  **atomic:**_namespace_**/**_stream_**:**_tag_
+  An image in the current project of the current default Atomic
+  Registry. The current project and Atomic Registry instance are by
+  default read from `$HOME/.kube/config`, which is set e.g. using
+  `(oc login)`.
+
+  **dir:**_path_
+  An existing local directory _path_ storing the manifest, layer
+  tarballs and signatures as individual files. This is a
+  non-standardized format, primarily useful for debugging or
+  noninvasive container inspection.
+
+  **docker://**_docker-reference_
+  An image in a registry implementing the "Docker Registry HTTP API V2".
+  By default, uses the authorization state in `$HOME/.docker/config.json`,
+  which is set e.g. using `(docker login)`.
+
+  **oci:**_path_**:**_tag_
+  An image _tag_ in a directory compliant with "Open Container Image
+  Layout Specification" at _path_.
+
+# OPTIONS
+
+  **--debug** enable debug output
+
+  **--policy** _path-to-policy_ Path to a policy.json file to use for verifying signatures and deciding whether an image is trusted, overriding the default trust policy file.
+
+  **--insecure-policy** Adopt an insecure, permissive policy that allows anything. This obviates the need for a policy file.
+
+  **--registries.d** _dir_ use registry configuration files in _dir_ (e.g. for docker signature storage), overriding the default path.
+
+  **--help**|**-h** Show help
+
+  **--version**|**-v** print the version number
+
+# COMMANDS
+
+## skopeo copy
+**skopeo copy** [**--sign-by=**_key-ID_] _source-image destination-image_
+
+Copy an image (manifest, filesystem layers, signatures) from one location to another.
+
+Uses the system's trust policy to validate images, rejects images not trusted by the policy.
+
+  _source-image_ use the "image name" format described above
+
+  _destination-image_ use the "image name" format described above
+
+  **--remove-signatures** do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.
+
+  **--sign-by=**_key-id_ add a signature using that key ID for an image name corresponding to _destination-image_
+
+  **--src-creds** _username[:password]_ for accessing the source registry
+
+  **--dest-creds** _username[:password]_ for accessing the destination registry
+
+  **--src-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry
+
+  **--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to docker source registry (defaults to true)
+
+  **--dest-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry
+
+  **--dest-ostree-tmp-dir** _path_ Directory to use for OSTree temporary files.
+
+  **--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to docker destination registry (defaults to true)
+
+Existing signatures, if any, are preserved as well.
+
+## skopeo delete
+**skopeo delete** _image-name_
+
+Mark _image-name_ for deletion.  To release the allocated disk space, you need to execute the docker registry garabage collector. E.g.,
+
+```sh
+$ docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml
+```
+
+  **--creds** _username[:password]_ for accessing the registry
+
+  **--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry
+
+  **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to docker registries (defaults to true)
+
+Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon.
+
+## skopeo inspect
+**skopeo inspect** [**--raw**] _image-name_
+
+Return low-level information about _image-name_ in a registry
+
+  **--raw** output raw manifest, default is to format in JSON
+
+  _image-name_ name of image to retrieve information about
+
+  **--creds** _username[:password]_ for accessing the registry
+
+  **--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry
+
+  **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to docker registries (defaults to true)
+
+## skopeo manifest-digest
+**skopeo manifest-digest** _manifest-file_
+
+Compute a manifest digest of _manifest-file_ and write it to standard output.
+
+## skopeo standalone-sign
+**skopeo standalone-sign** _manifest docker-reference key-fingerprint_ **--output**|**-o** _signature_
+
+This is primarily a debugging tool, or useful for special cases,
+and usually should not be a part of your normal operational workflow; use `skopeo copy --sign-by` instead to publish and sign an image in one step.
+
+  _manifest_ Path to a file containing the image manifest
+
+  _docker-reference_ A docker reference to identify the image with
+
+  _key-fingerprint_ Key identity to use for signing
+
+  **--output**|**-o** output file
+
+## skopeo standalone-verify
+**skopeo standalone-verify** _manifest docker-reference key-fingerprint signature_
+
+Verify a signature using local files, digest will be printed on success.
+
+  _manifest_ Path to a file containing the image manifest
+
+  _docker-reference_ A docker reference expected to identify the image in the signature
+
+  _key-fingerprint_ Expected identity of the signing key
+
+  _signature_ Path to signature file
+
+**Note:** If you do use this, make sure that the image can not be changed at the source location between the times of its verification and use.
+
+## skopeo help
+show help for `skopeo`
+
+# FILES
+  **/etc/containers/policy.json**
+  Default trust policy file, if **--policy** is not specified.
+  The policy format is documented in https://github.com/containers/image/blob/master/docs/policy.json.md .
+
+  **/etc/containers/registries.d**
+  Default directory containing registry configuration, if **--registries.d** is not specified.
+  The contents of this directory are documented in https://github.com/containers/image/blob/master/docs/registries.d.md .
+
+# EXAMPLES
+
+## skopeo copy
+To copy the layers of the docker.io busybox image to a local directory:
+```sh
+$ mkdir -p /var/lib/images/busybox
+$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
+$ ls /var/lib/images/busybox/*
+  /tmp/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
+  /tmp/busybox/manifest.json
+  /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
+```
+
+To copy and sign an image:
+
+```sh
+$ skopeo copy --sign-by dev@example.com atomic:example/busybox:streaming atomic:example/busybox:gold
+```
+## skopeo delete
+Mark image example/pause for deletion from the registry.example.com registry:
+```sh
+$ skopeo delete --force docker://registry.example.com/example/pause:latest
+```
+See above for additional details on using the command **delete**.
+
+## skopeo inspect
+To review information for the image fedora from the docker.io registry:
+```sh
+$ skopeo inspect docker://docker.io/fedora
+{
+    "Name": "docker.io/library/fedora",
+    "Digest": "sha256:a97914edb6ba15deb5c5acf87bd6bd5b6b0408c96f48a5cbd450b5b04509bb7d",
+    "RepoTags": [
+        "20",
+        "21",
+        "22",
+        "23",
+        "24",
+        "heisenbug",
+        "latest",
+        "rawhide"
+    ],
+    "Created": "2016-06-20T19:33:43.220526898Z",
+    "DockerVersion": "1.10.3",
+    "Labels": {},
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:7c91a140e7a1025c3bc3aace4c80c0d9933ac4ee24b8630a6b0b5d8b9ce6b9d4"
+    ]
+}
+```
+## skopeo layers
+Another method to retrieve the layers for the busybox image from the docker.io registry:
+```sh
+$ skopeo layers docker://busybox
+$ ls layers-500650331/
+  8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
+  manifest.json
+  a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4.tar
+```
+## skopeo manifest-digest
+```sh
+$ skopeo manifest-digest manifest.json
+sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
+```
+## skopeo standalone-sign
+```sh
+$ skopeo standalone-sign busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 --output busybox.signature
+$
+```
+
+See `skopeo copy` above for the preferred method of signing images.
+## skopeo standalone-verify
+```sh
+$ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8  busybox.signature
+Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
+```
+
+# AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
+

hack/.vendor-helpers.sh

@@ -1,103 +0,0 @@
-#!/usr/bin/env bash
-
-PROJECT=github.com/runcom/skopeo
-
-# Downloads dependencies into vendor/ directory
-mkdir -p vendor
-
-export GOPATH="$GOPATH:${PWD}/vendor"
-
-find="/usr/bin/find"
-
-clone() {
-	local vcs="$1"
-	local pkg="$2"
-	local rev="$3"
-	local url="$4"
-
-	: ${url:=https://$pkg}
-	local target="vendor/src/$pkg"
-
-	echo -n "$pkg @ $rev: "
-
-	if [ -d "$target" ]; then
-		echo -n 'rm old, '
-		rm -rf "$target"
-	fi
-
-	echo -n 'clone, '
-	case "$vcs" in
-		git)
-			git clone --quiet --no-checkout "$url" "$target"
-			( cd "$target" && git checkout --quiet "$rev" && git reset --quiet --hard "$rev" )
-			;;
-		hg)
-			hg clone --quiet --updaterev "$rev" "$url" "$target"
-			;;
-	esac
-
-	echo -n 'rm VCS, '
-	( cd "$target" && rm -rf .{git,hg} )
-
-	echo -n 'rm vendor, '
-	( cd "$target" && rm -rf vendor Godeps/_workspace )
-
-	echo done
-}
-
-clean() {
-	local packages=(
-		"${PROJECT}" # package main
-		"${PROJECT}/integration" # package main
-	)
-	local platforms=( linux/amd64 linux/386 )
-
-	local buildTags=(  )
-
-	echo
-
-	echo -n 'collecting import graph, '
-	local IFS=$'\n'
-	local imports=( $(
-		for platform in "${platforms[@]}"; do
-			export GOOS="${platform%/*}";
-			export GOARCH="${platform##*/}";
-			go list -e -tags "$buildTags" -f '{{join .Deps "\n"}}' "${packages[@]}"
-			go list -e -tags "$buildTags" -f '{{join .TestImports "\n"}}' "${packages[@]}"
-		done | grep -vE "^${PROJECT}" | sort -u
-	) )
-	imports=( $(go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' "${imports[@]}") )
-	unset IFS
-
-	echo -n 'pruning unused packages, '
-	findArgs=(
-		# This directory contains only .c and .h files which are necessary
-		# -path vendor/src/github.com/mattn/go-sqlite3/code
-	)
-	for import in "${imports[@]}"; do
-		[ "${#findArgs[@]}" -eq 0 ] || findArgs+=( -or )
-		findArgs+=( -path "vendor/src/$import" )
-	done
-	local IFS=$'\n'
-	local prune=( $($find vendor -depth -type d -not '(' "${findArgs[@]}" ')') )
-	unset IFS
-	for dir in "${prune[@]}"; do
-		$find "$dir" -maxdepth 1 -not -type d -not -name 'LICENSE*' -not -name 'COPYING*' -exec rm -v -f '{}' ';'
-		rmdir "$dir" 2>/dev/null || true
-	done
-
-	echo -n 'pruning unused files, '
-	$find vendor -type f -name '*_test.go' -exec rm -v '{}' ';'
-
-	echo done
-}
-
-# Fix up hard-coded imports that refer to Godeps paths so they'll work with our vendoring
-fix_rewritten_imports () {
-       local pkg="$1"
-       local remove="${pkg}/Godeps/_workspace/src/"
-       local target="vendor/src/$pkg"
-
-       echo "$pkg: fixing rewritten imports"
-       $find "$target" -name \*.go -exec sed -i -e "s|\"${remove}|\"|g" {} \;
-}

hack/btrfs_tag.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+cc -E - > /dev/null 2> /dev/null << EOF
+#include <btrfs/version.h>
+EOF
+if test $? -ne 0 ; then
+	echo btrfs_noversion
+fi

hack/libdm_tag.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+tmpdir="$PWD/tmp.$RANDOM"
+mkdir -p "$tmpdir"
+trap 'rm -fr "$tmpdir"' EXIT
+cc -c -o "$tmpdir"/libdm_tag.o -x c - > /dev/null 2> /dev/null << EOF
+#include <libdevmapper.h>
+int main() {
+	struct dm_task *task;
+	return 0;
+}
+EOF
+if test $? -ne 0 ; then
+	echo libdm_no_deferred_remove
+fi

hack/make.sh

@@ -6,7 +6,7 @@ set -e
 #
 # Requirements:
 # - The current directory should be a checkout of the skopeo source code
-#   (https://github.com/runcom/skopeo). Whatever version is checked out
+#   (https://github.com/projectatomic/skopeo). Whatever version is checked out
 #   will be built.
 # - The script is intended to be run inside the docker container specified
 #   in the Dockerfile at the root of the source. In other words:
@@ -19,7 +19,7 @@ set -e
 
 set -o pipefail
 
-export SKOPEO_PKG='github.com/runcom/skopeo'
+export SKOPEO_PKG='github.com/projectatomic/skopeo'
 export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export MAKEDIR="$SCRIPTDIR/make"
 
@@ -72,10 +72,10 @@ TESTFLAGS+=" -test.timeout=10m"
 go_test_dir() {
 	dir=$1
 	(
-		echo '+ go test' $TESTFLAGS "${SKOPEO_PKG}${dir#.}"
+		echo '+ go test' $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"} "${SKOPEO_PKG}${dir#.}"
 		cd "$dir"
 		export DEST="$ABS_DEST" # we're in a subshell, so this is safe -- our integration-cli tests need DEST, and "cd" screws it up
-		go test $TESTFLAGS
+		go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
 	)
 }
 

hack/make/.validate

@@ -4,7 +4,7 @@ if [ -z "$VALIDATE_UPSTREAM" ]; then
 	# this is kind of an expensive check, so let's not do this twice if we
 	# are running more than one validate bundlescript
 	
-	VALIDATE_REPO='https://github.com/runcom/skopeo.git'
+	VALIDATE_REPO='https://github.com/projectatomic/skopeo.git'
 	VALIDATE_BRANCH='master'
 	
 	if [ "$TRAVIS" = 'true' -a "$TRAVIS_PULL_REQUEST" != 'false' ]; then
@@ -21,9 +21,7 @@ if [ -z "$VALIDATE_UPSTREAM" ]; then
 	VALIDATE_COMMIT_DIFF="$VALIDATE_UPSTREAM...$VALIDATE_HEAD"
 	
 	validate_diff() {
-		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then
-			git diff "$VALIDATE_COMMIT_DIFF" "$@"
-		fi
+		git diff "$VALIDATE_UPSTREAM" "$@"
 	}
 	validate_log() {
 		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then

hack/make/test-integration

@@ -8,8 +8,8 @@ bundle_test_integration() {
 
 # subshell so that we can export PATH without breaking other things
 (
-	make binary
-	make install-binary
+	make binary-local ${BUILDTAGS:+BUILDTAGS="$BUILDTAGS"}
+	make install
 	export GO15VENDOREXPERIMENT=1
 	bundle_test_integration
 ) 2>&1

hack/make/validate-gofmt

@@ -8,8 +8,7 @@ unset IFS
 
 badFiles=()
 for f in "${files[@]}"; do
-	# we use "git show" here to validate that what's committed is formatted
-	if [ "$(git show "$VALIDATE_HEAD:$f" | gofmt -s -l)" ]; then
+	if [ "$(gofmt -s -l < $f)" ]; then
 		badFiles+=( "$f" )
 	fi
 done

hack/make/validate-lint

@@ -11,7 +11,6 @@ unset IFS
 
 errors=()
 for f in "${files[@]}"; do
-	# we use "git show" here to validate that what's committed passes go lint
 	failedLint=$(golint "$f")
 	if [ "$failedLint" ]; then
 		errors+=( "$failedLint" )

hack/make/validate-vet

@@ -8,7 +8,6 @@ unset IFS
 
 errors=()
 for f in "${files[@]}"; do
-	# we use "git show" here to validate that what's committed passes go vet
 	failedVet=$(go vet "$f")
 	if [ "$failedVet" ]; then
 		errors+=( "$failedVet" )

hack/vendor.sh

@@ -1,27 +1,15 @@
-#!/usr/bin/env bash
+#!/bin/bash
+
+# This file is just wrapper around vndr (github.com/LK4D4/vndr) tool.
+# For updating dependencies you should change `vendor.conf` file in root of the
+# project. Please refer to https://github.com/LK4D4/vndr/blob/master/README.md for
+# vndr usage.
+
 set -e
 
-cd "$(dirname "$BASH_SOURCE")/.."
-rm -rf vendor/
-source 'hack/.vendor-helpers.sh'
+if ! hash vndr; then
+	echo "Please install vndr with \"go get github.com/LK4D4/vndr\" and put it in your \$GOPATH"
+	exit 1
+fi
 
-clone git github.com/codegangsta/cli v1.2.0
-clone git github.com/Sirupsen/logrus v0.8.7
-clone git github.com/vbatts/tar-split v0.9.11
-clone git github.com/gorilla/mux master
-clone git github.com/gorilla/context master
-clone git golang.org/x/net master https://github.com/golang/net.git
-clone git github.com/go-check/check v1
-
-clone git github.com/docker/docker 29bade2cd0a09191279f04ebc6aeedaa70c772a0
-clone git github.com/docker/engine-api 7f6071353fc48f69d2328c4ebe8f3bd0f7c75da4
-clone git github.com/docker/distribution 7b66c50bb7e0e4b3b83f8fd134a9f6ea4be08b57
-
-clone git github.com/docker/go-connections master
-clone git github.com/docker/go-units master
-clone git github.com/docker/libtrust master
-clone git github.com/opencontainers/runc master
-
-clean
-
-mv vendor/src/* vendor/
+vndr "$@"

inspect.go

@@ -1,55 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/codegangsta/cli"
-	"github.com/runcom/skopeo/docker"
-	"github.com/runcom/skopeo/types"
-)
-
-type imgKind int
-
-const (
-	imgTypeDocker = "docker://"
-	imgTypeAppc   = "appc://"
-
-	kindUnknown = iota
-	kindDocker
-	kindAppc
-)
-
-func getImgType(img string) imgKind {
-	if strings.HasPrefix(img, imgTypeDocker) {
-		return kindDocker
-	}
-	if strings.HasPrefix(img, imgTypeAppc) {
-		return kindAppc
-	}
-	// TODO(runcom): v2 will support this
-	//return kindUnknown
-	return kindDocker
-}
-
-func inspect(c *cli.Context) (*types.ImageInspect, error) {
-	var (
-		imgInspect *types.ImageInspect
-		err        error
-		name       = c.Args().First()
-		kind       = getImgType(name)
-	)
-
-	switch kind {
-	case kindDocker:
-		imgInspect, err = docker.GetData(c, strings.Replace(name, imgTypeDocker, "", -1))
-		if err != nil {
-			return nil, err
-		}
-	case kindAppc:
-		return nil, fmt.Errorf("not implemented yet")
-	default:
-		return nil, fmt.Errorf("%s image is invalid, please use either 'docker://' or 'appc://'", name)
-	}
-	return imgInspect, nil
-}

integration/check_test.go

@@ -3,10 +3,10 @@ package main
 import (
 	"fmt"
 	"os/exec"
-	"strings"
 	"testing"
 
 	"github.com/go-check/check"
+	"github.com/projectatomic/skopeo/version"
 )
 
 const (
@@ -15,8 +15,6 @@ const (
 	privateRegistryURL2 = "127.0.0.1:5002"
 	privateRegistryURL3 = "127.0.0.1:5003"
 	privateRegistryURL4 = "127.0.0.1:5004"
-
-	skopeoBinary = "skopeo"
 )
 
 func Test(t *testing.T) {
@@ -73,43 +71,34 @@ func (s *SkopeoSuite) TearDownTest(c *check.C) {
 //func skopeoCmd()
 
 func (s *SkopeoSuite) TestVersion(c *check.C) {
-	out, err := exec.Command(skopeoBinary, "--version").CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf(string(out)))
-	wanted := skopeoBinary + " version "
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
+	wanted := fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version)
+	assertSkopeoSucceeds(c, wanted, "--version")
 }
 
 func (s *SkopeoSuite) TestCanAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	out, err := exec.Command(skopeoBinary, "--docker-cfg=''", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, fmt.Sprintf("%s/busybox:latest", s.regV2WithAuth.url)).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := "Error: image busybox not found"
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
+	wanted := ".*manifest unknown: manifest unknown.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", "--creds="+s.regV2WithAuth.username+":"+s.regV2WithAuth.password, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }
 
 func (s *SkopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	out, err := exec.Command(skopeoBinary, "--docker-cfg=''", fmt.Sprintf("%s/busybox:latest", s.regV2WithAuth.url)).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := "no basic auth credentials"
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
+	wanted := ".*unauthorized: authentication required.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+}
+
+func (s *SkopeoSuite) TestCertDirInsteadOfCertPath(c *check.C) {
+	wanted := ".*flag provided but not defined: -cert-path.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-path=/")
+	wanted = ".*unauthorized: authentication required.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-dir=/etc/docker/certs.d/")
 }
 
 // TODO(runcom): as soon as we can push to registries ensure you can inspect here
 // not just get image not found :)
 func (s *SkopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound(c *check.C) {
-	out, err := exec.Command(skopeoBinary, fmt.Sprintf("%s/busybox:latest", s.regV2.url)).CombinedOutput()
+	out, err := exec.Command(skopeoBinary, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2.url)).CombinedOutput()
 	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := "Error: image busybox not found"
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
-	wanted = "no basic auth credentials"
-	if strings.Contains(string(out), wanted) {
-		c.Fatalf("not wanted %s, got %s", wanted, string(out))
-	}
+	wanted := ".*manifest unknown.*"
+	c.Assert(string(out), check.Matches, "(?s)"+wanted) // (?s) : '.' will also match newlines
+	wanted = ".*unauthorized: authentication required.*"
+	c.Assert(string(out), check.Not(check.Matches), "(?s)"+wanted) // (?s) : '.' will also match newlines
 }

