bump version to 0.1.15

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

.gitignore

@@ -1,2 +1,3 @@
-skopeo
-skopeo.1
+/docs/skopeo.1
+/layers-*
+/skopeo

.travis.yml

@@ -1,19 +1,10 @@
----
-  language: go
-  sudo: false
-  notifications:
-    email: false
-  env:
-    global:
-    - GO15VENDOREXPERIMENT=1
-  go:
-    - 1.5
-    - tip
-  install:
-    - go get github.com/golang/lint/golint
-  script:
-    - go vet .
-    - test -z "$(golint . | tee /dev/stderr)"
-    - test -z "$(gofmt -s -l . | tee /dev/stderr)"
-    - go build -o skopeo .
-    - go test -v .
+sudo: required
+
+services:
+  - docker
+
+notifications:
+  email: false
+
+script:
+  - make check

CONTRIBUTING.md

@@ -0,0 +1,142 @@
+# Contributing to Skopeo
+
+We'd love to have you join the community! Below summarizes the processes
+that we follow.
+
+## Topics
+
+* [Reporting Issues](#reporting-issues)
+* [Submitting Pull Requests](#submitting-pull-requests)
+* [Communications](#communications)
+* [Becomign a Maintainer](#becoming-a-maintainer)
+
+## Reporting Issues
+
+Before reporting an issue, check our backlog of 
+[open issues](https://github.com/projectatomic/skopeo/issues)
+to see if someone else has already reported it. If so, feel free to add
+your scenario, or additional information, to the discussion. Or simply 
+"subscribe" to it to be notified when it is updated.
+
+If you find a new issue with the project we'd love to hear about it! The most
+important aspect of a bug report is that it includes enough information for
+us to reproduce it. So, please include as much detail as possible and try
+to remove the extra stuff that doesn't really relate to the issue itself.
+The easier it is for us to reproduce it, the faster it'll be fixed!
+
+Please don't include any private/sensitive information in your issue!
+
+## Submitting Pull Requests
+
+No Pull Request (PR) is too small! Typos, additional comments in the code,
+new testcases, bug fixes, new features, more documentation, ... it's all 
+welcome!
+
+While bug fixes can first be identified via an "issue", that is not required.
+It's ok to just open up a PR with the fix, but make sure you include the same
+information you would have included in an issue - like how to reproduce it.
+
+PRs for new features should include some background on what use cases the
+new code is trying to address. And, when possible and it makes, try to break-up
+larger PRs into smaller ones - it's easier to review smaller
+code changes. But, only if those smaller ones make sense as stand-alone PRs.
+
+Regardless of the type of PR, all PRs should include:
+* well documented code changes
+* additional testcases. Ideally, they should fail w/o your code change applied
+* documentation changes
+
+Squash your commits into logical pieces of work that might want to be reviewed
+separate from the rest of the PRs. But, squashing down to just one commit is ok
+too since in the end the entire PR will be reviewed anyway. When in doubt, 
+squash.
+
+PRs that fix issues should include a reference like `Closes #XXXX` in the
+commit message so that github will automatically close the referenced issue
+when the PR is merged.
+
+<!--
+All PRs require at least two LGTMs (Looks Good To Me) from maintainers.
+-->
+
+### Sign your PRs
+
+The sign-off is a line at the end of the explanation for the patch. Your
+signature certifies that you wrote the patch or otherwise have the right to pass
+it on as an open-source patch. The rules are simple: if you can certify
+the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use your real name (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+## Communications
+
+For general questions, or dicsussions, please use the 
+IRC group on `irc.freenode.net` called `container-projects`
+that has been setup.
+
+For discussions around issues/bugs and features, you can use the github
+[issues](https://github.com/projectatomic/skopeo/issues)
+and
+[PRs](https://github.com/projectatomic/skopeo/pulls)
+tracking system.
+
+<!--
+## Becoming a Maintainer
+
+To become a maintainer you must first be nominated by an existing maintainer.
+If a majority (>50%) of maintainers agree then the proposal is adopted and
+you will be added to the list.
+
+Removing a maintainer requires at least 75% of the remaining maintainers
+approval, or if the person requests to be removed then it is automatic.
+Normally, a maintainer will only be removed if they are considered to be
+inactive for a long period of time or are viewed as disruptive to the community.
+
+The current list of maintainers can be found in the 
+[MAINTAINERS](MAINTAINERS) file.
+-->

Dockerfile

@@ -0,0 +1,58 @@
+FROM fedora
+
+RUN dnf -y update && dnf install -y make git golang golang-github-cpuguy83-go-md2man \
+	# gpgme bindings deps
+	libassuan-devel gpgme-devel \
+	gnupg \
+	# registry v1 deps
+	xz-devel \
+	python-devel \
+	python-pip \
+	swig \
+	redhat-rpm-config \
+	openssl-devel \
+	patch
+
+# Install three versions of the registry. The first is an older version that
+# only supports schema1 manifests. The second is a newer version that supports
+# both. This allows integration-cli tests to cover push/pull with both schema1
+# and schema2 manifests. Install registry v1 also.
+ENV REGISTRY_COMMIT_SCHEMA1 ec87e9b6971d831f0eff752ddb54fb64693e51cd
+ENV REGISTRY_COMMIT 47a064d4195a9b56133891bbb13620c3ac83a827
+RUN set -x \
+	&& export GOPATH="$(mktemp -d)" \
+	&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \
+	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \
+	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
+		go build -o /usr/local/bin/registry-v2 github.com/docker/distribution/cmd/registry \
+	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1") \
+	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
+		go build -o /usr/local/bin/registry-v2-schema1 github.com/docker/distribution/cmd/registry \
+	&& rm -rf "$GOPATH" \
+	&& export DRV1="$(mktemp -d)" \
+	&& git clone https://github.com/docker/docker-registry.git "$DRV1" \
+	# no need for setuptools since we have a version conflict with fedora
+	&& sed -i.bak s/setuptools==5.8//g "$DRV1/requirements/main.txt" \
+	&& sed -i.bak s/setuptools==5.8//g "$DRV1/depends/docker-registry-core/requirements/main.txt" \
+	&& pip install "$DRV1/depends/docker-registry-core" \
+	&& pip install file://"$DRV1#egg=docker-registry[bugsnag,newrelic,cors]" \
+	&& patch $(python -c 'import boto; import os; print os.path.dirname(boto.__file__)')/connection.py \
+		< "$DRV1/contrib/boto_header_patch.diff" \
+	&& dnf -y update && dnf install -y m2crypto
+
+RUN set -x \
+	&& yum install -y which git tar wget hostname util-linux bsdtar socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs xfsprogs lsof docker iproute \
+	&& export GOPATH=$(mktemp -d) \
+	&& git clone -b v1.3.0-alpha.3 git://github.com/openshift/origin "$GOPATH/src/github.com/openshift/origin" \
+	&& (cd "$GOPATH/src/github.com/openshift/origin" && make clean build && make all WHAT=cmd/dockerregistry) \
+	&& cp -a "$GOPATH/src/github.com/openshift/origin/_output/local/bin/linux"/*/* /usr/local/bin \
+	&& cp "$GOPATH/src/github.com/openshift/origin/images/dockerregistry/config.yml" /atomic-registry-config.yml \
+	&& mkdir /registry
+
+ENV GOPATH /usr/share/gocode:/go
+ENV PATH $GOPATH/bin:/usr/share/gocode/bin:$PATH
+RUN go get github.com/golang/lint/golint
+WORKDIR /go/src/github.com/projectatomic/skopeo
+COPY . /go/src/github.com/projectatomic/skopeo
+
+#ENTRYPOINT ["hack/dind"]

Dockerfile.build

@@ -0,0 +1,5 @@
+FROM ubuntu:16.04
+RUN apt-get update
+RUN apt-get install -y golang git-core libgpgme11-dev
+ENV GOPATH=/
+WORKDIR /src/github.com/projectatomic/skopeo

LICENSE

@@ -1,20 +1,189 @@
-Copyright (c) 2016 Antonio Murdaca <runcom@redhat.com>
 
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
 
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

Makefile

@@ -1,17 +1,100 @@
+.PHONY: all binary build-container build-local clean install install-binary install-completions shell test-integration
+
 export GO15VENDOREXPERIMENT=1
 
-BINDIR=${DESTDIR}/usr/bin/
-MANDIR=${DESTDIR}/usr/share/man
+PREFIX ?= ${DESTDIR}/usr
+INSTALLDIR=${PREFIX}/bin
+MANINSTALLDIR=${PREFIX}/share/man
+CONTAINERSSYSCONFIGDIR=${DESTDIR}/etc/containers
+REGISTRIESDDIR=${CONTAINERSSYSCONFIGDIR}/registries.d
+BASHINSTALLDIR=${PREFIX}/share/bash-completion/completions
+GO_MD2MAN ?= /usr/bin/go-md2man
 
-all:
-	go build -o skopeo .
-	go-md2man -in man/skopeo.1.md -out skopeo.1
+ifeq ($(DEBUG), 1)
+  override GOGCFLAGS += -N -l
+endif
 
-install:
-	install -d -m 0755 ${BINDIR}
-	install -m 755 skopeo ${BINDIR}
-	install -m 644 skopeo.1 ${MANDIR}/man1/
+GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
+DOCKER_IMAGE := skopeo-dev$(if $(GIT_BRANCH),:$(GIT_BRANCH))
+# set env like gobuildtag?
+DOCKER_FLAGS := docker run --rm -i #$(DOCKER_ENVS)
+# if this session isn't interactive, then we don't want to allocate a
+# TTY, which would fail, but if it is interactive, we do want to attach
+# so that the user can send e.g. ^C through.
+INTERACTIVE := $(shell [ -t 0 ] && echo 1 || echo 0)
+ifeq ($(INTERACTIVE), 1)
+	DOCKER_FLAGS += -t
+endif
+DOCKER_RUN_DOCKER := $(DOCKER_FLAGS) "$(DOCKER_IMAGE)"
+
+GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null || true)
+
+MANPAGES_MD = $(wildcard docs/*.md)
+
+#   make all DEBUG=1
+#     Note: Uses the -N -l go compiler options to disable compiler optimizations
+#           and inlining. Using these build options allows you to subsequently
+#           use source debugging tools like delve.
+all: binary docs
+
+# Build a docker image (skopeobuild) that has everything we need to build.
+# Then do the build and the output (skopeo) should appear in current dir
+binary: cmd/skopeo
+	docker build ${DOCKER_BUILD_ARGS} -f Dockerfile.build -t skopeobuildimage .
+	docker run --rm --security-opt label:disable -v $$(pwd):/src/github.com/projectatomic/skopeo \
+		skopeobuildimage make binary-local $(if $(DEBUG),DEBUG=$(DEBUG))
+
+# Build w/o using Docker containers
+binary-local:
+	go build -ldflags "-X main.gitCommit=${GIT_COMMIT}" -gcflags "$(GOGCFLAGS)" -o skopeo ./cmd/skopeo
+
+
+build-container:
+	docker build ${DOCKER_BUILD_ARGS} -t "$(DOCKER_IMAGE)" .
+
+docs/%.1: docs/%.1.md
+	$(GO_MD2MAN) -in $< -out $@.tmp && touch $@.tmp && mv $@.tmp $@
+
+.PHONY: docs
+docs: $(MANPAGES_MD:%.md=%)
 
 clean:
-	rm -f skopeo
-	rm -f skopeo.1
+	rm -f skopeo docs/*.1
+
+install: install-binary install-docs install-completions
+	install -D -m 644 default-policy.json ${CONTAINERSSYSCONFIGDIR}/policy.json
+	install -d -m 755 ${REGISTRIESDDIR}
+
+install-binary: ./skopeo
+	install -D -m 755 skopeo ${INSTALLDIR}/skopeo
+
+install-docs: docs/skopeo.1
+	install -D -m 644 docs/skopeo.1 ${MANINSTALLDIR}/man1/skopeo.1
+
+install-completions:
+	install -m 644 -D hack/make/bash_autocomplete ${BASHINSTALLDIR}/skopeo
+
+shell: build-container
+	$(DOCKER_RUN_DOCKER) bash
+
+check: validate test-unit test-integration
+
+# The tests can run out of entropy and block in containers, so replace /dev/random.
+test-integration: build-container
+	$(DOCKER_RUN_DOCKER) bash -c 'rm -f /dev/random; ln -sf /dev/urandom /dev/random; SKOPEO_CONTAINER_TESTS=1 hack/make.sh test-integration'
+
+test-unit: build-container
+	# Just call (make test unit-local) here instead of worrying about environment differences, e.g. GO15VENDOREXPERIMENT.
+	$(DOCKER_RUN_DOCKER) make test-unit-local
+
+validate: build-container
+	$(DOCKER_RUN_DOCKER) hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+
+# This target is only intended for development, e.g. executing it from an IDE. Use (make test) for CI or pre-release testing.
+test-all-local: validate-local test-unit-local
+
+validate-local:
+	hack/make.sh validate-git-marks validate-gofmt validate-lint validate-vet
+
+test-unit-local:
+	go test $$(go list -e ./... | grep -v '^github\.com/projectatomic/skopeo/\(integration\|vendor/.*\)$$')

README.md

@@ -1,45 +1,68 @@
-skopeo [![Build Status](https://travis-ci.org/runcom/skopeo.svg?branch=master)](https://travis-ci.org/runcom/skopeo)
+skopeo [![Build Status](https://travis-ci.org/projectatomic/skopeo.svg?branch=master)](https://travis-ci.org/projectatomic/skopeo)
 =
 
-_Please be aware `skopeo` is still work in progress_
+_Please be aware `skopeo` is still work in progress and it currently supports only registry API V2_
 
-`skopeo` is a command line utility which is able to _inspect_ a repository on a Docker registry.
+`skopeo` is a command line utility for various operations on container images and image repositories.
+
+Inspecting a repository
+-
+`skopeo` is able to _inspect_ a repository on a Docker registry and fetch images layers.
 By _inspect_ I mean it fetches the repository's manifest and it is able to show you a `docker inspect`-like
-json output about a whole repository or a tag. This tool, in constrast to `docker inspect`, helps you gather useful information about
+json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about
 a repository or a tag before pulling it (using disk space) - e.g. - which tags are available for the given repository? which labels the image has?
 
 Examples:
 ```sh
-# show repository's labels of rhel7:latest
-$ skopeo registry.access.redhat.com/rhel7 | jq '.Config.Labels'
+# show properties of fedora:latest
+$ skopeo inspect docker://docker.io/fedora
 {
-  "Architecture": "x86_64",
-  "Authoritative_Registry": "registry.access.redhat.com",
-  "BZComponent": "rhel-server-docker",
-  "Build_Host": "rcm-img04.build.eng.bos.redhat.com",
-  "Name": "rhel7/rhel",
-  "Release": "38",
-  "Vendor": "Red Hat, Inc.",
-  "Version": "7.2"
+    "Name": "docker.io/library/fedora",
+    "Tag": "latest",
+    "Digest": "sha256:cfd8f071bf8da7a466748f522406f7ae5908d002af1b1a1c0dcf893e183e5b32",
+    "RepoTags": [
+        "20",
+        "21",
+        "22",
+        "23",
+        "heisenbug",
+        "latest",
+        "rawhide"
+    ],
+    "Created": "2016-03-04T18:40:02.92155334Z",
+    "DockerVersion": "1.9.1",
+    "Labels": {},
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:236608c7b546e2f4e7223526c74fc71470ba06d46ec82aeb402e704bfdee02a2",
+        "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+    ]
 }
 
-# show repository's tags
-$ skopeo docker.io/fedora | jq '.RepoTags'
-[
-  "20",
-  "21",
-  "22",
-  "23",
-  "heisenbug",
-  "latest",
-  "rawhide"
-]
-
-# show image's digest
-$ skopeo docker.io/fedora:rawhide | jq '.Digest'
+# show unverifed image's digest
+$ skopeo inspect docker://docker.io/fedora:rawhide | jq '.Digest'
 "sha256:905b4846938c8aef94f52f3e41a11398ae5b40f5855fb0e40ed9c157e721d7f8"
 ```
 
+Copying images
+-
+`skopeo` can copy container images between various storage mechanisms,
+e.g. Docker registries (including the Docker Hub), the Atomic Registry,
+and local directories:
+
+```sh
+$ skopeo copy docker://busybox:1-glibc atomic:myns/unsigned:streaming
+$ skopeo copy docker://busybox:latest dir:existingemptydirectory
+```
+
+Deleting images
+-
+For example,
+```sh
+$ skopeo delete docker://localhost:5000/imagename:latest
+```
+
 Private registries with authentication
 -
 When interacting with private registries, `skopeo` first looks for the Docker's cli config file (usually located at `$HOME/.docker/config.json`) to get the credentials needed to authenticate. When the file isn't available it falls back looking for `--username` and `--password` flags. The ultimate fallback, as Docker does, is to provide an empty authentication when interacting with those registries.
@@ -61,24 +84,15 @@ $ cat /home/runcom/.docker/config.json
 }
 
 # we can see I'm already authenticated via docker login so everything will be fine
-$ skopeo myregistrydomain.com:5000/busybox
+$ skopeo inspect docker://myregistrydomain.com:5000/busybox
 {"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
 
 # let's try now to fake a non existent Docker's config file
-$ skopeo --docker-cfg="" myregistrydomain.com:5000/busybox
-INFO[0000] Docker cli config file not found: stat : no such file or directory, falling back to --username and --password
-FATA[0000] unable to ping registry endpoint http://myregistrydomain.com:5000/v0/
-v2 ping attempt failed with error: Get http://myregistrydomain.com:5000/v2/: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
- v1 ping attempt failed with error: Get http://myregistrydomain.com:5000/v1/_ping: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
+$ skopeo --docker-cfg="" inspect docker://myregistrydomain.com:5000/busybox
+FATA[0000] Get https://myregistrydomain.com:5000/v2/busybox/manifests/latest: no basic auth credentials
 
