v0.1.41

* Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1 * Bump gopkg.in/yaml.v2 from 2.2.7 to 2.2.8 * Bump github.com/containers/common from 0.0.7 to 0.1.4 * Remove the reference to openshift/api * vendor github.com/containers/image/v5@v5.2.0 * Manually update buildah to v1.13.1 * add specific authfile options to copy (and sync) command. * Bump github.com/containers/buildah from 1.11.6 to 1.12.0 * Add context to --encryption-key / --decryption-key processing failures * Bump github.com/containers/storage from 1.15.2 to 1.15.3 * Bump github.com/containers/buildah from 1.11.5 to 1.11.6 * remove direct reference on c/image/storage * Makefile: set GOBIN * Bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.7 * Bump github.com/containers/storage from 1.15.1 to 1.15.2 * Introduce the sync command * openshift cluster: remove .docker directory on teardown * Bump github.com/containers/storage from 1.14.0 to 1.15.1 * document installation via apk on alpine * Fix typos in doc for image encryption * Image encryption/decryption support in skopeo * make vendor-in-container * Bump github.com/containers/buildah from 1.11.4 to 1.11.5 * Travis: use go v1.13 * Use a Windows Nano Server image instead of Server Core for multi-arch testing * Increase test timeout to 15 minutes * Run the test-system container without --net=host * Mount /run/systemd/journal/socket into test-system containers * Don't unnecessarily filter out vendor from (go list ./...) output * Use -mod=vendor in (go {list,test,vet}) * Bump github.com/containers/buildah from 1.8.4 to 1.11.4 * Bump github.com/urfave/cli from 1.20.0 to 1.22.1 * skopeo: drop support for ostree * Don't critically fail on a 403 when listing tags * Revert "Temporarily work around auth.json location confusion" * Remove references to atomic * Remove references to storage.conf * Dockerfile: use golang-github-cpuguy83-go-md2man * bump version to v0.1.41-dev * systemtest: inspect container image different from current platform arch Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Bump github.com/containers/image/v5 from 5.2.0 to 5.2.1
2026-01-30 05:49:52 +00:00 · 2020-02-07 12:18:04 +01:00 · 2020-02-06 15:54:11 +01:00 · 2020-02-05 08:41:40 -05:00 · 2020-02-05 08:41:02 -05:00 · 2020-02-05 09:47:09 +01:00
2387 changed files with 634268 additions and 47108 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
-/skopeo
-/skopeo.1
+*.1
 /layers-*
+/skopeo
+
+# ignore JetBrains IDEs (GoLand) config folder
+.idea
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,10 +1,28 @@
-sudo: required
+language: go

-services:
-  - docker
+matrix:
+  include:
+  -  os: linux
+     sudo: required
+     services:
+       - docker
+  -  os: osx
+
+go:
+  - 1.13.x

 notifications:
  email: false

+install:
+  # NOTE: The (brew update) should not be necessary, and slows things down;
+  # we include it as a workaround for https://github.com/Homebrew/brew/issues/3299
+  # ideally Travis should bake the (brew update) into its images
+  # (https://github.com/travis-ci/travis-ci/issues/8552 ), but that’s only going
+  # to happen around November 2017 per https://blog.travis-ci.com/2017-10-16-a-new-default-os-x-image-is-coming .
+  # Remove the (brew update) at that time.
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then brew update && brew install gpgme ; fi
+
 script:
-  - make check
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]];   then hack/travis_osx.sh ; fi
+  - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then make vendor && ./hack/tree_status.sh && make check ; fi
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,173 @@
+# Contributing to Skopeo
+
+We'd love to have you join the community! Below summarizes the processes
+that we follow.
+
+## Topics
+
+* [Reporting Issues](#reporting-issues)
+* [Submitting Pull Requests](#submitting-pull-requests)
+* [Communications](#communications)
+<!--
+* [Becoming a Maintainer](#becoming-a-maintainer)
+-->
+
+## Reporting Issues
+
+Before reporting an issue, check our backlog of 
+[open issues](https://github.com/containers/skopeo/issues)
+to see if someone else has already reported it. If so, feel free to add
+your scenario, or additional information, to the discussion. Or simply 
+"subscribe" to it to be notified when it is updated.
+
+If you find a new issue with the project we'd love to hear about it! The most
+important aspect of a bug report is that it includes enough information for
+us to reproduce it. So, please include as much detail as possible and try
+to remove the extra stuff that doesn't really relate to the issue itself.
+The easier it is for us to reproduce it, the faster it'll be fixed!
+
+Please don't include any private/sensitive information in your issue!
+
+## Submitting Pull Requests
+
+No Pull Request (PR) is too small! Typos, additional comments in the code,
+new testcases, bug fixes, new features, more documentation, ... it's all 
+welcome!
+
+While bug fixes can first be identified via an "issue", that is not required.
+It's ok to just open up a PR with the fix, but make sure you include the same
+information you would have included in an issue - like how to reproduce it.
+
+PRs for new features should include some background on what use cases the
+new code is trying to address. When possible and when it makes sense, try to break-up
+larger PRs into smaller ones - it's easier to review smaller
+code changes. But only if those smaller ones make sense as stand-alone PRs.
+
+Regardless of the type of PR, all PRs should include:
+* well documented code changes
+* additional testcases. Ideally, they should fail w/o your code change applied
+* documentation changes
+
+Squash your commits into logical pieces of work that might want to be reviewed
+separate from the rest of the PRs. Ideally, each commit should implement a single
+idea, and the PR branch should pass the tests at every commit.  GitHub makes it easy
+to review the cumulative effect of many commits; so, when in doubt, use smaller commits.
+
+PRs that fix issues should include a reference like `Closes #XXXX` in the
+commit message so that github will automatically close the referenced issue
+when the PR is merged.
+
+<!--
+All PRs require at least two LGTMs (Looks Good To Me) from maintainers.
+-->
+
+### Sign your PRs
+
+The sign-off is a line at the end of the explanation for the patch. Your
+signature certifies that you wrote the patch or otherwise have the right to pass
+it on as an open-source patch. The rules are simple: if you can certify
+the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use your real name (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+### Dependencies management
+
+Make sure [`vndr`](https://github.com/LK4D4/vndr) is installed.
+
+In order to add a new dependency to this project:
+
+- add a new line to `vendor.conf` according to `vndr` rules (e.g. `github.com/pkg/errors master`)
+- run `make vendor`
+
+In order to update an existing dependency:
+
+- update the relevant dependency line in `vendor.conf`
+- run `make vendor`
+
+When new PRs for [containers/image](https://github.com/containers/image) break `skopeo` (i.e. `containers/image` tests fail in `make test-skopeo`):
+
+- create out a new branch in your `skopeo` checkout and switch to it
+- update `vendor.conf`. Find out the `containers/image` dependency; update it to vendor from your own branch and your own repository fork (e.g. `github.com/containers/image my-branch https://github.com/runcom/image`)
+- run `make vendor`
+- make any other necessary changes in the skopeo repo (e.g. add other dependencies now requied by `containers/image`, or update skopeo for changed `containers/image` API)
+- optionally add new integration tests to the skopeo repo
+- submit the resulting branch as a skopeo PR, marked “DO NOT MERGE”
+- iterate until tests pass and the PR is reviewed
+- then the original `containers/image` PR can be merged, disregarding its `make test-skopeo` failure
+- as soon as possible after that, in the skopeo PR, restore the `containers/image` line in `vendor.conf` to use `containers/image:master`
+- run `make vendor`
+- update the skopeo PR with the result, drop the “DO NOT MERGE” marking
+- after tests complete succcesfully again, merge the skopeo PR
+
+## Communications
+
+For general questions, or discussions, please use the 
+IRC group on `irc.freenode.net` called `container-projects`
+that has been setup.
+
+For discussions around issues/bugs and features, you can use the github
+[issues](https://github.com/containers/skopeo/issues)
+and
+[PRs](https://github.com/containers/skopeo/pulls)
+tracking system.
+
+<!--
+## Becoming a Maintainer
+
+To become a maintainer you must first be nominated by an existing maintainer.
+If a majority (>50%) of maintainers agree then the proposal is adopted and
+you will be added to the list.
+
+Removing a maintainer requires at least 75% of the remaining maintainers
+approval, or if the person requests to be removed then it is automatic.
+Normally, a maintainer will only be removed if they are considered to be
+inactive for a long period of time or are viewed as disruptive to the community.
+
+The current list of maintainers can be found in the 
+[MAINTAINERS](MAINTAINERS) file.
+-->
--- a/53
+++ b/53
@@ -1,25 +1,25 @@
 FROM fedora

-RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-go-md2man \
+RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-md2man \
+	# storage deps
+	btrfs-progs-devel \
+	device-mapper-devel \
 	# gpgme bindings deps
 	libassuan-devel gpgme-devel \
 	gnupg \
-	# registry v1 deps
-	xz-devel \
-	python-devel \
-	python-pip \
-	swig \
-	redhat-rpm-config \
-	openssl-devel \
-	patch
+	# OpenShift deps
+	which tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
+        bats jq podman \
+	golint \
+	&& dnf clean all

-# Install three versions of the registry. The first is an older version that
+# Install two versions of the registry. The first is an older version that
 # only supports schema1 manifests. The second is a newer version that supports
 # both. This allows integration-cli tests to cover push/pull with both schema1
-# and schema2 manifests. Install registry v1 also.
-ENV REGISTRY_COMMIT_SCHEMA1 ec87e9b6971d831f0eff752ddb54fb64693e51cd
-ENV REGISTRY_COMMIT 47a064d4195a9b56133891bbb13620c3ac83a827
+# and schema2 manifests.
 RUN set -x \
+	&& REGISTRY_COMMIT_SCHEMA1=ec87e9b6971d831f0eff752ddb54fb64693e51cd \
+	&& REGISTRY_COMMIT=47a064d4195a9b56133891bbb13620c3ac83a827 \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \
 	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \
@@ -28,22 +28,23 @@ RUN set -x \
 	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \
 	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
 		go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \
+	&& rm -rf "$GOPATH"
+
+RUN set -x \
+	&& export GOPATH=$(mktemp -d) \
+	&& git clone --depth 1 -b v1.5.0-alpha.3 git://github.com/openshift/origin "$GOPATH/src/github.com/openshift/origin" \
+	# The sed edits out a "go < 1.5" check which works incorrectly with go ≥ 1.10. \
+	&& sed -i -e 's/\[\[ "\${go_version\[2]}" < "go1.5" ]]/false/' "$GOPATH/src/github.com/openshift/origin/hack/common.sh" \
+	&& (cd "$GOPATH/src/github.com/openshift/origin" && make clean build && make all WHAT=cmd/dockerregistry) \
+	&& cp -a "$GOPATH/src/github.com/openshift/origin/_output/local/bin/linux"/*/* /usr/local/bin \
+	&& cp "$GOPATH/src/github.com/openshift/origin/images/dockerregistry/config.yml" /atomic-registry-config.yml \
 	&& rm -rf "$GOPATH" \
-	&& export DRV1="$(mktemp -d)" \
-	&& git clone https://github.com/docker/docker-registry.git "$DRV1" \
-	# no need for setuptools since we have a version conflict with fedora
-	&& sed -i.bak s/setuptools==5.8//g "$DRV1/requirements/main.txt" \
-	&& sed -i.bak s/setuptools==5.8//g "$DRV1/depends/docker-registry-core/requirements/main.txt" \
-	&& pip install "$DRV1/depends/docker-registry-core" \
-	&& pip install file://"$DRV1#egg=docker-registry[bugsnag,newrelic,cors]" \
-	&& patch $(python -c 'import boto; import os; print os.path.dirname(boto.__file__)')/connection.py \
-		< "$DRV1/contrib/boto_header_patch.diff" \
-	&& dnf -y update && dnf install -y m2crypto
+	&& mkdir /registry

 ENV GOPATH /usr/share/gocode:/go
 ENV PATH $GOPATH/bin:/usr/share/gocode/bin:$PATH
-RUN go get github.com/golang/lint/golint
-WORKDIR /go/src/github.com/projectatomic/skopeo
-COPY . /go/src/github.com/projectatomic/skopeo
+RUN go version
+WORKDIR /go/src/github.com/containers/skopeo
+COPY . /go/src/github.com/containers/skopeo

 #ENTRYPOINT ["hack/dind"]
--- a/Dockerfile.build
+++ b/Dockerfile.build
@@ -0,0 +1,13 @@
+FROM ubuntu:18.10
+
+RUN apt-get update && apt-get install -y \
+    golang \
+    libbtrfs-dev \
+    git-core \
+    libdevmapper-dev \
+    libgpgme11-dev \
+    go-md2man \
+    libglib2.0-dev
+
+ENV GOPATH=/
+WORKDIR /src/github.com/containers/skopeo
--- a/468
+++ b/468
@@ -1,339 +1,189 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 2, June 1991

- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/

-                            Preamble
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.)  You can apply it to
-your programs, too.
+   1. Definitions.

-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.

-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.

-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.

-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.

-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.

-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.

-  The precise terms and conditions for copying, distribution and
-modification follow.
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).

-                    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.

-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."

-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.

-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.

-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.

-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:

-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and

-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and

-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and

-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.

-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.

-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.

-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.

-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.

-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.

-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.

-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
+   END OF TERMS AND CONDITIONS

-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at

-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
+       https://www.apache.org/licenses/LICENSE-2.0

-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-                            NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License along
-    with this program; if not, write to the Free Software Foundation, Inc.,
-    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/179
+++ b/179
@@ -1,70 +1,193 @@
-.PHONY: all binary build clean install install-binary shell test-integration
+.PHONY: all binary build-container docs docs-in-container build-local clean install install-binary install-completions shell test-integration .install.vndr vendor vendor-in-container

-export GO15VENDOREXPERIMENT=1
+export GOPROXY=https://proxy.golang.org

+ifeq ($(shell uname),Darwin)
+PREFIX ?= ${DESTDIR}/usr/local
+DARWIN_BUILD_TAG=
+# On macOS, (brew install gpgme) installs it within /usr/local, but /usr/local/include is not in the default search path.
+# Rather than hard-code this directory, use gpgme-config. Sadly that must be done at the top-level user
+# instead of locally in the gpgme subpackage, because cgo supports only pkg-config, not general shell scripts,
+# and gpgme does not install a pkg-config file.
+# If gpgme is not installed or gpgme-config can’t be found for other reasons, the error is silently ignored
+# (and the user will probably find out because the cgo compilation will fail).
+GPGME_ENV := CGO_CFLAGS="$(shell gpgme-config --cflags 2>/dev/null)" CGO_LDFLAGS="$(shell gpgme-config --libs 2>/dev/null)"
+else
 PREFIX ?= ${DESTDIR}/usr
+endif
+
 INSTALLDIR=${PREFIX}/bin
 MANINSTALLDIR=${PREFIX}/share/man
-# TODO(runcom)
-#BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
+CONTAINERSSYSCONFIGDIR=${DESTDIR}/etc/containers
+REGISTRIESDDIR=${CONTAINERSSYSCONFIGDIR}/registries.d
+SIGSTOREDIR=${DESTDIR}/var/lib/containers/sigstore
+BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
+
+GO ?= go
+GOBIN := $(shell $(GO) env GOBIN)
+ifeq ($(GOBIN),)
+GOBIN := $(GOPATH)/bin
+endif
+
+CONTAINER_RUNTIME := $(shell command -v podman 2> /dev/null || echo docker)
+GOMD2MAN ?= $(shell command -v go-md2man || echo '$(GOBIN)/go-md2man')
+
+# Go module support: set `-mod=vendor` to use the vendored sources.
+# See also hack/make.sh.
+ifeq ($(shell go help mod >/dev/null 2>&1 && echo true), true)
+  GO:=GO111MODULE=on $(GO)
+  MOD_VENDOR=-mod=vendor
+endif
+
+ifeq ($(DEBUG), 1)
+  override GOGCFLAGS += -N -l
+endif
+
+ifeq ($(shell $(GO) env GOOS), linux)
+  GO_DYN_FLAGS="-buildmode=pie"
+endif

 GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
-DOCKER_IMAGE := skopeo-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
+IMAGE := skopeo-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
 # set env like gobuildtag?
-DOCKER_FLAGS := docker run --rm -i #$(DOCKER_ENVS)
+CONTAINER_CMD := ${CONTAINER_RUNTIME} run --rm -i -e TESTFLAGS="$(TESTFLAGS)" #$(CONTAINER_ENVS)
 # if this session isn't interactive, then we don't want to allocate a
 # TTY, which would fail, but if it is interactive, we do want to attach
 # so that the user can send e.g. ^C through.
 INTERACTIVE := $(shell [ -t 0 ] && echo 1 || echo 0)
 ifeq ($(INTERACTIVE), 1)
-	DOCKER_FLAGS += -t
+	CONTAINER_CMD += -t
 endif
-DOCKER_RUN_DOCKER := $(DOCKER_FLAGS) "$(DOCKER_IMAGE)"
+CONTAINER_RUN := $(CONTAINER_CMD) "$(IMAGE)"

 GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null || true)

-all: binary
+MANPAGES_MD = $(wildcard docs/*.md)
+MANPAGES ?= $(MANPAGES_MD:%.md=%)

-binary:
-	go build -ldflags "-X main.gitCommit=${GIT_COMMIT}" -o ${DEST}skopeo ./cmd/skopeo
+BTRFS_BUILD_TAG = $(shell hack/btrfs_tag.sh) $(shell hack/btrfs_installed_tag.sh)
+LIBDM_BUILD_TAG = $(shell hack/libdm_tag.sh)
+LOCAL_BUILD_TAGS = $(BTRFS_BUILD_TAG) $(LIBDM_BUILD_TAG) $(DARWIN_BUILD_TAG)
+BUILDTAGS += $(LOCAL_BUILD_TAGS)
+
+ifeq ($(DISABLE_CGO), 1)
+	override BUILDTAGS = exclude_graphdriver_devicemapper exclude_graphdriver_btrfs containers_image_openpgp
+endif
+
+#   make all DEBUG=1
+#     Note: Uses the -N -l go compiler options to disable compiler optimizations
+#           and inlining. Using these build options allows you to subsequently
+#           use source debugging tools like delve.
+all: binary docs-in-container
+
+help:
+	@echo "Usage: make <target>"
+	@echo
+	@echo " * 'install' - Install binaries and documents to system locations"
+	@echo " * 'binary' - Build skopeo with a container"
+	@echo " * 'binary-local' - Build skopeo locally"
+	@echo " * 'test-unit' - Execute unit tests"
+	@echo " * 'test-integration' - Execute integration tests"
+	@echo " * 'validate' - Verify whether there is no conflict and all Go source files have been formatted, linted and vetted"
+	@echo " * 'check' - Including above validate, test-integration and test-unit"
+	@echo " * 'shell' - Run the built image and attach to a shell"
+	@echo " * 'clean' - Clean artifacts"
+
+# Build a container image (skopeobuild) that has everything we need to build.
+# Then do the build and the output (skopeo) should appear in current dir
+binary: cmd/skopeo
+	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
+	${CONTAINER_RUNTIME} run --rm --security-opt label=disable -v $$(pwd):/src/github.com/containers/skopeo \
+		skopeobuildimage make binary-local $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'
+
+binary-static: cmd/skopeo
+	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
+	${CONTAINER_RUNTIME} run --rm --security-opt label=disable -v $$(pwd):/src/github.com/containers/skopeo \
+		skopeobuildimage make binary-local-static $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'
+
+# Build w/o using containers
+binary-local:
+	$(GPGME_ENV) $(GO) build $(MOD_VENDOR) ${GO_DYN_FLAGS} -ldflags "-X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo
+
+binary-local-static:
+	$(GPGME_ENV) $(GO) build $(MOD_VENDOR) -ldflags "-extldflags \"-static\" -X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -tags "$(BUILDTAGS)" -o skopeo ./cmd/skopeo

 build-container:
-	docker build ${DOCKER_BUILD_ARGS} -t "$(DOCKER_IMAGE)" .
+	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -t "$(IMAGE)" .
+
+$(MANPAGES): %: %.md
+	@sed -e 's/\((skopeo.*\.md)\)//' -e 's/\[\(skopeo.*\)\]/\1/' $<  | $(GOMD2MAN) -in /dev/stdin -out $@
+
+docs: $(MANPAGES)
+
+docs-in-container:
+	${CONTAINER_RUNTIME} build ${BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
+	${CONTAINER_RUNTIME} run --rm --security-opt label=disable -v $$(pwd):/src/github.com/containers/skopeo \
+		skopeobuildimage make docs $(if $(DEBUG),DEBUG=$(DEBUG)) BUILDTAGS='$(BUILDTAGS)'

 clean:
-	rm -f skopeo
+	rm -f skopeo docs/*.1

-install: install-binary
-	install -m 644 man1/skopeo.1 ${MANINSTALLDIR}/man1/
-	# TODO(runcom)
-	#install -m 644 completion/bash/skopeo ${BASHINSTALLDIR}/
+install: install-binary install-docs install-completions
+	install -d -m 755 ${SIGSTOREDIR}
+	install -d -m 755 ${CONTAINERSSYSCONFIGDIR}
+	install -m 644 default-policy.json ${CONTAINERSSYSCONFIGDIR}/policy.json
+	install -d -m 755 ${REGISTRIESDDIR}
+	install -m 644 default.yaml ${REGISTRIESDDIR}/default.yaml

-install-binary:
-	install -d -m 0755 ${INSTALLDIR}
-	install -m 755 skopeo ${INSTALLDIR}
+install-binary: ./skopeo
+	install -d -m 755 ${INSTALLDIR}
+	install -m 755 skopeo ${INSTALLDIR}/skopeo

+install-docs: docs
+	install -d -m 755 ${MANINSTALLDIR}/man1
+	install -m 644 docs/*.1 ${MANINSTALLDIR}/man1/
+
+install-completions:
+	install -m 755 -d ${BASHINSTALLDIR}
+	install -m 644 completions/bash/skopeo ${BASHINSTALLDIR}/skopeo

 shell: build-container
-	$(DOCKER_RUN_DOCKER) bash
+	$(CONTAINER_RUN) bash

-check: validate test-unit test-integration
+check: validate test-unit test-integration test-system

 # The tests can run out of entropy and block in containers, so replace /dev/random.
 test-integration: build-container
-	$(DOCKER_RUN_DOCKER) bash -c 'rm -f /dev/random; ln -sf /dev/urandom /dev/random; hack/make.sh test-integration'
+	$(CONTAINER_RUN) bash -c 'rm -f /dev/random; ln -sf /dev/urandom /dev/random; SKOPEO_CONTAINER_TESTS=1 BUILDTAGS="$(BUILDTAGS)" hack/make.sh test-integration'
+
+# complicated set of options needed to run podman-in-podman
+test-system: build-container
+	DTEMP=$(shell mktemp -d --tmpdir=/var/tmp podman-tmp.XXXXXX); \
+	$(CONTAINER_CMD) --privileged \
+	    -v $$DTEMP:/var/lib/containers:Z -v /run/systemd/journal/socket:/run/systemd/journal/socket \
+            "$(IMAGE)" \
+            bash -c 'BUILDTAGS="$(BUILDTAGS)" hack/make.sh test-system'; \
+	rc=$$?; \
+	$(RM) -rf $$DTEMP; \
+	exit $$rc

 test-unit: build-container
-	# Just call (make test unit-local) here instead of worrying about environment differences, e.g. GO15VENDOREXPERIMENT.
-	$(DOCKER_RUN_DOCKER) make test-unit-local
+	# Just call (make test unit-local) here instead of worrying about environment differences
+	$(CONTAINER_RUN) make test-unit-local BUILDTAGS='$(BUILDTAGS)'

 validate: build-container
-	$(DOCKER_RUN_DOCKER) hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+	$(CONTAINER_RUN) hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet

-# This target is only intended for development, e.g. executing it from an IDE. Use (make test) for CI or pre-release testing. 
+# This target is only intended for development, e.g. executing it from an IDE. Use (make test) for CI or pre-release testing.
 test-all-local: validate-local test-unit-local

 validate-local:
 	hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet

 test-unit-local:
-	go test $$(go list -e ./... | grep -v '^github\.com/projectatomic/skopeo/\(integration\|vendor/.*\)$$')
+	$(GPGME_ENV) $(GO) test $(MOD_VENDOR) -tags "$(BUILDTAGS)" $$($(GO) list $(MOD_VENDOR) -tags "$(BUILDTAGS)" -e ./... | grep -v '^github\.com/containers/skopeo/\(integration\|vendor/.*\)$$')
+
+vendor:
+	export GO111MODULE=on \
+		$(GO) mod tidy && \
+		$(GO) mod vendor && \
+		$(GO) mod verify
+
+vendor-in-container:
+	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.13 make vendor
--- a/README.md
+++ b/README.md
@@ -1,59 +1,120 @@
-skopeo [![Build Status](https://travis-ci.org/projectatomic/skopeo.svg?branch=master)](https://travis-ci.org/projectatomic/skopeo)
+skopeo [![Build Status](https://travis-ci.org/containers/skopeo.svg?branch=master)](https://travis-ci.org/containers/skopeo)
 =

-_Please be aware `skopeo` is still work in progress_
+<img src="https://cdn.rawgit.com/containers/skopeo/master/docs/skopeo.svg" width="250">

-`skopeo` is a command line utility which is able to _inspect_ a repository on a Docker registry and fetch images layers.  
-By _inspect_ I mean it fetches the repository's manifest and it is able to show you a `docker inspect`-like
+----
+
+`skopeo` is a command line utility that performs various operations on container images and image repositories.
+
+`skopeo` can work with [OCI images](https://github.com/opencontainers/image-spec) as well as the original Docker v2 images.
+
+Skopeo works with API V2 registries such as Docker registries, the Atomic registry, private registries, local directories and local OCI-layout directories.  Skopeo does not require a daemon to be running to perform these operations which consist of:
+
+ * Copying an image from and to various storage mechanisms.
+   For example you can copy images from one registry to another, without requiring privilege.
+ * Inspecting a remote image showing its properties including its layers, without requiring you to pull the image to the host.
+ * Deleting an image from an image repository.
+ * When required by the repository, skopeo can pass the appropriate credentials and certificates for authentication.
+
+ Skopeo operates on the following image and repository types:
+
+ * containers-storage:docker-reference
+         An image located in a local containers/storage image store.  Location and image store specified in /etc/containers/storage.conf
+
+ * dir:path
+         An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
+
+ * docker://docker-reference
+         An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in $HOME/.docker/config.json, which is set e.g. using (docker login).
+
+ * docker-archive:path[:docker-reference]
+         An image is stored in the `docker save` formated file.  docker-reference is only used when creating such a file, and it must not contain a digest.
+
+ * docker-daemon:docker-reference
+         An image docker-reference stored in the docker daemon internal storage.  docker-reference must contain either a tag or a digest.  Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
+
+ * oci:path:tag
+         An image tag in a directory compliant with "Open Container Image Layout Specification" at path.
+
+Inspecting a repository
+-
+`skopeo` is able to _inspect_ a repository on a Docker registry and fetch images layers.
+The _inspect_ command fetches the repository's manifest and it is able to show you a `docker inspect`-like
 json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about
-a repository or a tag before pulling it (using disk space) - e.g. - which tags are available for the given repository? which labels the image has?
+a repository or a tag before pulling it (using disk space).  The inspect command can show you which tags are available for the given 
+repository, the labels the image has, the creation date and operating system of the image and more.  
+

 Examples:
 ```sh
-# show repository's labels of rhel7:latest
-$ skopeo inspect docker://registry.access.redhat.com/rhel7 | jq '.Config.Labels'
+# show properties of fedora:latest
+$ skopeo inspect docker://docker.io/fedora
 {
-  "Architecture": "x86_64",
-  "Authoritative_Registry": "registry.access.redhat.com",
-  "BZComponent": "rhel-server-docker",
-  "Build_Host": "rcm-img04.build.eng.bos.redhat.com",
-  "Name": "rhel7/rhel",
-  "Release": "38",
-  "Vendor": "Red Hat, Inc.",
-  "Version": "7.2"
+    "Name": "docker.io/library/fedora",
+    "Tag": "latest",
+    "Digest": "sha256:cfd8f071bf8da7a466748f522406f7ae5908d002af1b1a1c0dcf893e183e5b32",
+    "RepoTags": [
+        "20",
+        "21",
+        "22",
+        "23",
+        "heisenbug",
+        "latest",
+        "rawhide"
+    ],
+    "Created": "2016-03-04T18:40:02.92155334Z",
+    "DockerVersion": "1.9.1",
+    "Labels": {},
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:236608c7b546e2f4e7223526c74fc71470ba06d46ec82aeb402e704bfdee02a2",
+        "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+    ]
 }

-# show repository's tags
-$ skopeo inspect docker://docker.io/fedora | jq '.RepoTags'
-[
-  "20",
-  "21",
-  "22",
-  "23",
-  "heisenbug",
-  "latest",
-  "rawhide"
-]
-
-# show image's digest
+# show unverifed image's digest
 $ skopeo inspect docker://docker.io/fedora:rawhide | jq '.Digest'
 "sha256:905b4846938c8aef94f52f3e41a11398ae5b40f5855fb0e40ed9c157e721d7f8"
+```

-# show image's label "Name"
-$ skopeo inspect docker://registry.access.redhat.com/rhel7 | jq '.Config.Labels.Name'
-"rhel7/rhel"
+Copying images
+-
+`skopeo` can copy container images between various storage mechanisms, including:
+* Docker distribution based registries
+
+  -  The Docker Hub, OpenShift, GCR, Artifactory, Quay ...
+
+* Container Storage backends
+
+  -  Docker daemon storage
+
+  -  github.com/containers/storage (Backend for CRI-O, Buildah and friends)
+
+* Local directories
+
+* Local OCI-layout directories
+
+```sh
+$ skopeo copy docker://busybox:1-glibc atomic:myns/unsigned:streaming
+$ skopeo copy docker://busybox:latest dir:existingemptydirectory
+$ skopeo copy docker://busybox:latest oci:busybox_ocilayout:latest
+```
+
+Deleting images
+-
+For example,
+```sh
+$ skopeo delete docker://localhost:5000/imagename:latest
 ```

 Private registries with authentication
 -
-When interacting with private registries, `skopeo` first looks for the Docker's cli config file (usually located at `$HOME/.docker/config.json`) to get the credentials needed to authenticate. When the file isn't available it falls back looking for `--username` and `--password` flags. The ultimate fallback, as Docker does, is to provide an empty authentication when interacting with those registries.
+When interacting with private registries, `skopeo` first looks for `--creds` (for `skopeo inspect|delete`) or `--src-creds|--dest-creds` (for `skopeo copy`) flags. If those aren't provided, it looks for the Docker's cli config file (usually located at `$HOME/.docker/config.json`) to get the credentials needed to authenticate. The ultimate fallback, as Docker does, is to provide an empty authentication when interacting with those registries.

 Examples:
 ```sh
-# on my system
-$ skopeo --help | grep docker-cfg
-   --docker-cfg "/home/runcom/.docker"	Docker's cli config for auth
-
 $ cat /home/runcom/.docker/config.json
 {
 	"auths": {
@@ -69,68 +130,122 @@ $ skopeo inspect docker://myregistrydomain.com:5000/busybox
 {"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}

 # let's try now to fake a non existent Docker's config file
-$ skopeo --docker-cfg="" inspect docker://myregistrydomain.com:5000/busybox
-FATA[0000] Get https://myregistrydomain.com:5000/v2/busybox/manifests/latest: no basic auth credentials
+$ cat /home/runcom/.docker/config.json
+{}

-# passing --username and --password - we can see that everything goes fine
-$ skopeo --docker-cfg="" --username=testuser --password=testpassword inspect docker://myregistrydomain.com:5000/busybox
+$ skopeo inspect docker://myregistrydomain.com:5000/busybox
+FATA[0000] unauthorized: authentication required
+
+# passing --creds - we can see that everything goes fine
+$ skopeo inspect --creds=testuser:testpassword docker://myregistrydomain.com:5000/busybox
 {"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
+
+# skopeo copy example:
+$ skopeo copy --src-creds=testuser:testpassword docker://myregistrydomain.com:5000/private oci:local_oci_image
 ```
 If your cli config is found but it doesn't contain the necessary credentials for the queried registry
-you'll get an error. You can fix this by either logging in (via `docker login`) or providing `--username`
-and `--password`.
-Building
+you'll get an error. You can fix this by either logging in (via `docker login`) or providing `--creds` or `--src-creds|--dest-creds`.
+
+
+Obtaining skopeo
 -
-To build `skopeo` you need at least Go 1.5 because it uses the latest `GO15VENDOREXPERIMENT` flag. Also, make sure to clone the repository in your `GOPATH` - otherwise compilation fails.
+`skopeo` may already be packaged in your distribution, for example on Fedora 23 and later you can install it using
 ```sh
-$ cd $GOPATH/src
-$ mkdir -p github.com/projectatomic
-$ cd projectatomic
-$ git clone https://github.com/projectatomic/skopeo
-$ cd skopeo && make binary
+$ sudo dnf install skopeo
+```
+for openSUSE:
+```sh
+$ sudo zypper install skopeo
+```
+on alpine: 
+```sh
+$ sudo apk add skopeo
 ```

-You may need to install additional development packages: gpgme-devel and libassuan-devel
+
+Otherwise, read on for building and installing it from source:
+
+To build the `skopeo` binary you need at least Go 1.9.
+
+There are two ways to build skopeo: in a container, or locally without a container.  Choose the one which better matches your needs and environment.
+
+### Building without a container
+Building without a container requires a bit more manual work and setup in your environment, but it is more flexible:
+- It should work in more environments (e.g. for native macOS builds)
+- It does not require root privileges (after dependencies are installed)
+- It is faster, therefore more convenient for developing `skopeo`.
+
+Install the necessary dependencies:
 ```sh
-# dnf install gpgme-devel libassuan-devel
+# Fedora:
+sudo dnf install gpgme-devel libassuan-devel btrfs-progs-devel device-mapper-devel
+
+# Ubuntu (`libbtrfs-dev` requires Ubuntu 18.10 and above):
+sudo apt install libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev
+
+# macOS:
+brew install gpgme
+
+# openSUSE
+sudo zypper install libgpgme-devel device-mapper-devel libbtrfs-devel glib2-devel
 ```

-Man:
-
-To build the man page you need [`go-md2man`](https://github.com/cpuguy83/go-md2man) available on your system, then:
+Make sure to clone this repository in your `GOPATH` - otherwise compilation fails.
+
+```sh
+$ git clone https://github.com/containers/skopeo $GOPATH/src/github.com/containers/skopeo
+$ cd $GOPATH/src/github.com/containers/skopeo && make binary-local
 ```
-$ make man
+
+### Building in a container
+Building in a container is simpler, but more restrictive:
+- It requires the `docker` command and the ability to run Linux containers
+- The created executable is a Linux executable, and depends on dynamic libraries which may only be available only in a container of a similar Linux distribution.
+
+```sh
+$ make binary # Or (make all) to also build documentation, see below.
 ```
-Installing
-
-If you built from source:
+
+To build a pure-Go static binary (disables devicemapper, btrfs, and gpgme):
+
+```sh
+$ make binary-static DISABLE_CGO=1
+```
+
+### Building documentation
+To build the manual you will need go-md2man.
+```sh
+Debian$ sudo apt-get install go-md2man
+Fedora$ sudo dnf install go-md2man
+```
+Then
+```sh
+$ make docs
+```
+
+### Installation
+Finally, after the binary and documentation is built:
 ```sh
 $ sudo make install
 ```
-`skopeo` is also available from Fedora 23:
-```sh
-sudo dnf install skopeo
-```
-Tests
-
-_You need Docker installed on your system in order to run the test suite_
-```sh
-$ make test-integration
-```
+
 TODO
 -
- update README with `layers` command
 - list all images on registry?
 - registry v2 search?
- download layers in parallel and support docker load tar(s)
 - show repo tags via flag or when reference isn't tagged or digested
- add tests (integration with deployed registries in container - Docker-like)
 - support rkt/appc image spec

 NOT TODO
 -
 - provide a _format_ flag - just use the awesome [jq](https://stedolan.github.io/jq/)

+CONTRIBUTING
+-
+
+Please read the [contribution guide](CONTRIBUTING.md) if you want to collaborate in the project.
+
 License
 -
-GPLv2
+skopeo is licensed under the Apache License, Version 2.0. See
+[LICENSE](LICENSE) for the full license text.
--- a/cmd/skopeo/cgo_pthread_ordering_workaround.go
+++ b/cmd/skopeo/cgo_pthread_ordering_workaround.go
@@ -1,3 +1,5 @@
+// +build !containers_image_openpgp
+
 package main

 /*
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -1,120 +1,219 @@
 package main

 import (
-	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"strings"

-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
-	"github.com/projectatomic/skopeo/docker/utils"
-	"github.com/projectatomic/skopeo/signature"
+	"github.com/containers/image/v5/copy"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/transports/alltransports"
+
+	encconfig "github.com/containers/ocicrypt/config"
+	enchelpers "github.com/containers/ocicrypt/helpers"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/urfave/cli"
 )

-// FIXME: Also handle schema2, and put this elsewhere:
-// docker.go contains similar code, more sophisticated
-// (at the very least the deduplication should be reused from there).
-func manifestLayers(manifest []byte) ([]string, error) {
-	man := manifestSchema1{}
-	if err := json.Unmarshal(manifest, &man); err != nil {
-		return nil, err
-	}
-
-	layers := []string{}
-	for _, layer := range man.FSLayers {
-		layers = append(layers, layer.BlobSum)
-	}
-	return layers, nil
+type copyOptions struct {
+	global            *globalOptions
+	srcImage          *imageOptions
+	destImage         *imageDestOptions
+	additionalTags    cli.StringSlice // For docker-archive: destinations, in addition to the name:tag specified as destination, also add these
+	removeSignatures  bool            // Do not copy signatures from the source image
+	signByFingerprint string          // Sign the image using a GPG key with the specified fingerprint
+	format            optionalString  // Force conversion of the image to a specified format
+	quiet             bool            // Suppress output information when copying images
+	all               bool            // Copy all of the images if the source is a list
+	encryptionKeys    cli.StringSlice // Keys needed to encrypt the image
+	decryptionKeys    cli.StringSlice // Keys needed to decrypt the image
 }

-// FIXME: this is a copy from docker_image.go and does not belong here.
-type manifestSchema1 struct {
-	Name     string
-	Tag      string
-	FSLayers []struct {
-		BlobSum string `json:"blobSum"`
-	} `json:"fsLayers"`
-	History []struct {
-		V1Compatibility string `json:"v1Compatibility"`
-	} `json:"history"`
-	// TODO(runcom) verify the downloaded manifest
-	//Signature []byte `json:"signature"`
-}
-
-func copyHandler(context *cli.Context) {
-	if len(context.Args()) != 2 {
-		logrus.Fatal("Usage: copy source destination")
+func copyCmd(global *globalOptions) cli.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	srcFlags, srcOpts := imageFlags(global, sharedOpts, "src-", "screds")
+	destFlags, destOpts := imageDestFlags(global, sharedOpts, "dest-", "dcreds")
+	opts := copyOptions{global: global,
+		srcImage:  srcOpts,
+		destImage: destOpts,
 	}

-	src, err := parseImageSource(context, context.Args()[0])
-	if err != nil {
-		logrus.Fatalf("Error initializing %s: %s", context.Args()[0], err.Error())
-	}
+	return cli.Command{
+		Name:  "copy",
+		Usage: "Copy an IMAGE-NAME from one location to another",
+		Description: fmt.Sprintf(`

-	dest, err := parseImageDestination(context, context.Args()[1])
-	if err != nil {
-		logrus.Fatalf("Error initializing %s: %s", context.Args()[1], err.Error())
-	}
-	signBy := context.String("sign-by")
+	Container "IMAGE-NAME" uses a "transport":"details" format.