integration/copy_test.go

@@ -0,0 +1,618 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/signature"
+	"github.com/go-check/check"
+	"github.com/opencontainers/go-digest"
+)
+
+func init() {
+	check.Suite(&CopySuite{})
+}
+
+const (
+	v2DockerRegistryURL   = "localhost:5555" // Update also policy.json
+	v2s1DockerRegistryURL = "localhost:5556"
+)
+
+type CopySuite struct {
+	cluster    *openshiftCluster
+	registry   *testRegistryV2
+	s1Registry *testRegistryV2
+	gpgHome    string
+}
+
+func (s *CopySuite) SetUpSuite(c *check.C) {
+	if os.Getenv("SKOPEO_CONTAINER_TESTS") != "1" {
+		c.Skip("Not running in a container, refusing to affect user state")
+	}
+
+	s.cluster = startOpenshiftCluster(c) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+
+	for _, stream := range []string{"unsigned", "personal", "official", "naming", "cosigned", "compression", "schema1", "schema2"} {
+		isJSON := fmt.Sprintf(`{
+			"kind": "ImageStream",
+			"apiVersion": "v1",
+			"metadata": {
+			    "name": "%s"
+			},
+			"spec": {}
+		}`, stream)
+		runCommandWithInput(c, isJSON, "oc", "create", "-f", "-")
+	}
+
+	// FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, false, false)
+	s.s1Registry = setupRegistryV2At(c, v2s1DockerRegistryURL, false, true)
+
+	gpgHome, err := ioutil.TempDir("", "skopeo-gpg")
+	c.Assert(err, check.IsNil)
+	s.gpgHome = gpgHome
+	os.Setenv("GNUPGHOME", s.gpgHome)
+
+	for _, key := range []string{"personal", "official"} {
+		batchInput := fmt.Sprintf("Key-Type: RSA\nName-Real: Test key - %s\nName-email: %s@example.com\n%%commit\n",
+			key, key)
+		runCommandWithInput(c, batchInput, gpgBinary, "--batch", "--gen-key")
+
+		out := combinedOutputOfCommand(c, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
+		err := ioutil.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
+			[]byte(out), 0600)
+		c.Assert(err, check.IsNil)
+	}
+}
+
+func (s *CopySuite) TearDownSuite(c *check.C) {
+	if s.gpgHome != "" {
+		os.RemoveAll(s.gpgHome)
+	}
+	if s.registry != nil {
+		s.registry.Close()
+	}
+	if s.s1Registry != nil {
+		s.s1Registry.Close()
+	}
+	if s.cluster != nil {
+		s.cluster.tearDown(c)
+	}
+}
+
+func (s *CopySuite) TestCopyFailsWithManifestList(c *check.C) {
+	assertSkopeoFails(c, ".*can not copy docker://estesp/busybox:latest: manifest contains multiple images.*", "copy", "docker://estesp/busybox:latest", "dir:somedir")
+}
+
+func (s *CopySuite) TestCopySimpleAtomicRegistry(c *check.C) {
+	dir1, err := ioutil.TempDir("", "copy-1")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-2")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	// "pull": docker: → dir:
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:amd64", "dir:"+dir1)
+	// "push": dir: → atomic:
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "dir:"+dir1, "atomic:localhost:5000/myns/unsigned:unsigned")
+	// The result of pushing and pulling is an equivalent image, except for schema1 embedded names.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/unsigned:unsigned", "dir:"+dir2)
+	assertSchema1DirImagesAreEqualExceptNames(c, dir1, "estesp/busybox:amd64", dir2, "myns/unsigned:unsigned")
+}
+
+// The most basic (skopeo copy) use:
+func (s *CopySuite) TestCopySimple(c *check.C) {
+	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"
+
+	dir1, err := ioutil.TempDir("", "copy-1")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-2")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	// "pull": docker: → dir:
+	assertSkopeoSucceeds(c, "", "copy", "docker://busybox", "dir:"+dir1)
+	// "push": dir: → docker(v2s2):
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "dir:"+dir1, ourRegistry+"busybox:unsigned")
+	// The result of pushing and pulling is an unmodified image.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", ourRegistry+"busybox:unsigned", "dir:"+dir2)
+	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
+	c.Assert(out, check.Equals, "")
+
+	// docker v2s2 -> OCI image layout
+	// ociDest will be created by oci: if it doesn't exist
+	// so don't create it here to exercise auto-creation
+	ociDest := "busybox-latest"
+	defer os.RemoveAll(ociDest)
+	assertSkopeoSucceeds(c, "", "copy", "docker://busybox:latest", "oci:"+ociDest)
+	_, err = os.Stat(ociDest)
+	c.Assert(err, check.IsNil)
+}
+
+// Check whether dir: images in dir1 and dir2 are equal, ignoring schema1 signatures.
+func assertDirImagesAreEqual(c *check.C, dir1, dir2 string) {
+	// The manifests may have different JWS signatures; so, compare the manifests by digests, which
+	// strips the signatures.
+	digests := []digest.Digest{}
+	for _, dir := range []string{dir1, dir2} {
+		manifestPath := filepath.Join(dir, "manifest.json")
+		m, err := ioutil.ReadFile(manifestPath)
+		c.Assert(err, check.IsNil)
+		digest, err := manifest.Digest(m)
+		c.Assert(err, check.IsNil)
+		digests = append(digests, digest)
+	}
+	c.Assert(digests[0], check.Equals, digests[1])
+	// Then compare the rest file by file.
+	out := combinedOutputOfCommand(c, "diff", "-urN", "-x", "manifest.json", dir1, dir2)
+	c.Assert(out, check.Equals, "")
+}
+
+// Check whether schema1 dir: images in dir1 and dir2 are equal, ignoring schema1 signatures and the embedded path/tag values, which should have the expected values.
+func assertSchema1DirImagesAreEqualExceptNames(c *check.C, dir1, ref1, dir2, ref2 string) {
+	// The manifests may have different JWS signatures and names; so, unmarshal and delete these elements.
+	manifests := []map[string]interface{}{}
+	for dir, ref := range map[string]string{dir1: ref1, dir2: ref2} {
+		manifestPath := filepath.Join(dir, "manifest.json")
+		m, err := ioutil.ReadFile(manifestPath)
+		c.Assert(err, check.IsNil)
+		data := map[string]interface{}{}
+		err = json.Unmarshal(m, &data)
+		c.Assert(err, check.IsNil)
+		c.Assert(data["schemaVersion"], check.Equals, float64(1))
+		colon := strings.LastIndex(ref, ":")
+		c.Assert(colon, check.Not(check.Equals), -1)
+		c.Assert(data["name"], check.Equals, ref[:colon])
+		c.Assert(data["tag"], check.Equals, ref[colon+1:])
+		for _, key := range []string{"signatures", "name", "tag"} {
+			delete(data, key)
+		}
+		manifests = append(manifests, data)
+	}
+	c.Assert(manifests[0], check.DeepEquals, manifests[1])
+	// Then compare the rest file by file.
+	out := combinedOutputOfCommand(c, "diff", "-urN", "-x", "manifest.json", dir1, dir2)
+	c.Assert(out, check.Equals, "")
+}
+
+// Streaming (skopeo copy)
+func (s *CopySuite) TestCopyStreaming(c *check.C) {
+	dir1, err := ioutil.TempDir("", "streaming-1")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "streaming-2")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	// streaming: docker: → atomic:
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "docker://estesp/busybox:amd64", "atomic:localhost:5000/myns/unsigned:streaming")
+	// Compare (copies of) the original and the copy:
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:amd64", "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/unsigned:streaming", "dir:"+dir2)
+	assertSchema1DirImagesAreEqualExceptNames(c, dir1, "estesp/busybox:amd64", dir2, "myns/unsigned:streaming")
+	// FIXME: Also check pushing to docker://
+}
+
+// OCI round-trip testing. It's very important to make sure that OCI <-> Docker
+// conversion works (while skopeo handles many things, one of the most obvious
+// benefits of a tool like skopeo is that you can use OCI tooling to create an
+// image and then as the final step convert the image to a non-standard format
+// like Docker). But this only works if we _test_ it.
+func (s *CopySuite) TestCopyOCIRoundTrip(c *check.C) {
+	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"
+
+	oci1, err := ioutil.TempDir("", "oci-1")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci1)
+	oci2, err := ioutil.TempDir("", "oci-2")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(oci2)
+
+	// Docker -> OCI
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "docker://busybox", "oci:"+oci1+":latest")
+	// OCI -> Docker
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "oci:"+oci1+":latest", ourRegistry+"original/busybox:oci_copy")
+	// Docker -> OCI
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", ourRegistry+"original/busybox:oci_copy", "oci:"+oci2+":latest")
+	// OCI -> Docker
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "oci:"+oci2+":latest", ourRegistry+"original/busybox:oci_copy2")
+
+	// TODO: Add some more tags to output to and check those work properly.
+
+	// First, make sure the OCI blobs are the same. This should _always_ be true.
+	out := combinedOutputOfCommand(c, "diff", "-urN", oci1+"/blobs", oci2+"/blobs")
+	c.Assert(out, check.Equals, "")
+
+	// For some silly reason we pass a logger to the OCI library here...
+	//logger := log.New(os.Stderr, "", 0)
+
+	// TODO: Verify using the upstream OCI image validator.
+	//err = image.ValidateLayout(oci1, nil, logger)
+	//c.Assert(err, check.IsNil)
+	//err = image.ValidateLayout(oci2, nil, logger)
+	//c.Assert(err, check.IsNil)
+
+	// Now verify that everything is identical. Currently this is true, but
+	// because we recompute the manifests on-the-fly this doesn't necessarily
+	// always have to be true (but if this breaks in the future __PLEASE__ make
+	// sure that the breakage actually makes sense before removing this check).
+	out = combinedOutputOfCommand(c, "diff", "-urN", oci1, oci2)
+	c.Assert(out, check.Equals, "")
+}
+
+// --sign-by and --policy copy, primarily using atomic:
+func (s *CopySuite) TestCopySignatures(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
+	dir, err := ioutil.TempDir("", "signatures-dest")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir)
+	dirDest := "dir:" + dir
+
+	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
+	defer os.Remove(policy)
+
+	// type: reject
+	assertSkopeoFails(c, ".*Source image rejected: Running image docker://busybox:latest is rejected by policy.*",
+		"--policy", policy, "copy", "docker://busybox:latest", dirDest)
+
+	// type: insecureAcceptAnything
+	assertSkopeoSucceeds(c, "", "--policy", policy, "copy", "docker://openshift/hello-openshift", dirDest)
+
+	// type: signedBy
+	// Sign the images
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "docker://busybox:1.26", "atomic:localhost:5006/myns/personal:personal")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "official@example.com", "docker://busybox:1.26.1", "atomic:localhost:5006/myns/official:official")
+	// Verify that we can pull them
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:personal", dirDest)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:official", dirDest)
+	// Verify that mis-signed images are rejected
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/personal:personal", "atomic:localhost:5006/myns/official:attack")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/personal:attack")
+	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:attack", dirDest)
+	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:attack", dirDest)
+
+	// Verify that signed identity is verified.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/naming:test1")
+	assertSkopeoFails(c, ".*Source image rejected: Signature for identity localhost:5006/myns/official:official is not accepted.*",
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/naming:test1", dirDest)
+	// signedIdentity works
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/naming:naming")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/naming:naming", dirDest)
+
+	// Verify that cosigning requirements are enforced
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
+	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest)
+
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest)
+}
+
+// --policy copy for dir: sources
+func (s *CopySuite) TestCopyDirSignatures(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
+	topDir, err := ioutil.TempDir("", "dir-signatures-top")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(topDir)
+	topDirDest := "dir:" + topDir
+
+	for _, suffix := range []string{"/dir1", "/dir2", "/restricted/personal", "/restricted/official", "/restricted/badidentity", "/dest"} {
+		err := os.MkdirAll(topDir+suffix, 0755)
+		c.Assert(err, check.IsNil)
+	}
+
+	// Note the "/@dirpath@": The value starts with a slash so that it is not rejected in other tests which do not replace it,
+	// but we must ensure that the result is a canonical path, not something starting with a "//".
+	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome, "/@dirpath@": topDir + "/restricted"})
+	defer os.Remove(policy)
+
+	// Get some images.
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:armfh", topDirDest+"/dir1")
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:s390x", topDirDest+"/dir2")
+
+	// Sign the images. By coping fom a topDirDest/dirN, also test that non-/restricted paths
+	// use the dir:"" default of insecureAcceptAnything.
+	// (For signing, we must push to atomic: to get a Docker identity to use in the signature.)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "--sign-by", "personal@example.com", topDirDest+"/dir1", "atomic:localhost:5000/myns/personal:dirstaging")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "--sign-by", "official@example.com", topDirDest+"/dir2", "atomic:localhost:5000/myns/official:dirstaging")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/personal:dirstaging", topDirDest+"/restricted/personal")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:dirstaging", topDirDest+"/restricted/official")
+
+	// type: signedBy, with a signedIdentity override (necessary because dir: identities can't be signed)
+	// Verify that correct images are accepted
+	assertSkopeoSucceeds(c, "", "--policy", policy, "copy", topDirDest+"/restricted/official", topDirDest+"/dest")
+	// ... and that mis-signed images are rejected.
+	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
+		"--policy", policy, "copy", topDirDest+"/restricted/personal", topDirDest+"/dest")
+
+	// Verify that the signed identity is verified.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "--sign-by", "official@example.com", topDirDest+"/dir1", "atomic:localhost:5000/myns/personal:dirstaging2")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/personal:dirstaging2", topDirDest+"/restricted/badidentity")
+	assertSkopeoFails(c, ".*Source image rejected: .*Signature for identity localhost:5000/myns/personal:dirstaging2 is not accepted.*",
+		"--policy", policy, "copy", topDirDest+"/restricted/badidentity", topDirDest+"/dest")
+}
+
+// Compression during copy
+func (s *CopySuite) TestCopyCompression(c *check.C) {
+	const uncompresssedLayerFile = "160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710.tar"
+
+	topDir, err := ioutil.TempDir("", "compression-top")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(topDir)
+
+	for i, t := range []struct{ fixture, remote string }{
+		{"uncompressed-image-s1", "docker://" + v2DockerRegistryURL + "/compression/compression:s1"},
+		{"uncompressed-image-s2", "docker://" + v2DockerRegistryURL + "/compression/compression:s2"},
+		{"uncompressed-image-s1", "atomic:localhost:5000/myns/compression:s1"},
+		{"uncompressed-image-s2", "atomic:localhost:5000/myns/compression:s2"},
+	} {
+		dir := filepath.Join(topDir, fmt.Sprintf("case%d", i))
+		err := os.MkdirAll(dir, 0755)
+		c.Assert(err, check.IsNil)
+
+		assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "dir:fixtures/"+t.fixture, t.remote)
+		assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", t.remote, "dir:"+dir)
+
+		// The original directory contained an uncompressed file, the copy after pushing and pulling doesn't (we use a different name for the compressed file).
+		_, err = os.Lstat(filepath.Join("fixtures", t.fixture, uncompresssedLayerFile))
+		c.Assert(err, check.IsNil)
+		_, err = os.Lstat(filepath.Join(dir, uncompresssedLayerFile))
+		c.Assert(err, check.NotNil)
+		c.Assert(os.IsNotExist(err), check.Equals, true)
+
+		// All pulled layers are smaller than the uncompressed size of uncompresssedLayerFile. (Note that this includes the manifest in s2, but that works out OK).
+		dirf, err := os.Open(dir)
+		c.Assert(err, check.IsNil)
+		fis, err := dirf.Readdir(-1)
+		c.Assert(err, check.IsNil)
+		for _, fi := range fis {
+			if strings.HasSuffix(fi.Name(), ".tar") {
+				c.Assert(fi.Size() < 2048, check.Equals, true)
+			}
+		}
+	}
+}
+
+func findRegularFiles(c *check.C, root string) []string {
+	result := []string{}
+	err := filepath.Walk(root, filepath.WalkFunc(func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.Mode().IsRegular() {
+			result = append(result, path)
+		}
+		return nil
+	}))
+	c.Assert(err, check.IsNil)
+	return result
+}
+
+// --sign-by and policy use for docker: with sigstore
+func (s *CopySuite) TestCopyDockerSigstore(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
+	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"
+
+	tmpDir, err := ioutil.TempDir("", "signatures-sigstore")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+	copyDest := filepath.Join(tmpDir, "dest")
+	err = os.Mkdir(copyDest, 0755)
+	c.Assert(err, check.IsNil)
+	dirDest := "dir:" + copyDest
+	plainSigstore := filepath.Join(tmpDir, "sigstore")
+	splitSigstoreStaging := filepath.Join(tmpDir, "sigstore-staging")
+
+	splitSigstoreReadServerHandler := http.NotFoundHandler()
+	splitSigstoreReadServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		splitSigstoreReadServerHandler.ServeHTTP(w, r)
+	}))
+	defer splitSigstoreReadServer.Close()
+
+	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
+	defer os.Remove(policy)
+	registriesDir := filepath.Join(tmpDir, "registries.d")
+	err = os.Mkdir(registriesDir, 0755)
+	c.Assert(err, check.IsNil)
+	registriesFile := fileFromFixture(c, "fixtures/registries.yaml",
+		map[string]string{"@sigstore@": plainSigstore, "@split-staging@": splitSigstoreStaging, "@split-read@": splitSigstoreReadServer.URL})
+	err = os.Symlink(registriesFile, filepath.Join(registriesDir, "registries.yaml"))
+	c.Assert(err, check.IsNil)
+
+	// Get an image to work with.  Also verifies that we can use Docker repositories with no sigstore configured.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "docker://busybox", ourRegistry+"original/busybox")
+	// Pulling an unsigned image fails.
+	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
+		"--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"original/busybox", dirDest)
+
+	// Signing with sigstore defined succeeds,
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "--sign-by", "personal@example.com", ourRegistry+"original/busybox", ourRegistry+"signed/busybox")
+	// a signature file has been created,
+	foundFiles := findRegularFiles(c, plainSigstore)
+	c.Assert(foundFiles, check.HasLen, 1)
+	// and pulling a signed image succeeds.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"signed/busybox", dirDest)
+
+	// Deleting the image succeeds,
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "delete", ourRegistry+"signed/busybox")
+	// and the signature file has been deleted (but we leave the directories around).
+	foundFiles = findRegularFiles(c, plainSigstore)
+	c.Assert(foundFiles, check.HasLen, 0)
+
+	// Signing with a read/write sigstore split succeeds,
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "--sign-by", "personal@example.com", ourRegistry+"original/busybox", ourRegistry+"public/busybox")
+	// and a signature file has been created.
+	foundFiles = findRegularFiles(c, splitSigstoreStaging)
+	c.Assert(foundFiles, check.HasLen, 1)
+	// Pulling the image fails because the read sigstore URL has not been populated:
+	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
+		"--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"public/busybox", dirDest)
+	// Pulling the image succeeds after the read sigstore URL is available:
+	splitSigstoreReadServerHandler = http.FileServer(http.Dir(splitSigstoreStaging))
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir, "copy", ourRegistry+"public/busybox", dirDest)
+}
+
+// atomic: and docker: X-Registry-Supports-Signatures works and interoperates
+func (s *CopySuite) TestCopyAtomicExtension(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that the reading/writing works using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
+	topDir, err := ioutil.TempDir("", "atomic-extension")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(topDir)
+	for _, subdir := range []string{"dirAA", "dirAD", "dirDA", "dirDD", "registries.d"} {
+		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
+		c.Assert(err, check.IsNil)
+	}
+	registriesDir := filepath.Join(topDir, "registries.d")
+	dirDest := "dir:" + topDir
+	policy := fileFromFixture(c, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
+	defer os.Remove(policy)
+
+	// Get an image to work with to an atomic: destination.  Also verifies that we can use Docker repositories without X-Registry-Supports-Signatures
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "docker://busybox", "atomic:localhost:5000/myns/extension:unsigned")
+	// Pulling an unsigned image using atomic: fails.
+	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
+		"--tls-verify=false", "--policy", policy,
+		"copy", "atomic:localhost:5000/myns/extension:unsigned", dirDest+"/dirAA")
+	// The same when pulling using docker:
+	assertSkopeoFails(c, ".*Source image rejected: A signature was required, but no signature exists.*",
+		"--tls-verify=false", "--policy", policy, "--registries.d", registriesDir,
+		"copy", "docker://localhost:5000/myns/extension:unsigned", dirDest+"/dirAD")
+
+	// Sign the image using atomic:
+	assertSkopeoSucceeds(c, "", "--tls-verify=false",
+		"copy", "--sign-by", "personal@example.com", "atomic:localhost:5000/myns/extension:unsigned", "atomic:localhost:5000/myns/extension:atomic")
+	// Pulling the image using atomic: now succeeds.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy,
+		"copy", "atomic:localhost:5000/myns/extension:atomic", dirDest+"/dirAA")
+	// The same when pulling using docker:
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir,
+		"copy", "docker://localhost:5000/myns/extension:atomic", dirDest+"/dirAD")
+	// Both access methods result in the same data.
+	assertDirImagesAreEqual(c, filepath.Join(topDir, "dirAA"), filepath.Join(topDir, "dirAD"))
+
+	// Get another image (different so that they don't share signatures, and sign it using docker://)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--registries.d", registriesDir,
+		"copy", "--sign-by", "personal@example.com", "docker://estesp/busybox:ppc64le", "atomic:localhost:5000/myns/extension:extension")
+	c.Logf("%s", combinedOutputOfCommand(c, "oc", "get", "istag", "extension:extension", "-o", "json"))
+	// Pulling the image using atomic: succeeds.
+	assertSkopeoSucceeds(c, "", "--debug", "--tls-verify=false", "--policy", policy,
+		"copy", "atomic:localhost:5000/myns/extension:extension", dirDest+"/dirDA")
+	// The same when pulling using docker:
+	assertSkopeoSucceeds(c, "", "--debug", "--tls-verify=false", "--policy", policy, "--registries.d", registriesDir,
+		"copy", "docker://localhost:5000/myns/extension:extension", dirDest+"/dirDD")
+	// Both access methods result in the same data.
+	assertDirImagesAreEqual(c, filepath.Join(topDir, "dirDA"), filepath.Join(topDir, "dirDD"))
+}
+
+func (s *SkopeoSuite) TestCopySrcWithAuth(c *check.C) {
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--dest-creds=testuser:testpassword", "docker://busybox", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+	dir1, err := ioutil.TempDir("", "copy-1")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--src-creds=testuser:testpassword", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "dir:"+dir1)
+}
+
+func (s *SkopeoSuite) TestCopyDestWithAuth(c *check.C) {
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--dest-creds=testuser:testpassword", "docker://busybox", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+}
+
+func (s *SkopeoSuite) TestCopySrcAndDestWithAuth(c *check.C) {
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--dest-creds=testuser:testpassword", "docker://busybox", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--src-creds=testuser:testpassword", "--dest-creds=testuser:testpassword", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), fmt.Sprintf("docker://%s/test:auth", s.regV2WithAuth.url))
+}
+
+func (s *CopySuite) TestCopyNoPanicOnHTTPResponseWOTLSVerifyFalse(c *check.C) {
+	const ourRegistry = "docker://" + v2DockerRegistryURL + "/"
+
+	// dir:test isn't created beforehand just because we already know this could
+	// just fail when evaluating the src
+	assertSkopeoFails(c, ".*server gave HTTP response to HTTPS client.*",
+		"copy", ourRegistry+"foobar", "dir:test")
+}
+
+func (s *CopySuite) TestCopySchemaConversion(c *check.C) {
+	// Test conversion / schema autodetection both for the OpenShift embedded registry…
+	s.testCopySchemaConversionRegistries(c, "docker://localhost:5005/myns/schema1", "docker://localhost:5006/myns/schema2")
+	// … and for various docker/distribution registry versions.
+	s.testCopySchemaConversionRegistries(c, "docker://"+v2s1DockerRegistryURL+"/schema1", "docker://"+v2DockerRegistryURL+"/schema2")
+}
+
+func (s *CopySuite) testCopySchemaConversionRegistries(c *check.C, schema1Registry, schema2Registry string) {
+	topDir, err := ioutil.TempDir("", "schema-conversion")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(topDir)
+	for _, subdir := range []string{"input1", "input2", "dest2"} {
+		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
+		c.Assert(err, check.IsNil)
+	}
+	input1Dir := filepath.Join(topDir, "input1")
+	input2Dir := filepath.Join(topDir, "input2")
+	destDir := filepath.Join(topDir, "dest2")
+
+	// Ensure we are working with a schema2 image.
+	// dir: accepts any manifest format, i.e. this makes …/input2 a schema2 source which cannot be asked to produce schema1 like ordinary docker: registries can.
+	assertSkopeoSucceeds(c, "", "copy", "docker://busybox", "dir:"+input2Dir)
+	verifyManifestMIMEType(c, input2Dir, manifest.DockerV2Schema2MediaType)
+	// 2→2 (the "f2t2" in tag means "from 2 to 2")
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "dir:"+input2Dir, schema2Registry+":f2t2")
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", schema2Registry+":f2t2", "dir:"+destDir)
+	verifyManifestMIMEType(c, destDir, manifest.DockerV2Schema2MediaType)
+	// 2→1; we will use the result as a schema1 image for further tests.
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "dir:"+input2Dir, schema1Registry+":f2t1")
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", schema1Registry+":f2t1", "dir:"+input1Dir)
+	verifyManifestMIMEType(c, input1Dir, manifest.DockerV2Schema1SignedMediaType)
+	// 1→1
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "dir:"+input1Dir, schema1Registry+":f1t1")
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", schema1Registry+":f1t1", "dir:"+destDir)
+	verifyManifestMIMEType(c, destDir, manifest.DockerV2Schema1SignedMediaType)
+	// 1→2: image stays unmodified schema1
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "dir:"+input1Dir, schema2Registry+":f1t2")
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", schema2Registry+":f1t2", "dir:"+destDir)
+	verifyManifestMIMEType(c, destDir, manifest.DockerV2Schema1SignedMediaType)
+}
+
+// Verify manifest in a dir: image at dir is expectedMIMEType.
+func verifyManifestMIMEType(c *check.C, dir string, expectedMIMEType string) {
+	manifestBlob, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+	c.Assert(err, check.IsNil)
+	mimeType := manifest.GuessMIMEType(manifestBlob)
+	c.Assert(mimeType, check.Equals, expectedMIMEType)
+}

integration/fixtures/image.manifest.json

@@ -0,0 +1,26 @@
+{
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "config": {
+        "mediaType": "application/vnd.docker.container.image.v1+json",
+        "size": 7023,
+        "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
+    },
+    "layers": [
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 32654,
+            "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 16724,
+            "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 73109,
+            "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
+        }
+    ]
+}

integration/fixtures/policy.json

@@ -0,0 +1,105 @@
+{
+    "default": [
+        {
+            "type": "reject"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "localhost:5555": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5000/myns/extension": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "docker.io/openshift": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "dir": {
+            "/@dirpath@": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5000/myns/official"
+                    }
+                }
+            ],
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "atomic": {
+            "localhost:5006/myns/personal": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/official": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/naming:test1": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/naming:naming": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5006/myns/official"
+                    }
+                }
+            ],
+            "localhost:5006/myns/cosigned:cosigned": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5006/myns/official"
+                    }
+                },
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5000/myns/extension": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ]
+        }
+    }
+}

integration/fixtures/registries.yaml

@@ -0,0 +1,6 @@
+docker:
+   localhost:5555:
+        sigstore: file://@sigstore@
+   localhost:5555/public:
+        sigstore-staging: file://@split-staging@
+        sigstore: @split-read@

integration/fixtures/uncompressed-image-s1/manifest.json

@@ -0,0 +1,32 @@
+{
+   "schemaVersion": 1,
+   "name": "nonempty",
+   "tag": "nonempty",
+   "architecture": "amd64",
+   "fsLayers": [
+      {
+         "blobSum": "sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"
+      }
+   ],
+   "history": [
+      {
+         "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"59c20544b2f4\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":null,\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"container\":\"59c20544b2f4ad7a8639433bacb1ec215b7dad4a7bf1a83b5ab4679329a46c1d\",\"container_config\":{\"Hostname\":\"59c20544b2f4\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /\"],\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"created\":\"2016-09-19T18:23:54.9949213Z\",\"docker_version\":\"1.10.3\",\"id\":\"4c224eac5061bb85f523ca4e3316618fd7921a80fe94286979667b1edb8e1bdd\",\"os\":\"linux\"}"
+      }
+   ],
+   "signatures": [
+      {
+         "header": {
+            "jwk": {
+               "crv": "P-256",
+               "kid": "DGWZ:GAUM:WCOC:IMDL:D67M:CEI6:YTVH:M2CM:5HX4:FYDD:77OD:D3F7",
+               "kty": "EC",
+               "x": "eprZNqLO9mHZ4Z4GxefucEgov_1gwEi9lehpJR2suRo",
+               "y": "wIr2ucNg32ROfVCkR_8A5VbBJ-mFmsoIUVa6vt8lIxM"
+            },
+            "alg": "ES256"
+         },
+         "signature": "bvTLWW4YVFRjAanN1EJqwQw60fWSWJPxcGO3UZGFI_gyV6ucGdW4x7jyYL6g06sg925s9cy0wN1lw91CCFv4BA",
+         "protected": "eyJmb3JtYXRMZW5ndGgiOjE0ODcsImZvcm1hdFRhaWwiOiJDbjBLIiwidGltZSI6IjIwMTYtMDktMTlUMTg6NDM6MzNaIn0"
+      }
+   ]
+}

integration/fixtures/uncompressed-image-s2/86ce150e65c72b30f885c261449d18b7c6832596916e7f654e08377b5a67b4ff.tar