-# we can see the cli config isn't found so it looks for --username and --password
-# but because I didn't provide them I can't auth to the registry and I receive the above error
-INFO[0000] Docker cli config file not found: stat : no such file or directory, falling back to --username and --password
-
-# passing --username and --password - we can see that everything goes fine despite an info showing
-# cli config can't be found
-$ skopeo --docker-cfg="" --username=testuser --password=testpassword myregistrydomain.com:5000/busybox
-INFO[0000] Docker cli config file not found: stat : no such file or directory, falling back to --username and --password
+# passing --username and --password - we can see that everything goes fine
+$ skopeo --docker-cfg="" --username=testuser --password=testpassword inspect docker://myregistrydomain.com:5000/busybox
 {"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
 ```
 If your cli config is found but it doesn't contain the necessary credentials for the queried registry
@@ -86,19 +100,38 @@ you'll get an error. You can fix this by either logging in (via `docker login`)
 and `--password`.
 Building
 -
+To build the manual you will need go-md2man.
 ```sh
-$ git clone https://github.com/runcom/skopeo
-$ make
+$ sudo apt-get install go-md2man
+```
+To build the `skopeo` binary you need at least Go 1.5 because it uses the latest `GO15VENDOREXPERIMENT` flag. Also, make sure to clone the repository in your `GOPATH` - otherwise compilation fails.  
+```sh
+$ git clone https://github.com/projectatomic/skopeo $GOPATH/src/github.com/projectatomic/skopeo
+$ cd $GOPATH/src/github.com/projectatomic/skopeo && make all
+```
+
+You may need to install additional development packages: gpgme-devel and libassuan-devel
+```sh
+$ dnf install gpgme-devel libassuan-devel
 ```
 Installing
 -
+If you built from source:
 ```sh
 $ sudo make install
 ```
+`skopeo` is also available from Fedora 23:
+```sh
+sudo dnf install skopeo
+```
 TODO
 -
+- list all images on registry?
+- registry v2 search?
+- support output to docker load tar(s)
 - show repo tags via flag or when reference isn't tagged or digested
 - add tests (integration with deployed registries in container - Docker-like)
+- support rkt/appc image spec
 
 NOT TODO
 -
@@ -106,4 +139,5 @@ NOT TODO
 
 License
 -
-MIT
+skopeo is licensed under the Apache License, Version 2.0. See
+[LICENSE](LICENSE) for the full license text.

cmd/skopeo/cgo_pthread_ordering_workaround.go

@@ -0,0 +1,32 @@
+package main
+
+/*
+This is a pretty horrible workaround.  Due to a glibc bug
+https://bugzilla.redhat.com/show_bug.cgi?id=1326903 , we must ensure we link
+with -lgpgme before -lpthread.  Such arguments come from various packages
+using cgo, and the ordering of these arguments is, with current (go tool link),
+dependent on the order in which the cgo-using packages are found in a
+breadth-first search following dependencies, starting from “main”.
+
+Thus, if
+   import "net"
+is processed before
+   import "…/skopeo/signature"
+it will, in the next level of the BFS, pull in "runtime/cgo" (a dependency of
+"net") before "mtrmac/gpgme" (a dependency of "…/skopeo/signature"), causing
+-lpthread (used by "runtime/cgo") to be used before -lgpgme.
+
+This might be possible to work around by careful import ordering, or by removing
+a direct dependency on "net", but that would be very fragile.
+
+So, until the above bug is fixed, add -lgpgme directly in the "main" package
+to ensure the needed build order.
+
+Unfortunately, this workaround needs to be applied at the top level of any user
+of "…/skopeo/signature"; it cannot be added to "…/skopeo/signature" itself,
+by that time this package is first processed by the linker, a -lpthread may
+already be queued and it would be too late.
+*/
+
+// #cgo LDFLAGS: -lgpgme
+import "C"

cmd/skopeo/copy.go

@@ -0,0 +1,58 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/containers/image/copy"
+	"github.com/containers/image/transports"
+	"github.com/urfave/cli"
+)
+
+func copyHandler(context *cli.Context) error {
+	if len(context.Args()) != 2 {
+		return errors.New("Usage: copy source destination")
+	}
+
+	policyContext, err := getPolicyContext(context)
+	if err != nil {
+		return fmt.Errorf("Error loading trust policy: %v", err)
+	}
+	defer policyContext.Destroy()
+
+	srcRef, err := transports.ParseImageName(context.Args()[0])
+	if err != nil {
+		return fmt.Errorf("Invalid source name %s: %v", context.Args()[0], err)
+	}
+	destRef, err := transports.ParseImageName(context.Args()[1])
+	if err != nil {
+		return fmt.Errorf("Invalid destination name %s: %v", context.Args()[1], err)
+	}
+	signBy := context.String("sign-by")
+	removeSignatures := context.Bool("remove-signatures")
+
+	return copy.Image(contextFromGlobalOptions(context), policyContext, destRef, srcRef, &copy.Options{
+		RemoveSignatures: removeSignatures,
+		SignBy:           signBy,
+		ReportWriter:     os.Stdout,
+	})
+}
+
+var copyCmd = cli.Command{
+	Name:      "copy",
+	Usage:     "Copy an image from one location to another",
+	ArgsUsage: "SOURCE-IMAGE DESTINATION-IMAGE",
+	Action:    copyHandler,
+	// FIXME: Do we need to namespace the GPG aspect?
+	Flags: []cli.Flag{
+		cli.BoolFlag{
+			Name:  "remove-signatures",
+			Usage: "Do not copy signatures from SOURCE-IMAGE",
+		},
+		cli.StringFlag{
+			Name:  "sign-by",
+			Usage: "Sign the image using a GPG key with the specified `FINGERPRINT`",
+		},
+	},
+}

cmd/skopeo/delete.go

@@ -0,0 +1,32 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/containers/image/transports"
+	"github.com/urfave/cli"
+)
+
+func deleteHandler(context *cli.Context) error {
+	if len(context.Args()) != 1 {
+		return errors.New("Usage: delete imageReference")
+	}
+
+	ref, err := transports.ParseImageName(context.Args()[0])
+	if err != nil {
+		return fmt.Errorf("Invalid source name %s: %v", context.Args()[0], err)
+	}
+
+	if err := ref.DeleteImage(contextFromGlobalOptions(context)); err != nil {
+		return err
+	}
+	return nil
+}
+
+var deleteCmd = cli.Command{
+	Name:      "delete",
+	Usage:     "Delete image IMAGE-NAME",
+	ArgsUsage: "IMAGE-NAME",
+	Action:    deleteHandler,
+}

cmd/skopeo/fixtures/.gitignore

@@ -0,0 +1,4 @@
+/*.gpg~
+/.gpg-v21-migrated
+/private-keys-v1.d
+/random_seed

cmd/skopeo/fixtures/image.manifest.json

@@ -0,0 +1,26 @@
+{
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "config": {
+        "mediaType": "application/vnd.docker.container.image.v1+json",
+        "size": 7023,
+        "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
+    },
+    "layers": [
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 32654,
+            "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 16724,
+            "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 73109,
+            "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
+        }
+    ]
+}

cmd/skopeo/fixtures/v2s1-invalid-signatures.manifest.json

@@ -0,0 +1,11 @@
+{
+   "schemaVersion": 1,
+   "name": "mitr/buxybox",
+   "tag": "latest",
+   "architecture": "amd64",
+   "fsLayers": [
+   ],
+   "history": [
+   ],
+   "signatures": 1
+}

cmd/skopeo/inspect.go

@@ -0,0 +1,89 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/containers/image/docker"
+	"github.com/containers/image/manifest"
+	"github.com/urfave/cli"
+)
+
+// inspectOutput is the output format of (skopeo inspect), primarily so that we can format it with a simple json.MarshalIndent.
+type inspectOutput struct {
+	Name          string `json:",omitempty"`
+	Tag           string `json:",omitempty"`
+	Digest        string
+	RepoTags      []string
+	Created       time.Time
+	DockerVersion string
+	Labels        map[string]string
+	Architecture  string
+	Os            string
+	Layers        []string
+}
+
+var inspectCmd = cli.Command{
+	Name:      "inspect",
+	Usage:     "Inspect image IMAGE-NAME",
+	ArgsUsage: "IMAGE-NAME",
+	Flags: []cli.Flag{
+		cli.BoolFlag{
+			Name:  "raw",
+			Usage: "output raw manifest",
+		},
+	},
+	Action: func(c *cli.Context) error {
+		img, err := parseImage(c)
+		if err != nil {
+			return err
+		}
+		defer img.Close()
+
+		rawManifest, _, err := img.Manifest()
+		if err != nil {
+			return err
+		}
+		if c.Bool("raw") {
+			_, err := c.App.Writer.Write(rawManifest)
+			if err != nil {
+				return fmt.Errorf("Error writing manifest to standard output: %v", err)
+			}
+			return nil
+		}
+		imgInspect, err := img.Inspect()
+		if err != nil {
+			return err
+		}
+		outputData := inspectOutput{
+			Name: "", // Possibly overridden for a docker.Image.
+			Tag:  imgInspect.Tag,
+			// Digest is set below.
+			RepoTags:      []string{}, // Possibly overriden for a docker.Image.
+			Created:       imgInspect.Created,
+			DockerVersion: imgInspect.DockerVersion,
+			Labels:        imgInspect.Labels,
+			Architecture:  imgInspect.Architecture,
+			Os:            imgInspect.Os,
+			Layers:        imgInspect.Layers,
+		}
+		outputData.Digest, err = manifest.Digest(rawManifest)
+		if err != nil {
+			return fmt.Errorf("Error computing manifest digest: %v", err)
+		}
+		if dockerImg, ok := img.(*docker.Image); ok {
+			outputData.Name = dockerImg.SourceRefFullName()
+			outputData.RepoTags, err = dockerImg.GetRepositoryTags()
+			if err != nil {
+				return fmt.Errorf("Error determining repository tags: %v", err)
+			}
+		}
+		out, err := json.MarshalIndent(outputData, "", "    ")
+		if err != nil {
+			return err
+		}
+		fmt.Fprintln(c.App.Writer, string(out))
+		return nil
+	},
+}

cmd/skopeo/layers.go

@@ -0,0 +1,97 @@
+package main
+
+import (
+	"io/ioutil"
+	"strings"
+
+	"github.com/containers/image/directory"
+	"github.com/containers/image/image"
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+	"github.com/urfave/cli"
+)
+
+// TODO(runcom): document args and usage
+var layersCmd = cli.Command{
+	Name:      "layers",
+	Usage:     "Get layers of IMAGE-NAME",
+	ArgsUsage: "IMAGE-NAME",
+	Action: func(c *cli.Context) error {
+		rawSource, err := parseImageSource(c, c.Args()[0], []string{
+			// TODO: skopeo layers only support these now
+			// eventually we'll remove this command altogether...
+			manifest.DockerV2Schema1SignedMediaType,
+			manifest.DockerV2Schema1MediaType,
+		})
+		if err != nil {
+			return err
+		}
+		src := image.FromSource(rawSource)
+		defer src.Close()
+
+		blobDigests := c.Args().Tail()
+		if len(blobDigests) == 0 {
+			layers, err := src.LayerInfos()
+			if err != nil {
+				return err
+			}
+			seenLayers := map[string]struct{}{}
+			for _, info := range layers {
+				if _, ok := seenLayers[info.Digest]; !ok {
+					blobDigests = append(blobDigests, info.Digest)
+					seenLayers[info.Digest] = struct{}{}
+				}
+			}
+			configInfo, err := src.ConfigInfo()
+			if err != nil {
+				return err
+			}
+			if configInfo.Digest != "" {
+				blobDigests = append(blobDigests, configInfo.Digest)
+			}
+		}
+
+		tmpDir, err := ioutil.TempDir(".", "layers-")
+		if err != nil {
+			return err
+		}
+		tmpDirRef, err := directory.NewReference(tmpDir)
+		if err != nil {
+			return err
+		}
+		dest, err := tmpDirRef.NewImageDestination(nil)
+		if err != nil {
+			return err
+		}
+		defer dest.Close()
+
+		for _, digest := range blobDigests {
+			if !strings.HasPrefix(digest, "sha256:") {
+				digest = "sha256:" + digest
+			}
+			r, blobSize, err := rawSource.GetBlob(digest)
+			if err != nil {
+				return err
+			}
+			if _, err := dest.PutBlob(r, types.BlobInfo{Digest: digest, Size: blobSize}); err != nil {
+				r.Close()
+				return err
+			}
+			r.Close()
+		}
+
+		manifest, _, err := src.Manifest()
+		if err != nil {
+			return err
+		}
+		if err := dest.PutManifest(manifest); err != nil {
+			return err
+		}
+
+		if err := dest.Commit(); err != nil {
+			return err
+		}
+
+		return nil
+	},
+}

cmd/skopeo/main.go

@@ -0,0 +1,104 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/signature"
+	"github.com/projectatomic/skopeo/version"
+	"github.com/urfave/cli"
+)
+
+// gitCommit will be the hash that the binary was built from
+// and will be populated by the Makefile
+var gitCommit = ""
+
+// createApp returns a cli.App to be run or tested.
+func createApp() *cli.App {
+	app := cli.NewApp()
+	app.EnableBashCompletion = true
+	app.Name = "skopeo"
+	if gitCommit != "" {
+		app.Version = fmt.Sprintf("%s commit: %s", version.Version, gitCommit)
+	} else {
+		app.Version = version.Version
+	}
+	app.Usage = "Various operations with container images and container image registries"
+	// TODO(runcom)
+	//app.EnableBashCompletion = true
+	app.Flags = []cli.Flag{
+		cli.BoolFlag{
+			Name:  "debug",
+			Usage: "enable debug output",
+		},
+		cli.StringFlag{
+			Name:  "username",
+			Value: "",
+			Usage: "use `USERNAME` for accessing the registry",
+		},
+		cli.StringFlag{
+			Name:  "password",
+			Value: "",
+			Usage: "use `PASSWORD` for accessing the registry",
+		},
+		cli.StringFlag{
+			Name:  "cert-path",
+			Value: "",
+			Usage: "use certificates at `PATH` (cert.pem, key.pem) to connect to the registry",
+		},
+		cli.BoolTFlag{
+			Name:  "tls-verify",
+			Usage: "require HTTPS and verify certificates when talking to docker registries (defaults to true)",
+		},
+		cli.StringFlag{
+			Name:  "policy",
+			Value: "",
+			Usage: "Path to a trust policy file",
+		},
+		cli.StringFlag{
+			Name:  "registries.d",
+			Value: "",
+			Usage: "use registry configuration files in `DIR` (e.g. for docker signature storage)",
+		},
+	}
+	app.Before = func(c *cli.Context) error {
+		if c.GlobalBool("debug") {
+			logrus.SetLevel(logrus.DebugLevel)
+		}
+		return nil
+	}
+	app.Commands = []cli.Command{
+		copyCmd,
+		inspectCmd,
+		layersCmd,
+		deleteCmd,
+		manifestDigestCmd,
+		standaloneSignCmd,
+		standaloneVerifyCmd,
+	}
+	return app
+}
+
+func main() {
+	app := createApp()
+	if err := app.Run(os.Args); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// getPolicyContext handles the global "policy" flag.
+func getPolicyContext(c *cli.Context) (*signature.PolicyContext, error) {
+	policyPath := c.GlobalString("policy")
+	var policy *signature.Policy // This could be cached across calls, if we had an application context.
+	var err error
+	if policyPath == "" {
+		policy, err = signature.DefaultPolicy(nil)
+	} else {
+		policy, err = signature.NewPolicyFromFile(policyPath)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return signature.NewPolicyContext(policy)
+}

cmd/skopeo/main_test.go

@@ -0,0 +1,14 @@
+package main
+
+import "bytes"
+
+// runSkopeo creates an app object and runs it with args, with an implied first "skopeo".
+// Returns output intended for stdout and the returned error, if any.
+func runSkopeo(args ...string) (string, error) {
+	app := createApp()
+	stdout := bytes.Buffer{}
+	app.Writer = &stdout
+	args = append([]string{"skopeo"}, args...)
+	err := app.Run(args)
+	return stdout.String(), err
+}

cmd/skopeo/manifest.go

@@ -0,0 +1,35 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/containers/image/manifest"
+	"github.com/urfave/cli"
+)
+
+func manifestDigest(context *cli.Context) error {
+	if len(context.Args()) != 1 {
+		return errors.New("Usage: skopeo manifest-digest manifest")
+	}
+	manifestPath := context.Args()[0]
+
+	man, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+	}
+	digest, err := manifest.Digest(man)
+	if err != nil {
+		return fmt.Errorf("Error computing digest: %v", err)
+	}
+	fmt.Fprintf(context.App.Writer, "%s\n", digest)
+	return nil
+}
+
+var manifestDigestCmd = cli.Command{
+	Name:      "manifest-digest",
+	Usage:     "Compute a manifest digest of a file",
+	ArgsUsage: "MANIFEST",
+	Action:    manifestDigest,
+}

cmd/skopeo/manifest_test.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestManifestDigest(t *testing.T) {
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+	} {
+		out, err := runSkopeo(append([]string{"manifest-digest"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("manifest-digest", "/this/doesnt/exist")
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error computing manifest
+	out, err = runSkopeo("manifest-digest", "fixtures/v2s1-invalid-signatures.manifest.json")
+	assertTestFailed(t, out, err, "computing digest")
+
+	// Success
+	out, err = runSkopeo("manifest-digest", "fixtures/image.manifest.json")
+	assert.NoError(t, err)
+	assert.Equal(t, fixturesTestImageManifestDigest+"\n", out)
+}

cmd/skopeo/signing.go

@@ -0,0 +1,90 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/containers/image/signature"
+	"github.com/urfave/cli"
+)
+
+func standaloneSign(context *cli.Context) error {
+	outputFile := context.String("output")
+	if len(context.Args()) != 3 || outputFile == "" {
+		return errors.New("Usage: skopeo standalone-sign manifest docker-reference key-fingerprint -o signature")
+	}
+	manifestPath := context.Args()[0]
+	dockerReference := context.Args()[1]
+	fingerprint := context.Args()[2]
+
+	manifest, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading %s: %v", manifestPath, err)
+	}
+
+	mech, err := signature.NewGPGSigningMechanism()
+	if err != nil {
+		return fmt.Errorf("Error initializing GPG: %v", err)
+	}
+	signature, err := signature.SignDockerManifest(manifest, dockerReference, mech, fingerprint)
+	if err != nil {
+		return fmt.Errorf("Error creating signature: %v", err)
+	}
+
+	if err := ioutil.WriteFile(outputFile, signature, 0644); err != nil {
+		return fmt.Errorf("Error writing signature to %s: %v", outputFile, err)
+	}
+	return nil
+}
+
+var standaloneSignCmd = cli.Command{
+	Name:      "standalone-sign",
+	Usage:     "Create a signature using local files",
+	ArgsUsage: "MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT",
+	Action:    standaloneSign,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "output, o",
+			Usage: "output the signature to `SIGNATURE`",
+		},
+	},
+}
+
+func standaloneVerify(context *cli.Context) error {
+	if len(context.Args()) != 4 {
+		return errors.New("Usage: skopeo standalone-verify manifest docker-reference key-fingerprint signature")
+	}
+	manifestPath := context.Args()[0]
+	expectedDockerReference := context.Args()[1]
+	expectedFingerprint := context.Args()[2]
+	signaturePath := context.Args()[3]
+
+	unverifiedManifest, err := ioutil.ReadFile(manifestPath)
+	if err != nil {
+		return fmt.Errorf("Error reading manifest from %s: %v", manifestPath, err)
+	}
+	unverifiedSignature, err := ioutil.ReadFile(signaturePath)
+	if err != nil {
+		return fmt.Errorf("Error reading signature from %s: %v", signaturePath, err)
+	}
+
+	mech, err := signature.NewGPGSigningMechanism()
+	if err != nil {
+		return fmt.Errorf("Error initializing GPG: %v", err)
+	}
+	sig, err := signature.VerifyDockerManifestSignature(unverifiedSignature, unverifiedManifest, expectedDockerReference, mech, expectedFingerprint)
+	if err != nil {
+		return fmt.Errorf("Error verifying signature: %v", err)
+	}
+
+	fmt.Fprintf(context.App.Writer, "Signature verified, digest %s\n", sig.DockerManifestDigest)
+	return nil
+}
+
+var standaloneVerifyCmd = cli.Command{
+	Name:      "standalone-verify",
+	Usage:     "Verify a signature using local files",
+	ArgsUsage: "MANIFEST DOCKER-REFERENCE KEY-FINGERPRINT SIGNATURE",
+	Action:    standaloneVerify,
+}

cmd/skopeo/signing_test.go

@@ -0,0 +1,126 @@
+package main
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/containers/image/signature"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	// fixturesTestImageManifestDigest is the Docker manifest digest of "image.manifest.json"
+	fixturesTestImageManifestDigest = "sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55"
+	// fixturesTestKeyFingerprint is the fingerprint of the private key.
+	fixturesTestKeyFingerprint = "1D8230F6CDB6A06716E414C1DB72F2188BB46CC8"
+)
+
+// Test that results of runSkopeo failed with nothing on stdout, and substring
+// within the error message.
+func assertTestFailed(t *testing.T, stdout string, err error, substring string) {
+	assert.Error(t, err)
+	assert.Empty(t, stdout)
+	assert.Contains(t, err.Error(), substring)
+}
+
+func TestStandaloneSign(t *testing.T) {
+	manifestPath := "fixtures/image.manifest.json"
+	dockerReference := "testing/manifest"
+	os.Setenv("GNUPGHOME", "fixtures")
+	defer os.Unsetenv("GNUPGHOME")
+
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2"},
+		{"a1", "a2", "a3"},
+		{"a1", "a2", "a3", "a4"},
+		{"-o", "o", "a1", "a2"},
+		{"-o", "o", "a1", "a2", "a3", "a4"},
+	} {
+		out, err := runSkopeo(append([]string{"standalone-sign"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("standalone-sign", "-o", "/dev/null",
+		"/this/doesnt/exist", dockerReference, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Invalid Docker reference
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/null",
+		manifestPath, "" /* empty reference */, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "empty signature content")
+
+	// Unknown key. (FIXME? The error is 'Error creating signature: End of file")
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/null",
+		manifestPath, dockerReference, "UNKNOWN GPG FINGERPRINT")
+	assert.Error(t, err)
+	assert.Empty(t, out)
+
+	// Error writing output
+	out, err = runSkopeo("standalone-sign", "-o", "/dev/full",
+		manifestPath, dockerReference, fixturesTestKeyFingerprint)
+	assertTestFailed(t, out, err, "/dev/full")
+
+	// Success
+	sigOutput, err := ioutil.TempFile("", "sig")
+	require.NoError(t, err)
+	defer os.Remove(sigOutput.Name())
+	out, err = runSkopeo("standalone-sign", "-o", sigOutput.Name(),
+		manifestPath, dockerReference, fixturesTestKeyFingerprint)
+	assert.NoError(t, err)
+	assert.Empty(t, out)
+
+	sig, err := ioutil.ReadFile(sigOutput.Name())
+	require.NoError(t, err)
+	manifest, err := ioutil.ReadFile(manifestPath)
+	require.NoError(t, err)
+	mech, err := signature.NewGPGSigningMechanism()
+	require.NoError(t, err)
+	verified, err := signature.VerifyDockerManifestSignature(sig, manifest, dockerReference, mech, fixturesTestKeyFingerprint)
+	assert.NoError(t, err)
+	assert.Equal(t, dockerReference, verified.DockerReference)
+	assert.Equal(t, fixturesTestImageManifestDigest, verified.DockerManifestDigest)
+}
+
+func TestStandaloneVerify(t *testing.T) {
+	manifestPath := "fixtures/image.manifest.json"
+	signaturePath := "fixtures/image.signature"
+	dockerReference := "testing/manifest"
+	os.Setenv("GNUPGHOME", "fixtures")
+	defer os.Unsetenv("GNUPGHOME")
+
+	// Invalid command-line arguments
+	for _, args := range [][]string{
+		{},
+		{"a1", "a2", "a3"},
+		{"a1", "a2", "a3", "a4", "a5"},
+	} {
+		out, err := runSkopeo(append([]string{"standalone-verify"}, args...)...)
+		assertTestFailed(t, out, err, "Usage")
+	}
+
+	// Error reading manifest
+	out, err := runSkopeo("standalone-verify", "/this/doesnt/exist",
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error reading signature
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, "/this/doesnt/exist")
+	assertTestFailed(t, out, err, "/this/doesnt/exist")
+
+	// Error verifying signature
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, "fixtures/corrupt.signature")
+	assertTestFailed(t, out, err, "Error verifying signature")
+
+	// Success
+	out, err = runSkopeo("standalone-verify", manifestPath,
+		dockerReference, fixturesTestKeyFingerprint, signaturePath)
+	assert.NoError(t, err)
+	assert.Equal(t, "Signature verified, digest "+fixturesTestImageManifestDigest+"\n", out)
+}