-	manifest, _, err := src.GetManifest([]string{utils.DockerV2Schema1MIMEType})
-	if err != nil {
-		logrus.Fatalf("Error reading manifest: %s", err.Error())
-	}
+	Supported transports:
+	%s

-	layers, err := manifestLayers(manifest)
-	if err != nil {
-		logrus.Fatalf("Error parsing manifest: %s", err.Error())
-	}
-	for _, layer := range layers {
-		stream, err := src.GetLayer(layer)
-		if err != nil {
-			logrus.Fatalf("Error reading layer %s: %s", layer, err.Error())
-		}
-		defer stream.Close()
-		if err := dest.PutLayer(layer, stream); err != nil {
-			logrus.Fatalf("Error writing layer: %s", err.Error())
-		}
-	}
-
-	sigs, err := src.GetSignatures()
-	if err != nil {
-		logrus.Fatalf("Error reading signatures: %s", err.Error())
-	}
-
-	if signBy != "" {
-		mech, err := signature.NewGPGSigningMechanism()
-		if err != nil {
-			logrus.Fatalf("Error initializing GPG: %s", err.Error())
-		}
-		dockerReference, err := dest.CanonicalDockerReference()
-		if err != nil {
-			logrus.Fatalf("Error determining canonical Docker reference: %s", err.Error())
-		}
-
-		newSig, err := signature.SignDockerManifest(manifest, dockerReference, mech, signBy)
-		if err != nil {
-			logrus.Fatalf("Error creating signature: %s", err.Error())
-		}
-		sigs = append(sigs, newSig)
-	}
-
-	if err := dest.PutSignatures(sigs); err != nil {
-		logrus.Fatalf("Error writing signatures: %s", err.Error())
-	}
-
-	// FIXME: We need to call PutManifest after PutLayer and PutSignatures. This seems ugly; move to a "set properties" + "commit" model?
-	if err := dest.PutManifest(manifest); err != nil {
-		logrus.Fatalf("Error writing manifest: %s", err.Error())
+	See skopeo(1) section "IMAGE NAMES" for the expected format
+	`, strings.Join(transports.ListNames(), ", ")),
+		ArgsUsage: "SOURCE-IMAGE DESTINATION-IMAGE",
+		Action:    commandAction(opts.run),
+		// FIXME: Do we need to namespace the GPG aspect?
+		Flags: append(append(append([]cli.Flag{
+			cli.StringSliceFlag{
+				Name:  "additional-tag",
+				Usage: "additional tags (supports docker-archive)",
+				Value: &opts.additionalTags, // Surprisingly StringSliceFlag does not support Destination:, but modifies Value: in place.
+			},
+			cli.BoolFlag{
+				Name:        "quiet, q",
+				Usage:       "Suppress output information when copying images",
+				Destination: &opts.quiet,
+			},
+			cli.BoolFlag{
+				Name:        "all, a",
+				Usage:       "Copy all images if SOURCE-IMAGE is a list",
+				Destination: &opts.all,
+			},
+			cli.BoolFlag{
+				Name:        "remove-signatures",
+				Usage:       "Do not copy signatures from SOURCE-IMAGE",
+				Destination: &opts.removeSignatures,
+			},
+			cli.StringFlag{
+				Name:        "sign-by",
+				Usage:       "Sign the image using a GPG key with the specified `FINGERPRINT`",
+				Destination: &opts.signByFingerprint,
+			},
+			cli.GenericFlag{
+				Name:  "format, f",
+				Usage: "`MANIFEST TYPE` (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)",
+				Value: newOptionalStringValue(&opts.format),
+			},
+			cli.StringSliceFlag{
+				Name:  "encryption-key",
+				Usage: "*Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)",
+				Value: &opts.encryptionKeys,
+			},
+			cli.StringSliceFlag{
+				Name:  "decryption-key",
+				Usage: "*Experimental* key needed to decrypt the image",
+				Value: &opts.decryptionKeys,
+			},
+		}, sharedFlags...), srcFlags...), destFlags...),
 	}
 }

-var copyCmd = cli.Command{
-	Name:   "copy",
-	Action: copyHandler,
-	// FIXME: Do we need to namespace the GPG aspect?
-	Flags: []cli.Flag{
-		cli.StringFlag{
-			Name:  "sign-by",
-			Usage: "sign the image using a GPG key with the specified fingerprint",
-		},
-	},
+func (opts *copyOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 2 {
+		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
+	}
+	imageNames := args
+
+	if err := reexecIfNecessaryForImages(imageNames...); err != nil {
+		return err
+	}
+
+	policyContext, err := opts.global.getPolicyContext()
+	if err != nil {
+		return fmt.Errorf("Error loading trust policy: %v", err)
+	}
+	defer policyContext.Destroy()
+
+	srcRef, err := alltransports.ParseImageName(imageNames[0])
+	if err != nil {
+		return fmt.Errorf("Invalid source name %s: %v", imageNames[0], err)
+	}
+	destRef, err := alltransports.ParseImageName(imageNames[1])
+	if err != nil {
+		return fmt.Errorf("Invalid destination name %s: %v", imageNames[1], err)
+	}
+
+	sourceCtx, err := opts.srcImage.newSystemContext()
+	if err != nil {
+		return err
+	}
+	destinationCtx, err := opts.destImage.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	var manifestType string
+	if opts.format.present {
+		switch opts.format.value {
+		case "oci":
+			manifestType = imgspecv1.MediaTypeImageManifest
+		case "v2s1":
+			manifestType = manifest.DockerV2Schema1SignedMediaType
+		case "v2s2":
+			manifestType = manifest.DockerV2Schema2MediaType
+		default:
+			return fmt.Errorf("unknown format %q. Choose one of the supported formats: 'oci', 'v2s1', or 'v2s2'", opts.format.value)
+		}
+	}
+
+	for _, image := range opts.additionalTags {
+		ref, err := reference.ParseNormalizedNamed(image)
+		if err != nil {
+			return fmt.Errorf("error parsing additional-tag '%s': %v", image, err)
+		}
+		namedTagged, isNamedTagged := ref.(reference.NamedTagged)
+		if !isNamedTagged {
+			return fmt.Errorf("additional-tag '%s' must be a tagged reference", image)
+		}
+		destinationCtx.DockerArchiveAdditionalTags = append(destinationCtx.DockerArchiveAdditionalTags, namedTagged)
+	}
+
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	if opts.quiet {
+		stdout = nil
+	}
+	imageListSelection := copy.CopySystemImage
+	if opts.all {
+		imageListSelection = copy.CopyAllImages
+	}
+
+	if len(opts.encryptionKeys.Value()) > 0 && len(opts.decryptionKeys.Value()) > 0 {
+		return fmt.Errorf("--encryption-key and --decryption-key cannot be specified together")
+	}
+
+	var encLayers *[]int
+	var encConfig *encconfig.EncryptConfig
+	var decConfig *encconfig.DecryptConfig
+
+	if len(opts.encryptionKeys.Value()) > 0 {
+		// encryption
+		encLayers = &[]int{}
+		encryptionKeys := opts.encryptionKeys.Value()
+		ecc, err := enchelpers.CreateCryptoConfig(encryptionKeys, []string{})
+		if err != nil {
+			return fmt.Errorf("Invalid encryption keys: %v", err)
+		}
+		cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{ecc})
+		encConfig = cc.EncryptConfig
+	}
+
+	if len(opts.decryptionKeys.Value()) > 0 {
+		// decryption
+		decryptionKeys := opts.decryptionKeys.Value()
+		dcc, err := enchelpers.CreateCryptoConfig([]string{}, decryptionKeys)
+		if err != nil {
+			return fmt.Errorf("Invalid decryption keys: %v", err)
+		}
+		cc := encconfig.CombineCryptoConfigs([]encconfig.CryptoConfig{dcc})
+		decConfig = cc.DecryptConfig
+	}
+
+	_, err = copy.Image(ctx, policyContext, destRef, srcRef, &copy.Options{
+		RemoveSignatures:      opts.removeSignatures,
+		SignBy:                opts.signByFingerprint,
+		ReportWriter:          stdout,
+		SourceCtx:             sourceCtx,
+		DestinationCtx:        destinationCtx,
+		ForceManifestMIMEType: manifestType,
+		ImageListSelection:    imageListSelection,
+		OciDecryptConfig:      decConfig,
+		OciEncryptLayers:      encLayers,
+		OciEncryptConfig:      encConfig,
+	})
+	return err
 }
--- a/cmd/skopeo/delete.go
+++ b/cmd/skopeo/delete.go
@@ -0,0 +1,66 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/urfave/cli"
+)
+
+type deleteOptions struct {
+	global *globalOptions
+	image  *imageOptions
+}
+
+func deleteCmd(global *globalOptions) cli.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, "", "")
+	opts := deleteOptions{
+		global: global,
+		image:  imageOpts,
+	}
+	return cli.Command{
+		Name:  "delete",
+		Usage: "Delete image IMAGE-NAME",
+		Description: fmt.Sprintf(`
+	Delete an "IMAGE_NAME" from a transport
+
+	Supported transports:
+	%s
+
+	See skopeo(1) section "IMAGE NAMES" for the expected format
+	`, strings.Join(transports.ListNames(), ", ")),
+		ArgsUsage: "IMAGE-NAME",
+		Action:    commandAction(opts.run),
+		Flags:     append(sharedFlags, imageFlags...),
+	}
+}
+
+func (opts *deleteOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 1 {
+		return errors.New("Usage: delete imageReference")
+	}
+	imageName := args[0]
+
+	if err := reexecIfNecessaryForImages(imageName); err != nil {
+		return err
+	}
+
+	ref, err := alltransports.ParseImageName(imageName)
+	if err != nil {
+		return fmt.Errorf("Invalid source name %s: %v", imageName, err)
+	}
+
+	sys, err := opts.image.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+	return ref.DeleteImage(ctx, sys)
+}
--- a/cmd/skopeo/fixtures/.gitignore
+++ b/cmd/skopeo/fixtures/.gitignore
--- a/cmd/skopeo/fixtures/corrupt.signature
+++ b/cmd/skopeo/fixtures/corrupt.signature
--- a/cmd/skopeo/fixtures/image.manifest.json
+++ b/cmd/skopeo/fixtures/image.manifest.json
--- a/cmd/skopeo/fixtures/image.signature
+++ b/cmd/skopeo/fixtures/image.signature
--- a/cmd/skopeo/fixtures/pubring.gpg
+++ b/cmd/skopeo/fixtures/pubring.gpg
--- a/cmd/skopeo/fixtures/secring.gpg
+++ b/cmd/skopeo/fixtures/secring.gpg
--- a/cmd/skopeo/fixtures/trustdb.gpg
+++ b/cmd/skopeo/fixtures/trustdb.gpg
--- a/docker/utils/fixtures/v2s1-invalid-signatures.manifest.json
+++ b/docker/utils/fixtures/v2s1-invalid-signatures.manifest.json
--- a/cmd/skopeo/flag.go
+++ b/cmd/skopeo/flag.go
@@ -0,0 +1,109 @@
+package main
+
+import (
+	"strconv"
+
+	"github.com/urfave/cli"
+)
+
+// optionalBool is a boolean with a separate presence flag.
+type optionalBool struct {
+	present bool
+	value   bool
+}
+
+// optionalBool is a cli.Generic == flag.Value implementation equivalent to
+// the one underlying flag.Bool, except that it records whether the flag has been set.
+// This is distinct from optionalBool to (pretend to) force callers to use
+// newOptionalBool
+type optionalBoolValue optionalBool
+
+func newOptionalBoolValue(p *optionalBool) cli.Generic {
+	p.present = false
+	return (*optionalBoolValue)(p)
+}
+
+func (ob *optionalBoolValue) Set(s string) error {
+	v, err := strconv.ParseBool(s)
+	if err != nil {
+		return err
+	}
+	ob.value = v
+	ob.present = true
+	return nil
+}
+
+func (ob *optionalBoolValue) String() string {
+	if !ob.present {
+		return "" // This is, sadly, not round-trip safe: --flag is interpreted as --flag=true
+	}
+	return strconv.FormatBool(ob.value)
+}
+
+func (ob *optionalBoolValue) IsBoolFlag() bool {
+	return true
+}
+
+// optionalString is a string with a separate presence flag.
+type optionalString struct {
+	present bool
+	value   string
+}
+
+// optionalString is a cli.Generic == flag.Value implementation equivalent to
+// the one underlying flag.String, except that it records whether the flag has been set.
+// This is distinct from optionalString to (pretend to) force callers to use
+// newoptionalString
+type optionalStringValue optionalString
+
+func newOptionalStringValue(p *optionalString) cli.Generic {
+	p.present = false
+	return (*optionalStringValue)(p)
+}
+
+func (ob *optionalStringValue) Set(s string) error {
+	ob.value = s
+	ob.present = true
+	return nil
+}
+
+func (ob *optionalStringValue) String() string {
+	if !ob.present {
+		return "" // This is, sadly, not round-trip safe: --flag= is interpreted as {present:true, value:""}
+	}
+	return ob.value
+}
+
+// optionalInt is a int with a separate presence flag.
+type optionalInt struct {
+	present bool
+	value   int
+}
+
+// optionalInt is a cli.Generic == flag.Value implementation equivalent to
+// the one underlying flag.Int, except that it records whether the flag has been set.
+// This is distinct from optionalInt to (pretend to) force callers to use
+// newoptionalIntValue
+type optionalIntValue optionalInt
+
+func newOptionalIntValue(p *optionalInt) cli.Generic {
+	p.present = false
+	return (*optionalIntValue)(p)
+}
+
+func (ob *optionalIntValue) Set(s string) error {
+	v, err := strconv.ParseInt(s, 0, strconv.IntSize)
+	if err != nil {
+		return err
+	}
+	ob.value = int(v)
+	ob.present = true
+	return nil
+}
+
+func (ob *optionalIntValue) String() string {
+	if !ob.present {
+		return "" // If the value is not present, just return an empty string, any other value wouldn't make sense.
+	}
+	return strconv.Itoa(int(ob.value))
+}
--- a/cmd/skopeo/flag_test.go
+++ b/cmd/skopeo/flag_test.go
@@ -0,0 +1,239 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/urfave/cli"
+)
+
+func TestOptionalBoolSet(t *testing.T) {
+	for _, c := range []struct {
+		input    string
+		accepted bool
+		value    bool
+	}{
+		// Valid inputs documented for strconv.ParseBool == flag.BoolVar
+		{"1", true, true},
+		{"t", true, true},
+		{"T", true, true},
+		{"TRUE", true, true},
+		{"true", true, true},
+		{"True", true, true},
+		{"0", true, false},
+		{"f", true, false},
+		{"F", true, false},
+		{"FALSE", true, false},
+		{"false", true, false},
+		{"False", true, false},
+		// A few invalid inputs
+		{"", false, false},
+		{"yes", false, false},
+		{"no", false, false},
+		{"2", false, false},
+	} {
+		var ob optionalBool
+		v := newOptionalBoolValue(&ob)
+		require.False(t, ob.present)
+		err := v.Set(c.input)
+		if c.accepted {
+			assert.NoError(t, err, c.input)
+			assert.Equal(t, c.value, ob.value)
+		} else {
+			assert.Error(t, err, c.input)
+			assert.False(t, ob.present) // Just to be extra paranoid.
+		}
+	}
+
+	// Nothing actually explicitly says that .Set() is never called when the flag is not present on the command line;
+	// so, check that it is not being called, at least in the straightforward case (it's not possible to test that it
+	// is not called in any possible situation).
+	var globalOB, commandOB optionalBool
+	actionRun := false
+	app := cli.NewApp()
+	app.EnableBashCompletion = true
+	app.Flags = []cli.Flag{
+		cli.GenericFlag{
+			Name:  "global-OB",
+			Value: newOptionalBoolValue(&globalOB),
+		},
+	}
+	app.Commands = []cli.Command{{
+		Name: "cmd",
+		Flags: []cli.Flag{
+			cli.GenericFlag{
+				Name:  "command-OB",
+				Value: newOptionalBoolValue(&commandOB),
+			},
+		},
+		Action: func(*cli.Context) error {
+			assert.False(t, globalOB.present)
+			assert.False(t, commandOB.present)
+			actionRun = true
+			return nil
+		},
+	}}
+	err := app.Run([]string{"app", "cmd"})
+	require.NoError(t, err)
+	assert.True(t, actionRun)
+}
+
+func TestOptionalBoolString(t *testing.T) {
+	for _, c := range []struct {
+		input    optionalBool
+		expected string
+	}{
+		{optionalBool{present: true, value: true}, "true"},
+		{optionalBool{present: true, value: false}, "false"},
+		{optionalBool{present: false, value: true}, ""},
+		{optionalBool{present: false, value: false}, ""},
+	} {
+		var ob optionalBool
+		v := newOptionalBoolValue(&ob)
+		ob = c.input
+		res := v.String()
+		assert.Equal(t, c.expected, res)
+	}
+}
+
+func TestOptionalBoolIsBoolFlag(t *testing.T) {
+	// IsBoolFlag means that the argument value must either be part of the same argument, with =;
+	// if there is no =, the value is set to true.
+	// This differs form other flags, where the argument is required and may be either separated with = or supplied in the next argument.
+	for _, c := range []struct {
+		input        []string
+		expectedOB   optionalBool
+		expectedArgs []string
+	}{
+		{[]string{"1", "2"}, optionalBool{present: false}, []string{"1", "2"}},                                       // Flag not present
+		{[]string{"--OB=true", "1", "2"}, optionalBool{present: true, value: true}, []string{"1", "2"}},              // --OB=true
+		{[]string{"--OB=false", "1", "2"}, optionalBool{present: true, value: false}, []string{"1", "2"}},            // --OB=false
+		{[]string{"--OB", "true", "1", "2"}, optionalBool{present: true, value: true}, []string{"true", "1", "2"}},   // --OB true
+		{[]string{"--OB", "false", "1", "2"}, optionalBool{present: true, value: true}, []string{"false", "1", "2"}}, // --OB false
+	} {
+		var ob optionalBool
+		actionRun := false
+		app := cli.NewApp()
+		app.Commands = []cli.Command{{
+			Name: "cmd",
+			Flags: []cli.Flag{
+				cli.GenericFlag{
+					Name:  "OB",
+					Value: newOptionalBoolValue(&ob),
+				},
+			},
+			Action: func(ctx *cli.Context) error {
+				assert.Equal(t, c.expectedOB, ob)
+				assert.Equal(t, c.expectedArgs, ([]string)(ctx.Args()))
+				actionRun = true
+				return nil
+			},
+		}}
+		err := app.Run(append([]string{"app", "cmd"}, c.input...))
+		require.NoError(t, err)
+		assert.True(t, actionRun)
+	}
+}
+
+func TestOptionalStringSet(t *testing.T) {
+	// Really just a smoke test, but differentiating between not present and empty.
+	for _, c := range []string{"", "hello"} {
+		var os optionalString
+		v := newOptionalStringValue(&os)
+		require.False(t, os.present)
+		err := v.Set(c)
+		assert.NoError(t, err, c)
+		assert.Equal(t, c, os.value)
+	}
+
+	// Nothing actually explicitly says that .Set() is never called when the flag is not present on the command line;
+	// so, check that it is not being called, at least in the straightforward case (it's not possible to test that it
+	// is not called in any possible situation).
+	var globalOS, commandOS optionalString
+	actionRun := false
+	app := cli.NewApp()
+	app.EnableBashCompletion = true
+	app.Flags = []cli.Flag{
+		cli.GenericFlag{
+			Name:  "global-OS",
+			Value: newOptionalStringValue(&globalOS),
+		},
+	}
+	app.Commands = []cli.Command{{
+		Name: "cmd",
+		Flags: []cli.Flag{
+			cli.GenericFlag{
+				Name:  "command-OS",
+				Value: newOptionalStringValue(&commandOS),
+			},
+		},
+		Action: func(*cli.Context) error {
+			assert.False(t, globalOS.present)
+			assert.False(t, commandOS.present)
+			actionRun = true
+			return nil
+		},
+	}}
+	err := app.Run([]string{"app", "cmd"})
+	require.NoError(t, err)
+	assert.True(t, actionRun)
+}
+
+func TestOptionalStringString(t *testing.T) {
+	for _, c := range []struct {
+		input    optionalString
+		expected string
+	}{
+		{optionalString{present: true, value: "hello"}, "hello"},
+		{optionalString{present: true, value: ""}, ""},
+		{optionalString{present: false, value: "hello"}, ""},
+		{optionalString{present: false, value: ""}, ""},
+	} {
+		var os optionalString
+		v := newOptionalStringValue(&os)
+		os = c.input
+		res := v.String()
+		assert.Equal(t, c.expected, res)
+	}
+}
+
+func TestOptionalStringIsBoolFlag(t *testing.T) {
+	// NOTE: optionalStringValue does not implement IsBoolFlag!
+	// IsBoolFlag means that the argument value must either be part of the same argument, with =;
+	// if there is no =, the value is set to true.
+	// This differs form other flags, where the argument is required and may be either separated with = or supplied in the next argument.
+	for _, c := range []struct {
+		input        []string
+		expectedOS   optionalString
+		expectedArgs []string
+	}{
+		{[]string{"1", "2"}, optionalString{present: false}, []string{"1", "2"}},                                 // Flag not present
+		{[]string{"--OS=hello", "1", "2"}, optionalString{present: true, value: "hello"}, []string{"1", "2"}},    // --OS=true
+		{[]string{"--OS=", "1", "2"}, optionalString{present: true, value: ""}, []string{"1", "2"}},              // --OS=false
+		{[]string{"--OS", "hello", "1", "2"}, optionalString{present: true, value: "hello"}, []string{"1", "2"}}, // --OS true
+		{[]string{"--OS", "", "1", "2"}, optionalString{present: true, value: ""}, []string{"1", "2"}},           // --OS false
+	} {
+		var os optionalString
+		actionRun := false
+		app := cli.NewApp()
+		app.Commands = []cli.Command{{
+			Name: "cmd",
+			Flags: []cli.Flag{
+				cli.GenericFlag{
+					Name:  "OS",
+					Value: newOptionalStringValue(&os),
+				},
+			},
+			Action: func(ctx *cli.Context) error {
+				assert.Equal(t, c.expectedOS, os)
+				assert.Equal(t, c.expectedArgs, ([]string)(ctx.Args()))
+				actionRun = true
+				return nil
+			},
+		}}
+		err := app.Run(append([]string{"app", "cmd"}, c.input...))
+		require.NoError(t, err)
+		assert.True(t, actionRun)
+	}
+}
--- a/cmd/skopeo/inspect.go
+++ b/cmd/skopeo/inspect.go
@@ -3,77 +3,192 @@ package main
 import (
 	"encoding/json"
 	"fmt"
+	"io"
+	"strings"
 	"time"

-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
-	"github.com/projectatomic/skopeo/docker/utils"
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/manifest"
+	"github.com/containers/image/v5/transports"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
 )

 // inspectOutput is the output format of (skopeo inspect), primarily so that we can format it with a simple json.MarshalIndent.
 type inspectOutput struct {
-	Name          string
-	Tag           string
-	Digest        string
+	Name          string `json:",omitempty"`
+	Tag           string `json:",omitempty"`
+	Digest        digest.Digest
 	RepoTags      []string
-	Created       time.Time
+	Created       *time.Time
 	DockerVersion string
 	Labels        map[string]string
 	Architecture  string
 	Os            string
 	Layers        []string
+	Env           []string
 }

-var inspectCmd = cli.Command{
-	Name:  "inspect",
-	Usage: "inspect images on a registry",
-	Flags: []cli.Flag{
-		cli.BoolFlag{
-			Name:  "raw",
-			Usage: "output raw manifest",
-		},
-	},
-	Action: func(c *cli.Context) {
-		img, err := parseImage(c)
-		if err != nil {
-			logrus.Fatal(err)
-		}
-		rawManifest, err := img.Manifest()
-		if err != nil {
-			logrus.Fatal(err)
-		}
-		if c.Bool("raw") {
-			fmt.Println(string(rawManifest))
-			return
-		}
-		imgInspect, err := img.Inspect()
-		if err != nil {
-			logrus.Fatal(err)
-		}
-		manifestDigest, err := utils.ManifestDigest(rawManifest)
-		if err != nil {
-			logrus.Fatalf("Error computing manifest digest: %s", err.Error())
-		}
-		repoTags, err := img.GetRepositoryTags()
-		if err != nil {
-			logrus.Fatalf("Error determining repository tags: %s", err.Error())
-		}
-		outputData := inspectOutput{
-			Name:          imgInspect.Name,
-			Tag:           imgInspect.Tag,
-			Digest:        manifestDigest,
-			RepoTags:      repoTags,
-			Created:       imgInspect.Created,
-			DockerVersion: imgInspect.DockerVersion,
-			Labels:        imgInspect.Labels,
-			Architecture:  imgInspect.Architecture,
-			Os:            imgInspect.Os,
-			Layers:        imgInspect.Layers,
-		}
-		out, err := json.MarshalIndent(outputData, "", "    ")
-		if err != nil {
-			logrus.Fatal(err)
-		}
-		fmt.Println(string(out))
-	},
+type inspectOptions struct {
+	global *globalOptions
+	image  *imageOptions
+	raw    bool // Output the raw manifest instead of parsing information about the image
+	config bool // Output the raw config blob instead of parsing information about the image
+}
+
+func inspectCmd(global *globalOptions) cli.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, "", "")
+	opts := inspectOptions{
+		global: global,
+		image:  imageOpts,
+	}
+	return cli.Command{
+		Name:  "inspect",
+		Usage: "Inspect image IMAGE-NAME",
+		Description: fmt.Sprintf(`
+	Return low-level information about "IMAGE-NAME" in a registry/transport
+
+	Supported transports:
+	%s
+
+	See skopeo(1) section "IMAGE NAMES" for the expected format
+	`, strings.Join(transports.ListNames(), ", ")),
+		ArgsUsage: "IMAGE-NAME",
+		Flags: append(append([]cli.Flag{
+			cli.BoolFlag{
+				Name:        "raw",
+				Usage:       "output raw manifest or configuration",
+				Destination: &opts.raw,
+			},
+			cli.BoolFlag{
+				Name:        "config",
+				Usage:       "output configuration",
+				Destination: &opts.config,
+			},
+		}, sharedFlags...), imageFlags...),
+		Action: commandAction(opts.run),
+	}
+}
+
+func (opts *inspectOptions) run(args []string, stdout io.Writer) (retErr error) {
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	if len(args) != 1 {
+		return errors.New("Exactly one argument expected")
+	}
+	imageName := args[0]
+
+	if err := reexecIfNecessaryForImages(imageName); err != nil {
+		return err
+	}
+
+	sys, err := opts.image.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	src, err := parseImageSource(ctx, opts.image, imageName)
+	if err != nil {
+		return fmt.Errorf("Error parsing image name %q: %v", imageName, err)
+	}
+
+	defer func() {
+		if err := src.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, fmt.Sprintf("(could not close image: %v) ", err))
+		}
+	}()
+
+	rawManifest, _, err := src.GetManifest(ctx, nil)
+	if err != nil {
+		return fmt.Errorf("Error retrieving manifest for image: %v", err)
+	}
+
+	if opts.raw && !opts.config {
+		_, err := stdout.Write(rawManifest)
+		if err != nil {
+			return fmt.Errorf("Error writing manifest to standard output: %v", err)
+		}
+		return nil
+	}
+
+	img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, nil))
+	if err != nil {
+		return fmt.Errorf("Error parsing manifest for image: %v", err)
+	}
+
+	if opts.config && opts.raw {
+		configBlob, err := img.ConfigBlob(ctx)
+		if err != nil {
+			return fmt.Errorf("Error reading configuration blob: %v", err)
+		}
+		_, err = stdout.Write(configBlob)
+		if err != nil {
+			return fmt.Errorf("Error writing configuration blob to standard output: %v", err)
+		}
+		return nil
+	} else if opts.config {
+		config, err := img.OCIConfig(ctx)
+		if err != nil {
+			return fmt.Errorf("Error reading OCI-formatted configuration data: %v", err)
+		}
+		err = json.NewEncoder(stdout).Encode(config)
+		if err != nil {
+			return fmt.Errorf("Error writing OCI-formatted configuration data to standard output: %v", err)
+		}
+		return nil
+	}
+
+	imgInspect, err := img.Inspect(ctx)
+	if err != nil {
+		return err
+	}
+	outputData := inspectOutput{
+		Name: "", // Set below if DockerReference() is known
+		Tag:  imgInspect.Tag,
+		// Digest is set below.
+		RepoTags:      []string{}, // Possibly overriden for docker.Transport.
+		Created:       imgInspect.Created,
+		DockerVersion: imgInspect.DockerVersion,
+		Labels:        imgInspect.Labels,
+		Architecture:  imgInspect.Architecture,
+		Os:            imgInspect.Os,
+		Layers:        imgInspect.Layers,
+		Env:           imgInspect.Env,
+	}
+	outputData.Digest, err = manifest.Digest(rawManifest)
+	if err != nil {
+		return fmt.Errorf("Error computing manifest digest: %v", err)
+	}
+	if dockerRef := img.Reference().DockerReference(); dockerRef != nil {
+		outputData.Name = dockerRef.Name()
+	}
+	if img.Reference().Transport() == docker.Transport {
+		sys, err := opts.image.newSystemContext()
+		if err != nil {
+			return err
+		}
+		outputData.RepoTags, err = docker.GetRepositoryTags(ctx, sys, img.Reference())
+		if err != nil {
+			// some registries may decide to block the "list all tags" endpoint
+			// gracefully allow the inspect to continue in this case. Currently
+			// the IBM Bluemix container registry has this restriction.
+			// In addition, AWS ECR rejects it with 403 (Forbidden) if the "ecr:ListImages"
+			// action is not allowed.
+			if !strings.Contains(err.Error(), "401") && !strings.Contains(err.Error(), "403") {
+				return fmt.Errorf("Error determining repository tags: %v", err)
+			}
+			logrus.Warnf("Registry disallows tag list retrieval; skipping")
+		}
+	}
+	out, err := json.MarshalIndent(outputData, "", "    ")
+	if err != nil {
+		return err
+	}
+	fmt.Fprintf(stdout, "%s\n", string(out))
+	return nil
 }
--- a/cmd/skopeo/layers.go
+++ b/cmd/skopeo/layers.go
@@ -1,21 +1,150 @@
 package main

 import (
-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/containers/image/v5/directory"
+	"github.com/containers/image/v5/image"
+	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/urfave/cli"
 )

-// TODO(runcom): document args and usage
-var layersCmd = cli.Command{
-	Name:  "layers",
-	Usage: "get images layers",
-	Action: func(c *cli.Context) {
-		img, err := parseImage(c)
-		if err != nil {
-			logrus.Fatal(err)
-		}
-		if err := img.Layers(c.Args().Tail()...); err != nil {
-			logrus.Fatal(err)
-		}
-	},
+type layersOptions struct {
+	global *globalOptions
+	image  *imageOptions
+}
+
+func layersCmd(global *globalOptions) cli.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(global, sharedOpts, "", "")
+	opts := layersOptions{
+		global: global,
+		image:  imageOpts,
+	}
+	return cli.Command{
+		Name:      "layers",
+		Usage:     "Get layers of IMAGE-NAME",
+		ArgsUsage: "IMAGE-NAME [LAYER...]",
+		Hidden:    true,
+		Action:    commandAction(opts.run),
+		Flags:     append(sharedFlags, imageFlags...),
+	}
+}
+
+func (opts *layersOptions) run(args []string, stdout io.Writer) (retErr error) {
+	fmt.Fprintln(os.Stderr, `DEPRECATED: skopeo layers is deprecated in favor of skopeo copy`)
+	if len(args) == 0 {
+		return errors.New("Usage: layers imageReference [layer...]")
+	}
+	imageName := args[0]
+
+	if err := reexecIfNecessaryForImages(imageName); err != nil {
+		return err
+	}
+
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	sys, err := opts.image.newSystemContext()
+	if err != nil {
+		return err
+	}
+	cache := blobinfocache.DefaultCache(sys)
+	rawSource, err := parseImageSource(ctx, opts.image, imageName)
+	if err != nil {
+		return err
+	}
+	src, err := image.FromSource(ctx, sys, rawSource)
+	if err != nil {
+		if closeErr := rawSource.Close(); closeErr != nil {
+			return errors.Wrapf(err, " (close error: %v)", closeErr)
+		}
+
+		return err
+	}
+	defer func() {
+		if err := src.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+		}
+	}()
+
+	type blobDigest struct {
+		digest   digest.Digest
+		isConfig bool
+	}
+	var blobDigests []blobDigest
+	for _, dString := range args[1:] {
+		if !strings.HasPrefix(dString, "sha256:") {
+			dString = "sha256:" + dString
+		}
+		d, err := digest.Parse(dString)
+		if err != nil {
+			return err
+		}
+		blobDigests = append(blobDigests, blobDigest{digest: d, isConfig: false})
+	}
+
+	if len(blobDigests) == 0 {
+		layers := src.LayerInfos()
+		seenLayers := map[digest.Digest]struct{}{}
+		for _, info := range layers {
+			if _, ok := seenLayers[info.Digest]; !ok {
+				blobDigests = append(blobDigests, blobDigest{digest: info.Digest, isConfig: false})
+				seenLayers[info.Digest] = struct{}{}
+			}
+		}
+		configInfo := src.ConfigInfo()
+		if configInfo.Digest != "" {
+			blobDigests = append(blobDigests, blobDigest{digest: configInfo.Digest, isConfig: true})
+		}
+	}
+
+	tmpDir, err := ioutil.TempDir(".", "layers-")
+	if err != nil {
+		return err
+	}
+	tmpDirRef, err := directory.NewReference(tmpDir)
+	if err != nil {
+		return err
+	}
+	dest, err := tmpDirRef.NewImageDestination(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		if err := dest.Close(); err != nil {
+			retErr = errors.Wrapf(retErr, " (close error: %v)", err)
+		}
+	}()
+
+	for _, bd := range blobDigests {
+		r, blobSize, err := rawSource.GetBlob(ctx, types.BlobInfo{Digest: bd.digest, Size: -1}, cache)
+		if err != nil {
+			return err
+		}
+		if _, err := dest.PutBlob(ctx, r, types.BlobInfo{Digest: bd.digest, Size: blobSize}, cache, bd.isConfig); err != nil {
+			if closeErr := r.Close(); closeErr != nil {
+				return errors.Wrapf(err, " (close error: %v)", closeErr)
+			}
+			return err
+		}
+	}
+
+	manifest, _, err := src.Manifest(ctx)
+	if err != nil {
+		return err
+	}
+	if err := dest.PutManifest(ctx, manifest, nil); err != nil {
+		return err
+	}
+
+	return dest.Commit(ctx, image.UnparsedInstance(rawSource, nil))
 }
--- a/cmd/skopeo/main.go
+++ b/cmd/skopeo/main.go
@@ -1,72 +1,156 @@
 package main

 import (
+	"context"
 	"fmt"
 	"os"
+	"time"

-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
-	"github.com/projectatomic/skopeo/version"
+	"github.com/containers/image/v5/signature"
+	"github.com/containers/skopeo/version"
+	"github.com/containers/storage/pkg/reexec"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
 )

 // gitCommit will be the hash that the binary was built from
 // and will be populated by the Makefile
 var gitCommit = ""

-const (
-	usage = `interact with registries`
-)
+type globalOptions struct {
+	debug              bool          // Enable debug output
+	tlsVerify          optionalBool  // Require HTTPS and verify certificates (for docker: and docker-daemon:)
+	policyPath         string        // Path to a signature verification policy file
+	insecurePolicy     bool          // Use an "allow everything" signature verification policy
+	registriesDirPath  string        // Path to a "registries.d" registry configuration directory
+	overrideArch       string        // Architecture to use for choosing images, instead of the runtime one
+	overrideOS         string        // OS to use for choosing images, instead of the runtime one
+	commandTimeout     time.Duration // Timeout for the command execution
+	registriesConfPath string        // Path to the "registries.conf" file
+}
+
+// createApp returns a cli.App, and the underlying globalOptions object, to be run or tested.
+func createApp() (*cli.App, *globalOptions) {
+	opts := globalOptions{}

-func main() {
 	app := cli.NewApp()
+	app.EnableBashCompletion = true
 	app.Name = "skopeo"
 	if gitCommit != "" {
 		app.Version = fmt.Sprintf("%s commit: %s", version.Version, gitCommit)
 	} else {
 		app.Version = version.Version
 	}
-	app.Usage = usage
-	// TODO(runcom)
-	//app.EnableBashCompletion = true
+	app.Usage = "Various operations with container images and container image registries"
 	app.Flags = []cli.Flag{
 		cli.BoolFlag{
-			Name:  "debug",
-			Usage: "enable debug output",
+			Name:        "debug",
+			Usage:       "enable debug output",
+			Destination: &opts.debug,
+		},
+		cli.GenericFlag{
+			Name:   "tls-verify",
+			Usage:  "require HTTPS and verify certificates when talking to container registries (defaults to true)",
+			Hidden: true,
+			Value:  newOptionalBoolValue(&opts.tlsVerify),
 		},
 		cli.StringFlag{
-			Name:  "username",
-			Value: "",
-			Usage: "registry username",
-		},
-		cli.StringFlag{
-			Name:  "password",
-			Value: "",
-			Usage: "registry password",
-		},
-		cli.StringFlag{
-			Name:  "cert-path",
-			Value: "",
-			Usage: "Certificates path to connect to the given registry (cert.pem, key.pem)",
+			Name:        "policy",
+			Usage:       "Path to a trust policy file",
+			Destination: &opts.policyPath,
 		},
 		cli.BoolFlag{
-			Name:  "tls-verify",
-			Usage: "Whether to verify certificates or not",
+			Name:        "insecure-policy",
+			Usage:       "run the tool without any policy check",
+			Destination: &opts.insecurePolicy,
+		},
+		cli.StringFlag{
+			Name:        "registries.d",
+			Usage:       "use registry configuration files in `DIR` (e.g. for container signature storage)",
+			Destination: &opts.registriesDirPath,
+		},
+		cli.StringFlag{
+			Name:        "override-arch",
+			Usage:       "use `ARCH` instead of the architecture of the machine for choosing images",
+			Destination: &opts.overrideArch,
+		},
+		cli.StringFlag{
+			Name:        "override-os",
+			Usage:       "use `OS` instead of the running OS for choosing images",
+			Destination: &opts.overrideOS,
+		},
+		cli.DurationFlag{
+			Name:        "command-timeout",
+			Usage:       "timeout for the command execution",
+			Destination: &opts.commandTimeout,
+		},
+		cli.StringFlag{
+			Name:        "registries-conf",
+			Usage:       "path to the registries.conf file",
+			Destination: &opts.registriesConfPath,
+			Hidden:      true,
 		},
 	}
-	app.Before = func(c *cli.Context) error {
-		if c.GlobalBool("debug") {
-			logrus.SetLevel(logrus.DebugLevel)
-		}
-		return nil
-	}
+	app.Before = opts.before
 	app.Commands = []cli.Command{
-		copyCmd,
-		inspectCmd,
-		layersCmd,
-		standaloneSignCmd,
-		standaloneVerifyCmd,
+		copyCmd(&opts),
+		inspectCmd(&opts),
+		layersCmd(&opts),
+		deleteCmd(&opts),
+		manifestDigestCmd(),
+		syncCmd(&opts),
+		standaloneSignCmd(),
+		standaloneVerifyCmd(),
+		untrustedSignatureDumpCmd(),
 	}
+	return app, &opts
+}
+
+// before is run by the cli package for any command, before running the command-specific handler.
+func (opts *globalOptions) before(ctx *cli.Context) error {
+	if opts.debug {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+	if opts.tlsVerify.present {
+		logrus.Warn("'--tls-verify' is deprecated, please set this on the specific subcommand")
+	}
+	return nil
+}
+
+func main() {
+	if reexec.Init() {
+		return
+	}
+	app, _ := createApp()
 	if err := app.Run(os.Args); err != nil {
 		logrus.Fatal(err)
 	}
 }
+
+// getPolicyContext returns a *signature.PolicyContext based on opts.
+func (opts *globalOptions) getPolicyContext() (*signature.PolicyContext, error) {
+	var policy *signature.Policy // This could be cached across calls in opts.
+	var err error
+	if opts.insecurePolicy {
+		policy = &signature.Policy{Default: []signature.PolicyRequirement{signature.NewPRInsecureAcceptAnything()}}
+	} else if opts.policyPath == "" {
+		policy, err = signature.DefaultPolicy(nil)
+	} else {
+		policy, err = signature.NewPolicyFromFile(opts.policyPath)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return signature.NewPolicyContext(policy)
+}
+
+// commandTimeoutContext returns a context.Context and a cancellation callback based on opts.
+// The caller should usually "defer cancel()" immediately after calling this.
+func (opts *globalOptions) commandTimeoutContext() (context.Context, context.CancelFunc) {
+	ctx := context.Background()
+	var cancel context.CancelFunc = func() {}
+	if opts.commandTimeout > 0 {
+		ctx, cancel = context.WithTimeout(ctx, opts.commandTimeout)
+	}
+	return ctx, cancel
+}
--- a/cmd/skopeo/main_test.go
+++ b/cmd/skopeo/main_test.go
@@ -0,0 +1,14 @@
+package main
+
+import "bytes"
+
+// runSkopeo creates an app object and runs it with args, with an implied first "skopeo".
+// Returns output intended for stdout and the returned error, if any.
+func runSkopeo(args ...string) (string, error) {
+	app, _ := createApp()
+	stdout := bytes.Buffer{}
+	app.Writer = &stdout
+	args = append([]string{"skopeo"}, args...)
+	err := app.Run(args)
+	return stdout.String(), err
+}
--- a/cmd/skopeo/manifest.go
+++ b/cmd/skopeo/manifest.go
@@ -0,0 +1,42 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+
+	"github.com/containers/image/v5/manifest"
+	"github.com/urfave/cli"
+)
+
+type manifestDigestOptions struct {
+}
+
+func manifestDigestCmd() cli.Command {
+	opts := manifestDigestOptions{}
+	return cli.Command{
+		Name:      "manifest-digest",
+		Usage:     "Compute a manifest digest of a file",
+		ArgsUsage: "MANIFEST",
+		Action:    commandAction(opts.run),
+	}
+}
+
+func (opts *manifestDigestOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 1 {
+		return errors.New("Usage: skopeo manifest-digest manifest")
+	}
+	manifestPath := args[0]
+
+	man, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+	}
+	digest, err := manifest.Digest(man)
+	if err != nil {
+		return fmt.Errorf("Error computing digest: %v", err)
+	}
+	fmt.Fprintf(stdout, "%s\n", digest)
+	return nil
+}
--- a/cmd/skopeo/manifest_test.go
+++ b/cmd/skopeo/manifest_test.go
@@ -0,0 +1,31 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestManifestDigest(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+	} {
+		out, err := runSkopeo(append([]string{"manifest-digest"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("manifest-digest", "/this/doesnt/exist")
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error computing manifest
+	out, err = runSkopeo("manifest-digest", "fixtures/v2s1-invalid-signatures.manifest.json")
+	assertTestFailed(t, out, err, "computing digest")
+
+	// Success
+	out, err = runSkopeo("manifest-digest", "fixtures/image.manifest.json")
+	assert.NoError(t, err)
+	assert.Equal(t, fixturesTestImageManifestDigest.String()+"\n", out)
+}
--- a/cmd/skopeo/signing.go
+++ b/cmd/skopeo/signing.go
@@ -1,86 +1,150 @@
 package main

 import (
+	"encoding/json"
+	"errors"
 	"fmt"
+	"io"
 	"io/ioutil"

-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
-	"github.com/projectatomic/skopeo/signature"
+	"github.com/containers/image/v5/signature"
+	"github.com/urfave/cli"
 )

-func standaloneSign(context *cli.Context) {
-	outputFile := context.String("output")
-	if len(context.Args()) != 3 || outputFile == "" {
-		logrus.Fatal("Usage: skopeo standalone-sign manifest docker-reference key-fingerprint -o signature")
+type standaloneSignOptions struct {
+	output string // Output file path
+}
+
+func standaloneSignCmd() cli.Command {
+	opts := standaloneSignOptions{}
+	return cli.Command{
+		Name:      "standalone-sign",
+		Usage:     "Create a signature using local files",
+		ArgsUsage: "MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT",
+		Action:    commandAction(opts.run),
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:        "output, o",
+				Usage:       "output the signature to `SIGNATURE`",
+				Destination: &opts.output,
+			},
+		},
 	}
-	manifestPath := context.Args()[0]
-	dockerReference := context.Args()[1]
-	fingerprint := context.Args()[2]
+}
+
+func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 3 || opts.output == "" {
+		return errors.New("Usage: skopeo standalone-sign manifest docker-reference key-fingerprint -o signature")
+	}
+	manifestPath := args[0]
+	dockerReference := args[1]
+	fingerprint := args[2]

 	manifest, err := ioutil.ReadFile(manifestPath)
 	if err != nil {
-		logrus.Fatalf("Error reading %s: %s", manifestPath, err.Error())
+		return fmt.Errorf("Error reading %s: %v", manifestPath, err)
 	}

 	mech, err := signature.NewGPGSigningMechanism()
 	if err != nil {
-		logrus.Fatalf("Error initializing GPG: %s", err.Error())
+		return fmt.Errorf("Error initializing GPG: %v", err)
 	}
+	defer mech.Close()
 	signature, err := signature.SignDockerManifest(manifest, dockerReference, mech, fingerprint)
 	if err != nil {
-		logrus.Fatalf("Error creating signature: %s", err.Error())
+		return fmt.Errorf("Error creating signature: %v", err)
 	}

-	if err := ioutil.WriteFile(outputFile, signature, 0644); err != nil {
-		logrus.Fatalf("Error writing signature to %s: %s", outputFile, err.Error())
+	if err := ioutil.WriteFile(opts.output, signature, 0644); err != nil {
+		return fmt.Errorf("Error writing signature to %s: %v", opts.output, err)
+	}
+	return nil
+}
+
+type standaloneVerifyOptions struct {
+}
+
+func standaloneVerifyCmd() cli.Command {
+	opts := standaloneVerifyOptions{}
+	return cli.Command{
+		Name:      "standalone-verify",
+		Usage:     "Verify a signature using local files",
+		ArgsUsage: "MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT SIGNATURE",
+		Action:    commandAction(opts.run),
 	}
 }

-var standaloneSignCmd = cli.Command{
-	Name:   "standalone-sign",
-	Usage:  "Create a signature using local files",
-	Action: standaloneSign,
-	Flags: []cli.Flag{
-		cli.StringFlag{
-			Name:  "output, o",
-			Usage: "output signature file name",
-		},
-	},
-}
-
-func standaloneVerify(context *cli.Context) {
-	if len(context.Args()) != 4 {
-		logrus.Fatal("Usage: skopeo standalone-verify manifest docker-reference key-fingerprint signature")
+func (opts *standaloneVerifyOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 4 {
+		return errors.New("Usage: skopeo standalone-verify manifest docker-reference key-fingerprint signature")
 	}
-	manifestPath := context.Args()[0]
-	expectedDockerReference := context.Args()[1]
-	expectedFingerprint := context.Args()[2]
-	signaturePath := context.Args()[3]
+	manifestPath := args[0]
+	expectedDockerReference := args[1]
+	expectedFingerprint := args[2]
+	signaturePath := args[3]

 	unverifiedManifest, err := ioutil.ReadFile(manifestPath)
 	if err != nil {
-		logrus.Fatalf("Error reading manifest from %s: %s", signaturePath, err.Error())
+		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
 	}
 	unverifiedSignature, err := ioutil.ReadFile(signaturePath)
 	if err != nil {
-		logrus.Fatalf("Error reading signature from %s: %s", signaturePath, err.Error())
+		return fmt.Errorf("Error reading signature from %s: %v", signaturePath, err)
 	}

 	mech, err := signature.NewGPGSigningMechanism()
 	if err != nil {
-		logrus.Fatalf("Error initializing GPG: %s", err.Error())
+		return fmt.Errorf("Error initializing GPG: %v", err)
 	}
+	defer mech.Close()
 	sig, err := signature.VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprint)
 	if err != nil {
-		logrus.Fatalf("Error verifying signature: %s", err.Error())
+		return fmt.Errorf("Error verifying signature: %v", err)
 	}

-	fmt.Printf("Signature verified, digest %s\n", sig.DockerManifestDigest)
+	fmt.Fprintf(stdout, "Signature verified, digest %s\n", sig.DockerManifestDigest)
+	return nil
 }