@@ -0,0 +1 @@
+{"architecture":"amd64","config":{"Hostname":"59c20544b2f4","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"59c20544b2f4ad7a8639433bacb1ec215b7dad4a7bf1a83b5ab4679329a46c1d","container_config":{"Hostname":"59c20544b2f4","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /"],"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"created":"2016-09-19T18:23:54.9949213Z","docker_version":"1.10.3","history":[{"created":"2016-09-19T18:23:54.9949213Z","created_by":"/bin/sh -c #(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /"}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"]}}

integration/fixtures/uncompressed-image-s2/manifest.json

@@ -0,0 +1,16 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+   "config": {
+      "mediaType": "application/octet-stream",
+      "size": 1272,
+      "digest": "sha256:86ce150e65c72b30f885c261449d18b7c6832596916e7f654e08377b5a67b4ff"
+   },
+   "layers": [
+      {
+         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+         "size": 2048,
+         "digest": "sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"
+      }
+   ]
+}

integration/fixtures_info_test.go

@@ -0,0 +1,6 @@
+package main
+
+const (
+	// TestImageManifestDigest is the Docker manifest digest of "fixtures/image.manifest.json"
+	TestImageManifestDigest = "sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55"
+)

integration/openshift.go

@@ -0,0 +1,252 @@
+package main
+
+import (
+	"bufio"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/go-check/check"
+)
+
+var adminKUBECONFIG = map[string]string{
+	"KUBECONFIG": "openshift.local.config/master/admin.kubeconfig",
+}
+
+// openshiftCluster is an OpenShift API master and integrated registry
+// running on localhost.
+type openshiftCluster struct {
+	workingDir string
+	processes  []*exec.Cmd // Processes to terminate on teardown; append to the end, terminate from end to the start.
+}
+
+// startOpenshiftCluster creates a new openshiftCluster.
+// WARNING: This affects state in users' home directory! Only run
+// in isolated test environment.
+func startOpenshiftCluster(c *check.C) *openshiftCluster {
+	cluster := &openshiftCluster{}
+
+	dir, err := ioutil.TempDir("", "openshift-cluster")
+	c.Assert(err, check.IsNil)
+	cluster.workingDir = dir
+
+	cluster.startMaster(c)
+	cluster.prepareRegistryConfig(c)
+	cluster.startRegistry(c)
+	cluster.ocLoginToProject(c)
+	cluster.dockerLogin(c)
+	cluster.relaxImageSignerPermissions(c)
+
+	return cluster
+}
+
+// clusterCmd creates an exec.Cmd in cluster.workingDir with current environment modified by environment
+func (cluster *openshiftCluster) clusterCmd(env map[string]string, name string, args ...string) *exec.Cmd {
+	cmd := exec.Command(name, args...)
+	cmd.Dir = cluster.workingDir
+	cmd.Env = os.Environ()
+	for key, value := range env {
+		cmd.Env = modifyEnviron(cmd.Env, key, value)
+	}
+	return cmd
+}
+
+// startMaster starts the OpenShift master (etcd+API server) and waits for it to be ready, or terminates on failure.
+func (cluster *openshiftCluster) startMaster(c *check.C) {
+	cmd := cluster.clusterCmd(nil, "openshift", "start", "master")
+	cluster.processes = append(cluster.processes, cmd)
+	stdout, err := cmd.StdoutPipe()
+	// Send both to the same pipe. This might cause the two streams to be mixed up,
+	// but logging actually goes only to stderr - this primarily ensure we log any
+	// unexpected output to stdout.
+	cmd.Stderr = cmd.Stdout
+	err = cmd.Start()
+	c.Assert(err, check.IsNil)
+
+	portOpen, terminatePortCheck := newPortChecker(c, 8443)
+	defer func() {
+		c.Logf("Terminating port check")
+		terminatePortCheck <- true
+	}()
+
+	terminateLogCheck := make(chan bool, 1)
+	logCheckFound := make(chan bool)
+	go func() {
+		defer func() {
+			c.Logf("Log checker exiting")
+		}()
+		scanner := bufio.NewScanner(stdout)
+		for scanner.Scan() {
+			line := scanner.Text()
+			c.Logf("Log line: %s", line)
+			if strings.Contains(line, "Started Origin Controllers") {
+				logCheckFound <- true
+				return
+				// FIXME? We stop reading from stdout; could this block the master?
+			}
+			// Note: we can block before we get here.
+			select {
+			case <-terminateLogCheck:
+				c.Logf("terminated")
+				return
+			default:
+				// Do not block here and read the next line.
+			}
+		}
+		logCheckFound <- false
+	}()
+	defer func() {
+		c.Logf("Terminating log check")
+		terminateLogCheck <- true
+	}()
+
+	gotPortCheck := false
+	gotLogCheck := false
+	for !gotPortCheck || !gotLogCheck {
+		c.Logf("Waiting for master")
+		select {
+		case <-portOpen:
+			c.Logf("port check done")
+			gotPortCheck = true
+		case found := <-logCheckFound:
+			c.Logf("log check done, found: %t", found)
+			if !found {
+				c.Fatal("log check done, success message not found")
+			}
+			gotLogCheck = true
+		}
+	}
+	c.Logf("OK, master started!")
+}
+
+// prepareRegistryConfig creates a registry service account and a related k8s client configuration in ${cluster.workingDir}/openshift.local.registry.
+func (cluster *openshiftCluster) prepareRegistryConfig(c *check.C) {
+	// This partially mimics the objects created by (oadm registry), except that we run the
+	// server directly as an ordinary process instead of a pod with an implicitly attached service account.
+	saJSON := `{
+		"apiVersion": "v1",
+		"kind": "ServiceAccount",
+		"metadata": {
+			"name": "registry"
+		}
+	}`
+	cmd := cluster.clusterCmd(adminKUBECONFIG, "oc", "create", "-f", "-")
+	runExecCmdWithInput(c, cmd, saJSON)
+
+	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-user", "system:registry", "-z", "registry")
+	out, err := cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.Assert(string(out), check.Equals, "cluster role \"system:registry\" added: \"registry\"\n")
+
+	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "create-api-client-config", "--client-dir=openshift.local.registry", "--basename=openshift-registry", "--user=system:serviceaccount:default:registry")
+	out, err = cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.Assert(string(out), check.Equals, "")
+}
+
+// startRegistry starts the OpenShift registry with configPart on port, waits for it to be ready, and returns the process object, or terminates on failure.
+func (cluster *openshiftCluster) startRegistryProcess(c *check.C, port int, configPath string) *exec.Cmd {
+	cmd := cluster.clusterCmd(map[string]string{
+		"KUBECONFIG":          "openshift.local.registry/openshift-registry.kubeconfig",
+		"DOCKER_REGISTRY_URL": fmt.Sprintf("127.0.0.1:%d", port),
+	}, "dockerregistry", configPath)
+	consumeAndLogOutputs(c, fmt.Sprintf("registry-%d", port), cmd)
+	err := cmd.Start()
+	c.Assert(err, check.IsNil)
+
+	portOpen, terminatePortCheck := newPortChecker(c, port)
+	defer func() {
+		terminatePortCheck <- true
+	}()
+	c.Logf("Waiting for registry to start")
+	<-portOpen
+	c.Logf("OK, Registry port open")
+
+	return cmd
+}
+
+// startRegistry starts the OpenShift registry and waits for it to be ready, or terminates on failure.
+func (cluster *openshiftCluster) startRegistry(c *check.C) {
+	// Our “primary” registry
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5000, "/atomic-registry-config.yml"))
+
+	// A registry configured with acceptschema2:false
+	schema1Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+		"addr: :5000":              "addr: :5005",
+		"rootdirectory: /registry": "rootdirectory: /registry-schema1",
+		// The default configuration currently already contains acceptschema2: false
+	})
+	// Make sure the configuration contains "acceptschema2: false", because eventually it will be enabled upstream and this function will need to be updated.
+	configContents, err := ioutil.ReadFile(schema1Config)
+	c.Assert(err, check.IsNil)
+	c.Assert(string(configContents), check.Matches, "(?s).*acceptschema2: false.*")
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5005, schema1Config))
+
+	// A registry configured with acceptschema2:true
+	schema2Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+		"addr: :5000":              "addr: :5006",
+		"rootdirectory: /registry": "rootdirectory: /registry-schema2",
+		"acceptschema2: false":     "acceptschema2: true",
+	})
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5006, schema2Config))
+}
+
+// ocLogin runs (oc login) and (oc new-project) on the cluster, or terminates on failure.
+func (cluster *openshiftCluster) ocLoginToProject(c *check.C) {
+	c.Logf("oc login")
+	cmd := cluster.clusterCmd(nil, "oc", "login", "--certificate-authority=openshift.local.config/master/ca.crt", "-u", "myuser", "-p", "mypw", "https://localhost:8443")
+	out, err := cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	c.Assert(string(out), check.Matches, "(?s).*Login successful.*") // (?s) : '.' will also match newlines
+
+	outString := combinedOutputOfCommand(c, "oc", "new-project", "myns")
+	c.Assert(outString, check.Matches, `(?s).*Now using project "myns".*`) // (?s) : '.' will also match newlines
+}
+
+// dockerLogin simulates (docker login) to the cluster, or terminates on failure.
+// We do not run (docker login) directly, because that requires a running daemon and a docker package.
+func (cluster *openshiftCluster) dockerLogin(c *check.C) {
+	dockerDir := filepath.Join(homedir.Get(), ".docker")
+	err := os.Mkdir(dockerDir, 0700)
+	c.Assert(err, check.IsNil)
+
+	out := combinedOutputOfCommand(c, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
+	c.Logf("oc config value: %s", out)
+	authValue := base64.StdEncoding.EncodeToString([]byte("unused:" + out))
+	auths := []string{}
+	for _, port := range []int{5000, 5005, 5006} {
+		auths = append(auths, fmt.Sprintf(`"localhost:%d": {
+				"auth": "%s",
+				"email": "unused"
+			}`, port, authValue))
+	}
+	configJSON := `{"auths": {` + strings.Join(auths, ",") + `}}`
+	err = ioutil.WriteFile(filepath.Join(dockerDir, "config.json"), []byte(configJSON), 0600)
+	c.Assert(err, check.IsNil)
+}
+
+// relaxImageSignerPermissions opens up the system:image-signer permissions so that
+// anyone can work with signatures
+// FIXME: This also allows anyone to DoS anyone else; this design is really not all
+// that workable, but it is the best we can do for now.
+func (cluster *openshiftCluster) relaxImageSignerPermissions(c *check.C) {
+	cmd := cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-group", "system:image-signer", "system:authenticated")
+	out, err := cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.Assert(string(out), check.Equals, "cluster role \"system:image-signer\" added: \"system:authenticated\"\n")
+}
+
+// tearDown stops the cluster services and deletes (only some!) of the state.
+func (cluster *openshiftCluster) tearDown(c *check.C) {
+	for i := len(cluster.processes) - 1; i >= 0; i-- {
+		cluster.processes[i].Process.Kill()
+	}
+	if cluster.workingDir != "" {
+		os.RemoveAll(cluster.workingDir)
+	}
+}

integration/openshift_shell_test.go

@@ -0,0 +1,40 @@
+// +build openshift_shell
+
+package main
+
+import (
+	"os"
+	"os/exec"
+
+	"github.com/go-check/check"
+)
+
+/*
+TestRunShell is not really a test; it is a convenient way to use the registry setup code
+in openshift.go and CopySuite to get an interactive environment for experimentation.
+
+To use it, run:
+	sudo make shell
+to start a container, then within the container:
+	SKOPEO_CONTAINER_TESTS=1 PS1='nested> ' go test -tags openshift_shell -timeout=24h ./integration -v -check.v -check.vv -check.f='CopySuite.TestRunShell'
+
+An example of what can be done within the container:
+	cd ..; make binary-local install
+	./skopeo --tls-verify=false  copy --sign-by=personal@example.com docker://busybox:latest atomic:localhost:5000/myns/personal:personal
+	oc get istag personal:personal -o json
+	curl -L -v 'http://localhost:5000/v2/'
+	cat ~/.docker/config.json
+	curl -L -v 'http://localhost:5000/openshift/token&scope=repository:myns/personal:pull' --header 'Authorization: Basic $auth_from_docker'
+	curl -L -v 'http://localhost:5000/v2/myns/personal/manifests/personal' --header 'Authorization: Bearer $token_from_oauth'
+	curl -L -v 'http://localhost:5000/extensions/v2/myns/personal/signatures/$manifest_digest' --header 'Authorization: Bearer $token_from_oauth'
+*/
+func (s *CopySuite) TestRunShell(c *check.C) {
+	cmd := exec.Command("bash", "-i")
+	tty, err := os.OpenFile("/dev/tty", os.O_RDWR, 0)
+	c.Assert(err, check.IsNil)
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+	err = cmd.Run()
+	c.Assert(err, check.IsNil)
+}

integration/registry.go

@@ -67,6 +67,8 @@ loglevel: debug
 storage:
     filesystem:
         rootdirectory: %s
+    delete:
+        enabled: true
 http:
     addr: %s
 %s`
@@ -107,6 +109,7 @@ http:
 	}
 
 	cmd := exec.Command(binary, confPath)
+	consumeAndLogOutputs(c, fmt.Sprintf("registry-%s", url), cmd)
 	if err := cmd.Start(); err != nil {
 		os.RemoveAll(tmp)
 		if os.IsNotExist(err) {

integration/signing_test.go

@@ -0,0 +1,85 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"strings"
+
+	"github.com/containers/image/signature"
+	"github.com/go-check/check"
+)
+
+const (
+	gpgBinary = "gpg"
+)
+
+func init() {
+	check.Suite(&SigningSuite{})
+}
+
+type SigningSuite struct {
+	gpgHome     string
+	fingerprint string
+}
+
+func findFingerprint(lineBytes []byte) (string, error) {
+	lines := string(lineBytes)
+	for _, line := range strings.Split(lines, "\n") {
+		fields := strings.Split(line, ":")
+		if len(fields) >= 10 && fields[0] == "fpr" {
+			return fields[9], nil
+		}
+	}
+	return "", errors.New("No fingerprint found")
+}
+
+func (s *SigningSuite) SetUpTest(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
+	_, err = exec.LookPath(skopeoBinary)
+	c.Assert(err, check.IsNil)
+
+	s.gpgHome, err = ioutil.TempDir("", "skopeo-gpg")
+	c.Assert(err, check.IsNil)
+	os.Setenv("GNUPGHOME", s.gpgHome)
+
+	runCommandWithInput(c, "Key-Type: RSA\nName-Real: Testing user\n%commit\n", gpgBinary, "--homedir", s.gpgHome, "--batch", "--gen-key")
+
+	lines, err := exec.Command(gpgBinary, "--homedir", s.gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
+	c.Assert(err, check.IsNil)
+	s.fingerprint, err = findFingerprint(lines)
+	c.Assert(err, check.IsNil)
+}
+
+func (s *SigningSuite) TearDownTest(c *check.C) {
+	if s.gpgHome != "" {
+		err := os.RemoveAll(s.gpgHome)
+		c.Assert(err, check.IsNil)
+	}
+	s.gpgHome = ""
+
+	os.Unsetenv("GNUPGHOME")
+}
+
+func (s *SigningSuite) TestSignVerifySmoke(c *check.C) {
+	manifestPath := "fixtures/image.manifest.json"
+	dockerReference := "testing/smoketest"
+
+	sigOutput, err := ioutil.TempFile("", "sig")
+	c.Assert(err, check.IsNil)
+	defer os.Remove(sigOutput.Name())
+	assertSkopeoSucceeds(c, "^$", "standalone-sign", "-o", sigOutput.Name(),
+		manifestPath, dockerReference, s.fingerprint)
+
+	expected := fmt.Sprintf("^Signature verified, digest %s\n$", TestImageManifestDigest)
+	assertSkopeoSucceeds(c, expected, "standalone-verify", manifestPath,
+		dockerReference, s.fingerprint, sigOutput.Name())
+}

integration/utils.go

@@ -0,0 +1,176 @@
+package main
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"net"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/go-check/check"
+)
+
+const skopeoBinary = "skopeo"
+
+// consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to c.
+func consumeAndLogOutputStream(c *check.C, id string, f io.ReadCloser, err error) {
+	c.Assert(err, check.IsNil)
+	go func() {
+		defer func() {
+			f.Close()
+			c.Logf("Output %s: Closed", id)
+		}()
+		buf := make([]byte, 1024)
+		for {
+			c.Logf("Output %s: waiting", id)
+			n, err := f.Read(buf)
+			c.Logf("Output %s: got %d,%#v: %s", id, n, err, strings.TrimSuffix(string(buf[:n]), "\n"))
+			if n <= 0 {
+				break
+			}
+		}
+	}()
+}
+
+// consumeAndLogOutputs causes all output to stdout and stderr from an *exec.Cmd to be logged to c
+func consumeAndLogOutputs(c *check.C, id string, cmd *exec.Cmd) {
+	stdout, err := cmd.StdoutPipe()
+	consumeAndLogOutputStream(c, id+" stdout", stdout, err)
+	stderr, err := cmd.StderrPipe()
+	consumeAndLogOutputStream(c, id+" stderr", stderr, err)
+}
+
+// combinedOutputOfCommand runs a command as if exec.Command().CombinedOutput(), verifies that the exit status is 0, and returns the output,
+// or terminates c on failure.
+func combinedOutputOfCommand(c *check.C, name string, args ...string) string {
+	c.Logf("Running %s %s", name, strings.Join(args, " "))
+	out, err := exec.Command(name, args...).CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	return string(out)
+}
+
+// assertSkopeoSucceeds runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
+// and optionally that the output matches a multi-line regexp if it is nonempty;
+// or terminates c on failure
+func assertSkopeoSucceeds(c *check.C, regexp string, args ...string) {
+	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	if regexp != "" {
+		c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+	}
+}
+
+// assertSkopeoFails runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
+// and that the output matches a multi-line regexp;
+// or terminates c on failure
+func assertSkopeoFails(c *check.C, regexp string, args ...string) {
+	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
+	c.Assert(err, check.NotNil, check.Commentf("%s", out))
+	c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+}
+
+// runCommandWithInput runs a command as if exec.Command(), sending it the input to stdin,
+// and verifies that the exit status is 0, or terminates c on failure.
+func runCommandWithInput(c *check.C, input string, name string, args ...string) {
+	cmd := exec.Command(name, args...)
+	runExecCmdWithInput(c, cmd, input)
+}
+
+// runExecCmdWithInput runs an exec.Cmd, sending it the input to stdin,
+// and verifies that the exit status is 0, or terminates c on failure.
+func runExecCmdWithInput(c *check.C, cmd *exec.Cmd, input string) {
+	c.Logf("Running %s %s", cmd.Path, strings.Join(cmd.Args, " "))
+	consumeAndLogOutputs(c, cmd.Path+" "+strings.Join(cmd.Args, " "), cmd)
+	stdin, err := cmd.StdinPipe()
+	c.Assert(err, check.IsNil)
+	err = cmd.Start()
+	c.Assert(err, check.IsNil)
+	_, err = stdin.Write([]byte(input))
+	c.Assert(err, check.IsNil)
+	err = stdin.Close()
+	c.Assert(err, check.IsNil)
+	err = cmd.Wait()
+	c.Assert(err, check.IsNil)
+}
+
+// isPortOpen returns true iff the specified port on localhost is open.
+func isPortOpen(port int) bool {
+	conn, err := net.DialTCP("tcp", nil, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: port})
+	if err != nil {
+		return false
+	}
+	conn.Close()
+	return true
+}
+
+// newPortChecker sets up a portOpen channel which will receive true after the specified port is open.
+// The checking can be aborted by sending a value to the terminate channel, which the caller should
+// always do using
+// defer func() {terminate <- true}()
+func newPortChecker(c *check.C, port int) (portOpen <-chan bool, terminate chan<- bool) {
+	portOpenBidi := make(chan bool)
+	// Buffered, so that sending a terminate request after the goroutine has exited does not block.
+	terminateBidi := make(chan bool, 1)
+
+	go func() {
+		defer func() {
+			c.Logf("Port checker for port %d exiting", port)
+		}()
+		for {
+			c.Logf("Checking for port %d...", port)
+			if isPortOpen(port) {
+				c.Logf("Port %d open", port)
+				portOpenBidi <- true
+				return
+			}
+			c.Logf("Sleeping for port %d", port)
+			sleepChan := time.After(100 * time.Millisecond)
+			select {
+			case <-sleepChan: // Try again
+				c.Logf("Sleeping for port %d done, will retry", port)
+			case <-terminateBidi:
+				c.Logf("Check for port %d terminated", port)
+				return
+			}
+		}
+	}()
+	return portOpenBidi, terminateBidi
+}
+
+// modifyEnviron modifies os.Environ()-like list of name=value assignments to set name to value.
+func modifyEnviron(env []string, name, value string) []string {
+	prefix := name + "="
+	res := []string{}
+	for _, e := range env {
+		if !strings.HasPrefix(e, prefix) {
+			res = append(res, e)
+		}
+	}
+	return append(res, prefix+value)
+}
+
+// fileFromFixtureFixture applies edits to inputPath and returns a path to the temporary file.
+// Callers should defer os.Remove(the_returned_path)
+func fileFromFixture(c *check.C, inputPath string, edits map[string]string) string {
+	contents, err := ioutil.ReadFile(inputPath)
+	c.Assert(err, check.IsNil)
+	for template, value := range edits {
+		updated := bytes.Replace(contents, []byte(template), []byte(value), -1)
+		c.Assert(bytes.Equal(updated, contents), check.Equals, false, check.Commentf("Replacing %s in %#v failed", template, string(contents))) // Verify that the template has matched something and we are not silently ignoring it.
+		contents = updated
+	}
+
+	file, err := ioutil.TempFile("", "policy.json")
+	c.Assert(err, check.IsNil)
+	path := file.Name()
+
+	_, err = file.Write(contents)
+	c.Assert(err, check.IsNil)
+	err = file.Close()
+	c.Assert(err, check.IsNil)
+	return path
+}

main.go

@@ -1,66 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
-	"github.com/docker/docker/cliconfig"
-)
-
-const (
-	version = "0.1.10-dev"
-	usage   = "inspect images on a registry"
-)
-
-var inspectCmd = func(c *cli.Context) {
-	imgInspect, err := inspect(c)
-	if err != nil {
-		logrus.Fatal(err)
-	}
-	out, err := json.Marshal(imgInspect)
-	if err != nil {
-		logrus.Fatal(err)
-	}
-	fmt.Println(string(out))
-}
-
-func main() {
-	app := cli.NewApp()
-	app.Name = "skopeo"
-	app.Version = version
-	app.Usage = usage
-	app.Flags = []cli.Flag{
-		cli.BoolFlag{
-			Name:  "debug",
-			Usage: "enable debug output",
-		},
-		cli.StringFlag{
-			Name:  "username",
-			Value: "",
-			Usage: "registry username",
-		},
-		cli.StringFlag{
-			Name:  "password",
-			Value: "",
-			Usage: "registry password",
-		},
-		cli.StringFlag{
-			Name:  "docker-cfg",
-			Value: cliconfig.ConfigDir(),
-			Usage: "Docker's cli config for auth",
-		},
-	}
-	app.Before = func(c *cli.Context) error {
-		if c.GlobalBool("debug") {
-			logrus.SetLevel(logrus.DebugLevel)
-		}
-		return nil
-	}
-	app.Action = inspectCmd
-	if err := app.Run(os.Args); err != nil {
-		logrus.Fatal(err)
-	}
-}

man/skopeo.1.md

@@ -1,14 +0,0 @@
-% SKOPEO(1)
-% Antonio Murdaca
-% JANUARY 2016
-# NAME
-skopeo - Inspect Docker images and repositories on registries
-
-# SYNOPSIS
-
-# DESCRIPTION
-
-# ARGUMENTS
-
-# AUTHORS
-Antonio Murdaca <runcom@redhat.com>

types/types.go

@@ -1,19 +0,0 @@
-package types
-
-import (
-	containerTypes "github.com/docker/engine-api/types/container"
-)
-
-type ImageInspect struct {
-	Tag             string
-	Digest          string
-	RepoTags        []string
-	Comment         string
-	Created         string
-	ContainerConfig *containerTypes.Config
-	DockerVersion   string
-	Author          string
-	Config          *containerTypes.Config
-	Architecture    string
-	Os              string
-}

vendor.conf

@@ -0,0 +1,45 @@
+github.com/urfave/cli v1.17.0
+github.com/containers/image master
+github.com/opencontainers/go-digest master
+gopkg.in/cheggaaa/pb.v1 ad4efe000aa550bb54918c06ebbadc0ff17687b9 https://github.com/cheggaaa/pb
+github.com/containers/storage master
+github.com/Sirupsen/logrus v0.10.0
+github.com/go-check/check v1
+github.com/stretchr/testify v1.1.3
+github.com/davecgh/go-spew master
+github.com/pmezard/go-difflib master
+github.com/pkg/errors master
+golang.org/x/crypto master
+# docker deps from https://github.com/docker/docker/blob/v1.11.2/hack/vendor.sh
+github.com/docker/docker v1.13.0
+github.com/docker/go-connections 4ccf312bf1d35e5dbda654e57a9be4c3f3cd0366
+github.com/vbatts/tar-split v0.10.1
+github.com/gorilla/context 14f550f51a
+github.com/gorilla/mux e444e69cbd
+github.com/docker/go-units 8a7beacffa3009a9ac66bad506b18ffdd110cf97
+golang.org/x/net master
+# end docker deps
+golang.org/x/text master
+github.com/docker/distribution master
+github.com/docker/libtrust master
+github.com/opencontainers/runc master
+github.com/opencontainers/image-spec v1.0.0-rc5
+# -- start OCI image validation requirements.
+github.com/opencontainers/runtime-spec v1.0.0-rc4
+github.com/opencontainers/image-tools v0.1.0
+github.com/xeipuuv/gojsonschema master
+github.com/xeipuuv/gojsonreference master
+github.com/xeipuuv/gojsonpointer master
+go4.org master https://github.com/camlistore/go4
+# -- end OCI image validation requirements
+github.com/mtrmac/gpgme master
+# openshift/origin' k8s dependencies as of OpenShift v1.1.5
+github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed
+k8s.io/client-go master
+github.com/ghodss/yaml 73d445a93680fa1a78ae23a5839bad48f32ba1ee
+gopkg.in/yaml.v2 d466437aa4adc35830964cffc5b5f262c63ddcb4
+github.com/imdario/mergo 6633656539c1639d9d78127b7d47c622b5d7b6dc
+# containers/storage's dependencies that aren't already being pulled in
+github.com/mistifyio/go-zfs 22c9b32c84eb0d0c6f4043b6e90fc94073de92fa
+github.com/pborman/uuid v1.0
+github.com/opencontainers/selinux master

vendor/github.com/Sirupsen/logrus/.gitignore

@@ -1 +0,0 @@
-logrus

vendor/github.com/Sirupsen/logrus/.travis.yml

@@ -1,8 +0,0 @@
-language: go
-go:
-  - 1.2
-  - 1.3
-  - 1.4
-  - tip
-install:
-  - go get -t ./...