cmd/skopeo/utils.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+	"github.com/urfave/cli"
+)
+
+// contextFromGlobalOptions returns a types.SystemContext depending on c.
+func contextFromGlobalOptions(c *cli.Context) *types.SystemContext {
+	tlsVerify := c.GlobalBoolT("tls-verify")
+	return &types.SystemContext{
+		RegistriesDirPath:           c.GlobalString("registries.d"),
+		DockerCertPath:              c.GlobalString("cert-path"),
+		DockerInsecureSkipTLSVerify: !tlsVerify,
+	}
+}
+
+// ParseImage converts image URL-like string to an initialized handler for that image.
+// The caller must call .Close() on the returned Image.
+func parseImage(c *cli.Context) (types.Image, error) {
+	imgName := c.Args().First()
+	ref, err := transports.ParseImageName(imgName)
+	if err != nil {
+		return nil, err
+	}
+	return ref.NewImage(contextFromGlobalOptions(c))
+}
+
+// parseImageSource converts image URL-like string to an ImageSource.
+// requestedManifestMIMETypes is as in types.ImageReference.NewImageSource.
+// The caller must call .Close() on the returned ImageSource.
+func parseImageSource(c *cli.Context, name string, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	ref, err := transports.ParseImageName(name)
+	if err != nil {
+		return nil, err
+	}
+	return ref.NewImageSource(contextFromGlobalOptions(c), requestedManifestMIMETypes)
+}

default-policy.json

@@ -0,0 +1,7 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ]
+}

docs/skopeo.1.md

@@ -0,0 +1,230 @@
+% SKOPEO(1) Skopeo Man Pages
+% Jhon Honce
+% August 2016
+# NAME
+skopeo -- Various operations with container images images and container image registries
+# SYNOPSIS
+**skopeo** [_global options_] _command_ [_command options_]
+# DESCRIPTION
+`skopeo` is a command line utility providing various operations with container images and container image registries. For example, it is able to inspect a repository on a Docker registry and fetch image. It fetches the repository's manifest and it is able to show you a `docker inspect`-like json output about a whole repository or a tag. This tool, in contrast to `docker inspect`, helps you gather useful information about a repository or a tag without requiring you to run `docker pull` - e.g. - which tags are available for the given repository? which labels the image has?
+
+It also allows you to copy container images between various registries, possibly converting them as necessary, and to sign and verify images.
+## IMAGE NAMES
+Most commands refer to container images, using a _transport_`:`_details_ format. The following formats are supported:
+
+  **atomic:**_namespace_**/**_stream_**:**_tag_
+  An image in the current project of the current default Atomic
+  Registry. The current project and Atomic Registry instance are by
+  default read from `$HOME/.kube/config`, which is set e.g. using
+  `(oc login)`.
+
+  **dir:**_path_
+  An existing local directory _path_ storing the manifest, layer
+  tarballs and signatures as individual files. This is a
+  non-standardized format, primarily useful for debugging or
+  noninvasive container inspection.
+
+  **docker://**_docker-reference_
+  An image in a registry implementing the "Docker Registry HTTP API V2".
+  By default, uses the authorization state in `$HOME/.docker/config.json`,
+  which is set e.g. using `(docker login)`.
+
+  **oci:**_path_**:**_tag_
+  An image _tag_ in a directory compliant with "Open Container Image
+  Layout Specification" at _path_.
+
+# OPTIONS
+
+  **--debug** enable debug output
+
+  **--username** _username_ for accessing  the registry
+
+  **--password** _password_ for accessing the registry
+
+  **--cert-path** _path_ Use certificates at _path_ (cert.pem, key.pem) to connect to the registry
+
+  **--policy** _path-to-policy_ Path to a policy.json file to use for verifying signatures and deciding whether an image is trusted, overriding the default trust policy file.
+
+  **--registries.d** _dir_ use registry configuration files in _dir_ (e.g. for docker signature storage), overriding the default path.
+
+  **--tls-verify** _bool-value_ Require HTTPS and verify certificates when talking to docker registries (defaults to true)
+
+  **--help**|**-h** Show help
+
+  **--version**|**-v** print the version number
+
+# COMMANDS
+
+## skopeo copy
+**skopeo copy** [**--sign-by=**_key-ID_] _source-image destination-image_
+
+Copy an image (manifest, filesystem layers, signatures) from one location to another.
+
+Uses the system's trust policy to validate images, rejects images not trusted by the policy.
+
+  _source-image_ use the "image name" format described above
+
+  _destination-image_ use the "image name" format described above
+
+  **--remove-signatures** do not copy signatures, if any, from _source-image_. Necessary when copying a signed image to a destination which does not support signatures.
+
+  **--sign-by=**_key-id_ add a signature using that key ID for an image name corresponding to _destination-image_
+
+Existing signatures, if any, are preserved as well.
+
+## skopeo delete
+**skopeo delete** _image-name_
+
+Mark _image-name_ for deletion.  To release the allocated disk space, you need to execute the docker registry garabage collector. E.g.,
+
+```sh
+$ docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml
+```
+
+Additionally, the registry must allow deletions by setting `REGISTRY_STORAGE_DELETE_ENABLED=true` for the registry daemon.
+
+## skopeo inspect
+**skopeo inspect** [**--raw**] _image-name_
+
+Return low-level information about _image-name_ in a registry
+
+  **--raw** output raw manifest, default is to format in JSON
+
+  _image-name_ name of image to retrieve information about
+
+## skopeo layers
+**skopeo layers** _image-name_
+
+Get image layers of _image-name_
+
+  _image-name_ name of the image to retrieve layers
+
+## skopeo manifest-digest
+**skopeo manifest-digest** _manifest-file_
+
+Compute a manifest digest of _manifest-file_ and write it to standard output.
+
+## skopeo standalone-sign
+**skopeo standalone-sign** _manifest docker-reference key-fingerprint_ **--output**|**-o** _signature_
+
+This is primarily a debugging tool, or useful for special cases,
+and usually should not be a part of your normal operational workflow; use `skopeo copy --sign-by` instead to publish and sign an image in one step.
+
+  _manifest_ Path to a file containing the image manifest
+
+  _docker-reference_ A docker reference to identify the image with
+
+  _key-fingerprint_ Key identity to use for signing
+
+  **--output**|**-o** output file
+
+## skopeo standalone-verify
+**skopeo standalone-verify** _manifest docker-reference key-fingerprint signature_
+
+Verify a signature using local files, digest will be printed on success.
+
+  _manifest_ Path to a file containing the image manifest
+
+  _docker-reference_ A docker reference expected to identify the image in the signature
+
+  _key-fingerprint_ Expected identity of the signing key
+
+  _signature_ Path to signature file
+
+**Note:** If you do use this, make sure that the image can not be changed at the source location between the times of its verification and use.
+
+## skopeo help
+show help for `skopeo`
+
+# FILES
+  **/etc/containers/policy.json**
+  Default trust policy file, if **--policy** is not specified.
+  The policy format is documented in https://github.com/containers/image/blob/master/docs/policy.json.md .
+
+  **/etc/containers/registries.d**
+  Default directory containing registry configuration, if **--registries.d** is not specified.
+  The contents of this directory are documented in https://github.com/containers/image/blob/master/docs/registries.d.md .
+
+# EXAMPLES
+
+## skopeo copy
+To copy the layers of the docker.io busybox image to a local directory:
+```sh
+$ mkdir -p /var/lib/images/busybox
+$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
+$ ls /var/lib/images/busybox/*
+  /tmp/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
+  /tmp/busybox/manifest.json
+  /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
+```
+
+To copy and sign an image:
+
+```sh
+$ skopeo copy --sign-by dev@example.com atomic:example/busybox:streaming atomic:example/busybox:gold
+```
+## skopeo delete
+Mark image example/pause for deletion from the registry.example.com registry:
+```sh
+$ skopeo delete --force docker://registry.example.com/example/pause:latest
+```
+See above for additional details on using the command **delete**.
+
+## skopeo inspect
+To review information for the image fedora from the docker.io registry:
+```sh
+$ skopeo inspect docker://docker.io/fedora
+{
+    "Name": "docker.io/library/fedora",
+    "Digest": "sha256:a97914edb6ba15deb5c5acf87bd6bd5b6b0408c96f48a5cbd450b5b04509bb7d",
+    "RepoTags": [
+        "20",
+        "21",
+        "22",
+        "23",
+        "24",
+        "heisenbug",
+        "latest",
+        "rawhide"
+    ],
+    "Created": "2016-06-20T19:33:43.220526898Z",
+    "DockerVersion": "1.10.3",
+    "Labels": {},
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Layers": [
+        "sha256:7c91a140e7a1025c3bc3aace4c80c0d9933ac4ee24b8630a6b0b5d8b9ce6b9d4"
+    ]
+}
+```
+## skopeo layers
+Another method to retrieve the layers for the busybox image from the docker.io registry:
+```sh
+$ skopeo layers docker://busybox
+$ ls layers-500650331/
+  8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
+  manifest.json
+  a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4.tar
+```
+## skopeo manifest-digest
+```sh
+$ skopeo manifest-digest manifest.json
+sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
+```
+## skopeo standalone-sign
+```sh
+$ skopeo standalone-sign busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 --output busybox.signature
+$
+```
+
+See `skopeo copy` above for the preferred method of signing images.
+## skopeo standalone-verify
+```sh
+$ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8  busybox.signature
+Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
+```
+
+# AUTHORS
+
+Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>
+

hack/.vendor-helpers.sh

@@ -1,15 +1,22 @@
 #!/usr/bin/env bash
 
-PROJECT=github.com/runcom/skopeo
+PROJECT=github.com/projectatomic/skopeo
 
 # Downloads dependencies into vendor/ directory
 mkdir -p vendor
 
-export GOPATH="$GOPATH:${PWD}/vendor"
+original_GOPATH=$GOPATH
+export GOPATH="${PWD}/vendor:$GOPATH"
 
 find="/usr/bin/find"
 
 clone() {
+	local delete_vendor=true
+	if [ "x$1" = x--keep-vendor ]; then
+		delete_vendor=false
+		shift
+	fi
+
 	local vcs="$1"
 	local pkg="$2"
 	local rev="$3"
@@ -29,7 +36,7 @@ clone() {
 	case "$vcs" in
 		git)
 			git clone --quiet --no-checkout "$url" "$target"
-			( cd "$target" && git checkout --quiet "$rev" && git reset --quiet --hard "$rev" )
+			( cd "$target" && git checkout --quiet "$rev" && git reset --quiet --hard "$rev" -- )
 			;;
 		hg)
 			hg clone --quiet --updaterev "$rev" "$url" "$target"
@@ -39,16 +46,18 @@ clone() {
 	echo -n 'rm VCS, '
 	( cd "$target" && rm -rf .{git,hg} )
 
-	echo -n 'rm vendor, '
-	( cd "$target" && rm -rf vendor Godeps/_workspace )
+	if $delete_vendor; then
+		echo -n 'rm vendor, '
+		( cd "$target" && rm -rf vendor Godeps/_workspace )
+	fi
 
 	echo done
 }
 
 clean() {
-	local packages=(
-		"${PROJECT}" # package main
-	)
+	# If $GOPATH starts with ./vendor, (go list) shows the short-form import paths for packages inside ./vendor.
+	# So, reset GOPATH to the external value (without ./vendor), so that the grep -v works.
+	local packages=($(GOPATH=$original_GOPATH go list -e ./... | grep -v "^${PROJECT}/vendor"))
 	local platforms=( linux/amd64 linux/386 )
 
 	local buildTags=(  )
@@ -65,6 +74,10 @@ clean() {
 			go list -e -tags "$buildTags" -f '{{join .TestImports "\n"}}' "${packages[@]}"
 		done | grep -vE "^${PROJECT}" | sort -u
 	) )
+	# .TestImports does not include indirect dependencies, so do one more iteration.
+	imports+=( $(
+		go list -e -f '{{join .Deps "\n"}}' "${imports[@]}" | grep -vE "^${PROJECT}" | sort -u
+	) )
 	imports=( $(go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' "${imports[@]}") )
 	unset IFS
 

hack/make.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+set -e
+
+# This script builds various binary from a checkout of the skopeo
+# source code.
+#
+# Requirements:
+# - The current directory should be a checkout of the skopeo source code
+#   (https://github.com/projectatomic/skopeo). Whatever version is checked out
+#   will be built.
+# - The script is intended to be run inside the docker container specified
+#   in the Dockerfile at the root of the source. In other words:
+#   DO NOT CALL THIS SCRIPT DIRECTLY.
+# - The right way to call this script is to invoke "make" from
+#   your checkout of the skopeo repository.
+#   the Makefile will do a "docker build -t skopeo ." and then
+#   "docker run hack/make.sh" in the resulting image.
+#
+
+set -o pipefail
+
+export SKOPEO_PKG='github.com/projectatomic/skopeo'
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+export MAKEDIR="$SCRIPTDIR/make"
+
+# We're a nice, sexy, little shell script, and people might try to run us;
+# but really, they shouldn't. We want to be in a container!
+inContainer="AssumeSoInitially"
+if [ "$PWD" != "/go/src/$SKOPEO_PKG" ]; then
+	unset inContainer
+fi
+
+if [ -z "$inContainer" ]; then
+	{
+		echo "# WARNING! I don't seem to be running in a Docker container."
+		echo "# The result of this command might be an incorrect build, and will not be"
+		echo "# officially supported."
+		echo "#"
+		echo "# Try this instead: make all"
+		echo "#"
+	} >&2
+fi
+
+echo
+
+# List of bundles to create when no argument is passed
+# TODO(runcom): these are the one left from Docker...for now
+# test-unit
+# validate-dco
+# cover
+DEFAULT_BUNDLES=(
+	validate-gofmt
+	validate-lint
+	validate-vet
+	validate-git-marks
+
+	test-integration
+)
+
+TESTFLAGS+=" -test.timeout=10m"
+
+# If $TESTFLAGS is set in the environment, it is passed as extra arguments to 'go test'.
+# You can use this to select certain tests to run, eg.
+#
+#     TESTFLAGS='-test.run ^TestBuild$' ./hack/make.sh test-unit
+#
+# For integration-cli test, we use [gocheck](https://labix.org/gocheck), if you want
+# to run certain tests on your local host, you should run with command:
+#
+#     TESTFLAGS='-check.f DockerSuite.TestBuild*' ./hack/make.sh binary test-integration-cli
+#
+go_test_dir() {
+	dir=$1
+	(
+		echo '+ go test' $TESTFLAGS "${SKOPEO_PKG}${dir#.}"
+		cd "$dir"
+		export DEST="$ABS_DEST" # we're in a subshell, so this is safe -- our integration-cli tests need DEST, and "cd" screws it up
+		go test $TESTFLAGS
+	)
+}
+
+bundle() {
+	local bundle="$1"; shift
+	echo "---> Making bundle: $(basename "$bundle")"
+	source "$SCRIPTDIR/make/$bundle" "$@"
+}
+
+main() {
+	if [ $# -lt 1 ]; then
+		bundles=(${DEFAULT_BUNDLES[@]})
+	else
+		bundles=($@)
+	fi
+	for bundle in ${bundles[@]}; do
+		bundle "$bundle"
+		echo
+	done
+}
+
+main "$@"

hack/make/.validate

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [ -z "$VALIDATE_UPSTREAM" ]; then
+	# this is kind of an expensive check, so let's not do this twice if we
+	# are running more than one validate bundlescript
+	
+	VALIDATE_REPO='https://github.com/projectatomic/skopeo.git'
+	VALIDATE_BRANCH='master'
+	
+	if [ "$TRAVIS" = 'true' -a "$TRAVIS_PULL_REQUEST" != 'false' ]; then
+		VALIDATE_REPO="https://github.com/${TRAVIS_REPO_SLUG}.git"
+		VALIDATE_BRANCH="${TRAVIS_BRANCH}"
+	fi
+	
+	VALIDATE_HEAD="$(git rev-parse --verify HEAD)"
+	
+	git fetch -q "$VALIDATE_REPO" "refs/heads/$VALIDATE_BRANCH"
+	VALIDATE_UPSTREAM="$(git rev-parse --verify FETCH_HEAD)"
+	
+	VALIDATE_COMMIT_LOG="$VALIDATE_UPSTREAM..$VALIDATE_HEAD"
+	VALIDATE_COMMIT_DIFF="$VALIDATE_UPSTREAM...$VALIDATE_HEAD"
+	
+	validate_diff() {
+		git diff "$VALIDATE_UPSTREAM" "$@"
+	}
+	validate_log() {
+		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then
+			git log "$VALIDATE_COMMIT_LOG" "$@"
+		fi
+	}
+fi

hack/make/bash_autocomplete

@@ -0,0 +1,14 @@
+#! /bin/bash
+
+: ${PROG:=$(basename ${BASH_SOURCE})}
+
+_cli_bash_autocomplete() {
+     local cur opts base
+     COMPREPLY=()
+     cur="${COMP_WORDS[COMP_CWORD]}"
+     opts=$( ${COMP_WORDS[@]:0:$COMP_CWORD} --generate-bash-completion )
+     COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
+     return 0
+ }
+
+ complete -F _cli_bash_autocomplete $PROG

hack/make/test-integration

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+bundle_test_integration() {
+	TESTFLAGS="$TESTFLAGS -check.v"
+	go_test_dir ./integration
+}
+
+# subshell so that we can export PATH without breaking other things
+(
+	make binary-local
+	make install
+	export GO15VENDOREXPERIMENT=1
+	bundle_test_integration
+) 2>&1

hack/make/validate-git-marks

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+source "$(dirname "$BASH_SOURCE")/.validate"
+
+# folders=$(find * -type d | egrep -v '^Godeps|bundles|.git')
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- '*' | grep -v '^vendor/' || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+    if [ $(grep -r "^<<<<<<<" $f) ]; then
+        badFiles+=( "$f" )
+        continue
+    fi
+
+    if [ $(grep -r "^>>>>>>>" $f) ]; then
+        badFiles+=( "$f" )
+        continue
+    fi
+
+    if [ $(grep -r "^=======$" $f) ]; then
+        badFiles+=( "$f" )
+        continue
+    fi
+    set -e
+done
+
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations!  There is no conflict.'
+else
+	{
+		echo "There is trace of conflict(s) in the following files :"
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+		echo 'Please fix the conflict(s) commit the result.'
+		echo
+	} >&2
+	false
+fi

hack/make/validate-gofmt

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+source "$(dirname "$BASH_SOURCE")/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+	if [ "$(gofmt -s -l < $f)" ]; then
+		badFiles+=( "$f" )
+	fi
+done
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations!  All Go source files are properly formatted.'
+else
+	{
+		echo "These files are not properly gofmt'd:"
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+		echo 'Please reformat the above files using "gofmt -s -w" and commit the result.'
+		echo
+	} >&2
+	false
+fi

hack/make/validate-lint

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+source "$(dirname "$BASH_SOURCE")/.validate"
+
+# We will eventually get to the point where packages should be the complete list
+# of subpackages, vendoring excluded, as given by:
+#
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/\|^integration' || true) )
+unset IFS
+
+errors=()
+for f in "${files[@]}"; do
+	failedLint=$(golint "$f")
+	if [ "$failedLint" ]; then
+		errors+=( "$failedLint" )
+	fi
+done
+
+if [ ${#errors[@]} -eq 0 ]; then
+	echo 'Congratulations!  All Go source files have been linted.'
+else
+	{
+		echo "Errors from golint:"
+		for err in "${errors[@]}"; do
+			echo "$err"
+		done
+		echo
+		echo 'Please fix the above errors. You can test via "golint" and commit the result.'
+		echo
+	} >&2
+	false
+fi

hack/make/validate-vet

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+source "$(dirname "$BASH_SOURCE")/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- '*.go' | grep -v '^vendor/' || true) )
+unset IFS
+
+errors=()
+for f in "${files[@]}"; do
+	failedVet=$(go vet "$f")
+	if [ "$failedVet" ]; then
+		errors+=( "$failedVet" )
+	fi
+done
+
+
+if [ ${#errors[@]} -eq 0 ]; then
+	echo 'Congratulations!  All Go source files have been vetted.'
+else
+	{
+		echo "Errors from go vet:"
+		for err in "${errors[@]}"; do
+			echo " - $err"
+		done
+		echo
+		echo 'Please fix the above errors. You can test via "go vet" and commit the result.'
+		echo
+	} >&2
+	false
+fi

hack/vendor.sh

@@ -5,19 +5,34 @@ cd "$(dirname "$BASH_SOURCE")/.."
 rm -rf vendor/
 source 'hack/.vendor-helpers.sh'
 
-clone git github.com/codegangsta/cli v1.2.0
-clone git github.com/Sirupsen/logrus v0.8.7 # logrus is a common dependency among multiple deps
-clone git github.com/docker/docker master
+clone git github.com/urfave/cli v1.17.0
+clone git github.com/containers/image master
+clone git gopkg.in/cheggaaa/pb.v1 ad4efe000aa550bb54918c06ebbadc0ff17687b9 https://github.com/cheggaaa/pb
+clone git github.com/Sirupsen/logrus v0.10.0
+clone git github.com/go-check/check v1
+clone git github.com/stretchr/testify v1.1.3
+clone git github.com/davecgh/go-spew master
+clone git github.com/pmezard/go-difflib master
+# docker deps from https://github.com/docker/docker/blob/v1.11.2/hack/vendor.sh
+clone git github.com/docker/docker v1.11.2
+clone git github.com/docker/engine-api v0.3.3
+clone git github.com/docker/go-connections v0.2.0
+clone git github.com/vbatts/tar-split v0.9.11
+clone git github.com/gorilla/context 14f550f51a
+clone git github.com/docker/go-units 651fc226e7441360384da338d0fd37f2440ffbe3
 clone git golang.org/x/net master https://github.com/golang/net.git
-clone git github.com/docker/engine-api master
-clone git github.com/docker/distribution v2.3.0-rc.1
-clone git github.com/docker/go-connections master
-clone git github.com/docker/go-units master
+# end docker deps
+clone git github.com/docker/distribution master
 clone git github.com/docker/libtrust master
 clone git github.com/opencontainers/runc master
-clone git github.com/vbatts/tar-split master
-clone git github.com/gorilla/mux master
-clone git github.com/gorilla/context master
+clone git github.com/opencontainers/image-spec master
+clone git github.com/mtrmac/gpgme master
+# openshift/origin' k8s dependencies as of OpenShift v1.1.5
+clone git github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed
+clone git k8s.io/kubernetes 4a3f9c5b19c7ff804cbc1bf37a15c044ca5d2353 https://github.com/openshift/kubernetes
+clone git github.com/ghodss/yaml 73d445a93680fa1a78ae23a5839bad48f32ba1ee
+clone git gopkg.in/yaml.v2 d466437aa4adc35830964cffc5b5f262c63ddcb4
+clone git github.com/imdario/mergo 6633656539c1639d9d78127b7d47c622b5d7b6dc
 
 clean
 

inspect.go

@@ -1,303 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
-	"github.com/docker/distribution/digest"
-	distreference "github.com/docker/distribution/reference"
-	"github.com/docker/docker/api"
-	"github.com/docker/docker/cliconfig"
-	"github.com/docker/docker/image"
-	versionPkg "github.com/docker/docker/pkg/version"
-	"github.com/docker/docker/reference"
-	"github.com/docker/docker/registry"
-	types "github.com/docker/engine-api/types"
-	containerTypes "github.com/docker/engine-api/types/container"
-	registryTypes "github.com/docker/engine-api/types/registry"
-	"golang.org/x/net/context"
-)
-
-// fallbackError wraps an error that can possibly allow fallback to a different
-// endpoint.
-type fallbackError struct {
-	// err is the error being wrapped.
-	err error
-	// confirmedV2 is set to true if it was confirmed that the registry
-	// supports the v2 protocol. This is used to limit fallbacks to the v1
-	// protocol.
-	confirmedV2 bool
-}
-
-// Error renders the FallbackError as a string.
-func (f fallbackError) Error() string {
-	return f.err.Error()
-}
-
-type manifestFetcher interface {
-	Fetch(ctx context.Context, ref reference.Named) (*imageInspect, error)
-}
-
-type imageInspect struct {
-	Tag             string
-	Digest          string
-	RepoTags        []string
-	Comment         string
-	Created         string
-	ContainerConfig *containerTypes.Config