-var standaloneVerifyCmd = cli.Command{
-	Name:   "standalone-verify",
-	Usage:  "Verify a signature using local files",
-	Action: standaloneVerify,
+// WARNING: Do not use the contents of this for ANY security decisions,
+// and be VERY CAREFUL about showing this information to humans in any way which suggest that these values “are probably” reliable.
+// There is NO REASON to expect the values to be correct, or not intentionally misleading
+// (including things like “✅ Verified by $authority”)
+//
+// The subcommand is undocumented, and it may be renamed or entirely disappear in the future.
+type untrustedSignatureDumpOptions struct {
+}
+
+func untrustedSignatureDumpCmd() cli.Command {
+	opts := untrustedSignatureDumpOptions{}
+	return cli.Command{
+		Name:      "untrusted-signature-dump-without-verification",
+		Usage:     "Dump contents of a signature WITHOUT VERIFYING IT",
+		ArgsUsage: "SIGNATURE",
+		Hidden:    true,
+		Action:    commandAction(opts.run),
+	}
+}
+
+func (opts *untrustedSignatureDumpOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 1 {
+		return errors.New("Usage: skopeo untrusted-signature-dump-without-verification signature")
+	}
+	untrustedSignaturePath := args[0]
+
+	untrustedSignature, err := ioutil.ReadFile(untrustedSignaturePath)
+	if err != nil {
+		return fmt.Errorf("Error reading untrusted signature from %s: %v", untrustedSignaturePath, err)
+	}
+
+	untrustedInfo, err := signature.GetUntrustedSignatureInformationWithoutVerifying(untrustedSignature)
+	if err != nil {
+		return fmt.Errorf("Error decoding untrusted signature: %v", err)
+	}
+	untrustedOut, err := json.MarshalIndent(untrustedInfo, "", "    ")
+	if err != nil {
+		return err
+	}
+	fmt.Fprintln(stdout, string(untrustedOut))
+	return nil
 }
--- a/cmd/skopeo/signing_test.go
+++ b/cmd/skopeo/signing_test.go
@@ -0,0 +1,178 @@
+package main
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/containers/image/v5/signature"
+	"github.com/opencontainers/go-digest"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	// fixturesTestImageManifestDigest is the Docker manifest digest of "image.manifest.json"
+	fixturesTestImageManifestDigest = digest.Digest("sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55")
+	// fixturesTestKeyFingerprint is the fingerprint of the private key.
+	fixturesTestKeyFingerprint = "1D8230F6CDB6A06716E414C1DB72F2188BB46CC8"
+	// fixturesTestKeyFingerprint is the key ID of the private key.
+	fixturesTestKeyShortID = "DB72F2188BB46CC8"
+)
+
+// Test that results of runSkopeo failed with nothing on stdout, and substring
+// within the error message.
+func assertTestFailed(t *testing.T, stdout string, err error, substring string) {
+	assert.Error(t, err)
+	assert.Empty(t, stdout)
+	assert.Contains(t, err.Error(), substring)
+}
+
+func TestStandaloneSign(t *testing.T) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	require.NoError(t, err)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil {
+		t.Skipf("Signing not supported: %v", err)
+	}
+
+	manifestPath := "fixtures/image.manifest.json"
+	dockerReference := "testing/manifest"
+	os.Setenv("GNUPGHOME", "fixtures")
+	defer os.Unsetenv("GNUPGHOME")
+
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+		{"a1", "a2", "a3"},
+		{"a1", "a2", "a3", "a4"},
+		{"-o", "o", "a1", "a2"},
+		{"-o", "o", "a1", "a2", "a3", "a4"},
+	} {
+		out, err := runSkopeo(append([]string{"standalone-sign"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("standalone-sign", "-o", "/dev/null",
+		"/this/doesnt/exist", dockerReference, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Invalid Docker reference
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/null",
+		manifestPath, "" /* empty reference */, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "empty signature content")
+
+	// Unknown key.
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/null",
+		manifestPath, dockerReference, "UNKNOWN GPG FINGERPRINT")
+	assert.Error(t, err)
+	assert.Empty(t, out)
+
+	// Error writing output
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/full",
+		manifestPath, dockerReference, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "/dev/full")
+
+	// Success
+	sigOutput, err := ioutil.TempFile("", "sig")
+	require.NoError(t, err)
+	defer os.Remove(sigOutput.Name())
+	out, err = runSkopeo("standalone-sign", "-o", sigOutput.Name(),
+		manifestPath, dockerReference, fixturesTestKeyFingerprint)
+	require.NoError(t, err)
+	assert.Empty(t, out)
+
+	sig, err := ioutil.ReadFile(sigOutput.Name())
+	require.NoError(t, err)
+	manifest, err := ioutil.ReadFile(manifestPath)
+	require.NoError(t, err)
+	mech, err = signature.NewGPGSigningMechanism()
+	require.NoError(t, err)
+	defer mech.Close()
+	verified, err := signature.VerifyDockerManifestSignature(sig, manifest, dockerReference, mech, fixturesTestKeyFingerprint)
+	require.NoError(t, err)
+	assert.Equal(t, dockerReference, verified.DockerReference)
+	assert.Equal(t, fixturesTestImageManifestDigest, verified.DockerManifestDigest)
+}
+
+func TestStandaloneVerify(t *testing.T) {
+	manifestPath := "fixtures/image.manifest.json"
+	signaturePath := "fixtures/image.signature"
+	dockerReference := "testing/manifest"
+	os.Setenv("GNUPGHOME", "fixtures")
+	defer os.Unsetenv("GNUPGHOME")
+
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2", "a3"},
+		{"a1", "a2", "a3", "a4", "a5"},
+	} {
+		out, err := runSkopeo(append([]string{"standalone-verify"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("standalone-verify", "/this/doesnt/exist",
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error reading signature
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, "/this/doesnt/exist")
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error verifying signature
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, "fixtures/corrupt.signature")
+	assertTestFailed(t, out, err, "Error verifying signature")
+
+	// Success
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified, digest "+fixturesTestImageManifestDigest.String()+"\n", out)
+}
+
+func TestUntrustedSignatureDump(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+		{"a1", "a2", "a3", "a4"},
+	} {
+		out, err := runSkopeo(append([]string{"untrusted-signature-dump-without-verification"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("untrusted-signature-dump-without-verification",
+		"/this/doesnt/exist")
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error reading signature (input is not a signature)
+	out, err = runSkopeo("untrusted-signature-dump-without-verification", "fixtures/image.manifest.json")
+	assertTestFailed(t, out, err, "Error decoding untrusted signature")
+
+	// Success
+	for _, path := range []string{"fixtures/image.signature", "fixtures/corrupt.signature"} {
+		// Success
+		out, err = runSkopeo("untrusted-signature-dump-without-verification", path)
+		require.NoError(t, err)
+
+		var info signature.UntrustedSignatureInformation
+		err := json.Unmarshal([]byte(out), &info)
+		require.NoError(t, err)
+		assert.Equal(t, fixturesTestImageManifestDigest, info.UntrustedDockerManifestDigest)
+		assert.Equal(t, "testing/manifest", info.UntrustedDockerReference)
+		assert.NotNil(t, info.UntrustedCreatorID)
+		assert.Equal(t, "atomic ", *info.UntrustedCreatorID)
+		assert.NotNil(t, info.UntrustedTimestamp)
+		assert.True(t, time.Unix(1458239713, 0).Equal(*info.UntrustedTimestamp))
+		assert.Equal(t, fixturesTestKeyShortID, info.UntrustedShortKeyIdentifier)
+	}
+}
--- a/cmd/skopeo/sync.go
+++ b/cmd/skopeo/sync.go
@@ -0,0 +1,549 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/containers/image/v5/copy"
+	"github.com/containers/image/v5/directory"
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/transports"
+	"github.com/containers/image/v5/types"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli"
+	"gopkg.in/yaml.v2"
+)
+
+// syncOptions contains information retrieved from the skopeo sync command line.
+type syncOptions struct {
+	global            *globalOptions    // Global (not command dependant) skopeo options
+	srcImage          *imageOptions     // Source image options
+	destImage         *imageDestOptions // Destination image options
+	removeSignatures  bool              // Do not copy signatures from the source image
+	signByFingerprint string            // Sign the image using a GPG key with the specified fingerprint
+	source            string            // Source repository name
+	destination       string            // Destination registry name
+	scoped            bool              // When true, namespace copied images at destination using the source repository name
+}
+
+// repoDescriptor contains information of a single repository used as a sync source.
+type repoDescriptor struct {
+	DirBasePath  string                 // base path when source is 'dir'
+	TaggedImages []types.ImageReference // List of tagged image found for the repository
+	Context      *types.SystemContext   // SystemContext for the sync command
+}
+
+// tlsVerify is an implementation of the Unmarshaler interface, used to
+// customize the unmarshaling behaviour of the tls-verify YAML key.
+type tlsVerifyConfig struct {
+	skip types.OptionalBool // skip TLS verification check (false by default)
+}
+
+// registrySyncConfig contains information about a single registry, read from
+// the source YAML file
+type registrySyncConfig struct {
+	Images      map[string][]string    // Images map images name to slices with the images' tags
+	Credentials types.DockerAuthConfig // Username and password used to authenticate with the registry
+	TLSVerify   tlsVerifyConfig        `yaml:"tls-verify"` // TLS verification mode (enabled by default)
+	CertDir     string                 `yaml:"cert-dir"`   // Path to the TLS certificates of the registry
+}
+
+// sourceConfig contains all registries information read from the source YAML file
+type sourceConfig map[string]registrySyncConfig
+
+func syncCmd(global *globalOptions) cli.Command {
+	sharedFlags, sharedOpts := sharedImageFlags()
+	srcFlags, srcOpts := dockerImageFlags(global, sharedOpts, "src-", "screds")
+	destFlags, destOpts := dockerImageFlags(global, sharedOpts, "dest-", "dcreds")
+
+	opts := syncOptions{
+		global:    global,
+		srcImage:  srcOpts,
+		destImage: &imageDestOptions{imageOptions: destOpts},
+	}
+
+	return cli.Command{
+		Name:  "sync",
+		Usage: "Synchronize one or more images from one location to another",
+		Description: fmt.Sprint(`
+
+	Copy all the images from a SOURCE to a DESTINATION.
+
+	Allowed SOURCE transports (specified with --src): docker, dir, yaml.
+	Allowed DESTINATION transports (specified with --dest): docker, dir.
+
+	See skopeo-sync(1) for details.
+	`),
+		ArgsUsage: "--src SOURCE-LOCATION --dest DESTINATION-LOCATION SOURCE DESTINATION",
+		Action:    commandAction(opts.run),
+		// FIXME: Do we need to namespace the GPG aspect?
+		Flags: append(append(append([]cli.Flag{
+			cli.BoolFlag{
+				Name:        "remove-signatures",
+				Usage:       "Do not copy signatures from SOURCE images",
+				Destination: &opts.removeSignatures,
+			},
+			cli.StringFlag{
+				Name:        "sign-by",
+				Usage:       "Sign the image using a GPG key with the specified `FINGERPRINT`",
+				Destination: &opts.signByFingerprint,
+			},
+			cli.StringFlag{
+				Name:        "src, s",
+				Usage:       "SOURCE transport type",
+				Destination: &opts.source,
+			},
+			cli.StringFlag{
+				Name:        "dest, d",
+				Usage:       "DESTINATION transport type",
+				Destination: &opts.destination,
+			},
+			cli.BoolFlag{
+				Name:        "scoped",
+				Usage:       "Images at DESTINATION are prefix using the full source image path as scope",
+				Destination: &opts.scoped,
+			},
+		}, sharedFlags...), srcFlags...), destFlags...),
+	}
+}
+
+// unmarshalYAML is the implementation of the Unmarshaler interface method
+// method for the tlsVerifyConfig type.
+// It unmarshals the 'tls-verify' YAML key so that, when they key is not
+// specified, tls verification is enforced.
+func (tls *tlsVerifyConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var verify bool
+	if err := unmarshal(&verify); err != nil {
+		return err
+	}
+
+	tls.skip = types.NewOptionalBool(!verify)
+	return nil
+}
+
+// newSourceConfig unmarshals the provided YAML file path to the sourceConfig type.
+// It returns a new unmarshaled sourceConfig object and any error encountered.
+func newSourceConfig(yamlFile string) (sourceConfig, error) {
+	var cfg sourceConfig
+	source, err := ioutil.ReadFile(yamlFile)
+	if err != nil {
+		return cfg, err
+	}
+	err = yaml.Unmarshal(source, &cfg)
+	if err != nil {
+		return cfg, errors.Wrapf(err, "Failed to unmarshal %q", yamlFile)
+	}
+	return cfg, nil
+}
+
+// destinationReference creates an image reference using the provided transport.
+// It returns a image reference to be used as destination of an image copy and
+// any error encountered.
+func destinationReference(destination string, transport string) (types.ImageReference, error) {
+	var imageTransport types.ImageTransport
+
+	switch transport {
+	case docker.Transport.Name():
+		destination = fmt.Sprintf("//%s", destination)
+		imageTransport = docker.Transport
+	case directory.Transport.Name():
+		_, err := os.Stat(destination)
+		if err == nil {
+			return nil, errors.Errorf(fmt.Sprintf("Refusing to overwrite destination directory %q", destination))
+		}
+		if !os.IsNotExist(err) {
+			return nil, errors.Wrap(err, "Destination directory could not be used")
+		}
+		// the directory holding the image must be created here
+		if err = os.MkdirAll(destination, 0755); err != nil {
+			return nil, errors.Wrapf(err, fmt.Sprintf("Error creating directory for image %s",
+				destination))
+		}
+		imageTransport = directory.Transport
+	default:
+		return nil, errors.Errorf("%q is not a valid destination transport", transport)
+	}
+	logrus.Debugf("Destination for transport %q: %s", transport, destination)
+
+	destRef, err := imageTransport.ParseReference(destination)
+	if err != nil {
+		return nil, errors.Wrapf(err, fmt.Sprintf("Cannot obtain a valid image reference for transport %q and reference %q", imageTransport.Name(), destination))
+	}
+
+	return destRef, nil
+}
+
+// getImageTags retrieves all the tags associated to an image hosted on a
+// container registry.
+// It returns a string slice of tags and any error encountered.
+func getImageTags(ctx context.Context, sysCtx *types.SystemContext, imgRef types.ImageReference) ([]string, error) {
+	name := imgRef.DockerReference().Name()
+	logrus.WithFields(logrus.Fields{
+		"image": name,
+	}).Info("Getting tags")
+	tags, err := docker.GetRepositoryTags(ctx, sysCtx, imgRef)
+
+	switch err := err.(type) {
+	case nil:
+		break
+	case docker.ErrUnauthorizedForCredentials:
+		// Some registries may decide to block the "list all tags" endpoint.
+		// Gracefully allow the sync to continue in this case.
+		logrus.Warnf("Registry disallows tag list retrieval: %s", err)
+		break
+	default:
+		return tags, errors.Wrapf(err, fmt.Sprintf("Error determining repository tags for image %s", name))
+	}
+
+	return tags, nil
+}
+
+// isTagSpecified checks if an image name includes a tag and returns any errors
+// encountered.
+func isTagSpecified(imageName string) (bool, error) {
+	normNamed, err := reference.ParseNormalizedNamed(imageName)
+	if err != nil {
+		return false, err
+	}
+
+	tagged := !reference.IsNameOnly(normNamed)
+	logrus.WithFields(logrus.Fields{
+		"imagename": imageName,
+		"tagged":    tagged,
+	}).Info("Tag presence check")
+	return tagged, nil
+}
+
+// imagesTopCopyFromRepo builds a list of image references from the tags
+// found in the source repository.
+// It returns an image reference slice with as many elements as the tags found
+// and any error encountered.
+func imagesToCopyFromRepo(repoReference types.ImageReference, repoName string, sourceCtx *types.SystemContext) ([]types.ImageReference, error) {
+	var sourceReferences []types.ImageReference
+	tags, err := getImageTags(context.Background(), sourceCtx, repoReference)
+	if err != nil {
+		return sourceReferences, err
+	}
+
+	for _, tag := range tags {
+		imageAndTag := fmt.Sprintf("%s:%s", repoName, tag)
+		ref, err := docker.ParseReference(imageAndTag)
+		if err != nil {
+			return nil, errors.Wrapf(err, fmt.Sprintf("Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), imageAndTag))
+		}
+		sourceReferences = append(sourceReferences, ref)
+	}
+	return sourceReferences, nil
+}
+
+// imagesTopCopyFromDir builds a list of image references from the images found
+// in the source directory.
+// It returns an image reference slice with as many elements as the images found
+// and any error encountered.
+func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {
+	var sourceReferences []types.ImageReference
+	err := filepath.Walk(dirPath, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() && info.Name() == "manifest.json" {
+			dirname := filepath.Dir(path)
+			ref, err := directory.Transport.ParseReference(dirname)
+			if err != nil {
+				return errors.Wrapf(err, fmt.Sprintf("Cannot obtain a valid image reference for transport %q and reference %q", directory.Transport.Name(), dirname))
+			}
+			sourceReferences = append(sourceReferences, ref)
+			return filepath.SkipDir
+		}
+		return nil
+	})
+
+	if err != nil {
+		return sourceReferences,
+			errors.Wrapf(err, fmt.Sprintf("Error walking the path %q", dirPath))
+	}
+
+	return sourceReferences, nil
+}
+
+// imagesTopCopyFromDir builds a list of repository descriptors from the images
+// in a registry configuration.
+// It returns a repository descriptors slice with as many elements as the images
+// found and any error encountered. Each element of the slice is a list of
+// tagged image references, to be used as sync source.
+func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourceCtx types.SystemContext) ([]repoDescriptor, error) {
+	var repoDescList []repoDescriptor
+	for imageName, tags := range cfg.Images {
+		repoName := fmt.Sprintf("//%s", path.Join(registryName, imageName))
+		logrus.WithFields(logrus.Fields{
+			"repo":     imageName,
+			"registry": registryName,
+		}).Info("Processing repo")
+
+		serverCtx := &sourceCtx
+		// override ctx with per-registryName options
+		serverCtx.DockerCertPath = cfg.CertDir
+		serverCtx.DockerDaemonCertPath = cfg.CertDir
+		serverCtx.DockerDaemonInsecureSkipTLSVerify = (cfg.TLSVerify.skip == types.OptionalBoolTrue)
+		serverCtx.DockerInsecureSkipTLSVerify = cfg.TLSVerify.skip
+		serverCtx.DockerAuthConfig = &cfg.Credentials
+
+		var sourceReferences []types.ImageReference
+		for _, tag := range tags {
+			source := fmt.Sprintf("%s:%s", repoName, tag)
+
+			imageRef, err := docker.ParseReference(source)
+			if err != nil {
+				logrus.WithFields(logrus.Fields{
+					"tag": source,
+				}).Error("Error processing tag, skipping")
+				logrus.Errorf("Error getting image reference: %s", err)
+				continue
+			}
+			sourceReferences = append(sourceReferences, imageRef)
+		}
+
+		if len(tags) == 0 {
+			logrus.WithFields(logrus.Fields{
+				"repo":     imageName,
+				"registry": registryName,
+			}).Info("Querying registry for image tags")
+
+			imageRef, err := docker.ParseReference(repoName)
+			if err != nil {
+				logrus.WithFields(logrus.Fields{
+					"repo":     imageName,
+					"registry": registryName,
+				}).Error("Error processing repo, skipping")
+				logrus.Error(err)
+				continue
+			}
+
+			sourceReferences, err = imagesToCopyFromRepo(imageRef, repoName, serverCtx)
+			if err != nil {
+				logrus.WithFields(logrus.Fields{
+					"repo":     imageName,
+					"registry": registryName,
+				}).Error("Error processing repo, skipping")
+				logrus.Error(err)
+				continue
+			}
+		}
+
+		if len(sourceReferences) == 0 {
+			logrus.WithFields(logrus.Fields{
+				"repo":     imageName,
+				"registry": registryName,
+			}).Warnf("No tags to sync found")
+			continue
+		}
+		repoDescList = append(repoDescList, repoDescriptor{
+			TaggedImages: sourceReferences,
+			Context:      serverCtx})
+	}
+
+	return repoDescList, nil
+}
+
+// imagesToCopy retrieves all the images to copy from a specified sync source
+// and transport.
+// It returns a slice of repository descriptors, where each descriptor is a
+// list of tagged image references to be used as sync source, and any error
+// encountered.
+func imagesToCopy(source string, transport string, sourceCtx *types.SystemContext) ([]repoDescriptor, error) {
+	var descriptors []repoDescriptor
+
+	switch transport {
+	case docker.Transport.Name():
+		desc := repoDescriptor{
+			Context: sourceCtx,
+		}
+		refName := fmt.Sprintf("//%s", source)
+		srcRef, err := docker.ParseReference(refName)
+		if err != nil {
+			return nil, errors.Wrapf(err, fmt.Sprintf("Cannot obtain a valid image reference for transport %q and reference %q", docker.Transport.Name(), refName))
+		}
+		imageTagged, err := isTagSpecified(source)
+		if err != nil {
+			return descriptors, err
+		}
+
+		if imageTagged {
+			desc.TaggedImages = append(desc.TaggedImages, srcRef)
+			descriptors = append(descriptors, desc)
+			break
+		}
+
+		desc.TaggedImages, err = imagesToCopyFromRepo(
+			srcRef,
+			fmt.Sprintf("//%s", source),
+			sourceCtx)
+
+		if err != nil {
+			return descriptors, err
+		}
+		if len(desc.TaggedImages) == 0 {
+			return descriptors, errors.Errorf("No images to sync found in %q", source)
+		}
+		descriptors = append(descriptors, desc)
+
+	case directory.Transport.Name():
+		desc := repoDescriptor{
+			Context: sourceCtx,
+		}
+
+		if _, err := os.Stat(source); err != nil {
+			return descriptors, errors.Wrap(err, "Invalid source directory specified")
+		}
+		desc.DirBasePath = source
+		var err error
+		desc.TaggedImages, err = imagesToCopyFromDir(source)
+		if err != nil {
+			return descriptors, err
+		}
+		if len(desc.TaggedImages) == 0 {
+			return descriptors, errors.Errorf("No images to sync found in %q", source)
+		}
+		descriptors = append(descriptors, desc)
+
+	case "yaml":
+		cfg, err := newSourceConfig(source)
+		if err != nil {
+			return descriptors, err
+		}
+		for registryName, registryConfig := range cfg {
+			if len(registryConfig.Images) == 0 {
+				logrus.WithFields(logrus.Fields{
+					"registry": registryName,
+				}).Warn("No images specified for registry")
+				continue
+			}
+
+			descs, err := imagesToCopyFromRegistry(registryName, registryConfig, *sourceCtx)
+			if err != nil {
+				return descriptors, errors.Wrapf(err, "Failed to retrieve list of images from registry %q", registryName)
+			}
+			descriptors = append(descriptors, descs...)
+		}
+	}
+
+	return descriptors, nil
+}
+
+func (opts *syncOptions) run(args []string, stdout io.Writer) error {
+	if len(args) != 2 {
+		return errorShouldDisplayUsage{errors.New("Exactly two arguments expected")}
+	}
+
+	policyContext, err := opts.global.getPolicyContext()
+	if err != nil {
+		return errors.Wrapf(err, "Error loading trust policy")
+	}
+	defer policyContext.Destroy()
+
+	// validate source and destination options
+	contains := func(val string, list []string) (_ bool) {
+		for _, l := range list {
+			if l == val {
+				return true
+			}
+		}
+		return
+	}
+
+	if len(opts.source) == 0 {
+		return errors.New("A source transport must be specified")
+	}
+	if !contains(opts.source, []string{docker.Transport.Name(), directory.Transport.Name(), "yaml"}) {
+		return errors.Errorf("%q is not a valid source transport", opts.source)
+	}
+
+	if len(opts.destination) == 0 {
+		return errors.New("A destination transport must be specified")
+	}
+	if !contains(opts.destination, []string{docker.Transport.Name(), directory.Transport.Name()}) {
+		return errors.Errorf("%q is not a valid destination transport", opts.destination)
+	}
+
+	if opts.source == opts.destination && opts.source == directory.Transport.Name() {
+		return errors.New("sync from 'dir' to 'dir' not implemented, consider using rsync instead")
+	}
+
+	sourceCtx, err := opts.srcImage.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	sourceArg := args[0]
+	srcRepoList, err := imagesToCopy(sourceArg, opts.source, sourceCtx)
+	if err != nil {
+		return err
+	}
+
+	destination := args[1]
+	destinationCtx, err := opts.destImage.newSystemContext()
+	if err != nil {
+		return err
+	}
+
+	ctx, cancel := opts.global.commandTimeoutContext()
+	defer cancel()
+
+	imagesNumber := 0
+	options := copy.Options{
+		RemoveSignatures: opts.removeSignatures,
+		SignBy:           opts.signByFingerprint,
+		ReportWriter:     os.Stdout,
+		DestinationCtx:   destinationCtx,
+	}
+
+	for _, srcRepo := range srcRepoList {
+		options.SourceCtx = srcRepo.Context
+		for counter, ref := range srcRepo.TaggedImages {
+			var destSuffix string
+			switch ref.Transport() {
+			case docker.Transport:
+				// docker -> dir or docker -> docker
+				destSuffix = ref.DockerReference().String()
+			case directory.Transport:
+				// dir -> docker (we don't allow `dir` -> `dir` sync operations)
+				destSuffix = strings.TrimPrefix(ref.StringWithinTransport(), srcRepo.DirBasePath)
+				if destSuffix == "" {
+					// if source is a full path to an image, have destPath scoped to repo:tag
+					destSuffix = path.Base(srcRepo.DirBasePath)
+				}
+			}
+
+			if !opts.scoped {
+				destSuffix = path.Base(destSuffix)
+			}
+
+			destRef, err := destinationReference(path.Join(destination, destSuffix), opts.destination)
+			if err != nil {
+				return err
+			}
+
+			logrus.WithFields(logrus.Fields{
+				"from": transports.ImageName(ref),
+				"to":   transports.ImageName(destRef),
+			}).Infof("Copying image tag %d/%d", counter+1, len(srcRepo.TaggedImages))
+
+			_, err = copy.Image(ctx, policyContext, destRef, ref, &options)
+			if err != nil {
+				return errors.Wrapf(err, fmt.Sprintf("Error copying tag %q", transports.ImageName(ref)))
+			}
+			imagesNumber++
+		}
+	}
+
+	logrus.Infof("Synced %d images from %d sources", imagesNumber, len(srcRepoList))
+	return nil
+}
--- a/cmd/skopeo/unshare.go
+++ b/cmd/skopeo/unshare.go
@@ -0,0 +1,11 @@
+// +build !linux
+
+package main
+
+func maybeReexec() error {
+	return nil
+}
+
+func reexecIfNecessaryForImages(inputImageNames ...string) error {
+	return nil
+}
--- a/cmd/skopeo/unshare_linux.go
+++ b/cmd/skopeo/unshare_linux.go
@@ -0,0 +1,48 @@
+package main
+
+import (
+	"github.com/containers/common/pkg/unshare"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/pkg/errors"
+	"github.com/syndtr/gocapability/capability"
+)
+
+var neededCapabilities = []capability.Cap{
+	capability.CAP_CHOWN,
+	capability.CAP_DAC_OVERRIDE,
+	capability.CAP_FOWNER,
+	capability.CAP_FSETID,
+	capability.CAP_MKNOD,
+	capability.CAP_SETFCAP,
+}
+
+func maybeReexec() error {
+	// With Skopeo we need only the subset of the root capabilities necessary
+	// for pulling an image to the storage.  Do not attempt to create a namespace
+	// if we already have the capabilities we need.
+	capabilities, err := capability.NewPid(0)
+	if err != nil {
+		return errors.Wrapf(err, "error reading the current capabilities sets")
+	}
+	for _, cap := range neededCapabilities {
+		if !capabilities.Get(capability.EFFECTIVE, cap) {
+			// We miss a capability we need, create a user namespaces
+			unshare.MaybeReexecUsingUserNamespace(true)
+			return nil
+		}
+	}
+	return nil
+}
+
+func reexecIfNecessaryForImages(imageNames ...string) error {
+	// Check if container-storage is used before doing unshare
+	for _, imageName := range imageNames {
+		transport := alltransports.TransportFromImageName(imageName)
+		// Hard-code the storage name to avoid a reference on c/image/storage.
+		// See https://github.com/containers/skopeo/issues/771#issuecomment-563125006.
+		if transport != nil && transport.Name() == "containers-storage" {
+			return maybeReexec()
+		}
+	}
+	return nil
+}
--- a/cmd/skopeo/utils.go
+++ b/cmd/skopeo/utils.go
@@ -1,71 +1,301 @@
 package main

 import (
-	"fmt"
+	"context"
+	"io"
 	"strings"

-	"github.com/codegangsta/cli"
-	"github.com/projectatomic/skopeo/directory"
-	"github.com/projectatomic/skopeo/docker"
-	"github.com/projectatomic/skopeo/openshift"
-	"github.com/projectatomic/skopeo/types"
+	"github.com/containers/image/v5/pkg/compression"
+	"github.com/containers/image/v5/transports/alltransports"
+	"github.com/containers/image/v5/types"
+	"github.com/pkg/errors"
+	"github.com/urfave/cli"
 )

-const (
-	// atomicPrefix is the URL-like schema prefix used for Atomic registry image references.
-	atomicPrefix = "atomic:"
-	// dockerPrefix is the URL-like schema prefix used for Docker image references.
-	dockerPrefix = "docker://"
-	// directoryPrefix is the URL-like schema prefix used for local directories (for debugging)
-	directoryPrefix = "dir:"
-)
+// errorShouldDisplayUsage is a subtype of error used by command handlers to indicate that cli.ShowSubcommandHelp should be called.
+type errorShouldDisplayUsage struct {
+	error
+}

-// ParseImage converts image URL-like string to an initialized handler for that image.
-func parseImage(c *cli.Context) (types.Image, error) {
-	var (
-		imgName   = c.Args().First()
-		certPath  = c.GlobalString("cert-path")
-		tlsVerify = c.GlobalBool("tls-verify")
-	)
-	switch {
-	case strings.HasPrefix(imgName, dockerPrefix):
-		return docker.NewDockerImage(strings.TrimPrefix(imgName, dockerPrefix), certPath, tlsVerify)
-		//case strings.HasPrefix(img, appcPrefix):
-		//
+// commandAction intermediates between the cli.ActionFunc interface and the real handler,
+// primarily to ensure that cli.Context is not available to the handler, which in turn
+// makes sure that the cli.String() etc. flag access functions are not used,
+// and everything is done using the *Options structures and the Destination: members of cli.Flag.
+// handler may return errorShouldDisplayUsage to cause cli.ShowSubcommandHelp to be called.
+func commandAction(handler func(args []string, stdout io.Writer) error) cli.ActionFunc {
+	return func(c *cli.Context) error {
+		err := handler(([]string)(c.Args()), c.App.Writer)
+		if _, ok := err.(errorShouldDisplayUsage); ok {
+			cli.ShowSubcommandHelp(c)
+		}
+		return err
 	}
-	return nil, fmt.Errorf("no valid prefix provided")
+}
+
+// sharedImageOptions collects CLI flags which are image-related, but do not change across images.
+// This really should be a part of globalOptions, but that would break existing users of (skopeo copy --authfile=).
+type sharedImageOptions struct {
+	authFilePath string // Path to a */containers/auth.json
+}
+
+// imageFlags prepares a collection of CLI flags writing into sharedImageOptions, and the managed sharedImageOptions structure.
+func sharedImageFlags() ([]cli.Flag, *sharedImageOptions) {
+	opts := sharedImageOptions{}
+	return []cli.Flag{
+		cli.StringFlag{
+			Name:        "authfile",
+			Usage:       "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+			Destination: &opts.authFilePath,
+		},
+	}, &opts
+}
+
+// imageOptions collects CLI flags specific to the "docker" transport, which are
+// the same across subcommands, but may be different for each image
+// (e.g. may differ between the source and destination of a copy)
+type dockerImageOptions struct {
+	global         *globalOptions      // May be shared across several imageOptions instances.
+	shared         *sharedImageOptions // May be shared across several imageOptions instances.
+	authFilePath   optionalString      // Path to a */containers/auth.json (prefixed version to override shared image option).
+	credsOption    optionalString      // username[:password] for accessing a registry
+	dockerCertPath string              // A directory using Docker-like *.{crt,cert,key} files for connecting to a registry or a daemon
+	tlsVerify      optionalBool        // Require HTTPS and verify certificates (for docker: and docker-daemon:)
+	noCreds        bool                // Access the registry anonymously
+}
+
+// imageOptions collects CLI flags which are the same across subcommands, but may be different for each image
+// (e.g. may differ between the source and destination of a copy)
+type imageOptions struct {
+	dockerImageOptions
+	sharedBlobDir    string // A directory to use for OCI blobs, shared across repositories
+	dockerDaemonHost string // docker-daemon: host to connect to
+}
+
+// dockerImageFlags prepares a collection of docker-transport specific CLI flags
+// writing into imageOptions, and the managed imageOptions structure.
+func dockerImageFlags(global *globalOptions, shared *sharedImageOptions, flagPrefix, credsOptionAlias string) ([]cli.Flag, *imageOptions) {
+	opts := imageOptions{
+		dockerImageOptions: dockerImageOptions{
+			global: global,
+			shared: shared,
+		},
+	}
+
+	// This is horribly ugly, but we need to support the old option forms of (skopeo copy) for compatibility.
+	// Don't add any more cases like this.
+	credsOptionExtra := ""
+	if credsOptionAlias != "" {
+		credsOptionExtra += "," + credsOptionAlias
+	}
+
+	var flags []cli.Flag
+	if flagPrefix != "" {
+		// the non-prefixed flag is handled by a shared flag.
+		flags = append(flags,
+			cli.GenericFlag{
+				Name:  flagPrefix + "authfile",
+				Usage: "path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json",
+				Value: newOptionalStringValue(&opts.authFilePath),
+			},
+		)
+	}
+	flags = append(flags,
+		cli.GenericFlag{
+			Name:  flagPrefix + "creds" + credsOptionExtra,
+			Usage: "Use `USERNAME[:PASSWORD]` for accessing the registry",
+			Value: newOptionalStringValue(&opts.credsOption),
+		},
+		cli.StringFlag{
+			Name:        flagPrefix + "cert-dir",
+			Usage:       "use certificates at `PATH` (*.crt, *.cert, *.key) to connect to the registry or daemon",
+			Destination: &opts.dockerCertPath,
+		},
+		cli.GenericFlag{
+			Name:  flagPrefix + "tls-verify",
+			Usage: "require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true)",
+			Value: newOptionalBoolValue(&opts.tlsVerify),
+		},
+		cli.BoolFlag{
+			Name:        flagPrefix + "no-creds",
+			Usage:       "Access the registry anonymously",
+			Destination: &opts.noCreds,
+		},
+	)
+	return flags, &opts
+}
+
+// imageFlags prepares a collection of CLI flags writing into imageOptions, and the managed imageOptions structure.
+func imageFlags(global *globalOptions, shared *sharedImageOptions, flagPrefix, credsOptionAlias string) ([]cli.Flag, *imageOptions) {
+	dockerFlags, opts := dockerImageFlags(global, shared, flagPrefix, credsOptionAlias)
+
+	return append(dockerFlags, []cli.Flag{
+		cli.StringFlag{
+			Name:        flagPrefix + "shared-blob-dir",
+			Usage:       "`DIRECTORY` to use to share blobs across OCI repositories",
+			Destination: &opts.sharedBlobDir,
+		},
+		cli.StringFlag{
+			Name:        flagPrefix + "daemon-host",
+			Usage:       "use docker daemon host at `HOST` (docker-daemon: only)",
+			Destination: &opts.dockerDaemonHost,
+		},
+	}...), opts
+}
+
+// newSystemContext returns a *types.SystemContext corresponding to opts.
+// It is guaranteed to return a fresh instance, so it is safe to make additional updates to it.
+func (opts *imageOptions) newSystemContext() (*types.SystemContext, error) {
+	ctx := &types.SystemContext{
+		RegistriesDirPath:        opts.global.registriesDirPath,
+		ArchitectureChoice:       opts.global.overrideArch,
+		OSChoice:                 opts.global.overrideOS,
+		DockerCertPath:           opts.dockerCertPath,
+		OCISharedBlobDirPath:     opts.sharedBlobDir,
+		AuthFilePath:             opts.shared.authFilePath,
+		DockerDaemonHost:         opts.dockerDaemonHost,
+		DockerDaemonCertPath:     opts.dockerCertPath,
+		SystemRegistriesConfPath: opts.global.registriesConfPath,
+	}
+	if opts.dockerImageOptions.authFilePath.present {
+		ctx.AuthFilePath = opts.dockerImageOptions.authFilePath.value
+	}
+	if opts.tlsVerify.present {
+		ctx.DockerDaemonInsecureSkipTLSVerify = !opts.tlsVerify.value
+	}
+	// DEPRECATED: We support this for backward compatibility, but override it if a per-image flag is provided.
+	if opts.global.tlsVerify.present {
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.global.tlsVerify.value)
+	}
+	if opts.tlsVerify.present {
+		ctx.DockerInsecureSkipTLSVerify = types.NewOptionalBool(!opts.tlsVerify.value)
+	}
+	if opts.credsOption.present && opts.noCreds {
+		return nil, errors.New("creds and no-creds cannot be specified at the same time")
+	}
+	if opts.credsOption.present {
+		var err error
+		ctx.DockerAuthConfig, err = getDockerAuth(opts.credsOption.value)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if opts.noCreds {
+		ctx.DockerAuthConfig = &types.DockerAuthConfig{}
+	}
+
+	return ctx, nil
+}
+
+// imageDestOptions is a superset of imageOptions specialized for iamge destinations.
+type imageDestOptions struct {
+	*imageOptions
+	dirForceCompression         bool        // Compress layers when saving to the dir: transport
+	ociAcceptUncompressedLayers bool        // Whether to accept uncompressed layers in the oci: transport
+	compressionFormat           string      // Format to use for the compression
+	compressionLevel            optionalInt // Level to use for the compression
+}
+
+// imageDestFlags prepares a collection of CLI flags writing into imageDestOptions, and the managed imageDestOptions structure.
+func imageDestFlags(global *globalOptions, shared *sharedImageOptions, flagPrefix, credsOptionAlias string) ([]cli.Flag, *imageDestOptions) {
+	genericFlags, genericOptions := imageFlags(global, shared, flagPrefix, credsOptionAlias)
+	opts := imageDestOptions{imageOptions: genericOptions}
+
+	return append(genericFlags, []cli.Flag{
+		cli.BoolFlag{
+			Name:        flagPrefix + "compress",
+			Usage:       "Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)",
+			Destination: &opts.dirForceCompression,
+		},
+		cli.BoolFlag{
+			Name:        flagPrefix + "oci-accept-uncompressed-layers",
+			Usage:       "Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed)",
+			Destination: &opts.ociAcceptUncompressedLayers,
+		},
+		cli.StringFlag{
+			Name:        flagPrefix + "compress-format",
+			Usage:       "`FORMAT` to use for the compression",
+			Destination: &opts.compressionFormat,
+		},
+		cli.GenericFlag{
+			Name:  flagPrefix + "compress-level",
+			Usage: "`LEVEL` to use for the compression",
+			Value: newOptionalIntValue(&opts.compressionLevel),
+		},
+	}...), &opts
+}
+
+// newSystemContext returns a *types.SystemContext corresponding to opts.
+// It is guaranteed to return a fresh instance, so it is safe to make additional updates to it.
+func (opts *imageDestOptions) newSystemContext() (*types.SystemContext, error) {
+	ctx, err := opts.imageOptions.newSystemContext()
+	if err != nil {
+		return nil, err
+	}
+
+	ctx.DirForceCompress = opts.dirForceCompression
+	ctx.OCIAcceptUncompressedLayers = opts.ociAcceptUncompressedLayers
+	if opts.compressionFormat != "" {
+		cf, err := compression.AlgorithmByName(opts.compressionFormat)
+		if err != nil {
+			return nil, err
+		}
+		ctx.CompressionFormat = &cf
+	}
+	if opts.compressionLevel.present {
+		ctx.CompressionLevel = &opts.compressionLevel.value
+	}
+	return ctx, err
+}
+
+func parseCreds(creds string) (string, string, error) {
+	if creds == "" {
+		return "", "", errors.New("credentials can't be empty")
+	}
+	up := strings.SplitN(creds, ":", 2)
+	if len(up) == 1 {
+		return up[0], "", nil
+	}
+	if up[0] == "" {
+		return "", "", errors.New("username can't be empty")
+	}
+	return up[0], up[1], nil
+}
+
+func getDockerAuth(creds string) (*types.DockerAuthConfig, error) {
+	username, password, err := parseCreds(creds)
+	if err != nil {
+		return nil, err
+	}
+	return &types.DockerAuthConfig{
+		Username: username,
+		Password: password,
+	}, nil
+}
+
+// parseImage converts image URL-like string to an initialized handler for that image.
+// The caller must call .Close() on the returned ImageCloser.
+func parseImage(ctx context.Context, opts *imageOptions, name string) (types.ImageCloser, error) {
+	ref, err := alltransports.ParseImageName(name)
+	if err != nil {
+		return nil, err
+	}
+	sys, err := opts.newSystemContext()
+	if err != nil {
+		return nil, err
+	}
+	return ref.NewImage(ctx, sys)
 }