vendor/github.com/Sirupsen/logrus/CHANGELOG.md

@@ -1,47 +0,0 @@
-# 0.8.7
-
-* logrus/core: fix possible race (#216)
-* logrus/doc: small typo fixes and doc improvements
-
-
-# 0.8.6
-
-* hooks/raven: allow passing an initialized client
-
-# 0.8.5
-
-* logrus/core: revert #208
-
-# 0.8.4
-
-* formatter/text: fix data race (#218)
-
-# 0.8.3
-
-* logrus/core: fix entry log level (#208)
-* logrus/core: improve performance of text formatter by 40%
-* logrus/core: expose `LevelHooks` type
-* logrus/core: add support for DragonflyBSD and NetBSD
-* formatter/text: print structs more verbosely
-
-# 0.8.2
-
-* logrus: fix more Fatal family functions
-
-# 0.8.1
-
-* logrus: fix not exiting on `Fatalf` and `Fatalln`
-
-# 0.8.0
-
-* logrus: defaults to stderr instead of stdout
-* hooks/sentry: add special field for `*http.Request`
-* formatter/text: ignore Windows for colors
-
-# 0.7.3
-
-* formatter/\*: allow configuration of timestamp layout
-
-# 0.7.2
-
-* formatter/text: Add configuration option for time format (#158)

vendor/github.com/Sirupsen/logrus/README.md

@@ -1,4 +1,4 @@
-# Logrus <img src="http://i.imgur.com/hTeVwmJ.png" width="40" height="40" alt=":walrus:" class="emoji" title=":walrus:"/>&nbsp;[![Build Status](https://travis-ci.org/Sirupsen/logrus.svg?branch=master)](https://travis-ci.org/Sirupsen/logrus)&nbsp;[![godoc reference](https://godoc.org/github.com/Sirupsen/logrus?status.png)][godoc]
+# Logrus <img src="http://i.imgur.com/hTeVwmJ.png" width="40" height="40" alt=":walrus:" class="emoji" title=":walrus:"/>&nbsp;[![Build Status](https://travis-ci.org/Sirupsen/logrus.svg?branch=master)](https://travis-ci.org/Sirupsen/logrus)&nbsp;[![GoDoc](https://godoc.org/github.com/Sirupsen/logrus?status.svg)](https://godoc.org/github.com/Sirupsen/logrus)
 
 Logrus is a structured logger for Go (golang), completely API compatible with
 the standard library logger. [Godoc][godoc]. **Please note the Logrus API is not
@@ -12,7 +12,7 @@ plain text):
 
 ![Colored](http://i.imgur.com/PY7qMwd.png)
 
-With `log.Formatter = new(logrus.JSONFormatter)`, for easy parsing by logstash
+With `log.SetFormatter(&log.JSONFormatter{})`, for easy parsing by logstash
 or Splunk:
 
 ```json
@@ -32,7 +32,7 @@ ocean","size":10,"time":"2014-03-10 19:57:38.562264131 -0400 EDT"}
 "time":"2014-03-10 19:57:38.562543128 -0400 EDT"}
 ```
 
-With the default `log.Formatter = new(&log.TextFormatter{})` when a TTY is not
+With the default `log.SetFormatter(&log.TextFormatter{})` when a TTY is not
 attached, the output is compatible with the
 [logfmt](http://godoc.org/github.com/kr/logfmt) format:
 
@@ -75,17 +75,12 @@ package main
 import (
   "os"
   log "github.com/Sirupsen/logrus"
-  "github.com/Sirupsen/logrus/hooks/airbrake"
 )
 
 func init() {
   // Log as JSON instead of the default ASCII formatter.
   log.SetFormatter(&log.JSONFormatter{})
 
-  // Use the Airbrake hook to report errors that have Error severity or above to
-  // an exception tracker. You can create custom hooks, see the Hooks section.
-  log.AddHook(airbrake.NewHook("https://example.com", "xyz", "development"))
-
   // Output to stderr instead of stdout, could also be a file.
   log.SetOutput(os.Stderr)
 
@@ -182,13 +177,16 @@ Logrus comes with [built-in hooks](hooks/). Add those, or your custom hook, in
 ```go
 import (
   log "github.com/Sirupsen/logrus"
-  "github.com/Sirupsen/logrus/hooks/airbrake"
+  "gopkg.in/gemnasium/logrus-airbrake-hook.v2" // the package is named "aibrake"
   logrus_syslog "github.com/Sirupsen/logrus/hooks/syslog"
   "log/syslog"
 )
 
 func init() {
-  log.AddHook(airbrake.NewHook("https://example.com", "xyz", "development"))
+
+  // Use the Airbrake hook to report errors that have Error severity or above to
+  // an exception tracker. You can create custom hooks, see the Hooks section.
+  log.AddHook(airbrake.NewHook(123, "xyz", "production"))
 
   hook, err := logrus_syslog.NewSyslogHook("udp", "localhost:514", syslog.LOG_INFO, "")
   if err != nil {
@@ -198,20 +196,21 @@ func init() {
   }
 }
 ```
-
+Note: Syslog hook also support connecting to local syslog (Ex. "/dev/log" or "/var/run/syslog" or "/var/run/log"). For the detail, please check the [syslog hook README](hooks/syslog/README.md).
 
 | Hook  | Description |
 | ----- | ----------- |
-| [Airbrake](https://github.com/Sirupsen/logrus/blob/master/hooks/airbrake/airbrake.go) | Send errors to an exception tracking service compatible with the Airbrake API. Uses [`airbrake-go`](https://github.com/tobi/airbrake-go) behind the scenes. |
-| [Papertrail](https://github.com/Sirupsen/logrus/blob/master/hooks/papertrail/papertrail.go) | Send errors to the Papertrail hosted logging service via UDP. |
+| [Airbrake](https://github.com/gemnasium/logrus-airbrake-hook) | Send errors to the Airbrake API V3. Uses the official [`gobrake`](https://github.com/airbrake/gobrake) behind the scenes. |
+| [Airbrake "legacy"](https://github.com/gemnasium/logrus-airbrake-legacy-hook) | Send errors to an exception tracking service compatible with the Airbrake API V2. Uses [`airbrake-go`](https://github.com/tobi/airbrake-go) behind the scenes. |
+| [Papertrail](https://github.com/polds/logrus-papertrail-hook) | Send errors to the [Papertrail](https://papertrailapp.com) hosted logging service via UDP. |
 | [Syslog](https://github.com/Sirupsen/logrus/blob/master/hooks/syslog/syslog.go) | Send errors to remote syslog server. Uses standard library `log/syslog` behind the scenes. |
-| [BugSnag](https://github.com/Sirupsen/logrus/blob/master/hooks/bugsnag/bugsnag.go) | Send errors to the Bugsnag exception tracking service. |
-| [Sentry](https://github.com/Sirupsen/logrus/blob/master/hooks/sentry/sentry.go) | Send errors to the Sentry error logging and aggregation service. |
+| [Bugsnag](https://github.com/Shopify/logrus-bugsnag/blob/master/bugsnag.go) | Send errors to the Bugsnag exception tracking service. |
+| [Sentry](https://github.com/evalphobia/logrus_sentry) | Send errors to the Sentry error logging and aggregation service. |
 | [Hiprus](https://github.com/nubo/hiprus) | Send errors to a channel in hipchat. |
 | [Logrusly](https://github.com/sebest/logrusly) | Send logs to [Loggly](https://www.loggly.com/) |
 | [Slackrus](https://github.com/johntdyer/slackrus) | Hook for Slack chat. |
 | [Journalhook](https://github.com/wercker/journalhook) | Hook for logging to `systemd-journald` |
-| [Graylog](https://github.com/gemnasium/logrus-hooks/tree/master/graylog) | Hook for logging to [Graylog](http://graylog2.org/) |
+| [Graylog](https://github.com/gemnasium/logrus-graylog-hook) | Hook for logging to [Graylog](http://graylog2.org/) |
 | [Raygun](https://github.com/squirkle/logrus-raygun-hook) | Hook for logging to [Raygun.io](http://raygun.io/) |
 | [LFShook](https://github.com/rifflock/lfshook) | Hook for logging to the local filesystem |
 | [Honeybadger](https://github.com/agonzalezro/logrus_honeybadger) | Hook for sending exceptions to Honeybadger |
@@ -219,6 +218,15 @@ func init() {
 | [Rollrus](https://github.com/heroku/rollrus) | Hook for sending errors to rollbar |
 | [Fluentd](https://github.com/evalphobia/logrus_fluent) | Hook for logging to fluentd |
 | [Mongodb](https://github.com/weekface/mgorus) | Hook for logging to mongodb |
+| [InfluxDB](https://github.com/Abramovic/logrus_influxdb) | Hook for logging to influxdb |
+| [Octokit](https://github.com/dorajistyle/logrus-octokit-hook) | Hook for logging to github via octokit |
+| [DeferPanic](https://github.com/deferpanic/dp-logrus) | Hook for logging to DeferPanic |
+| [Redis-Hook](https://github.com/rogierlommers/logrus-redis-hook) | Hook for logging to a ELK stack (through Redis) |
+| [Amqp-Hook](https://github.com/vladoatanasov/logrus_amqp) | Hook for logging to Amqp broker (Like RabbitMQ) |
+| [KafkaLogrus](https://github.com/goibibo/KafkaLogrus) | Hook for logging to kafka |
+| [Typetalk](https://github.com/dragon3/logrus-typetalk-hook) | Hook for logging to [Typetalk](https://www.typetalk.in/) |
+| [ElasticSearch](https://github.com/sohlich/elogrus) | Hook for logging to ElasticSearch|
+
 
 #### Level logging
 
@@ -296,15 +304,16 @@ The built-in logging formatters are:
     field to `true`.  To force no colored output even if there is a TTY  set the
     `DisableColors` field to `true`
 * `logrus.JSONFormatter`. Logs fields as JSON.
-* `logrus_logstash.LogstashFormatter`. Logs fields as Logstash Events (http://logstash.net).
+* `logrus/formatters/logstash.LogstashFormatter`. Logs fields as [Logstash](http://logstash.net) Events.
 
     ```go
-      logrus.SetFormatter(&logrus_logstash.LogstashFormatter{Type: “application_name"})
+      logrus.SetFormatter(&logstash.LogstashFormatter{Type: "application_name"})
     ```
 
 Third party logging formatters:
 
-* [`zalgo`](https://github.com/aybabtme/logzalgo): invoking the P͉̫o̳̼̊w̖͈̰͎e̬͔̭͂r͚̼̹̲ ̫͓͉̳͈ō̠͕͖̚f̝͍̠ ͕̲̞͖͑Z̖̫̤̫ͪa͉̬͈̗l͖͎g̳̥o̰̥̅!̣͔̲̻͊̄ ̙̘̦̹̦.
+* [`prefixed`](https://github.com/x-cray/logrus-prefixed-formatter). Displays log entry source along with alternative layout.
+* [`zalgo`](https://github.com/aybabtme/logzalgo). Invoking the P͉̫o̳̼̊w̖͈̰͎e̬͔̭͂r͚̼̹̲ ̫͓͉̳͈ō̠͕͖̚f̝͍̠ ͕̲̞͖͑Z̖̫̤̫ͪa͉̬͈̗l͖͎g̳̥o̰̥̅!̣͔̲̻͊̄ ̙̘̦̹̦.
 
 You can define your formatter by implementing the `Formatter` interface,
 requiring a `Format` method. `Format` takes an `*Entry`. `entry.Data` is a
@@ -353,5 +362,27 @@ Log rotation is not provided with Logrus. Log rotation should be done by an
 external program (like `logrotate(8)`) that can compress and delete old log
 entries. It should not be a feature of the application-level logger.
 
+#### Tools
 
-[godoc]: https://godoc.org/github.com/Sirupsen/logrus
+| Tool | Description |
+| ---- | ----------- |
+|[Logrus Mate](https://github.com/gogap/logrus_mate)|Logrus mate is a tool for Logrus to manage loggers, you can initial logger's level, hook and formatter by config file, the logger will generated with different config at different environment.|
+
+#### Testing
+
+Logrus has a built in facility for asserting the presence of log messages. This is implemented through the `test` hook and provides:
+
+* decorators for existing logger (`test.NewLocal` and `test.NewGlobal`) which basically just add the `test` hook
+* a test logger (`test.NewNullLogger`) that just records log messages (and does not output any):
+
+```go
+logger, hook := NewNullLogger()
+logger.Error("Hello error")
+
+assert.Equal(1, len(hook.Entries))
+assert.Equal(logrus.ErrorLevel, hook.LastEntry().Level)
+assert.Equal("Hello error", hook.LastEntry().Message)
+
+hook.Reset()
+assert.Nil(hook.LastEntry())
+```

vendor/github.com/Sirupsen/logrus/entry.go

@@ -68,7 +68,7 @@ func (entry *Entry) WithField(key string, value interface{}) *Entry {
 
 // Add a map of fields to the Entry.
 func (entry *Entry) WithFields(fields Fields) *Entry {
-	data := Fields{}
+	data := make(Fields, len(entry.Data)+len(fields))
 	for k, v := range entry.Data {
 		data[k] = v
 	}

vendor/github.com/Sirupsen/logrus/logger.go

@@ -64,6 +64,12 @@ func (logger *Logger) WithFields(fields Fields) *Entry {
 	return NewEntry(logger).WithFields(fields)
 }
 
+// Add an error as single field to the log entry.  All it does is call
+// `WithError` for the given `error`.
+func (logger *Logger) WithError(err error) *Entry {
+	return NewEntry(logger).WithError(err)
+}
+
 func (logger *Logger) Debugf(format string, args ...interface{}) {
 	if logger.Level >= DebugLevel {
 		NewEntry(logger).Debugf(format, args...)

vendor/github.com/Sirupsen/logrus/logrus.go

@@ -3,6 +3,7 @@ package logrus
 import (
 	"fmt"
 	"log"
+	"strings"
 )
 
 // Fields type, used to pass to `WithFields`.
@@ -33,7 +34,7 @@ func (level Level) String() string {
 
 // ParseLevel takes a string level and returns the Logrus log level constant.
 func ParseLevel(lvl string) (Level, error) {
-	switch lvl {
+	switch strings.ToLower(lvl) {
 	case "panic":
 		return PanicLevel, nil
 	case "fatal":
@@ -52,6 +53,16 @@ func ParseLevel(lvl string) (Level, error) {
 	return l, fmt.Errorf("not a valid logrus Level: %q", lvl)
 }
 
+// A constant exposing all logging levels
+var AllLevels = []Level{
+	PanicLevel,
+	FatalLevel,
+	ErrorLevel,
+	WarnLevel,
+	InfoLevel,
+	DebugLevel,
+}
+
 // These are the different logging levels. You can set the logging level to log
 // on your instance of logger, obtained with `logrus.New()`.
 const (
@@ -96,3 +107,37 @@ type StdLogger interface {
 	Panicf(string, ...interface{})
 	Panicln(...interface{})
 }
+
+// The FieldLogger interface generalizes the Entry and Logger types
+type FieldLogger interface {
+	WithField(key string, value interface{}) *Entry
+	WithFields(fields Fields) *Entry
+	WithError(err error) *Entry
+
+	Debugf(format string, args ...interface{})
+	Infof(format string, args ...interface{})
+	Printf(format string, args ...interface{})
+	Warnf(format string, args ...interface{})
+	Warningf(format string, args ...interface{})
+	Errorf(format string, args ...interface{})
+	Fatalf(format string, args ...interface{})
+	Panicf(format string, args ...interface{})
+
+	Debug(args ...interface{})
+	Info(args ...interface{})
+	Print(args ...interface{})
+	Warn(args ...interface{})
+	Warning(args ...interface{})
+	Error(args ...interface{})
+	Fatal(args ...interface{})
+	Panic(args ...interface{})
+
+	Debugln(args ...interface{})
+	Infoln(args ...interface{})
+	Println(args ...interface{})
+	Warnln(args ...interface{})
+	Warningln(args ...interface{})
+	Errorln(args ...interface{})
+	Fatalln(args ...interface{})
+	Panicln(args ...interface{})
+}

vendor/github.com/Sirupsen/logrus/terminal_notwindows.go

@@ -12,9 +12,9 @@ import (
 	"unsafe"
 )
 
-// IsTerminal returns true if the given file descriptor is a terminal.
+// IsTerminal returns true if stderr's file descriptor is a terminal.
 func IsTerminal() bool {
-	fd := syscall.Stdout
+	fd := syscall.Stderr
 	var termios Termios
 	_, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(fd), ioctlReadTermios, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)
 	return err == 0

vendor/github.com/Sirupsen/logrus/terminal_solaris.go

@@ -0,0 +1,15 @@
+// +build solaris
+
+package logrus
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+// IsTerminal returns true if the given file descriptor is a terminal.
+func IsTerminal() bool {
+	_, err := unix.IoctlGetTermios(int(os.Stdout.Fd()), unix.TCGETA)
+	return err == nil
+}

vendor/github.com/Sirupsen/logrus/terminal_windows.go

@@ -18,9 +18,9 @@ var (
 	procGetConsoleMode = kernel32.NewProc("GetConsoleMode")
 )
 
-// IsTerminal returns true if the given file descriptor is a terminal.
+// IsTerminal returns true if stderr's file descriptor is a terminal.
 func IsTerminal() bool {
-	fd := syscall.Stdout
+	fd := syscall.Stderr
 	var st uint32
 	r, _, e := syscall.Syscall(procGetConsoleMode.Addr(), 2, uintptr(fd), uintptr(unsafe.Pointer(&st)), 0)
 	return r != 0 && e == 0

vendor/github.com/Sirupsen/logrus/text_formatter.go

@@ -84,7 +84,9 @@ func (f *TextFormatter) Format(entry *Entry) ([]byte, error) {
 			f.appendKeyValue(b, "time", entry.Time.Format(timestampFormat))
 		}
 		f.appendKeyValue(b, "level", entry.Level.String())
-		f.appendKeyValue(b, "msg", entry.Message)
+		if entry.Message != "" {
+			f.appendKeyValue(b, "msg", entry.Message)
+		}
 		for _, key := range keys {
 			f.appendKeyValue(b, key, entry.Data[key])
 		}

vendor/github.com/codegangsta/cli/.travis.yml

@@ -1,6 +0,0 @@
-language: go
-go: 1.1
-
-script:
-- go vet ./...
-- go test -v ./...

vendor/github.com/codegangsta/cli/README.md

@@ -1,280 +0,0 @@
-[![Build Status](https://travis-ci.org/codegangsta/cli.png?branch=master)](https://travis-ci.org/codegangsta/cli)
-
-# cli.go
-cli.go is simple, fast, and fun package for building command line apps in Go. The goal is to enable developers to write fast and distributable command line applications in an expressive way.
-
-You can view the API docs here:
-http://godoc.org/github.com/codegangsta/cli
-
-## Overview
-Command line apps are usually so tiny that there is absolutely no reason why your code should *not* be self-documenting. Things like generating help text and parsing command flags/options should not hinder productivity when writing a command line app.
-
-This is where cli.go comes into play. cli.go makes command line programming fun, organized, and expressive!
-
-## Installation
-Make sure you have a working Go environment (go 1.1 is *required*). [See the install instructions](http://golang.org/doc/install.html).
-
-To install cli.go, simply run:
-```
-$ go get github.com/codegangsta/cli
-```
-
-Make sure your PATH includes to the `$GOPATH/bin` directory so your commands can be easily used:
-```
-export PATH=$PATH:$GOPATH/bin
-```
-
-## Getting Started
-One of the philosophies behind cli.go is that an API should be playful and full of discovery. So a cli.go app can be as little as one line of code in `main()`. 
-
-``` go
-package main
-
-import (
-  "os"
-  "github.com/codegangsta/cli"
-)
-
-func main() {
-  cli.NewApp().Run(os.Args)
-}
-```
-
-This app will run and show help text, but is not very useful. Let's give an action to execute and some help documentation:
-
-``` go
-package main
-
-import (
-  "os"
-  "github.com/codegangsta/cli"
-)
-
-func main() {
-  app := cli.NewApp()
-  app.Name = "boom"
-  app.Usage = "make an explosive entrance"
-  app.Action = func(c *cli.Context) {
-    println("boom! I say!")
-  }
-  
-  app.Run(os.Args)
-}
-```
-
-Running this already gives you a ton of functionality, plus support for things like subcommands and flags, which are covered below.
-
-## Example
-
-Being a programmer can be a lonely job. Thankfully by the power of automation that is not the case! Let's create a greeter app to fend off our demons of loneliness!
-
-``` go
-/* greet.go */
-package main
-
-import (
-  "os"
-  "github.com/codegangsta/cli"
-)
-
-func main() {
-  app := cli.NewApp()
-  app.Name = "greet"
-  app.Usage = "fight the loneliness!"
-  app.Action = func(c *cli.Context) {
-    println("Hello friend!")
-  }
-  
-  app.Run(os.Args)
-}
-```
-
-Install our command to the `$GOPATH/bin` directory:
-
-```
-$ go install
-```
-
-Finally run our new command:
-
-```
-$ greet
-Hello friend!
-```
-
-cli.go also generates some bitchass help text:
-```
-$ greet help
-NAME:
-    greet - fight the loneliness!
-
-USAGE:
-    greet [global options] command [command options] [arguments...]
-
-VERSION:
-    0.0.0
-
-COMMANDS:
-    help, h  Shows a list of commands or help for one command
-
-GLOBAL OPTIONS
-    --version	Shows version information
-```
-
-### Arguments
-You can lookup arguments by calling the `Args` function on cli.Context.
-
-``` go
-...
-app.Action = func(c *cli.Context) {
-  println("Hello", c.Args()[0])
-}
-...
-```
-
-### Flags
-Setting and querying flags is simple.
-``` go
-...
-app.Flags = []cli.Flag {
-  cli.StringFlag{
-    Name: "lang",
-    Value: "english",
-    Usage: "language for the greeting",
-  },
-}
-app.Action = func(c *cli.Context) {
-  name := "someone"
-  if len(c.Args()) > 0 {
-    name = c.Args()[0]
-  }
-  if c.String("lang") == "spanish" {
-    println("Hola", name)
-  } else {
-    println("Hello", name)
-  }
-}
-...
-```
-
-#### Alternate Names
-
-You can set alternate (or short) names for flags by providing a comma-delimited list for the Name. e.g.
-
-``` go
-app.Flags = []cli.Flag {
-  cli.StringFlag{
-    Name: "lang, l",
-    Value: "english",
-    Usage: "language for the greeting",
-  },
-}
-```
-
-#### Values from the Environment
-
-You can also have the default value set from the environment via EnvVar.  e.g.
-
-``` go
-app.Flags = []cli.Flag {
-  cli.StringFlag{
-    Name: "lang, l",
-    Value: "english",
-    Usage: "language for the greeting",
-    EnvVar: "APP_LANG",
-  },
-}
-```
-
-That flag can then be set with `--lang spanish` or `-l spanish`. Note that giving two different forms of the same flag in the same command invocation is an error.
-
-### Subcommands
-
-Subcommands can be defined for a more git-like command line app.
-```go
-...
-app.Commands = []cli.Command{
-  {
-    Name:      "add",
-    ShortName: "a",
-    Usage:     "add a task to the list",
-    Action: func(c *cli.Context) {
-      println("added task: ", c.Args().First())
-    },
-  },
-  {
-    Name:      "complete",
-    ShortName: "c",
-    Usage:     "complete a task on the list",
-    Action: func(c *cli.Context) {
-      println("completed task: ", c.Args().First())
-    },
-  },
-  {
-    Name:      "template",
-    ShortName: "r",
-    Usage:     "options for task templates",
-    Subcommands: []cli.Command{
-      {
-        Name:  "add",
-        Usage: "add a new template",
-        Action: func(c *cli.Context) {
-            println("new task template: ", c.Args().First())
-        },
-      },
-      {
-        Name:  "remove",
-        Usage: "remove an existing template",
-        Action: func(c *cli.Context) {
-          println("removed task template: ", c.Args().First())
-        },
-      },
-    },
-  },     
-}
-...
-```
-
-### Bash Completion
-
-You can enable completion commands by setting the EnableBashCompletion
-flag on the App object.  By default, this setting will only auto-complete to
-show an app's subcommands, but you can write your own completion methods for
-the App or its subcommands.
-```go
-...
-var tasks = []string{"cook", "clean", "laundry", "eat", "sleep", "code"}
-app := cli.NewApp()
-app.EnableBashCompletion = true
-app.Commands = []cli.Command{
-  {
-    Name: "complete",
-    ShortName: "c",
-    Usage: "complete a task on the list",
-    Action: func(c *cli.Context) {
-       println("completed task: ", c.Args().First())
-    },
-    BashComplete: func(c *cli.Context) {
-      // This will complete if no args are passed
-      if len(c.Args()) > 0 {
-        return
-      }
-      for _, t := range tasks {
-        println(t)
-      }
-    },
-  }
-}
-...
-```
-
-#### To Enable
-
-Source the autocomplete/bash_autocomplete file in your .bashrc file while
-setting the PROG variable to the name of your program:
-
-`PROG=myprogram source /.../cli/autocomplete/bash_autocomplete`
-
-
-## About
-cli.go is written by none other than the [Code Gangsta](http://codegangsta.io)