-	DockerVersion   string
-	Author          string
-	Config          *containerTypes.Config
-	Architecture    string
-	Os              string
-}
-
-func validateName(name string) error {
-	distref, err := distreference.ParseNamed(name)
-	if err != nil {
-		return err
-	}
-	hostname, _ := distreference.SplitHostname(distref)
-	if hostname == "" {
-		return fmt.Errorf("Please use a fully qualified repository name")
-	}
-	return nil
-}
-
-func inspect(c *cli.Context) (*imageInspect, error) {
-	name := c.Args().First()
-	if err := validateName(name); err != nil {
-		return nil, err
-	}
-	ref, err := reference.ParseNamed(name)
-	if err != nil {
-		return nil, err
-	}
-	imgInspect, err := getData(c, ref)
-	if err != nil {
-		return nil, err
-	}
-	return imgInspect, nil
-}
-
-func getData(c *cli.Context, ref reference.Named) (*imageInspect, error) {
-	repoInfo, err := registry.ParseRepositoryInfo(ref)
-	if err != nil {
-		return nil, err
-	}
-	authConfig, err := getAuthConfig(c, repoInfo.Index)
-	if err != nil {
-		return nil, err
-	}
-	if err := validateRepoName(repoInfo.Name()); err != nil {
-		return nil, err
-	}
-	//options := &registry.Options{}
-	//options.Mirrors = opts.NewListOpts(nil)
-	//options.InsecureRegistries = opts.NewListOpts(nil)
-	//options.InsecureRegistries.Set("0.0.0.0/0")
-	//registryService := registry.NewService(options)
-	registryService := registry.NewService(nil)
-	//// TODO(runcom): hacky, provide a way of passing tls cert (flag?) to be used to lookup
-	//for _, ic := range registryService.Config.IndexConfigs {
-	//ic.Secure = false
-	//}
-
-	endpoints, err := registryService.LookupPullEndpoints(repoInfo)
-	if err != nil {
-		return nil, err
-	}
-
-	var (
-		ctx                    = context.Background()
-		lastErr                error
-		discardNoSupportErrors bool
-		imgInspect             *imageInspect
-		confirmedV2            bool
-	)
-
-	for _, endpoint := range endpoints {
-		// make sure I can reach the registry, same as docker pull does
-		v1endpoint, err := endpoint.ToV1Endpoint(nil)
-		if err != nil {
-			return nil, err
-		}
-		if _, err := v1endpoint.Ping(); err != nil {
-			if strings.Contains(err.Error(), "timeout") {
-				return nil, err
-			}
-			continue
-		}
-
-		if confirmedV2 && endpoint.Version == registry.APIVersion1 {
-			logrus.Debugf("Skipping v1 endpoint %s because v2 registry was detected", endpoint.URL)
-			continue
-		}
-		logrus.Debugf("Trying to fetch image manifest of %s repository from %s %s", repoInfo.Name(), endpoint.URL, endpoint.Version)
-
-		//fetcher, err := newManifestFetcher(endpoint, repoInfo, config)
-		fetcher, err := newManifestFetcher(endpoint, repoInfo, authConfig, registryService)
-		if err != nil {
-			lastErr = err
-			continue
-		}
-
-		if imgInspect, err = fetcher.Fetch(ctx, ref); err != nil {
-			// Was this fetch cancelled? If so, don't try to fall back.
-			fallback := false
-			select {
-			case <-ctx.Done():
-			default:
-				if fallbackErr, ok := err.(fallbackError); ok {
-					fallback = true
-					confirmedV2 = confirmedV2 || fallbackErr.confirmedV2
-					err = fallbackErr.err
-				}
-			}
-			if fallback {
-				if _, ok := err.(registry.ErrNoSupport); !ok {
-					// Because we found an error that's not ErrNoSupport, discard all subsequent ErrNoSupport errors.
-					discardNoSupportErrors = true
-					// save the current error
-					lastErr = err
-				} else if !discardNoSupportErrors {
-					// Save the ErrNoSupport error, because it's either the first error or all encountered errors
-					// were also ErrNoSupport errors.
-					lastErr = err
-				}
-				continue
-			}
-			logrus.Debugf("Not continuing with error: %v", err)
-			return nil, err
-		}
-
-		return imgInspect, nil
-	}
-
-	if lastErr == nil {
-		lastErr = fmt.Errorf("no endpoints found for %s", ref.String())
-	}
-
-	return nil, lastErr
-}
-
-func newManifestFetcher(endpoint registry.APIEndpoint, repoInfo *registry.RepositoryInfo, authConfig types.AuthConfig, registryService *registry.Service) (manifestFetcher, error) {
-	switch endpoint.Version {
-	case registry.APIVersion2:
-		return &v2ManifestFetcher{
-			endpoint:   endpoint,
-			authConfig: authConfig,
-			service:    registryService,
-			repoInfo:   repoInfo,
-		}, nil
-	case registry.APIVersion1:
-		return &v1ManifestFetcher{
-			endpoint:   endpoint,
-			authConfig: authConfig,
-			service:    registryService,
-			repoInfo:   repoInfo,
-		}, nil
-	}
-	return nil, fmt.Errorf("unknown version %d for registry %s", endpoint.Version, endpoint.URL)
-}
-
-func getAuthConfig(c *cli.Context, index *registryTypes.IndexInfo) (types.AuthConfig, error) {
-	var (
-		username = c.GlobalString("username")
-		password = c.GlobalString("password")
-		cfg      = c.GlobalString("docker-cfg")
-	)
-	if _, err := os.Stat(cfg); err != nil {
-		logrus.Infof("Docker cli config file %q not found: %v, falling back to --username and --password if needed", cfg, err)
-		return types.AuthConfig{
-			Username: username,
-			Password: password,
-			Email:    "stub@example.com",
-		}, nil
-	}
-	confFile, err := cliconfig.Load(cfg)
-	if err != nil {
-		return types.AuthConfig{}, err
-	}
-	authConfig := registry.ResolveAuthConfig(confFile.AuthConfigs, index)
-	logrus.Debugf("authConfig for %s: %v", index.Name, authConfig)
-
-	return authConfig, nil
-}
-
-func validateRepoName(name string) error {
-	if name == "" {
-		return fmt.Errorf("Repository name can't be empty")
-	}
-	if name == api.NoBaseImageSpecifier {
-		return fmt.Errorf("'%s' is a reserved name", api.NoBaseImageSpecifier)
-	}
-	return nil
-}
-
-func makeImageInspect(img *image.Image, tag string, dgst digest.Digest, tagList []string) *imageInspect {
-	var digest string
-	if err := dgst.Validate(); err == nil {
-		digest = dgst.String()
-	}
-	return &imageInspect{
-		Tag:             tag,
-		Digest:          digest,
-		RepoTags:        tagList,
-		Comment:         img.Comment,
-		Created:         img.Created.Format(time.RFC3339Nano),
-		ContainerConfig: &img.ContainerConfig,
-		DockerVersion:   img.DockerVersion,
-		Author:          img.Author,
-		Config:          img.Config,
-		Architecture:    img.Architecture,
-		Os:              img.OS,
-	}
-}
-
-func makeRawConfigFromV1Config(imageJSON []byte, rootfs *image.RootFS, history []image.History) (map[string]*json.RawMessage, error) {
-	var dver struct {
-		DockerVersion string `json:"docker_version"`
-	}
-
-	if err := json.Unmarshal(imageJSON, &dver); err != nil {
-		return nil, err
-	}
-
-	useFallback := versionPkg.Version(dver.DockerVersion).LessThan("1.8.3")
-
-	if useFallback {
-		var v1Image image.V1Image
-		err := json.Unmarshal(imageJSON, &v1Image)
-		if err != nil {
-			return nil, err
-		}
-		imageJSON, err = json.Marshal(v1Image)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	var c map[string]*json.RawMessage
-	if err := json.Unmarshal(imageJSON, &c); err != nil {
-		return nil, err
-	}
-
-	c["rootfs"] = rawJSON(rootfs)
-	c["history"] = rawJSON(history)
-
-	return c, nil
-}
-
-func rawJSON(value interface{}) *json.RawMessage {
-	jsonval, err := json.Marshal(value)
-	if err != nil {
-		return nil
-	}
-	return (*json.RawMessage)(&jsonval)
-}

inspect_v1.go

@@ -1,167 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/registry/client/transport"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/image/v1"
-	"github.com/docker/docker/reference"
-	"github.com/docker/docker/registry"
-	"github.com/docker/engine-api/types"
-	"golang.org/x/net/context"
-)
-
-type v1ManifestFetcher struct {
-	endpoint    registry.APIEndpoint
-	repoInfo    *registry.RepositoryInfo
-	repo        distribution.Repository
-	confirmedV2 bool
-	// wrap in a config?
-	authConfig types.AuthConfig
-	service    *registry.Service
-	session    *registry.Session
-}
-
-func (mf *v1ManifestFetcher) Fetch(ctx context.Context, ref reference.Named) (*imageInspect, error) {
-	var (
-		imgInspect *imageInspect
-	)
-	if _, isCanonical := ref.(reference.Canonical); isCanonical {
-		// Allowing fallback, because HTTPS v1 is before HTTP v2
-		return nil, fallbackError{err: registry.ErrNoSupport{errors.New("Cannot pull by digest with v1 registry")}}
-	}
-	tlsConfig, err := mf.service.TLSConfig(mf.repoInfo.Index.Name)
-	if err != nil {
-		return nil, err
-	}
-	// Adds Docker-specific headers as well as user-specified headers (metaHeaders)
-	tr := transport.NewTransport(
-		registry.NewTransport(tlsConfig),
-		//registry.DockerHeaders(mf.config.MetaHeaders)...,
-		registry.DockerHeaders(nil)...,
-	)
-	client := registry.HTTPClient(tr)
-	//v1Endpoint, err := mf.endpoint.ToV1Endpoint(mf.config.MetaHeaders)
-	v1Endpoint, err := mf.endpoint.ToV1Endpoint(nil)
-	if err != nil {
-		logrus.Debugf("Could not get v1 endpoint: %v", err)
-		return nil, fallbackError{err: err}
-	}
-	mf.session, err = registry.NewSession(client, &mf.authConfig, v1Endpoint)
-	if err != nil {
-		logrus.Debugf("Fallback from error: %s", err)
-		return nil, fallbackError{err: err}
-	}
-	imgInspect, err = mf.fetchWithSession(ctx, ref)
-	if err != nil {
-		return nil, err
-	}
-	return imgInspect, nil
-}
-
-func (mf *v1ManifestFetcher) fetchWithSession(ctx context.Context, ref reference.Named) (*imageInspect, error) {
-	repoData, err := mf.session.GetRepositoryData(mf.repoInfo)
-	if err != nil {
-		if strings.Contains(err.Error(), "HTTP code: 404") {
-			return nil, fmt.Errorf("Error: image %s not found", mf.repoInfo.RemoteName())
-		}
-		// Unexpected HTTP error
-		return nil, err
-	}
-
-	var tagsList map[string]string
-	tagsList, err = mf.session.GetRemoteTags(repoData.Endpoints, mf.repoInfo)
-	if err != nil {
-		logrus.Errorf("unable to get remote tags: %s", err)
-		return nil, err
-	}
-
-	logrus.Debugf("Retrieving the tag list")
-	tagged, isTagged := ref.(reference.NamedTagged)
-	var tagID, tag string
-	if isTagged {
-		tag = tagged.Tag()
-		tagsList[tagged.Tag()] = tagID
-	} else {
-		ref, err = reference.WithTag(ref, reference.DefaultTag)
-		if err != nil {
-			return nil, err
-		}
-		tagged, _ := ref.(reference.NamedTagged)
-		tag = tagged.Tag()
-		tagsList[tagged.Tag()] = tagID
-	}
-	tagID, err = mf.session.GetRemoteTag(repoData.Endpoints, mf.repoInfo, tag)
-	if err == registry.ErrRepoNotFound {
-		return nil, fmt.Errorf("Tag %s not found in repository %s", tag, mf.repoInfo.FullName())
-	}
-	if err != nil {
-		logrus.Errorf("unable to get remote tags: %s", err)
-		return nil, err
-	}
-
-	tagList := []string{}
-	for tag := range tagsList {
-		tagList = append(tagList, tag)
-	}
-
-	img := repoData.ImgList[tagID]
-
-	var pulledImg *image.Image
-	for _, ep := range mf.repoInfo.Index.Mirrors {
-		if pulledImg, err = mf.pullImageJSON(img.ID, ep, repoData.Tokens); err != nil {
-			// Don't report errors when pulling from mirrors.
-			logrus.Debugf("Error pulling image json of %s:%s, mirror: %s, %s", mf.repoInfo.FullName(), img.Tag, ep, err)
-			continue
-		}
-		break
-	}
-	if pulledImg == nil {
-		for _, ep := range repoData.Endpoints {
-			if pulledImg, err = mf.pullImageJSON(img.ID, ep, repoData.Tokens); err != nil {
-				// It's not ideal that only the last error is returned, it would be better to concatenate the errors.
-				logrus.Infof("Error pulling image json of %s:%s, endpoint: %s, %v", mf.repoInfo.FullName(), img.Tag, ep, err)
-				continue
-			}
-			break
-		}
-	}
-	if err != nil {
-		return nil, fmt.Errorf("Error pulling image (%s) from %s, %v", img.Tag, mf.repoInfo.FullName(), err)
-	}
-	if pulledImg == nil {
-		return nil, fmt.Errorf("No such image %s:%s", mf.repoInfo.FullName(), tag)
-	}
-
-	return makeImageInspect(pulledImg, tag, "", tagList), nil
-}
-
-func (mf *v1ManifestFetcher) pullImageJSON(imgID, endpoint string, token []string) (*image.Image, error) {
-	imgJSON, _, err := mf.session.GetRemoteImageJSON(imgID, endpoint)
-	if err != nil {
-		return nil, err
-	}
-	h, err := v1.HistoryFromConfig(imgJSON, false)
-	if err != nil {
-		return nil, err
-	}
-	configRaw, err := makeRawConfigFromV1Config(imgJSON, image.NewRootFS(), []image.History{h})
-	if err != nil {
-		return nil, err
-	}
-	config, err := json.Marshal(configRaw)
-	if err != nil {
-		return nil, err
-	}
-	img, err := image.NewFromJSON(config)
-	if err != nil {
-		return nil, err
-	}
-	return img, nil
-}

inspect_v2.go

@@ -1,473 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"runtime"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/distribution"
-	"github.com/docker/distribution/digest"
-	"github.com/docker/distribution/manifest/manifestlist"
-	"github.com/docker/distribution/manifest/schema1"
-	"github.com/docker/distribution/manifest/schema2"
-	"github.com/docker/distribution/registry/api/errcode"
-	"github.com/docker/distribution/registry/client"
-	dockerdistribution "github.com/docker/docker/distribution"
-	"github.com/docker/docker/image"
-	"github.com/docker/docker/image/v1"
-	"github.com/docker/docker/reference"
-	"github.com/docker/docker/registry"
-	"github.com/docker/engine-api/types"
-	"golang.org/x/net/context"
-)
-
-type v2ManifestFetcher struct {
-	endpoint    registry.APIEndpoint
-	repoInfo    *registry.RepositoryInfo
-	repo        distribution.Repository
-	confirmedV2 bool
-	// wrap in a config?
-	authConfig types.AuthConfig
-	service    *registry.Service
-}
-
-func (mf *v2ManifestFetcher) Fetch(ctx context.Context, ref reference.Named) (*imageInspect, error) {
-	var (
-		imgInspect *imageInspect
-		err        error
-	)
-
-	//mf.repo, mf.confirmedV2, err = distribution.NewV2Repository(ctx, mf.repoInfo, mf.endpoint, mf.config.MetaHeaders, mf.config.AuthConfig, "pull")
-	mf.repo, mf.confirmedV2, err = dockerdistribution.NewV2Repository(ctx, mf.repoInfo, mf.endpoint, nil, &mf.authConfig, "pull")
-	if err != nil {
-		logrus.Debugf("Error getting v2 registry: %v", err)
-		return nil, fallbackError{err: err, confirmedV2: mf.confirmedV2}
-	}
-
-	imgInspect, err = mf.fetchWithRepository(ctx, ref)
-	if err != nil {
-		if _, ok := err.(fallbackError); ok {
-			return nil, err
-		}
-		if registry.ContinueOnError(err) {
-			err = fallbackError{err: err, confirmedV2: mf.confirmedV2}
-		}
-	}
-	return imgInspect, err
-}
-
-func (mf *v2ManifestFetcher) fetchWithRepository(ctx context.Context, ref reference.Named) (*imageInspect, error) {
-	var (
-		manifest    distribution.Manifest
-		tagOrDigest string // Used for logging/progress only
-		tagList     = []string{}
-	)
-
-	manSvc, err := mf.repo.Manifests(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	if _, isTagged := ref.(reference.NamedTagged); !isTagged {
-		ref, err = reference.WithTag(ref, reference.DefaultTag)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	if tagged, isTagged := ref.(reference.NamedTagged); isTagged {
-		// NOTE: not using TagService.Get, since it uses HEAD requests
-		// against the manifests endpoint, which are not supported by
-		// all registry versions.
-		manifest, err = manSvc.Get(ctx, "", client.WithTag(tagged.Tag()))
-		if err != nil {
-			return nil, allowV1Fallback(err)
-		}
-		tagOrDigest = tagged.Tag()
-	} else if digested, isDigested := ref.(reference.Canonical); isDigested {
-		manifest, err = manSvc.Get(ctx, digested.Digest())
-		if err != nil {
-			return nil, err
-		}
-		tagOrDigest = digested.Digest().String()
-	} else {
-		return nil, fmt.Errorf("internal error: reference has neither a tag nor a digest: %s", ref.String())
-	}
-
-	if manifest == nil {
-		return nil, fmt.Errorf("image manifest does not exist for tag or digest %q", tagOrDigest)
-	}
-
-	// If manSvc.Get succeeded, we can be confident that the registry on
-	// the other side speaks the v2 protocol.
-	mf.confirmedV2 = true
-
-	tagList, err = mf.repo.Tags(ctx).All(ctx)
-	if err != nil {
-		// If this repository doesn't exist on V2, we should
-		// permit a fallback to V1.
-		return nil, allowV1Fallback(err)
-	}
-
-	var (
-		image          *image.Image
-		manifestDigest digest.Digest
-	)
-
-	switch v := manifest.(type) {
-	case *schema1.SignedManifest:
-		image, manifestDigest, err = mf.pullSchema1(ctx, ref, v)
-		if err != nil {
-			return nil, err
-		}
-	case *schema2.DeserializedManifest:
-		image, manifestDigest, err = mf.pullSchema2(ctx, ref, v)
-		if err != nil {
-			return nil, err
-		}
-	case *manifestlist.DeserializedManifestList:
-		image, manifestDigest, err = mf.pullManifestList(ctx, ref, v)
-		if err != nil {
-			return nil, err
-		}
-	default:
-		return nil, errors.New("unsupported manifest format")
-	}
-
-	// TODO(runcom)
-	//var showTags bool
-	//if reference.IsNameOnly(ref) {
-	//showTags = true
-	//logrus.Debug("Using default tag: latest")
-	//ref = reference.WithDefaultTag(ref)
-	//}
-	//_ = showTags
-	return makeImageInspect(image, tagOrDigest, manifestDigest, tagList), nil
-}
-
-func (mf *v2ManifestFetcher) pullSchema1(ctx context.Context, ref reference.Named, unverifiedManifest *schema1.SignedManifest) (img *image.Image, manifestDigest digest.Digest, err error) {
-	var verifiedManifest *schema1.Manifest
-	verifiedManifest, err = verifySchema1Manifest(unverifiedManifest, ref)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// remove duplicate layers and check parent chain validity
-	err = fixManifestLayers(verifiedManifest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// Image history converted to the new format
-	var history []image.History
-
-	// Note that the order of this loop is in the direction of bottom-most
-	// to top-most, so that the downloads slice gets ordered correctly.
-	for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
-		var throwAway struct {
-			ThrowAway bool `json:"throwaway,omitempty"`
-		}
-		if err := json.Unmarshal([]byte(verifiedManifest.History[i].V1Compatibility), &throwAway); err != nil {
-			return nil, "", err
-		}
-
-		h, err := v1.HistoryFromConfig([]byte(verifiedManifest.History[i].V1Compatibility), throwAway.ThrowAway)
-		if err != nil {
-			return nil, "", err
-		}
-		history = append(history, h)
-	}
-
-	rootFS := image.NewRootFS()
-	configRaw, err := makeRawConfigFromV1Config([]byte(verifiedManifest.History[0].V1Compatibility), rootFS, history)
-
-	config, err := json.Marshal(configRaw)
-	if err != nil {
-		return nil, "", err
-	}
-
-	img, err = image.NewFromJSON(config)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifestDigest = digest.FromBytes(unverifiedManifest.Canonical)
-
-	return img, manifestDigest, nil
-}
-
-func verifySchema1Manifest(signedManifest *schema1.SignedManifest, ref reference.Named) (m *schema1.Manifest, err error) {
-	// If pull by digest, then verify the manifest digest. NOTE: It is
-	// important to do this first, before any other content validation. If the
-	// digest cannot be verified, don't even bother with those other things.
-	if digested, isCanonical := ref.(reference.Canonical); isCanonical {
-		verifier, err := digest.NewDigestVerifier(digested.Digest())
-		if err != nil {
-			return nil, err
-		}
-		if _, err := verifier.Write(signedManifest.Canonical); err != nil {
-			return nil, err
-		}
-		if !verifier.Verified() {
-			err := fmt.Errorf("image verification failed for digest %s", digested.Digest())
-			logrus.Error(err)
-			return nil, err
-		}
-	}
-	m = &signedManifest.Manifest
-
-	if m.SchemaVersion != 1 {
-		return nil, fmt.Errorf("unsupported schema version %d for %q", m.SchemaVersion, ref.String())
-	}
-	if len(m.FSLayers) != len(m.History) {
-		return nil, fmt.Errorf("length of history not equal to number of layers for %q", ref.String())
-	}
-	if len(m.FSLayers) == 0 {
-		return nil, fmt.Errorf("no FSLayers in manifest for %q", ref.String())
-	}
-	return m, nil
-}
-
-func fixManifestLayers(m *schema1.Manifest) error {
-	imgs := make([]*image.V1Image, len(m.FSLayers))
-	for i := range m.FSLayers {
-		img := &image.V1Image{}
-
-		if err := json.Unmarshal([]byte(m.History[i].V1Compatibility), img); err != nil {
-			return err
-		}
-
-		imgs[i] = img
-		if err := v1.ValidateID(img.ID); err != nil {
-			return err
-		}
-	}
-
-	if imgs[len(imgs)-1].Parent != "" && runtime.GOOS != "windows" {
-		// Windows base layer can point to a base layer parent that is not in manifest.
-		return errors.New("Invalid parent ID in the base layer of the image.")
-	}
-
-	// check general duplicates to error instead of a deadlock
-	idmap := make(map[string]struct{})
-
-	var lastID string
-	for _, img := range imgs {
-		// skip IDs that appear after each other, we handle those later
-		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
-			return fmt.Errorf("ID %+v appears multiple times in manifest", img.ID)
-		}
-		lastID = img.ID
-		idmap[lastID] = struct{}{}
-	}
-
-	// backwards loop so that we keep the remaining indexes after removing items
-	for i := len(imgs) - 2; i >= 0; i-- {
-		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
-			m.FSLayers = append(m.FSLayers[:i], m.FSLayers[i+1:]...)
-			m.History = append(m.History[:i], m.History[i+1:]...)
-		} else if imgs[i].Parent != imgs[i+1].ID {
-			return fmt.Errorf("Invalid parent ID. Expected %v, got %v.", imgs[i+1].ID, imgs[i].Parent)
-		}
-	}
-
-	return nil
-}
-
-func (mf *v2ManifestFetcher) pullSchema2(ctx context.Context, ref reference.Named, mfst *schema2.DeserializedManifest) (img *image.Image, manifestDigest digest.Digest, err error) {
-	manifestDigest, err = schema2ManifestDigest(ref, mfst)
-	if err != nil {
-		return nil, "", err
-	}
-
-	target := mfst.Target()
-
-	configChan := make(chan []byte, 1)
-	errChan := make(chan error, 1)
-	var cancel func()
-	ctx, cancel = context.WithCancel(ctx)
-
-	// Pull the image config
-	go func() {
-		configJSON, err := mf.pullSchema2ImageConfig(ctx, target.Digest)
-		if err != nil {
-			errChan <- err
-			cancel()
-			return
-		}
-		configChan <- configJSON
-	}()
-
-	var (
-		configJSON         []byte      // raw serialized image config
-		unmarshalledConfig image.Image // deserialized image config
-	)
-	if runtime.GOOS == "windows" {
-		configJSON, unmarshalledConfig, err = receiveConfig(configChan, errChan)
-		if err != nil {
-			return nil, "", err
-		}
-		if unmarshalledConfig.RootFS == nil {
-			return nil, "", errors.New("image config has no rootfs section")
-		}
-	}
-
-	if configJSON == nil {
-		configJSON, unmarshalledConfig, err = receiveConfig(configChan, errChan)
-		if err != nil {
-			return nil, "", err
-		}
-	}
-
-	img, err = image.NewFromJSON(configJSON)
-	if err != nil {
-		return nil, "", err
-	}
-
-	return img, manifestDigest, nil
-}
-
-func (mf *v2ManifestFetcher) pullSchema2ImageConfig(ctx context.Context, dgst digest.Digest) (configJSON []byte, err error) {
-	blobs := mf.repo.Blobs(ctx)
-	configJSON, err = blobs.Get(ctx, dgst)
-	if err != nil {
-		return nil, err
-	}
-
-	// Verify image config digest
-	verifier, err := digest.NewDigestVerifier(dgst)
-	if err != nil {
-		return nil, err
-	}
-	if _, err := verifier.Write(configJSON); err != nil {
-		return nil, err
-	}
-	if !verifier.Verified() {
-		err := fmt.Errorf("image config verification failed for digest %s", dgst)
-		logrus.Error(err)
-		return nil, err
-	}
-
-	return configJSON, nil
-}
-
-func receiveConfig(configChan <-chan []byte, errChan <-chan error) ([]byte, image.Image, error) {
-	select {
-	case configJSON := <-configChan:
-		var unmarshalledConfig image.Image
-		if err := json.Unmarshal(configJSON, &unmarshalledConfig); err != nil {
-			return nil, image.Image{}, err
-		}
-		return configJSON, unmarshalledConfig, nil
-	case err := <-errChan:
-		return nil, image.Image{}, err