 // parseImageSource converts image URL-like string to an ImageSource.
-func parseImageSource(c *cli.Context, name string) (types.ImageSource, error) {
-	var (
-		certPath  = c.GlobalString("cert-path")
-		tlsVerify = c.GlobalBool("tls-verify") // FIXME!! defaults to false?
-	)
-	switch {
-	case strings.HasPrefix(name, dockerPrefix):
-		return docker.NewDockerImageSource(strings.TrimPrefix(name, dockerPrefix), certPath, tlsVerify)
-	case strings.HasPrefix(name, atomicPrefix):
-		return openshift.NewOpenshiftImageSource(strings.TrimPrefix(name, atomicPrefix), certPath, tlsVerify)
-	case strings.HasPrefix(name, directoryPrefix):
-		return directory.NewDirImageSource(strings.TrimPrefix(name, directoryPrefix)), nil
+// The caller must call .Close() on the returned ImageSource.
+func parseImageSource(ctx context.Context, opts *imageOptions, name string) (types.ImageSource, error) {
+	ref, err := alltransports.ParseImageName(name)
+	if err != nil {
+		return nil, err
 	}
-	return nil, fmt.Errorf("Unrecognized image reference %s", name)
-}
-
-// parseImageDestination converts image URL-like string to an ImageDestination.
-func parseImageDestination(c *cli.Context, name string) (types.ImageDestination, error) {
-	var (
-		certPath  = c.GlobalString("cert-path")
-		tlsVerify = c.GlobalBool("tls-verify") // FIXME!! defaults to false?
-	)
-	switch {
-	case strings.HasPrefix(name, dockerPrefix):
-		return docker.NewDockerImageDestination(strings.TrimPrefix(name, dockerPrefix), certPath, tlsVerify)
-	case strings.HasPrefix(name, atomicPrefix):
-		return openshift.NewOpenshiftImageDestination(strings.TrimPrefix(name, atomicPrefix), certPath, tlsVerify)
-	case strings.HasPrefix(name, directoryPrefix):
-		return directory.NewDirImageDestination(strings.TrimPrefix(name, directoryPrefix)), nil
+	sys, err := opts.newSystemContext()
+	if err != nil {
+		return nil, err
 	}
-	return nil, fmt.Errorf("Unrecognized image reference %s", name)
+	return ref.NewImageSource(ctx, sys)
 }
--- a/cmd/skopeo/utils_test.go
+++ b/cmd/skopeo/utils_test.go
@@ -0,0 +1,227 @@
+package main
+
+import (
+	"flag"
+	"testing"
+
+	"github.com/containers/image/v5/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// fakeGlobalOptions creates globalOptions and sets it according to flags.
+// NOTE: This is QUITE FAKE; none of the urfave/cli normalization and the like happens.
+func fakeGlobalOptions(t *testing.T, flags []string) *globalOptions {
+	app, opts := createApp()
+
+	flagSet := flag.NewFlagSet(app.Name, flag.ContinueOnError)
+	for _, f := range app.Flags {
+		f.Apply(flagSet)
+	}
+	err := flagSet.Parse(flags)
+	require.NoError(t, err)
+
+	return opts
+}
+
+// fakeImageOptions creates imageOptions and sets it according to globalFlags/cmdFlags.
+// NOTE: This is QUITE FAKE; none of the urfave/cli normalization and the like happens.
+func fakeImageOptions(t *testing.T, flagPrefix string, globalFlags []string, cmdFlags []string) *imageOptions {
+	globalOpts := fakeGlobalOptions(t, globalFlags)
+
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageFlags(globalOpts, sharedOpts, flagPrefix, "")
+	flagSet := flag.NewFlagSet("fakeImageOptions", flag.ContinueOnError)
+	for _, f := range append(sharedFlags, imageFlags...) {
+		f.Apply(flagSet)
+	}
+	err := flagSet.Parse(cmdFlags)
+	require.NoError(t, err)
+	return imageOpts
+}
+
+func TestImageOptionsNewSystemContext(t *testing.T) {
+	// Default state
+	opts := fakeImageOptions(t, "dest-", []string{}, []string{})
+	res, err := opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{}, res)
+
+	// Set everything to non-default values.
+	opts = fakeImageOptions(t, "dest-", []string{
+		"--registries.d", "/srv/registries.d",
+		"--override-arch", "overridden-arch",
+		"--override-os", "overridden-os",
+	}, []string{
+		"--authfile", "/srv/authfile",
+		"--dest-authfile", "/srv/dest-authfile",
+		"--dest-cert-dir", "/srv/cert-dir",
+		"--dest-shared-blob-dir", "/srv/shared-blob-dir",
+		"--dest-daemon-host", "daemon-host.example.com",
+		"--dest-tls-verify=false",
+		"--dest-creds", "creds-user:creds-password",
+	})
+	res, err = opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{
+		RegistriesDirPath:                 "/srv/registries.d",
+		AuthFilePath:                      "/srv/dest-authfile",
+		ArchitectureChoice:                "overridden-arch",
+		OSChoice:                          "overridden-os",
+		OCISharedBlobDirPath:              "/srv/shared-blob-dir",
+		DockerCertPath:                    "/srv/cert-dir",
+		DockerInsecureSkipTLSVerify:       types.OptionalBoolTrue,
+		DockerAuthConfig:                  &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
+		DockerDaemonCertPath:              "/srv/cert-dir",
+		DockerDaemonHost:                  "daemon-host.example.com",
+		DockerDaemonInsecureSkipTLSVerify: true,
+	}, res)
+
+	// Global/per-command tlsVerify behavior
+	for _, c := range []struct {
+		global, cmd          string
+		expectedDocker       types.OptionalBool
+		expectedDockerDaemon bool
+	}{
+		{"", "", types.OptionalBoolUndefined, false},
+		{"", "false", types.OptionalBoolTrue, true},
+		{"", "true", types.OptionalBoolFalse, false},
+		{"false", "", types.OptionalBoolTrue, false},
+		{"false", "false", types.OptionalBoolTrue, true},
+		{"false", "true", types.OptionalBoolFalse, false},
+		{"true", "", types.OptionalBoolFalse, false},
+		{"true", "false", types.OptionalBoolTrue, true},
+		{"true", "true", types.OptionalBoolFalse, false},
+	} {
+		globalFlags := []string{}
+		if c.global != "" {
+			globalFlags = append(globalFlags, "--tls-verify="+c.global)
+		}
+		cmdFlags := []string{}
+		if c.cmd != "" {
+			cmdFlags = append(cmdFlags, "--dest-tls-verify="+c.cmd)
+		}
+		opts := fakeImageOptions(t, "dest-", globalFlags, cmdFlags)
+		res, err = opts.newSystemContext()
+		require.NoError(t, err)
+		assert.Equal(t, c.expectedDocker, res.DockerInsecureSkipTLSVerify, "%#v", c)
+		assert.Equal(t, c.expectedDockerDaemon, res.DockerDaemonInsecureSkipTLSVerify, "%#v", c)
+	}
+
+	// Invalid option values
+	opts = fakeImageOptions(t, "dest-", []string{}, []string{"--dest-creds", ""})
+	_, err = opts.newSystemContext()
+	assert.Error(t, err)
+}
+
+// fakeImageDestOptions creates imageDestOptions and sets it according to globalFlags/cmdFlags.
+// NOTE: This is QUITE FAKE; none of the urfave/cli normalization and the like happens.
+func fakeImageDestOptions(t *testing.T, flagPrefix string, globalFlags []string, cmdFlags []string) *imageDestOptions {
+	globalOpts := fakeGlobalOptions(t, globalFlags)
+
+	sharedFlags, sharedOpts := sharedImageFlags()
+	imageFlags, imageOpts := imageDestFlags(globalOpts, sharedOpts, flagPrefix, "")
+	flagSet := flag.NewFlagSet("fakeImageDestOptions", flag.ContinueOnError)
+	for _, f := range append(sharedFlags, imageFlags...) {
+		f.Apply(flagSet)
+	}
+	err := flagSet.Parse(cmdFlags)
+	require.NoError(t, err)
+	return imageOpts
+}
+
+func TestImageDestOptionsNewSystemContext(t *testing.T) {
+	// Default state
+	opts := fakeImageDestOptions(t, "dest-", []string{}, []string{})
+	res, err := opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{}, res)
+
+	// Explicitly set everything to default, except for when the default is “not present”
+	opts = fakeImageDestOptions(t, "dest-", []string{}, []string{
+		"--dest-compress=false",
+	})
+	res, err = opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{}, res)
+
+	// Set everything to non-default values.
+	opts = fakeImageDestOptions(t, "dest-", []string{
+		"--registries.d", "/srv/registries.d",
+		"--override-arch", "overridden-arch",
+		"--override-os", "overridden-os",
+	}, []string{
+		"--authfile", "/srv/authfile",
+		"--dest-cert-dir", "/srv/cert-dir",
+		"--dest-shared-blob-dir", "/srv/shared-blob-dir",
+		"--dest-compress=true",
+		"--dest-daemon-host", "daemon-host.example.com",
+		"--dest-tls-verify=false",
+		"--dest-creds", "creds-user:creds-password",
+	})
+	res, err = opts.newSystemContext()
+	require.NoError(t, err)
+	assert.Equal(t, &types.SystemContext{
+		RegistriesDirPath:                 "/srv/registries.d",
+		AuthFilePath:                      "/srv/authfile",
+		ArchitectureChoice:                "overridden-arch",
+		OSChoice:                          "overridden-os",
+		OCISharedBlobDirPath:              "/srv/shared-blob-dir",
+		DockerCertPath:                    "/srv/cert-dir",
+		DockerInsecureSkipTLSVerify:       types.OptionalBoolTrue,
+		DockerAuthConfig:                  &types.DockerAuthConfig{Username: "creds-user", Password: "creds-password"},
+		DockerDaemonCertPath:              "/srv/cert-dir",
+		DockerDaemonHost:                  "daemon-host.example.com",
+		DockerDaemonInsecureSkipTLSVerify: true,
+		DirForceCompress:                  true,
+	}, res)
+
+	// Invalid option values in imageOptions
+	opts = fakeImageDestOptions(t, "dest-", []string{}, []string{"--dest-creds", ""})
+	_, err = opts.newSystemContext()
+	assert.Error(t, err)
+}
+
+// since there is a shared authfile image option and a non-shared (prefixed) one, make sure the override logic
+// works correctly.
+func TestImageOptionsAuthfileOverride(t *testing.T) {
+
+	for _, testCase := range []struct {
+		flagPrefix           string
+		cmdFlags             []string
+		expectedAuthfilePath string
+	}{
+		// if there is no prefix, only authfile is allowed.
+		{"",
+			[]string{
+				"--authfile", "/srv/authfile",
+			}, "/srv/authfile"},
+		// if authfile and dest-authfile is provided, dest-authfile wins
+		{"dest-",
+			[]string{
+				"--authfile", "/srv/authfile",
+				"--dest-authfile", "/srv/dest-authfile",
+			}, "/srv/dest-authfile",
+		},
+		// if only the shared authfile is provided, authfile must be present in system context
+		{"dest-",
+			[]string{
+				"--authfile", "/srv/authfile",
+			}, "/srv/authfile",
+		},
+		// if only the dest authfile is provided, dest-authfile must be present in system context
+		{"dest-",
+			[]string{
+				"--dest-authfile", "/srv/dest-authfile",
+			}, "/srv/dest-authfile",
+		},
+	} {
+		opts := fakeImageOptions(t, testCase.flagPrefix, []string{}, testCase.cmdFlags)
+		res, err := opts.newSystemContext()
+		require.NoError(t, err)
+
+		assert.Equal(t, &types.SystemContext{
+			AuthFilePath: testCase.expectedAuthfilePath,
+		}, res)
+	}
+}
--- a/completions/bash/skopeo
+++ b/completions/bash/skopeo
@@ -0,0 +1,213 @@
+#! /bin/bash
+
+_complete_() {
+    local options_with_args=$1
+    local boolean_options="$2 -h --help"
+    local transports=$3
+
+    local option_with_args
+    for option_with_args in $options_with_args $transports
+    do
+        if [ "$option_with_args" == "$prev" ] || [ "$option_with_args" == "$cur" ]
+        then
+            return
+        fi
+    done
+
+    case "$cur" in
+        -*)
+            while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
+            ;;
+        *)
+            if [ -n "$transports" ]
+            then
+                compopt -o nospace
+                while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$transports" -- "$cur")
+            fi
+            ;;
+    esac
+}
+
+_skopeo_supported_transports() {
+    local subcommand=$1
+
+    skopeo "$subcommand" --help | grep "Supported transports" -A 1 | tail -n 1 | sed -e 's/,/:/g' -e 's/$/:/'
+}
+
+_skopeo_copy() {
+    local options_with_args="
+    --authfile
+    --src-authfile
+    --dest-authfile
+    --format -f
+    --sign-by
+    --src-creds --screds
+    --src-cert-dir
+    --src-tls-verify
+    --dest-creds --dcreds
+    --dest-cert-dir
+    --dest-tls-verify
+    --src-daemon-host
+    --dest-daemon-host
+    "
+
+    local boolean_options="
+    --all
+    --dest-compress
+    --remove-signatures
+    --src-no-creds
+    --dest-no-creds
+    --dest-oci-accept-uncompressed-layers
+    "
+
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
+    "
+
+    _complete_ "$options_with_args" "$boolean_options" "$transports"
+}
+
+_skopeo_inspect() {
+     local options_with_args="
+     --authfile
+     --creds
+     --cert-dir
+     "
+     local boolean_options="
+     --config
+     --raw
+     --tls-verify
+     --no-creds
+    "
+
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
+    "
+
+    _complete_ "$options_with_args" "$boolean_options" "$transports"
+}
+
+_skopeo_standalone_sign() {
+     local options_with_args="
+       -o --output
+     "
+     local boolean_options="
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_standalone_verify() {
+     local options_with_args="
+     "
+     local boolean_options="
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_manifest_digest() {
+     local options_with_args="
+     "
+     local boolean_options="
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_delete() {
+     local options_with_args="
+     --authfile
+     --creds
+     --cert-dir
+     "
+     local boolean_options="
+     --tls-verify
+     --no-creds
+     "
+
+    local transports
+    transports="
+    $(_skopeo_supported_transports "${FUNCNAME//"_skopeo_"/}")
+    "
+
+    _complete_ "$options_with_args" "$boolean_options" "$transports"
+}
+
+_skopeo_layers() {
+     local options_with_args="
+       --creds
+       --cert-dir
+     "
+     local boolean_options="
+       --tls-verify
+     "
+    _complete_ "$options_with_args" "$boolean_options"
+}
+
+_skopeo_skopeo() {
+     # XXX: Changes here need to be refleceted in the manually expanded
+     # string in the `case` statement below as well.
+     local options_with_args="
+       --policy
+       --registries.d
+       --override-arch
+       --override-os
+       --command-timeout
+     "
+     local boolean_options="
+       --insecure-policy
+       --debug
+       --version -v
+       --help -h
+     "
+
+     case "$prev" in
+         # XXX: Changes here need to be refleceted in $options_with_args as well.
+         --policy|--registries.d|--override-arch|--override-os|--command-timeout)
+             return
+             ;;
+     esac
+
+     case "$cur" in
+         -*)
+             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$boolean_options $options_with_args" -- "$cur")
+             ;;
+         *)
+             commands=$( "${COMP_WORDS[@]:0:$COMP_CWORD}" --generate-bash-completion )
+
+             while IFS='' read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "${commands[*]} help" -- "$cur")
+             ;;
+     esac
+}
+
+_cli_bash_autocomplete() {
+     local cur
+
+     COMPREPLY=()
+     cur="${COMP_WORDS[COMP_CWORD]}"
+     COMPREPLY=()
+     local cur prev words cword
+
+     _get_comp_words_by_ref -n : cur prev words cword
+
+     local command="skopeo" cpos=0
+     local counter=1
+     while [ $counter -lt "$cword" ]; do
+         case "${words[$counter]}" in
+             skopeo|copy|inspect|delete|manifest-digest|standalone-sign|standalone-verify|help|h)
+                 command="${words[$counter]//-/_}"
+                 cpos=$counter
+                 (( cpos++ ))
+                 break
+                 ;;
+         esac
+         (( counter++ ))
+     done
+
+     local completions_func=_skopeo_${command}
+     declare -F "$completions_func" >/dev/null && $completions_func
+
+     return 0
+}
+
+ complete -F _cli_bash_autocomplete skopeo
--- a/default-policy.json
+++ b/default-policy.json
@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}
--- a/default.yaml
+++ b/default.yaml
@@ -0,0 +1,26 @@
+# This is a default registries.d configuration file.  You may
+# add to this file or create additional files in registries.d/.
+#
+# sigstore: indicates a location that is read and write
+# sigstore-staging: indicates a location that is only for write
+#
+# sigstore and sigstore-staging take a value of the following:
+#   sigstore:  {schema}://location
+#
+# For reading signatures, schema may be http, https, or file.
+# For writing signatures, schema may only be file.
+
+# This is the default signature write location for docker registries.
+default-docker:
+#  sigstore: file:///var/lib/containers/sigstore
+  sigstore-staging: file:///var/lib/containers/sigstore
+
+# The 'docker' indicator here is the start of the configuration
+# for docker registries.
+#
+# docker:
+#
+#   privateregistry.com:
+#    sigstore: http://privateregistry.com/sigstore/
+#    sigstore-staging: /mnt/nfs/privateregistry/sigstore
+
--- a/directory/directory.go
+++ b/directory/directory.go
@@ -1,113 +0,0 @@
-package directory
-
-import (
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/projectatomic/skopeo/types"
-)
-
-// manifestPath returns a path for the manifest within a directory using our conventions.
-func manifestPath(dir string) string {
-	return filepath.Join(dir, "manifest.json")
-}
-
-// manifestPath returns a path for a layer tarball within a directory using our conventions.
-func layerPath(dir string, digest string) string {
-	// FIXME: Should we keep the digest identification?
-	return filepath.Join(dir, strings.TrimPrefix(digest, "sha256:")+".tar")
-}
-
-// manifestPath returns a path for a signature within a directory using our conventions.
-func signaturePath(dir string, index int) string {
-	return filepath.Join(dir, fmt.Sprintf("signature-%d", index+1))
-}
-
-type dirImageDestination struct {
-	dir string
-}
-
-// NewDirImageDestination returns an ImageDestination for writing to an existing directory.
-func NewDirImageDestination(dir string) types.ImageDestination {
-	return &dirImageDestination{dir}
-}
-
-func (d *dirImageDestination) CanonicalDockerReference() (string, error) {
-	return "", fmt.Errorf("Can not determine canonical Docker reference for a local directory")
-}
-
-func (d *dirImageDestination) PutManifest(manifest []byte) error {
-	return ioutil.WriteFile(manifestPath(d.dir), manifest, 0644)
-}
-
-func (d *dirImageDestination) PutLayer(digest string, stream io.Reader) error {
-	layerFile, err := os.Create(layerPath(d.dir, digest))
-	if err != nil {
-		return err
-	}
-	defer layerFile.Close()
-	if _, err := io.Copy(layerFile, stream); err != nil {
-		return err
-	}
-	if err := layerFile.Sync(); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (d *dirImageDestination) PutSignatures(signatures [][]byte) error {
-	for i, sig := range signatures {
-		if err := ioutil.WriteFile(signaturePath(d.dir, i), sig, 0644); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-type dirImageSource struct {
-	dir string
-}
-
-// NewDirImageSource returns an ImageSource reading from an existing directory.
-func NewDirImageSource(dir string) types.ImageSource {
-	return &dirImageSource{dir}
-}
-
-// IntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
-// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
-// May be "" if unknown.
-func (s *dirImageSource) IntendedDockerReference() string {
-	return ""
-}
-
-// it's up to the caller to determine the MIME type of the returned manifest's bytes
-func (s *dirImageSource) GetManifest(_ []string) ([]byte, string, error) {
-	m, err := ioutil.ReadFile(manifestPath(s.dir))
-	if err != nil {
-		return nil, "", err
-	}
-	return m, "", err
-}
-
-func (s *dirImageSource) GetLayer(digest string) (io.ReadCloser, error) {
-	return os.Open(layerPath(s.dir, digest))
-}
-
-func (s *dirImageSource) GetSignatures() ([][]byte, error) {
-	signatures := [][]byte{}
-	for i := 0; ; i++ {
-		signature, err := ioutil.ReadFile(signaturePath(s.dir, i))
-		if err != nil {
-			if os.IsNotExist(err) {
-				break
-			}
-			return nil, err
-		}
-		signatures = append(signatures, signature)
-	}
-	return signatures, nil
-}
--- a/doc.go
+++ b/doc.go
@@ -1,24 +0,0 @@
-// Package skopeo provides libraries and commands to interact with containers images.
-//
-//    package main
-//
-//    import (
-//    	"fmt"
-//
-//    	"github.com/projectatomic/skopeo/docker"
-//    )
-//
-//    func main() {
-//    	img, err := docker.NewDockerImage("fedora", "", false)
-//    	if err != nil {
-//    		panic(err)
-//    	}
-//    	b, err := img.Manifest()
-//    	if err != nil {
-//    		panic(err)
-//    	}
-//    	fmt.Printf("%s", string(b))
-//    }
-//
-// TODO(runcom)
-package skopeo
--- a/docker/docker_client.go
+++ b/docker/docker_client.go
@@ -1,362 +0,0 @@
-package docker
-
-import (
-	"crypto/tls"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/docker/pkg/homedir"
-)
-
-const (
-	dockerHostname     = "docker.io"
-	dockerRegistry     = "registry-1.docker.io"
-	dockerAuthRegistry = "https://index.docker.io/v1/"
-
-	dockerCfg         = ".docker"
-	dockerCfgFileName = "config.json"
-	dockerCfgObsolete = ".dockercfg"
-
-	baseURL       = "%s://%s/v2/"
-	tagsURL       = "%s/tags/list"
-	manifestURL   = "%s/manifests/%s"
-	blobsURL      = "%s/blobs/%s"
-	blobUploadURL = "%s/blobs/uploads/?digest=%s"
-)
-
-// dockerClient is configuration for dealing with a single Docker registry.
-type dockerClient struct {
-	registry        string
-	username        string
-	password        string
-	wwwAuthenticate string // Cache of a value set by ping() if scheme is not empty
-	scheme          string // Cache of a value returned by a successful ping() if not empty
-	transport       *http.Transport
-}
-
-// newDockerClient returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
-func newDockerClient(refHostname, certPath string, tlsVerify bool) (*dockerClient, error) {
-	var registry string
-	if refHostname == dockerHostname {
-		registry = dockerRegistry
-	} else {
-		registry = refHostname
-	}
-	username, password, err := getAuth(refHostname)
-	if err != nil {
-		return nil, err
-	}
-	var tr *http.Transport
-	if certPath != "" || !tlsVerify {
-		tlsc := &tls.Config{}
-
-		if certPath != "" {
-			cert, err := tls.LoadX509KeyPair(filepath.Join(certPath, "cert.pem"), filepath.Join(certPath, "key.pem"))
-			if err != nil {
-				return nil, fmt.Errorf("Error loading x509 key pair: %s", err)
-			}
-			tlsc.Certificates = append(tlsc.Certificates, cert)
-		}
-		tlsc.InsecureSkipVerify = !tlsVerify
-		tr = &http.Transport{
-			TLSClientConfig: tlsc,
-		}
-	}
-	return &dockerClient{
-		registry:  registry,
-		username:  username,
-		password:  password,
-		transport: tr,
-	}, nil
-}
-
-func (c *dockerClient) makeRequest(method, url string, headers map[string][]string, stream io.Reader) (*http.Response, error) {
-	if c.scheme == "" {
-		pr, err := c.ping()
-		if err != nil {
-			return nil, err
-		}
-		c.wwwAuthenticate = pr.WWWAuthenticate
-		c.scheme = pr.scheme
-	}
-
-	url = fmt.Sprintf(baseURL, c.scheme, c.registry) + url
-	req, err := http.NewRequest(method, url, stream)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Docker-Distribution-API-Version", "registry/2.0")
-	for n, h := range headers {
-		for _, hh := range h {
-			req.Header.Add(n, hh)
-		}
-	}
-	if c.wwwAuthenticate != "" {
-		if err := c.setupRequestAuth(req); err != nil {
-			return nil, err
-		}
-	}
-	client := &http.Client{}
-	if c.transport != nil {
-		client.Transport = c.transport
-	}
-	logrus.Debugf("%s %s", method, url)
-	res, err := client.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	return res, nil
-}
-
-func (c *dockerClient) setupRequestAuth(req *http.Request) error {
-	tokens := strings.SplitN(strings.TrimSpace(c.wwwAuthenticate), " ", 2)
-	if len(tokens) != 2 {
-		return fmt.Errorf("expected 2 tokens in WWW-Authenticate: %d, %s", len(tokens), c.wwwAuthenticate)
-	}
-	switch tokens[0] {
-	case "Basic":
-		req.SetBasicAuth(c.username, c.password)
-		return nil
-	case "Bearer":
-		client := &http.Client{}
-		if c.transport != nil {
-			client.Transport = c.transport
-		}
-		res, err := client.Do(req)
-		if err != nil {
-			return err
-		}
-		hdr := res.Header.Get("WWW-Authenticate")
-		if hdr == "" || res.StatusCode != http.StatusUnauthorized {
-			// no need for bearer? wtf?
-			return nil
-		}
-		tokens = strings.Split(hdr, " ")
-		tokens = strings.Split(tokens[1], ",")
-		var realm, service, scope string
-		for _, token := range tokens {
-			if strings.HasPrefix(token, "realm") {
-				realm = strings.Trim(token[len("realm="):], "\"")
-			}
-			if strings.HasPrefix(token, "service") {
-				service = strings.Trim(token[len("service="):], "\"")
-			}
-			if strings.HasPrefix(token, "scope") {
-				scope = strings.Trim(token[len("scope="):], "\"")
-			}
-		}
-
-		if realm == "" {
-			return fmt.Errorf("missing realm in bearer auth challenge")
-		}
-		if service == "" {
-			return fmt.Errorf("missing service in bearer auth challenge")
-		}
-		// The scope can be empty if we're not getting a token for a specific repo
-		//if scope == "" && repo != "" {
-		if scope == "" {
-			return fmt.Errorf("missing scope in bearer auth challenge")
-		}
-		token, err := c.getBearerToken(realm, service, scope)
-		if err != nil {
-			return err
-		}
-		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
-		return nil
-	}
-	return fmt.Errorf("no handler for %s authentication", tokens[0])
-	// support docker bearer with authconfig's Auth string? see docker2aci
-}
-
-func (c *dockerClient) getBearerToken(realm, service, scope string) (string, error) {
-	authReq, err := http.NewRequest("GET", realm, nil)
-	if err != nil {
-		return "", err
-	}
-	getParams := authReq.URL.Query()
-	getParams.Add("service", service)
-	if scope != "" {
-		getParams.Add("scope", scope)
-	}
-	authReq.URL.RawQuery = getParams.Encode()
-	if c.username != "" && c.password != "" {
-		authReq.SetBasicAuth(c.username, c.password)
-	}
-	// insecure for now to contact the external token service
-	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
-	client := &http.Client{Transport: tr}
-	res, err := client.Do(authReq)
-	if err != nil {
-		return "", err
-	}
-	defer res.Body.Close()
-	switch res.StatusCode {
-	case http.StatusUnauthorized:
-		return "", fmt.Errorf("unable to retrieve auth token: 401 unauthorized")
-	case http.StatusOK:
-		break
-	default:
-		return "", fmt.Errorf("unexpected http code: %d, URL: %s", res.StatusCode, authReq.URL)
-	}
-	tokenBlob, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return "", err
-	}
-	tokenStruct := struct {
-		Token string `json:"token"`
-	}{}
-	if err := json.Unmarshal(tokenBlob, &tokenStruct); err != nil {
-		return "", err
-	}
-	// TODO(runcom): reuse tokens?
-	//hostAuthTokens, ok = rb.hostsV2AuthTokens[req.URL.Host]
-	//if !ok {
-	//hostAuthTokens = make(map[string]string)
-	//rb.hostsV2AuthTokens[req.URL.Host] = hostAuthTokens
-	//}
-	//hostAuthTokens[repo] = tokenStruct.Token
-	return tokenStruct.Token, nil
-}
-
-func getAuth(hostname string) (string, string, error) {
-	// TODO(runcom): get this from *cli.Context somehow
-	//if username != "" && password != "" {
-	//return username, password, nil
-	//}
-	if hostname == dockerHostname {
-		hostname = dockerAuthRegistry
-	}
-	dockerCfgPath := filepath.Join(getDefaultConfigDir(".docker"), dockerCfgFileName)
-	if _, err := os.Stat(dockerCfgPath); err == nil {
-		j, err := ioutil.ReadFile(dockerCfgPath)
-		if err != nil {
-			return "", "", err
-		}
-		var dockerAuth dockerConfigFile
-		if err := json.Unmarshal(j, &dockerAuth); err != nil {
-			return "", "", err
-		}
-		// try the normal case
-		if c, ok := dockerAuth.AuthConfigs[hostname]; ok {
-			return decodeDockerAuth(c.Auth)
-		}
-	} else if os.IsNotExist(err) {
-		oldDockerCfgPath := filepath.Join(getDefaultConfigDir(dockerCfgObsolete))
-		if _, err := os.Stat(oldDockerCfgPath); err != nil {
-			return "", "", nil //missing file is not an error
-		}
-		j, err := ioutil.ReadFile(oldDockerCfgPath)
-		if err != nil {
-			return "", "", err
-		}
-		var dockerAuthOld map[string]dockerAuthConfigObsolete
-		if err := json.Unmarshal(j, &dockerAuthOld); err != nil {
-			return "", "", err
-		}
-		if c, ok := dockerAuthOld[hostname]; ok {
-			return decodeDockerAuth(c.Auth)
-		}
-	} else {
-		// if file is there but we can't stat it for any reason other
-		// than it doesn't exist then stop
-		return "", "", fmt.Errorf("%s - %v", dockerCfgPath, err)
-	}
-	return "", "", nil
-}
-
-type apiErr struct {
-	Code    string
-	Message string
-	Detail  interface{}
-}
-
-type pingResponse struct {
-	WWWAuthenticate string
-	APIVersion      string
-	scheme          string
-	errors          []apiErr
-}
-
-func (c *dockerClient) ping() (*pingResponse, error) {
-	client := &http.Client{}
-	if c.transport != nil {
-		client.Transport = c.transport
-	}
-	ping := func(scheme string) (*pingResponse, error) {
-		url := fmt.Sprintf(baseURL, scheme, c.registry)
-		resp, err := client.Get(url)
-		logrus.Debugf("Ping %s err %#v", url, err)
-		if err != nil {
-			return nil, err
-		}
-		defer resp.Body.Close()
-		logrus.Debugf("Ping %s status %d", scheme+"://"+c.registry+"/v2/", resp.StatusCode)
-		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
-			return nil, fmt.Errorf("error pinging repository, response code %d", resp.StatusCode)
-		}
-		pr := &pingResponse{}
-		pr.WWWAuthenticate = resp.Header.Get("WWW-Authenticate")
-		pr.APIVersion = resp.Header.Get("Docker-Distribution-Api-Version")
-		pr.scheme = scheme
-		if resp.StatusCode == http.StatusUnauthorized {
-			type APIErrors struct {
-				Errors []apiErr
-			}
-			errs := &APIErrors{}
-			if err := json.NewDecoder(resp.Body).Decode(errs); err != nil {
-				return nil, err
-			}
-			pr.errors = errs.Errors
-		}
-		return pr, nil
-	}
-	scheme := "https"
-	pr, err := ping(scheme)
-	if err != nil {
-		scheme = "http"
-		pr, err = ping(scheme)
-		if err == nil {
-			return pr, nil
-		}
-	}
-	return pr, err
-}
-
-func getDefaultConfigDir(confPath string) string {
-	return filepath.Join(homedir.Get(), confPath)
-}
-
-type dockerAuthConfigObsolete struct {
-	Auth string `json:"auth"`
-}
-
-type dockerAuthConfig struct {
-	Auth string `json:"auth,omitempty"`
-}
-
-type dockerConfigFile struct {
-	AuthConfigs map[string]dockerAuthConfig `json:"auths"`
-}
-
-func decodeDockerAuth(s string) (string, string, error) {
-	decoded, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return "", "", err
-	}
-	parts := strings.SplitN(string(decoded), ":", 2)
-	if len(parts) != 2 {
-		// if it's invalid just skip, as docker does
-		return "", "", nil
-	}
-	user := parts[0]
-	password := strings.Trim(parts[1], "\x00")
-	return user, password, nil
-}
--- a/docker/docker_image.go
+++ b/docker/docker_image.go
@@ -1,286 +0,0 @@
-package docker
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"regexp"
-	"strings"
-	"time"
-
-	"github.com/projectatomic/skopeo/directory"
-	"github.com/projectatomic/skopeo/docker/utils"
-	"github.com/projectatomic/skopeo/types"
-)
-
-var (
-	validHex = regexp.MustCompile(`^([a-f0-9]{64})$`)
-)
-
-type dockerImage struct {
-	src              *dockerImageSource
-	cachedManifest   []byte   // Private cache for Manifest(); nil if not yet known.
-	cachedSignatures [][]byte // Private cache for Signatures(); nil if not yet known.
-}
-
-// NewDockerImage returns a new Image interface type after setting up
-// a client to the registry hosting the given image.
-func NewDockerImage(img, certPath string, tlsVerify bool) (types.Image, error) {
-	s, err := newDockerImageSource(img, certPath, tlsVerify)
-	if err != nil {
-		return nil, err
-	}
-	return &dockerImage{src: s}, nil
-}
-
-// IntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
-// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
-// May be "" if unknown.
-func (i *dockerImage) IntendedDockerReference() string {
-	return i.src.IntendedDockerReference()
-}
-
-// Manifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
-func (i *dockerImage) Manifest() ([]byte, error) {
-	if i.cachedManifest == nil {
-		m, _, err := i.src.GetManifest([]string{utils.DockerV2Schema1MIMEType})
-		if err != nil {
-			return nil, err
-		}
-		i.cachedManifest = m
-	}
-	return i.cachedManifest, nil
-}
-
-// Signatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
-func (i *dockerImage) Signatures() ([][]byte, error) {
-	if i.cachedSignatures == nil {
-		sigs, err := i.src.GetSignatures()
-		if err != nil {
-			return nil, err
-		}
-		i.cachedSignatures = sigs
-	}
-	return i.cachedSignatures, nil
-}
-
-func (i *dockerImage) Inspect() (*types.ImageInspectInfo, error) {
-	// TODO(runcom): unused version param for now, default to docker v2-1
-	m, err := i.getSchema1Manifest()
-	if err != nil {
-		return nil, err
-	}
-	ms1, ok := m.(*manifestSchema1)
-	if !ok {
-		return nil, fmt.Errorf("error retrivieng manifest schema1")
-	}
-	v1 := &v1Image{}
-	if err := json.Unmarshal([]byte(ms1.History[0].V1Compatibility), v1); err != nil {
-		return nil, err
-	}
-	return &types.ImageInspectInfo{
-		Name:          i.src.ref.FullName(),
-		Tag:           ms1.Tag,
-		DockerVersion: v1.DockerVersion,
-		Created:       v1.Created,
-		Labels:        v1.Config.Labels,
-		Architecture:  v1.Architecture,
-		Os:            v1.OS,
-		Layers:        ms1.GetLayers(),
-	}, nil
-}
-
-// GetRepositoryTags list all tags available in the repository. Note that this has no connection with the tag(s) used for this specific image, if any.
-func (i *dockerImage) GetRepositoryTags() ([]string, error) {
-	// FIXME? Breaking the abstraction.
-	url := fmt.Sprintf(tagsURL, i.src.ref.RemoteName())
-	res, err := i.src.c.makeRequest("GET", url, nil, nil)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		// print url also
-		return nil, fmt.Errorf("Invalid status code returned when fetching tags list %d", res.StatusCode)
-	}
-	type tagsRes struct {
-		Tags []string
-	}
-	tags := &tagsRes{}
-	if err := json.NewDecoder(res.Body).Decode(tags); err != nil {
-		return nil, err
-	}
-	return tags.Tags, nil
-}
-
-type config struct {
-	Labels map[string]string
-}
-
-type v1Image struct {
-	// Config is the configuration of the container received from the client
-	Config *config `json:"config,omitempty"`
-	// DockerVersion specifies version on which image is built
-	DockerVersion string `json:"docker_version,omitempty"`
-	// Created timestamp when image was created
-	Created time.Time `json:"created"`
-	// Architecture is the hardware that the image is build and runs on
-	Architecture string `json:"architecture,omitempty"`
-	// OS is the operating system used to build and run the image
-	OS string `json:"os,omitempty"`
-}
-
-// TODO(runcom)
-func (i *dockerImage) DockerTar() ([]byte, error) {
-	return nil, nil
-}
-
-// will support v1 one day...
-type manifest interface {
-	String() string
-	GetLayers() []string
-}
-
-type manifestSchema1 struct {
-	Name     string
-	Tag      string
-	FSLayers []struct {
-		BlobSum string `json:"blobSum"`
-	} `json:"fsLayers"`
-	History []struct {
-		V1Compatibility string `json:"v1Compatibility"`
-	} `json:"history"`
-	// TODO(runcom) verify the downloaded manifest
-	//Signature []byte `json:"signature"`
-}
-
-func (m *manifestSchema1) GetLayers() []string {
-	layers := make([]string, len(m.FSLayers))
-	for i, layer := range m.FSLayers {
-		layers[i] = layer.BlobSum
-	}
-	return layers
-}
-
-func (m *manifestSchema1) String() string {
-	return fmt.Sprintf("%s-%s", sanitize(m.Name), sanitize(m.Tag))
-}
-
-func sanitize(s string) string {
-	return strings.Replace(s, "/", "-", -1)
-}
-
-func (i *dockerImage) getSchema1Manifest() (manifest, error) {
-	manblob, err := i.Manifest()
-	if err != nil {
-		return nil, err
-	}
-	mschema1 := &manifestSchema1{}
-	if err := json.Unmarshal(manblob, mschema1); err != nil {
-		return nil, err
-	}
-	if err := fixManifestLayers(mschema1); err != nil {
-		return nil, err
-	}
-	// TODO(runcom): verify manifest schema 1, 2 etc
-	//if len(m.FSLayers) != len(m.History) {
-	//return nil, fmt.Errorf("length of history not equal to number of layers for %q", ref.String())
-	//}
-	//if len(m.FSLayers) == 0 {
-	//return nil, fmt.Errorf("no FSLayers in manifest for %q", ref.String())
-	//}
-	return mschema1, nil
-}
-
-func (i *dockerImage) Layers(layers ...string) error {
-	m, err := i.getSchema1Manifest()
-	if err != nil {
-		return err
-	}
-	tmpDir, err := ioutil.TempDir(".", "layers-"+m.String()+"-")
-	if err != nil {
-		return err
-	}
-	dest := directory.NewDirImageDestination(tmpDir)
-	data, err := json.Marshal(m)
-	if err != nil {
-		return err
-	}
-	if err := dest.PutManifest(data); err != nil {
-		return err
-	}
-	if len(layers) == 0 {
-		layers = m.GetLayers()
-	}
-	for _, l := range layers {
-		if !strings.HasPrefix(l, "sha256:") {
-			l = "sha256:" + l
-		}
-		if err := i.getLayer(dest, l); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (i *dockerImage) getLayer(dest types.ImageDestination, digest string) error {
-	stream, err := i.src.GetLayer(digest)
-	if err != nil {
-		return err
-	}
-	defer stream.Close()
-	return dest.PutLayer(digest, stream)
-}
-
-func fixManifestLayers(manifest *manifestSchema1) error {
-	type imageV1 struct {
-		ID     string
-		Parent string
-	}
-	imgs := make([]*imageV1, len(manifest.FSLayers))
-	for i := range manifest.FSLayers {
-		img := &imageV1{}
-
-		if err := json.Unmarshal([]byte(manifest.History[i].V1Compatibility), img); err != nil {
-			return err
-		}
-
-		imgs[i] = img
-		if err := validateV1ID(img.ID); err != nil {
-			return err
-		}
-	}
-	if imgs[len(imgs)-1].Parent != "" {
-		return errors.New("Invalid parent ID in the base layer of the image.")
-	}
-	// check general duplicates to error instead of a deadlock
-	idmap := make(map[string]struct{})
-	var lastID string
-	for _, img := range imgs {
-		// skip IDs that appear after each other, we handle those later
-		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
-			return fmt.Errorf("ID %+v appears multiple times in manifest", img.ID)
-		}
-		lastID = img.ID
-		idmap[lastID] = struct{}{}
-	}
-	// backwards loop so that we keep the remaining indexes after removing items
-	for i := len(imgs) - 2; i >= 0; i-- {
-		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
-			manifest.FSLayers = append(manifest.FSLayers[:i], manifest.FSLayers[i+1:]...)
-			manifest.History = append(manifest.History[:i], manifest.History[i+1:]...)
-		} else if imgs[i].Parent != imgs[i+1].ID {
-			return fmt.Errorf("Invalid parent ID. Expected %v, got %v.", imgs[i+1].ID, imgs[i].Parent)
-		}
-	}
-	return nil
-}
-
-func validateV1ID(id string) error {
-	if ok := validHex.MatchString(id); !ok {
-		return fmt.Errorf("image ID %q is invalid", id)
-	}
-	return nil
-}
--- a/docker/docker_image_dest.go
+++ b/docker/docker_image_dest.go
@@ -1,110 +0,0 @@
-package docker
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/projectatomic/skopeo/docker/utils"
-	"github.com/projectatomic/skopeo/reference"
-	"github.com/projectatomic/skopeo/types"
-)
-
-type dockerImageDestination struct {
-	ref reference.Named
-	tag string
-	c   *dockerClient
-}
-
-// NewDockerImageDestination creates a new ImageDestination for the specified image and connection specification.
-func NewDockerImageDestination(img, certPath string, tlsVerify bool) (types.ImageDestination, error) {
-	ref, tag, err := parseDockerImageName(img)
-	if err != nil {
-		return nil, err
-	}
-	c, err := newDockerClient(ref.Hostname(), certPath, tlsVerify)
-	if err != nil {
-		return nil, err
-	}
-	return &dockerImageDestination{
-		ref: ref,
-		tag: tag,
-		c:   c,
-	}, nil
-}
-
-func (d *dockerImageDestination) CanonicalDockerReference() (string, error) {
-	return fmt.Sprintf("%s:%s", d.ref.Name(), d.tag), nil
-}
-
-func (d *dockerImageDestination) PutManifest(manifest []byte) error {
-	// FIXME: This only allows upload by digest, not creating a tag.  See the
-	// corresponding comment in NewOpenshiftImageDestination.
-	digest, err := utils.ManifestDigest(manifest)
-	if err != nil {
-		return err
-	}
-	url := fmt.Sprintf(manifestURL, d.ref.RemoteName(), digest)
-
-	headers := map[string][]string{}
-	mimeType := utils.GuessManifestMIMEType(manifest)
-	if mimeType != "" {
-		headers["Content-Type"] = []string{mimeType}
-	}
-	res, err := d.c.makeRequest("PUT", url, headers, bytes.NewReader(manifest))
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusCreated {
-		body, err := ioutil.ReadAll(res.Body)
-		if err == nil {
-			logrus.Debugf("Error body %s", string(body))
-		}
-		logrus.Debugf("Error uploading manifest, status %d, %#v", res.StatusCode, res)
-		return fmt.Errorf("Error uploading manifest to %s, status %d", url, res.StatusCode)
-	}
-	return nil
-}
-
-func (d *dockerImageDestination) PutLayer(digest string, stream io.Reader) error {
-	checkURL := fmt.Sprintf(blobsURL, d.ref.RemoteName(), digest)
-
-	logrus.Debugf("Checking %s", checkURL)
-	res, err := d.c.makeRequest("HEAD", checkURL, nil, nil)
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode == http.StatusOK && res.Header.Get("Docker-Content-Digest") == digest {
-		logrus.Debugf("... already exists, not uploading")
-		return nil
-	}
-	logrus.Debugf("... failed, status %d", res.StatusCode)
-
-	// FIXME? Chunked upload, progress reporting, etc.
-	uploadURL := fmt.Sprintf(blobUploadURL, d.ref.RemoteName(), digest)
-	logrus.Debugf("Uploading %s", uploadURL)
-	// FIXME: Set Content-Length?
-	res, err = d.c.makeRequest("POST", uploadURL, map[string][]string{"Content-Type": {"application/octet-stream"}}, stream)
-	if err != nil {
-		return err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != http.StatusCreated {
-		logrus.Debugf("Error uploading, status %d", res.StatusCode)
-		return fmt.Errorf("Error uploading to %s, status %d", uploadURL, res.StatusCode)
-	}
-
-	return nil
-}
-
-func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
-	if len(signatures) != 0 {
-		return fmt.Errorf("Pushing signatures to a Docker Registry is not supported")
-	}
-	return nil
-}
--- a/docker/docker_image_src.go
+++ b/docker/docker_image_src.go
@@ -1,96 +0,0 @@
-package docker
-
-import (
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/projectatomic/skopeo/reference"
-	"github.com/projectatomic/skopeo/types"
-)
-
-type errFetchManifest struct {
-	statusCode int
-	body       []byte
-}
-
-func (e errFetchManifest) Error() string {
-	return fmt.Sprintf("error fetching manifest: status code: %d, body: %s", e.statusCode, string(e.body))
-}
-
-type dockerImageSource struct {
-	ref reference.Named
-	tag string
-	c   *dockerClient
-}
-
-// newDockerImageSource is the same as NewDockerImageSource, only it returns the more specific *dockerImageSource type.
-func newDockerImageSource(img, certPath string, tlsVerify bool) (*dockerImageSource, error) {
-	ref, tag, err := parseDockerImageName(img)
-	if err != nil {
-		return nil, err
-	}
-	c, err := newDockerClient(ref.Hostname(), certPath, tlsVerify)
-	if err != nil {
-		return nil, err
-	}
-	return &dockerImageSource{
-		ref: ref,
-		tag: tag,
-		c:   c,
-	}, nil
-}
-
-// NewDockerImageSource creates a new ImageSource for the specified image and connection specification.
-func NewDockerImageSource(img, certPath string, tlsVerify bool) (types.ImageSource, error) {
-	return newDockerImageSource(img, certPath, tlsVerify)
-}
-
-// IntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
-// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
-// May be "" if unknown.
-func (s *dockerImageSource) IntendedDockerReference() string {
-	return fmt.Sprintf("%s:%s", s.ref.Name(), s.tag)
-}
-
-func (s *dockerImageSource) GetManifest(mimetypes []string) ([]byte, string, error) {
-	url := fmt.Sprintf(manifestURL, s.ref.RemoteName(), s.tag)
-	// TODO(runcom) set manifest version header! schema1 for now - then schema2 etc etc and v1
-	// TODO(runcom) NO, switch on the resulter manifest like Docker is doing
-	headers := make(map[string][]string)
-	headers["Accept"] = mimetypes
-	res, err := s.c.makeRequest("GET", url, headers, nil)
-	if err != nil {
-		return nil, "", err
-	}
-	defer res.Body.Close()
-	manblob, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return nil, "", err
-	}
-	if res.StatusCode != http.StatusOK {
-		return nil, "", errFetchManifest{res.StatusCode, manblob}
-	}
-	// We might validate manblob against the Docker-Content-Digest header here to protect against transport errors.
-	return manblob, res.Header.Get("Content-Type"), nil
-}
-
-func (s *dockerImageSource) GetLayer(digest string) (io.ReadCloser, error) {
-	url := fmt.Sprintf(blobsURL, s.ref.RemoteName(), digest)
-	logrus.Infof("Downloading %s", url)
-	res, err := s.c.makeRequest("GET", url, nil, nil)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != http.StatusOK {
-		// print url also
-		return nil, fmt.Errorf("Invalid status code returned when fetching blob %d", res.StatusCode)
-	}
-	return res.Body, nil
-}
-
-func (s *dockerImageSource) GetSignatures() ([][]byte, error) {
-	return [][]byte{}, nil
-}
--- a/docker/docker_utils.go
+++ b/docker/docker_utils.go
@@ -1,20 +0,0 @@
-package docker
-
-import "github.com/projectatomic/skopeo/reference"
-
-// parseDockerImageName converts a string into a reference and tag value.
-func parseDockerImageName(img string) (reference.Named, string, error) {
-	ref, err := reference.ParseNamed(img)
-	if err != nil {
-		return nil, "", err
-	}
-	ref = reference.WithDefaultTag(ref)
-	var tag string
-	switch x := ref.(type) {
-	case reference.Canonical:
-		tag = x.Digest().String()
-	case reference.NamedTagged:
-		tag = x.Tag()
-	}
-	return ref, tag, nil
-}
--- a/docker/utils/fixtures/non-json.manifest.json
+++ b/docker/utils/fixtures/non-json.manifest.json
--- a/docker/utils/fixtures/unknown-version.manifest.json
+++ b/docker/utils/fixtures/unknown-version.manifest.json
@@ -1,5 +0,0 @@
-{
-   "schemaVersion": 99999,
-   "name": "mitr/noversion-nonsense",
-   "tag": "latest"
-}
--- a/docker/utils/fixtures/v2list.manifest.json
+++ b/docker/utils/fixtures/v2list.manifest.json
@@ -1,56 +0,0 @@
-{
-   "schemaVersion": 2,
-   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-   "manifests": [
-      {
-         "mediaType": "application/vnd.docker.distribution.manifest.v1+json",
-         "size": 2094,
-         "digest": "sha256:7820f9a86d4ad15a2c4f0c0e5479298df2aa7c2f6871288e2ef8546f3e7b6783",
-         "platform": {
-            "architecture": "ppc64le",
-            "os": "linux"
-         }
-      },
-      {
-         "mediaType": "application/vnd.docker.distribution.manifest.v1+json",
-         "size": 1922,
-         "digest": "sha256:ae1b0e06e8ade3a11267564a26e750585ba2259c0ecab59ab165ad1af41d1bdd",
-         "platform": {
-            "architecture": "amd64",
-            "os": "linux",
-            "features": [
-               "sse"
-            ]
-         }
-      },
-      {
-         "mediaType": "application/vnd.docker.distribution.manifest.v1+json",
-         "size": 2084,
-         "digest": "sha256:e4c0df75810b953d6717b8f8f28298d73870e8aa2a0d5e77b8391f16fdfbbbe2",
-         "platform": {
-            "architecture": "s390x",
-            "os": "linux"
-         }
-      },
-      {
-         "mediaType": "application/vnd.docker.distribution.manifest.v1+json",
-         "size": 2084,
-         "digest": "sha256:07ebe243465ef4a667b78154ae6c3ea46fdb1582936aac3ac899ea311a701b40",
-         "platform": {
-            "architecture": "arm",
-            "os": "linux",
-            "variant": "armv7"
-         }
-      },
-      {
-         "mediaType": "application/vnd.docker.distribution.manifest.v1+json",
-         "size": 2090,
-         "digest": "sha256:fb2fc0707b86dafa9959fe3d29e66af8787aee4d9a23581714be65db4265ad8a",
-         "platform": {
-            "architecture": "arm64",
-            "os": "linux",
-            "variant": "armv8"
-         }
-      }
-   ]
-}
--- a/docker/utils/fixtures/v2s1.manifest.json
+++ b/docker/utils/fixtures/v2s1.manifest.json
@@ -1,44 +0,0 @@
-{
-   "schemaVersion": 1,
-   "name": "mitr/buxybox",
-   "tag": "latest",
-   "architecture": "amd64",
-   "fsLayers": [
-      {
-         "blobSum": "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
-      },
-      {
-         "blobSum": "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
-      },
-      {
-         "blobSum": "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
-      }
-   ],
-   "history": [
-      {
-         "v1Compatibility": "{\"id\":\"f1b5eb0a1215f663765d509b6cdf3841bc2bcff0922346abb943d1342d469a97\",\"parent\":\"594075be8d003f784074cc639d970d1fa091a8197850baaae5052c01564ac535\",\"created\":\"2016-03-03T11:29:44.222098366Z\",\"container\":\"c0924f5b281a1992127d0afc065e59548ded8880b08aea4debd56d4497acb17a\",\"container_config\":{\"Hostname\":\"56f0fe1dfc95\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":null,\"PublishService\":\"\",\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) LABEL Checksum=4fef81d30f31f9213c642881357e6662846a0f884c2366c13ebad807b4031368  ./tests/test-images/Dockerfile.2\"],\"Image\":\"594075be8d003f784074cc639d970d1fa091a8197850baaae5052c01564ac535\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{\"Checksum\":\"4fef81d30f31f9213c642881357e6662846a0f884c2366c13ebad807b4031368  ./tests/test-images/Dockerfile.2\",\"Name\":\"atomic-test-2\"}},\"docker_version\":\"1.8.2-fc22\",\"author\":\"\\\"William Temple \\u003cwtemple at redhat dot com\\u003e\\\"\",\"config\":{\"Hostname\":\"56f0fe1dfc95\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":null,\"PublishService\":\"\",\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"594075be8d003f784074cc639d970d1fa091a8197850baaae5052c01564ac535\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{\"Checksum\":\"4fef81d30f31f9213c642881357e6662846a0f884c2366c13ebad807b4031368  ./tests/test-images/Dockerfile.2\",\"Name\":\"atomic-test-2\"}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"
-      },
-      {
-         "v1Compatibility": "{\"id\":\"594075be8d003f784074cc639d970d1fa091a8197850baaae5052c01564ac535\",\"parent\":\"03dfa1cd1abe452bc2b69b8eb2362fa6beebc20893e65437906318954f6276d4\",\"created\":\"2016-03-03T11:29:38.563048924Z\",\"container\":\"fd4cf54dcd239fbae9bdade9db48e41880b436d27cb5313f60952a46ab04deff\",\"container_config\":{\"Hostname\":\"56f0fe1dfc95\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":null,\"PublishService\":\"\",\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) LABEL Name=atomic-test-2\"],\"Image\":\"03dfa1cd1abe452bc2b69b8eb2362fa6beebc20893e65437906318954f6276d4\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{\"Name\":\"atomic-test-2\"}},\"docker_version\":\"1.8.2-fc22\",\"author\":\"\\\"William Temple \\u003cwtemple at redhat dot com\\u003e\\\"\",\"config\":{\"Hostname\":\"56f0fe1dfc95\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":null,\"PublishService\":\"\",\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"03dfa1cd1abe452bc2b69b8eb2362fa6beebc20893e65437906318954f6276d4\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{\"Name\":\"atomic-test-2\"}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"
-      },
-      {
-         "v1Compatibility": "{\"id\":\"03dfa1cd1abe452bc2b69b8eb2362fa6beebc20893e65437906318954f6276d4\",\"created\":\"2016-03-03T11:29:32.948089874Z\",\"container\":\"56f0fe1dfc95755dd6cda10f7215c9937a8d9c6348d079c581a261fd4c2f3a5f\",\"container_config\":{\"Hostname\":\"56f0fe1dfc95\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":null,\"PublishService\":\"\",\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) MAINTAINER \\\"William Temple \\u003cwtemple at redhat dot com\\u003e\\\"\"],\"Image\":\"\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":null},\"docker_version\":\"1.8.2-fc22\",\"author\":\"\\\"William Temple \\u003cwtemple at redhat dot com\\u003e\\\"\",\"config\":{\"Hostname\":\"56f0fe1dfc95\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"ExposedPorts\":null,\"PublishService\":\"\",\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":null},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"
-      }
-   ],
-   "signatures": [
-      {
-         "header": {
-            "jwk": {
-               "crv": "P-256",
-               "kid": "OZ45:U3IG:TDOI:PMBD:NGP2:LDIW:II2U:PSBI:MMCZ:YZUP:TUUO:XPZT",
-               "kty": "EC",
-               "x": "ReC5c0J9tgXSdUL4_xzEt5RsD8kFt2wWSgJcpAcOQx8",
-               "y": "3sBGEqQ3ZMeqPKwQBAadN2toOUEASha18xa0WwsDF-M"
-            },
-            "alg": "ES256"
-         },
-         "signature": "dV1paJ3Ck1Ph4FcEhg_frjqxdlGdI6-ywRamk6CvMOcaOEUdCWCpCPQeBQpD2N6tGjkoG1BbstkFNflllfenCw",
-         "protected": "eyJmb3JtYXRMZW5ndGgiOjU0NzgsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAxNi0wNC0xOFQyMDo1NDo0MloifQ"
-      }
-   ]
-}
--- a/docker/utils/fixtures/v2s2.manifest.json
+++ b/docker/utils/fixtures/v2s2.manifest.json
@@ -1,26 +0,0 @@
-{
-    "schemaVersion": 2,
-    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
-    "config": {
-        "mediaType": "application/vnd.docker.container.image.v1+json",
-        "size": 7023,
-        "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
-    },
-    "layers": [
-        {
-            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-            "size": 32654,
-            "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f"
-        },
-        {
-            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-            "size": 16724,
-            "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
-        },
-        {
-            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-            "size": 73109,
-            "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
-        }
-    ]
-}
--- a/docker/utils/fixtures/v2s2nomime.manifest.json
+++ b/docker/utils/fixtures/v2s2nomime.manifest.json
@@ -1,10 +0,0 @@
-{
-    "schemaVersion": 2,
-    "config": {
-        "mediaType": "application/vnd.docker.container.image.v1+json",
-        "size": 7023,
-        "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
-    },
-    "layers": [
-    ]
-}
--- a/docker/utils/fixtures_info_test.go
+++ b/docker/utils/fixtures_info_test.go
@@ -1,8 +0,0 @@
-package utils
-
-const (
-	// TestV2S2ManifestDigest is the Docker manifest digest of "v2s2.manifest.json"
-	TestV2S2ManifestDigest = "sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55"
-	// TestV2S1ManifestDigest is the Docker manifest digest of "v2s1.manifest.json"
-	TestV2S1ManifestDigest = "sha256:077594da70fc17ec2c93cfa4e6ed1fcc26992851fb2c71861338aaf4aa9e41b1"
-)
--- a/docker/utils/manifest.go
+++ b/docker/utils/manifest.go
@@ -1,75 +0,0 @@
-package utils
-
-import (
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
-
-	"github.com/docker/libtrust"
-)
-
-// FIXME: Should we just use docker/distribution and docker/docker implementations directly?
-
-// ManifestMIMETypes returns a slice of supported MIME types
-func ManifestMIMETypes() []string {
-	return []string{
-		DockerV2Schema1MIMEType,
-		DockerV2Schema2MIMEType,
-		DockerV2ListMIMEType,
-	}
-}
-
-const (
-	// DockerV2Schema1MIMEType MIME type represents Docker manifest schema 1
-	DockerV2Schema1MIMEType = "application/vnd.docker.distribution.manifest.v1+json"
-	// DockerV2Schema2MIMEType MIME type represents Docker manifest schema 2
-	DockerV2Schema2MIMEType = "application/vnd.docker.distribution.manifest.v2+json"
-	// DockerV2ListMIMEType MIME type represents Docker manifest schema 2 list
-	DockerV2ListMIMEType = "application/vnd.docker.distribution.manifest.list.v2+json"
-)
-
-// GuessManifestMIMEType guesses MIME type of a manifest and returns it _if it is recognized_, or "" if unknown or unrecognized.
-// FIXME? We should, in general, prefer out-of-band MIME type instead of blindly parsing the manifest,
-// but we may not have such metadata available (e.g. when the manifest is a local file).
-func GuessManifestMIMEType(manifest []byte) string {
-	// A subset of manifest fields; the rest is silently ignored by json.Unmarshal.
-	// Also docker/distribution/manifest.Versioned.
-	meta := struct {
-		MediaType     string `json:"mediaType"`
-		SchemaVersion int    `json:"schemaVersion"`
-	}{}
-	if err := json.Unmarshal(manifest, &meta); err != nil {
-		return ""
-	}
-
-	switch meta.MediaType {
-	case DockerV2Schema2MIMEType, DockerV2ListMIMEType: // A recognized type.
-		return meta.MediaType
-	}
-	switch meta.SchemaVersion {
-	case 1:
-		return DockerV2Schema1MIMEType
-	case 2: // Really should not happen, meta.MediaType should have been set. But given the data, this is our best guess.
-		return DockerV2Schema2MIMEType
-	}
-	return ""
-}
-
-// ManifestDigest returns the a digest of a docker manifest, with any necessary implied transformations like stripping v1s1 signatures.
-func ManifestDigest(manifest []byte) (string, error) {
-	if GuessManifestMIMEType(manifest) == DockerV2Schema1MIMEType {
-		sig, err := libtrust.ParsePrettySignature(manifest, "signatures")
-		if err != nil {
-			return "", err
-		}
-		manifest, err = sig.Payload()
-		if err != nil {
-			// Coverage: This should never happen, libtrust's Payload() can fail only if joseBase64UrlDecode() fails, on a string
-			// that libtrust itself has josebase64UrlEncode()d
-			return "", err
-		}
-	}
-
-	hash := sha256.Sum256(manifest)
-	return "sha256:" + hex.EncodeToString(hash[:]), nil
-}
--- a/docker/utils/manifest_test.go
+++ b/docker/utils/manifest_test.go
@@ -1,58 +0,0 @@
-package utils
-
-import (
-	"io/ioutil"
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestGuessManifestMIMEType(t *testing.T) {
-	cases := []struct {
-		path     string
-		mimeType string
-	}{
-		{"v2s2.manifest.json", DockerV2Schema2MIMEType},
-		{"v2list.manifest.json", DockerV2ListMIMEType},
-		{"v2s1.manifest.json", DockerV2Schema1MIMEType},
-		{"v2s1-invalid-signatures.manifest.json", DockerV2Schema1MIMEType},
-		{"v2s2nomime.manifest.json", DockerV2Schema2MIMEType}, // It is unclear whether this one is legal, but we should guess v2s2 if anything at all.
-		{"unknown-version.manifest.json", ""},
-		{"non-json.manifest.json", ""}, // Not a manifest (nor JSON) at all
-	}
-
-	for _, c := range cases {
-		manifest, err := ioutil.ReadFile(filepath.Join("fixtures", c.path))
-		require.NoError(t, err)
-		mimeType := GuessManifestMIMEType(manifest)
-		assert.Equal(t, c.mimeType, mimeType)
-	}
-}
-
-func TestManifestDigest(t *testing.T) {
-	cases := []struct {
-		path   string
-		digest string
-	}{
-		{"v2s2.manifest.json", TestV2S2ManifestDigest},
-		{"v2s1.manifest.json", TestV2S1ManifestDigest},
-	}
-	for _, c := range cases {
-		manifest, err := ioutil.ReadFile(filepath.Join("fixtures", c.path))
-		require.NoError(t, err)
-		digest, err := ManifestDigest(manifest)
-		require.NoError(t, err)
-		assert.Equal(t, c.digest, digest)
-	}
-
-	manifest, err := ioutil.ReadFile("fixtures/v2s1-invalid-signatures.manifest.json")
-	require.NoError(t, err)
-	digest, err := ManifestDigest(manifest)
-	assert.Error(t, err)
-
-	digest, err = ManifestDigest([]byte{})
-	require.NoError(t, err)
-	assert.Equal(t, "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", digest)
-}
--- a/docs/skopeo-copy.1.md
+++ b/docs/skopeo-copy.1.md
@@ -0,0 +1,129 @@
+% skopeo-copy(1)
+
+## NAME
+skopeo\-copy - Copy an image (manifest, filesystem layers, signatures) from one location to another.
+
+## SYNOPSIS
+**skopeo copy** [**--sign-by=**_key-ID_] _source-image destination-image_
+
+## DESCRIPTION
+Copy an image (manifest, filesystem layers, signatures) from one location to another.
+
+Uses the system's trust policy to validate images, rejects images not trusted by the policy.
+
+  _source-image_ use the "image name" format described above
+
+  _destination-image_ use the "image name" format described above
+
+## OPTIONS
+
+**--all**
+
+If _source-image_ refers to a list of images, instead of copying just the image which matches the current OS and
+architecture (subject to the use of the global --override-os and --override-arch options), attempt to copy all of
+the images in the list, and the list itself.
+
+**--authfile** _path_
+
+Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+**--src-authfile** _path_
+
+Path of the authentication file for the source registry. Uses path given by `--authfile`, if not provided.
+
+**--dest-authfile** _path_
+
+Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.
+
+**--format, -f** _manifest-type_ Manifest type (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)
+
+**--quiet, -q** suppress output information when copying images
+
+**--remove-signatures** do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.
+
+**--sign-by=**_key-id_ add a signature using that key ID for an image name corresponding to _destination-image_
+
+**--encryption-key** _Key_ a reference prefixed with the encryption protocol to use. The supported protocols are JWE, PGP and PKCS7. For instance, jwe:/path/to/key.pem or pgp:admin@example.com or pkcs7:/path/to/x509-file. This feature is still *experimental*.
+
+**--decryption-key** _Key_ a reference required to perform decryption of container images. This should point to files which represent keys and/or certificates that can be used for decryption. Decryption will be tried with all keys. This feature is still *experimental*.
+
+**--src-creds** _username[:password]_ for accessing the source registry
+
+**--dest-compress** _bool-value_ Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)
+
+**--dest-oci-accept-uncompressed-layers** _bool-value_ Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed)
+
+**--dest-creds** _username[:password]_ for accessing the destination registry
+
+**--src-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the source registry or daemon
+
+**--src-no-creds** _bool-value_ Access the registry anonymously.
+
+**--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container source registry or daemon (defaults to true)
+
+**--dest-cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the destination registry or daemon
+
+**--dest-no-creds** _bool-value_  Access the registry anonymously.
+
+**--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container destination registry or daemon (defaults to true)
+
+**--src-daemon-host** _host_ Copy from docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`).
+
+**--dest-daemon-host** _host_ Copy to docker daemon at _host_. If _host_ starts with `tcp://`, HTTPS is enabled by default. To use plain HTTP, use the form `http://` (default is `unix:///var/run/docker.sock`).
+
+Existing signatures, if any, are preserved as well.
+
+**--dest-compress-format** _format_ Specifies the compression format to use.  Supported values are: `gzip` and `zstd`.
+
+**--dest-compress-level** _format_ Specifies the compression level to use.  The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).
+
+## EXAMPLES
+
+To copy the layers of the docker.io busybox image to a local directory:
+```sh
+$ mkdir -p /var/lib/images/busybox
+$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
+$ ls /var/lib/images/busybox/*
+  /tmp/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
+  /tmp/busybox/manifest.json
+  /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
+```
+
+To copy and sign an image:
+
+```sh
+# skopeo copy --sign-by dev@example.com container-storage:example/busybox:streaming docker://example/busybox:gold
+```
+
+To encrypt an image:
+```sh
+skopeo copy docker://docker.io/library/nginx:latest oci:local_nginx:latest
+
+openssl genrsa -out private.key 1024
+openssl rsa -in private.key -pubout > public.key
+
+skopeo  copy --encryption-key jwe:./public.key oci:local_nginx:latest oci:try-encrypt:encrypted
+```
+
+To decrypt an image:
+```sh
+skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```
+
+To copy encrypted image without decryption:
+```sh
+skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
+```
+
+To decrypt an image that requires more than one key:
+```sh
+skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
+```
+## SEE ALSO
+skopeo(1), podman-login(1), docker-login(1)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
+
--- a/docs/skopeo-delete.1.md
+++ b/docs/skopeo-delete.1.md
@@ -0,0 +1,52 @@
+% skopeo-delete(1)
+
+## NAME
+skopeo\-delete - Mark _image-name_ for deletion.
+
+## SYNOPSIS
+**skopeo delete** _image-name_
+
+Mark _image-name_ for deletion.  To release the allocated disk space, you must login to the container registry server and execute the container registry garbage collector. E.g.,