vendor/github.com/codegangsta/cli/app.go

@@ -1,248 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"time"
-)
-
-// App is the main structure of a cli application. It is recomended that
-// and app be created with the cli.NewApp() function
-type App struct {
-	// The name of the program. Defaults to os.Args[0]
-	Name string
-	// Description of the program.
-	Usage string
-	// Version of the program
-	Version string
-	// List of commands to execute
-	Commands []Command
-	// List of flags to parse
-	Flags []Flag
-	// Boolean to enable bash completion commands
-	EnableBashCompletion bool
-	// Boolean to hide built-in help command
-	HideHelp bool
-	// An action to execute when the bash-completion flag is set
-	BashComplete func(context *Context)
-	// An action to execute before any subcommands are run, but after the context is ready
-	// If a non-nil error is returned, no subcommands are run
-	Before func(context *Context) error
-	// The action to execute when no subcommands are specified
-	Action func(context *Context)
-	// Execute this function if the proper command cannot be found
-	CommandNotFound func(context *Context, command string)
-	// Compilation date
-	Compiled time.Time
-	// Author
-	Author string
-	// Author e-mail
-	Email string
-}
-
-// Tries to find out when this binary was compiled.
-// Returns the current time if it fails to find it.
-func compileTime() time.Time {
-	info, err := os.Stat(os.Args[0])
-	if err != nil {
-		return time.Now()
-	}
-	return info.ModTime()
-}
-
-// Creates a new cli Application with some reasonable defaults for Name, Usage, Version and Action.
-func NewApp() *App {
-	return &App{
-		Name:         os.Args[0],
-		Usage:        "A new cli application",
-		Version:      "0.0.0",
-		BashComplete: DefaultAppComplete,
-		Action:       helpCommand.Action,
-		Compiled:     compileTime(),
-		Author:       "Author",
-		Email:        "unknown@email",
-	}
-}
-
-// Entry point to the cli app. Parses the arguments slice and routes to the proper flag/args combination
-func (a *App) Run(arguments []string) error {
-	// append help to commands
-	if a.Command(helpCommand.Name) == nil && !a.HideHelp {
-		a.Commands = append(a.Commands, helpCommand)
-		a.appendFlag(HelpFlag)
-	}
-
-	//append version/help flags
-	if a.EnableBashCompletion {
-		a.appendFlag(BashCompletionFlag)
-	}
-	a.appendFlag(VersionFlag)
-
-	// parse flags
-	set := flagSet(a.Name, a.Flags)
-	set.SetOutput(ioutil.Discard)
-	err := set.Parse(arguments[1:])
-	nerr := normalizeFlags(a.Flags, set)
-	if nerr != nil {
-		fmt.Println(nerr)
-		context := NewContext(a, set, set)
-		ShowAppHelp(context)
-		fmt.Println("")
-		return nerr
-	}
-	context := NewContext(a, set, set)
-
-	if err != nil {
-		fmt.Printf("Incorrect Usage.\n\n")
-		ShowAppHelp(context)
-		fmt.Println("")
-		return err
-	}
-
-	if checkCompletions(context) {
-		return nil
-	}
-
-	if checkHelp(context) {
-		return nil
-	}
-
-	if checkVersion(context) {
-		return nil
-	}
-
-	if a.Before != nil {
-		err := a.Before(context)
-		if err != nil {
-			return err
-		}
-	}
-
-	args := context.Args()
-	if args.Present() {
-		name := args.First()
-		c := a.Command(name)
-		if c != nil {
-			return c.Run(context)
-		}
-	}
-
-	// Run default Action
-	a.Action(context)
-	return nil
-}
-
-// Another entry point to the cli app, takes care of passing arguments and error handling
-func (a *App) RunAndExitOnError() {
-	if err := a.Run(os.Args); err != nil {
-		os.Stderr.WriteString(fmt.Sprintln(err))
-		os.Exit(1)
-	}
-}
-
-// Invokes the subcommand given the context, parses ctx.Args() to generate command-specific flags
-func (a *App) RunAsSubcommand(ctx *Context) error {
-	// append help to commands
-	if len(a.Commands) > 0 {
-		if a.Command(helpCommand.Name) == nil && !a.HideHelp {
-			a.Commands = append(a.Commands, helpCommand)
-			a.appendFlag(HelpFlag)
-		}
-	}
-
-	// append flags
-	if a.EnableBashCompletion {
-		a.appendFlag(BashCompletionFlag)
-	}
-
-	// parse flags
-	set := flagSet(a.Name, a.Flags)
-	set.SetOutput(ioutil.Discard)
-	err := set.Parse(ctx.Args().Tail())
-	nerr := normalizeFlags(a.Flags, set)
-	context := NewContext(a, set, ctx.globalSet)
-
-	if nerr != nil {
-		fmt.Println(nerr)
-		if len(a.Commands) > 0 {
-			ShowSubcommandHelp(context)
-		} else {
-			ShowCommandHelp(ctx, context.Args().First())
-		}
-		fmt.Println("")
-		return nerr
-	}
-
-	if err != nil {
-		fmt.Printf("Incorrect Usage.\n\n")
-		ShowSubcommandHelp(context)
-		return err
-	}
-
-	if checkCompletions(context) {
-		return nil
-	}
-
-	if len(a.Commands) > 0 {
-		if checkSubcommandHelp(context) {
-			return nil
-		}
-	} else {
-		if checkCommandHelp(ctx, context.Args().First()) {
-			return nil
-		}
-	}
-
-	if a.Before != nil {
-		err := a.Before(context)
-		if err != nil {
-			return err
-		}
-	}
-
-	args := context.Args()
-	if args.Present() {
-		name := args.First()
-		c := a.Command(name)
-		if c != nil {
-			return c.Run(context)
-		}
-	}
-
-	// Run default Action
-	if len(a.Commands) > 0 {
-		a.Action(context)
-	} else {
-		a.Action(ctx)
-	}
-
-	return nil
-}
-
-// Returns the named command on App. Returns nil if the command does not exist
-func (a *App) Command(name string) *Command {
-	for _, c := range a.Commands {
-		if c.HasName(name) {
-			return &c
-		}
-	}
-
-	return nil
-}
-
-func (a *App) hasFlag(flag Flag) bool {
-	for _, f := range a.Flags {
-		if flag == f {
-			return true
-		}
-	}
-
-	return false
-}
-
-func (a *App) appendFlag(flag Flag) {
-	if !a.hasFlag(flag) {
-		a.Flags = append(a.Flags, flag)
-	}
-}

vendor/github.com/codegangsta/cli/command.go

@@ -1,141 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"io/ioutil"
-	"strings"
-)
-
-// Command is a subcommand for a cli.App.
-type Command struct {
-	// The name of the command
-	Name string
-	// short name of the command. Typically one character
-	ShortName string
-	// A short description of the usage of this command
-	Usage string
-	// A longer explanation of how the command works
-	Description string
-	// The function to call when checking for bash command completions
-	BashComplete func(context *Context)
-	// An action to execute before any sub-subcommands are run, but after the context is ready
-	// If a non-nil error is returned, no sub-subcommands are run
-	Before func(context *Context) error
-	// The function to call when this command is invoked
-	Action func(context *Context)
-	// List of child commands
-	Subcommands []Command
-	// List of flags to parse
-	Flags []Flag
-	// Treat all flags as normal arguments if true
-	SkipFlagParsing bool
-	// Boolean to hide built-in help command
-	HideHelp bool
-}
-
-// Invokes the command given the context, parses ctx.Args() to generate command-specific flags
-func (c Command) Run(ctx *Context) error {
-
-	if len(c.Subcommands) > 0 || c.Before != nil {
-		return c.startApp(ctx)
-	}
-
-	if !c.HideHelp {
-		// append help to flags
-		c.Flags = append(
-			c.Flags,
-			HelpFlag,
-		)
-	}
-
-	if ctx.App.EnableBashCompletion {
-		c.Flags = append(c.Flags, BashCompletionFlag)
-	}
-
-	set := flagSet(c.Name, c.Flags)
-	set.SetOutput(ioutil.Discard)
-
-	firstFlagIndex := -1
-	for index, arg := range ctx.Args() {
-		if strings.HasPrefix(arg, "-") {
-			firstFlagIndex = index
-			break
-		}
-	}
-
-	var err error
-	if firstFlagIndex > -1 && !c.SkipFlagParsing {
-		args := ctx.Args()
-		regularArgs := args[1:firstFlagIndex]
-		flagArgs := args[firstFlagIndex:]
-		err = set.Parse(append(flagArgs, regularArgs...))
-	} else {
-		err = set.Parse(ctx.Args().Tail())
-	}
-
-	if err != nil {
-		fmt.Printf("Incorrect Usage.\n\n")
-		ShowCommandHelp(ctx, c.Name)
-		fmt.Println("")
-		return err
-	}
-
-	nerr := normalizeFlags(c.Flags, set)
-	if nerr != nil {
-		fmt.Println(nerr)
-		fmt.Println("")
-		ShowCommandHelp(ctx, c.Name)
-		fmt.Println("")
-		return nerr
-	}
-	context := NewContext(ctx.App, set, ctx.globalSet)
-
-	if checkCommandCompletions(context, c.Name) {
-		return nil
-	}
-
-	if checkCommandHelp(context, c.Name) {
-		return nil
-	}
-	context.Command = c
-	c.Action(context)
-	return nil
-}
-
-// Returns true if Command.Name or Command.ShortName matches given name
-func (c Command) HasName(name string) bool {
-	return c.Name == name || c.ShortName == name
-}
-
-func (c Command) startApp(ctx *Context) error {
-	app := NewApp()
-
-	// set the name and usage
-	app.Name = fmt.Sprintf("%s %s", ctx.App.Name, c.Name)
-	if c.Description != "" {
-		app.Usage = c.Description
-	} else {
-		app.Usage = c.Usage
-	}
-
-	// set the flags and commands
-	app.Commands = c.Subcommands
-	app.Flags = c.Flags
-	app.HideHelp = c.HideHelp
-
-	// bash completion
-	app.EnableBashCompletion = ctx.App.EnableBashCompletion
-	if c.BashComplete != nil {
-		app.BashComplete = c.BashComplete
-	}
-
-	// set the actions
-	app.Before = c.Before
-	if c.Action != nil {
-		app.Action = c.Action
-	} else {
-		app.Action = helpSubcommand.Action
-	}
-
-	return app.RunAsSubcommand(ctx)
-}

vendor/github.com/codegangsta/cli/context.go

@@ -1,280 +0,0 @@
-package cli
-
-import (
-	"errors"
-	"flag"
-	"strconv"
-	"strings"
-)
-
-// Context is a type that is passed through to
-// each Handler action in a cli application. Context
-// can be used to retrieve context-specific Args and
-// parsed command-line options.
-type Context struct {
-	App       *App
-	Command   Command
-	flagSet   *flag.FlagSet
-	globalSet *flag.FlagSet
-	setFlags  map[string]bool
-}
-
-// Creates a new context. For use in when invoking an App or Command action.
-func NewContext(app *App, set *flag.FlagSet, globalSet *flag.FlagSet) *Context {
-	return &Context{App: app, flagSet: set, globalSet: globalSet}
-}
-
-// Looks up the value of a local int flag, returns 0 if no int flag exists
-func (c *Context) Int(name string) int {
-	return lookupInt(name, c.flagSet)
-}
-
-// Looks up the value of a local float64 flag, returns 0 if no float64 flag exists
-func (c *Context) Float64(name string) float64 {
-	return lookupFloat64(name, c.flagSet)
-}
-
-// Looks up the value of a local bool flag, returns false if no bool flag exists
-func (c *Context) Bool(name string) bool {
-	return lookupBool(name, c.flagSet)
-}
-
-// Looks up the value of a local boolT flag, returns false if no bool flag exists
-func (c *Context) BoolT(name string) bool {
-	return lookupBoolT(name, c.flagSet)
-}
-
-// Looks up the value of a local string flag, returns "" if no string flag exists
-func (c *Context) String(name string) string {
-	return lookupString(name, c.flagSet)
-}
-
-// Looks up the value of a local string slice flag, returns nil if no string slice flag exists
-func (c *Context) StringSlice(name string) []string {
-	return lookupStringSlice(name, c.flagSet)
-}
-
-// Looks up the value of a local int slice flag, returns nil if no int slice flag exists
-func (c *Context) IntSlice(name string) []int {
-	return lookupIntSlice(name, c.flagSet)
-}
-
-// Looks up the value of a local generic flag, returns nil if no generic flag exists
-func (c *Context) Generic(name string) interface{} {
-	return lookupGeneric(name, c.flagSet)
-}
-
-// Looks up the value of a global int flag, returns 0 if no int flag exists
-func (c *Context) GlobalInt(name string) int {
-	return lookupInt(name, c.globalSet)
-}
-
-// Looks up the value of a global bool flag, returns false if no bool flag exists
-func (c *Context) GlobalBool(name string) bool {
-	return lookupBool(name, c.globalSet)
-}
-
-// Looks up the value of a global string flag, returns "" if no string flag exists
-func (c *Context) GlobalString(name string) string {
-	return lookupString(name, c.globalSet)
-}
-
-// Looks up the value of a global string slice flag, returns nil if no string slice flag exists
-func (c *Context) GlobalStringSlice(name string) []string {
-	return lookupStringSlice(name, c.globalSet)
-}
-
-// Looks up the value of a global int slice flag, returns nil if no int slice flag exists
-func (c *Context) GlobalIntSlice(name string) []int {
-	return lookupIntSlice(name, c.globalSet)
-}
-
-// Looks up the value of a global generic flag, returns nil if no generic flag exists
-func (c *Context) GlobalGeneric(name string) interface{} {
-	return lookupGeneric(name, c.globalSet)
-}
-
-// Determines if the flag was actually set exists
-func (c *Context) IsSet(name string) bool {
-	if c.setFlags == nil {
-		c.setFlags = make(map[string]bool)
-		c.flagSet.Visit(func(f *flag.Flag) {
-			c.setFlags[f.Name] = true
-		})
-	}
-	return c.setFlags[name] == true
-}
-
-type Args []string
-
-// Returns the command line arguments associated with the context.
-func (c *Context) Args() Args {
-	args := Args(c.flagSet.Args())
-	return args
-}
-
-// Returns the nth argument, or else a blank string
-func (a Args) Get(n int) string {
-	if len(a) > n {
-		return a[n]
-	}
-	return ""
-}
-
-// Returns the first argument, or else a blank string
-func (a Args) First() string {
-	return a.Get(0)
-}
-
-// Return the rest of the arguments (not the first one)
-// or else an empty string slice
-func (a Args) Tail() []string {
-	if len(a) >= 2 {
-		return []string(a)[1:]
-	}
-	return []string{}
-}
-
-// Checks if there are any arguments present
-func (a Args) Present() bool {
-	return len(a) != 0
-}
-
-// Swaps arguments at the given indexes
-func (a Args) Swap(from, to int) error {
-	if from >= len(a) || to >= len(a) {
-		return errors.New("index out of range")
-	}
-	a[from], a[to] = a[to], a[from]
-	return nil
-}
-
-func lookupInt(name string, set *flag.FlagSet) int {
-	f := set.Lookup(name)
-	if f != nil {
-		val, err := strconv.Atoi(f.Value.String())
-		if err != nil {
-			return 0
-		}
-		return val
-	}
-
-	return 0
-}
-
-func lookupFloat64(name string, set *flag.FlagSet) float64 {
-	f := set.Lookup(name)
-	if f != nil {
-		val, err := strconv.ParseFloat(f.Value.String(), 64)
-		if err != nil {
-			return 0
-		}
-		return val
-	}
-
-	return 0
-}
-
-func lookupString(name string, set *flag.FlagSet) string {
-	f := set.Lookup(name)
-	if f != nil {
-		return f.Value.String()
-	}
-
-	return ""
-}
-
-func lookupStringSlice(name string, set *flag.FlagSet) []string {
-	f := set.Lookup(name)
-	if f != nil {
-		return (f.Value.(*StringSlice)).Value()
-
-	}
-
-	return nil
-}
-
-func lookupIntSlice(name string, set *flag.FlagSet) []int {
-	f := set.Lookup(name)
-	if f != nil {
-		return (f.Value.(*IntSlice)).Value()
-
-	}
-
-	return nil
-}
-
-func lookupGeneric(name string, set *flag.FlagSet) interface{} {
-	f := set.Lookup(name)
-	if f != nil {
-		return f.Value
-	}
-	return nil
-}
-
-func lookupBool(name string, set *flag.FlagSet) bool {
-	f := set.Lookup(name)
-	if f != nil {
-		val, err := strconv.ParseBool(f.Value.String())
-		if err != nil {
-			return false
-		}
-		return val
-	}
-
-	return false
-}
-
-func lookupBoolT(name string, set *flag.FlagSet) bool {
-	f := set.Lookup(name)
-	if f != nil {
-		val, err := strconv.ParseBool(f.Value.String())
-		if err != nil {
-			return true
-		}
-		return val
-	}
-
-	return false
-}
-
-func copyFlag(name string, ff *flag.Flag, set *flag.FlagSet) {
-	switch ff.Value.(type) {
-	case *StringSlice:
-	default:
-		set.Set(name, ff.Value.String())
-	}
-}
-
-func normalizeFlags(flags []Flag, set *flag.FlagSet) error {
-	visited := make(map[string]bool)
-	set.Visit(func(f *flag.Flag) {
-		visited[f.Name] = true
-	})
-	for _, f := range flags {
-		parts := strings.Split(f.getName(), ",")
-		if len(parts) == 1 {
-			continue
-		}
-		var ff *flag.Flag
-		for _, name := range parts {
-			name = strings.Trim(name, " ")
-			if visited[name] {
-				if ff != nil {
-					return errors.New("Cannot use two forms of the same flag: " + name + " " + ff.Name)
-				}
-				ff = set.Lookup(name)
-			}
-		}
-		if ff == nil {
-			continue
-		}
-		for _, name := range parts {
-			name = strings.Trim(name, " ")
-			if !visited[name] {
-				copyFlag(name, ff, set)
-			}
-		}
-	}
-	return nil
-}

vendor/github.com/codegangsta/cli/flag.go

@@ -1,379 +0,0 @@
-package cli
-
-import (
-	"flag"
-	"fmt"
-	"os"
-	"strconv"
-	"strings"
-)
-
-// This flag enables bash-completion for all commands and subcommands
-var BashCompletionFlag = BoolFlag{
-	Name: "generate-bash-completion",
-}
-
-// This flag prints the version for the application
-var VersionFlag = BoolFlag{
-	Name:  "version, v",
-	Usage: "print the version",
-}
-
-// This flag prints the help for all commands and subcommands
-var HelpFlag = BoolFlag{
-	Name:  "help, h",
-	Usage: "show help",
-}
-
-// Flag is a common interface related to parsing flags in cli.
-// For more advanced flag parsing techniques, it is recomended that
-// this interface be implemented.
-type Flag interface {
-	fmt.Stringer
-	// Apply Flag settings to the given flag set
-	Apply(*flag.FlagSet)
-	getName() string
-}
-
-func flagSet(name string, flags []Flag) *flag.FlagSet {
-	set := flag.NewFlagSet(name, flag.ContinueOnError)
-
-	for _, f := range flags {
-		f.Apply(set)
-	}
-	return set
-}
-
-func eachName(longName string, fn func(string)) {
-	parts := strings.Split(longName, ",")
-	for _, name := range parts {
-		name = strings.Trim(name, " ")
-		fn(name)
-	}
-}
-
-// Generic is a generic parseable type identified by a specific flag
-type Generic interface {
-	Set(value string) error
-	String() string
-}
-
-// GenericFlag is the flag type for types implementing Generic
-type GenericFlag struct {
-	Name   string
-	Value  Generic
-	Usage  string
-	EnvVar string
-}
-
-func (f GenericFlag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s%s %v\t`%v` %s", prefixFor(f.Name), f.Name, f.Value, "-"+f.Name+" option -"+f.Name+" option", f.Usage))
-}
-
-func (f GenericFlag) Apply(set *flag.FlagSet) {
-	val := f.Value
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			val.Set(envVal)
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Var(f.Value, name, f.Usage)
-	})
-}
-
-func (f GenericFlag) getName() string {
-	return f.Name
-}
-
-type StringSlice []string
-
-func (f *StringSlice) Set(value string) error {
-	*f = append(*f, value)
-	return nil
-}
-
-func (f *StringSlice) String() string {
-	return fmt.Sprintf("%s", *f)
-}
-
-func (f *StringSlice) Value() []string {
-	return *f
-}
-
-type StringSliceFlag struct {
-	Name   string
-	Value  *StringSlice
-	Usage  string
-	EnvVar string
-}
-
-func (f StringSliceFlag) String() string {
-	firstName := strings.Trim(strings.Split(f.Name, ",")[0], " ")
-	pref := prefixFor(firstName)
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s '%v'\t%v", prefixedNames(f.Name), pref+firstName+" option "+pref+firstName+" option", f.Usage))
-}
-
-func (f StringSliceFlag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			newVal := &StringSlice{}
-			for _, s := range strings.Split(envVal, ",") {
-				newVal.Set(s)
-			}
-			f.Value = newVal
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Var(f.Value, name, f.Usage)
-	})
-}
-
-func (f StringSliceFlag) getName() string {
-	return f.Name
-}
-
-type IntSlice []int
-
-func (f *IntSlice) Set(value string) error {
-
-	tmp, err := strconv.Atoi(value)
-	if err != nil {
-		return err
-	} else {
-		*f = append(*f, tmp)
-	}
-	return nil
-}
-
-func (f *IntSlice) String() string {
-	return fmt.Sprintf("%d", *f)
-}
-
-func (f *IntSlice) Value() []int {
-	return *f
-}
-
-type IntSliceFlag struct {
-	Name   string
-	Value  *IntSlice
-	Usage  string
-	EnvVar string
-}
-
-func (f IntSliceFlag) String() string {
-	firstName := strings.Trim(strings.Split(f.Name, ",")[0], " ")
-	pref := prefixFor(firstName)
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s '%v'\t%v", prefixedNames(f.Name), pref+firstName+" option "+pref+firstName+" option", f.Usage))
-}
-
-func (f IntSliceFlag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			newVal := &IntSlice{}
-			for _, s := range strings.Split(envVal, ",") {
-				err := newVal.Set(s)
-				if err != nil {
-					fmt.Fprintf(os.Stderr, err.Error())
-				}
-			}
-			f.Value = newVal
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Var(f.Value, name, f.Usage)
-	})
-}
-
-func (f IntSliceFlag) getName() string {
-	return f.Name
-}
-
-type BoolFlag struct {
-	Name   string
-	Usage  string
-	EnvVar string
-}
-
-func (f BoolFlag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s\t%v", prefixedNames(f.Name), f.Usage))
-}
-
-func (f BoolFlag) Apply(set *flag.FlagSet) {
-	val := false
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			envValBool, err := strconv.ParseBool(envVal)
-			if err == nil {
-				val = envValBool
-			}
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Bool(name, val, f.Usage)
-	})
-}
-
-func (f BoolFlag) getName() string {
-	return f.Name
-}
-
-type BoolTFlag struct {
-	Name   string
-	Usage  string
-	EnvVar string
-}
-
-func (f BoolTFlag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s\t%v", prefixedNames(f.Name), f.Usage))
-}
-
-func (f BoolTFlag) Apply(set *flag.FlagSet) {
-	val := true
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			envValBool, err := strconv.ParseBool(envVal)
-			if err == nil {
-				val = envValBool
-			}
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Bool(name, val, f.Usage)
-	})
-}
-
-func (f BoolTFlag) getName() string {
-	return f.Name
-}
-
-type StringFlag struct {
-	Name   string
-	Value  string
-	Usage  string
-	EnvVar string
-}
-
-func (f StringFlag) String() string {
-	var fmtString string
-	fmtString = "%s %v\t%v"
-
-	if len(f.Value) > 0 {
-		fmtString = "%s '%v'\t%v"
-	} else {
-		fmtString = "%s %v\t%v"
-	}
-
-	return withEnvHint(f.EnvVar, fmt.Sprintf(fmtString, prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-func (f StringFlag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			f.Value = envVal
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.String(name, f.Value, f.Usage)
-	})
-}
-
-func (f StringFlag) getName() string {
-	return f.Name
-}
-
-type IntFlag struct {
-	Name   string
-	Value  int
-	Usage  string
-	EnvVar string
-}
-
-func (f IntFlag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s '%v'\t%v", prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-func (f IntFlag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			envValInt, err := strconv.ParseUint(envVal, 10, 64)
-			if err == nil {
-				f.Value = int(envValInt)
-			}
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Int(name, f.Value, f.Usage)
-	})
-}
-
-func (f IntFlag) getName() string {
-	return f.Name
-}
-
-type Float64Flag struct {
-	Name   string
-	Value  float64
-	Usage  string
-	EnvVar string
-}
-
-func (f Float64Flag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s '%v'\t%v", prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-func (f Float64Flag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			envValFloat, err := strconv.ParseFloat(envVal, 10)
-			if err == nil {
-				f.Value = float64(envValFloat)
-			}
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Float64(name, f.Value, f.Usage)
-	})
-}
-
-func (f Float64Flag) getName() string {
-	return f.Name
-}
-
-func prefixFor(name string) (prefix string) {
-	if len(name) == 1 {
-		prefix = "-"
-	} else {
-		prefix = "--"
-	}
-
-	return
-}
-
-func prefixedNames(fullName string) (prefixed string) {
-	parts := strings.Split(fullName, ",")
-	for i, name := range parts {
-		name = strings.Trim(name, " ")
-		prefixed += prefixFor(name) + name
-		if i < len(parts)-1 {
-			prefixed += ", "
-		}
-	}
-	return
-}
-
-func withEnvHint(envVar, str string) string {
-	envText := ""
-	if envVar != "" {
-		envText = fmt.Sprintf(" [$%s]", envVar)
-	}
-	return str + envText
-}

vendor/github.com/codegangsta/cli/help.go

@@ -1,213 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"os"
-	"text/tabwriter"
-	"text/template"
-)
-
-// The text template for the Default help topic.
-// cli.go uses text/template to render templates. You can
-// render custom help text by setting this variable.
-var AppHelpTemplate = `NAME:
-   {{.Name}} - {{.Usage}}
-
-USAGE:
-   {{.Name}} {{ if .Flags }}[global options] {{ end }}command{{ if .Flags }} [command options]{{ end }} [arguments...]
-
-VERSION:
-   {{.Version}}
-
-COMMANDS:
-   {{range .Commands}}{{.Name}}{{with .ShortName}}, {{.}}{{end}}{{ "\t" }}{{.Usage}}
-   {{end}}{{ if .Flags }}
-GLOBAL OPTIONS:
-   {{range .Flags}}{{.}}
-   {{end}}{{ end }}
-`
-
-// The text template for the command help topic.
-// cli.go uses text/template to render templates. You can
-// render custom help text by setting this variable.
-var CommandHelpTemplate = `NAME:
-   {{.Name}} - {{.Usage}}
-
-USAGE:
-   command {{.Name}}{{ if .Flags }} [command options]{{ end }} [arguments...]
-
-DESCRIPTION:
-   {{.Description}}{{ if .Flags }}
-
-OPTIONS:
-   {{range .Flags}}{{.}}
-   {{end}}{{ end }}
-`
-
-// The text template for the subcommand help topic.
-// cli.go uses text/template to render templates. You can
-// render custom help text by setting this variable.
-var SubcommandHelpTemplate = `NAME:
-   {{.Name}} - {{.Usage}}
-
-USAGE:
-   {{.Name}} command{{ if .Flags }} [command options]{{ end }} [arguments...]
-
-COMMANDS:
-   {{range .Commands}}{{.Name}}{{with .ShortName}}, {{.}}{{end}}{{ "\t" }}{{.Usage}}
-   {{end}}{{ if .Flags }}
-OPTIONS:
-   {{range .Flags}}{{.}}
-   {{end}}{{ end }}
-`
-
-var helpCommand = Command{
-	Name:      "help",
-	ShortName: "h",
-	Usage:     "Shows a list of commands or help for one command",
-	Action: func(c *Context) {
-		args := c.Args()
-		if args.Present() {
-			ShowCommandHelp(c, args.First())
-		} else {
-			ShowAppHelp(c)
-		}
-	},
-}
-
-var helpSubcommand = Command{
-	Name:      "help",
-	ShortName: "h",
-	Usage:     "Shows a list of commands or help for one command",
-	Action: func(c *Context) {
-		args := c.Args()
-		if args.Present() {
-			ShowCommandHelp(c, args.First())
-		} else {
-			ShowSubcommandHelp(c)
-		}
-	},
-}
-
-// Prints help for the App
-var HelpPrinter = printHelp
-
-func ShowAppHelp(c *Context) {
-	HelpPrinter(AppHelpTemplate, c.App)
-}
-
-// Prints the list of subcommands as the default app completion method
-func DefaultAppComplete(c *Context) {
-	for _, command := range c.App.Commands {
-		fmt.Println(command.Name)
-		if command.ShortName != "" {
-			fmt.Println(command.ShortName)
-		}
-	}
-}
-
-// Prints help for the given command
-func ShowCommandHelp(c *Context, command string) {
-	for _, c := range c.App.Commands {
-		if c.HasName(command) {
-			HelpPrinter(CommandHelpTemplate, c)
-			return
-		}
-	}
-
-	if c.App.CommandNotFound != nil {
-		c.App.CommandNotFound(c, command)
-	} else {
-		fmt.Printf("No help topic for '%v'\n", command)
-	}
-}
-
-// Prints help for the given subcommand
-func ShowSubcommandHelp(c *Context) {
-	HelpPrinter(SubcommandHelpTemplate, c.App)
-}
-
-// Prints the version number of the App
-func ShowVersion(c *Context) {
-	fmt.Printf("%v version %v\n", c.App.Name, c.App.Version)
-}
-
-// Prints the lists of commands within a given context
-func ShowCompletions(c *Context) {
-	a := c.App
-	if a != nil && a.BashComplete != nil {
-		a.BashComplete(c)
-	}
-}
-
-// Prints the custom completions for a given command
-func ShowCommandCompletions(ctx *Context, command string) {
-	c := ctx.App.Command(command)
-	if c != nil && c.BashComplete != nil {
-		c.BashComplete(ctx)
-	}
-}
-
-func printHelp(templ string, data interface{}) {
-	w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
-	t := template.Must(template.New("help").Parse(templ))
-	err := t.Execute(w, data)
-	if err != nil {
-		panic(err)
-	}
-	w.Flush()
-}
-
-func checkVersion(c *Context) bool {
-	if c.GlobalBool("version") {
-		ShowVersion(c)
-		return true
-	}
-
-	return false
-}
-
-func checkHelp(c *Context) bool {
-	if c.GlobalBool("h") || c.GlobalBool("help") {
-		ShowAppHelp(c)
-		return true
-	}
-
-	return false
-}
-
-func checkCommandHelp(c *Context, name string) bool {
-	if c.Bool("h") || c.Bool("help") {
-		ShowCommandHelp(c, name)
-		return true
-	}
-
-	return false
-}
-
-func checkSubcommandHelp(c *Context) bool {
-	if c.GlobalBool("h") || c.GlobalBool("help") {
-		ShowSubcommandHelp(c)
-		return true
-	}
-
-	return false
-}
-
-func checkCompletions(c *Context) bool {
-	if c.GlobalBool(BashCompletionFlag.Name) && c.App.EnableBashCompletion {
-		ShowCompletions(c)
-		return true
-	}
-
-	return false
-}
-
-func checkCommandCompletions(c *Context, name string) bool {
-	if c.Bool(BashCompletionFlag.Name) && c.App.EnableBashCompletion {
-		ShowCommandCompletions(c, name)
-		return true
-	}
-
-	return false
-}

vendor/github.com/containers/image/LICENSE

@@ -0,0 +1,189 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/github.com/containers/image/README.md