-		// Don't need a case for ctx.Done in the select because cancellation
-		// will trigger an error in p.pullSchema2ImageConfig.
-	}
-}
-
-// allowV1Fallback checks if the error is a possible reason to fallback to v1
-// (even if confirmedV2 has been set already), and if so, wraps the error in
-// a fallbackError with confirmedV2 set to false. Otherwise, it returns the
-// error unmodified.
-func allowV1Fallback(err error) error {
-	switch v := err.(type) {
-	case errcode.Errors:
-		if len(v) != 0 {
-			if v0, ok := v[0].(errcode.Error); ok && registry.ShouldV2Fallback(v0) {
-				return fallbackError{err: err, confirmedV2: false}
-			}
-		}
-	case errcode.Error:
-		if registry.ShouldV2Fallback(v) {
-			return fallbackError{err: err, confirmedV2: false}
-		}
-	}
-	return err
-}
-
-// schema2ManifestDigest computes the manifest digest, and, if pulling by
-// digest, ensures that it matches the requested digest.
-func schema2ManifestDigest(ref reference.Named, mfst distribution.Manifest) (digest.Digest, error) {
-	_, canonical, err := mfst.Payload()
-	if err != nil {
-		return "", err
-	}
-
-	// If pull by digest, then verify the manifest digest.
-	if digested, isDigested := ref.(reference.Canonical); isDigested {
-		verifier, err := digest.NewDigestVerifier(digested.Digest())
-		if err != nil {
-			return "", err
-		}
-		if _, err := verifier.Write(canonical); err != nil {
-			return "", err
-		}
-		if !verifier.Verified() {
-			err := fmt.Errorf("manifest verification failed for digest %s", digested.Digest())
-			logrus.Error(err)
-			return "", err
-		}
-		return digested.Digest(), nil
-	}
-
-	return digest.FromBytes(canonical), nil
-}
-
-// pullManifestList handles "manifest lists" which point to various
-// platform-specifc manifests.
-func (mf *v2ManifestFetcher) pullManifestList(ctx context.Context, ref reference.Named, mfstList *manifestlist.DeserializedManifestList) (img *image.Image, manifestListDigest digest.Digest, err error) {
-	manifestListDigest, err = schema2ManifestDigest(ref, mfstList)
-	if err != nil {
-		return nil, "", err
-	}
-
-	var manifestDigest digest.Digest
-	for _, manifestDescriptor := range mfstList.Manifests {
-		// TODO(aaronl): The manifest list spec supports optional
-		// "features" and "variant" fields. These are not yet used.
-		// Once they are, their values should be interpreted here.
-		if manifestDescriptor.Platform.Architecture == runtime.GOARCH && manifestDescriptor.Platform.OS == runtime.GOOS {
-			manifestDigest = manifestDescriptor.Digest
-			break
-		}
-	}
-
-	if manifestDigest == "" {
-		return nil, "", errors.New("no supported platform found in manifest list")
-	}
-
-	manSvc, err := mf.repo.Manifests(ctx)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifest, err := manSvc.Get(ctx, manifestDigest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	manifestRef, err := reference.WithDigest(ref, manifestDigest)
-	if err != nil {
-		return nil, "", err
-	}
-
-	switch v := manifest.(type) {
-	case *schema1.SignedManifest:
-		img, _, err = mf.pullSchema1(ctx, manifestRef, v)
-		if err != nil {
-			return nil, "", err
-		}
-	case *schema2.DeserializedManifest:
-		img, _, err = mf.pullSchema2(ctx, manifestRef, v)
-		if err != nil {
-			return nil, "", err
-		}
-	default:
-		return nil, "", errors.New("unsupported manifest format")
-	}
-
-	return img, manifestListDigest, err
-}

integration/check_test.go

@@ -0,0 +1,105 @@
+package main
+
+import (
+	"fmt"
+	"os/exec"
+	"testing"
+
+	"github.com/go-check/check"
+	"github.com/projectatomic/skopeo/version"
+)
+
+const (
+	privateRegistryURL0 = "127.0.0.1:5000"
+	privateRegistryURL1 = "127.0.0.1:5001"
+	privateRegistryURL2 = "127.0.0.1:5002"
+	privateRegistryURL3 = "127.0.0.1:5003"
+	privateRegistryURL4 = "127.0.0.1:5004"
+)
+
+func Test(t *testing.T) {
+	check.TestingT(t)
+}
+
+func init() {
+	check.Suite(&SkopeoSuite{})
+}
+
+type SkopeoSuite struct {
+	regV1         *testRegistryV1
+	regV2         *testRegistryV2
+	regV2Shema1   *testRegistryV2
+	regV1WithAuth *testRegistryV1 // does v1 support auth?
+	regV2WithAuth *testRegistryV2
+}
+
+func (s *SkopeoSuite) SetUpSuite(c *check.C) {
+
+}
+
+func (s *SkopeoSuite) TearDownSuite(c *check.C) {
+
+}
+
+func (s *SkopeoSuite) SetUpTest(c *check.C) {
+	_, err := exec.LookPath(skopeoBinary)
+	c.Assert(err, check.IsNil)
+
+	s.regV1 = setupRegistryV1At(c, privateRegistryURL0, false) // TODO:(runcom)
+	s.regV2 = setupRegistryV2At(c, privateRegistryURL1, false, false)
+	s.regV2Shema1 = setupRegistryV2At(c, privateRegistryURL2, false, true)
+	s.regV1WithAuth = setupRegistryV1At(c, privateRegistryURL3, true) // not used
+	s.regV2WithAuth = setupRegistryV2At(c, privateRegistryURL4, true, false)
+}
+
+func (s *SkopeoSuite) TearDownTest(c *check.C) {
+	// not checking V1 registries now...
+	if s.regV2 != nil {
+		s.regV2.Close()
+	}
+	if s.regV2Shema1 != nil {
+		s.regV2Shema1.Close()
+	}
+	if s.regV2WithAuth != nil {
+		//cmd := exec.Command("docker", "logout", s.regV2WithAuth)
+		//c.Assert(cmd.Run(), check.IsNil)
+		s.regV2WithAuth.Close()
+	}
+}
+
+// TODO like dockerCmd but much easier, just out,err
+//func skopeoCmd()
+
+func (s *SkopeoSuite) TestVersion(c *check.C) {
+	wanted := fmt.Sprintf(".*%s version %s.*", skopeoBinary, version.Version)
+	assertSkopeoSucceeds(c, wanted, "--version")
+}
+
+const (
+	errFetchManifestRegexp = ".*error fetching manifest: status code: %s.*"
+)
+
+func (s *SkopeoSuite) TestCanAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
+	// TODO(runcom)
+	c.Skip("we need to restore --username --password flags!")
+	wanted := fmt.Sprintf(errFetchManifestRegexp, "401")
+	assertSkopeoFails(c, wanted, "--docker-cfg=''", "--username="+s.regV2WithAuth.username, "--password="+s.regV2WithAuth.password, "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+}
+
+func (s *SkopeoSuite) TestNeedAuthToPrivateRegistryV2WithoutDockerCfg(c *check.C) {
+	// TODO(runcom): mock the empty docker-cfg by removing it in the test itself (?)
+	c.Skip("mock empty docker config")
+	wanted := fmt.Sprintf(errFetchManifestRegexp, "401")
+	assertSkopeoFails(c, wanted, "--docker-cfg=''", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2WithAuth.url))
+}
+
+// TODO(runcom): as soon as we can push to registries ensure you can inspect here
+// not just get image not found :)
+func (s *SkopeoSuite) TestNoNeedAuthToPrivateRegistryV2ImageNotFound(c *check.C) {
+	out, err := exec.Command(skopeoBinary, "--tls-verify=false", "inspect", fmt.Sprintf("docker://%s/busybox:latest", s.regV2.url)).CombinedOutput()
+	c.Assert(err, check.NotNil, check.Commentf(string(out)))
+	wanted := fmt.Sprintf(errFetchManifestRegexp, "404")
+	c.Assert(string(out), check.Matches, "(?s)"+wanted) // (?s) : '.' will also match newlines
+	wanted = fmt.Sprintf(errFetchManifestRegexp, "401")
+	c.Assert(string(out), check.Not(check.Matches), "(?s)"+wanted) // (?s) : '.' will also match newlines
+}

integration/copy_test.go

@@ -0,0 +1,293 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/containers/image/manifest"
+	"github.com/go-check/check"
+)
+
+func init() {
+	check.Suite(&CopySuite{})
+}
+
+const v2DockerRegistryURL = "localhost:5555"
+
+type CopySuite struct {
+	cluster  *openshiftCluster
+	registry *testRegistryV2
+	gpgHome  string
+}
+
+func (s *CopySuite) SetUpSuite(c *check.C) {
+	if os.Getenv("SKOPEO_CONTAINER_TESTS") != "1" {
+		c.Skip("Not running in a container, refusing to affect user state")
+	}
+
+	s.cluster = startOpenshiftCluster(c) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+
+	for _, stream := range []string{"unsigned", "personal", "official", "naming", "cosigned", "compression"} {
+		isJSON := fmt.Sprintf(`{
+			"kind": "ImageStream",
+			"apiVersion": "v1",
+			"metadata": {
+			    "name": "%s"
+			},
+			"spec": {}
+		}`, stream)
+		runCommandWithInput(c, isJSON, "oc", "create", "-f", "-")
+	}
+
+	s.registry = setupRegistryV2At(c, v2DockerRegistryURL, false, false) // FIXME: Set up TLS for the docker registry port instead of using "--tls-verify=false" all over the place.
+
+	gpgHome, err := ioutil.TempDir("", "skopeo-gpg")
+	c.Assert(err, check.IsNil)
+	s.gpgHome = gpgHome
+	os.Setenv("GNUPGHOME", s.gpgHome)
+
+	for _, key := range []string{"personal", "official"} {
+		batchInput := fmt.Sprintf("Key-Type: RSA\nName-Real: Test key - %s\nName-email: %s@example.com\n%%commit\n",
+			key, key)
+		runCommandWithInput(c, batchInput, gpgBinary, "--batch", "--gen-key")
+
+		out := combinedOutputOfCommand(c, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
+		err := ioutil.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
+			[]byte(out), 0600)
+		c.Assert(err, check.IsNil)
+	}
+}
+
+func (s *CopySuite) TearDownSuite(c *check.C) {
+	if s.gpgHome != "" {
+		os.RemoveAll(s.gpgHome)
+	}
+	if s.registry != nil {
+		s.registry.Close()
+	}
+	if s.cluster != nil {
+		s.cluster.tearDown()
+	}
+}
+
+// preparePolicyFixture applies edits to fixtures/policy.json and returns a path to the temporary file.
+// Callers should defer os.Remove(the_returned_path)
+func preparePolicyFixture(c *check.C, edits map[string]string) string {
+	commands := []string{}
+	for template, value := range edits {
+		commands = append(commands, fmt.Sprintf("s,%s,%s,g", template, value))
+	}
+	json := combinedOutputOfCommand(c, "sed", strings.Join(commands, "; "), "fixtures/policy.json")
+
+	file, err := ioutil.TempFile("", "policy.json")
+	c.Assert(err, check.IsNil)
+	path := file.Name()
+
+	_, err = file.Write([]byte(json))
+	c.Assert(err, check.IsNil)
+	err = file.Close()
+	c.Assert(err, check.IsNil)
+	return path
+}
+
+// The most basic (skopeo copy) use:
+func (s *CopySuite) TestCopySimple(c *check.C) {
+	dir1, err := ioutil.TempDir("", "copy-1")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "copy-2")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	// "pull": docker: → dir:
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:latest", "dir:"+dir1)
+	// "push": dir: → atomic:
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "dir:"+dir1, "atomic:localhost:5000/myns/unsigned:unsigned")
+	// The result of pushing and pulling is an unmodified image.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/unsigned:unsigned", "dir:"+dir2)
+	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
+	c.Assert(out, check.Equals, "")
+
+	// docker v2s2 -> OCI image layout
+	// ociDest will be created by oci: if it doesn't exist
+	// so don't create it here to exercise auto-creation
+	ociDest := "busybox-latest"
+	defer os.RemoveAll(ociDest)
+	assertSkopeoSucceeds(c, "", "copy", "docker://busybox:latest", "oci:"+ociDest)
+	_, err = os.Stat(ociDest)
+	c.Assert(err, check.IsNil)
+
+	// FIXME: Also check pushing to docker://
+}
+
+// Streaming (skopeo copy)
+func (s *CopySuite) TestCopyStreaming(c *check.C) {
+	dir1, err := ioutil.TempDir("", "streaming-1")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir1)
+	dir2, err := ioutil.TempDir("", "streaming-2")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir2)
+
+	// FIXME: It would be nice to use one of the local Docker registries instead of neeeding an Internet connection.
+	// streaming: docker: → atomic:
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--debug", "copy", "docker://estesp/busybox:amd64", "atomic:localhost:5000/myns/unsigned:streaming")
+	// Compare (copies of) the original and the copy:
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:amd64", "dir:"+dir1)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/unsigned:streaming", "dir:"+dir2)
+	// The manifests will have different JWS signatures; so, compare the manifests by digests, which
+	// strips the signatures, and remove them, comparing the rest file by file.
+	digests := []string{}
+	for _, dir := range []string{dir1, dir2} {
+		manifestPath := filepath.Join(dir, "manifest.json")
+		m, err := ioutil.ReadFile(manifestPath)
+		c.Assert(err, check.IsNil)
+		digest, err := manifest.Digest(m)
+		c.Assert(err, check.IsNil)
+		digests = append(digests, digest)
+		err = os.Remove(manifestPath)
+		c.Assert(err, check.IsNil)
+		c.Logf("Manifest file %s (digest %s) removed", manifestPath, digest)
+	}
+	c.Assert(digests[0], check.Equals, digests[1])
+	out := combinedOutputOfCommand(c, "diff", "-urN", dir1, dir2)
+	c.Assert(out, check.Equals, "")
+	// FIXME: Also check pushing to docker://
+}
+
+// --sign-by and --policy copy, primarily using atomic:
+func (s *CopySuite) TestCopySignatures(c *check.C) {
+	dir, err := ioutil.TempDir("", "signatures-dest")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(dir)
+	dirDest := "dir:" + dir
+
+	policy := preparePolicyFixture(c, map[string]string{"@keydir@": s.gpgHome})
+	defer os.Remove(policy)
+
+	// type: reject
+	assertSkopeoFails(c, ".*Source image rejected: Running image docker://busybox:latest is rejected by policy.*",
+		"--policy", policy, "copy", "docker://busybox:latest", dirDest)
+
+	// type: insecureAcceptAnything
+	assertSkopeoSucceeds(c, "", "--policy", policy, "copy", "docker://openshift/hello-openshift", dirDest)
+
+	// type: signedBy
+	// Sign the images
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "docker://busybox:1.23", "atomic:localhost:5000/myns/personal:personal")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "official@example.com", "docker://busybox:1.23.2", "atomic:localhost:5000/myns/official:official")
+	// Verify that we can pull them
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/personal:personal", dirDest)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/official:official", dirDest)
+	// Verify that mis-signed images are rejected
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/personal:personal", "atomic:localhost:5000/myns/official:attack")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/personal:attack")
+	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/personal:attack", dirDest)
+	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/official:attack", dirDest)
+
+	// Verify that signed identity is verified.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/naming:test1")
+	assertSkopeoFails(c, ".*Source image rejected: Signature for identity localhost:5000/myns/official:official is not accepted.*",
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/naming:test1", dirDest)
+	// signedIdentity works
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/naming:naming")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/naming:naming", dirDest)
+
+	// Verify that cosigning requirements are enforced
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/cosigned:cosigned")
+	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
+		"--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/cosigned:cosigned", dirDest)
+
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/cosigned:cosigned")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/cosigned:cosigned", dirDest)
+}
+
+// --policy copy for dir: sources
+func (s *CopySuite) TestCopyDirSignatures(c *check.C) {
+	topDir, err := ioutil.TempDir("", "dir-signatures-top")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(topDir)
+	topDirDest := "dir:" + topDir
+
+	for _, suffix := range []string{"/dir1", "/dir2", "/restricted/personal", "/restricted/official", "/restricted/badidentity", "/dest"} {
+		err := os.MkdirAll(topDir+suffix, 0755)
+		c.Assert(err, check.IsNil)
+	}
+
+	// Note the "/@dirpath@": The value starts with a slash so that it is not rejected in other tests which do not replace it,
+	// but we must ensure that the result is a canonical path, not something starting with a "//".
+	policy := preparePolicyFixture(c, map[string]string{"@keydir@": s.gpgHome, "/@dirpath@": topDir + "/restricted"})
+	defer os.Remove(policy)
+
+	// Get some images.
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:armfh", topDirDest+"/dir1")
+	assertSkopeoSucceeds(c, "", "copy", "docker://estesp/busybox:s390x", topDirDest+"/dir2")
+
+	// Sign the images. By coping fom a topDirDest/dirN, also test that non-/restricted paths
+	// use the dir:"" default of insecureAcceptAnything.
+	// (For signing, we must push to atomic: to get a Docker identity to use in the signature.)
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "--sign-by", "personal@example.com", topDirDest+"/dir1", "atomic:localhost:5000/myns/personal:dirstaging")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "--sign-by", "official@example.com", topDirDest+"/dir2", "atomic:localhost:5000/myns/official:dirstaging")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/personal:dirstaging", topDirDest+"/restricted/personal")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:dirstaging", topDirDest+"/restricted/official")
+
+	// type: signedBy, with a signedIdentity override (necessary because dir: identities can't be signed)
+	// Verify that correct images are accepted
+	assertSkopeoSucceeds(c, "", "--policy", policy, "copy", topDirDest+"/restricted/official", topDirDest+"/dest")
+	// ... and that mis-signed images are rejected.
+	assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
+		"--policy", policy, "copy", topDirDest+"/restricted/personal", topDirDest+"/dest")
+
+	// Verify that the signed identity is verified.
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "--sign-by", "official@example.com", topDirDest+"/dir1", "atomic:localhost:5000/myns/personal:dirstaging2")
+	assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/personal:dirstaging2", topDirDest+"/restricted/badidentity")
+	assertSkopeoFails(c, ".*Source image rejected: .*Signature for identity localhost:5000/myns/personal:dirstaging2 is not accepted.*",
+		"--policy", policy, "copy", topDirDest+"/restricted/badidentity", topDirDest+"/dest")
+}
+
+// Compression during copy
+func (s *CopySuite) TestCopyCompression(c *check.C) {
+	const uncompresssedLayerFile = "160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710.tar"
+
+	topDir, err := ioutil.TempDir("", "compression-top")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(topDir)
+
+	for i, t := range []struct{ fixture, remote string }{
+		//{"uncompressed-image-s1", "docker://" + v2DockerRegistryURL + "/compression/compression:s1"}, // FIXME: depends on push to tag working
+		//{"uncompressed-image-s2", "docker://" + v2DockerRegistryURL + "/compression/compression:s2"}, // FIXME: depends on push to tag working
+		{"uncompressed-image-s1", "atomic:localhost:5000/myns/compression:s1"},
+		//{"uncompressed-image-s2", "atomic:localhost:5000/myns/compression:s2"}, // FIXME: The unresolved "MANIFEST_UNKNOWN"/"unexpected end of JSON input" failure
+	} {
+		dir := filepath.Join(topDir, fmt.Sprintf("case%d", i))
+		err := os.MkdirAll(dir, 0755)
+		c.Assert(err, check.IsNil)
+
+		assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "dir:fixtures/"+t.fixture, t.remote)
+		assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", t.remote, "dir:"+dir)
+
+		// The original directory contained an uncompressed file, the copy after pushing and pulling doesn't (we use a different name for the compressed file).
+		_, err = os.Lstat(filepath.Join("fixtures", t.fixture, uncompresssedLayerFile))
+		c.Assert(err, check.IsNil)
+		_, err = os.Lstat(filepath.Join(dir, uncompresssedLayerFile))
+		c.Assert(err, check.NotNil)
+		c.Assert(os.IsNotExist(err), check.Equals, true)
+
+		// All pulled layers are smaller than the uncompressed size of uncompresssedLayerFile. (Note that this includes the manifest in s2, but that works out OK).
+		dirf, err := os.Open(dir)
+		c.Assert(err, check.IsNil)
+		fis, err := dirf.Readdir(-1)
+		c.Assert(err, check.IsNil)
+		for _, fi := range fis {
+			if strings.HasSuffix(fi.Name(), ".tar") {
+				c.Assert(fi.Size() < 2048, check.Equals, true)
+			}
+		}
+	}
+}

integration/fixtures/image.manifest.json

@@ -0,0 +1,26 @@
+{
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "config": {
+        "mediaType": "application/vnd.docker.container.image.v1+json",
+        "size": 7023,
+        "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7"
+    },
+    "layers": [
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 32654,
+            "digest": "sha256:e692418e4cbaf90ca69d05a66403747baa33ee08806650b51fab815ad7fc331f"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 16724,
+            "digest": "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b"
+        },
+        {
+            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+            "size": 73109,
+            "digest": "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736"
+        }
+    ]
+}

integration/fixtures/policy.json

@@ -0,0 +1,84 @@
+{
+    "default": [
+        {
+            "type": "reject"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "docker.io/openshift": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "dir": {
+            "/@dirpath@": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5000/myns/official"
+                    }
+                }
+            ],
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "atomic": {
+            "localhost:5000/myns/personal": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ],
+            "localhost:5000/myns/official": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg"
+                }
+            ],
+            "localhost:5000/myns/naming:test1": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg"
+                }
+            ],
+            "localhost:5000/myns/naming:naming": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5000/myns/official"
+                    }
+                }
+            ],
+            "localhost:5000/myns/cosigned:cosigned": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/official-pubkey.gpg",
+                    "signedIdentity": {
+                        "type": "exactRepository",
+                        "dockerRepository": "localhost:5000/myns/official"
+                    }
+                },
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "@keydir@/personal-pubkey.gpg"
+                }
+            ]
+        }
+    }
+}

integration/fixtures/uncompressed-image-s1/manifest.json

@@ -0,0 +1,32 @@
+{
+   "schemaVersion": 1,
+   "name": "nonempty",
+   "tag": "nonempty",
+   "architecture": "amd64",
+   "fsLayers": [
+      {
+         "blobSum": "sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"
+      }
+   ],
+   "history": [
+      {
+         "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"59c20544b2f4\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":null,\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"container\":\"59c20544b2f4ad7a8639433bacb1ec215b7dad4a7bf1a83b5ab4679329a46c1d\",\"container_config\":{\"Hostname\":\"59c20544b2f4\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /\"],\"Image\":\"\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"created\":\"2016-09-19T18:23:54.9949213Z\",\"docker_version\":\"1.10.3\",\"id\":\"4c224eac5061bb85f523ca4e3316618fd7921a80fe94286979667b1edb8e1bdd\",\"os\":\"linux\"}"
+      }
+   ],
+   "signatures": [
+      {
+         "header": {
+            "jwk": {
+               "crv": "P-256",
+               "kid": "DGWZ:GAUM:WCOC:IMDL:D67M:CEI6:YTVH:M2CM:5HX4:FYDD:77OD:D3F7",
+               "kty": "EC",
+               "x": "eprZNqLO9mHZ4Z4GxefucEgov_1gwEi9lehpJR2suRo",
+               "y": "wIr2ucNg32ROfVCkR_8A5VbBJ-mFmsoIUVa6vt8lIxM"
+            },