+
+```
+/usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
+
+Note: sometimes the config.yml is stored in /etc/docker/registry/config.yml
+
+If you are running the container registry inside of a container you would execute something like:
+
+$ docker exec -it registry /usr/bin/registry garbage-collect /etc/docker-distribution/registry/config.yml
+
+```
+
+**--authfile** _path_
+
+  Path of the authentication file. Default is ${XDG_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
+  If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+**--creds** _username[:password]_ for accessing the registry
+
+**--cert-dir** _path_ Use certificates at _path_ (*.crt, *.cert, *.key) to connect to the registry
+
+**--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true)
+
+**--no-creds** _bool-value_ Access the registry anonymously.
+
+Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon.
+
+## EXAMPLES
+
+Mark image example/pause for deletion from the registry.example.com registry:
+```sh
+$ skopeo delete --force docker://registry.example.com/example/pause:latest
+```
+See above for additional details on using the command **delete**.
+
+
+## SEE ALSO
+skopeo(1), podman-login(1), docker-login(1)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
+
--- a/docs/skopeo-inspect.1.md
+++ b/docs/skopeo-inspect.1.md
@@ -0,0 +1,71 @@
+% skopeo-inspect(1)
+
+## NAME
+skopeo\-inspect - Return low-level information about _image-name_ in a registry
+
+## SYNOPSIS
+**skopeo inspect** [**--raw**] [**--config**] _image-name_
+
+Return low-level information about _image-name_ in a registry
+
+  **--raw** output raw manifest, default is to format in JSON
+
+  _image-name_ name of image to retrieve information about
+
+  **--config** output configuration in OCI format, default is to format in JSON
+
+  _image-name_ name of image to retrieve configuration for
+
+  **--config** **--raw** output configuration in raw format
+
+  _image-name_ name of image to retrieve configuration for
+
+  **--authfile** _path_
+
+  Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
+  If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+  **--creds** _username[:password]_ for accessing the registry
+
+  **--cert-dir** _path_ Use certificates at _path_ (\*.crt, \*.cert, \*.key) to connect to the registry
+
+  **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to container registries (defaults to true)
+
+  **--no-creds** _bool-value_ Access the registry anonymously.
+
+## EXAMPLES
+
+To review information for the image fedora from the docker.io registry:
+```sh
+$ skopeo inspect docker://docker.io/fedora
+{
+    "Name": "docker.io/library/fedora",
+    "Digest": "sha256:a97914edb6ba15deb5c5acf87bd6bd5b6b0408c96f48a5cbd450b5b04509bb7d",
+    "RepoTags": [
+        "20",
+        "21",
+        "22",
+        "23",
+        "24",
+        "heisenbug",
+        "latest",
+        "rawhide"
+    ],
+    "Created": "2016-06-20T19:33:43.220526898Z",
+    "DockerVersion": "1.10.3",
+    "Labels": {},
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:7c91a140e7a1025c3bc3aace4c80c0d9933ac4ee24b8630a6b0b5d8b9ce6b9d4"
+    ]
+}
+```
+
+# SEE ALSO
+skopeo(1), podman-login(1), docker-login(1)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
+
--- a/docs/skopeo-manifest-digest.1.md
+++ b/docs/skopeo-manifest-digest.1.md
@@ -0,0 +1,26 @@
+% skopeo-manifest-digest(1)
+
+## NAME
+skopeo\-manifest\-digest -Compute a manifest digest of manifest-file and write it to standard output.
+
+## SYNOPSIS
+**skopeo manifest-digest** _manifest-file_
+
+## DESCRIPTION
+
+Compute a manifest digest of _manifest-file_ and write it to standard output.
+
+## EXAMPLES
+
+```sh
+$ skopeo manifest-digest manifest.json
+sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
+```
+
+## SEE ALSO
+skopeo(1)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
+
--- a/docs/skopeo-standalone-sign.1.md
+++ b/docs/skopeo-standalone-sign.1.md
@@ -0,0 +1,34 @@
+% skopeo-standalone-sign(1)
+
+## NAME
+skopeo\-standalone-sign - Simple Sign an image
+
+## SYNOPSIS
+**skopeo standalone-sign** _manifest docker-reference key-fingerprint_ **--output**|**-o** _signature_
+
+## DESCRIPTION
+This is primarily a debugging tool, or useful for special cases,
+and usually should not be a part of your normal operational workflow; use `skopeo copy --sign-by` instead to publish and sign an image in one step.
+
+  _manifest_ Path to a file containing the image manifest
+
+  _docker-reference_ A docker reference to identify the image with
+
+  _key-fingerprint_ Key identity to use for signing
+
+  **--output**|**-o** output file
+
+## EXAMPLES
+
+```sh
+$ skopeo standalone-sign busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 --output busybox.signature
+$
+```
+
+## SEE ALSO
+skopeo(1), skopeo-copy(1)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
+
--- a/docs/skopeo-standalone-verify.1.md
+++ b/docs/skopeo-standalone-verify.1.md
@@ -0,0 +1,36 @@
+% skopeo-standalone-verify(1)
+
+## NAME
+skopeo\-standalone\-verify - Verify an image signature
+
+## SYNOPSIS
+**skopeo standalone-verify** _manifest docker-reference key-fingerprint signature_
+
+## DESCRIPTION
+
+Verify a signature using local files, digest will be printed on success.
+
+  _manifest_ Path to a file containing the image manifest
+
+  _docker-reference_ A docker reference expected to identify the image in the signature
+
+  _key-fingerprint_ Expected identity of the signing key
+
+  _signature_ Path to signature file
+
+**Note:** If you do use this, make sure that the image can not be changed at the source location between the times of its verification and use.
+
+## EXAMPLES
+
+```sh
+$ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8  busybox.signature
+Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
+```
+
+## SEE ALSO
+skopeo(1)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
+
--- a/docs/skopeo-sync.1.md
+++ b/docs/skopeo-sync.1.md
@@ -0,0 +1,150 @@
+% skopeo-sync(1)
+
+## NAME
+skopeo\-sync - Synchronize images between container registries and local directories.
+
+
+## SYNOPSIS
+**skopeo sync** --src _transport_ --dest _transport_ _source_ _destination_
+
+## DESCRIPTION
+Synchronize images between container registries and local directories.
+The synchronization is achieved by copying all the images found at _source_ to _destination_.
+
+Useful to synchronize a local container registry mirror, and to to populate registries running inside of air-gapped environments.
+
+Differently from other skopeo commands, skopeo sync requires both source and destination transports to be specified separately from _source_ and _destination_.
+One of the problems of prefixing a destination with its transport is that, the registry `docker://hostname:port` would be wrongly interpreted as an image reference at a non-fully qualified registry, with `hostname` and `port` the image name and tag.
+
+Available _source_ transports:
+ - _docker_ (i.e. `--src docker`): _source_ is a repository hosted on a container registry (e.g.: `registry.example.com/busybox`).
+ If no image tag is specified, skopeo sync copies all the tags found in that repository.
+ - _dir_ (i.e. `--src dir`): _source_ is a local directory path (e.g.: `/media/usb/`). Refer to skopeo(1) **dir:**_path_ for the local image format.
+ - _yaml_ (i.e. `--src yaml`): _source_ is local YAML file path.
+ The YAML file should specify the list of images copied from different container registries (local directories are not supported). Refer to EXAMPLES for the file format.
+
+Available _destination_ transports:
+ - _docker_ (i.e. `--dest docker`): _destination_ is a container registry (e.g.: `my-registry.local.lan`).
+ - _dir_ (i.e. `--dest dir`): _destination_ is a local directory path (e.g.: `/media/usb/`).
+ One directory per source 'image:tag' is created for each copied image.
+
+When the `--scoped` option is specified, images are prefixed with the source image path so that multiple images with the same
+name can be stored at _destination_.
+
+## OPTIONS
+**--authfile** _path_
+
+Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `podman login`.
+If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
+
+**--src-authfile** _path_
+
+Path of the authentication file for the source registry. Uses path given by `--authfile`, if not provided.
+
+**--dest-authfile** _path_
+
+Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.
+
+**--src** _transport_ Transport for the source repository.
+
+**--dest** _transport_ Destination transport.
+
+**--scoped** Prefix images with the source image path, so that multiple images with the same name can be stored at _destination_.
+
+**--remove-signatures** Do not copy signatures, if any, from _source-image_. This is necessary when copying a signed image to a destination which does not support signatures.
+
+**--sign-by=**_key-id_ Add a signature using that key ID for an image name corresponding to _destination-image_.
+
+**--src-creds** _username[:password]_ for accessing the source registry.
+
+**--dest-creds** _username[:password]_ for accessing the destination registry.
+
+**--src-cert-dir** _path_ Use certificates (*.crt, *.cert, *.key) at _path_ to connect to the source registry or daemon.
+
+**--src-no-creds** _bool-value_ Access the registry anonymously.
+
+**--src-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container source registry or daemon (defaults to true).
+
+**--dest-cert-dir** _path_ Use certificates (*.crt, *.cert, *.key) at _path_ to connect to the destination registry or daemon.
+
+**--dest-no-creds** _bool-value_  Access the registry anonymously.
+
+**--dest-tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to a container destination registry or daemon (defaults to true).
+
+## EXAMPLES
+
+### Synchronizing to a local directory
+```
+$ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
+```
+Images are located at:
+```
+/media/usb/busybox:1-glibc
+/media/usb/busybox:1-musl
+/media/usb/busybox:1-ubuntu
+...
+/media/usb/busybox:latest
+```
+
+### Synchronizing to a local directory, scoped
+```
+$ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
+```
+Images are located at:
+```
+/media/usb/registry.example.com/busybox:1-glibc
+/media/usb/registry.example.com/busybox:1-musl
+/media/usb/registry.example.com/busybox:1-ubuntu
+...
+/media/usb/registry.example.com/busybox:latest
+```
+
+### Synchronizing to a container registry
+```
+skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
+```
+Destination registry content:
+```
+REPO                           TAGS
+registry.example.com/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
+```
+
+### YAML file content (used _source_ for `**--src yaml**`)
+
+```yaml
+registry.example.com:
+    images:
+        busybox: []
+        redis:
+            - "1.0"
+            - "2.0"
+    credentials:
+        username: john
+        password: this is a secret
+    tls-verify: true
+    cert-dir: /home/john/certs
+quay.io:
+    tls-verify: false
+    images:
+        coreos/etcd:
+            - latest
+```
+
+This will copy the following images:
+- Repository `registry.example.com/busybox`: all images, as no tags are specified.
+- Repository `registry.example.com/redis`: images tagged "1.0" and "2.0".
+- Repository `quay.io/coreos/etcd`: images tagged "latest".
+
+For the registry `registry.example.com`, the "john"/"this is a secret" credentials are used, with server TLS certificates located at `/home/john/certs`.
+
+TLS verification is normally enabled, and it can be disabled setting `tls-verify` to `true`.
+In the above example, TLS verification is enabled for `reigstry.example.com`, while is
+disabled for `quay.io`.
+
+## SEE ALSO
+skopeo(1), podman-login(1), docker-login(1)
+
+## AUTHORS
+
+Flavio Castelli <fcastelli@suse.com>, Marco Vedovati <mvedovati@suse.com>
+
--- a/docs/skopeo.1.md
+++ b/docs/skopeo.1.md
@@ -0,0 +1,93 @@
+% SKOPEO(1) Skopeo Man Pages
+% Jhon Honce
+% August 2016
+## NAME
+skopeo -- Command line utility used to interact with local and remote container images and container image registries
+
+## SYNOPSIS
+**skopeo** [_global options_] _command_ [_command options_]
+
+## DESCRIPTION
+`skopeo` is a command line utility providing various operations with container images and container image registries.
+
+`skopeo` can copy container images between various containers image stores, converting them as necessary.  For example you can use `skopeo` to copy container images from one container registry to another.
+
+`skopeo` can convert a Docker schema 2 or schema 1 container image to an OCI image.
+
+`skopeo` can inspect a repository on a container registry without needlessly pulling the image. Pulling an image from a repository, especially a remote repository, is an expensive network and storage operation. Skopeo fetches the repository's manifest and displays a `docker inspect`-like json output about the repository or a tag. `skopeo`, in contrast to `docker inspect`, helps you gather useful information about a repository or a tag without requiring you to run `docker pull` - e.g. - Which tags are available for the given repository? Which labels does the image have?
+
+`skopeo` can sign and verify container images.
+
+`skopeo` can delete container images from a remote container registry.
+
+Note: `skopeo` does not require any container runtimes to be running, to do most of
+its functionality.  It also does not require root, unless you are copying images into a container runtime storage backend, like the docker daemon or github.com/containers/storage.
+
+## IMAGE NAMES
+Most commands refer to container images, using a _transport_`:`_details_ format. The following formats are supported:
+
+  **containers-storage:**_docker-reference_
+  An image located in a local containers/storage image store.  Location and image store specified in /etc/containers/storage.conf
+
+  **dir:**_path_
+  An existing local directory _path_ storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
+
+  **docker://**_docker-reference_
+  An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in either `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `(podman login)`. If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using `(docker login)`.
+
+  **docker-archive:**_path_[**:**_docker-reference_]
+  An image is stored in the `docker save` formatted file.  _docker-reference_ is only used when creating such a file, and it must not contain a digest.
+
+  **docker-daemon:**_docker-reference_
+  An image _docker-reference_ stored in the docker daemon internal storage.  _docker-reference_ must contain either a tag or a digest.  Alternatively, when reading images, the format can be docker-daemon:algo:digest (an image ID).
+
+  **oci:**_path_**:**_tag_
+  An image _tag_ in a directory compliant with "Open Container Image Layout Specification" at _path_.
+
+## OPTIONS
+
+  **--debug** enable debug output
+
+  **--policy** _path-to-policy_ Path to a policy.json file to use for verifying signatures and deciding whether an image is trusted, overriding the default trust policy file.
+
+  **--insecure-policy** Adopt an insecure, permissive policy that allows anything. This obviates the need for a policy file.
+
+  **--registries.d** _dir_ use registry configuration files in _dir_ (e.g. for container signature storage), overriding the default path.
+
+  **--override-arch** _arch_ Use _arch_ instead of the architecture of the machine for choosing images.
+
+  **--override-os** _OS_ Use _OS_ instead of the running OS for choosing images.
+
+  **--command-timeout** _duration_ Timeout for the command execution.
+
+  **--help**|**-h** Show help
+
+  **--version**|**-v** print the version number
+
+## COMMANDS
+
+| Command                                   | Description                                                                    |
+| ----------------------------------------- | ------------------------------------------------------------------------------ |
+| [skopeo-copy(1)](skopeo-copy.1.md)        | Copy an image (manifest, filesystem layers, signatures) from one location to another. |
+| [skopeo-delete(1)](skopeo-delete.1.md)    | Mark image-name for deletion.                                                  |
+| [skopeo-inspect(1)](skopeo-inspect.1.md)  | Return low-level information about image-name in a registry.                   |
+| [skopeo-manifest-digest(1)](skopeo-manifest-digest.1.md)    | Compute a manifest digest of manifest-file and write it to standard output.|
+| [skopeo-standalone-sign(1)](skopeo-standalone-sign.1.md)    | Sign an image.                                               |
+| [skopeo-standalone-verify(1)](skopeo-standalone-verify.1.md)| Verify an image.                                             |
+| [skopeo-sync(1)](skopeo-sync.1.md)| Copy images from one or more repositories to a user specified destination.             |
+
+## FILES
+  **/etc/containers/policy.json**
+  Default trust policy file, if **--policy** is not specified.
+  The policy format is documented in https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md .
+
+  **/etc/containers/registries.d**
+  Default directory containing registry configuration, if **--registries.d** is not specified.
+  The contents of this directory are documented in https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md .
+
+## SEE ALSO
+podman-login(1), docker-login(1)
+
+## AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
--- a/docs/skopeo.svg
+++ b/docs/skopeo.svg
@@ -0,0 +1,546 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="480.61456"
+   height="472.66098"
+   viewBox="0 0 127.1626 125.05822"
+   version="1.1"
+   id="svg8"
+   inkscape:version="0.92.2 5c3e80d, 2017-08-06"
+   sodipodi:docname="skopeo.svg"
+   inkscape:export-filename="/home/duffy/Documents/Projects/Favors/skopeo-logo/skopeo.color.png"
+   inkscape:export-xdpi="90"
+   inkscape:export-ydpi="90">
+  <defs
+     id="defs2">
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84477">
+      <stop
+         style="stop-color:#0093d9;stop-opacity:1"
+         offset="0"
+         id="stop84473" />
+      <stop
+         style="stop-color:#ffffff;stop-opacity:1"
+         offset="1"
+         id="stop84475" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84469">
+      <stop
+         style="stop-color:#f6e6c8;stop-opacity:1"
+         offset="0"
+         id="stop84465" />
+      <stop
+         style="stop-color:#dc9f2e;stop-opacity:1"
+         offset="1"
+         id="stop84467" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84461">
+      <stop
+         style="stop-color:#bfdce8;stop-opacity:1;"
+         offset="0"
+         id="stop84457" />
+      <stop
+         style="stop-color:#2a72ac;stop-opacity:1"
+         offset="1"
+         id="stop84459" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84420">
+      <stop
+         style="stop-color:#a7a9ac;stop-opacity:1;"
+         offset="0"
+         id="stop84416" />
+      <stop
+         style="stop-color:#e7e8e9;stop-opacity:1"
+         offset="1"
+         id="stop84418" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84347">
+      <stop
+         style="stop-color:#2c2d2f;stop-opacity:1;"
+         offset="0"
+         id="stop84343" />
+      <stop
+         style="stop-color:#000000;stop-opacity:1"
+         offset="1"
+         id="stop84345" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84339">
+      <stop
+         style="stop-color:#002442;stop-opacity:1;"
+         offset="0"
+         id="stop84335" />
+      <stop
+         style="stop-color:#151617;stop-opacity:1"
+         offset="1"
+         id="stop84337" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84331">
+      <stop
+         style="stop-color:#003d6e;stop-opacity:1;"
+         offset="0"
+         id="stop84327" />
+      <stop
+         style="stop-color:#59b5ff;stop-opacity:1"
+         offset="1"
+         id="stop84329" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient84323">
+      <stop
+         style="stop-color:#dc9f2e;stop-opacity:1;"
+         offset="0"
+         id="stop84319" />
+      <stop
+         style="stop-color:#ffffff;stop-opacity:1"
+         offset="1"
+         id="stop84321" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84323"
+       id="linearGradient84325"
+       x1="221.5741"
+       y1="250.235"
+       x2="219.20772"
+       y2="221.99771"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84331"
+       id="linearGradient84333"
+       x1="223.23239"
+       y1="212.83418"
+       x2="245.52328"
+       y2="129.64345"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84339"
+       id="linearGradient84341"
+       x1="190.36137"
+       y1="217.8925"
+       x2="205.20828"
+       y2="209.32063"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84347"
+       id="linearGradient84349"
+       x1="212.05453"
+       y1="215.20055"
+       x2="237.73705"
+       y2="230.02835"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84323"
+       id="linearGradient84363"
+       x1="193.61516"
+       y1="225.045"
+       x2="224.08698"
+       y2="223.54327"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84323"
+       id="linearGradient84377"
+       x1="182.72513"
+       y1="222.54439"
+       x2="184.01024"
+       y2="210.35291"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84408"
+       x1="211.73801"
+       y1="225.48302"
+       x2="204.24324"
+       y2="238.46432"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84422"
+       x1="190.931"
+       y1="221.83777"
+       x2="187.53873"
+       y2="229.26593"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84339"
+       id="linearGradient84425"
+       gradientUnits="userSpaceOnUse"
+       x1="190.36137"
+       y1="217.8925"
+       x2="205.20828"
+       y2="209.32063"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84441"
+       x1="169.95944"
+       y1="215.77036"
+       x2="174.0289"
+       y2="207.81528"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84420"
+       id="linearGradient84455"
+       x1="234.08092"
+       y1="252.39755"
+       x2="245.88477"
+       y2="251.21777"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84461"
+       id="radialGradient84463"
+       cx="213.19594"
+       cy="223.40646"
+       fx="214.12064"
+       fy="217.34077"
+       r="33.39888"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(2.6813748,0.05304973,-0.0423372,2.1399146,-349.74924,-255.6421)" />
+    <radialGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84469"
+       id="radialGradient84471"
+       cx="207.18298"
+       cy="211.06483"
+       fx="207.18298"
+       fy="211.06483"
+       r="2.77954"
+       gradientTransform="matrix(1.4407627,0.18685239,-0.24637721,1.8997405,-38.989952,-218.98841)"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient84477"
+       id="linearGradient84479"
+       x1="241.60336"
+       y1="255.46982"
+       x2="244.45177"
+       y2="250.4846"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0,10.583333)" />
+  </defs>
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0.0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="1"
+     inkscape:cx="517.27113"
+     inkscape:cy="314.79773"
+     inkscape:document-units="mm"
+     inkscape:current-layer="layer1"
+     inkscape:document-rotation="0"
+     showgrid="false"
+     units="px"
+     inkscape:snap-global="false"
+     inkscape:window-width="2560"
+     inkscape:window-height="1376"
+     inkscape:window-x="0"
+     inkscape:window-y="27"
+     inkscape:window-maximized="1"
+     fit-margin-top="0"
+     fit-margin-left="0"
+     fit-margin-right="0"
+     fit-margin-bottom="0" />
+  <metadata
+     id="metadata5">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-149.15784,-175.92614)">
+    <g
+       id="g84497"
+       style="stroke-width:1.32291663;stroke-miterlimit:4;stroke-dasharray:none"
+       transform="translate(0,10.583333)">
+      <rect
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         id="rect84485"
+         width="31.605196"
+         height="19.16976"
+         x="299.48376"
+         y="87.963303"
+         transform="rotate(30)" />
+      <rect
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         id="rect84487"
+         width="16.725054"
+         height="9.8947001"
+         x="258.07639"
+         y="92.60083"
+         transform="rotate(30)" />
+      <rect
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         id="rect84489"
+         width="4.8383565"
+         height="11.503917"
+         x="253.2236"
+         y="91.796227"
+         transform="rotate(30)" />
+      <rect
+         y="86.859642"
+         x="331.21924"
+         height="21.377089"
+         width="4.521956"
+         id="rect84491"
+         style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+         transform="rotate(30)" />
+    </g>
+    <path
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
+       id="path84483"
+       inkscape:connector-curvature="0" />
+    <path
+       sodipodi:nodetypes="cccccc"
+       inkscape:connector-curvature="0"
+       id="path84481"
+       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
+    <circle
+       style="fill:#ffffff;stroke:#000000;stroke-width:1.32291663;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="path84224"
+       cx="213.64427"
+       cy="234.18927"
+       r="35.482784" />
+    <circle
+       r="33.39888"
+       cy="234.18927"
+       cx="213.64427"
+       id="circle84226"
+       style="fill:url(#radialGradient84463);fill-opacity:1;stroke:none;stroke-width:0.52916664;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84114"
+       width="31.605196"
+       height="19.16976"
+       x="304.77545"
+       y="97.128738"
+       transform="rotate(30)" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84116"
+       width="4.521956"
+       height="21.377089"
+       x="300.27435"
+       y="96.025078"
+       transform="rotate(30)" />
+    <rect
+       y="99.087395"
+       x="283.71848"
+       height="15.252436"
+       width="16.459545"
+       id="rect84118"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       transform="rotate(30)" />
+    <rect
+       y="98.190086"
+       x="280.00021"
+       height="17.047071"
+       width="3.617183"
+       id="rect84120"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       transform="rotate(30)" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84122"
+       width="16.725054"
+       height="9.8947001"
+       x="263.36807"
+       y="101.76627"
+       transform="rotate(30)" />
+    <rect
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       id="rect84124"
+       width="4.8383565"
+       height="11.503917"
+       x="258.51526"
+       y="100.96166"
+       transform="rotate(30)" />
+    <rect
+       y="96.025078"
+       x="336.51093"
+       height="21.377089"
+       width="4.521956"
+       id="rect84126"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       transform="rotate(30)" />
+    <path
+       style="fill:url(#linearGradient84325);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 207.24023,252.71811 25.53907,14.74414 8.52539,-14.76953 -25.53711,-14.74415 z"
+       id="rect84313"
+       inkscape:connector-curvature="0" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84128"
+       d="m 215.3335,241.36799 22.49734,12.98884"
+       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84130"
+       d="m 246.61693,255.0795 -9.11198,15.78242 a 2.6351497,9.1643514 30 0 0 6.60453,-6.7032 2.6351497,9.1643514 30 0 0 2.50745,-9.07922 z"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952" />
+    <path
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 195.97877,212.80238 46.0456,26.61429 -3.50256,6.07342 -46.0456,-26.61429 z"
+       id="path84134"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="ccccc" />
+    <path
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 202.36709,199.05917 26.65552,8.43269 21.69622,19.51455 -8.68507,12.39398 -46.04559,-26.61429 z"
+       id="path84136"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cccccc" />
+    <path
+       style="fill:url(#linearGradient84422);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 186.31445,239.41146 1.30078,0.75 7.46485,-12.92968 -1.30078,-0.75 z"
+       id="rect84410"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84349);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 193.92188,218.48568 44.21289,25.55469 2.44335,-4.23242 -44.21289,-25.55664 z"
+       id="path84284"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84363);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 189.98438,240.4935 12.42187,7.16992 6.56641,-11.375 -12.42188,-7.16992 z"
+       id="rect84351"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84377);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 173.69727,227.99936 12.65234,7.30273 3.88867,-6.73633 -12.65234,-7.30273 z"
+       id="rect84365"
+       inkscape:connector-curvature="0" />
+    <path
+       sodipodi:nodetypes="ccccc"
+       inkscape:connector-curvature="0"
+       id="path84138"
+       d="m 192.47621,218.8758 -11.1013,8.29627 c 0,0 6.16202,4.57403 15.2798,4.67656 9.1178,0.1025 11.46925,-3.93799 11.46925,-3.93799 z"
+       style="fill:#ffffff;fill-rule:evenodd;stroke:#000000;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <ellipse
+       cy="223.01579"
+       cx="207.08998"
+       id="circle84140"
+       style="fill:#ffffff;stroke:#000000;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       rx="3.8395541"
+       ry="3.8438656" />
+    <path
+       style="fill:url(#linearGradient84333);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:round;stroke-dashoffset:5.99999952"
+       d="m 197.35938,212.35287 44.36523,25.64453 7.58984,-10.83203 -20.82617,-18.73242 -25.55078,-8.08399 z"
+       id="path84272"
+       inkscape:connector-curvature="0" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84142"
+       d="m 200.6837,212.37603 11.49279,-6.98413 -8.11935,-2.73742"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
+    <path
+       inkscape:connector-curvature="0"
+       id="path84144"
+       d="m 241.31895,235.3047 -8.04514,-4.75769 10.057,-4.72299"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       sodipodi:nodetypes="ccc" />
+    <path
+       sodipodi:nodetypes="ccc"
+       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.52899998;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 241.06868,235.79543 -8.9307,-5.38071 10.81942,-5.07707"
+       id="path84280"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#2a72ac;stroke-width:0.5291667;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 200.60886,211.70589 10.37702,-6.1817 -7.12581,-2.30459"
+       id="path84290"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="ccc" />
+    <path
+       style="fill:url(#radialGradient84471);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 206.89258,220.23959 -0.29297,0.0352 -0.23633,0.0527 -0.26953,0.0898 -0.2793,0.125 -0.23437,0.13477 -0.20508,0.14648 -0.2207,0.19532 -0.18946,0.20117 -0.006,0.008 0.004,-0.008 -0.006,0.01 -0.008,0.01 -0.004,0.004 -0.006,0.006 -0.12109,0.1582 -0.002,0.004 -0.002,0.002 -0.16406,0.26758 -0.12109,0.24804 -0.0996,0.28125 -0.0645,0.24219 -0.0371,0.26367 -0.0176,0.31641 0.008,0.18164 0.0332,0.28711 0.0527,0.23437 0.004,0.0117 0.0937,0.28516 0.11133,0.24805 0.13086,0.23046 0.16992,0.23829 0.1836,0.20898 0.21093,0.19727 0.19532,0.14843 0.25586,0.15625 0.24218,0.11719 0.26172,0.0977 0.27344,0.0684 0.27344,0.043 0.29297,0.0137 0.18164,-0.008 0.29687,-0.0351 0.24024,-0.0547 0.27539,-0.0898 0.24218,-0.10938 0.25,-0.14453 0.23047,-0.16406 0.20899,-0.1836 0.20508,-0.21875 0.125,-0.16406 0.004,-0.006 0.1582,-0.25781 0.004,-0.008 0.12695,-0.26172 0.0996,-0.27344 0.002,-0.006 0.0586,-0.24023 0.0391,-0.26563 0.0176,-0.3125 -0.008,-0.17968 -0.0332,-0.28711 -0.0527,-0.23438 -0.004,-0.0117 -0.0937,-0.28515 -0.11132,-0.24805 -0.13086,-0.23047 -0.16993,-0.23828 -0.18554,-0.20899 -0.19922,-0.18945 -0.21875,-0.16406 -0.23828,-0.14844 -0.26563,-0.12695 -0.01,-0.004 -0.21875,-0.0801 -0.28516,-0.0723 -0.27344,-0.043 -0.29492,-0.0137 z"
+       id="ellipse84292"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84425);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.79374999;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 183.23633,227.10092 c 5.59753,3.20336 12.36881,4.51528 18.71366,3.17108 1.59516,-0.38 3.17489,-0.99021 4.44874,-2.04739 -0.73893,-0.64617 -1.68301,-0.99544 -2.49844,-1.53493 -3.78032,-2.18293 -7.56064,-4.36587 -11.34096,-6.5488 -3.10767,2.32001 -6.21533,4.64003 -9.323,6.96004 z"
+       id="path84298"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="cccccc" />
+    <path
+       style="fill:url(#linearGradient84479);fill-opacity:1;stroke:none;stroke-width:0.79375005;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 238.62695,269.97787 0.006,-0.002 0.39453,-0.27735 0.41797,-0.34179 0.002,-0.002 0.45703,-0.42382 0.47851,-0.49219 0.0156,-0.0176 0.47656,-0.53711 0.002,-0.002 0.0117,-0.0137 0.48438,-0.5918 0.0117,-0.0156 0.49023,-0.64257 0.01,-0.0137 0.49609,-0.69726 0.48047,-0.71875 0.01,-0.0137 0.46485,-0.74805 0.004,-0.008 0.002,-0.002 0.30468,-0.51562 0.008,-0.0117 0.4375,-0.78711 0.40625,-0.77734 0.008,-0.0137 0.37109,-0.77149 0.008,-0.0156 0.33789,-0.75977 0.006,-0.0156 0.30078,-0.73829 0.27148,-0.74609 0.21289,-0.66602 0.17969,-0.66796 v -0.002 l 0.12305,-0.58203 0.002,-0.0137 0.0723,-0.51562 0.0176,-0.31836 z"
+       id="path84379"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84408);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 202.78906,251.42318 2.08399,1.20118 9.6289,-16.67969 -2.08203,-1.20117 z"
+       id="rect84396"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84441);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 169.0918,226.26889 2.35937,1.36133 4.69336,-8.13086 -2.35937,-1.36133 z"
+       id="rect84429"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:url(#linearGradient84455);fill-opacity:1;stroke:none;stroke-width:0.79374999;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:5.99999952"
+       d="m 234.17188,269.53842 2.08203,1.20312 9.63086,-16.67773 -2.08399,-1.20313 z"
+       id="rect84443"
+       inkscape:connector-curvature="0" />
+    <path
+       style="fill:#ffffff;fill-rule:evenodd;stroke:#f8ead2;stroke-width:0.52916664;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 215.55025,240.82707 22.49734,12.98884"
+       id="path84521"
+       inkscape:connector-curvature="0" />
+  </g>
+</svg>
--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,27 @@
+module github.com/containers/skopeo
+
+go 1.12
+
+require (
+	github.com/containers/buildah v1.13.1 // indirect
+	github.com/containers/common v0.1.4
+	github.com/containers/image/v5 v5.2.1
+	github.com/containers/ocicrypt v0.0.0-20190930154801-b87a4a69c741
+	github.com/containers/storage v1.15.8
+	github.com/docker/docker v1.4.2-0.20191101170500-ac7306503d23
+	github.com/dsnet/compress v0.0.1 // indirect
+	github.com/go-check/check v0.0.0-20180628173108-788fd7840127
+	github.com/opencontainers/go-digest v1.0.0-rc1
+	github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
+	github.com/opencontainers/image-tools v0.0.0-20170926011501-6d941547fa1d
+	github.com/opencontainers/runtime-spec v1.0.0 // indirect
+	github.com/pkg/errors v0.9.1
+	github.com/russross/blackfriday v2.0.0+incompatible // indirect
+	github.com/sirupsen/logrus v1.4.2
+	github.com/stretchr/testify v1.4.0
+	github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
+	github.com/urfave/cli v1.22.1
+	github.com/vbauerster/mpb v3.4.0+incompatible // indirect
+	go4.org v0.0.0-20190218023631-ce4c26f7be8e // indirect
+	gopkg.in/yaml.v2 v2.2.8
+)
--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,593 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/14rcole/gopopulate v0.0.0-20180821133914-b175b219e774 h1:SCbEWT58NSt7d2mcFdvxC9uyrdcTfvBbPLThhkDmXzg=
+github.com/14rcole/gopopulate v0.0.0-20180821133914-b175b219e774/go.mod h1:6/0dYRLLXyJjbkIPeeGyoJ/eKOSI0eU6eTlCBYibgd0=
+github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
+github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DataDog/zstd v1.4.0/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
+github.com/Microsoft/go-winio v0.4.12/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
+github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
+github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
+github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 h1:ygIc8M6trr62pF5DucadTWGdEB4mEyvzi0e2nbcmcyA=
+github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
+github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
+github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
+github.com/Microsoft/hcsshim v0.8.7-0.20191101173118-65519b62243c h1:YMP6olTU903X3gxQJckdmiP8/zkSMq4kN3uipsU9XjU=
+github.com/Microsoft/hcsshim v0.8.7-0.20191101173118-65519b62243c/go.mod h1:7xhjOwRV2+0HXGmM0jxaEu+ZiXJFoVZOTfL/dmqbrD8=
+github.com/Microsoft/hcsshim v0.8.7 h1:ptnOoufxGSzauVTsdE+wMYnCWA301PdoN4xg5oRdZpg=
+github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdcM=
+github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA=
+github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8=
+github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/blang/semver v3.5.0+incompatible h1:CGxCgetQ64DKk7rdZ++Vfnb1+ogGNnB17OJKJXD2Cfs=
+github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f h1:tSNMc+rJDfmYntojat8lljbt1mgKNpTxUZJsSzJ9Y1s=
+github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko=
+github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
+github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.3.0 h1:xjvXQWABwS2uiv3TWgQt5Uth60Gu86LTGZXMJkjc7rY=
+github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/continuity v0.0.0-20180216233310-d8fb8589b0e8/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc h1:TP+534wVlf61smEIq1nwLLAjQVEK2EADoW3CX9AuT+8=
+github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
+github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
+github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
+github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
+github.com/containernetworking/cni v0.7.1 h1:fE3r16wpSEyaqY4Z4oFrLMmIGfBYIKpPrHK31EJ9FzE=
+github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/containers/buildah v1.11.5 h1:bVpkaVlvA7G+1mBDAcX6yf7jNZJ/ZrrAHDt4WCx2i8E=
+github.com/containers/buildah v1.11.5/go.mod h1:bfNPqLO8GnI0qMPmI6MHSpQNK+a3TH9syYsRg+iqhRw=
+github.com/containers/buildah v1.11.6 h1:PhlF++LAezRtOKHfKhBlo8DLvpMQIvU/K2VfAhknadE=
+github.com/containers/buildah v1.11.6/go.mod h1:02+o3ZTICaPyP0QcQFoQd07obLMdAecSnFN2kDhcqNo=
+github.com/containers/buildah v1.12.0 h1:bi/8ACl8qobazwfYgNze5y+aRuBIG+R7lMStFbnDOxE=
+github.com/containers/buildah v1.12.0/go.mod h1:yzPuQ/mJTPsfSLCyBPbeaoXgBLanjnf36M2cDzyckMg=
+github.com/containers/buildah v1.13.1 h1:EdhllQxXmOZ56mGFf68AkrpIj9XtEkkGq0WaPWFuGM0=
+github.com/containers/buildah v1.13.1/go.mod h1:U0LcOzSqoYdyQC5L2hMeLbtCDuCCLxmZV1eb+SWY4GA=
+github.com/containers/common v0.0.3 h1:C2Zshb0w720FqPa42MCRuiGfbW0kwbURRwvK1EWIC5I=
+github.com/containers/common v0.0.3/go.mod h1:CaOgMRiwi2JJHISMZ6VPPZhQYFUDRv3YYVss2RqUCMg=
+github.com/containers/common v0.0.7 h1:eKYZLKfJ2d/RNDgecLDFv45cHb4imYzIcrQHx1Y029M=
+github.com/containers/common v0.0.7/go.mod h1:lhWV3MLhO1+KGE2x6v9+K38MxpjXGso+edmpkFnCOqI=
+github.com/containers/common v0.1.4 h1:6tizbvX9BJTnJ0S3pe65Vcu8gJagbm6oFBCmwUIiOE4=
+github.com/containers/common v0.1.4/go.mod h1:ss8uGpUsaDE4DPmaVFOjzKrlgf5eUnSAWL+d/PYGaoM=
+github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
+github.com/containers/image/v5 v5.0.1-0.20191126085826-502848a1358b h1:xUXa/0+KWQY1PAGuvfqXh1U18qTRYvHzhiys/BpZG4c=
+github.com/containers/image/v5 v5.0.1-0.20191126085826-502848a1358b/go.mod h1:NNGElTgKPvARdKeiJIE/IF+ddvHmNwaLPBupsoZI8eI=
+github.com/containers/image/v5 v5.1.0 h1:5FjAvPJniamuNNIQHkh4PnsL+n+xzs6Aonzaz5dqTEo=
+github.com/containers/image/v5 v5.1.0/go.mod h1:BKlMD34WxRo1ruGHHEOrPQP0Qci7SWoPwU6fS7arsCU=
+github.com/containers/image/v5 v5.2.0 h1:DowY5OII5x9Pb6Pt76vnHU79BgG4/jdwhZjeAj2R+t8=
+github.com/containers/image/v5 v5.2.0/go.mod h1:IAub4gDGvXoxaIAdNy4e3FbVTDPVNMv9F0UfVVFbYCU=
+github.com/containers/image/v5 v5.2.1 h1:rQR6QSUneWBoW1bTFpP9EJJTevQFv27YsKYQVJIzg+s=
+github.com/containers/image/v5 v5.2.1/go.mod h1:TfhmLwH+v1/HBVPIWH7diLs8XwcOkP3c7t7JFgqaUEc=
+github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
+github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
+github.com/containers/ocicrypt v0.0.0-20190930154801-b87a4a69c741 h1:8tQkOcednLJtUcZgK7sPglscXtxvMOnFOa6wd09VWLM=
+github.com/containers/ocicrypt v0.0.0-20190930154801-b87a4a69c741/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc=
+github.com/containers/storage v1.13.2/go.mod h1:6D8nK2sU9V7nEmAraINRs88ZEscM5C5DK+8Npp27GeA=
+github.com/containers/storage v1.13.4/go.mod h1:6D8nK2sU9V7nEmAraINRs88ZEscM5C5DK+8Npp27GeA=
+github.com/containers/storage v1.13.5 h1:/SUzGeOP2HDijpF7Yur21Ch6WTZC1BNeZF917CWcp5c=
+github.com/containers/storage v1.13.5/go.mod h1:HELz8Sn+UVbPaUZMI8RvIG9doD4y4z6Gtg4k7xdd2ZY=
+github.com/containers/storage v1.14.0 h1:LbX6WZaDmkXt4DT4xWIg3YXAWd6oA4K9Fi6/KG1xt84=
+github.com/containers/storage v1.14.0/go.mod h1:qGPsti/qC1xxX+xcpHfiTMT+8ThVE2Jf83wFHHqkDAY=
+github.com/containers/storage v1.15.1 h1:yE0lkMG/sIj+dvc/FDGT9KmPi/wXTKGqoLJnNy1tL/c=
+github.com/containers/storage v1.15.1/go.mod h1:6BYP6xBTstj0E9dY6mYFgn3BRBRPRSVqfhAqKIWkGpE=
+github.com/containers/storage v1.15.2 h1:hLgafU4tuyQk/smMkXZfHTS8FtAQsqQvfWCp4bsgjuw=
+github.com/containers/storage v1.15.2/go.mod h1:v0lq/3f+cXH3Y/HiDaFYRR0zilwDve7I4W7U5xQxvF8=
+github.com/containers/storage v1.15.3 h1:+lFSQZnnKUFyUEtguIgdoQLJfWSuYz+j/wg5GxLtsN4=
+github.com/containers/storage v1.15.3/go.mod h1:v0lq/3f+cXH3Y/HiDaFYRR0zilwDve7I4W7U5xQxvF8=
+github.com/containers/storage v1.15.5 h1:dBZx9yRFHod9c8FVaXlVtRqr2cmlAhpl+9rt87cE7J4=
+github.com/containers/storage v1.15.5/go.mod h1:v0lq/3f+cXH3Y/HiDaFYRR0zilwDve7I4W7U5xQxvF8=
+github.com/containers/storage v1.15.8 h1:ef7OfUMTpyq0PIVAhV7qfufEI92gAldk25nItrip+6Q=
+github.com/containers/storage v1.15.8/go.mod h1:zhvjIIl/fR6wt/lgqQAC+xanHQ+8gUQ0GBVeXYN81qI=
+github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
+github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f h1:JOrtw2xFKzlg+cbHpyrpLDmnN1HqhBfnX7WDiW7eG2c=
+github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk=
+github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
+github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
+github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v0.0.0-20171019062838-86f080cff091/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v0.0.0-20180522102801-da99009bbb11/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v1.4.2-0.20191101170500-ac7306503d23 h1:oqgGT9O61YAYvI41EBsLePOr+LE6roB0xY4gpkZuFSE=
+github.com/docker/docker v1.4.2-0.20191101170500-ac7306503d23/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.6.0/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
+github.com/docker/docker-credential-helpers v0.6.1 h1:Dq4iIfcM7cNtddhLVWe9h4QDjsi4OER3Z8voPu/I52g=
+github.com/docker/docker-credential-helpers v0.6.1/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
+github.com/docker/docker-credential-helpers v0.6.3 h1:zI2p9+1NQYdnG6sMU26EX4aVGlqbInSQxQXLvzJ4RPQ=
+github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
+github.com/docker/go-connections v0.0.0-20180212134524-7beb39f0b969/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
+github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
+github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
+github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/libnetwork v0.8.0-dev.2.0.20190625141545-5a177b73e316 h1:moehPjPiGUaWdwgOl92xRyFHJyaqXDHcCyW9M6nmCK4=
+github.com/docker/libnetwork v0.8.0-dev.2.0.20190625141545-5a177b73e316/go.mod h1:93m0aTqz6z+g32wla4l4WxTrdtvBRmVzYRkYvasA5Z8=
+github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
+github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
+github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
+github.com/dsnet/compress v0.0.1 h1:PlZu0n3Tuv04TzpfPbrnI0HW/YwodEXDS+oPKahKF0Q=
+github.com/dsnet/compress v0.0.1/go.mod h1:Aw8dCMJ7RioblQeTqt88akK31OvO8Dhf5JflhBbQEHo=
+github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/etcd-io/bbolt v1.3.3 h1:gSJmxrs37LgTqR/oyJBWok6k6SvXEUerFTbltIhXkBM=
+github.com/etcd-io/bbolt v1.3.3/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw=
+github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsouza/go-dockerclient v1.6.0 h1:f7j+AX94143JL1H3TiqSMkM4EcLDI0De1qD4GGn3Hig=
+github.com/fsouza/go-dockerclient v1.6.0/go.mod h1:YWwtNPuL4XTX1SKJQk86cWPmmqwx+4np9qfPbb+znGc=
+github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU=
+github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
+github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/ghodss/yaml v0.0.0-20161207003320-04f313413ffd/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-check/check v0.0.0-20180628173108-788fd7840127 h1:0gkP6mzaMqkmpcJYCFOLkIBwI7xFExG03bbkOkCvUPI=
+github.com/go-check/check v0.0.0-20180628173108-788fd7840127/go.mod h1:9ES+weclKsC9YodN5RgxqK/VD9HM9JsCSh7rNhMZE98=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
+github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
+github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
+github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
+github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8=
+github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
+github.com/gogo/protobuf v0.0.0-20170815085658-fcdc5011193f/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gnostic v0.0.0-20170426233943-68f4ded48ba9/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/gorilla/mux v0.0.0-20170217192616-94e7d24fd285/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
+github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
+github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
+github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
+github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/ishidawataru/sctp v0.0.0-20180918013207-6e2cb1366111 h1:NAAiV9ass6VReWFjuxqrMIq12WKlSULI6Gs3PxQghLA=
+github.com/ishidawataru/sctp v0.0.0-20180918013207-6e2cb1366111/go.mod h1:DM4VvS+hD/kDi1U1QsX2fnZowwBhqD0Dk3bRPKF/Oc8=
+github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.7.2/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.8.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.9.2 h1:LfVyl+ZlLlLDeQ/d2AqfGIIH4qEDu0Ed2S5GyhCWIWY=
+github.com/klauspost/compress v1.9.2/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.9.3 h1:hkFELABwacUEgBfiguNeQydKv3M9pawBq8o24Ypw9+M=
+github.com/klauspost/compress v1.9.3/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.9.4 h1:xhvAeUPQ2drNUhKtrGdTGNvV9nNafHMUkRyLkzxJoB4=
+github.com/klauspost/compress v1.9.4/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.9.8 h1:VMAMUUOh+gaxKTMk+zqbjsSjsIcUcL/LF4o63i82QyA=
+github.com/klauspost/compress v1.9.8/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/klauspost/cpuid v1.2.1 h1:vJi+O/nMdFt0vqm8NZBI6wzALWdA2X+egi0ogNyrC/w=
+github.com/klauspost/cpuid v1.2.1/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/klauspost/pgzip v1.2.1 h1:oIPZROsWuPHpOdMVWLuJZXwgjhrW8r1yEX8UqMyeNHM=
+github.com/klauspost/pgzip v1.2.1/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lumjjb/image/v5 v5.0.0-20191125184705-a298da5c535d h1:H050B1puFO2G3eZP0is6JjpH7OZf2A+2QmtqpTk4Gd0=
+github.com/lumjjb/image/v5 v5.0.0-20191125184705-a298da5c535d/go.mod h1:NNGElTgKPvARdKeiJIE/IF+ddvHmNwaLPBupsoZI8eI=
+github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
+github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=
+github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-shellwords v1.0.5/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
+github.com/mattn/go-shellwords v1.0.6 h1:9Jok5pILi5S1MnDirGVTufYGtksUs/V2BWUP3ZkeUUI=
+github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
+github.com/mattn/go-shellwords v1.0.9 h1:eaB5JspOwiKKcHdqcjbfe5lA9cNn/4NRRtddXJCimqk=
+github.com/mattn/go-shellwords v1.0.9/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
+github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mistifyio/go-zfs v2.1.1+incompatible h1:gAMO1HM9xBRONLHHYnu5iFsOJUiJdNZo6oqSENd4eW8=
+github.com/mistifyio/go-zfs v2.1.1+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c h1:xa+eQWKuJ9MbB9FBL/eoNvDFvveAkz2LQoz8PzX7Q/4=
+github.com/mtrmac/gpgme v0.0.0-20170102180018-b2432428689c/go.mod h1:GhAqVMEWnTcW2dxoD/SO3n2enrgWl3y6Dnx4m59GvcA=
+github.com/mtrmac/gpgme v0.1.1 h1:a5ISnvahzTzBH0m/klhehN68N+9+/jLwhpPFtH3oPAQ=
+github.com/mtrmac/gpgme v0.1.1/go.mod h1:GYYHnGSuS7HK3zVS2n3y73y0okK/BeKzwnn5jgiVFNI=
+github.com/mtrmac/gpgme v0.1.2 h1:dNOmvYmsrakgW7LcgiprD0yfRuQQe8/C8F6Z+zogO3s=
+github.com/mtrmac/gpgme v0.1.2/go.mod h1:GYYHnGSuS7HK3zVS2n3y73y0okK/BeKzwnn5jgiVFNI=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
+github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
+github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ=
+github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
+github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 h1:yN8BPXVwMBAm3Cuvh1L5XE8XpvYRMdsVLd82ILprhUU=
+github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/image-tools v0.0.0-20170926011501-6d941547fa1d h1:X9WSFjjZNqYRqO2MenUgqE2nj/oydcfIzXJ0R/SVnnA=
+github.com/opencontainers/image-tools v0.0.0-20170926011501-6d941547fa1d/go.mod h1:A9btVpZLzttF4iFaKNychhPyrhfOjJ1OF5KrA8GcLj4=
+github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc8/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc8.0.20190827142921-dd075602f158 h1:/A6bAdnSZoTQmKml3MdHAnSEPnBAQeigNBl4sxnfaaQ=
+github.com/opencontainers/runc v1.0.0-rc8.0.20190827142921-dd075602f158/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runc v1.0.0-rc9 h1:/k06BMULKF5hidyoZymkoDCzdJzltZpz/UU4LguQVtc=
+github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.0 h1:O6L965K88AilqnxeYPks/75HLpp4IG+FjeSCI3cVdRg=
+github.com/opencontainers/runtime-spec v1.0.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
+github.com/opencontainers/runtime-tools v0.9.0 h1:FYgwVsKRI/H9hU32MJ/4MLOzXWodKK5zsQavY8NPMkU=
+github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
+github.com/opencontainers/selinux v1.2.2/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
+github.com/opencontainers/selinux v1.3.0 h1:xsI95WzPZu5exzA6JzkLSfdr/DilzOhCJOqGe5TgR0g=
+github.com/opencontainers/selinux v1.3.0/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
+github.com/opencontainers/selinux v1.3.1 h1:dn2Rc3wTEvTB6iVqoFrKKeMb0uZ38ZheeyMu2h5C1TI=
+github.com/opencontainers/selinux v1.3.1/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g=
+github.com/openshift/api v0.0.0-20200106203948-7ab22a2c8316/go.mod h1:dv+J0b/HWai0QnMVb37/H0v36klkLBi2TNpPeWDxX10=
+github.com/openshift/api v3.9.1-0.20190810003144-27fb16909b15+incompatible h1:s55wx8JIG/CKnewev892HifTBrtKzMdvgB3rm4rxC2s=
+github.com/openshift/api v3.9.1-0.20190810003144-27fb16909b15+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY=
+github.com/openshift/imagebuilder v1.1.1 h1:KAUR31p8UBJdfVO42azWgb+LeMAed2zaKQ19e0C0X2I=
+github.com/openshift/imagebuilder v1.1.1/go.mod h1:9aJRczxCH0mvT6XQ+5STAQaPWz7OsWcU5/mRkt8IWeo=
+github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913 h1:TnbXhKzrTOyuvWrjI8W6pcoI9XPbLHFXCdN2dtUw7Rw=
+github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.0 h1:J8lpUdobwIeCI7OiSxHqEwJUKvJwicL5+3v1oe2Yb4k=
+github.com/pkg/errors v0.9.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/ffjson v0.0.0-20181028064349-e517b90714f7/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M=
+github.com/pquerna/ffjson v0.0.0-20190813045741-dac163c6c0a9 h1:kyf9snWXHvQc+yxE9imhdI8YAm4oKeZISlaAR+x73zs=
+github.com/pquerna/ffjson v0.0.0-20190813045741-dac163c6c0a9/go.mod h1:YARuvh7BUWHNhzDq2OM5tzR2RiCcN2D7sapiKyCel/M=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
+github.com/prometheus/client_golang v1.1.0 h1:BQ53HtBmfOitExawJ6LokA4x8ov/z0SYYb0+HxJfRI8=
+github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.6.0 h1:kRhiuYSXR3+uv2IbVbZhUxK5zVD/2pp3Gd2PpvPkpEo=
+github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.3 h1:CTwfnzjQ+8dS6MhHHu4YswVAD99sL2wjPqP+VkURmKE=
+github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
+github.com/prometheus/procfs v0.0.5 h1:3+auTFlqw+ZaQYJARz6ArODtkaIwtvBTx3N2NehQlL8=
+github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
+github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
+github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/russross/blackfriday v2.0.0+incompatible h1:cBXrhZNUf9C+La9/YpS+UHpUT8YD6Td9ZMSU9APFcsk=
+github.com/russross/blackfriday v2.0.0+incompatible/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/seccomp/containers-golang v0.0.0-20180629143253-cdfdaa7543f4 h1:rOG9oHVIndNR14f3HRyBy9UPQYmIPniWqTU1TDdHhq4=
+github.com/seccomp/containers-golang v0.0.0-20180629143253-cdfdaa7543f4/go.mod h1:f/98/SnvAzhAEFQJ3u836FePXvcbE8BS0YGMQNn4mhA=
+github.com/seccomp/libseccomp-golang v0.9.1 h1:NJjM5DNFOs0s3kYE1WUOr6G8V97sdt46rlXTMfXGWBo=
+github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
+github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/tchap/go-patricia v2.3.0+incompatible h1:GkY4dP3cEfEASBPPkWd+AmjYxhmDkqO9/zg7R0lSQRs=
+github.com/tchap/go-patricia v2.3.0+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
+github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
+github.com/ulikunitz/xz v0.5.6 h1:jGHAfXawEGZQ3blwU5wnWKQJvAraT7Ftq9EXjnXYgt8=
+github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
+github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY=
+github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/vbatts/tar-split v0.11.1 h1:0Odu65rhcZ3JZaPHxl7tCI3V/C/Q9Zf82UFravl02dE=
+github.com/vbatts/tar-split v0.11.1/go.mod h1:LEuURwDEiWjRjwu46yU3KVGuUdVv/dcnpcEPSzR8z6g=
+github.com/vbauerster/mpb v3.4.0+incompatible h1:mfiiYw87ARaeRW6x5gWwYRUawxaW1tLAD8IceomUCNw=
+github.com/vbauerster/mpb v3.4.0+incompatible/go.mod h1:zAHG26FUhVKETRu+MWqYXcI70POlC6N8up9p1dID7SU=
+github.com/vbauerster/mpb/v4 v4.11.1 h1:ZOYQSVHgmeanXsbyC44aDg76tBGCS/54Rk8VkL8dJGA=
+github.com/vbauerster/mpb/v4 v4.11.1/go.mod h1:vMLa1J/ZKC83G2lB/52XpqT+ZZtFG4aZOdKhmpRL1uM=
+github.com/vbauerster/mpb/v4 v4.11.2 h1:ynkUoKzi65DZ1UsQPx7sgi/KN6G9f7br+Us2nKm35AM=
+github.com/vbauerster/mpb/v4 v4.11.2/go.mod h1:jIuIRCltGJUnm6DCyPVkwjlLUk4nHTH+m4eD14CdFF0=
+github.com/vishvananda/netlink v1.0.0/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
+github.com/vishvananda/netns v0.0.0-20190625233234-7109fa855b0f/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b h1:6cLsL+2FW6dRAdl5iMtHgRogVCff0QpRi9653YmdcJA=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
+github.com/xeipuuv/gojsonschema v0.0.0-20190816131739-be0936907f66/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg=
+github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+go.etcd.io/bbolt v1.3.3 h1:MUGmc65QhB3pIlaQ5bB4LwqSj6GIonVJXpZiaKNyaKk=
+go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.opencensus.io v0.22.0 h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go4.org v0.0.0-20190218023631-ce4c26f7be8e h1:m9LfARr2VIOW0vsV19kEKp/sWQvZnGobA8JHui/XJoY=
+go4.org v0.0.0-20190218023631-ce4c26f7be8e/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190927123631-a832865fa7ad h1:5E5raQxcv+6CZ11RrBYQe5WRbUIWpScjh0kvHZkZIrQ=
+golang.org/x/crypto v0.0.0-20190927123631-a832865fa7ad/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708 h1:pXVtWnwHkrWD9ru3sDxY/qFK/bfc0egRovX91EjWjf4=
+golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7 h1:rTIdg5QFRR7XCaK4LCjBiPbx8j4DQRpdYMnGn/bJUEU=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190902133755-9109b7679e13 h1:tdsQdquKbTNMsSZLqnLELJGzCANp9oXhu6zFBW6ODx4=
+golang.org/x/sys v0.0.0-20190902133755-9109b7679e13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3 h1:7TYNF4UdlohbFwpNH04CoPMp1cHUZgO1Ebq5r2hIjfo=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191113165036-4c7a9d0fe056/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2 h1:/J2nHFg1MTqaRLFO7M+J78ASNsJoz3r0cvHBPQ77fsE=
+golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0 h1:xQwXv67TxFo9nC1GJFyab5eq/5B590r6RlnL/G8Sz7w=
+golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180810170437-e96c4e24768d/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0=
+gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
+gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb h1:i1Ppqkc3WQXikh8bXiwHqAN5Rv3/qDCcRk0/Otx73BY=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.24.0 h1:vb/1TCsVn3DcJlQ0Gs1yB1pKI6Do2/QNwxdKqmc/b0s=
+google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.0 h1:3zYtXIO92bvsdS3ggAdA8Gb4Azj0YU+TVY1uGYNFA8o=
+gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4=
+gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
+gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gotest.tools v0.0.0-20190624233834-05ebafbffc79/go.mod h1:R//lfYlUuTOTfblYI3lGoAAAebUdzjvbmQsuB7Ykd90=
+gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.0.0-20190813020757-36bff7324fb7 h1:4uJOjRn9kWq4AqJRE8+qzmAy+lJd9rh8TY455dNef4U=
+k8s.io/api v0.0.0-20190813020757-36bff7324fb7/go.mod h1:3Iy+myeAORNCLgjd/Xu9ebwN7Vh59Bw0vh9jhoX+V58=
+k8s.io/api v0.17.0 h1:H9d/lw+VkZKEVIUc8F3wgiQ+FUXTTr21M87jXLU7yqM=
+k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI=
+k8s.io/apimachinery v0.0.0-20190809020650-423f5d784010 h1:pyoq062NftC1y/OcnbSvgolyZDJ8y4fmUPWMkdA6gfU=
+k8s.io/apimachinery v0.0.0-20190809020650-423f5d784010/go.mod h1:Waf/xTS2FGRrgXCkO5FP3XxTOWh0qLf2QhL1qFZZ/R8=
+k8s.io/apimachinery v0.17.0 h1:xRBnuie9rXcPxUkDizUsGvPf1cnlZCFu210op7J7LJo=
+k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
+k8s.io/client-go v0.0.0-20170217214107-bcde30fb7eae/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
+k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083 h1:+Qf/nITucAbm09aIdxvoA+7X0BwaXmQGVoR8k7Ynk9o=
+k8s.io/client-go v0.0.0-20181219152756-3dd551c0f083/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
+k8s.io/code-generator v0.17.0/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s=
+k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.1 h1:RVgyDHY/kFKtLqh67NvEWIgkMneNoIrdkN0CxDSQc68=
+k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
+k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/kube-openapi v0.0.0-20190709113604-33be087ad058/go.mod h1:nfDlWeOsu3pUf4yWGL+ERqohP4YsZcBJXWMK+gkzOA4=
+k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
+modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
+modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk=
+modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k=
+modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs=
+modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I=
+sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
--- a/hack/.vendor-helpers.sh
+++ b/hack/.vendor-helpers.sh
@@ -1,115 +0,0 @@
-#!/usr/bin/env bash
-
-PROJECT=github.com/projectatomic/skopeo
-
-# Downloads dependencies into vendor/ directory
-mkdir -p vendor
-
-original_GOPATH=$GOPATH
-export GOPATH="${PWD}/vendor:$GOPATH"
-
-find="/usr/bin/find"
-
-clone() {
-	local delete_vendor=true
-	if [ "x$1" = x--keep-vendor ]; then
-		delete_vendor=false
-		shift
-	fi
-
-	local vcs="$1"
-	local pkg="$2"
-	local rev="$3"
-	local url="$4"
-
-	: ${url:=https://$pkg}
-	local target="vendor/src/$pkg"
-
-	echo -n "$pkg @ $rev: "
-
-	if [ -d "$target" ]; then
-		echo -n 'rm old, '
-		rm -rf "$target"
-	fi
-
-	echo -n 'clone, '
-	case "$vcs" in
-		git)
-			git clone --quiet --no-checkout "$url" "$target"
-			( cd "$target" && git checkout --quiet "$rev" && git reset --quiet --hard "$rev" )
-			;;
-		hg)
-			hg clone --quiet --updaterev "$rev" "$url" "$target"
-			;;
-	esac
-
-	echo -n 'rm VCS, '
-	( cd "$target" && rm -rf .{git,hg} )
-
-	if $delete_vendor; then
-		echo -n 'rm vendor, '
-		( cd "$target" && rm -rf vendor Godeps/_workspace )
-	fi
-
-	echo done
-}
-
-clean() {
-	# If $GOPATH starts with ./vendor, (go list) shows the short-form import paths for packages inside ./vendor.
-	# So, reset GOPATH to the external value (without ./vendor), so that the grep -v works.
-	local packages=($(GOPATH=$original_GOPATH go list -e ./... | grep -v "^${PROJECT}/vendor"))
-	local platforms=( linux/amd64 linux/386 )
-
-	local buildTags=(  )
-
-	echo
-
-	echo -n 'collecting import graph, '
-	local IFS=$'\n'
-	local imports=( $(
-		for platform in "${platforms[@]}"; do
-			export GOOS="${platform%/*}";
-			export GOARCH="${platform##*/}";
-			go list -e -tags "$buildTags" -f '{{join .Deps "\n"}}' "${packages[@]}"
-			go list -e -tags "$buildTags" -f '{{join .TestImports "\n"}}' "${packages[@]}"
-		done | grep -vE "^${PROJECT}" | sort -u
-	) )
-	# .TestImports does not include indirect dependencies, so do one more iteration.
-	imports+=( $(
-		go list -e -f '{{join .Deps "\n"}}' "${imports[@]}" | grep -vE "^${PROJECT}" | sort -u
-	) )
-	imports=( $(go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' "${imports[@]}") )
-	unset IFS
-
-	echo -n 'pruning unused packages, '
-	findArgs=(
-		# This directory contains only .c and .h files which are necessary
-		# -path vendor/src/github.com/mattn/go-sqlite3/code
-	)
-	for import in "${imports[@]}"; do
-		[ "${#findArgs[@]}" -eq 0 ] || findArgs+=( -or )
-		findArgs+=( -path "vendor/src/$import" )
-	done
-	local IFS=$'\n'
-	local prune=( $($find vendor -depth -type d -not '(' "${findArgs[@]}" ')') )
-	unset IFS
-	for dir in "${prune[@]}"; do
-		$find "$dir" -maxdepth 1 -not -type d -not -name 'LICENSE*' -not -name 'COPYING*' -exec rm -v -f '{}' ';'
-		rmdir "$dir" 2>/dev/null || true
-	done
-
-	echo -n 'pruning unused files, '
-	$find vendor -type f -name '*_test.go' -exec rm -v '{}' ';'
-
-	echo done
-}
-
-# Fix up hard-coded imports that refer to Godeps paths so they'll work with our vendoring
-fix_rewritten_imports () {
-       local pkg="$1"
-       local remove="${pkg}/Godeps/_workspace/src/"
-       local target="vendor/src/$pkg"
-
-       echo "$pkg: fixing rewritten imports"
-       $find "$target" -name \*.go -exec sed -i -e "s|\"${remove}|\"|g" {} \;
-}
--- a/hack/btrfs_installed_tag.sh
+++ b/hack/btrfs_installed_tag.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+cc -E - > /dev/null 2> /dev/null << EOF
+#include <btrfs/ioctl.h>
+EOF
+if test $? -ne 0 ; then
+	echo exclude_graphdriver_btrfs
+fi
--- a/hack/btrfs_tag.sh
+++ b/hack/btrfs_tag.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+cc -E - > /dev/null 2> /dev/null << EOF
+#include <btrfs/version.h>
+EOF
+if test $? -ne 0 ; then
+	echo btrfs_noversion
+fi
--- a/hack/libdm_tag.sh
+++ b/hack/libdm_tag.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+tmpdir="$PWD/tmp.$RANDOM"
+mkdir -p "$tmpdir"
+trap 'rm -fr "$tmpdir"' EXIT
+cc -c -o "$tmpdir"/libdm_tag.o -x c - > /dev/null 2> /dev/null << EOF
+#include <libdevmapper.h>
+int main() {
+	struct dm_task *task;
+	return 0;
+}
+EOF
+if test $? -ne 0 ; then
+	echo libdm_no_deferred_remove
+fi
--- a/hack/make.sh
+++ b/hack/make.sh
@@ -6,7 +6,7 @@ set -e
 #
 # Requirements:
 # - The current directory should be a checkout of the skopeo source code
-#   (https://github.com/projectatomic/skopeo). Whatever version is checked out
+#   (https://github.com/containers/skopeo). Whatever version is checked out
 #   will be built.
 # - The script is intended to be run inside the docker container specified
 #   in the Dockerfile at the root of the source. In other words:
@@ -19,7 +19,7 @@ set -e