@@ -0,0 +1,52 @@
+[![GoDoc](https://godoc.org/github.com/containers/image?status.svg)](https://godoc.org/github.com/containers/image) [![Build Status](https://travis-ci.org/containers/image.svg?branch=master)](https://travis-ci.org/containers/image)
+=
+
+`image` is a set of Go libraries aimed at working in various way with
+containers' images and container image registries.
+
+The containers/image library allows application to pull and push images from
+container image registries, like the upstream docker registry. It also
+implements "simple image signing".
+
+The containers/image library also allows you to inspect a repository on a
+container registry without pulling down the image. This means it fetches the
+repository's manifest and it is able to show you a `docker inspect`-like json
+output about a whole repository or a tag. This library, in contrast to `docker
+inspect`, helps you gather useful information about a repository or a tag
+without requiring you to run `docker pull`.
+
+The containers/image library also allows you to translate from one image format
+to another, for example docker container images to OCI images. It also allows
+you to copy container images between various registries, possibly converting
+them as necessary, and to sign and verify images.
+
+The [skopeo](https://github.com/projectatomic/skopeo) tool uses the
+containers/image library and takes advantage of its many features.
+
+## Dependencies
+
+Dependencies that this library prefers will not be found in the `vendor`
+directory. This is so you can make well-informed decisions about which
+libraries you should use with this package in your own projects.
+
+What this project tests against dependencies-wise is located
+[here](https://github.com/containers/image/blob/master/vendor.conf).
+
+## Building
+
+For ordinary use, `go build ./...` is sufficient.
+
+When developing this library, please use `make` to take advantage of the tests and validation.
+
+Optionally, you can use the `containers_image_openpgp` build tag (using `go build -tags …`, or `make … BUILDTAGS=…`).
+This will use a Golang-only OpenPGP implementation for signature verification instead of the default cgo/gpgme-based implementation;
+the primary downside is that creating new signatures with the Golang-only implementation is not supported.
+
+## License
+
+ASL 2.0
+
+## Contact
+
+- Mailing list: [containers-dev](https://groups.google.com/forum/?hl=en#!forum/containers-dev)
+- IRC: #[container-projects](irc://irc.freenode.net:6667/#container-projects) on freenode.net

vendor/github.com/containers/image/copy/copy.go

@@ -0,0 +1,641 @@
+package copy
+
+import (
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"reflect"
+	"strings"
+	"time"
+
+	pb "gopkg.in/cheggaaa/pb.v1"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/image"
+	"github.com/containers/image/pkg/compression"
+	"github.com/containers/image/signature"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+type digestingReader struct {
+	source           io.Reader
+	digester         digest.Digester
+	expectedDigest   digest.Digest
+	validationFailed bool
+}
+
+// imageCopier allows us to keep track of diffID values for blobs, and other
+// data, that we're copying between images, and cache other information that
+// might allow us to take some shortcuts
+type imageCopier struct {
+	copiedBlobs       map[digest.Digest]digest.Digest
+	cachedDiffIDs     map[digest.Digest]digest.Digest
+	manifestUpdates   *types.ManifestUpdateOptions
+	dest              types.ImageDestination
+	src               types.Image
+	rawSource         types.ImageSource
+	diffIDsAreNeeded  bool
+	canModifyManifest bool
+	reportWriter      io.Writer
+	progressInterval  time.Duration
+	progress          chan types.ProgressProperties
+}
+
+// newDigestingReader returns an io.Reader implementation with contents of source, which will eventually return a non-EOF error
+// and set validationFailed to true if the source stream does not match expectedDigest.
+func newDigestingReader(source io.Reader, expectedDigest digest.Digest) (*digestingReader, error) {
+	if err := expectedDigest.Validate(); err != nil {
+		return nil, errors.Errorf("Invalid digest specification %s", expectedDigest)
+	}
+	digestAlgorithm := expectedDigest.Algorithm()
+	if !digestAlgorithm.Available() {
+		return nil, errors.Errorf("Invalid digest specification %s: unsupported digest algorithm %s", expectedDigest, digestAlgorithm)
+	}
+	return &digestingReader{
+		source:           source,
+		digester:         digestAlgorithm.Digester(),
+		expectedDigest:   expectedDigest,
+		validationFailed: false,
+	}, nil
+}
+
+func (d *digestingReader) Read(p []byte) (int, error) {
+	n, err := d.source.Read(p)
+	if n > 0 {
+		if n2, err := d.digester.Hash().Write(p[:n]); n2 != n || err != nil {
+			// Coverage: This should not happen, the hash.Hash interface requires
+			// d.digest.Write to never return an error, and the io.Writer interface
+			// requires n2 == len(input) if no error is returned.
+			return 0, errors.Wrapf(err, "Error updating digest during verification: %d vs. %d", n2, n)
+		}
+	}
+	if err == io.EOF {
+		actualDigest := d.digester.Digest()
+		if actualDigest != d.expectedDigest {
+			d.validationFailed = true
+			return 0, errors.Errorf("Digest did not match, expected %s, got %s", d.expectedDigest, actualDigest)
+		}
+	}
+	return n, err
+}
+
+// Options allows supplying non-default configuration modifying the behavior of CopyImage.
+type Options struct {
+	RemoveSignatures bool   // Remove any pre-existing signatures. SignBy will still add a new signature.
+	SignBy           string // If non-empty, asks for a signature to be added during the copy, and specifies a key ID, as accepted by signature.NewGPGSigningMechanism().SignDockerManifest(),
+	ReportWriter     io.Writer
+	SourceCtx        *types.SystemContext
+	DestinationCtx   *types.SystemContext
+	ProgressInterval time.Duration                 // time to wait between reports to signal the progress channel
+	Progress         chan types.ProgressProperties // Reported to when ProgressInterval has arrived for a single artifact+offset.
+}
+
+// Image copies image from srcRef to destRef, using policyContext to validate
+// source image admissibility.
+func Image(policyContext *signature.PolicyContext, destRef, srcRef types.ImageReference, options *Options) (retErr error) {
+	// NOTE this function uses an output parameter for the error return value.
+	// Setting this and returning is the ideal way to return an error.
+	//
+	// the defers in this routine will wrap the error return with its own errors
+	// which can be valuable context in the middle of a multi-streamed copy.
+	if options == nil {
+		options = &Options{}
+	}
+
+	reportWriter := ioutil.Discard
+
+	if options.ReportWriter != nil {
+		reportWriter = options.ReportWriter
+	}
+
+	writeReport := func(f string, a ...interface{}) {
+		fmt.Fprintf(reportWriter, f, a...)
+	}
+
+	dest, err := destRef.NewImageDestination(options.DestinationCtx)
+	if err != nil {
+		return errors.Wrapf(err, "Error initializing destination %s", transports.ImageName(destRef))
+	}
+	defer func() {
+		if err := dest.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, " (dest: %v)", err)
+		}
+	}()
+
+	destSupportedManifestMIMETypes := dest.SupportedManifestMIMETypes()
+
+	rawSource, err := srcRef.NewImageSource(options.SourceCtx, destSupportedManifestMIMETypes)
+	if err != nil {
+		return errors.Wrapf(err, "Error initializing source %s", transports.ImageName(srcRef))
+	}
+	unparsedImage := image.UnparsedFromSource(rawSource)
+	defer func() {
+		if unparsedImage != nil {
+			if err := unparsedImage.Close(); err != nil {
+				retErr = errors.Wrapf(retErr, " (unparsed: %v)", err)
+			}
+		}
+	}()
+
+	// Please keep this policy check BEFORE reading any other information about the image.
+	if allowed, err := policyContext.IsRunningImageAllowed(unparsedImage); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
+		return errors.Wrap(err, "Source image rejected")
+	}
+	src, err := image.FromUnparsedImage(unparsedImage)
+	if err != nil {
+		return errors.Wrapf(err, "Error initializing image from source %s", transports.ImageName(srcRef))
+	}
+	unparsedImage = nil
+	defer func() {
+		if err := src.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, " (source: %v)", err)
+		}
+	}()
+
+	if src.IsMultiImage() {
+		return errors.Errorf("can not copy %s: manifest contains multiple images", transports.ImageName(srcRef))
+	}
+
+	var sigs [][]byte
+	if options.RemoveSignatures {
+		sigs = [][]byte{}
+	} else {
+		writeReport("Getting image source signatures\n")
+		s, err := src.Signatures()
+		if err != nil {
+			return errors.Wrap(err, "Error reading signatures")
+		}
+		sigs = s
+	}
+	if len(sigs) != 0 {
+		writeReport("Checking if image destination supports signatures\n")
+		if err := dest.SupportsSignatures(); err != nil {
+			return errors.Wrap(err, "Can not copy signatures")
+		}
+	}
+
+	canModifyManifest := len(sigs) == 0
+	manifestUpdates := types.ManifestUpdateOptions{}
+	manifestUpdates.InformationOnly.Destination = dest
+
+	if err := updateEmbeddedDockerReference(&manifestUpdates, dest, src, canModifyManifest); err != nil {
+		return err
+	}
+
+	// We compute preferredManifestMIMEType only to show it in error messages.
+	// Without having to add this context in an error message, we would be happy enough to know only that no conversion is needed.
+	preferredManifestMIMEType, otherManifestMIMETypeCandidates, err := determineManifestConversion(&manifestUpdates, src, destSupportedManifestMIMETypes, canModifyManifest)
+	if err != nil {
+		return err
+	}
+
+	// If src.UpdatedImageNeedsLayerDiffIDs(manifestUpdates) will be true, it needs to be true by the time we get here.
+	ic := imageCopier{
+		copiedBlobs:       make(map[digest.Digest]digest.Digest),
+		cachedDiffIDs:     make(map[digest.Digest]digest.Digest),
+		manifestUpdates:   &manifestUpdates,
+		dest:              dest,
+		src:               src,
+		rawSource:         rawSource,
+		diffIDsAreNeeded:  src.UpdatedImageNeedsLayerDiffIDs(manifestUpdates),
+		canModifyManifest: canModifyManifest,
+		reportWriter:      reportWriter,
+		progressInterval:  options.ProgressInterval,
+		progress:          options.Progress,
+	}
+
+	if err := ic.copyLayers(); err != nil {
+		return err
+	}
+
+	// With docker/distribution registries we do not know whether the registry accepts schema2 or schema1 only;
+	// and at least with the OpenShift registry "acceptschema2" option, there is no way to detect the support
+	// without actually trying to upload something and getting a types.ManifestTypeRejectedError.
+	// So, try the preferred manifest MIME type. If the process succeeds, fine…
+	manifest, err := ic.copyUpdatedConfigAndManifest()
+	if err != nil {
+		logrus.Debugf("Writing manifest using preferred type %s failed: %v", preferredManifestMIMEType, err)
+		// … if it fails, _and_ the failure is because the manifest is rejected, we may have other options.
+		if _, isManifestRejected := errors.Cause(err).(types.ManifestTypeRejectedError); !isManifestRejected || len(otherManifestMIMETypeCandidates) == 0 {
+			// We don’t have other options.
+			// In principle the code below would handle this as well, but the resulting  error message is fairly ugly.
+			// Don’t bother the user with MIME types if we have no choice.
+			return err
+		}
+		// If the original MIME type is acceptable, determineManifestConversion always uses it as preferredManifestMIMEType.
+		// So if we are here, we will definitely be trying to convert the manifest.
+		// With !canModifyManifest, that would just be a string of repeated failures for the same reason,
+		// so let’s bail out early and with a better error message.
+		if !canModifyManifest {
+			return errors.Wrap(err, "Writing manifest failed (and converting it is not possible)")
+		}
+
+		// errs is a list of errors when trying various manifest types. Also serves as an "upload succeeded" flag when set to nil.
+		errs := []string{fmt.Sprintf("%s(%v)", preferredManifestMIMEType, err)}
+		for _, manifestMIMEType := range otherManifestMIMETypeCandidates {
+			logrus.Debugf("Trying to use manifest type %s…", manifestMIMEType)
+			manifestUpdates.ManifestMIMEType = manifestMIMEType
+			attemptedManifest, err := ic.copyUpdatedConfigAndManifest()
+			if err != nil {
+				logrus.Debugf("Upload of manifest type %s failed: %v", manifestMIMEType, err)
+				errs = append(errs, fmt.Sprintf("%s(%v)", manifestMIMEType, err))
+				continue
+			}
+
+			// We have successfully uploaded a manifest.
+			manifest = attemptedManifest
+			errs = nil // Mark this as a success so that we don't abort below.
+			break
+		}
+		if errs != nil {
+			return fmt.Errorf("Uploading manifest failed, attempted the following formats: %s", strings.Join(errs, ", "))
+		}
+	}
+
+	if options.SignBy != "" {
+		newSig, err := createSignature(dest, manifest, options.SignBy, reportWriter)
+		if err != nil {
+			return err
+		}
+		sigs = append(sigs, newSig)
+	}
+
+	writeReport("Storing signatures\n")
+	if err := dest.PutSignatures(sigs); err != nil {
+		return errors.Wrap(err, "Error writing signatures")
+	}
+
+	if err := dest.Commit(); err != nil {
+		return errors.Wrap(err, "Error committing the finished image")
+	}
+
+	return nil
+}
+
+// updateEmbeddedDockerReference handles the Docker reference embedded in Docker schema1 manifests.
+func updateEmbeddedDockerReference(manifestUpdates *types.ManifestUpdateOptions, dest types.ImageDestination, src types.Image, canModifyManifest bool) error {
+	destRef := dest.Reference().DockerReference()
+	if destRef == nil {
+		return nil // Destination does not care about Docker references
+	}
+	if !src.EmbeddedDockerReferenceConflicts(destRef) {
+		return nil // No reference embedded in the manifest, or it matches destRef already.
+	}
+
+	if !canModifyManifest {
+		return errors.Errorf("Copying a schema1 image with an embedded Docker reference to %s (Docker reference %s) would invalidate existing signatures. Explicitly enable signature removal to proceed anyway",
+			transports.ImageName(dest.Reference()), destRef.String())
+	}
+	manifestUpdates.EmbeddedDockerReference = destRef
+	return nil
+}
+
+// copyLayers copies layers from src/rawSource to dest, using and updating ic.manifestUpdates if necessary and ic.canModifyManifest.
+func (ic *imageCopier) copyLayers() error {
+	srcInfos := ic.src.LayerInfos()
+	destInfos := []types.BlobInfo{}
+	diffIDs := []digest.Digest{}
+	for _, srcLayer := range srcInfos {
+		var (
+			destInfo types.BlobInfo
+			diffID   digest.Digest
+			err      error
+		)
+		if ic.dest.AcceptsForeignLayerURLs() && len(srcLayer.URLs) != 0 {
+			// DiffIDs are, currently, needed only when converting from schema1.
+			// In which case src.LayerInfos will not have URLs because schema1
+			// does not support them.
+			if ic.diffIDsAreNeeded {
+				return errors.New("getting DiffID for foreign layers is unimplemented")
+			}
+			destInfo = srcLayer
+			fmt.Fprintf(ic.reportWriter, "Skipping foreign layer %q copy to %s\n", destInfo.Digest, ic.dest.Reference().Transport().Name())
+		} else {
+			destInfo, diffID, err = ic.copyLayer(srcLayer)
+			if err != nil {
+				return err
+			}
+		}
+		destInfos = append(destInfos, destInfo)
+		diffIDs = append(diffIDs, diffID)
+	}
+	ic.manifestUpdates.InformationOnly.LayerInfos = destInfos
+	if ic.diffIDsAreNeeded {
+		ic.manifestUpdates.InformationOnly.LayerDiffIDs = diffIDs
+	}
+	if layerDigestsDiffer(srcInfos, destInfos) {
+		ic.manifestUpdates.LayerInfos = destInfos
+	}
+	return nil
+}
+
+// layerDigestsDiffer return true iff the digests in a and b differ (ignoring sizes and possible other fields)
+func layerDigestsDiffer(a, b []types.BlobInfo) bool {
+	if len(a) != len(b) {
+		return true
+	}
+	for i := range a {
+		if a[i].Digest != b[i].Digest {
+			return true
+		}
+	}
+	return false
+}
+
+// copyUpdatedConfigAndManifest updates the image per ic.manifestUpdates, if necessary,
+// stores the resulting config and manifest to the destination, and returns the stored manifest.
+func (ic *imageCopier) copyUpdatedConfigAndManifest() ([]byte, error) {
+	pendingImage := ic.src
+	if !reflect.DeepEqual(*ic.manifestUpdates, types.ManifestUpdateOptions{InformationOnly: ic.manifestUpdates.InformationOnly}) {
+		if !ic.canModifyManifest {
+			return nil, errors.Errorf("Internal error: copy needs an updated manifest but that was known to be forbidden")
+		}
+		if !ic.diffIDsAreNeeded && ic.src.UpdatedImageNeedsLayerDiffIDs(*ic.manifestUpdates) {
+			// We have set ic.diffIDsAreNeeded based on the preferred MIME type returned by determineManifestConversion.
+			// So, this can only happen if we are trying to upload using one of the other MIME type candidates.
+			// Because UpdatedImageNeedsLayerDiffIDs is true only when converting from s1 to s2, this case should only arise
+			// when ic.dest.SupportedManifestMIMETypes() includes both s1 and s2, the upload using s1 failed, and we are now trying s2.
+			// Supposedly s2-only registries do not exist or are extremely rare, so failing with this error message is good enough for now.
+			// If handling such registries turns out to be necessary, we could compute ic.diffIDsAreNeeded based on the full list of manifest MIME type candidates.
+			return nil, errors.Errorf("Can not convert image to %s, preparing DiffIDs for this case is not supported", ic.manifestUpdates.ManifestMIMEType)
+		}
+		pi, err := ic.src.UpdatedImage(*ic.manifestUpdates)
+		if err != nil {
+			return nil, errors.Wrap(err, "Error creating an updated image manifest")
+		}
+		pendingImage = pi
+	}
+	manifest, _, err := pendingImage.Manifest()
+	if err != nil {
+		return nil, errors.Wrap(err, "Error reading manifest")
+	}
+
+	if err := ic.copyConfig(pendingImage); err != nil {
+		return nil, err
+	}
+
+	fmt.Fprintf(ic.reportWriter, "Writing manifest to image destination\n")
+	if err := ic.dest.PutManifest(manifest); err != nil {
+		return nil, errors.Wrap(err, "Error writing manifest")
+	}
+	return manifest, nil
+}
+
+// copyConfig copies config.json, if any, from src to dest.
+func (ic *imageCopier) copyConfig(src types.Image) error {
+	srcInfo := src.ConfigInfo()
+	if srcInfo.Digest != "" {
+		fmt.Fprintf(ic.reportWriter, "Copying config %s\n", srcInfo.Digest)
+		configBlob, err := src.ConfigBlob()
+		if err != nil {
+			return errors.Wrapf(err, "Error reading config blob %s", srcInfo.Digest)
+		}
+		destInfo, err := ic.copyBlobFromStream(bytes.NewReader(configBlob), srcInfo, nil, false)
+		if err != nil {
+			return err
+		}
+		if destInfo.Digest != srcInfo.Digest {
+			return errors.Errorf("Internal error: copying uncompressed config blob %s changed digest to %s", srcInfo.Digest, destInfo.Digest)
+		}
+	}
+	return nil
+}
+
+// diffIDResult contains both a digest value and an error from diffIDComputationGoroutine.
+// We could also send the error through the pipeReader, but this more cleanly separates the copying of the layer and the DiffID computation.
+type diffIDResult struct {
+	digest digest.Digest
+	err    error
+}
+
+// copyLayer copies a layer with srcInfo (with known Digest and possibly known Size) in src to dest, perhaps compressing it if canCompress,
+// and returns a complete blobInfo of the copied layer, and a value for LayerDiffIDs if diffIDIsNeeded
+func (ic *imageCopier) copyLayer(srcInfo types.BlobInfo) (types.BlobInfo, digest.Digest, error) {
+	// Check if we already have a blob with this digest
+	haveBlob, extantBlobSize, err := ic.dest.HasBlob(srcInfo)
+	if err != nil {
+		return types.BlobInfo{}, "", errors.Wrapf(err, "Error checking for blob %s at destination", srcInfo.Digest)
+	}
+	// If we already have a cached diffID for this blob, we don't need to compute it
+	diffIDIsNeeded := ic.diffIDsAreNeeded && (ic.cachedDiffIDs[srcInfo.Digest] == "")
+	// If we already have the blob, and we don't need to recompute the diffID, then we might be able to avoid reading it again
+	if haveBlob && !diffIDIsNeeded {
+		// Check the blob sizes match, if we were given a size this time
+		if srcInfo.Size != -1 && srcInfo.Size != extantBlobSize {
+			return types.BlobInfo{}, "", errors.Errorf("Error: blob %s is already present, but with size %d instead of %d", srcInfo.Digest, extantBlobSize, srcInfo.Size)
+		}
+		srcInfo.Size = extantBlobSize
+		// Tell the image destination that this blob's delta is being applied again.  For some image destinations, this can be faster than using GetBlob/PutBlob
+		blobinfo, err := ic.dest.ReapplyBlob(srcInfo)
+		if err != nil {
+			return types.BlobInfo{}, "", errors.Wrapf(err, "Error reapplying blob %s at destination", srcInfo.Digest)
+		}
+		fmt.Fprintf(ic.reportWriter, "Skipping fetch of repeat blob %s\n", srcInfo.Digest)
+		return blobinfo, ic.cachedDiffIDs[srcInfo.Digest], err
+	}
+
+	// Fallback: copy the layer, computing the diffID if we need to do so
+	fmt.Fprintf(ic.reportWriter, "Copying blob %s\n", srcInfo.Digest)
+	srcStream, srcBlobSize, err := ic.rawSource.GetBlob(srcInfo)
+	if err != nil {
+		return types.BlobInfo{}, "", errors.Wrapf(err, "Error reading blob %s", srcInfo.Digest)
+	}
+	defer srcStream.Close()
+
+	blobInfo, diffIDChan, err := ic.copyLayerFromStream(srcStream, types.BlobInfo{Digest: srcInfo.Digest, Size: srcBlobSize},
+		diffIDIsNeeded)
+	if err != nil {
+		return types.BlobInfo{}, "", err
+	}
+	var diffIDResult diffIDResult // = {digest:""}
+	if diffIDIsNeeded {
+		diffIDResult = <-diffIDChan
+		if diffIDResult.err != nil {
+			return types.BlobInfo{}, "", errors.Wrap(diffIDResult.err, "Error computing layer DiffID")
+		}
+		logrus.Debugf("Computed DiffID %s for layer %s", diffIDResult.digest, srcInfo.Digest)
+		ic.cachedDiffIDs[srcInfo.Digest] = diffIDResult.digest
+	}
+	return blobInfo, diffIDResult.digest, nil
+}
+
+// copyLayerFromStream is an implementation detail of copyLayer; mostly providing a separate “defer” scope.
+// it copies a blob with srcInfo (with known Digest and possibly known Size) from srcStream to dest,
+// perhaps compressing the stream if canCompress,
+// and returns a complete blobInfo of the copied blob and perhaps a <-chan diffIDResult if diffIDIsNeeded, to be read by the caller.
+func (ic *imageCopier) copyLayerFromStream(srcStream io.Reader, srcInfo types.BlobInfo,
+	diffIDIsNeeded bool) (types.BlobInfo, <-chan diffIDResult, error) {
+	var getDiffIDRecorder func(compression.DecompressorFunc) io.Writer // = nil
+	var diffIDChan chan diffIDResult
+
+	err := errors.New("Internal error: unexpected panic in copyLayer") // For pipeWriter.CloseWithError below
+	if diffIDIsNeeded {
+		diffIDChan = make(chan diffIDResult, 1) // Buffered, so that sending a value after this or our caller has failed and exited does not block.
+		pipeReader, pipeWriter := io.Pipe()
+		defer func() { // Note that this is not the same as {defer pipeWriter.CloseWithError(err)}; we need err to be evaluated lazily.
+			pipeWriter.CloseWithError(err) // CloseWithError(nil) is equivalent to Close()
+		}()
+
+		getDiffIDRecorder = func(decompressor compression.DecompressorFunc) io.Writer {
+			// If this fails, e.g. because we have exited and due to pipeWriter.CloseWithError() above further
+			// reading from the pipe has failed, we don’t really care.
+			// We only read from diffIDChan if the rest of the flow has succeeded, and when we do read from it,
+			// the return value includes an error indication, which we do check.
+			//
+			// If this gets never called, pipeReader will not be used anywhere, but pipeWriter will only be
+			// closed above, so we are happy enough with both pipeReader and pipeWriter to just get collected by GC.
+			go diffIDComputationGoroutine(diffIDChan, pipeReader, decompressor) // Closes pipeReader
+			return pipeWriter
+		}
+	}
+	blobInfo, err := ic.copyBlobFromStream(srcStream, srcInfo, getDiffIDRecorder, ic.canModifyManifest) // Sets err to nil on success
+	return blobInfo, diffIDChan, err
+	// We need the defer … pipeWriter.CloseWithError() to happen HERE so that the caller can block on reading from diffIDChan
+}
+
+// diffIDComputationGoroutine reads all input from layerStream, uncompresses using decompressor if necessary, and sends its digest, and status, if any, to dest.
+func diffIDComputationGoroutine(dest chan<- diffIDResult, layerStream io.ReadCloser, decompressor compression.DecompressorFunc) {
+	result := diffIDResult{
+		digest: "",
+		err:    errors.New("Internal error: unexpected panic in diffIDComputationGoroutine"),
+	}
+	defer func() { dest <- result }()
+	defer layerStream.Close() // We do not care to bother the other end of the pipe with other failures; we send them to dest instead.
+
+	result.digest, result.err = computeDiffID(layerStream, decompressor)
+}
+
+// computeDiffID reads all input from layerStream, uncompresses it using decompressor if necessary, and returns its digest.
+func computeDiffID(stream io.Reader, decompressor compression.DecompressorFunc) (digest.Digest, error) {
+	if decompressor != nil {
+		s, err := decompressor(stream)
+		if err != nil {
+			return "", err
+		}
+		stream = s
+	}
+
+	return digest.Canonical.FromReader(stream)
+}
+
+// copyBlobFromStream copies a blob with srcInfo (with known Digest and possibly known Size) from srcStream to dest,
+// perhaps sending a copy to an io.Writer if getOriginalLayerCopyWriter != nil,
+// perhaps compressing it if canCompress,
+// and returns a complete blobInfo of the copied blob.
+func (ic *imageCopier) copyBlobFromStream(srcStream io.Reader, srcInfo types.BlobInfo,
+	getOriginalLayerCopyWriter func(decompressor compression.DecompressorFunc) io.Writer,
+	canCompress bool) (types.BlobInfo, error) {
+	// The copying happens through a pipeline of connected io.Readers.
+	// === Input: srcStream
+
+	// === Process input through digestingReader to validate against the expected digest.
+	// Be paranoid; in case PutBlob somehow managed to ignore an error from digestingReader,
+	// use a separate validation failure indicator.
+	// Note that we don't use a stronger "validationSucceeded" indicator, because
+	// dest.PutBlob may detect that the layer already exists, in which case we don't
+	// read stream to the end, and validation does not happen.
+	digestingReader, err := newDigestingReader(srcStream, srcInfo.Digest)
+	if err != nil {
+		return types.BlobInfo{}, errors.Wrapf(err, "Error preparing to verify blob %s", srcInfo.Digest)
+	}
+	var destStream io.Reader = digestingReader
+
+	// === Detect compression of the input stream.
+	// This requires us to “peek ahead” into the stream to read the initial part, which requires us to chain through another io.Reader returned by DetectCompression.
+	decompressor, destStream, err := compression.DetectCompression(destStream) // We could skip this in some cases, but let's keep the code path uniform
+	if err != nil {
+		return types.BlobInfo{}, errors.Wrapf(err, "Error reading blob %s", srcInfo.Digest)
+	}
+	isCompressed := decompressor != nil
+
+	// === Report progress using a pb.Reader.
+	bar := pb.New(int(srcInfo.Size)).SetUnits(pb.U_BYTES)
+	bar.Output = ic.reportWriter
+	bar.SetMaxWidth(80)
+	bar.ShowTimeLeft = false
+	bar.ShowPercent = false
+	bar.Start()
+	destStream = bar.NewProxyReader(destStream)
+	defer fmt.Fprint(ic.reportWriter, "\n")
+
+	// === Send a copy of the original, uncompressed, stream, to a separate path if necessary.
+	var originalLayerReader io.Reader // DO NOT USE this other than to drain the input if no other consumer in the pipeline has done so.
+	if getOriginalLayerCopyWriter != nil {
+		destStream = io.TeeReader(destStream, getOriginalLayerCopyWriter(decompressor))
+		originalLayerReader = destStream
+	}
+
+	// === Compress the layer if it is uncompressed and compression is desired
+	var inputInfo types.BlobInfo
+	if !canCompress || isCompressed || !ic.dest.ShouldCompressLayers() {
+		logrus.Debugf("Using original blob without modification")
+		inputInfo = srcInfo
+	} else {
+		logrus.Debugf("Compressing blob on the fly")
+		pipeReader, pipeWriter := io.Pipe()
+		defer pipeReader.Close()
+
+		// If this fails while writing data, it will do pipeWriter.CloseWithError(); if it fails otherwise,
+		// e.g. because we have exited and due to pipeReader.Close() above further writing to the pipe has failed,
+		// we don’t care.
+		go compressGoroutine(pipeWriter, destStream) // Closes pipeWriter
+		destStream = pipeReader
+		inputInfo.Digest = ""
+		inputInfo.Size = -1
+	}
+
+	// === Report progress using the ic.progress channel, if required.
+	if ic.progress != nil && ic.progressInterval > 0 {
+		destStream = &progressReader{
+			source:   destStream,
+			channel:  ic.progress,
+			interval: ic.progressInterval,
+			artifact: srcInfo,
+			lastTime: time.Now(),
+		}
+	}
+
+	// === Finally, send the layer stream to dest.
+	uploadedInfo, err := ic.dest.PutBlob(destStream, inputInfo)
+	if err != nil {
+		return types.BlobInfo{}, errors.Wrap(err, "Error writing blob")
+	}
+
+	// This is fairly horrible: the writer from getOriginalLayerCopyWriter wants to consumer
+	// all of the input (to compute DiffIDs), even if dest.PutBlob does not need it.
+	// So, read everything from originalLayerReader, which will cause the rest to be
+	// sent there if we are not already at EOF.
+	if getOriginalLayerCopyWriter != nil {
+		logrus.Debugf("Consuming rest of the original blob to satisfy getOriginalLayerCopyWriter")
+		_, err := io.Copy(ioutil.Discard, originalLayerReader)
+		if err != nil {
+			return types.BlobInfo{}, errors.Wrapf(err, "Error reading input blob %s", srcInfo.Digest)
+		}
+	}
+
+	if digestingReader.validationFailed { // Coverage: This should never happen.
+		return types.BlobInfo{}, errors.Errorf("Internal error writing blob %s, digest verification failed but was ignored", srcInfo.Digest)
+	}
+	if inputInfo.Digest != "" && uploadedInfo.Digest != inputInfo.Digest {
+		return types.BlobInfo{}, errors.Errorf("Internal error writing blob %s, blob with digest %s saved with digest %s", srcInfo.Digest, inputInfo.Digest, uploadedInfo.Digest)
+	}
+	return uploadedInfo, nil
+}
+
+// compressGoroutine reads all input from src and writes its compressed equivalent to dest.
+func compressGoroutine(dest *io.PipeWriter, src io.Reader) {
+	err := errors.New("Internal error: unexpected panic in compressGoroutine")
+	defer func() { // Note that this is not the same as {defer dest.CloseWithError(err)}; we need err to be evaluated lazily.
+		dest.CloseWithError(err) // CloseWithError(nil) is equivalent to Close()
+	}()
+
+	zipper := gzip.NewWriter(dest)
+	defer zipper.Close()
+
+	_, err = io.Copy(zipper, src) // Sets err to nil, i.e. causes dest.Close()
+}