+            "alg": "ES256"
+         },
+         "signature": "bvTLWW4YVFRjAanN1EJqwQw60fWSWJPxcGO3UZGFI_gyV6ucGdW4x7jyYL6g06sg925s9cy0wN1lw91CCFv4BA",
+         "protected": "eyJmb3JtYXRMZW5ndGgiOjE0ODcsImZvcm1hdFRhaWwiOiJDbjBLIiwidGltZSI6IjIwMTYtMDktMTlUMTg6NDM6MzNaIn0"
+      }
+   ]
+}

integration/fixtures/uncompressed-image-s2/86ce150e65c72b30f885c261449d18b7c6832596916e7f654e08377b5a67b4ff.tar

@@ -0,0 +1 @@
+{"architecture":"amd64","config":{"Hostname":"59c20544b2f4","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"59c20544b2f4ad7a8639433bacb1ec215b7dad4a7bf1a83b5ab4679329a46c1d","container_config":{"Hostname":"59c20544b2f4","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /"],"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"created":"2016-09-19T18:23:54.9949213Z","docker_version":"1.10.3","history":[{"created":"2016-09-19T18:23:54.9949213Z","created_by":"/bin/sh -c #(nop) ADD file:14f49faade3db5e596826746d9ed3dfd658490c16c4d61d4886726153ad0591a in /"}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"]}}

integration/fixtures/uncompressed-image-s2/manifest.json

@@ -0,0 +1,16 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+   "config": {
+      "mediaType": "application/octet-stream",
+      "size": 1272,
+      "digest": "sha256:86ce150e65c72b30f885c261449d18b7c6832596916e7f654e08377b5a67b4ff"
+   },
+   "layers": [
+      {
+         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+         "size": 2048,
+         "digest": "sha256:160d823fdc48e62f97ba62df31e55424f8f5eb6b679c865eec6e59adfe304710"
+      }
+   ]
+}

integration/fixtures_info_test.go

@@ -0,0 +1,6 @@
+package main
+
+const (
+	// TestImageManifestDigest is the Docker manifest digest of "fixtures/image.manifest.json"
+	TestImageManifestDigest = "sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55"
+)

integration/openshift.go

@@ -0,0 +1,193 @@
+package main
+
+import (
+	"bufio"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/go-check/check"
+)
+
+// openshiftCluster is an OpenShift API master and integrated registry
+// running on localhost.
+type openshiftCluster struct {
+	c          *check.C
+	workingDir string
+	master     *exec.Cmd
+	registry   *exec.Cmd
+}
+
+// startOpenshiftCluster creates a new openshiftCluster.
+// WARNING: This affects state in users' home directory! Only run
+// in isolated test environment.
+func startOpenshiftCluster(c *check.C) *openshiftCluster {
+	cluster := &openshiftCluster{c: c}
+
+	dir, err := ioutil.TempDir("", "openshift-cluster")
+	cluster.c.Assert(err, check.IsNil)
+	cluster.workingDir = dir
+
+	cluster.startMaster()
+	cluster.startRegistry()
+	cluster.ocLoginToProject()
+	cluster.dockerLogin()
+	cluster.relaxImageSignerPermissions()
+
+	return cluster
+}
+
+// startMaster starts the OpenShift master (etcd+API server) and waits for it to be ready, or terminates on failure.
+func (c *openshiftCluster) startMaster() {
+	c.master = exec.Command("openshift", "start", "master")
+	c.master.Dir = c.workingDir
+	stdout, err := c.master.StdoutPipe()
+	// Send both to the same pipe. This might cause the two streams to be mixed up,
+	// but logging actually goes only to stderr - this primarily ensure we log any
+	// unexpected output to stdout.
+	c.master.Stderr = c.master.Stdout
+	err = c.master.Start()
+	c.c.Assert(err, check.IsNil)
+
+	portOpen, terminatePortCheck := newPortChecker(c.c, 8443)
+	defer func() {
+		c.c.Logf("Terminating port check")
+		terminatePortCheck <- true
+	}()
+
+	terminateLogCheck := make(chan bool, 1)
+	logCheckFound := make(chan bool)
+	go func() {
+		defer func() {
+			c.c.Logf("Log checker exiting")
+		}()
+		scanner := bufio.NewScanner(stdout)
+		for scanner.Scan() {
+			line := scanner.Text()
+			c.c.Logf("Log line: %s", line)
+			if strings.Contains(line, "Started Origin Controllers") {
+				logCheckFound <- true
+				return
+				// FIXME? We stop reading from stdout; could this block the master?
+			}
+			// Note: we can block before we get here.
+			select {
+			case <-terminateLogCheck:
+				c.c.Logf("terminated")
+				return
+			default:
+				// Do not block here and read the next line.
+			}
+		}
+		logCheckFound <- false
+	}()
+	defer func() {
+		c.c.Logf("Terminating log check")
+		terminateLogCheck <- true
+	}()
+
+	gotPortCheck := false
+	gotLogCheck := false
+	for !gotPortCheck || !gotLogCheck {
+		c.c.Logf("Waiting for master")
+		select {
+		case <-portOpen:
+			c.c.Logf("port check done")
+			gotPortCheck = true
+		case found := <-logCheckFound:
+			c.c.Logf("log check done, found: %t", found)
+			if !found {
+				c.c.Fatal("log check done, success message not found")
+			}
+			gotLogCheck = true
+		}
+	}
+	c.c.Logf("OK, master started!")
+}
+
+// startRegistry starts the OpenShift registry and waits for it to be ready, or terminates on failure.
+func (c *openshiftCluster) startRegistry() {
+	//KUBECONFIG=openshift.local.config/master/openshift-registry.kubeconfig DOCKER_REGISTRY_URL=127.0.0.1:5000
+	c.registry = exec.Command("dockerregistry", "/atomic-registry-config.yml")
+	c.registry.Dir = c.workingDir
+	c.registry.Env = os.Environ()
+	c.registry.Env = modifyEnviron(c.registry.Env, "KUBECONFIG", "openshift.local.config/master/openshift-registry.kubeconfig")
+	c.registry.Env = modifyEnviron(c.registry.Env, "DOCKER_REGISTRY_URL", "127.0.0.1:5000")
+	consumeAndLogOutputs(c.c, "registry", c.registry)
+	err := c.registry.Start()
+	c.c.Assert(err, check.IsNil)
+
+	portOpen, terminatePortCheck := newPortChecker(c.c, 5000)
+	defer func() {
+		terminatePortCheck <- true
+	}()
+	c.c.Logf("Waiting for registry to start")
+	<-portOpen
+	c.c.Logf("OK, Registry port open")
+}
+
+// ocLogin runs (oc login) and (oc new-project) on the cluster, or terminates on failure.
+func (c *openshiftCluster) ocLoginToProject() {
+	c.c.Logf("oc login")
+	cmd := exec.Command("oc", "login", "--certificate-authority=openshift.local.config/master/ca.crt", "-u", "myuser", "-p", "mypw", "https://localhost:8443")
+	cmd.Dir = c.workingDir
+	out, err := cmd.CombinedOutput()
+	c.c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	c.c.Assert(string(out), check.Matches, "(?s).*Login successful.*") // (?s) : '.' will also match newlines
+
+	outString := combinedOutputOfCommand(c.c, "oc", "new-project", "myns")
+	c.c.Assert(outString, check.Matches, `(?s).*Now using project "myns".*`) // (?s) : '.' will also match newlines
+}
+
+// dockerLogin simulates (docker login) to the cluster, or terminates on failure.
+// We do not run (docker login) directly, because that requires a running daemon and a docker package.
+func (c *openshiftCluster) dockerLogin() {
+	dockerDir := filepath.Join(homedir.Get(), ".docker")
+	err := os.Mkdir(dockerDir, 0700)
+	c.c.Assert(err, check.IsNil)
+
+	out := combinedOutputOfCommand(c.c, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
+	c.c.Logf("oc config value: %s", out)
+	configJSON := fmt.Sprintf(`{
+		"auths": {
+			"localhost:5000": {
+				"auth": "%s",
+				"email": "unused"
+			}
+		}
+	}`, base64.StdEncoding.EncodeToString([]byte("unused:"+out)))
+	err = ioutil.WriteFile(filepath.Join(dockerDir, "config.json"), []byte(configJSON), 0600)
+	c.c.Assert(err, check.IsNil)
+}
+
+// relaxImageSignerPermissions opens up the system:image-signer permissions so that
+// anyone can work with signatures
+// FIXME: This also allows anyone to DoS anyone else; this design is really not all
+// that workable, but it is the best we can do for now.
+func (c *openshiftCluster) relaxImageSignerPermissions() {
+	cmd := exec.Command("oadm", "policy", "add-cluster-role-to-group", "system:image-signer", "system:authenticated")
+	cmd.Dir = c.workingDir
+	cmd.Env = os.Environ()
+	cmd.Env = modifyEnviron(cmd.Env, "KUBECONFIG", "openshift.local.config/master/admin.kubeconfig")
+	out, err := cmd.CombinedOutput()
+	c.c.Assert(err, check.IsNil, check.Commentf("%s", string(out)))
+	c.c.Assert(string(out), check.Equals, "")
+}
+
+// tearDown stops the cluster services and deletes (only some!) of the state.
+func (c *openshiftCluster) tearDown() {
+	if c.registry != nil && c.registry.Process != nil {
+		c.registry.Process.Kill()
+	}
+	if c.master != nil && c.master.Process != nil {
+		c.master.Process.Kill()
+	}
+	if c.workingDir != "" {
+		os.RemoveAll(c.workingDir)
+	}
+}

integration/registry.go

@@ -0,0 +1,142 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+
+	"github.com/go-check/check"
+)
+
+const (
+	binaryV1        = "docker-registry"
+	binaryV2        = "registry-v2"
+	binaryV2Schema1 = "registry-v2-schema1"
+)
+
+type testRegistryV1 struct {
+	cmd *exec.Cmd
+	url string
+	dir string
+}
+
+func setupRegistryV1At(c *check.C, url string, auth bool) *testRegistryV1 {
+	return &testRegistryV1{
+		url: url,
+	}
+}
+
+type testRegistryV2 struct {
+	cmd      *exec.Cmd
+	url      string
+	dir      string
+	username string
+	password string
+	email    string
+}
+
+func setupRegistryV2At(c *check.C, url string, auth, schema1 bool) *testRegistryV2 {
+	reg, err := newTestRegistryV2At(c, url, auth, schema1)
+	c.Assert(err, check.IsNil)
+
+	// Wait for registry to be ready to serve requests.
+	for i := 0; i != 5; i++ {
+		if err = reg.Ping(); err == nil {
+			break
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+
+	if err != nil {
+		c.Fatal("Timeout waiting for test registry to become available")
+	}
+	return reg
+}
+
+func newTestRegistryV2At(c *check.C, url string, auth, schema1 bool) (*testRegistryV2, error) {
+	tmp, err := ioutil.TempDir("", "registry-test-")
+	if err != nil {
+		return nil, err
+	}
+	template := `version: 0.1
+loglevel: debug
+storage:
+    filesystem:
+        rootdirectory: %s
+http:
+    addr: %s
+%s`
+	var (
+		htpasswd string
+		username string
+		password string
+		email    string
+	)
+	if auth {
+		htpasswdPath := filepath.Join(tmp, "htpasswd")
+		userpasswd := "testuser:$2y$05$sBsSqk0OpSD1uTZkHXc4FeJ0Z70wLQdAX/82UiHuQOKbNbBrzs63m"
+		username = "testuser"
+		password = "testpassword"
+		email = "test@test.org"
+		if err := ioutil.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0644)); err != nil {
+			return nil, err
+		}
+		htpasswd = fmt.Sprintf(`auth:
+    htpasswd:
+        realm: basic-realm
+        path: %s
+`, htpasswdPath)
+	}
+	confPath := filepath.Join(tmp, "config.yaml")
+	config, err := os.Create(confPath)
+	if err != nil {
+		return nil, err
+	}
+	if _, err := fmt.Fprintf(config, template, tmp, url, htpasswd); err != nil {
+		os.RemoveAll(tmp)
+		return nil, err
+	}
+
+	binary := binaryV2
+	if schema1 {
+		binary = binaryV2Schema1
+	}
+
+	cmd := exec.Command(binary, confPath)
+	if err := cmd.Start(); err != nil {
+		os.RemoveAll(tmp)
+		if os.IsNotExist(err) {
+			c.Skip(err.Error())
+		}
+		return nil, err
+	}
+	return &testRegistryV2{
+		cmd:      cmd,
+		url:      url,
+		dir:      tmp,
+		username: username,
+		password: password,
+		email:    email,
+	}, nil
+}
+
+func (t *testRegistryV2) Ping() error {
+	// We always ping through HTTP for our test registry.
+	resp, err := http.Get(fmt.Sprintf("http://%s/v2/", t.url))
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
+		return fmt.Errorf("registry ping replied with an unexpected status code %d", resp.StatusCode)
+	}
+	return nil
+}
+
+func (t *testRegistryV2) Close() {
+	t.cmd.Process.Kill()
+	os.RemoveAll(t.dir)
+}

integration/signing_test.go

@@ -0,0 +1,77 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"strings"
+
+	"github.com/go-check/check"
+)
+
+const (
+	gpgBinary = "gpg"
+)
+
+func init() {
+	check.Suite(&SigningSuite{})
+}
+
+type SigningSuite struct {
+	gpgHome     string
+	fingerprint string
+}
+
+func findFingerprint(lineBytes []byte) (string, error) {
+	lines := string(lineBytes)
+	for _, line := range strings.Split(lines, "\n") {
+		fields := strings.Split(line, ":")
+		if len(fields) >= 10 && fields[0] == "fpr" {
+			return fields[9], nil
+		}
+	}
+	return "", errors.New("No fingerprint found")
+}
+
+func (s *SigningSuite) SetUpTest(c *check.C) {
+	_, err := exec.LookPath(skopeoBinary)
+	c.Assert(err, check.IsNil)
+
+	s.gpgHome, err = ioutil.TempDir("", "skopeo-gpg")
+	c.Assert(err, check.IsNil)
+	os.Setenv("GNUPGHOME", s.gpgHome)
+
+	runCommandWithInput(c, "Key-Type: RSA\nName-Real: Testing user\n%commit\n", gpgBinary, "--homedir", s.gpgHome, "--batch", "--gen-key")
+
+	lines, err := exec.Command(gpgBinary, "--homedir", s.gpgHome, "--with-colons", "--no-permission-warning", "--fingerprint").Output()
+	c.Assert(err, check.IsNil)
+	s.fingerprint, err = findFingerprint(lines)
+	c.Assert(err, check.IsNil)
+}
+
+func (s *SigningSuite) TearDownTest(c *check.C) {
+	if s.gpgHome != "" {
+		err := os.RemoveAll(s.gpgHome)
+		c.Assert(err, check.IsNil)
+	}
+	s.gpgHome = ""
+
+	os.Unsetenv("GNUPGHOME")
+}
+
+func (s *SigningSuite) TestSignVerifySmoke(c *check.C) {
+	manifestPath := "fixtures/image.manifest.json"
+	dockerReference := "testing/smoketest"
+
+	sigOutput, err := ioutil.TempFile("", "sig")
+	c.Assert(err, check.IsNil)
+	defer os.Remove(sigOutput.Name())
+	assertSkopeoSucceeds(c, "^$", "standalone-sign", "-o", sigOutput.Name(),
+		manifestPath, dockerReference, s.fingerprint)
+
+	expected := fmt.Sprintf("^Signature verified, digest %s\n$", TestImageManifestDigest)
+	assertSkopeoSucceeds(c, expected, "standalone-verify", manifestPath,
+		dockerReference, s.fingerprint, sigOutput.Name())
+}

integration/utils.go

@@ -0,0 +1,146 @@
+package main
+
+import (
+	"io"
+	"net"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/go-check/check"
+)
+
+const skopeoBinary = "skopeo"
+
+// consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to c.
+func consumeAndLogOutputStream(c *check.C, id string, f io.ReadCloser, err error) {
+	c.Assert(err, check.IsNil)
+	go func() {
+		defer func() {
+			f.Close()
+			c.Logf("Output %s: Closed", id)
+		}()
+		buf := make([]byte, 1024)
+		for {
+			c.Logf("Output %s: waiting", id)
+			n, err := f.Read(buf)
+			c.Logf("Output %s: got %d,%#v: %s", id, n, err, strings.TrimSuffix(string(buf[:n]), "\n"))
+			if n <= 0 {
+				break
+			}
+		}
+	}()
+}
+
+// consumeAndLogOutputs causes all output to stdout and stderr from an *exec.Cmd to be logged to c
+func consumeAndLogOutputs(c *check.C, id string, cmd *exec.Cmd) {
+	stdout, err := cmd.StdoutPipe()
+	consumeAndLogOutputStream(c, id+" stdout", stdout, err)
+	stderr, err := cmd.StderrPipe()
+	consumeAndLogOutputStream(c, id+" stderr", stderr, err)
+}
+
+// combinedOutputOfCommand runs a command as if exec.Command().CombinedOutput(), verifies that the exit status is 0, and returns the output,
+// or terminates c on failure.
+func combinedOutputOfCommand(c *check.C, name string, args ...string) string {
+	c.Logf("Running %s %s", name, strings.Join(args, " "))
+	out, err := exec.Command(name, args...).CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	return string(out)
+}
+
+// assertSkopeoSucceeds runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
+// and optionally that the output matches a multi-line regexp if it is nonempty;
+// or terminates c on failure
+func assertSkopeoSucceeds(c *check.C, regexp string, args ...string) {
+	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
+	c.Assert(err, check.IsNil, check.Commentf("%s", out))
+	if regexp != "" {
+		c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+	}
+}
+
+// assertSkopeoFails runs a skopeo command as if exec.Command().CombinedOutput, verifies that the exit status is 0,
+// and that the output matches a multi-line regexp;
+// or terminates c on failure
+func assertSkopeoFails(c *check.C, regexp string, args ...string) {
+	c.Logf("Running %s %s", skopeoBinary, strings.Join(args, " "))
+	out, err := exec.Command(skopeoBinary, args...).CombinedOutput()
+	c.Assert(err, check.NotNil, check.Commentf("%s", out))
+	c.Assert(string(out), check.Matches, "(?s)"+regexp) // (?s) : '.' will also match newlines
+}
+
+// runCommandWithInput runs a command as if exec.Command(), sending it the input to stdin,
+// and verifies that the exit status is 0, or terminates c on failure.
+func runCommandWithInput(c *check.C, input string, name string, args ...string) {
+	c.Logf("Running %s %s", name, strings.Join(args, " "))
+	cmd := exec.Command(name, args...)
+	consumeAndLogOutputs(c, name+" "+strings.Join(args, " "), cmd)
+	stdin, err := cmd.StdinPipe()
+	c.Assert(err, check.IsNil)
+	err = cmd.Start()
+	c.Assert(err, check.IsNil)
+	_, err = stdin.Write([]byte(input))
+	c.Assert(err, check.IsNil)
+	err = stdin.Close()
+	c.Assert(err, check.IsNil)
+	err = cmd.Wait()
+	c.Assert(err, check.IsNil)
+}
+
+// isPortOpen returns true iff the specified port on localhost is open.
+func isPortOpen(port int) bool {
+	conn, err := net.DialTCP("tcp", nil, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: port})
+	if err != nil {
+		return false
+	}
+	conn.Close()
+	return true
+}
+
+// newPortChecker sets up a portOpen channel which will receive true after the specified port is open.
+// The checking can be aborted by sending a value to the terminate channel, which the caller should
+// always do using
+// defer func() {terminate <- true}()
+func newPortChecker(c *check.C, port int) (portOpen <-chan bool, terminate chan<- bool) {
+	portOpenBidi := make(chan bool)
+	// Buffered, so that sending a terminate request after the goroutine has exited does not block.
+	terminateBidi := make(chan bool, 1)
+
+	go func() {
+		defer func() {
+			c.Logf("Port checker for port %d exiting", port)
+		}()
+		for {
+			c.Logf("Checking for port %d...", port)
+			if isPortOpen(port) {
+				c.Logf("Port %d open", port)
+				portOpenBidi <- true
+				return
+			}
+			c.Logf("Sleeping for port %d", port)
+			sleepChan := time.After(100 * time.Millisecond)
+			select {
+			case <-sleepChan: // Try again
+				c.Logf("Sleeping for port %d done, will retry", port)
+			case <-terminateBidi:
+				c.Logf("Check for port %d terminated", port)
+				return
+			}
+		}
+	}()
+	return portOpenBidi, terminateBidi
+}
+
+// modifyEnviron modifies os.Environ()-like list of name=value assignments to set name to value.
+func modifyEnviron(env []string, name, value string) []string {
+	prefix := name + "="
+	res := []string{}
+	for _, e := range env {
+		if !strings.HasPrefix(e, prefix) {
+			res = append(res, e)
+		}
+	}
+	return append(res, prefix+value)
+}

main.go

@@ -1,66 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/codegangsta/cli"
-	"github.com/docker/docker/cliconfig"
-)
-
-const (
-	version = "0.1.2"
-	usage   = "inspect images on a registry"
-)
-
-var inspectCmd = func(c *cli.Context) {
-	imgInspect, err := inspect(c)
-	if err != nil {
-		logrus.Fatal(err)
-	}
-	out, err := json.Marshal(imgInspect)
-	if err != nil {
-		logrus.Fatal(err)
-	}
-	fmt.Println(string(out))
-}
-
-func main() {
-	app := cli.NewApp()
-	app.Name = "skopeo"
-	app.Version = version
-	app.Usage = usage
-	app.Flags = []cli.Flag{
-		cli.BoolFlag{
-			Name:  "debug",
-			Usage: "enable debug output",
-		},
-		cli.StringFlag{
-			Name:  "username",
-			Value: "",
-			Usage: "registry username",
-		},
-		cli.StringFlag{
-			Name:  "password",
-			Value: "",
-			Usage: "registry password",
-		},
-		cli.StringFlag{
-			Name:  "docker-cfg",
-			Value: cliconfig.ConfigDir(),
-			Usage: "Docker's cli config for auth",
-		},
-	}
-	app.Before = func(c *cli.Context) error {
-		if c.GlobalBool("debug") {
-			logrus.SetLevel(logrus.DebugLevel)
-		}
-		return nil
-	}
-	app.Action = inspectCmd
-	if err := app.Run(os.Args); err != nil {
-		logrus.Fatal(err)
-	}
-}

man/skopeo.1.md

@@ -1,14 +0,0 @@
-% SKOPEO(1)
-% Antonio Murdaca
-% JANUARY 2016
-# NAME
-skopeo - Inspect Docker images and repositories on registries
-
-# SYNOPSIS
-
-# DESCRIPTION
-
-# ARGUMENTS
-
-# AUTHORS
-Antonio Murdaca <runcom@redhat.com>

skopeo.spec

@@ -1,48 +0,0 @@
-Name:           skopeo
-Version:        0.1.2
-Release:        0%{?dist}
-Summary:        Inspect Docker images and repositories on registries
-License:        MIT
-URL:            https://github.com/runcom/skopeo
-Source:         https://github.com/runcom/skopeo/archive/v%{version}.tar.gz
-
-BuildRequires: golang >= 1.5
-BuildRequires: golang-github-cpuguy83-go-md2man
-BuildRequires: golang(github.com/Sirupsen/logrus) >= 0.8.4
-BuildRequires: golang(github.com/codegangsta/cli) >= 1.2.0
-BuildRequires: golang(golang.org/x/net/context)
-
-%global debug_package %{nil}
-
-%description
-Get information about a Docker image or repository without pulling it
-
-%prep
-%setup -q -n %{name}-%{version}
-
-rm -rf vendor/github.com/codegangsta
-rm -rf vendor/github.com/Sirupsen
-rm -rf vendor/golang.org
-
-%build
-mkdir -p ./_build/src/github.com/runcom
-ln -s $(pwd) ./_build/src/github.com/runcom/skopeo
-export GOPATH=$(pwd)/_build:%{gopath}
-cd $(pwd)/_build/src/github.com/runcom/skopeo && make %{?_smp_mflags}
-
-%install
-mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man1
-make DESTDIR=%{buildroot} install
-
-%files
-%{_bindir}/skopeo
-%{_mandir}/man1/skopeo.1*
-%doc README.md LICENSE
-
-%changelog
-* Fri Jan 22 2016 Antonio Murdaca <runcom@redhat.com> - 0.1.2
-- v0.1.2
-* Fri Jan 22 2016 Antonio Murdaca <runcom@redhat.com> - 0.1.1
-- v0.1.1
-* Thu Jan 21 2016 Antonio Murdaca <runcom@redhat.com> - 0.1.0
-- v0.1.0

vendor/github.com/Sirupsen/logrus/.travis.yml

@@ -1,8 +1,9 @@
 language: go
 go:
-  - 1.2
   - 1.3
   - 1.4
+  - 1.5
   - tip
 install:
   - go get -t ./...
+script: GOMAXPROCS=4 GORACE="halt_on_error=1" go test -race -v ./...

vendor/github.com/Sirupsen/logrus/CHANGELOG.md

@@ -1,3 +1,22 @@
+# 0.10.0
+
+* feature: Add a test hook (#180)
+* feature: `ParseLevel` is now case-insensitive (#326)
+* feature: `FieldLogger` interface that generalizes `Logger` and `Entry` (#308)
+* performance: avoid re-allocations on `WithFields` (#335)
+
+# 0.9.0
+
+* logrus/text_formatter: don't emit empty msg
+* logrus/hooks/airbrake: move out of main repository
+* logrus/hooks/sentry: move out of main repository
+* logrus/hooks/papertrail: move out of main repository
+* logrus/hooks/bugsnag: move out of main repository
+* logrus/core: run tests with `-race`
+* logrus/core: detect TTY based on `stderr`
+* logrus/core: support `WithError` on logger
+* logrus/core: Solaris support
+
 # 0.8.7
 
 * logrus/core: fix possible race (#216)

vendor/github.com/Sirupsen/logrus/README.md

@@ -1,4 +1,4 @@
-# Logrus <img src="http://i.imgur.com/hTeVwmJ.png" width="40" height="40" alt=":walrus:" class="emoji" title=":walrus:"/>&nbsp;[![Build Status](https://travis-ci.org/Sirupsen/logrus.svg?branch=master)](https://travis-ci.org/Sirupsen/logrus)&nbsp;[![godoc reference](https://godoc.org/github.com/Sirupsen/logrus?status.png)][godoc]
+# Logrus <img src="http://i.imgur.com/hTeVwmJ.png" width="40" height="40" alt=":walrus:" class="emoji" title=":walrus:"/>&nbsp;[![Build Status](https://travis-ci.org/Sirupsen/logrus.svg?branch=master)](https://travis-ci.org/Sirupsen/logrus)&nbsp;[![GoDoc](https://godoc.org/github.com/Sirupsen/logrus?status.svg)](https://godoc.org/github.com/Sirupsen/logrus)
 
 Logrus is a structured logger for Go (golang), completely API compatible with
 the standard library logger. [Godoc][godoc]. **Please note the Logrus API is not
@@ -12,7 +12,7 @@ plain text):
 
 ![Colored](http://i.imgur.com/PY7qMwd.png)
 
-With `log.Formatter = new(logrus.JSONFormatter)`, for easy parsing by logstash
+With `log.SetFormatter(&log.JSONFormatter{})`, for easy parsing by logstash
 or Splunk:
 