 set -o pipefail

-export SKOPEO_PKG='github.com/projectatomic/skopeo'
+export SKOPEO_PKG='github.com/containers/skopeo'
 export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export MAKEDIR="$SCRIPTDIR/make"

@@ -57,7 +57,15 @@ DEFAULT_BUNDLES=(
 	test-integration
 )

-TESTFLAGS+=" -test.timeout=10m"
+TESTFLAGS+=" -test.timeout=15m"
+
+# Go module support: set `-mod=vendor` to use the vendored sources
+# See also the top-level Makefile.
+mod_vendor=
+if go help mod >/dev/null 2>&1; then
+  export GO111MODULE=on
+  mod_vendor='-mod=vendor'
+fi

 # If $TESTFLAGS is set in the environment, it is passed as extra arguments to 'go test'.
 # You can use this to select certain tests to run, eg.
@@ -72,10 +80,10 @@ TESTFLAGS+=" -test.timeout=10m"
 go_test_dir() {
 	dir=$1
 	(
-		echo '+ go test' $TESTFLAGS "${SKOPEO_PKG}${dir#.}"
+		echo '+ go test' $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"} "${SKOPEO_PKG}${dir#.}"
 		cd "$dir"
 		export DEST="$ABS_DEST" # we're in a subshell, so this is safe -- our integration-cli tests need DEST, and "cd" screws it up
-		go test $TESTFLAGS
+		go test $mod_vendor $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
 	)
 }

--- a/hack/make/.validate
+++ b/hack/make/.validate
@@ -4,7 +4,7 @@ if [ -z "$VALIDATE_UPSTREAM" ]; then
 	# this is kind of an expensive check, so let's not do this twice if we
 	# are running more than one validate bundlescript
 	
-	VALIDATE_REPO='https://github.com/projectatomic/skopeo.git'
+	VALIDATE_REPO='https://github.com/containers/skopeo.git'
 	VALIDATE_BRANCH='master'
 	
 	if [ "$TRAVIS" = 'true' -a "$TRAVIS_PULL_REQUEST" != 'false' ]; then
--- a/hack/make/test-integration
+++ b/hack/make/test-integration
@@ -8,8 +8,7 @@ bundle_test_integration() {

 # subshell so that we can export PATH without breaking other things
 (
-	make binary
-	make install-binary
-	export GO15VENDOREXPERIMENT=1
+	make binary-local ${BUILDTAGS:+BUILDTAGS="$BUILDTAGS"}
+	make install
 	bundle_test_integration
 ) 2>&1
--- a/hack/make/test-system
+++ b/hack/make/test-system
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+# Before running podman for the first time, make sure
+# to set storage to vfs (not overlay): podman-in-podman
+# doesn't work with overlay. And, disable mountopt,
+# which causes error with vfs.
+sed -i \
+    -e 's/^driver\s*=.*/driver = "vfs"/' \
+    -e 's/^mountopt/#mountopt/' \
+    /etc/containers/storage.conf
+
+# Build skopeo, install into /usr/bin
+make binary-local ${BUILDTAGS:+BUILDTAGS="$BUILDTAGS"}
+make install
+
+# Run tests
+SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest
--- a/hack/make/validate-vet
+++ b/hack/make/validate-vet
@@ -1,28 +1,13 @@
 #!/bin/bash

-source "$(dirname "$BASH_SOURCE")/.validate"
+errors=$(go vet $mod_vendor $(go list $mod_vendor -e ./...))