vendor/github.com/containers/image/copy/manifest.go

@@ -0,0 +1,102 @@
+package copy
+
+import (
+	"strings"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+	"github.com/pkg/errors"
+)
+
+// preferredManifestMIMETypes lists manifest MIME types in order of our preference, if we can't use the original manifest and need to convert.
+// Prefer v2s2 to v2s1 because v2s2 does not need to be changed when uploading to a different location.
+// Include v2s1 signed but not v2s1 unsigned, because docker/distribution requires a signature even if the unsigned MIME type is used.
+var preferredManifestMIMETypes = []string{manifest.DockerV2Schema2MediaType, manifest.DockerV2Schema1SignedMediaType}
+
+// orderedSet is a list of strings (MIME types in our case), with each string appearing at most once.
+type orderedSet struct {
+	list     []string
+	included map[string]struct{}
+}
+
+// newOrderedSet creates a correctly initialized orderedSet.
+// [Sometimes it would be really nice if Golang had constructors…]
+func newOrderedSet() *orderedSet {
+	return &orderedSet{
+		list:     []string{},
+		included: map[string]struct{}{},
+	}
+}
+
+// append adds s to the end of os, only if it is not included already.
+func (os *orderedSet) append(s string) {
+	if _, ok := os.included[s]; !ok {
+		os.list = append(os.list, s)
+		os.included[s] = struct{}{}
+	}
+}
+
+// determineManifestConversion updates manifestUpdates to convert manifest to a supported MIME type, if necessary and canModifyManifest.
+// Note that the conversion will only happen later, through src.UpdatedImage
+// Returns the preferred manifest MIME type (whether we are converting to it or using it unmodified),
+// and a list of other possible alternatives, in order.
+func determineManifestConversion(manifestUpdates *types.ManifestUpdateOptions, src types.Image, destSupportedManifestMIMETypes []string, canModifyManifest bool) (string, []string, error) {
+	_, srcType, err := src.Manifest()
+	if err != nil { // This should have been cached?!
+		return "", nil, errors.Wrap(err, "Error reading manifest")
+	}
+
+	if len(destSupportedManifestMIMETypes) == 0 {
+		return srcType, []string{}, nil // Anything goes; just use the original as is, do not try any conversions.
+	}
+	supportedByDest := map[string]struct{}{}
+	for _, t := range destSupportedManifestMIMETypes {
+		supportedByDest[t] = struct{}{}
+	}
+
+	// destSupportedManifestMIMETypes is a static guess; a particular registry may still only support a subset of the types.
+	// So, build a list of types to try in order of decreasing preference.
+	// FIXME? This treats manifest.DockerV2Schema1SignedMediaType and manifest.DockerV2Schema1MediaType as distinct,
+	// although we are not really making any conversion, and it is very unlikely that a destination would support one but not the other.
+	// In practice, schema1 is probably the lowest common denominator, so we would expect to try the first one of the MIME types
+	// and never attempt the other one.
+	prioritizedTypes := newOrderedSet()
+
+	// First of all, prefer to keep the original manifest unmodified.
+	if _, ok := supportedByDest[srcType]; ok {
+		prioritizedTypes.append(srcType)
+	}
+	if !canModifyManifest {
+		// We could also drop the !canModifyManifest parameter and have the caller
+		// make the choice; it is already doing that to an extent, to improve error
+		// messages.  But it is nice to hide the “if !canModifyManifest, do no conversion”
+		// special case in here; the caller can then worry (or not) only about a good UI.
+		logrus.Debugf("We can't modify the manifest, hoping for the best...")
+		return srcType, []string{}, nil // Take our chances - FIXME? Or should we fail without trying?
+	}
+
+	// Then use our list of preferred types.
+	for _, t := range preferredManifestMIMETypes {
+		if _, ok := supportedByDest[t]; ok {
+			prioritizedTypes.append(t)
+		}
+	}
+
+	// Finally, try anything else the destination supports.
+	for _, t := range destSupportedManifestMIMETypes {
+		prioritizedTypes.append(t)
+	}
+
+	logrus.Debugf("Manifest has MIME type %s, ordered candidate list [%s]", srcType, strings.Join(prioritizedTypes.list, ", "))
+	if len(prioritizedTypes.list) == 0 { // Coverage: destSupportedManifestMIMETypes is not empty (or we would have exited in the “Anything goes” case above), so this should never happen.
+		return "", nil, errors.New("Internal error: no candidate MIME types")
+	}
+	preferredType := prioritizedTypes.list[0]
+	if preferredType != srcType {
+		manifestUpdates.ManifestMIMEType = preferredType
+	} else {
+		logrus.Debugf("... will first try using the original manifest unmodified")
+	}
+	return preferredType, prioritizedTypes.list[1:], nil
+}

vendor/github.com/containers/image/copy/progress_reader.go

@@ -0,0 +1,28 @@
+package copy
+
+import (
+	"io"
+	"time"
+
+	"github.com/containers/image/types"
+)
+
+// progressReader is a reader that reports its progress on an interval.
+type progressReader struct {
+	source   io.Reader
+	channel  chan types.ProgressProperties
+	interval time.Duration
+	artifact types.BlobInfo
+	lastTime time.Time
+	offset   uint64
+}
+
+func (r *progressReader) Read(p []byte) (int, error) {
+	n, err := r.source.Read(p)
+	r.offset += uint64(n)
+	if time.Since(r.lastTime) > r.interval {
+		r.channel <- types.ProgressProperties{Artifact: r.artifact, Offset: r.offset}
+		r.lastTime = time.Now()
+	}
+	return n, err
+}

vendor/github.com/containers/image/copy/sign.go

@@ -0,0 +1,35 @@
+package copy
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/containers/image/signature"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/pkg/errors"
+)
+
+// createSignature creates a new signature of manifest at (identified by) dest using keyIdentity.
+func createSignature(dest types.ImageDestination, manifest []byte, keyIdentity string, reportWriter io.Writer) ([]byte, error) {
+	mech, err := signature.NewGPGSigningMechanism()
+	if err != nil {
+		return nil, errors.Wrap(err, "Error initializing GPG")
+	}
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil {
+		return nil, errors.Wrap(err, "Signing not supported")
+	}
+
+	dockerReference := dest.Reference().DockerReference()
+	if dockerReference == nil {
+		return nil, errors.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(dest.Reference()))
+	}
+
+	fmt.Fprintf(reportWriter, "Signing manifest\n")
+	newSig, err := signature.SignDockerManifest(manifest, dockerReference.String(), mech, keyIdentity)
+	if err != nil {
+		return nil, errors.Wrap(err, "Error creating signature")
+	}
+	return newSig, nil
+}

vendor/github.com/containers/image/directory/directory_dest.go

@@ -0,0 +1,144 @@
+package directory
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+type dirImageDestination struct {
+	ref dirReference
+}
+
+// newImageDestination returns an ImageDestination for writing to an existing directory.
+func newImageDestination(ref dirReference) types.ImageDestination {
+	return &dirImageDestination{ref}
+}
+
+// Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
+// e.g. it should use the public hostname instead of the result of resolving CNAMEs or following redirects.
+func (d *dirImageDestination) Reference() types.ImageReference {
+	return d.ref
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any.
+func (d *dirImageDestination) Close() error {
+	return nil
+}
+
+func (d *dirImageDestination) SupportedManifestMIMETypes() []string {
+	return nil
+}
+
+// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
+// Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
+func (d *dirImageDestination) SupportsSignatures() error {
+	return nil
+}
+
+// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
+func (d *dirImageDestination) ShouldCompressLayers() bool {
+	return false
+}
+
+// AcceptsForeignLayerURLs returns false iff foreign layers in manifest should be actually
+// uploaded to the image destination, true otherwise.
+func (d *dirImageDestination) AcceptsForeignLayerURLs() bool {
+	return false
+}
+
+// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
+// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
+// inputInfo.Size is the expected length of stream, if known.
+// WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
+// to any other readers for download using the supplied digest.
+// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
+func (d *dirImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
+	blobFile, err := ioutil.TempFile(d.ref.path, "dir-put-blob")
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	succeeded := false
+	defer func() {
+		blobFile.Close()
+		if !succeeded {
+			os.Remove(blobFile.Name())
+		}
+	}()
+
+	digester := digest.Canonical.Digester()
+	tee := io.TeeReader(stream, digester.Hash())
+
+	size, err := io.Copy(blobFile, tee)
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	computedDigest := digester.Digest()
+	if inputInfo.Size != -1 && size != inputInfo.Size {
+		return types.BlobInfo{}, errors.Errorf("Size mismatch when copying %s, expected %d, got %d", computedDigest, inputInfo.Size, size)
+	}
+	if err := blobFile.Sync(); err != nil {
+		return types.BlobInfo{}, err
+	}
+	if err := blobFile.Chmod(0644); err != nil {
+		return types.BlobInfo{}, err
+	}
+	blobPath := d.ref.layerPath(computedDigest)
+	if err := os.Rename(blobFile.Name(), blobPath); err != nil {
+		return types.BlobInfo{}, err
+	}
+	succeeded = true
+	return types.BlobInfo{Digest: computedDigest, Size: size}, nil
+}
+
+// HasBlob returns true iff the image destination already contains a blob with the matching digest which can be reapplied using ReapplyBlob.
+// Unlike PutBlob, the digest can not be empty.  If HasBlob returns true, the size of the blob must also be returned.
+// If the destination does not contain the blob, or it is unknown, HasBlob ordinarily returns (false, -1, nil);
+// it returns a non-nil error only on an unexpected failure.
+func (d *dirImageDestination) HasBlob(info types.BlobInfo) (bool, int64, error) {
+	if info.Digest == "" {
+		return false, -1, errors.Errorf(`"Can not check for a blob with unknown digest`)
+	}
+	blobPath := d.ref.layerPath(info.Digest)
+	finfo, err := os.Stat(blobPath)
+	if err != nil && os.IsNotExist(err) {
+		return false, -1, nil
+	}
+	if err != nil {
+		return false, -1, err
+	}
+	return true, finfo.Size(), nil
+}
+
+func (d *dirImageDestination) ReapplyBlob(info types.BlobInfo) (types.BlobInfo, error) {
+	return info, nil
+}
+
+// PutManifest writes manifest to the destination.
+// FIXME? This should also receive a MIME type if known, to differentiate between schema versions.
+// If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
+// but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
+func (d *dirImageDestination) PutManifest(manifest []byte) error {
+	return ioutil.WriteFile(d.ref.manifestPath(), manifest, 0644)
+}
+
+func (d *dirImageDestination) PutSignatures(signatures [][]byte) error {
+	for i, sig := range signatures {
+		if err := ioutil.WriteFile(d.ref.signaturePath(i), sig, 0644); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted.
+// WARNING: This does not have any transactional semantics:
+// - Uploaded data MAY be visible to others before Commit() is called
+// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
+func (d *dirImageDestination) Commit() error {
+	return nil
+}

vendor/github.com/containers/image/directory/directory_src.go

@@ -0,0 +1,75 @@
+package directory
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+type dirImageSource struct {
+	ref dirReference
+}
+
+// newImageSource returns an ImageSource reading from an existing directory.
+// The caller must call .Close() on the returned ImageSource.
+func newImageSource(ref dirReference) types.ImageSource {
+	return &dirImageSource{ref}
+}
+
+// Reference returns the reference used to set up this source, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
+func (s *dirImageSource) Reference() types.ImageReference {
+	return s.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+func (s *dirImageSource) Close() error {
+	return nil
+}
+
+// GetManifest returns the image's manifest along with its MIME type (which may be empty when it can't be determined but the manifest is available).
+// It may use a remote (= slow) service.
+func (s *dirImageSource) GetManifest() ([]byte, string, error) {
+	m, err := ioutil.ReadFile(s.ref.manifestPath())
+	if err != nil {
+		return nil, "", err
+	}
+	return m, manifest.GuessMIMEType(m), err
+}
+
+func (s *dirImageSource) GetTargetManifest(digest digest.Digest) ([]byte, string, error) {
+	return nil, "", errors.Errorf(`Getting target manifest not supported by "dir:"`)
+}
+
+// GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
+func (s *dirImageSource) GetBlob(info types.BlobInfo) (io.ReadCloser, int64, error) {
+	r, err := os.Open(s.ref.layerPath(info.Digest))
+	if err != nil {
+		return nil, 0, nil
+	}
+	fi, err := r.Stat()
+	if err != nil {
+		return nil, 0, nil
+	}
+	return r, fi.Size(), nil
+}
+
+func (s *dirImageSource) GetSignatures() ([][]byte, error) {
+	signatures := [][]byte{}
+	for i := 0; ; i++ {
+		signature, err := ioutil.ReadFile(s.ref.signaturePath(i))
+		if err != nil {
+			if os.IsNotExist(err) {
+				break
+			}
+			return nil, err
+		}
+		signatures = append(signatures, signature)
+	}
+	return signatures, nil
+}

vendor/github.com/containers/image/directory/directory_transport.go

@@ -0,0 +1,179 @@
+package directory
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"github.com/containers/image/directory/explicitfilepath"
+	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/image"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+)
+
+func init() {
+	transports.Register(Transport)
+}
+
+// Transport is an ImageTransport for directory paths.
+var Transport = dirTransport{}
+
+type dirTransport struct{}
+
+func (t dirTransport) Name() string {
+	return "dir"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func (t dirTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return NewReference(reference)
+}
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+// (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
+// It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
+// scope passed to this function will not be "", that value is always allowed.
+func (t dirTransport) ValidatePolicyConfigurationScope(scope string) error {
+	if !strings.HasPrefix(scope, "/") {
+		return errors.Errorf("Invalid scope %s: Must be an absolute path", scope)
+	}
+	// Refuse also "/", otherwise "/" and "" would have the same semantics,
+	// and "" could be unexpectedly shadowed by the "/" entry.
+	if scope == "/" {
+		return errors.New(`Invalid scope "/": Use the generic default scope ""`)
+	}
+	cleaned := filepath.Clean(scope)
+	if cleaned != scope {
+		return errors.Errorf(`Invalid scope %s: Uses non-canonical format, perhaps try %s`, scope, cleaned)
+	}
+	return nil
+}
+
+// dirReference is an ImageReference for directory paths.
+type dirReference struct {
+	// Note that the interpretation of paths below depends on the underlying filesystem state, which may change under us at any time!
+	// Either of the paths may point to a different, or no, inode over time.  resolvedPath may contain symbolic links, and so on.
+
+	// Generally we follow the intent of the user, and use the "path" member for filesystem operations (e.g. the user can use a relative path to avoid
+	// being exposed to symlinks and renames in the parent directories to the working directory).
+	// (But in general, we make no attempt to be completely safe against concurrent hostile filesystem modifications.)
+	path         string // As specified by the user. May be relative, contain symlinks, etc.
+	resolvedPath string // Absolute path with no symlinks, at least at the time of its creation. Primarily used for policy namespaces.
+}
+
+// There is no directory.ParseReference because it is rather pointless.
+// Callers who need a transport-independent interface will go through
+// dirTransport.ParseReference; callers who intentionally deal with directories
+// can use directory.NewReference.
+
+// NewReference returns a directory reference for a specified path.
+//
+// We do not expose an API supplying the resolvedPath; we could, but recomputing it
+// is generally cheap enough that we prefer being confident about the properties of resolvedPath.
+func NewReference(path string) (types.ImageReference, error) {
+	resolved, err := explicitfilepath.ResolvePathToFullyExplicit(path)
+	if err != nil {
+		return nil, err
+	}
+	return dirReference{path: path, resolvedPath: resolved}, nil
+}
+
+func (ref dirReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+// NOTE: The returned string is not promised to be equal to the original input to ParseReference;
+// e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
+// WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix.
+func (ref dirReference) StringWithinTransport() string {
+	return ref.path
+}
+
+// DockerReference returns a Docker reference associated with this reference
+// (fully explicit, i.e. !reference.IsNameOnly, but reflecting user intent,
+// not e.g. after redirect or alias processing), or nil if unknown/not applicable.
+func (ref dirReference) DockerReference() reference.Named {
+	return nil
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+// This MUST reflect user intent, not e.g. after processing of third-party redirects or aliases;
+// The value SHOULD be fully explicit about its semantics, with no hidden defaults, AND canonical
+// (i.e. various references with exactly the same semantics should return the same configuration identity)
+// It is fine for the return value to be equal to StringWithinTransport(), and it is desirable but
+// not required/guaranteed that it will be a valid input to Transport().ParseReference().
+// Returns "" if configuration identities for these references are not supported.
+func (ref dirReference) PolicyConfigurationIdentity() string {
+	return ref.resolvedPath
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set.  The list will be processed
+// in order, terminating on first match, and an implicit "" is always checked at the end.
+// It is STRONGLY recommended for the first element, if any, to be a prefix of PolicyConfigurationIdentity(),
+// and each following element to be a prefix of the element preceding it.
+func (ref dirReference) PolicyConfigurationNamespaces() []string {
+	res := []string{}
+	path := ref.resolvedPath
+	for {
+		lastSlash := strings.LastIndex(path, "/")
+		if lastSlash == -1 || lastSlash == 0 {
+			break
+		}
+		path = path[:lastSlash]
+		res = append(res, path)
+	}
+	// Note that we do not include "/"; it is redundant with the default "" global default,
+	// and rejected by dirTransport.ValidatePolicyConfigurationScope above.
+	return res
+}
+
+// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned Image.
+// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
+// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
+func (ref dirReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+	src := newImageSource(ref)
+	return image.FromSource(src)
+}
+
+// NewImageSource returns a types.ImageSource for this reference,
+// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
+// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// The caller must call .Close() on the returned ImageSource.
+func (ref dirReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	return newImageSource(ref), nil
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref dirReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ref), nil
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref dirReference) DeleteImage(ctx *types.SystemContext) error {
+	return errors.Errorf("Deleting images not implemented for dir: images")
+}
+
+// manifestPath returns a path for the manifest within a directory using our conventions.
+func (ref dirReference) manifestPath() string {
+	return filepath.Join(ref.path, "manifest.json")
+}
+
+// layerPath returns a path for a layer tarball within a directory using our conventions.
+func (ref dirReference) layerPath(digest digest.Digest) string {
+	// FIXME: Should we keep the digest identification?
+	return filepath.Join(ref.path, digest.Hex()+".tar")
+}
+
+// signaturePath returns a path for a signature within a directory using our conventions.
+func (ref dirReference) signaturePath(index int) string {
+	return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1))
+}