 ```json
@@ -32,7 +32,7 @@ ocean","size":10,"time":"2014-03-10 19:57:38.562264131 -0400 EDT"}
 "time":"2014-03-10 19:57:38.562543128 -0400 EDT"}
 ```
 
-With the default `log.Formatter = new(&log.TextFormatter{})` when a TTY is not
+With the default `log.SetFormatter(&log.TextFormatter{})` when a TTY is not
 attached, the output is compatible with the
 [logfmt](http://godoc.org/github.com/kr/logfmt) format:
 
@@ -75,17 +75,12 @@ package main
 import (
   "os"
   log "github.com/Sirupsen/logrus"
-  "github.com/Sirupsen/logrus/hooks/airbrake"
 )
 
 func init() {
   // Log as JSON instead of the default ASCII formatter.
   log.SetFormatter(&log.JSONFormatter{})
 
-  // Use the Airbrake hook to report errors that have Error severity or above to
-  // an exception tracker. You can create custom hooks, see the Hooks section.
-  log.AddHook(airbrake.NewHook("https://example.com", "xyz", "development"))
-
   // Output to stderr instead of stdout, could also be a file.
   log.SetOutput(os.Stderr)
 
@@ -182,13 +177,16 @@ Logrus comes with [built-in hooks](hooks/). Add those, or your custom hook, in
 ```go
 import (
   log "github.com/Sirupsen/logrus"
-  "github.com/Sirupsen/logrus/hooks/airbrake"
+  "gopkg.in/gemnasium/logrus-airbrake-hook.v2" // the package is named "aibrake"
   logrus_syslog "github.com/Sirupsen/logrus/hooks/syslog"
   "log/syslog"
 )
 