-IFS=$'\n'
-files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
-unset IFS
-
-errors=()
-for f in "${files[@]}"; do
-	failedVet=$(go vet "$f")
-	if [ "$failedVet" ]; then
-		errors+=( "$failedVet" )
-	fi
-done
-
-
-if [ ${#errors[@]} -eq 0 ]; then
+if [ -z "$errors" ]; then
 	echo 'Congratulations!  All Go source files have been vetted.'
 else
 	{
 		echo "Errors from go vet:"
-		for err in "${errors[@]}"; do
-			echo " - $err"
-		done
+		echo "$errors"
 		echo
 		echo 'Please fix the above errors. You can test via "go vet" and commit the result.'
 		echo
--- a/hack/travis_osx.sh
+++ b/hack/travis_osx.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -e
+
+export GOPATH=$(pwd)/_gopath
+export PATH=$GOPATH/bin:$PATH
+
+_containers="${GOPATH}/src/github.com/containers"
+mkdir -vp ${_containers}
+ln -vsf $(pwd) ${_containers}/skopeo
+
+go version
+GO111MODULE=off go get -u github.com/cpuguy83/go-md2man golang.org/x/lint/golint
+
+cd ${_containers}/skopeo
+make validate-local test-unit-local binary-local
+sudo make install
+skopeo -v
--- a/hack/tree_status.sh
+++ b/hack/tree_status.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+STATUS=$(git status --porcelain)
+if [[ -z $STATUS ]]
+then
+	echo "tree is clean"
+else
+	echo "tree is dirty, please commit all changes and sync the vendor.conf"
+	echo ""
+	echo "$STATUS"
+	exit 1
+fi
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-cd "$(dirname "$BASH_SOURCE")/.."
-rm -rf vendor/
-source 'hack/.vendor-helpers.sh'
-
-clone git github.com/codegangsta/cli v1.2.0
-clone git github.com/Sirupsen/logrus v0.10.0
-clone git github.com/go-check/check v1
-clone git github.com/stretchr/testify v1.1.3
-clone git github.com/davecgh/go-spew master
-clone git github.com/pmezard/go-difflib master
-clone git github.com/docker/docker 0f5c9d301b9b1cca66b3ea0f9dec3b5317d3686d
-clone git github.com/docker/distribution master
-clone git github.com/docker/libtrust master
-clone git github.com/opencontainers/runc master
-clone git github.com/mtrmac/gpgme master
-# openshift/origin' k8s dependencies as of OpenShift v1.1.5
-clone git github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed
-clone git k8s.io/kubernetes 4a3f9c5b19c7ff804cbc1bf37a15c044ca5d2353 https://github.com/openshift/kubernetes
-clone git github.com/ghodss/yaml 73d445a93680fa1a78ae23a5839bad48f32ba1ee
-clone git gopkg.in/yaml.v2 d466437aa4adc35830964cffc5b5f262c63ddcb4
-clone git github.com/imdario/mergo 6633656539c1639d9d78127b7d47c622b5d7b6dc
-
-clean
-
-mv vendor/src/* vendor/
--- a/integration/blocked_test.go
+++ b/integration/blocked_test.go
@@ -0,0 +1,34 @@
+package main
+
+import (
+	"github.com/go-check/check"
+)
+
+const blockedRegistriesConf = "./fixtures/blocked-registries.conf"
+const blockedErrorRegex = `.*registry registry-blocked.com is blocked in .*`
+
+func (s *SkopeoSuite) TestCopyBlockedSource(c *check.C) {
+	assertSkopeoFails(c, blockedErrorRegex,
+		"--registries-conf", blockedRegistriesConf, "copy",
+		"docker://registry-blocked.com/image:test",
+		"docker://registry-unblocked.com/image:test")
+}
+
+func (s *SkopeoSuite) TestCopyBlockedDestination(c *check.C) {
+	assertSkopeoFails(c, blockedErrorRegex,
+		"--registries-conf", blockedRegistriesConf, "copy",
+		"docker://registry-unblocked.com/image:test",
+		"docker://registry-blocked.com/image:test")
+}
+
+func (s *SkopeoSuite) TestInspectBlocked(c *check.C) {
+	assertSkopeoFails(c, blockedErrorRegex,
+		"--registries-conf", blockedRegistriesConf, "inspect",
+		"docker://registry-blocked.com/image:test")
+}
+
+func (s *SkopeoSuite) TestDeleteBlocked(c *check.C) {
+	assertSkopeoFails(c, blockedErrorRegex,
+		"--registries-conf", blockedRegistriesConf, "delete",
+		"docker://registry-blocked.com/image:test")
+}
--- a/integration/check_test.go
+++ b/integration/check_test.go
@@ -3,20 +3,15 @@ package main
 import (
 	"fmt"
 	"os/exec"
-	"strings"
 	"testing"

+	"github.com/containers/skopeo/version"
 	"github.com/go-check/check"
 )

 const (
 	privateRegistryURL0 = "127.0.0.1:5000"
 	privateRegistryURL1 = "127.0.0.1:5001"
-	privateRegistryURL2 = "127.0.0.1:5002"
-	privateRegistryURL3 = "127.0.0.1:5003"
-	privateRegistryURL4 = "127.0.0.1:5004"
-
-	skopeoBinary = "skopeo"
 )

 func Test(t *testing.T) {
@@ -28,15 +23,13 @@ func init() {
 }

 type SkopeoSuite struct {
-	regV1         *testRegistryV1
 	regV2         *testRegistryV2
-	regV2Shema1   *testRegistryV2
-	regV1WithAuth *testRegistryV1 // does v1 support auth?
 	regV2WithAuth *testRegistryV2
 }

 func (s *SkopeoSuite) SetUpSuite(c *check.C) {
-
+	_, err := exec.LookPath(skopeoBinary)
+	c.Assert(err, check.IsNil)
 }

 func (s *SkopeoSuite) TearDownSuite(c *check.C) {
@@ -44,24 +37,14 @@ func (s *SkopeoSuite) TearDownSuite(c *check.C) {
 }

 func (s *SkopeoSuite) SetUpTest(c *check.C) {
-	_, err := exec.LookPath(skopeoBinary)
-	c.Assert(err, check.IsNil)
-
-	s.regV1 = setupRegistryV1At(c, privateRegistryURL0, false) // TODO:(runcom)
-	s.regV2 = setupRegistryV2At(c, privateRegistryURL1, false, false)
-	s.regV2Shema1 = setupRegistryV2At(c, privateRegistryURL2, false, true)
-	s.regV1WithAuth = setupRegistryV1At(c, privateRegistryURL3, true) // not used
-	s.regV2WithAuth = setupRegistryV2At(c, privateRegistryURL4, true, false)
+	s.regV2 = setupRegistryV2At(c, privateRegistryURL0, false, false)
+	s.regV2WithAuth = setupRegistryV2At(c, privateRegistryURL1, true, false)
 }

 func (s *SkopeoSuite) TearDownTest(c *check.C) {
-	// not checking V1 registries now...
 	if s.regV2 != nil {
 		s.regV2.Close()
 	}
-	if s.regV2Shema1 != nil {
-		s.regV2Shema1.Close()
-	}
 	if s.regV2WithAuth != nil {
 		//cmd := exec.Command("docker", "logout", s.regV2WithAuth)
 		//c.Assert(cmd.Run(), check.IsNil)
@@ -73,51 +56,38 @@ func (s *SkopeoSuite) TearDownTest(c *check.C) {
 //func skopeoCmd()

 func (s *SkopeoSuite) TestVersion(c *check.C) {
-	out, err := exec.Command(skopeoBinary, "--version").CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf(string(out)))
-	wanted := skopeoBinary + " version "
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
+	wanted := fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version)
+	assertSkopeoSucceeds(c, wanted, "--version")
 }

-var (
-	errFetchManifest = "error fetching manifest: status code: %s"
-)
-
 func (s *SkopeoSuite) TestCanAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	// TODO(runcom)
-	c.Skip("we need to restore --username --password flags!")
-	out, err := exec.Command(skopeoBinary, "--docker-cfg=''", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url)).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := fmt.Sprintf(errFetchManifest, "401")
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
+	wanted := ".*manifest unknown: manifest unknown.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", "--creds="+s.regV2WithAuth.username+":"+s.regV2WithAuth.password, fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
 }

 func (s *SkopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
-	// TODO(runcom): mock the empty docker-cfg by removing it in the test itself (?)
-	c.Skip("mock empty docker config")
-	out, err := exec.Command(skopeoBinary, "--docker-cfg=''", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url)).CombinedOutput()
-	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := fmt.Sprintf(errFetchManifest, "401")
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
+	wanted := ".*unauthorized: authentication required.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+}
+
+func (s *SkopeoSuite) TestCertDirInsteadOfCertPath(c *check.C) {
+	wanted := ".*flag provided but not defined: -cert-path.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-path=/")
+	wanted = ".*unauthorized: authentication required.*"
+	assertSkopeoFails(c, wanted, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url), "--cert-dir=/etc/docker/certs.d/")
 }

 // TODO(runcom): as soon as we can push to registries ensure you can inspect here
 // not just get image not found :)
 func (s *SkopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound(c *check.C) {
-	out, err := exec.Command(skopeoBinary, "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2.url)).CombinedOutput()
+	out, err := exec.Command(skopeoBinary, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2.url)).CombinedOutput()
 	c.Assert(err, check.NotNil, check.Commentf(string(out)))
-	wanted := fmt.Sprintf(errFetchManifest, "404")
-	if !strings.Contains(string(out), wanted) {
-		c.Fatalf("wanted %s, got %s", wanted, string(out))
-	}
-	wanted = fmt.Sprintf(errFetchManifest, "401")
-	if strings.Contains(string(out), wanted) {
-		c.Fatalf("not wanted %s, got %s", wanted, string(out))
-	}
+	wanted := ".*manifest unknown.*"
+	c.Assert(string(out), check.Matches, "(?s)"+wanted) // (?s) : '.' will also match newlines
+	wanted = ".*unauthorized: authentication required.*"
+	c.Assert(string(out), check.Not(check.Matches), "(?s)"+wanted) // (?s) : '.' will also match newlines
+}
+
+func (s *SkopeoSuite) TestInspectFailsWhenReferenceIsInvalid(c *check.C) {
+	assertSkopeoFails(c, `.*Invalid image name.*`, "inspect", "unknown")
 }
--- a/integration/copy_test.go
+++ b/integration/copy_test.go
--- a/integration/decompress-dirs.sh
+++ b/integration/decompress-dirs.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -e
+# Account for differences between dir: images that are solely due to one being
+# compressed (fresh from a registry) and the other not being compressed (read
+# from storage, which decompressed it and had to reassemble the layer blobs).
+for dir in "$@" ; do
+    # Updating the manifest's blob digests may change the formatting, so
+    # use jq to get them into similar shape.
+    jq -M . "${dir}"/manifest.json > "${dir}"/manifest.json.tmp && mv "${dir}"/manifest.json.tmp "${dir}"/manifest.json
+    for candidate in "${dir}"/???????????????????????????????????????????????????????????????? ; do
+        # If a digest-identified file looks like it was compressed,
+        # decompress it, and replace its hash and size in the manifest
+        # with the values for their decompressed versions.
+        uncompressed=`zcat "${candidate}" 2> /dev/null | sha256sum | cut -c1-64`
+        if test $? -eq 0 ; then
+            if test "$uncompressed" != e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ; then
+                zcat "${candidate}" > "${dir}"/${uncompressed}
+                sed -r -i -e "s#sha256:$(basename ${candidate})#sha256:${uncompressed}#g" "${dir}"/manifest.json
+                sed -r -i -e "s#\"size\": $(wc -c < ${candidate}),#\"size\": $(wc -c < ${dir}/${uncompressed}),#g" "${dir}"/manifest.json
+                rm -f "${candidate}"
+            fi
+        fi
+    done
+done
--- a/integration/fixtures/blocked-registries.conf
+++ b/integration/fixtures/blocked-registries.conf
@@ -0,0 +1,6 @@
+[[registry]]
+location = "registry-unblocked.com"
+
+[[registry]]
+location = "registry-blocked.com"
+blocked = true
--- a/integration/fixtures/policy.json
+++ b/integration/fixtures/policy.json
@@ -0,0 +1,105 @@
+{
+    "default": [
+        {
+            "type": "reject"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "localhost:5555": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5000/myns/extension": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "docker.io/openshift": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "dir": {
+            "/@dirpath@": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5000/myns/official"
+                    }
+                }
+            ],
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "atomic": {
+            "localhost:5006/myns/personal": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/official": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/naming:test1": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg"
+                }
+            ],
+            "localhost:5006/myns/naming:naming": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5006/myns/official"
+                    }
+                }
+            ],
+            "localhost:5006/myns/cosigned:cosigned": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5006/myns/official"
+                    }
+                },
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5000/myns/extension": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ]
+        }
+    }
+}
--- a/integration/fixtures/registries.conf
+++ b/integration/fixtures/registries.conf
@@ -0,0 +1,28 @@
+[[registry]]
+location = "mirror.invalid"
+mirror = [
+    { location = "mirror-0.invalid" },
+    { location = "mirror-1.invalid" },
+    { location = "gcr.io/google-containers" },
+]
+
+# This entry is currently unused and exists only to ensure
+# that the mirror.invalid/busybox is not rewritten twice.
+[[registry]]
+location = "gcr.io"
+prefix = "gcr.io/google-containers"
+
+[[registry]]
+location = "invalid.invalid"
+mirror = [
+    { location = "invalid-mirror-0.invalid" },
+    { location = "invalid-mirror-1.invalid" },
+]
+
+[[registry]]
+location = "gcr.invalid"
+prefix = "gcr.invalid/foo/bar"
+mirror = [
+    { location = "wrong-mirror-0.invalid" },
+    { location = "gcr.io/google-containers" },
+]
--- a/integration/fixtures/registries.yaml
+++ b/integration/fixtures/registries.yaml
@@ -0,0 +1,6 @@
+docker:
+   localhost:5555:
+        sigstore: file://@sigstore@
+   localhost:5555/public:
+        sigstore-staging: file://@split-staging@
+        sigstore: @split-read@
--- a/integration/fixtures/uncompressed-image-s1/160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710
+++ b/integration/fixtures/uncompressed-image-s1/160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710
--- a/integration/fixtures/uncompressed-image-s1/manifest.json
+++ b/integration/fixtures/uncompressed-image-s1/manifest.json
@@ -0,0 +1,32 @@
+{
+   "schemaVersion": 1,
+   "name": "nonempty",
+   "tag": "nonempty",
+   "architecture": "amd64",
+   "fsLayers": [
+      {
+         "blobSum": "sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"
+      }
+   ],
+   "history": [
+      {
+         "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"59c20544b2f4\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":null,\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"container\":\"59c20544b2f4ad7a8639433bacb1ec215b7dad4a7bf1a83b5ab4679329a46c1d\",\"container_config\":{\"Hostname\":\"59c20544b2f4\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /\"],\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"created\":\"2016-09-19T18:23:54.9949213Z\",\"docker_version\":\"1.10.3\",\"id\":\"4c224eac5061bb85f523ca4e3316618fd7921a80fe94286979667b1edb8e1bdd\",\"os\":\"linux\"}"
+      }
+   ],
+   "signatures": [
+      {
+         "header": {
+            "jwk": {
+               "crv": "P-256",
+               "kid": "DGWZ:GAUM:WCOC:IMDL:D67M:CEI6:YTVH:M2CM:5HX4:FYDD:77OD:D3F7",
+               "kty": "EC",
+               "x": "eprZNqLO9mHZ4Z4GxefucEgov_1gwEi9lehpJR2suRo",
+               "y": "wIr2ucNg32ROfVCkR_8A5VbBJ-mFmsoIUVa6vt8lIxM"
+            },
+            "alg": "ES256"
+         },
+         "signature": "bvTLWW4YVFRjAanN1EJqwQw60fWSWJPxcGO3UZGFI_gyV6ucGdW4x7jyYL6g06sg925s9cy0wN1lw91CCFv4BA",
+         "protected": "eyJmb3JtYXRMZW5ndGgiOjE0ODcsImZvcm1hdFRhaWwiOiJDbjBLIiwidGltZSI6IjIwMTYtMDktMTlUMTg6NDM6MzNaIn0"
+      }
+   ]
+}
--- a/integration/fixtures/uncompressed-image-s2/160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710
+++ b/integration/fixtures/uncompressed-image-s2/160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710
--- a/integration/fixtures/uncompressed-image-s2/86ce150e65c72b30f885c261449d18b7c6832596916e7f654e08377b5a67b4ff
+++ b/integration/fixtures/uncompressed-image-s2/86ce150e65c72b30f885c261449d18b7c6832596916e7f654e08377b5a67b4ff
@@ -0,0 +1 @@
+{"architecture":"amd64","config":{"Hostname":"59c20544b2f4","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"59c20544b2f4ad7a8639433bacb1ec215b7dad4a7bf1a83b5ab4679329a46c1d","container_config":{"Hostname":"59c20544b2f4","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /"],"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"created":"2016-09-19T18:23:54.9949213Z","docker_version":"1.10.3","history":[{"created":"2016-09-19T18:23:54.9949213Z","created_by":"/bin/sh -c #(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /"}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"]}}
--- a/integration/fixtures/uncompressed-image-s2/manifest.json
+++ b/integration/fixtures/uncompressed-image-s2/manifest.json
@@ -0,0 +1,16 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+   "config": {
+      "mediaType": "application/octet-stream",
+      "size": 1272,
+      "digest": "sha256:86ce150e65c72b30f885c261449d18b7c6832596916e7f654e08377b5a67b4ff"
+   },
+   "layers": [
+      {
+         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+         "size": 2048,
+         "digest": "sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"
+      }
+   ]
+}
--- a/integration/openshift.go
+++ b/integration/openshift.go
@@ -0,0 +1,256 @@
+package main
+
+import (
+	"bufio"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/go-check/check"
+)
+
+var adminKUBECONFIG = map[string]string{
+	"KUBECONFIG": "openshift.local.config/master/admin.kubeconfig",
+}
+
+// openshiftCluster is an OpenShift API master and integrated registry
+// running on localhost.
+type openshiftCluster struct {
+	workingDir string
+	dockerDir  string
+	processes  []*exec.Cmd // Processes to terminate on teardown; append to the end, terminate from end to the start.
+}
+
+// startOpenshiftCluster creates a new openshiftCluster.
+// WARNING: This affects state in users' home directory! Only run
+// in isolated test environment.
+func startOpenshiftCluster(c *check.C) *openshiftCluster {
+	cluster := &openshiftCluster{}
+
+	dir, err := ioutil.TempDir("", "openshift-cluster")
+	c.Assert(err, check.IsNil)
+	cluster.workingDir = dir
+
+	cluster.startMaster(c)
+	cluster.prepareRegistryConfig(c)
+	cluster.startRegistry(c)
+	cluster.ocLoginToProject(c)
+	cluster.dockerLogin(c)
+	cluster.relaxImageSignerPermissions(c)
+
+	return cluster
+}
+
+// clusterCmd creates an exec.Cmd in cluster.workingDir with current environment modified by environment
+func (cluster *openshiftCluster) clusterCmd(env map[string]string, name string, args ...string) *exec.Cmd {
+	cmd := exec.Command(name, args...)
+	cmd.Dir = cluster.workingDir
+	cmd.Env = os.Environ()
+	for key, value := range env {
+		cmd.Env = modifyEnviron(cmd.Env, key, value)
+	}
+	return cmd
+}
+
+// startMaster starts the OpenShift master (etcd+API server) and waits for it to be ready, or terminates on failure.
+func (cluster *openshiftCluster) startMaster(c *check.C) {
+	cmd := cluster.clusterCmd(nil, "openshift", "start", "master")
+	cluster.processes = append(cluster.processes, cmd)
+	stdout, err := cmd.StdoutPipe()
+	// Send both to the same pipe. This might cause the two streams to be mixed up,
+	// but logging actually goes only to stderr - this primarily ensure we log any
+	// unexpected output to stdout.
+	cmd.Stderr = cmd.Stdout
+	err = cmd.Start()
+	c.Assert(err, check.IsNil)
+
+	portOpen, terminatePortCheck := newPortChecker(c, 8443)
+	defer func() {
+		c.Logf("Terminating port check")
+		terminatePortCheck <- true
+	}()
+
+	terminateLogCheck := make(chan bool, 1)
+	logCheckFound := make(chan bool)
+	go func() {
+		defer func() {
+			c.Logf("Log checker exiting")
+		}()
+		scanner := bufio.NewScanner(stdout)
+		for scanner.Scan() {
+			line := scanner.Text()
+			c.Logf("Log line: %s", line)
+			if strings.Contains(line, "Started Origin Controllers") {
+				logCheckFound <- true
+				return
+				// FIXME? We stop reading from stdout; could this block the master?
+			}
+			// Note: we can block before we get here.
+			select {
+			case <-terminateLogCheck:
+				c.Logf("terminated")
+				return
+			default:
+				// Do not block here and read the next line.
+			}
+		}
+		logCheckFound <- false
+	}()
+	defer func() {
+		c.Logf("Terminating log check")
+		terminateLogCheck <- true
+	}()
+
+	gotPortCheck := false
+	gotLogCheck := false
+	for !gotPortCheck || !gotLogCheck {
+		c.Logf("Waiting for master")
+		select {
+		case <-portOpen:
+			c.Logf("port check done")
+			gotPortCheck = true
+		case found := <-logCheckFound:
+			c.Logf("log check done, found: %t", found)
+			if !found {
+				c.Fatal("log check done, success message not found")
+			}
+			gotLogCheck = true
+		}
+	}
+	c.Logf("OK, master started!")
+}
+
+// prepareRegistryConfig creates a registry service account and a related k8s client configuration in ${cluster.workingDir}/openshift.local.registry.
+func (cluster *openshiftCluster) prepareRegistryConfig(c *check.C) {
+	// This partially mimics the objects created by (oadm registry), except that we run the
+	// server directly as an ordinary process instead of a pod with an implicitly attached service account.
+	saJSON := `{
+		"apiVersion": "v1",
+		"kind": "ServiceAccount",
+		"metadata": {
+			"name": "registry"
+		}
+	}`
+	cmd := cluster.clusterCmd(adminKUBECONFIG, "oc", "create", "-f", "-")
+	runExecCmdWithInput(c, cmd, saJSON)
+
+	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-user", "system:registry", "-z", "registry")
+	out, err := cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.Assert(string(out), check.Equals, "cluster role \"system:registry\" added: \"registry\"\n")
+
+	cmd = cluster.clusterCmd(adminKUBECONFIG, "oadm", "create-api-client-config", "--client-dir=openshift.local.registry", "--basename=openshift-registry", "--user=system:serviceaccount:default:registry")
+	out, err = cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.Assert(string(out), check.Equals, "")
+}
+
+// startRegistry starts the OpenShift registry with configPart on port, waits for it to be ready, and returns the process object, or terminates on failure.
+func (cluster *openshiftCluster) startRegistryProcess(c *check.C, port int, configPath string) *exec.Cmd {
+	cmd := cluster.clusterCmd(map[string]string{
+		"KUBECONFIG":          "openshift.local.registry/openshift-registry.kubeconfig",
+		"DOCKER_REGISTRY_URL": fmt.Sprintf("127.0.0.1:%d", port),
+	}, "dockerregistry", configPath)
+	consumeAndLogOutputs(c, fmt.Sprintf("registry-%d", port), cmd)
+	err := cmd.Start()
+	c.Assert(err, check.IsNil)
+
+	portOpen, terminatePortCheck := newPortChecker(c, port)
+	defer func() {
+		terminatePortCheck <- true
+	}()
+	c.Logf("Waiting for registry to start")
+	<-portOpen
+	c.Logf("OK, Registry port open")
+
+	return cmd
+}
+
+// startRegistry starts the OpenShift registry and waits for it to be ready, or terminates on failure.
+func (cluster *openshiftCluster) startRegistry(c *check.C) {
+	// Our “primary” registry
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5000, "/atomic-registry-config.yml"))
+
+	// A registry configured with acceptschema2:false
+	schema1Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+		"addr: :5000":              "addr: :5005",
+		"rootdirectory: /registry": "rootdirectory: /registry-schema1",
+		// The default configuration currently already contains acceptschema2: false
+	})
+	// Make sure the configuration contains "acceptschema2: false", because eventually it will be enabled upstream and this function will need to be updated.
+	configContents, err := ioutil.ReadFile(schema1Config)
+	c.Assert(err, check.IsNil)
+	c.Assert(string(configContents), check.Matches, "(?s).*acceptschema2: false.*")
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5005, schema1Config))
+
+	// A registry configured with acceptschema2:true
+	schema2Config := fileFromFixture(c, "/atomic-registry-config.yml", map[string]string{
+		"addr: :5000":              "addr: :5006",
+		"rootdirectory: /registry": "rootdirectory: /registry-schema2",
+		"acceptschema2: false":     "acceptschema2: true",
+	})
+	cluster.processes = append(cluster.processes, cluster.startRegistryProcess(c, 5006, schema2Config))
+}
+
+// ocLogin runs (oc login) and (oc new-project) on the cluster, or terminates on failure.
+func (cluster *openshiftCluster) ocLoginToProject(c *check.C) {
+	c.Logf("oc login")
+	cmd := cluster.clusterCmd(nil, "oc", "login", "--certificate-authority=openshift.local.config/master/ca.crt", "-u", "myuser", "-p", "mypw", "https://localhost:8443")
+	out, err := cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	c.Assert(string(out), check.Matches, "(?s).*Login successful.*") // (?s) : '.' will also match newlines
+
+	outString := combinedOutputOfCommand(c, "oc", "new-project", "myns")
+	c.Assert(outString, check.Matches, `(?s).*Now using project "myns".*`) // (?s) : '.' will also match newlines
+}
+
+// dockerLogin simulates (docker login) to the cluster, or terminates on failure.
+// We do not run (docker login) directly, because that requires a running daemon and a docker package.
+func (cluster *openshiftCluster) dockerLogin(c *check.C) {
+	cluster.dockerDir = filepath.Join(homedir.Get(), ".docker")
+	err := os.Mkdir(cluster.dockerDir, 0700)
+	c.Assert(err, check.IsNil)
+
+	out := combinedOutputOfCommand(c, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
+	c.Logf("oc config value: %s", out)
+	authValue := base64.StdEncoding.EncodeToString([]byte("unused:" + out))
+	auths := []string{}
+	for _, port := range []int{5000, 5005, 5006} {
+		auths = append(auths, fmt.Sprintf(`"localhost:%d": {
+				"auth": "%s",
+				"email": "unused"
+			}`, port, authValue))
+	}
+	configJSON := `{"auths": {` + strings.Join(auths, ",") + `}}`
+	err = ioutil.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0600)
+	c.Assert(err, check.IsNil)
+}
+
+// relaxImageSignerPermissions opens up the system:image-signer permissions so that
+// anyone can work with signatures
+// FIXME: This also allows anyone to DoS anyone else; this design is really not all
+// that workable, but it is the best we can do for now.
+func (cluster *openshiftCluster) relaxImageSignerPermissions(c *check.C) {
+	cmd := cluster.clusterCmd(adminKUBECONFIG, "oadm", "policy", "add-cluster-role-to-group", "system:image-signer", "system:authenticated")
+	out, err := cmd.CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.Assert(string(out), check.Equals, "cluster role \"system:image-signer\" added: \"system:authenticated\"\n")
+}
+
+// tearDown stops the cluster services and deletes (only some!) of the state.
+func (cluster *openshiftCluster) tearDown(c *check.C) {
+	for i := len(cluster.processes) - 1; i >= 0; i-- {
+		cluster.processes[i].Process.Kill()
+	}
+	if cluster.workingDir != "" {
+		os.RemoveAll(cluster.workingDir)
+	}
+	if cluster.dockerDir != "" {
+		os.RemoveAll(cluster.dockerDir)
+	}
+}
--- a/integration/openshift_shell_test.go
+++ b/integration/openshift_shell_test.go
@@ -0,0 +1,40 @@
+// +build openshift_shell
+
+package main
+
+import (
+	"os"
+	"os/exec"
+
+	"github.com/go-check/check"
+)
+
+/*
+TestRunShell is not really a test; it is a convenient way to use the registry setup code
+in openshift.go and CopySuite to get an interactive environment for experimentation.
+
+To use it, run:
+	sudo make shell
+to start a container, then within the container:
+	SKOPEO_CONTAINER_TESTS=1 PS1='nested> ' go test -tags openshift_shell -timeout=24h ./integration -v -check.v -check.vv -check.f='CopySuite.TestRunShell'
+
+An example of what can be done within the container:
+	cd ..; make binary-local install
+	./skopeo --tls-verify=false  copy --sign-by=personal@example.com docker://busybox:latest atomic:localhost:5000/myns/personal:personal
+	oc get istag personal:personal -o json
+	curl -L -v 'http://localhost:5000/v2/'
+	cat ~/.docker/config.json
+	curl -L -v 'http://localhost:5000/openshift/token&scope=repository:myns/personal:pull' --header 'Authorization: Basic $auth_from_docker'
+	curl -L -v 'http://localhost:5000/v2/myns/personal/manifests/personal' --header 'Authorization: Bearer $token_from_oauth'
+	curl -L -v 'http://localhost:5000/extensions/v2/myns/personal/signatures/$manifest_digest' --header 'Authorization: Bearer $token_from_oauth'
+*/
+func (s *CopySuite) TestRunShell(c *check.C) {
+	cmd := exec.Command("bash", "-i")
+	tty, err := os.OpenFile("/dev/tty", os.O_RDWR, 0)
+	c.Assert(err, check.IsNil)
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+	err = cmd.Run()
+	c.Assert(err, check.IsNil)
+}
--- a/integration/registry.go
+++ b/integration/registry.go
@@ -13,23 +13,10 @@ import (
 )

 const (
-	binaryV1        = "docker-registry"
 	binaryV2        = "registry-v2"
 	binaryV2Schema1 = "registry-v2-schema1"
 )

-type testRegistryV1 struct {
-	cmd *exec.Cmd
-	url string
-	dir string
-}
-
-func setupRegistryV1At(c *check.C, url string, auth bool) *testRegistryV1 {
-	return &testRegistryV1{
-		url: url,
-	}
-}
-
 type testRegistryV2 struct {
 	cmd      *exec.Cmd
 	url      string
@@ -44,7 +31,7 @@ func setupRegistryV2At(c *check.C, url string, auth, schema1 bool) *testRegistry
 	c.Assert(err, check.IsNil)

 	// Wait for registry to be ready to serve requests.
-	for i := 0; i != 5; i++ {
+	for i := 0; i != 50; i++ {
 		if err = reg.Ping(); err == nil {
 			break
 		}
@@ -67,6 +54,8 @@ loglevel: debug
 storage:
    filesystem:
        rootdirectory: %s
+    delete:
+        enabled: true
 http:
    addr: %s
 %s`
@@ -107,6 +96,7 @@ http:
 	}

 	cmd := exec.Command(binary, confPath)
+	consumeAndLogOutputs(c, fmt.Sprintf("registry-%s", url), cmd)
 	if err := cmd.Start(); err != nil {
 		os.RemoveAll(tmp)
 		if os.IsNotExist(err) {
--- a/integration/signing_test.go
+++ b/integration/signing_test.go
@@ -2,12 +2,13 @@ package main

 import (
 	"errors"
-	"io"
+	"fmt"
 	"io/ioutil"
 	"os"
 	"os/exec"
 	"strings"

+	"github.com/containers/image/v5/signature"
 	"github.com/go-check/check"
 )

@@ -35,27 +36,7 @@ func findFingerprint(lineBytes []byte) (string, error) {
 	return "", errors.New("No fingerprint found")
 }

-// ConsumeAndLogOutput takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to c.
-func ConsumeAndLogOutput(c *check.C, id string, f io.ReadCloser, err error) {
-	c.Assert(err, check.IsNil)
-	go func() {
-		defer func() {
-			f.Close()
-			c.Logf("Output %s: Closed", id)
-		}()
-		buf := make([]byte, 0, 1024)
-		for {
-			c.Logf("Output %s: waiting", id)
-			n, err := f.Read(buf)
-			c.Logf("Output %s: got %d,%#v: %#v", id, n, err, buf[:n])
-			if n <= 0 {
-				break
-			}
-		}
-	}()
-}
-
-func (s *SigningSuite) SetUpTest(c *check.C) {
+func (s *SigningSuite) SetUpSuite(c *check.C) {
 	_, err := exec.LookPath(skopeoBinary)
 	c.Assert(err, check.IsNil)

@@ -63,21 +44,7 @@ func (s *SigningSuite) SetUpTest(c *check.C) {
 	c.Assert(err, check.IsNil)
 	os.Setenv("GNUPGHOME", s.gpgHome)

-	cmd := exec.Command(gpgBinary, "--homedir", s.gpgHome, "--batch", "--gen-key")
-	stdin, err := cmd.StdinPipe()
-	c.Assert(err, check.IsNil)
-	stdout, err := cmd.StdoutPipe()
-	ConsumeAndLogOutput(c, "gen-key stdout", stdout, err)
-	stderr, err := cmd.StderrPipe()
-	ConsumeAndLogOutput(c, "gen-key stderr", stderr, err)
-	err = cmd.Start()
-	c.Assert(err, check.IsNil)
-	_, err = stdin.Write([]byte("Key-Type: RSA\nName-Real: Testing user\n%commit\n"))
-	c.Assert(err, check.IsNil)
-	err = stdin.Close()
-	c.Assert(err, check.IsNil)
-	err = cmd.Wait()
-	c.Assert(err, check.IsNil)
+	runCommandWithInput(c, "Key-Type: RSA\nName-Real: Testing user\n%no-protection\n%commit\n", gpgBinary, "--homedir", s.gpgHome, "--batch", "--gen-key")

 	lines, err := exec.Command(gpgBinary, "--homedir", s.gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
 	c.Assert(err, check.IsNil)
@@ -85,7 +52,7 @@ func (s *SigningSuite) SetUpTest(c *check.C) {
 	c.Assert(err, check.IsNil)
 }

-func (s *SigningSuite) TearDownTest(c *check.C) {
+func (s *SigningSuite) TearDownSuite(c *check.C) {
 	if s.gpgHome != "" {
 		err := os.RemoveAll(s.gpgHome)
 		c.Assert(err, check.IsNil)
@@ -96,19 +63,23 @@ func (s *SigningSuite) TearDownTest(c *check.C) {
 }

 func (s *SigningSuite) TestSignVerifySmoke(c *check.C) {
+	mech, _, err := signature.NewEphemeralGPGSigningMechanism([]byte{})
+	c.Assert(err, check.IsNil)
+	defer mech.Close()
+	if err := mech.SupportsSigning(); err != nil { // FIXME? Test that verification and policy enforcement works, using signatures from fixtures
+		c.Skip(fmt.Sprintf("Signing not supported: %v", err))
+	}
+
 	manifestPath := "fixtures/image.manifest.json"
 	dockerReference := "testing/smoketest"

 	sigOutput, err := ioutil.TempFile("", "sig")
 	c.Assert(err, check.IsNil)
 	defer os.Remove(sigOutput.Name())
-	out, err := exec.Command(skopeoBinary, "standalone-sign", "-o", sigOutput.Name(),
-		manifestPath, dockerReference, s.fingerprint).CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
-	c.Assert(string(out), check.Equals, "")
+	assertSkopeoSucceeds(c, "^$", "standalone-sign", "-o", sigOutput.Name(),
+		manifestPath, dockerReference, s.fingerprint)