vendor/github.com/containers/image/directory/explicitfilepath/path.go

@@ -0,0 +1,56 @@
+package explicitfilepath
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+)
+
+// ResolvePathToFullyExplicit returns the input path converted to an absolute, no-symlinks, cleaned up path.
+// To do so, all elements of the input path must exist; as a special case, the final component may be
+// a non-existent name (but not a symlink pointing to a non-existent name)
+// This is intended as a a helper for implementations of types.ImageReference.PolicyConfigurationIdentity etc.
+func ResolvePathToFullyExplicit(path string) (string, error) {
+	switch _, err := os.Lstat(path); {
+	case err == nil:
+		return resolveExistingPathToFullyExplicit(path)
+	case os.IsNotExist(err):
+		parent, file := filepath.Split(path)
+		resolvedParent, err := resolveExistingPathToFullyExplicit(parent)
+		if err != nil {
+			return "", err
+		}
+		if file == "." || file == ".." {
+			// Coverage: This can happen, but very rarely: if we have successfully resolved the parent, both "." and ".." in it should have been resolved as well.
+			// This can still happen if there is a filesystem race condition, causing the Lstat() above to fail but the later resolution to succeed.
+			// We do not care to promise anything if such filesystem race conditions can happen, but we definitely don't want to return "."/".." components
+			// in the resulting path, and especially not at the end.
+			return "", errors.Errorf("Unexpectedly missing special filename component in %s", path)
+		}
+		resolvedPath := filepath.Join(resolvedParent, file)
+		// As a sanity check, ensure that there are no "." or ".." components.
+		cleanedResolvedPath := filepath.Clean(resolvedPath)
+		if cleanedResolvedPath != resolvedPath {
+			// Coverage: This should never happen.
+			return "", errors.Errorf("Internal inconsistency: Path %s resolved to %s still cleaned up to %s", path, resolvedPath, cleanedResolvedPath)
+		}
+		return resolvedPath, nil
+	default: // err != nil, unrecognized
+		return "", err
+	}
+}
+
+// resolveExistingPathToFullyExplicit is the same as ResolvePathToFullyExplicit,
+// but without the special case for missing final component.
+func resolveExistingPathToFullyExplicit(path string) (string, error) {
+	resolved, err := filepath.Abs(path)
+	if err != nil {
+		return "", err // Coverage: This can fail only if os.Getwd() fails.
+	}
+	resolved, err = filepath.EvalSymlinks(resolved)
+	if err != nil {
+		return "", err
+	}
+	return filepath.Clean(resolved), nil
+}

vendor/github.com/containers/image/docker/archive/dest.go

@@ -0,0 +1,57 @@
+package archive
+
+import (
+	"io"
+	"os"
+
+	"github.com/containers/image/docker/tarfile"
+	"github.com/containers/image/types"
+	"github.com/pkg/errors"
+)
+
+type archiveImageDestination struct {
+	*tarfile.Destination // Implements most of types.ImageDestination
+	ref                  archiveReference
+	writer               io.Closer
+}
+
+func newImageDestination(ctx *types.SystemContext, ref archiveReference) (types.ImageDestination, error) {
+	if ref.destinationRef == nil {
+		return nil, errors.Errorf("docker-archive: destination reference not supplied (must be of form <path>:<reference:tag>)")
+	}
+	fh, err := os.OpenFile(ref.path, os.O_WRONLY|os.O_EXCL|os.O_CREATE, 0644)
+	if err != nil {
+		// FIXME: It should be possible to modify archives, but the only really
+		//        sane way of doing it is to create a copy of the image, modify
+		//        it and then do a rename(2).
+		if os.IsExist(err) {
+			err = errors.New("docker-archive doesn't support modifying existing images")
+		}
+		return nil, err
+	}
+
+	return &archiveImageDestination{
+		Destination: tarfile.NewDestination(fh, ref.destinationRef),
+		ref:         ref,
+		writer:      fh,
+	}, nil
+}
+
+// Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
+// e.g. it should use the public hostname instead of the result of resolving CNAMEs or following redirects.
+func (d *archiveImageDestination) Reference() types.ImageReference {
+	return d.ref
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any.
+func (d *archiveImageDestination) Close() error {
+	return d.writer.Close()
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted.
+// WARNING: This does not have any transactional semantics:
+// - Uploaded data MAY be visible to others before Commit() is called
+// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
+func (d *archiveImageDestination) Commit() error {
+	return d.Destination.Commit()
+}

vendor/github.com/containers/image/docker/archive/src.go

@@ -0,0 +1,36 @@
+package archive
+
+import (
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/docker/tarfile"
+	"github.com/containers/image/types"
+)
+
+type archiveImageSource struct {
+	*tarfile.Source // Implements most of types.ImageSource
+	ref             archiveReference
+}
+
+// newImageSource returns a types.ImageSource for the specified image reference.
+// The caller must call .Close() on the returned ImageSource.
+func newImageSource(ctx *types.SystemContext, ref archiveReference) types.ImageSource {
+	if ref.destinationRef != nil {
+		logrus.Warnf("docker-archive: references are not supported for sources (ignoring)")
+	}
+	src := tarfile.NewSource(ref.path)
+	return &archiveImageSource{
+		Source: src,
+		ref:    ref,
+	}
+}
+
+// Reference returns the reference used to set up this source, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
+func (s *archiveImageSource) Reference() types.ImageReference {
+	return s.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+func (s *archiveImageSource) Close() error {
+	return nil
+}

vendor/github.com/containers/image/docker/archive/transport.go

@@ -0,0 +1,155 @@
+package archive
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/containers/image/docker/reference"
+	ctrImage "github.com/containers/image/image"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/pkg/errors"
+)
+
+func init() {
+	transports.Register(Transport)
+}
+
+// Transport is an ImageTransport for local Docker archives.
+var Transport = archiveTransport{}
+
+type archiveTransport struct{}
+
+func (t archiveTransport) Name() string {
+	return "docker-archive"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func (t archiveTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return ParseReference(reference)
+}
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+// (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
+// It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
+// scope passed to this function will not be "", that value is always allowed.
+func (t archiveTransport) ValidatePolicyConfigurationScope(scope string) error {
+	// See the explanation in archiveReference.PolicyConfigurationIdentity.
+	return errors.New(`docker-archive: does not support any scopes except the default "" one`)
+}
+
+// archiveReference is an ImageReference for Docker images.
+type archiveReference struct {
+	destinationRef reference.NamedTagged // only used for destinations
+	path           string
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an Docker ImageReference.
+func ParseReference(refString string) (types.ImageReference, error) {
+	if refString == "" {
+		return nil, errors.Errorf("docker-archive reference %s isn't of the form <path>[:<reference>]", refString)
+	}
+
+	parts := strings.SplitN(refString, ":", 2)
+	path := parts[0]
+	var destinationRef reference.NamedTagged
+
+	// A :tag was specified, which is only necessary for destinations.
+	if len(parts) == 2 {
+		ref, err := reference.ParseNormalizedNamed(parts[1])
+		if err != nil {
+			return nil, errors.Wrapf(err, "docker-archive parsing reference")
+		}
+		ref = reference.TagNameOnly(ref)
+
+		if _, isDigest := ref.(reference.Canonical); isDigest {
+			return nil, errors.Errorf("docker-archive doesn't support digest references: %s", refString)
+		}
+
+		refTagged, isTagged := ref.(reference.NamedTagged)
+		if !isTagged {
+			// Really shouldn't be hit...
+			return nil, errors.Errorf("internal error: reference is not tagged even after reference.TagNameOnly: %s", refString)
+		}
+		destinationRef = refTagged
+	}
+
+	return archiveReference{
+		destinationRef: destinationRef,
+		path:           path,
+	}, nil
+}
+
+func (ref archiveReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+// NOTE: The returned string is not promised to be equal to the original input to ParseReference;
+// e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
+// WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix.
+func (ref archiveReference) StringWithinTransport() string {
+	if ref.destinationRef == nil {
+		return ref.path
+	}
+	return fmt.Sprintf("%s:%s", ref.path, ref.destinationRef.String())
+}
+
+// DockerReference returns a Docker reference associated with this reference
+// (fully explicit, i.e. !reference.IsNameOnly, but reflecting user intent,
+// not e.g. after redirect or alias processing), or nil if unknown/not applicable.
+func (ref archiveReference) DockerReference() reference.Named {
+	return ref.destinationRef
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+// This MUST reflect user intent, not e.g. after processing of third-party redirects or aliases;
+// The value SHOULD be fully explicit about its semantics, with no hidden defaults, AND canonical
+// (i.e. various references with exactly the same semantics should return the same configuration identity)
+// It is fine for the return value to be equal to StringWithinTransport(), and it is desirable but
+// not required/guaranteed that it will be a valid input to Transport().ParseReference().
+// Returns "" if configuration identities for these references are not supported.
+func (ref archiveReference) PolicyConfigurationIdentity() string {
+	// Punt, the justification is similar to dockerReference.PolicyConfigurationIdentity.
+	return ""
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set.  The list will be processed
+// in order, terminating on first match, and an implicit "" is always checked at the end.
+// It is STRONGLY recommended for the first element, if any, to be a prefix of PolicyConfigurationIdentity(),
+// and each following element to be a prefix of the element preceding it.
+func (ref archiveReference) PolicyConfigurationNamespaces() []string {
+	// TODO
+	return []string{}
+}
+
+// NewImage returns a types.Image for this reference, possibly specialized for this ImageTransport.
+// The caller must call .Close() on the returned Image.
+// NOTE: If any kind of signature verification should happen, build an UnparsedImage from the value returned by NewImageSource,
+// verify that UnparsedImage, and convert it into a real Image via image.FromUnparsedImage.
+func (ref archiveReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+	src := newImageSource(ctx, ref)
+	return ctrImage.FromSource(src)
+}
+
+// NewImageSource returns a types.ImageSource for this reference,
+// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
+// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// The caller must call .Close() on the returned ImageSource.
+func (ref archiveReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	return newImageSource(ctx, ref), nil
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref archiveReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ctx, ref)
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref archiveReference) DeleteImage(ctx *types.SystemContext) error {
+	// Not really supported, for safety reasons.
+	return errors.New("Deleting images not implemented for docker-archive: images")
+}

vendor/github.com/containers/image/docker/daemon/daemon_dest.go

@@ -0,0 +1,123 @@
+package daemon
+
+import (
+	"io"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/docker/tarfile"
+	"github.com/containers/image/types"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"golang.org/x/net/context"
+)
+
+type daemonImageDestination struct {
+	ref                  daemonReference
+	*tarfile.Destination // Implements most of types.ImageDestination
+	// For talking to imageLoadGoroutine
+	goroutineCancel context.CancelFunc
+	statusChannel   <-chan error
+	writer          *io.PipeWriter
+	// Other state
+	committed bool // writer has been closed
+}
+
+// newImageDestination returns a types.ImageDestination for the specified image reference.
+func newImageDestination(systemCtx *types.SystemContext, ref daemonReference) (types.ImageDestination, error) {
+	if ref.ref == nil {
+		return nil, errors.Errorf("Invalid destination docker-daemon:%s: a destination must be a name:tag", ref.StringWithinTransport())
+	}
+	namedTaggedRef, ok := ref.ref.(reference.NamedTagged)
+	if !ok {
+		return nil, errors.Errorf("Invalid destination docker-daemon:%s: a destination must be a name:tag", ref.StringWithinTransport())
+	}
+
+	c, err := client.NewClient(client.DefaultDockerHost, "1.22", nil, nil) // FIXME: overridable host
+	if err != nil {
+		return nil, errors.Wrap(err, "Error initializing docker engine client")
+	}
+
+	reader, writer := io.Pipe()
+	// Commit() may never be called, so we may never read from this channel; so, make this buffered to allow imageLoadGoroutine to write status and terminate even if we never read it.
+	statusChannel := make(chan error, 1)
+
+	ctx, goroutineCancel := context.WithCancel(context.Background())
+	go imageLoadGoroutine(ctx, c, reader, statusChannel)
+
+	return &daemonImageDestination{
+		ref:             ref,
+		Destination:     tarfile.NewDestination(writer, namedTaggedRef),
+		goroutineCancel: goroutineCancel,
+		statusChannel:   statusChannel,
+		writer:          writer,
+		committed:       false,
+	}, nil
+}
+
+// imageLoadGoroutine accepts tar stream on reader, sends it to c, and reports error or success by writing to statusChannel
+func imageLoadGoroutine(ctx context.Context, c *client.Client, reader *io.PipeReader, statusChannel chan<- error) {
+	err := errors.New("Internal error: unexpected panic in imageLoadGoroutine")
+	defer func() {
+		logrus.Debugf("docker-daemon: sending done, status %v", err)
+		statusChannel <- err
+	}()
+	defer func() {
+		if err == nil {
+			reader.Close()
+		} else {
+			reader.CloseWithError(err)
+		}
+	}()
+
+	resp, err := c.ImageLoad(ctx, reader, true)
+	if err != nil {
+		err = errors.Wrap(err, "Error saving image to docker engine")
+		return
+	}
+	defer resp.Body.Close()
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any.
+func (d *daemonImageDestination) Close() error {
+	if !d.committed {
+		logrus.Debugf("docker-daemon: Closing tar stream to abort loading")
+		// In principle, goroutineCancel() should abort the HTTP request and stop the process from continuing.
+		// In practice, though, various HTTP implementations used by client.Client.ImageLoad() (including
+		// https://github.com/golang/net/blob/master/context/ctxhttp/ctxhttp_pre17.go and the
+		// net/http version with native Context support in Go 1.7) do not always actually immediately cancel
+		// the operation: they may process the HTTP request, or a part of it, to completion in a goroutine, and
+		// return early if the context is canceled without terminating the goroutine at all.
+		// So we need this CloseWithError to terminate sending the HTTP request Body
+		// immediately, and hopefully, through terminating the sending which uses "Transfer-Encoding: chunked"" without sending
+		// the terminating zero-length chunk, prevent the docker daemon from processing the tar stream at all.
+		// Whether that works or not, closing the PipeWriter seems desirable in any case.
+		d.writer.CloseWithError(errors.New("Aborting upload, daemonImageDestination closed without a previous .Commit()"))
+	}
+	d.goroutineCancel()
+
+	return nil
+}
+
+func (d *daemonImageDestination) Reference() types.ImageReference {
+	return d.ref
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted.
+// WARNING: This does not have any transactional semantics:
+// - Uploaded data MAY be visible to others before Commit() is called
+// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
+func (d *daemonImageDestination) Commit() error {
+	logrus.Debugf("docker-daemon: Closing tar stream")
+	if err := d.Destination.Commit(); err != nil {
+		return err
+	}
+	if err := d.writer.Close(); err != nil {
+		return err
+	}
+	d.committed = true // We may still fail, but we are done sending to imageLoadGoroutine.
+
+	logrus.Debugf("docker-daemon: Waiting for status")
+	err := <-d.statusChannel
+	return err
+}

vendor/github.com/containers/image/docker/daemon/daemon_src.go

@@ -0,0 +1,85 @@
+package daemon
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/containers/image/docker/tarfile"
+	"github.com/containers/image/types"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"golang.org/x/net/context"
+)
+
+const temporaryDirectoryForBigFiles = "/var/tmp" // Do not use the system default of os.TempDir(), usually /tmp, because with systemd it could be a tmpfs.
+
+type daemonImageSource struct {
+	ref             daemonReference
+	*tarfile.Source // Implements most of types.ImageSource
+	tarCopyPath     string
+}
+
+type layerInfo struct {
+	path string
+	size int64
+}
+
+// newImageSource returns a types.ImageSource for the specified image reference.
+// The caller must call .Close() on the returned ImageSource.
+//
+// It would be great if we were able to stream the input tar as it is being
+// sent; but Docker sends the top-level manifest, which determines which paths
+// to look for, at the end, so in we will need to seek back and re-read, several times.
+// (We could, perhaps, expect an exact sequence, assume that the first plaintext file
+// is the config, and that the following len(RootFS) files are the layers, but that feels
+// way too brittle.)
+func newImageSource(ctx *types.SystemContext, ref daemonReference) (types.ImageSource, error) {
+	c, err := client.NewClient(client.DefaultDockerHost, "1.22", nil, nil) // FIXME: overridable host
+	if err != nil {
+		return nil, errors.Wrap(err, "Error initializing docker engine client")
+	}
+	// Per NewReference(), ref.StringWithinTransport() is either an image ID (config digest), or a !reference.NameOnly() reference.
+	// Either way ImageSave should create a tarball with exactly one image.
+	inputStream, err := c.ImageSave(context.TODO(), []string{ref.StringWithinTransport()})
+	if err != nil {
+		return nil, errors.Wrap(err, "Error loading image from docker engine")
+	}
+	defer inputStream.Close()
+
+	// FIXME: use SystemContext here.
+	tarCopyFile, err := ioutil.TempFile(temporaryDirectoryForBigFiles, "docker-daemon-tar")
+	if err != nil {
+		return nil, err
+	}
+	defer tarCopyFile.Close()
+
+	succeeded := false
+	defer func() {
+		if !succeeded {
+			os.Remove(tarCopyFile.Name())
+		}
+	}()
+
+	if _, err := io.Copy(tarCopyFile, inputStream); err != nil {
+		return nil, err
+	}
+
+	succeeded = true
+	return &daemonImageSource{
+		ref:         ref,
+		Source:      tarfile.NewSource(tarCopyFile.Name()),
+		tarCopyPath: tarCopyFile.Name(),
+	}, nil
+}
+
+// Reference returns the reference used to set up this source, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
+func (s *daemonImageSource) Reference() types.ImageReference {
+	return s.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+func (s *daemonImageSource) Close() error {
+	return os.Remove(s.tarCopyPath)
+}

vendor/github.com/containers/image/docker/daemon/daemon_transport.go

@@ -0,0 +1,184 @@
+package daemon
+
+import (
+	"github.com/pkg/errors"
+
+	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/image"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/opencontainers/go-digest"
+)
+
+func init() {
+	transports.Register(Transport)
+}
+
+// Transport is an ImageTransport for images managed by a local Docker daemon.
+var Transport = daemonTransport{}
+
+type daemonTransport struct{}
+
+// Name returns the name of the transport, which must be unique among other transports.
+func (t daemonTransport) Name() string {
+	return "docker-daemon"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func (t daemonTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return ParseReference(reference)
+}
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+// (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
+// It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
+// scope passed to this function will not be "", that value is always allowed.
+func (t daemonTransport) ValidatePolicyConfigurationScope(scope string) error {
+	// See the explanation in daemonReference.PolicyConfigurationIdentity.
+	return errors.New(`docker-daemon: does not support any scopes except the default "" one`)
+}
+
+// daemonReference is an ImageReference for images managed by a local Docker daemon
+// Exactly one of id and ref can be set.
+// For daemonImageSource, both id and ref are acceptable, ref must not be a NameOnly (interpreted as all tags in that repository by the daemon)
+// For daemonImageDestination, it must be a ref, which is NamedTagged.
+// (We could, in principle, also allow storing images without tagging them, and the user would have to refer to them using the docker image ID = config digest.
+//  Using the config digest requires the caller to parse the manifest themselves, which is very cumbersome; so, for now, we don’t bother.)
+type daemonReference struct {
+	id  digest.Digest
+	ref reference.Named // !reference.IsNameOnly
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func ParseReference(refString string) (types.ImageReference, error) {
+	// This is intended to be compatible with reference.ParseAnyReference, but more strict about refusing some of the ambiguous cases.
+	// In particular, this rejects unprefixed digest values (64 hex chars), and sha256 digest prefixes (sha256:fewer-than-64-hex-chars).
+
+	// digest:hexstring is structurally the same as a reponame:tag (meaning docker.io/library/reponame:tag).
+	// reference.ParseAnyReference interprets such strings as digests.
+	if dgst, err := digest.Parse(refString); err == nil {
+		// The daemon explicitly refuses to tag images with a reponame equal to digest.Canonical - but _only_ this digest name.
+		// Other digest references are ambiguous, so refuse them.
+		if dgst.Algorithm() != digest.Canonical {
+			return nil, errors.Errorf("Invalid docker-daemon: reference %s: only digest algorithm %s accepted", refString, digest.Canonical)
+		}
+		return NewReference(dgst, nil)
+	}
+
+	ref, err := reference.ParseNormalizedNamed(refString) // This also rejects unprefixed digest values
+	if err != nil {
+		return nil, err
+	}
+	if reference.FamiliarName(ref) == digest.Canonical.String() {
+		return nil, errors.Errorf("Invalid docker-daemon: reference %s: The %s repository name is reserved for (non-shortened) digest references", refString, digest.Canonical)
+	}
+	return NewReference("", ref)
+}
+
+// NewReference returns a docker-daemon reference for either the supplied image ID (config digest) or the supplied reference (which must satisfy !reference.IsNameOnly)
+func NewReference(id digest.Digest, ref reference.Named) (types.ImageReference, error) {
+	if id != "" && ref != nil {
+		return nil, errors.New("docker-daemon: reference must not have an image ID and a reference string specified at the same time")
+	}
+	if ref != nil {
+		if reference.IsNameOnly(ref) {
+			return nil, errors.Errorf("docker-daemon: reference %s has neither a tag nor a digest", reference.FamiliarString(ref))
+		}
+		// A github.com/distribution/reference value can have a tag and a digest at the same time!
+		// Most versions of docker/reference do not handle that (ignoring the tag), so reject such input.
+		// This MAY be accepted in the future.
+		_, isTagged := ref.(reference.NamedTagged)
+		_, isDigested := ref.(reference.Canonical)
+		if isTagged && isDigested {
+			return nil, errors.Errorf("docker-daemon: references with both a tag and digest are currently not supported")
+		}
+	}
+	return daemonReference{
+		id:  id,
+		ref: ref,
+	}, nil
+}
+
+func (ref daemonReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+// NOTE: The returned string is not promised to be equal to the original input to ParseReference;
+// e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
+// WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix;
+// instead, see transports.ImageName().
+func (ref daemonReference) StringWithinTransport() string {
+	switch {
+	case ref.id != "":
+		return ref.id.String()
+	case ref.ref != nil:
+		return reference.FamiliarString(ref.ref)
+	default: // Coverage: Should never happen, NewReference above should refuse such values.
+		panic("Internal inconsistency: daemonReference has empty id and nil ref")
+	}
+}
+
+// DockerReference returns a Docker reference associated with this reference
+// (fully explicit, i.e. !reference.IsNameOnly, but reflecting user intent,
+// not e.g. after redirect or alias processing), or nil if unknown/not applicable.
+func (ref daemonReference) DockerReference() reference.Named {
+	return ref.ref // May be nil
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+// This MUST reflect user intent, not e.g. after processing of third-party redirects or aliases;
+// The value SHOULD be fully explicit about its semantics, with no hidden defaults, AND canonical
+// (i.e. various references with exactly the same semantics should return the same configuration identity)
+// It is fine for the return value to be equal to StringWithinTransport(), and it is desirable but
+// not required/guaranteed that it will be a valid input to Transport().ParseReference().
+// Returns "" if configuration identities for these references are not supported.
+func (ref daemonReference) PolicyConfigurationIdentity() string {
+	// We must allow referring to images in the daemon by image ID, otherwise untagged images would not be accessible.
+	// But the existence of image IDs means that we can’t truly well namespace the input; the untagged images would have to fall into the default policy,
+	// which can be unexpected.  So, punt.
+	return "" // This still allows using the default "" scope to define a policy for this transport.
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set.  The list will be processed
+// in order, terminating on first match, and an implicit "" is always checked at the end.
+// It is STRONGLY recommended for the first element, if any, to be a prefix of PolicyConfigurationIdentity(),
+// and each following element to be a prefix of the element preceding it.
+func (ref daemonReference) PolicyConfigurationNamespaces() []string {
+	// See the explanation in daemonReference.PolicyConfigurationIdentity.
+	return []string{}
+}
+
+// NewImage returns a types.Image for this reference.
+// The caller must call .Close() on the returned Image.
+func (ref daemonReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+	src, err := newImageSource(ctx, ref)
+	if err != nil {
+		return nil, err
+	}
+	return image.FromSource(src)
+}
+
+// NewImageSource returns a types.ImageSource for this reference,
+// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
+// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// The caller must call .Close() on the returned ImageSource.
+func (ref daemonReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	return newImageSource(ctx, ref)
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref daemonReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ctx, ref)
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref daemonReference) DeleteImage(ctx *types.SystemContext) error {
+	// Should this just untag the image? Should this stop running containers?
+	// The semantics is not quite as clear as for remote repositories.
+	// The user can run (docker rmi) directly anyway, so, for now(?), punt instead of trying to guess what the user meant.
+	return errors.Errorf("Deleting images not implemented for docker-daemon: images")
+}