-	out, err = exec.Command(skopeoBinary, "standalone-verify", manifestPath,
-		dockerReference, s.fingerprint, sigOutput.Name()).CombinedOutput()
-	c.Assert(err, check.IsNil, check.Commentf("%s", out))
-	c.Assert(string(out), check.Equals, "Signature verified, digest "+TestImageManifestDigest+"\n")
+	expected := fmt.Sprintf("^Signature verified, digest %s\n$", TestImageManifestDigest)
+	assertSkopeoSucceeds(c, expected, "standalone-verify", manifestPath,
+		dockerReference, s.fingerprint, sigOutput.Name())
 }
--- a/integration/sync_test.go
+++ b/integration/sync_test.go
@@ -0,0 +1,514 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/types"
+	"github.com/go-check/check"
+)
+
+func init() {
+	check.Suite(&SyncSuite{})
+}
+
+type SyncSuite struct {
+	cluster  *openshiftCluster
+	registry *testRegistryV2
+	gpgHome  string
+}
+
+func (s *SyncSuite) SetUpSuite(c *check.C) {
+	const registryAuth = false
+	const registrySchema1 = false
+
+	if os.Getenv("SKOPEO_LOCAL_TESTS") == "1" {
+		c.Log("Running tests without a container")
+		fmt.Printf("NOTE: tests requires a V2 registry at url=%s, with auth=%t, schema1=%t \n", v2DockerRegistryURL, registryAuth, registrySchema1)
+		return
+	}
+
+	if os.Getenv("SKOPEO_CONTAINER_TESTS") != "1" {
+		c.Skip("Not running in a container, refusing to affect user state")
+	}
+
+	s.cluster = startOpenshiftCluster(c) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+
+	for _, stream := range []string{"unsigned", "personal", "official", "naming", "cosigned", "compression", "schema1", "schema2"} {
+		isJSON := fmt.Sprintf(`{
+			"kind": "ImageStream",
+			"apiVersion": "v1",
+			"metadata": {
+			    "name": "%s"
+			},
+			"spec": {}
+		}`, stream)
+		runCommandWithInput(c, isJSON, "oc", "create", "-f", "-")
+	}
+
+	// FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, registryAuth, registrySchema1)
+
+	gpgHome, err := ioutil.TempDir("", "skopeo-gpg")
+	c.Assert(err, check.IsNil)
+	s.gpgHome = gpgHome
+	os.Setenv("GNUPGHOME", s.gpgHome)
+
+	for _, key := range []string{"personal", "official"} {
+		batchInput := fmt.Sprintf("Key-Type: RSA\nName-Real: Test key - %s\nName-email: %s@example.com\n%%no-protection\n%%commit\n",
+			key, key)
+		runCommandWithInput(c, batchInput, gpgBinary, "--batch", "--gen-key")
+
+		out := combinedOutputOfCommand(c, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
+		err := ioutil.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
+			[]byte(out), 0600)
+		c.Assert(err, check.IsNil)
+	}
+}
+
+func (s *SyncSuite) TearDownSuite(c *check.C) {
+	if os.Getenv("SKOPEO_LOCAL_TESTS") == "1" {
+		return
+	}
+
+	if s.gpgHome != "" {
+		os.RemoveAll(s.gpgHome)
+	}
+	if s.registry != nil {
+		s.registry.Close()
+	}
+	if s.cluster != nil {
+		s.cluster.tearDown(c)
+	}
+}
+
+func (s *SyncSuite) TestDocker2DirTagged(c *check.C) {
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	image := "busybox:latest"
+	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
+	c.Assert(err, check.IsNil)
+	imagePath := imageRef.DockerReference().String()
+
+	dir1 := path.Join(tmpDir, "dir1")
+	dir2 := path.Join(tmpDir, "dir2")
+
+	// sync docker => dir
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	// copy docker => dir
+	assertSkopeoSucceeds(c, "", "copy", "docker://"+image, "dir:"+dir2)
+	_, err = os.Stat(path.Join(dir2, "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	out := combinedOutputOfCommand(c, "diff", "-urN", path.Join(dir1, imagePath), dir2)
+	c.Assert(out, check.Equals, "")
+}
+
+func (s *SyncSuite) TestScoped(c *check.C) {
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	image := "busybox:latest"
+	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
+	c.Assert(err, check.IsNil)
+	imagePath := imageRef.DockerReference().String()
+
+	dir1, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
+	_, err = os.Stat(path.Join(dir1, image, "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	os.RemoveAll(dir1)
+}
+
+func (s *SyncSuite) TestDirIsNotOverwritten(c *check.C) {
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	image := "busybox:latest"
+	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
+	c.Assert(err, check.IsNil)
+	imagePath := imageRef.DockerReference().String()
+
+	// make a copy of the image in the local registry
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "docker://"+image, "docker://"+path.Join(v2DockerRegistryURL, image))
+
+	//sync upstream image to dir, not scoped
+	dir1, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	assertSkopeoSucceeds(c, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
+	_, err = os.Stat(path.Join(dir1, image, "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	//sync local registry image to dir, not scoped
+	assertSkopeoFails(c, ".*Refusing to overwrite destination directory.*", "sync", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, image), dir1)
+
+	//sync local registry image to dir, scoped
+	imageRef, err = docker.ParseReference(fmt.Sprintf("//%s", path.Join(v2DockerRegistryURL, image)))
+	c.Assert(err, check.IsNil)
+	imagePath = imageRef.DockerReference().String()
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, image), dir1)
+	_, err = os.Stat(path.Join(dir1, imagePath, "manifest.json"))
+	c.Assert(err, check.IsNil)
+	os.RemoveAll(dir1)
+}
+
+func (s *SyncSuite) TestDocker2DirUntagged(c *check.C) {
+
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	image := "alpine"
+	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
+	c.Assert(err, check.IsNil)
+	imagePath := imageRef.DockerReference().String()
+
+	dir1 := path.Join(tmpDir, "dir1")
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "docker", "--dest", "dir", image, dir1)
+
+	sysCtx := types.SystemContext{}
+	tags, err := docker.GetRepositoryTags(context.Background(), &sysCtx, imageRef)
+	c.Assert(err, check.IsNil)
+	c.Check(len(tags), check.Not(check.Equals), 0)
+
+	nManifests, err := filepath.Glob(path.Join(dir1, path.Dir(imagePath), "*", "manifest.json"))
+	c.Assert(err, check.IsNil)
+	c.Assert(len(nManifests), check.Equals, len(tags))
+}
+
+func (s *SyncSuite) TestYamlUntagged(c *check.C) {
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+	dir1 := path.Join(tmpDir, "dir1")
+
+	image := "alpine"
+	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
+	c.Assert(err, check.IsNil)
+	imagePath := imageRef.DockerReference().Name()
+
+	sysCtx := types.SystemContext{}
+	tags, err := docker.GetRepositoryTags(context.Background(), &sysCtx, imageRef)
+	c.Assert(err, check.IsNil)
+	c.Check(len(tags), check.Not(check.Equals), 0)
+
+	yamlConfig := fmt.Sprintf(`
+docker.io:
+  images:
+    %s:
+`, image)
+
+	//sync to the local reg
+	yamlFile := path.Join(tmpDir, "registries.yaml")
+	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "docker", "--dest-tls-verify=false", yamlFile, v2DockerRegistryURL)
+	// sync back from local reg to a folder
+	os.Remove(yamlFile)
+	yamlConfig = fmt.Sprintf(`
+%s:
+  tls-verify: false
+  images:
+    %s:
+
+`, v2DockerRegistryURL, imagePath)
+
+	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+
+	sysCtx = types.SystemContext{
+		DockerInsecureSkipTLSVerify: types.NewOptionalBool(true),
+	}
+	localTags, err := docker.GetRepositoryTags(context.Background(), &sysCtx, imageRef)
+	c.Assert(err, check.IsNil)
+	c.Check(len(localTags), check.Not(check.Equals), 0)
+	c.Assert(len(localTags), check.Equals, len(tags))
+
+	nManifests := 0
+	//count the number of manifest.json in dir1
+	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() && info.Name() == "manifest.json" {
+			nManifests++
+			return filepath.SkipDir
+		}
+		return nil
+	})
+	c.Assert(err, check.IsNil)
+	c.Assert(nManifests, check.Equals, len(tags))
+}
+
+func (s *SyncSuite) TestYaml2Dir(c *check.C) {
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+	dir1 := path.Join(tmpDir, "dir1")
+
+	yamlConfig := `
+docker.io:
+  images:
+    busybox:
+      - latest
+      - musl
+    alpine:
+      - edge
+      - 3.8
+
+    opensuse/leap:
+      - latest
+
+quay.io:
+  images:
+      quay/busybox:
+          - latest`
+
+	// get the number of tags
+	re := regexp.MustCompile(`^ +- +[^:/ ]+`)
+	var nTags int
+	for _, l := range strings.Split(yamlConfig, "\n") {
+		if re.MatchString(l) {
+			nTags++
+		}
+	}
+	c.Assert(nTags, check.Not(check.Equals), 0)
+
+	yamlFile := path.Join(tmpDir, "registries.yaml")
+	ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+
+	nManifests := 0
+	err = filepath.Walk(dir1, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() && info.Name() == "manifest.json" {
+			nManifests++
+			return filepath.SkipDir
+		}
+		return nil
+	})
+	c.Assert(err, check.IsNil)
+	c.Assert(nManifests, check.Equals, nTags)
+}
+
+func (s *SyncSuite) TestYamlTLSVerify(c *check.C) {
+	const localRegURL = "docker://" + v2DockerRegistryURL + "/"
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+	dir1 := path.Join(tmpDir, "dir1")
+	image := "busybox"
+	tag := "latest"
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	// copy docker => docker
+	assertSkopeoSucceeds(c, "", "copy", "--dest-tls-verify=false", "docker://"+image+":"+tag, localRegURL+image+":"+tag)
+
+	yamlTemplate := `
+%s:
+  %s
+  images:
+    %s:
+      - %s`
+
+	testCfg := []struct {
+		tlsVerify string
+		msg       string
+		checker   func(c *check.C, regexp string, args ...string)
+	}{
+		{
+			tlsVerify: "tls-verify: false",
+			msg:       "",
+			checker:   assertSkopeoSucceeds,
+		},
+		{
+			tlsVerify: "tls-verify: true",
+			msg:       ".*server gave HTTP response to HTTPS client.*",
+			checker:   assertSkopeoFails,
+		},
+		// no "tls-verify" line means default TLS verify must be ON
+		{
+			tlsVerify: "",
+			msg:       ".*server gave HTTP response to HTTPS client.*",
+			checker:   assertSkopeoFails,
+		},
+	}
+
+	for _, cfg := range testCfg {
+		yamlConfig := fmt.Sprintf(yamlTemplate, v2DockerRegistryURL, cfg.tlsVerify, image, tag)
+		yamlFile := path.Join(tmpDir, "registries.yaml")
+		ioutil.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+
+		cfg.checker(c, cfg.msg, "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
+		os.Remove(yamlFile)
+		os.RemoveAll(dir1)
+	}
+
+}
+
+func (s *SyncSuite) TestDocker2DockerTagged(c *check.C) {
+	const localRegURL = "docker://" + v2DockerRegistryURL + "/"
+
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	image := "busybox:latest"
+	imageRef, err := docker.ParseReference(fmt.Sprintf("//%s", image))
+	c.Assert(err, check.IsNil)
+	imagePath := imageRef.DockerReference().String()
+
+	dir1 := path.Join(tmpDir, "dir1")
+	dir2 := path.Join(tmpDir, "dir2")
+
+	// sync docker => docker
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "docker", "--dest", "docker", image, v2DockerRegistryURL)
+
+	// copy docker => dir
+	assertSkopeoSucceeds(c, "", "copy", "docker://"+image, "dir:"+dir1)
+	_, err = os.Stat(path.Join(dir1, "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	// copy docker => dir
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", localRegURL+imagePath, "dir:"+dir2)
+	_, err = os.Stat(path.Join(dir2, "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
+	c.Assert(out, check.Equals, "")
+}
+
+func (s *SyncSuite) TestDir2DockerTagged(c *check.C) {
+	const localRegURL = "docker://" + v2DockerRegistryURL + "/"
+
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	image := "busybox:latest"
+
+	dir1 := path.Join(tmpDir, "dir1")
+	err = os.Mkdir(dir1, 0755)
+	c.Assert(err, check.IsNil)
+	dir2 := path.Join(tmpDir, "dir2")
+	err = os.Mkdir(dir2, 0755)
+	c.Assert(err, check.IsNil)
+
+	// copy docker => dir
+	assertSkopeoSucceeds(c, "", "copy", "docker://"+image, "dir:"+path.Join(dir1, image))
+	_, err = os.Stat(path.Join(dir1, image, "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	// sync dir => docker
+	assertSkopeoSucceeds(c, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", dir1, v2DockerRegistryURL)
+
+	// copy docker => dir
+	assertSkopeoSucceeds(c, "", "copy", "--src-tls-verify=false", localRegURL+image, "dir:"+path.Join(dir2, image))
+	_, err = os.Stat(path.Join(path.Join(dir2, image), "manifest.json"))
+	c.Assert(err, check.IsNil)
+
+	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
+	c.Assert(out, check.Equals, "")
+}
+
+func (s *SyncSuite) TestFailsWithDir2Dir(c *check.C) {
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	dir1 := path.Join(tmpDir, "dir1")
+	dir2 := path.Join(tmpDir, "dir2")
+
+	// sync dir => dir is not allowed
+	assertSkopeoFails(c, ".*sync from 'dir' to 'dir' not implemented.*", "sync", "--scoped", "--src", "dir", "--dest", "dir", dir1, dir2)
+}
+
+func (s *SyncSuite) TestFailsNoSourceImages(c *check.C) {
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	assertSkopeoFails(c, ".*No images to sync found in .*",
+		"sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", tmpDir, v2DockerRegistryURL)
+
+	assertSkopeoFails(c, ".*No images to sync found in .*",
+		"sync", "--scoped", "--dest-tls-verify=false", "--src", "docker", "--dest", "docker", "hopefully_no_images_will_ever_be_called_like_this", v2DockerRegistryURL)
+}
+
+func (s *SyncSuite) TestFailsWithDockerSourceNoRegistry(c *check.C) {
+	const regURL = "google.com/namespace/imagename"
+
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	//untagged
+	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
+		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL, tmpDir)
+
+	//tagged
+	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
+		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL+":thetag", tmpDir)
+}
+
+func (s *SyncSuite) TestFailsWithDockerSourceUnauthorized(c *check.C) {
+	const repo = "privateimagenamethatshouldnotbepublic"
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	//untagged
+	assertSkopeoFails(c, ".*Registry disallows tag list retrieval.*",
+		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo, tmpDir)
+
+	//tagged
+	assertSkopeoFails(c, ".*unauthorized: authentication required.*",
+		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo+":thetag", tmpDir)
+}
+
+func (s *SyncSuite) TestFailsWithDockerSourceNotExisting(c *check.C) {
+	repo := path.Join(v2DockerRegistryURL, "imagedoesdotexist")
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	//untagged
+	assertSkopeoFails(c, ".*invalid status code from registry 404.*",
+		"sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", repo, tmpDir)
+
+	//tagged
+	assertSkopeoFails(c, ".*Error reading manifest.*",
+		"sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", repo+":thetag", tmpDir)
+}
+
+func (s *SyncSuite) TestFailsWithDirSourceNotExisting(c *check.C) {
+	// Make sure the dir does not exist!
+	tmpDir, err := ioutil.TempDir("", "skopeo-sync-test")
+	c.Assert(err, check.IsNil)
+	err = os.RemoveAll(tmpDir)
+	c.Assert(err, check.IsNil)
+	_, err = os.Stat(path.Join(tmpDir))
+	c.Check(os.IsNotExist(err), check.Equals, true)
+
+	assertSkopeoFails(c, ".*no such file or directory.*",
+		"sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", tmpDir, v2DockerRegistryURL)
+}
--- a/integration/utils.go
+++ b/integration/utils.go
@@ -0,0 +1,202 @@
+package main
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"net"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/go-check/check"
+)
+
+const skopeoBinary = "skopeo"
+const decompressDirsBinary = "./decompress-dirs.sh"
+
+// consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to c.
+func consumeAndLogOutputStream(c *check.C, id string, f io.ReadCloser, err error) {
+	c.Assert(err, check.IsNil)
+	go func() {
+		defer func() {
+			f.Close()
+			c.Logf("Output %s: Closed", id)
+		}()
+		buf := make([]byte, 1024)
+		for {
+			c.Logf("Output %s: waiting", id)
+			n, err := f.Read(buf)
+			c.Logf("Output %s: got %d,%#v: %s", id, n, err, strings.TrimSuffix(string(buf[:n]), "\n"))
+			if n <= 0 {
+				break
+			}
+		}
+	}()
+}
+
+// consumeAndLogOutputs causes all output to stdout and stderr from an *exec.Cmd to be logged to c
+func consumeAndLogOutputs(c *check.C, id string, cmd *exec.Cmd) {
+	stdout, err := cmd.StdoutPipe()
+	consumeAndLogOutputStream(c, id+" stdout", stdout, err)
+	stderr, err := cmd.StderrPipe()
+	consumeAndLogOutputStream(c, id+" stderr", stderr, err)
+}
+
+// combinedOutputOfCommand runs a command as if exec.Command().CombinedOutput(), verifies that the exit status is 0, and returns the output,
+// or terminates c on failure.
+func combinedOutputOfCommand(c *check.C, name string, args ...string) string {
+	c.Logf("Running %s %s", name, strings.Join(args, " "))
+	out, err := exec.Command(name, args...).CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	return string(out)
+}
+
+// assertSkopeoSucceeds runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
+// and optionally that the output matches a multi-line regexp if it is nonempty;
+// or terminates c on failure
+func assertSkopeoSucceeds(c *check.C, regexp string, args ...string) {
+	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	if regexp != "" {
+		c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+	}
+}
+
+// assertSkopeoFails runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
+// and that the output matches a multi-line regexp;
+// or terminates c on failure
+func assertSkopeoFails(c *check.C, regexp string, args ...string) {
+	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
+	c.Assert(err, check.NotNil, check.Commentf("%s", out))
+	c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+}
+
+// runCommandWithInput runs a command as if exec.Command(), sending it the input to stdin,
+// and verifies that the exit status is 0, or terminates c on failure.
+func runCommandWithInput(c *check.C, input string, name string, args ...string) {
+	cmd := exec.Command(name, args...)
+	runExecCmdWithInput(c, cmd, input)
+}
+
+// runExecCmdWithInput runs an exec.Cmd, sending it the input to stdin,
+// and verifies that the exit status is 0, or terminates c on failure.
+func runExecCmdWithInput(c *check.C, cmd *exec.Cmd, input string) {
+	c.Logf("Running %s %s", cmd.Path, strings.Join(cmd.Args, " "))
+	consumeAndLogOutputs(c, cmd.Path+" "+strings.Join(cmd.Args, " "), cmd)
+	stdin, err := cmd.StdinPipe()
+	c.Assert(err, check.IsNil)
+	err = cmd.Start()
+	c.Assert(err, check.IsNil)
+	_, err = stdin.Write([]byte(input))
+	c.Assert(err, check.IsNil)
+	err = stdin.Close()
+	c.Assert(err, check.IsNil)
+	err = cmd.Wait()
+	c.Assert(err, check.IsNil)
+}
+
+// isPortOpen returns true iff the specified port on localhost is open.
+func isPortOpen(port int) bool {
+	conn, err := net.DialTCP("tcp", nil, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: port})
+	if err != nil {
+		return false
+	}
+	conn.Close()
+	return true
+}
+
+// newPortChecker sets up a portOpen channel which will receive true after the specified port is open.
+// The checking can be aborted by sending a value to the terminate channel, which the caller should
+// always do using
+// defer func() {terminate <- true}()
+func newPortChecker(c *check.C, port int) (portOpen <-chan bool, terminate chan<- bool) {
+	portOpenBidi := make(chan bool)
+	// Buffered, so that sending a terminate request after the goroutine has exited does not block.
+	terminateBidi := make(chan bool, 1)
+
+	go func() {
+		defer func() {
+			c.Logf("Port checker for port %d exiting", port)
+		}()
+		for {
+			c.Logf("Checking for port %d...", port)
+			if isPortOpen(port) {
+				c.Logf("Port %d open", port)
+				portOpenBidi <- true
+				return
+			}
+			c.Logf("Sleeping for port %d", port)
+			sleepChan := time.After(100 * time.Millisecond)
+			select {
+			case <-sleepChan: // Try again
+				c.Logf("Sleeping for port %d done, will retry", port)
+			case <-terminateBidi:
+				c.Logf("Check for port %d terminated", port)
+				return
+			}
+		}
+	}()
+	return portOpenBidi, terminateBidi
+}
+
+// modifyEnviron modifies os.Environ()-like list of name=value assignments to set name to value.
+func modifyEnviron(env []string, name, value string) []string {
+	prefix := name + "="
+	res := []string{}
+	for _, e := range env {
+		if !strings.HasPrefix(e, prefix) {
+			res = append(res, e)
+		}
+	}
+	return append(res, prefix+value)
+}
+
+// fileFromFixtureFixture applies edits to inputPath and returns a path to the temporary file.
+// Callers should defer os.Remove(the_returned_path)
+func fileFromFixture(c *check.C, inputPath string, edits map[string]string) string {
+	contents, err := ioutil.ReadFile(inputPath)
+	c.Assert(err, check.IsNil)
+	for template, value := range edits {
+		updated := bytes.Replace(contents, []byte(template), []byte(value), -1)
+		c.Assert(bytes.Equal(updated, contents), check.Equals, false, check.Commentf("Replacing %s in %#v failed", template, string(contents))) // Verify that the template has matched something and we are not silently ignoring it.
+		contents = updated
+	}
+
+	file, err := ioutil.TempFile("", "policy.json")
+	c.Assert(err, check.IsNil)
+	path := file.Name()
+
+	_, err = file.Write(contents)
+	c.Assert(err, check.IsNil)
+	err = file.Close()
+	c.Assert(err, check.IsNil)
+	return path
+}
+
+// runDecompressDirs runs decompress-dirs.sh using exec.Command().CombinedOutput, verifies that the exit status is 0,
+// and optionally that the output matches a multi-line regexp if it is nonempty; or terminates c on failure
+func runDecompressDirs(c *check.C, regexp string, args ...string) {
+	c.Logf("Running %s %s", decompressDirsBinary, strings.Join(args, " "))
+	for i, dir := range args {
+		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+		c.Assert(err, check.IsNil)
+		c.Logf("manifest %d before: %s", i+1, string(m))
+	}
+	out, err := exec.Command(decompressDirsBinary, args...).CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	for i, dir := range args {
+		if len(out) > 0 {
+			c.Logf("output: %s", out)
+		}
+		m, err := ioutil.ReadFile(filepath.Join(dir, "manifest.json"))
+		c.Assert(err, check.IsNil)
+		c.Logf("manifest %d after: %s", i+1, string(m))
+	}
+	if regexp != "" {
+		c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+	}
+}
--- a/man1/skopeo.1
+++ b/man1/skopeo.1
@@ -1,118 +0,0 @@
-.\" To review this file formatted
-.\" groff -man -Tascii skopeo.1
-.\"
-.de FN
-\fI\|\\$1\|\fP
-..
-.TH "skopeo" "1" "2016-04-21" "Linux" "Linux Programmer's Manual"
-.SH NAME
-skopeo \(em Inspect Docker images and repositories on registries
-.SH SYNOPSIS
-\fBskopeo copy\fR [\fB--sign-by=\fRkey-ID] source-location destination-location
-.PP
-\fBskopeo inspect\fR image-name [\fB--raw\fR]
-.PP
-\fBskopeo layers\fR image-name
-.PP
-\fBskopeo standalone-sign\fR manifest docker-reference key-fingerprint \%\fB--output\fR|\fB-o\fR signature
-.PP
-\fBskopeo standalone-verify\fR manifest docker-reference key-fingerprint \%signature
-.PP
-\fBskopeo help\fR [command]
-.SH DESCRIPTION
-\fBskopeo\fR is a command line utility which is able to inspect a repository on a Docker registry and fetch images
-layers. It fetches the repository's manifest and it is able to show you a \fBdocker inspect\fR-like json output about a
-whole repository or a tag. This tool, in contrast to \fBdocker inspect\fR, helps you gather useful information about a
-repository or a tag without requiring you to run \fBdocker pull\fR - e.g. - which tags are available for the given
-repository? which labels the image has?
-.SH OPTIONS
-.B "--debug"
-enable debug output
-.PP
-.B "--username"
-Username to use to authenicate to the given registry
-.PP
-.B --password
-Password to use to authenicate to the given registry
-.PP
-.B "--cert-path"
-Path to certificates to use to authenicate to the given registry (cert.pem, key.pem)
-.PP
-.B "--tls-verify"
-Whether to verify certificates or not
-.PP
-.B "--help, -h"
-Show help
-.PP
-.B "--version, -v"
-print the version number
-.SH COMMANDS
-.TP
-.B copy
-Copy an image (manifest, filesystem layers, signatures) from one location to another.
-.sp
-.B source-location
-and
-.B destination-location
-can be \fBdocker://\fRdocker-reference, \fBdir:\fRlocal-path, or \fBatomic:\fRimagestream-name\fB:\fRtag .
-.sp
-\fB\-\-sign\-by=\fRkey-id
-Add a signature by the specified key ID for image name corresponding to \fBdestination-location\fR.
-Existing signatures, if any, are preserved as well.
-.TP
-.B inspect
-Return low-level information on images in a registry
-.sp
-.B image-name
-name of image to retrieve information about
-.br
-.B "--raw"
-output raw manifest, default is to format in JSON
-.TP
-.B layers
-Get image layers
-.sp
-.B image-name
-name of the image to retrieve layers
-.TP
-.B standalone-sign
-Create a signature using local files.
-This is primarily a debugging tool and should not be part of your normal operational workflow.
-.sp
-.B manifest
-path to file containing manifest of image
-.br
-.B docker-reference
-docker reference of blob to be signed
-.br
-.B key-fingerprint
-key identity to use for signing
-.br
-.B ""--output, -o"
-write signature to given file
-.TP
-.B standalone-verify
-Verify a signature using local files, digest will be printed on success.
-This is primarily a debugging tool and should not be part of your normal operational workflow.
-.sp
-.B manifest
-Path to file containing manifest of image
-.br
-.B docker-reference
-docker reference of signed blob
-.br
-.B key-fingerprint
-key identity to use for verification
-.br
-.B signature
-Path to file containing signature
-.TP
-.B help
-show help for \fBskopeo\fR
-.SH AUTHORS
-Antonio Murdaca <runcom@redhat.com>
-.br
-Miloslav Trmac <mitr@redhat.com>
-.br
-Jhon Honce <jhonce@redhat.com>
-
--- a/openshift/openshift.go
+++ b/openshift/openshift.go
@@ -1,398 +0,0 @@
-package openshift
-
-import (
-	"bytes"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"net/url"
-	"regexp"
-	"strings"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/projectatomic/skopeo/docker"
-	"github.com/projectatomic/skopeo/docker/utils"
-	"github.com/projectatomic/skopeo/types"
-	"github.com/projectatomic/skopeo/version"
-)
-
-// openshiftClient is configuration for dealing with a single image stream, for reading or writing.
-type openshiftClient struct {
-	// Values from Kubernetes configuration
-	baseURL     *url.URL
-	httpClient  *http.Client
-	bearerToken string // "" if not used
-	username    string // "" if not used
-	password    string // if username != ""
-	// Values specific to this image
-	namespace string
-	stream    string
-	tag       string
-}
-
-// FIXME: Is imageName like this a good way to refer to OpenShift images?
-var imageNameRegexp = regexp.MustCompile("^([^:/]*)/([^:/]*):([^:/]*)$")
-
-// newOpenshiftClient creates a new openshiftClient for the specified image.
-func newOpenshiftClient(imageName string) (*openshiftClient, error) {
-	// Overall, this is modelled on openshift/origin/pkg/cmd/util/clientcmd.New().ClientConfig() and openshift/origin/pkg/client.
-	cmdConfig := defaultClientConfig()
-	logrus.Debugf("cmdConfig: %#v", cmdConfig)
-	restConfig, err := cmdConfig.ClientConfig()
-	if err != nil {
-		return nil, err
-	}
-	// REMOVED: SetOpenShiftDefaults (values are not overridable in config files, so hard-coded these defaults.)
-	logrus.Debugf("restConfig: %#v", restConfig)
-	baseURL, httpClient, err := restClientFor(restConfig)
-	if err != nil {
-		return nil, err
-	}
-	logrus.Debugf("URL: %#v", *baseURL)
-
-	m := imageNameRegexp.FindStringSubmatch(imageName)
-	if m == nil || len(m) != 4 {
-		return nil, fmt.Errorf("Invalid image reference %s, %#v", imageName, m)
-	}
-
-	return &openshiftClient{
-		baseURL:     baseURL,
-		httpClient:  httpClient,
-		bearerToken: restConfig.BearerToken,
-		username:    restConfig.Username,
-		password:    restConfig.Password,
-
-		namespace: m[1],
-		stream:    m[2],
-		tag:       m[3],
-	}, nil
-}
-
-// doRequest performs a correctly authenticated request to a specified path, and returns response body or an error object.
-func (c *openshiftClient) doRequest(method, path string, requestBody []byte) ([]byte, error) {
-	url := *c.baseURL
-	url.Path = path
-	var requestBodyReader io.Reader
-	if requestBody != nil {
-		logrus.Debugf("Will send body: %s", requestBody)
-		requestBodyReader = bytes.NewReader(requestBody)
-	}
-	req, err := http.NewRequest(method, url.String(), requestBodyReader)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(c.bearerToken) != 0 {
-		req.Header.Set("Authorization", "Bearer "+c.bearerToken)
-	} else if len(c.username) != 0 {
-		req.SetBasicAuth(c.username, c.password)
-	}
-	req.Header.Set("Accept", "application/json, */*")
-	req.Header.Set("User-Agent", fmt.Sprintf("skopeo/%s", version.Version))
-	if requestBody != nil {
-		req.Header.Set("Content-Type", "application/json")
-	}
-
-	logrus.Debugf("%s %s", method, url)
-	res, err := c.httpClient.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	body, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return nil, err
-	}
-	logrus.Debugf("Got body: %s", body)
-	// FIXME: Just throwing this useful information away only to try to guess later...
-	logrus.Debugf("Got content-type: %s", res.Header.Get("Content-Type"))
-
-	var status status
-	statusValid := false
-	if err := json.Unmarshal(body, &status); err == nil && len(status.Status) > 0 {
-		statusValid = true
-	}
-
-	switch {
-	case res.StatusCode == http.StatusSwitchingProtocols: // FIXME?! No idea why this weird case exists in k8s.io/kubernetes/pkg/client/restclient.
-		if statusValid && status.Status != "Success" {
-			return nil, errors.New(status.Message)
-		}
-	case res.StatusCode >= http.StatusOK && res.StatusCode <= http.StatusPartialContent:
-		// OK.
-	default:
-		if statusValid {
-			return nil, errors.New(status.Message)
-		}
-		return nil, fmt.Errorf("HTTP error: status code: %d, body: %s", res.StatusCode, string(body))
-	}
-
-	return body, nil
-}
-
-// canonicalDockerReference returns a canonical reference we use for signing OpenShift images.
-// FIXME: This is, strictly speaking, a namespace conflict with images placed in a Docker registry running on the same host.
-// Do we need to do something else, perhaps disambiguate (port number?) or namespace Docker and OpenShift separately?
-func (c *openshiftClient) canonicalDockerReference() string {
-	return fmt.Sprintf("%s/%s/%s:%s", c.baseURL.Host, c.namespace, c.stream, c.tag)
-}
-
-// convertDockerImageReference takes an image API DockerImageReference value and returns a reference we can actually use;
-// currently OpenShift stores the cluster-internal service IPs here, which are unusable from the outside.
-func (c *openshiftClient) convertDockerImageReference(ref string) (string, error) {
-	parts := strings.SplitN(ref, "/", 2)
-	if len(parts) != 2 {
-		return "", fmt.Errorf("Invalid format of docker reference %s: missing '/'", ref)
-	}
-	// Sanity check that the reference is at least plausibly similar, i.e. uses the hard-coded port we expect.
-	if !strings.HasSuffix(parts[0], ":5000") {
-		return "", fmt.Errorf("Invalid format of docker reference %s: expecting port 5000", ref)
-	}
-	return c.dockerRegistryHostPart() + "/" + parts[1], nil
-}
-
-// dockerRegistryHostPart returns the host:port of the embedded Docker Registry API endpoint
-// FIXME: There seems to be no way to discover the correct:host port using the API, so hard-code our knowledge
-// about how the OpenShift Atomic Registry is configured, per examples/atomic-registry/run.sh:
-// -p OPENSHIFT_OAUTH_PROVIDER_URL=https://${INSTALL_HOST}:8443,COCKPIT_KUBE_URL=https://${INSTALL_HOST},REGISTRY_HOST=${INSTALL_HOST}:5000
-func (c *openshiftClient) dockerRegistryHostPart() string {
-	return strings.SplitN(c.baseURL.Host, ":", 2)[0] + ":5000"
-}
-
-type openshiftImageSource struct {
-	client *openshiftClient
-	// Values specific to this image
-	certPath  string // Only for parseDockerImageSource
-	tlsVerify bool   // Only for parseDockerImageSource
-	// State
-	docker               types.ImageSource // The Docker Registry endpoint, or nil if not resolved yet
-	imageStreamImageName string            // Resolved image identifier, or "" if not known yet
-}
-
-// NewOpenshiftImageSource creates a new ImageSource for the specified image and connection specification.
-func NewOpenshiftImageSource(imageName, certPath string, tlsVerify bool) (types.ImageSource, error) {
-	client, err := newOpenshiftClient(imageName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &openshiftImageSource{
-		client:    client,
-		certPath:  certPath,
-		tlsVerify: tlsVerify,
-	}, nil
-}
-
-// IntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
-// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
-// May be "" if unknown.
-func (s *openshiftImageSource) IntendedDockerReference() string {
-	return s.client.canonicalDockerReference()
-}
-
-func (s *openshiftImageSource) GetManifest(mimetypes []string) ([]byte, string, error) {
-	if err := s.ensureImageIsResolved(); err != nil {
-		return nil, "", err
-	}
-	return s.docker.GetManifest(mimetypes)
-}
-
-func (s *openshiftImageSource) GetLayer(digest string) (io.ReadCloser, error) {
-	if err := s.ensureImageIsResolved(); err != nil {
-		return nil, err
-	}
-	return s.docker.GetLayer(digest)
-}
-
-func (s *openshiftImageSource) GetSignatures() ([][]byte, error) {
-	return nil, nil
-}
-
-// ensureImageIsResolved sets up s.docker and s.imageStreamImageName
-func (s *openshiftImageSource) ensureImageIsResolved() error {
-	if s.docker != nil {
-		return nil
-	}
-
-	// FIXME: validate components per validation.IsValidPathSegmentName?
-	path := fmt.Sprintf("/oapi/v1/namespaces/%s/imagestreams/%s", s.client.namespace, s.client.stream)
-	body, err := s.client.doRequest("GET", path, nil)
-	if err != nil {
-		return err
-	}
-	// Note: This does absolutely no kind/version checking or conversions.
-	var is imageStream
-	if err := json.Unmarshal(body, &is); err != nil {
-		return err
-	}
-	var te *tagEvent
-	for _, tag := range is.Status.Tags {
-		if tag.Tag != s.client.tag {
-			continue
-		}
-		if len(tag.Items) > 0 {
-			te = &tag.Items[0]
-			break
-		}
-	}
-	if te == nil {
-		return fmt.Errorf("No matching tag found")
-	}
-	logrus.Debugf("tag event %#v", te)
-	dockerRef, err := s.client.convertDockerImageReference(te.DockerImageReference)
-	if err != nil {
-		return err
-	}
-	logrus.Debugf("Resolved reference %#v", dockerRef)
-	d, err := docker.NewDockerImageSource(dockerRef, s.certPath, s.tlsVerify)
-	if err != nil {
-		return err
-	}
-	s.docker = d
-	s.imageStreamImageName = te.Image
-	return nil
-}
-
-type openshiftImageDestination struct {
-	client *openshiftClient
-	docker types.ImageDestination // The Docker Registry endpoint
-}
-
-// NewOpenshiftImageDestination creates a new ImageDestination for the specified image and connection specification.
-func NewOpenshiftImageDestination(imageName, certPath string, tlsVerify bool) (types.ImageDestination, error) {
-	client, err := newOpenshiftClient(imageName)
-	if err != nil {
-		return nil, err
-	}
-
-	// FIXME: Should this always use a digest, not a tag? Uploading to Docker by tag requires the tag _inside_ the manifest to match,
-	// i.e. a single signed image cannot be available under multiple tags.  But with types.ImageDestination, we don't know
-	// the manifest digest at this point.
-	dockerRef := fmt.Sprintf("%s/%s/%s:%s", client.dockerRegistryHostPart(), client.namespace, client.stream, client.tag)
-	docker, err := docker.NewDockerImageDestination(dockerRef, certPath, tlsVerify)
-	if err != nil {
-		return nil, err
-	}
-
-	return &openshiftImageDestination{
-		client: client,
-		docker: docker,
-	}, nil
-}
-
-func (d *openshiftImageDestination) CanonicalDockerReference() (string, error) {
-	return d.client.canonicalDockerReference(), nil
-}
-
-func (d *openshiftImageDestination) PutManifest(manifest []byte) error {
-	// Note: This does absolutely no kind/version checking or conversions.
-	manifestDigest, err := utils.ManifestDigest(manifest)
-	if err != nil {
-		return err
-	}
-	// FIXME: We can't do what respositorymiddleware.go does because we don't know the internal address. Does any of this matter?
-	dockerImageReference := fmt.Sprintf("%s/%s/%s@%s", d.client.dockerRegistryHostPart(), d.client.namespace, d.client.stream, manifestDigest)
-	ism := imageStreamMapping{
-		typeMeta: typeMeta{
-			Kind:       "ImageStreamMapping",
-			APIVersion: "v1",
-		},
-		objectMeta: objectMeta{
-			Namespace: d.client.namespace,
-			Name:      d.client.stream,
-		},
-		Image: image{
-			objectMeta: objectMeta{
-				Name: manifestDigest,
-			},
-			DockerImageReference: dockerImageReference,
-			DockerImageManifest:  string(manifest),
-		},
-		Tag: d.client.tag,
-	}
-	body, err := json.Marshal(ism)
-	if err != nil {
-		return err
-	}
-
-	// FIXME: validate components per validation.IsValidPathSegmentName?
-	path := fmt.Sprintf("/oapi/v1/namespaces/%s/imagestreammappings", d.client.namespace)
-	body, err = d.client.doRequest("POST", path, body)
-	if err != nil {
-		return err
-	}
-
-	return d.docker.PutManifest(manifest)
-}
-
-func (d *openshiftImageDestination) PutLayer(digest string, stream io.Reader) error {
-	return d.docker.PutLayer(digest, stream)
-}
-
-func (d *openshiftImageDestination) PutSignatures(signatures [][]byte) error {
-	if len(signatures) != 0 {
-		return fmt.Errorf("Pushing signatures to an Atomic Registry is not supported")
-	}
-	return nil
-}
-
-// These structs are subsets of github.com/openshift/origin/pkg/image/api/v1 and its dependencies.
-type imageStream struct {
-	Status imageStreamStatus `json:"status,omitempty"`
-}
-type imageStreamStatus struct {
-	DockerImageRepository string              `json:"dockerImageRepository"`
-	Tags                  []namedTagEventList `json:"tags,omitempty"`
-}
-type namedTagEventList struct {
-	Tag   string     `json:"tag"`
-	Items []tagEvent `json:"items"`
-}
-type tagEvent struct {
-	DockerImageReference string `json:"dockerImageReference"`
-	Image                string `json:"image"`
-}
-type imageStreamImage struct {
-	Image image `json:"image"`
-}
-type image struct {
-	objectMeta           `json:"metadata,omitempty"`
-	DockerImageReference string `json:"dockerImageReference,omitempty"`
-	//	DockerImageMetadata        runtime.RawExtension `json:"dockerImageMetadata,omitempty"`
-	DockerImageMetadataVersion string `json:"dockerImageMetadataVersion,omitempty"`
-	DockerImageManifest        string `json:"dockerImageManifest,omitempty"`
-	//	DockerImageLayers          []ImageLayer         `json:"dockerImageLayers"`
-}
-type imageStreamMapping struct {
-	typeMeta   `json:",inline"`
-	objectMeta `json:"metadata,omitempty"`
-	Image      image  `json:"image"`
-	Tag        string `json:"tag"`
-}
-type typeMeta struct {
-	Kind       string `json:"kind,omitempty"`
-	APIVersion string `json:"apiVersion,omitempty"`
-}
-type objectMeta struct {
-	Name                       string            `json:"name,omitempty"`
-	GenerateName               string            `json:"generateName,omitempty"`
-	Namespace                  string            `json:"namespace,omitempty"`
-	SelfLink                   string            `json:"selfLink,omitempty"`
-	ResourceVersion            string            `json:"resourceVersion,omitempty"`
-	Generation                 int64             `json:"generation,omitempty"`
-	DeletionGracePeriodSeconds *int64            `json:"deletionGracePeriodSeconds,omitempty"`
-	Labels                     map[string]string `json:"labels,omitempty"`
-	Annotations                map[string]string `json:"annotations,omitempty"`
-}
-
-// A subset of k8s.io/kubernetes/pkg/api/unversioned/Status
-type status struct {
-	Status  string `json:"status,omitempty"`
-	Message string `json:"message,omitempty"`
-	// Reason StatusReason `json:"reason,omitempty"`
-	// Details *StatusDetails `json:"details,omitempty"`
-	Code int32 `json:"code,omitempty"`
-}
--- a/reference/reference.go
+++ b/reference/reference.go
@@ -1,210 +0,0 @@
-package reference // COPY WITH EDITS FROM DOCKER/DOCKER
-
-import (
-	"errors"
-	"fmt"
-	"regexp"
-	"strings"
-
-	"github.com/docker/distribution/digest"
-	distreference "github.com/docker/distribution/reference"
-)
-
-const (
-	// DefaultTag defines the default tag used when performing images related actions and no tag or digest is specified
-	DefaultTag = "latest"
-	// DefaultHostname is the default built-in hostname
-	DefaultHostname = "docker.io"
-	// LegacyDefaultHostname is automatically converted to DefaultHostname
-	LegacyDefaultHostname = "index.docker.io"
-	// DefaultRepoPrefix is the prefix used for default repositories in default host
-	DefaultRepoPrefix = "library/"
-)
-
-// Named is an object with a full name
-type Named interface {
-	// Name returns normalized repository name, like "ubuntu".
-	Name() string
-	// String returns full reference, like "ubuntu@sha256:abcdef..."
-	String() string
-	// FullName returns full repository name with hostname, like "docker.io/library/ubuntu"
-	FullName() string
-	// Hostname returns hostname for the reference, like "docker.io"
-	Hostname() string
-	// RemoteName returns the repository component of the full name, like "library/ubuntu"
-	RemoteName() string
-}
-
-// NamedTagged is an object including a name and tag.
-type NamedTagged interface {
-	Named
-	Tag() string
-}
-
-// Canonical reference is an object with a fully unique
-// name including a name with hostname and digest
-type Canonical interface {
-	Named
-	Digest() digest.Digest
-}
-
-// ParseNamed parses s and returns a syntactically valid reference implementing
-// the Named interface. The reference must have a name, otherwise an error is
-// returned.
-// If an error was encountered it is returned, along with a nil Reference.
-func ParseNamed(s string) (Named, error) {
-	named, err := distreference.ParseNamed(s)
-	if err != nil {
-		return nil, fmt.Errorf("Error parsing reference: %q is not a valid repository/tag", s)
-	}
-	r, err := WithName(named.Name())
-	if err != nil {
-		return nil, err
-	}
-	if canonical, isCanonical := named.(distreference.Canonical); isCanonical {
-		return WithDigest(r, canonical.Digest())
-	}
-	if tagged, isTagged := named.(distreference.NamedTagged); isTagged {
-		return WithTag(r, tagged.Tag())
-	}
-	return r, nil
-}
-
-// WithName returns a named object representing the given string. If the input
-// is invalid ErrReferenceInvalidFormat will be returned.
-func WithName(name string) (Named, error) {
-	name, err := normalize(name)
-	if err != nil {
-		return nil, err
-	}
-	if err := validateName(name); err != nil {
-		return nil, err
-	}
-	r, err := distreference.WithName(name)
-	if err != nil {
-		return nil, err
-	}
-	return &namedRef{r}, nil
-}
-
-// WithTag combines the name from "name" and the tag from "tag" to form a
-// reference incorporating both the name and the tag.
-func WithTag(name Named, tag string) (NamedTagged, error) {
-	r, err := distreference.WithTag(name, tag)
-	if err != nil {
-		return nil, err
-	}
-	return &taggedRef{namedRef{r}}, nil
-}
-
-// WithDigest combines the name from "name" and the digest from "digest" to form
-// a reference incorporating both the name and the digest.
-func WithDigest(name Named, digest digest.Digest) (Canonical, error) {
-	r, err := distreference.WithDigest(name, digest)
-	if err != nil {
-		return nil, err
-	}
-	return &canonicalRef{namedRef{r}}, nil
-}
-
-type namedRef struct {
-	distreference.Named
-}
-type taggedRef struct {
-	namedRef
-}
-type canonicalRef struct {
-	namedRef
-}
-
-func (r *namedRef) FullName() string {
-	hostname, remoteName := splitHostname(r.Name())
-	return hostname + "/" + remoteName
-}
-func (r *namedRef) Hostname() string {
-	hostname, _ := splitHostname(r.Name())
-	return hostname
-}
-func (r *namedRef) RemoteName() string {
-	_, remoteName := splitHostname(r.Name())
-	return remoteName
-}
-func (r *taggedRef) Tag() string {
-	return r.namedRef.Named.(distreference.NamedTagged).Tag()
-}
-func (r *canonicalRef) Digest() digest.Digest {
-	return r.namedRef.Named.(distreference.Canonical).Digest()
-}
-
-// WithDefaultTag adds a default tag to a reference if it only has a repo name.
-func WithDefaultTag(ref Named) Named {
-	if IsNameOnly(ref) {
-		ref, _ = WithTag(ref, DefaultTag)
-	}
-	return ref
-}
-
-// IsNameOnly returns true if reference only contains a repo name.
-func IsNameOnly(ref Named) bool {
-	if _, ok := ref.(NamedTagged); ok {
-		return false
-	}
-	if _, ok := ref.(Canonical); ok {
-		return false
-	}
-	return true
-}
-
-// splitHostname splits a repository name to hostname and remotename string.
-// If no valid hostname is found, the default hostname is used. Repository name
-// needs to be already validated before.
-func splitHostname(name string) (hostname, remoteName string) {
-	i := strings.IndexRune(name, '/')
-	if i == -1 || (!strings.ContainsAny(name[:i], ".:") && name[:i] != "localhost") {
-		hostname, remoteName = DefaultHostname, name
-	} else {
-		hostname, remoteName = name[:i], name[i+1:]
-	}
-	if hostname == LegacyDefaultHostname {
-		hostname = DefaultHostname
-	}
-	if hostname == DefaultHostname && !strings.ContainsRune(remoteName, '/') {
-		remoteName = DefaultRepoPrefix + remoteName
-	}
-	return
-}
-
-// normalize returns a repository name in its normalized form, meaning it
-// will not contain default hostname nor library/ prefix for official images.
-func normalize(name string) (string, error) {
-	host, remoteName := splitHostname(name)
-	if strings.ToLower(remoteName) != remoteName {
-		return "", errors.New("invalid reference format: repository name must be lowercase")
-	}
-	if host == DefaultHostname {
-		if strings.HasPrefix(remoteName, DefaultRepoPrefix) {
-			return strings.TrimPrefix(remoteName, DefaultRepoPrefix), nil
-		}
-		return remoteName, nil
-	}
-	return name, nil
-}
-
-// EDIT FROM DOCKER/DOCKER TO NOT IMPORT IMAGE.V1
-
-func validateName(name string) error {
-	if err := ValidateIDV1(name); err == nil {
-		return fmt.Errorf("Invalid repository name (%s), cannot specify 64-byte hexadecimal strings", name)
-	}
-	return nil
-}
-
-var validHex = regexp.MustCompile(`^([a-f0-9]{64})$`)
-
-// ValidateIDV1 checks whether an ID string is a valid image ID.
-func ValidateIDV1(id string) error {
-	if ok := validHex.MatchString(id); !ok {
-		return fmt.Errorf("image ID %q is invalid", id)
-	}
-	return nil
-}
--- a/signature/docker.go
+++ b/signature/docker.go
@@ -1,43 +0,0 @@
-// Note: Consider the API unstable until the code supports at least three different image formats or transports.
-
-package signature
-
-import (
-	"fmt"
-
-	"github.com/projectatomic/skopeo/docker/utils"
-)
-
-// SignDockerManifest returns a signature for manifest as the specified dockerReference,
-// using mech and keyIdentity.
-func SignDockerManifest(manifest []byte, dockerReference string, mech SigningMechanism, keyIdentity string) ([]byte, error) {
-	manifestDigest, err := utils.ManifestDigest(manifest)
-	if err != nil {
-		return nil, err
-	}
-	sig := privateSignature{
-		Signature{
-			DockerManifestDigest: manifestDigest,
-			DockerReference:      dockerReference,
-		},
-	}
-	return sig.sign(mech, keyIdentity)
-}
-
-// VerifyDockerManifestSignature checks that unverifiedSignature uses expectedKeyIdentity to sign unverifiedManifest as expectedDockerReference,
-// using mech.
-func VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest []byte,
-	expectedDockerReference string, mech SigningMechanism, expectedKeyIdentity string) (*Signature, error) {
-	expectedManifestDigest, err := utils.ManifestDigest(unverifiedManifest)
-	if err != nil {
-		return nil, err
-	}
-	sig, err := verifyAndExtractSignature(mech, unverifiedSignature, expectedKeyIdentity, expectedDockerReference)
-	if err != nil {
-		return nil, err
-	}
-	if sig.DockerManifestDigest != expectedManifestDigest {
-		return nil, InvalidSignatureError{msg: fmt.Sprintf("Docker manifest digest %s does not match %s", sig.DockerManifestDigest, expectedManifestDigest)}
-	}
-	return sig, nil
-}
--- a/signature/docker_test.go
+++ b/signature/docker_test.go
@@ -1,79 +0,0 @@
-package signature
-
-import (
-	"io/ioutil"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestSignDockerManifest(t *testing.T) {
-	mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
-	require.NoError(t, err)
-	manifest, err := ioutil.ReadFile("fixtures/image.manifest.json")
-	require.NoError(t, err)
-
-	// Successful signing
-	signature, err := SignDockerManifest(manifest, TestImageSignatureReference, mech, TestKeyFingerprint)
-	require.NoError(t, err)
-
-	verified, err := VerifyDockerManifestSignature(signature, manifest, TestImageSignatureReference, mech, TestKeyFingerprint)
-	assert.NoError(t, err)
-	assert.Equal(t, TestImageSignatureReference, verified.DockerReference)
-	assert.Equal(t, TestImageManifestDigest, verified.DockerManifestDigest)
-
-	// Error computing Docker manifest
-	invalidManifest, err := ioutil.ReadFile("fixtures/v2s1-invalid-signatures.manifest.json")
-	require.NoError(t, err)
-	_, err = SignDockerManifest(invalidManifest, TestImageSignatureReference, mech, TestKeyFingerprint)
-	assert.Error(t, err)
-
-	// Error creating blob to sign
-	_, err = SignDockerManifest(manifest, "", mech, TestKeyFingerprint)
-	assert.Error(t, err)
-
-	// Error signing
-	_, err = SignDockerManifest(manifest, TestImageSignatureReference, mech, "this fingerprint doesn't exist")
-	assert.Error(t, err)
-}
-
-func TestVerifyDockerManifestSignature(t *testing.T) {
-	mech, err := newGPGSigningMechanismInDirectory(testGPGHomeDirectory)
-	require.NoError(t, err)
-	manifest, err := ioutil.ReadFile("fixtures/image.manifest.json")
-	require.NoError(t, err)
-	signature, err := ioutil.ReadFile("fixtures/image.signature")
-	require.NoError(t, err)
-
-	// Successful verification
-	sig, err := VerifyDockerManifestSignature(signature, manifest, TestImageSignatureReference, mech, TestKeyFingerprint)
-	require.NoError(t, err)
-	assert.Equal(t, TestImageSignatureReference, sig.DockerReference)
-	assert.Equal(t, TestImageManifestDigest, sig.DockerManifestDigest)
-
-	// For extra paranoia, test that we return nil data on error.
-
-	// Error computing Docker manifest
-	invalidManifest, err := ioutil.ReadFile("fixtures/v2s1-invalid-signatures.manifest.json")
-	require.NoError(t, err)
-	sig, err = VerifyDockerManifestSignature(signature, invalidManifest, TestImageSignatureReference, mech, TestKeyFingerprint)
-	assert.Error(t, err)
-	assert.Nil(t, sig)
-
-	// Error verifying signature
-	corruptSignature, err := ioutil.ReadFile("fixtures/corrupt.signature")
-	sig, err = VerifyDockerManifestSignature(corruptSignature, manifest, TestImageSignatureReference, mech, TestKeyFingerprint)
-	assert.Error(t, err)
-	assert.Nil(t, sig)
-
-	// Key fingerprint mismatch
-	sig, err = VerifyDockerManifestSignature(signature, manifest, TestImageSignatureReference, mech, "unexpected fingerprint")
-	assert.Error(t, err)
-	assert.Nil(t, sig)
-
-	// Docker manifest digest mismatch
-	sig, err = VerifyDockerManifestSignature(signature, []byte("unexpected manifest"), TestImageSignatureReference, mech, TestKeyFingerprint)
-	assert.Error(t, err)
-	assert.Nil(t, sig)
-}
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				{"architecture":"amd64","config":{"Hostname":"59c20544b2f4","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"59c20544b2f4ad7a8639433bacb1ec215b7dad4a7bf1a83b5ab4679329a46c1d","container_config":{"Hostname":"59c20544b2f4","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /"],"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"created":"2016-09-19T18:23:54.9949213Z","docker_version":"1.10.3","history":[{"created":"2016-09-19T18:23:54.9949213Z","created_by":"/bin/sh -c #(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /"}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"]}}