 func init() {
-  log.AddHook(airbrake.NewHook("https://example.com", "xyz", "development"))
+
+  // Use the Airbrake hook to report errors that have Error severity or above to
+  // an exception tracker. You can create custom hooks, see the Hooks section.
+  log.AddHook(airbrake.NewHook(123, "xyz", "production"))
 
   hook, err := logrus_syslog.NewSyslogHook("udp", "localhost:514", syslog.LOG_INFO, "")
   if err != nil {
@@ -198,20 +196,21 @@ func init() {
   }
 }
 ```
-
+Note: Syslog hook also support connecting to local syslog (Ex. "/dev/log" or "/var/run/syslog" or "/var/run/log"). For the detail, please check the [syslog hook README](hooks/syslog/README.md).
 
 | Hook  | Description |
 | ----- | ----------- |
-| [Airbrake](https://github.com/Sirupsen/logrus/blob/master/hooks/airbrake/airbrake.go) | Send errors to an exception tracking service compatible with the Airbrake API. Uses [`airbrake-go`](https://github.com/tobi/airbrake-go) behind the scenes. |
-| [Papertrail](https://github.com/Sirupsen/logrus/blob/master/hooks/papertrail/papertrail.go) | Send errors to the Papertrail hosted logging service via UDP. |
+| [Airbrake](https://github.com/gemnasium/logrus-airbrake-hook) | Send errors to the Airbrake API V3. Uses the official [`gobrake`](https://github.com/airbrake/gobrake) behind the scenes. |
+| [Airbrake "legacy"](https://github.com/gemnasium/logrus-airbrake-legacy-hook) | Send errors to an exception tracking service compatible with the Airbrake API V2. Uses [`airbrake-go`](https://github.com/tobi/airbrake-go) behind the scenes. |
+| [Papertrail](https://github.com/polds/logrus-papertrail-hook) | Send errors to the [Papertrail](https://papertrailapp.com) hosted logging service via UDP. |
 | [Syslog](https://github.com/Sirupsen/logrus/blob/master/hooks/syslog/syslog.go) | Send errors to remote syslog server. Uses standard library `log/syslog` behind the scenes. |
-| [BugSnag](https://github.com/Sirupsen/logrus/blob/master/hooks/bugsnag/bugsnag.go) | Send errors to the Bugsnag exception tracking service. |
-| [Sentry](https://github.com/Sirupsen/logrus/blob/master/hooks/sentry/sentry.go) | Send errors to the Sentry error logging and aggregation service. |
+| [Bugsnag](https://github.com/Shopify/logrus-bugsnag/blob/master/bugsnag.go) | Send errors to the Bugsnag exception tracking service. |
+| [Sentry](https://github.com/evalphobia/logrus_sentry) | Send errors to the Sentry error logging and aggregation service. |
 | [Hiprus](https://github.com/nubo/hiprus) | Send errors to a channel in hipchat. |
 | [Logrusly](https://github.com/sebest/logrusly) | Send logs to [Loggly](https://www.loggly.com/) |
 | [Slackrus](https://github.com/johntdyer/slackrus) | Hook for Slack chat. |
 | [Journalhook](https://github.com/wercker/journalhook) | Hook for logging to `systemd-journald` |
-| [Graylog](https://github.com/gemnasium/logrus-hooks/tree/master/graylog) | Hook for logging to [Graylog](http://graylog2.org/) |
+| [Graylog](https://github.com/gemnasium/logrus-graylog-hook) | Hook for logging to [Graylog](http://graylog2.org/) |
 | [Raygun](https://github.com/squirkle/logrus-raygun-hook) | Hook for logging to [Raygun.io](http://raygun.io/) |
 | [LFShook](https://github.com/rifflock/lfshook) | Hook for logging to the local filesystem |
 | [Honeybadger](https://github.com/agonzalezro/logrus_honeybadger) | Hook for sending exceptions to Honeybadger |
@@ -219,6 +218,15 @@ func init() {
 | [Rollrus](https://github.com/heroku/rollrus) | Hook for sending errors to rollbar |
 | [Fluentd](https://github.com/evalphobia/logrus_fluent) | Hook for logging to fluentd |
 | [Mongodb](https://github.com/weekface/mgorus) | Hook for logging to mongodb |
+| [InfluxDB](https://github.com/Abramovic/logrus_influxdb) | Hook for logging to influxdb |
+| [Octokit](https://github.com/dorajistyle/logrus-octokit-hook) | Hook for logging to github via octokit |
+| [DeferPanic](https://github.com/deferpanic/dp-logrus) | Hook for logging to DeferPanic |
+| [Redis-Hook](https://github.com/rogierlommers/logrus-redis-hook) | Hook for logging to a ELK stack (through Redis) |
+| [Amqp-Hook](https://github.com/vladoatanasov/logrus_amqp) | Hook for logging to Amqp broker (Like RabbitMQ) |
+| [KafkaLogrus](https://github.com/goibibo/KafkaLogrus) | Hook for logging to kafka |
+| [Typetalk](https://github.com/dragon3/logrus-typetalk-hook) | Hook for logging to [Typetalk](https://www.typetalk.in/) |
+| [ElasticSearch](https://github.com/sohlich/elogrus) | Hook for logging to ElasticSearch|
+
 
 #### Level logging
 
@@ -296,15 +304,16 @@ The built-in logging formatters are:
     field to `true`.  To force no colored output even if there is a TTY  set the
     `DisableColors` field to `true`
 * `logrus.JSONFormatter`. Logs fields as JSON.
-* `logrus_logstash.LogstashFormatter`. Logs fields as Logstash Events (http://logstash.net).
+* `logrus/formatters/logstash.LogstashFormatter`. Logs fields as [Logstash](http://logstash.net) Events.
 
     ```go
-      logrus.SetFormatter(&logrus_logstash.LogstashFormatter{Type: “application_name"})
+      logrus.SetFormatter(&logstash.LogstashFormatter{Type: "application_name"})
     ```
 
 Third party logging formatters:
 
-* [`zalgo`](https://github.com/aybabtme/logzalgo): invoking the P͉̫o̳̼̊w̖͈̰͎e̬͔̭͂r͚̼̹̲ ̫͓͉̳͈ō̠͕͖̚f̝͍̠ ͕̲̞͖͑Z̖̫̤̫ͪa͉̬͈̗l͖͎g̳̥o̰̥̅!̣͔̲̻͊̄ ̙̘̦̹̦.
+* [`prefixed`](https://github.com/x-cray/logrus-prefixed-formatter). Displays log entry source along with alternative layout.
+* [`zalgo`](https://github.com/aybabtme/logzalgo). Invoking the P͉̫o̳̼̊w̖͈̰͎e̬͔̭͂r͚̼̹̲ ̫͓͉̳͈ō̠͕͖̚f̝͍̠ ͕̲̞͖͑Z̖̫̤̫ͪa͉̬͈̗l͖͎g̳̥o̰̥̅!̣͔̲̻͊̄ ̙̘̦̹̦.
 
 You can define your formatter by implementing the `Formatter` interface,
 requiring a `Format` method. `Format` takes an `*Entry`. `entry.Data` is a
@@ -353,5 +362,27 @@ Log rotation is not provided with Logrus. Log rotation should be done by an
 external program (like `logrotate(8)`) that can compress and delete old log
 entries. It should not be a feature of the application-level logger.
 
+#### Tools
 
-[godoc]: https://godoc.org/github.com/Sirupsen/logrus
+| Tool | Description |
+| ---- | ----------- |
+|[Logrus Mate](https://github.com/gogap/logrus_mate)|Logrus mate is a tool for Logrus to manage loggers, you can initial logger's level, hook and formatter by config file, the logger will generated with different config at different environment.|
+
+#### Testing
+
+Logrus has a built in facility for asserting the presence of log messages. This is implemented through the `test` hook and provides:
+
+* decorators for existing logger (`test.NewLocal` and `test.NewGlobal`) which basically just add the `test` hook
+* a test logger (`test.NewNullLogger`) that just records log messages (and does not output any):
+
+```go
+logger, hook := NewNullLogger()
+logger.Error("Hello error")
+
+assert.Equal(1, len(hook.Entries))
+assert.Equal(logrus.ErrorLevel, hook.LastEntry().Level)
+assert.Equal("Hello error", hook.LastEntry().Message)
+
+hook.Reset()
+assert.Nil(hook.LastEntry())
+```

vendor/github.com/Sirupsen/logrus/entry.go

@@ -68,7 +68,7 @@ func (entry *Entry) WithField(key string, value interface{}) *Entry {
 
 // Add a map of fields to the Entry.
 func (entry *Entry) WithFields(fields Fields) *Entry {
-	data := Fields{}
+	data := make(Fields, len(entry.Data)+len(fields))
 	for k, v := range entry.Data {
 		data[k] = v
 	}

vendor/github.com/Sirupsen/logrus/logger.go

@@ -64,6 +64,12 @@ func (logger *Logger) WithFields(fields Fields) *Entry {
 	return NewEntry(logger).WithFields(fields)
 }
 
+// Add an error as single field to the log entry.  All it does is call
+// `WithError` for the given `error`.
+func (logger *Logger) WithError(err error) *Entry {
+	return NewEntry(logger).WithError(err)
+}
+
 func (logger *Logger) Debugf(format string, args ...interface{}) {
 	if logger.Level >= DebugLevel {
 		NewEntry(logger).Debugf(format, args...)

vendor/github.com/Sirupsen/logrus/logrus.go

@@ -3,6 +3,7 @@ package logrus
 import (
 	"fmt"
 	"log"
+	"strings"
 )
 
 // Fields type, used to pass to `WithFields`.
@@ -33,7 +34,7 @@ func (level Level) String() string {
 
 // ParseLevel takes a string level and returns the Logrus log level constant.
 func ParseLevel(lvl string) (Level, error) {
-	switch lvl {
+	switch strings.ToLower(lvl) {
 	case "panic":
 		return PanicLevel, nil
 	case "fatal":
@@ -52,6 +53,16 @@ func ParseLevel(lvl string) (Level, error) {
 	return l, fmt.Errorf("not a valid logrus Level: %q", lvl)
 }
 
+// A constant exposing all logging levels
+var AllLevels = []Level{
+	PanicLevel,
+	FatalLevel,
+	ErrorLevel,
+	WarnLevel,
+	InfoLevel,
+	DebugLevel,
+}
+
 // These are the different logging levels. You can set the logging level to log
 // on your instance of logger, obtained with `logrus.New()`.
 const (
@@ -96,3 +107,37 @@ type StdLogger interface {
 	Panicf(string, ...interface{})
 	Panicln(...interface{})
 }
+
+// The FieldLogger interface generalizes the Entry and Logger types
+type FieldLogger interface {
+	WithField(key string, value interface{}) *Entry
+	WithFields(fields Fields) *Entry
+	WithError(err error) *Entry
+
+	Debugf(format string, args ...interface{})
+	Infof(format string, args ...interface{})
+	Printf(format string, args ...interface{})
+	Warnf(format string, args ...interface{})
+	Warningf(format string, args ...interface{})
+	Errorf(format string, args ...interface{})
+	Fatalf(format string, args ...interface{})
+	Panicf(format string, args ...interface{})
+
+	Debug(args ...interface{})
+	Info(args ...interface{})
+	Print(args ...interface{})
+	Warn(args ...interface{})
+	Warning(args ...interface{})
+	Error(args ...interface{})
+	Fatal(args ...interface{})
+	Panic(args ...interface{})
+
+	Debugln(args ...interface{})
+	Infoln(args ...interface{})
+	Println(args ...interface{})
+	Warnln(args ...interface{})
+	Warningln(args ...interface{})
+	Errorln(args ...interface{})
+	Fatalln(args ...interface{})
+	Panicln(args ...interface{})
+}

vendor/github.com/Sirupsen/logrus/terminal_notwindows.go

@@ -12,9 +12,9 @@ import (
 	"unsafe"
 )
 
-// IsTerminal returns true if the given file descriptor is a terminal.
+// IsTerminal returns true if stderr's file descriptor is a terminal.
 func IsTerminal() bool {
-	fd := syscall.Stdout
+	fd := syscall.Stderr
 	var termios Termios
 	_, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(fd), ioctlReadTermios, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)
 	return err == 0

vendor/github.com/Sirupsen/logrus/terminal_solaris.go

@@ -0,0 +1,15 @@
+// +build solaris
+
+package logrus
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+// IsTerminal returns true if the given file descriptor is a terminal.
+func IsTerminal() bool {
+	_, err := unix.IoctlGetTermios(int(os.Stdout.Fd()), unix.TCGETA)
+	return err == nil
+}

vendor/github.com/Sirupsen/logrus/terminal_windows.go

@@ -18,9 +18,9 @@ var (
 	procGetConsoleMode = kernel32.NewProc("GetConsoleMode")
 )
 
-// IsTerminal returns true if the given file descriptor is a terminal.
+// IsTerminal returns true if stderr's file descriptor is a terminal.
 func IsTerminal() bool {
-	fd := syscall.Stdout
+	fd := syscall.Stderr
 	var st uint32
 	r, _, e := syscall.Syscall(procGetConsoleMode.Addr(), 2, uintptr(fd), uintptr(unsafe.Pointer(&st)), 0)
 	return r != 0 && e == 0

vendor/github.com/Sirupsen/logrus/text_formatter.go

@@ -84,7 +84,9 @@ func (f *TextFormatter) Format(entry *Entry) ([]byte, error) {
 			f.appendKeyValue(b, "time", entry.Time.Format(timestampFormat))
 		}
 		f.appendKeyValue(b, "level", entry.Level.String())
-		f.appendKeyValue(b, "msg", entry.Message)
+		if entry.Message != "" {
+			f.appendKeyValue(b, "msg", entry.Message)
+		}
 		for _, key := range keys {
 			f.appendKeyValue(b, key, entry.Data[key])
 		}

vendor/github.com/codegangsta/cli/.travis.yml

@@ -1,6 +0,0 @@
-language: go
-go: 1.1
-
-script:
-- go vet ./...
-- go test -v ./...

vendor/github.com/codegangsta/cli/README.md

@@ -1,280 +0,0 @@
-[![Build Status](https://travis-ci.org/codegangsta/cli.png?branch=master)](https://travis-ci.org/codegangsta/cli)
-
-# cli.go
-cli.go is simple, fast, and fun package for building command line apps in Go. The goal is to enable developers to write fast and distributable command line applications in an expressive way.
-
-You can view the API docs here:
-http://godoc.org/github.com/codegangsta/cli
-
-## Overview
-Command line apps are usually so tiny that there is absolutely no reason why your code should *not* be self-documenting. Things like generating help text and parsing command flags/options should not hinder productivity when writing a command line app.
-
-This is where cli.go comes into play. cli.go makes command line programming fun, organized, and expressive!
-
-## Installation
-Make sure you have a working Go environment (go 1.1 is *required*). [See the install instructions](http://golang.org/doc/install.html).
-
-To install cli.go, simply run:
-```
-$ go get github.com/codegangsta/cli
-```
-
-Make sure your PATH includes to the `$GOPATH/bin` directory so your commands can be easily used:
-```
-export PATH=$PATH:$GOPATH/bin
-```
-
-## Getting Started
-One of the philosophies behind cli.go is that an API should be playful and full of discovery. So a cli.go app can be as little as one line of code in `main()`. 
-
-``` go
-package main
-
-import (
-  "os"
-  "github.com/codegangsta/cli"
-)
-
-func main() {
-  cli.NewApp().Run(os.Args)
-}
-```
-
-This app will run and show help text, but is not very useful. Let's give an action to execute and some help documentation:
-
-``` go
-package main
-
-import (
-  "os"
-  "github.com/codegangsta/cli"
-)
-
-func main() {
-  app := cli.NewApp()
-  app.Name = "boom"
-  app.Usage = "make an explosive entrance"
-  app.Action = func(c *cli.Context) {
-    println("boom! I say!")
-  }
-  
-  app.Run(os.Args)
-}
-```
-
-Running this already gives you a ton of functionality, plus support for things like subcommands and flags, which are covered below.
-
-## Example
-
-Being a programmer can be a lonely job. Thankfully by the power of automation that is not the case! Let's create a greeter app to fend off our demons of loneliness!
-
-``` go
-/* greet.go */
-package main
-
-import (
-  "os"
-  "github.com/codegangsta/cli"
-)
-
-func main() {
-  app := cli.NewApp()
-  app.Name = "greet"
-  app.Usage = "fight the loneliness!"
-  app.Action = func(c *cli.Context) {
-    println("Hello friend!")
-  }
-  
-  app.Run(os.Args)
-}
-```
-
-Install our command to the `$GOPATH/bin` directory:
-
-```
-$ go install
-```
-
-Finally run our new command:
-
-```
-$ greet
-Hello friend!
-```
-
-cli.go also generates some bitchass help text:
-```
-$ greet help
-NAME:
-    greet - fight the loneliness!
-
-USAGE:
-    greet [global options] command [command options] [arguments...]
-
-VERSION:
-    0.0.0
-
-COMMANDS:
-    help, h  Shows a list of commands or help for one command
-
-GLOBAL OPTIONS
-    --version	Shows version information
-```
-
-### Arguments
-You can lookup arguments by calling the `Args` function on cli.Context.
-
-``` go
-...
-app.Action = func(c *cli.Context) {
-  println("Hello", c.Args()[0])
-}
-...
-```
-
-### Flags
-Setting and querying flags is simple.
-``` go
-...
-app.Flags = []cli.Flag {
-  cli.StringFlag{
-    Name: "lang",
-    Value: "english",
-    Usage: "language for the greeting",
-  },
-}
-app.Action = func(c *cli.Context) {
-  name := "someone"
-  if len(c.Args()) > 0 {
-    name = c.Args()[0]
-  }
-  if c.String("lang") == "spanish" {
-    println("Hola", name)
-  } else {
-    println("Hello", name)
-  }
-}
-...
-```
-
-#### Alternate Names
-
-You can set alternate (or short) names for flags by providing a comma-delimited list for the Name. e.g.
-
-``` go
-app.Flags = []cli.Flag {
-  cli.StringFlag{
-    Name: "lang, l",
-    Value: "english",
-    Usage: "language for the greeting",
-  },
-}
-```
-
-#### Values from the Environment
-
-You can also have the default value set from the environment via EnvVar.  e.g.
-
-``` go
-app.Flags = []cli.Flag {
-  cli.StringFlag{
-    Name: "lang, l",
-    Value: "english",
-    Usage: "language for the greeting",
-    EnvVar: "APP_LANG",
-  },
-}
-```
-
-That flag can then be set with `--lang spanish` or `-l spanish`. Note that giving two different forms of the same flag in the same command invocation is an error.
-
-### Subcommands
-
-Subcommands can be defined for a more git-like command line app.
-```go
-...
-app.Commands = []cli.Command{
-  {
-    Name:      "add",
-    ShortName: "a",
-    Usage:     "add a task to the list",
-    Action: func(c *cli.Context) {
-      println("added task: ", c.Args().First())
-    },
-  },
-  {
-    Name:      "complete",
-    ShortName: "c",
-    Usage:     "complete a task on the list",
-    Action: func(c *cli.Context) {
-      println("completed task: ", c.Args().First())
-    },
-  },
-  {
-    Name:      "template",
-    ShortName: "r",
-    Usage:     "options for task templates",
-    Subcommands: []cli.Command{
-      {
-        Name:  "add",
-        Usage: "add a new template",
-        Action: func(c *cli.Context) {
-            println("new task template: ", c.Args().First())
-        },
-      },
-      {
-        Name:  "remove",
-        Usage: "remove an existing template",
-        Action: func(c *cli.Context) {
-          println("removed task template: ", c.Args().First())
-        },
-      },
-    },
-  },     
-}
-...
-```
-
-### Bash Completion
-
-You can enable completion commands by setting the EnableBashCompletion
-flag on the App object.  By default, this setting will only auto-complete to
-show an app's subcommands, but you can write your own completion methods for
-the App or its subcommands.
-```go
-...
-var tasks = []string{"cook", "clean", "laundry", "eat", "sleep", "code"}
-app := cli.NewApp()
-app.EnableBashCompletion = true
-app.Commands = []cli.Command{
-  {
-    Name: "complete",
-    ShortName: "c",
-    Usage: "complete a task on the list",
-    Action: func(c *cli.Context) {
-       println("completed task: ", c.Args().First())
-    },
-    BashComplete: func(c *cli.Context) {
-      // This will complete if no args are passed
-      if len(c.Args()) > 0 {
-        return
-      }
-      for _, t := range tasks {
-        println(t)
-      }
-    },
-  }
-}
-...
-```
-
-#### To Enable
-
-Source the autocomplete/bash_autocomplete file in your .bashrc file while
-setting the PROG variable to the name of your program:
-
-`PROG=myprogram source /.../cli/autocomplete/bash_autocomplete`
-
-
-## About
-cli.go is written by none other than the [Code Gangsta](http://codegangsta.io)

vendor/github.com/codegangsta/cli/app.go

@@ -1,248 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"time"
-)
-
-// App is the main structure of a cli application. It is recomended that
-// and app be created with the cli.NewApp() function
-type App struct {
-	// The name of the program. Defaults to os.Args[0]
-	Name string
-	// Description of the program.
-	Usage string
-	// Version of the program
-	Version string
-	// List of commands to execute
-	Commands []Command
-	// List of flags to parse
-	Flags []Flag
-	// Boolean to enable bash completion commands
-	EnableBashCompletion bool
-	// Boolean to hide built-in help command
-	HideHelp bool
-	// An action to execute when the bash-completion flag is set
-	BashComplete func(context *Context)
-	// An action to execute before any subcommands are run, but after the context is ready
-	// If a non-nil error is returned, no subcommands are run
-	Before func(context *Context) error
-	// The action to execute when no subcommands are specified
-	Action func(context *Context)
-	// Execute this function if the proper command cannot be found
-	CommandNotFound func(context *Context, command string)
-	// Compilation date
-	Compiled time.Time
-	// Author
-	Author string
-	// Author e-mail
-	Email string
-}
-
-// Tries to find out when this binary was compiled.
-// Returns the current time if it fails to find it.
-func compileTime() time.Time {
-	info, err := os.Stat(os.Args[0])
-	if err != nil {
-		return time.Now()
-	}
-	return info.ModTime()
-}
-
-// Creates a new cli Application with some reasonable defaults for Name, Usage, Version and Action.
-func NewApp() *App {
-	return &App{
-		Name:         os.Args[0],
-		Usage:        "A new cli application",
-		Version:      "0.0.0",
-		BashComplete: DefaultAppComplete,
-		Action:       helpCommand.Action,
-		Compiled:     compileTime(),
-		Author:       "Author",
-		Email:        "unknown@email",
-	}
-}
-
-// Entry point to the cli app. Parses the arguments slice and routes to the proper flag/args combination
-func (a *App) Run(arguments []string) error {
-	// append help to commands
-	if a.Command(helpCommand.Name) == nil && !a.HideHelp {
-		a.Commands = append(a.Commands, helpCommand)
-		a.appendFlag(HelpFlag)
-	}
-
-	//append version/help flags
-	if a.EnableBashCompletion {
-		a.appendFlag(BashCompletionFlag)
-	}
-	a.appendFlag(VersionFlag)
-
-	// parse flags
-	set := flagSet(a.Name, a.Flags)
-	set.SetOutput(ioutil.Discard)
-	err := set.Parse(arguments[1:])
-	nerr := normalizeFlags(a.Flags, set)
-	if nerr != nil {
-		fmt.Println(nerr)
-		context := NewContext(a, set, set)
-		ShowAppHelp(context)
-		fmt.Println("")
-		return nerr
-	}
-	context := NewContext(a, set, set)
-
-	if err != nil {
-		fmt.Printf("Incorrect Usage.\n\n")
-		ShowAppHelp(context)
-		fmt.Println("")
-		return err
-	}
-
-	if checkCompletions(context) {
-		return nil
-	}
-
-	if checkHelp(context) {
-		return nil
-	}
-
-	if checkVersion(context) {
-		return nil
-	}
-
-	if a.Before != nil {
-		err := a.Before(context)
-		if err != nil {
-			return err
-		}
-	}
-
-	args := context.Args()
-	if args.Present() {
-		name := args.First()
-		c := a.Command(name)
-		if c != nil {
-			return c.Run(context)
-		}
-	}
-
-	// Run default Action
-	a.Action(context)
-	return nil
-}
-
-// Another entry point to the cli app, takes care of passing arguments and error handling
-func (a *App) RunAndExitOnError() {
-	if err := a.Run(os.Args); err != nil {
-		os.Stderr.WriteString(fmt.Sprintln(err))
-		os.Exit(1)
-	}
-}
-
-// Invokes the subcommand given the context, parses ctx.Args() to generate command-specific flags
-func (a *App) RunAsSubcommand(ctx *Context) error {
-	// append help to commands
-	if len(a.Commands) > 0 {
-		if a.Command(helpCommand.Name) == nil && !a.HideHelp {
-			a.Commands = append(a.Commands, helpCommand)
-			a.appendFlag(HelpFlag)
-		}
-	}
-
-	// append flags
-	if a.EnableBashCompletion {
-		a.appendFlag(BashCompletionFlag)
-	}
-
-	// parse flags
-	set := flagSet(a.Name, a.Flags)
-	set.SetOutput(ioutil.Discard)
-	err := set.Parse(ctx.Args().Tail())
-	nerr := normalizeFlags(a.Flags, set)
-	context := NewContext(a, set, ctx.globalSet)
-
-	if nerr != nil {
-		fmt.Println(nerr)
-		if len(a.Commands) > 0 {
-			ShowSubcommandHelp(context)
-		} else {
-			ShowCommandHelp(ctx, context.Args().First())
-		}
-		fmt.Println("")
-		return nerr
-	}
-
-	if err != nil {
-		fmt.Printf("Incorrect Usage.\n\n")
-		ShowSubcommandHelp(context)
-		return err
-	}
-
-	if checkCompletions(context) {
-		return nil
-	}
-
-	if len(a.Commands) > 0 {
-		if checkSubcommandHelp(context) {
-			return nil
-		}
-	} else {
-		if checkCommandHelp(ctx, context.Args().First()) {
-			return nil
-		}
-	}
-
-	if a.Before != nil {
-		err := a.Before(context)
-		if err != nil {
-			return err
-		}
-	}
-
-	args := context.Args()
-	if args.Present() {
-		name := args.First()
-		c := a.Command(name)
-		if c != nil {
-			return c.Run(context)
-		}
-	}
-
-	// Run default Action
-	if len(a.Commands) > 0 {
-		a.Action(context)
-	} else {
-		a.Action(ctx)
-	}
-
-	return nil
-}
-
-// Returns the named command on App. Returns nil if the command does not exist
-func (a *App) Command(name string) *Command {
-	for _, c := range a.Commands {
-		if c.HasName(name) {
-			return &c
-		}
-	}
-
-	return nil
-}
-
-func (a *App) hasFlag(flag Flag) bool {
-	for _, f := range a.Flags {
-		if flag == f {
-			return true
-		}
-	}
-
-	return false
-}
-
-func (a *App) appendFlag(flag Flag) {
-	if !a.hasFlag(flag) {
-		a.Flags = append(a.Flags, flag)
-	}
-}

vendor/github.com/codegangsta/cli/command.go

@@ -1,141 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"io/ioutil"
-	"strings"
-)
-
-// Command is a subcommand for a cli.App.
-type Command struct {
-	// The name of the command
-	Name string
-	// short name of the command. Typically one character
-	ShortName string
-	// A short description of the usage of this command
-	Usage string
-	// A longer explanation of how the command works
-	Description string
-	// The function to call when checking for bash command completions
-	BashComplete func(context *Context)
-	// An action to execute before any sub-subcommands are run, but after the context is ready
-	// If a non-nil error is returned, no sub-subcommands are run
-	Before func(context *Context) error
-	// The function to call when this command is invoked
-	Action func(context *Context)
-	// List of child commands
-	Subcommands []Command
-	// List of flags to parse
-	Flags []Flag
-	// Treat all flags as normal arguments if true
-	SkipFlagParsing bool
-	// Boolean to hide built-in help command
-	HideHelp bool
-}
-
-// Invokes the command given the context, parses ctx.Args() to generate command-specific flags
-func (c Command) Run(ctx *Context) error {
-
-	if len(c.Subcommands) > 0 || c.Before != nil {
-		return c.startApp(ctx)
-	}
-
-	if !c.HideHelp {
-		// append help to flags
-		c.Flags = append(
-			c.Flags,
-			HelpFlag,
-		)
-	}
-
-	if ctx.App.EnableBashCompletion {
-		c.Flags = append(c.Flags, BashCompletionFlag)
-	}
-
-	set := flagSet(c.Name, c.Flags)
-	set.SetOutput(ioutil.Discard)
-
-	firstFlagIndex := -1
-	for index, arg := range ctx.Args() {
-		if strings.HasPrefix(arg, "-") {
-			firstFlagIndex = index
-			break
-		}
-	}
-
-	var err error
-	if firstFlagIndex > -1 && !c.SkipFlagParsing {
-		args := ctx.Args()
-		regularArgs := args[1:firstFlagIndex]
-		flagArgs := args[firstFlagIndex:]
-		err = set.Parse(append(flagArgs, regularArgs...))
-	} else {
-		err = set.Parse(ctx.Args().Tail())
-	}
-
-	if err != nil {
-		fmt.Printf("Incorrect Usage.\n\n")
-		ShowCommandHelp(ctx, c.Name)
-		fmt.Println("")
-		return err
-	}
-
-	nerr := normalizeFlags(c.Flags, set)
-	if nerr != nil {
-		fmt.Println(nerr)
-		fmt.Println("")
-		ShowCommandHelp(ctx, c.Name)
-		fmt.Println("")
-		return nerr
-	}
-	context := NewContext(ctx.App, set, ctx.globalSet)
-
-	if checkCommandCompletions(context, c.Name) {
-		return nil
-	}
-
-	if checkCommandHelp(context, c.Name) {
-		return nil
-	}
-	context.Command = c
-	c.Action(context)
-	return nil
-}
-
-// Returns true if Command.Name or Command.ShortName matches given name
-func (c Command) HasName(name string) bool {
-	return c.Name == name || c.ShortName == name
-}
-
-func (c Command) startApp(ctx *Context) error {
-	app := NewApp()
-
-	// set the name and usage
-	app.Name = fmt.Sprintf("%s %s", ctx.App.Name, c.Name)
-	if c.Description != "" {
-		app.Usage = c.Description
-	} else {
-		app.Usage = c.Usage
-	}
-
-	// set the flags and commands
-	app.Commands = c.Subcommands
-	app.Flags = c.Flags
-	app.HideHelp = c.HideHelp
-
-	// bash completion
-	app.EnableBashCompletion = ctx.App.EnableBashCompletion
-	if c.BashComplete != nil {
-		app.BashComplete = c.BashComplete
-	}
-
-	// set the actions
-	app.Before = c.Before
-	if c.Action != nil {
-		app.Action = c.Action
-	} else {
-		app.Action = helpSubcommand.Action
-	}
-
-	return app.RunAsSubcommand(ctx)
-}

vendor/github.com/codegangsta/cli/context.go

@@ -1,280 +0,0 @@
-package cli
-
-import (
-	"errors"
-	"flag"
-	"strconv"
-	"strings"
-)
-
-// Context is a type that is passed through to
-// each Handler action in a cli application. Context
-// can be used to retrieve context-specific Args and
-// parsed command-line options.
-type Context struct {
-	App       *App
-	Command   Command
-	flagSet   *flag.FlagSet
-	globalSet *flag.FlagSet
-	setFlags  map[string]bool
-}
-
-// Creates a new context. For use in when invoking an App or Command action.
-func NewContext(app *App, set *flag.FlagSet, globalSet *flag.FlagSet) *Context {
-	return &Context{App: app, flagSet: set, globalSet: globalSet}
-}
-
-// Looks up the value of a local int flag, returns 0 if no int flag exists
-func (c *Context) Int(name string) int {
-	return lookupInt(name, c.flagSet)
-}
-
-// Looks up the value of a local float64 flag, returns 0 if no float64 flag exists
-func (c *Context) Float64(name string) float64 {
-	return lookupFloat64(name, c.flagSet)
-}
-
-// Looks up the value of a local bool flag, returns false if no bool flag exists
-func (c *Context) Bool(name string) bool {
-	return lookupBool(name, c.flagSet)
-}
-
-// Looks up the value of a local boolT flag, returns false if no bool flag exists
-func (c *Context) BoolT(name string) bool {
-	return lookupBoolT(name, c.flagSet)
-}
-
-// Looks up the value of a local string flag, returns "" if no string flag exists
-func (c *Context) String(name string) string {
-	return lookupString(name, c.flagSet)
-}
-
-// Looks up the value of a local string slice flag, returns nil if no string slice flag exists
-func (c *Context) StringSlice(name string) []string {
-	return lookupStringSlice(name, c.flagSet)
-}
-
-// Looks up the value of a local int slice flag, returns nil if no int slice flag exists
-func (c *Context) IntSlice(name string) []int {
-	return lookupIntSlice(name, c.flagSet)
-}
-
-// Looks up the value of a local generic flag, returns nil if no generic flag exists
-func (c *Context) Generic(name string) interface{} {
-	return lookupGeneric(name, c.flagSet)
-}
-
-// Looks up the value of a global int flag, returns 0 if no int flag exists
-func (c *Context) GlobalInt(name string) int {
-	return lookupInt(name, c.globalSet)
-}
-
-// Looks up the value of a global bool flag, returns false if no bool flag exists
-func (c *Context) GlobalBool(name string) bool {
-	return lookupBool(name, c.globalSet)
-}
-
-// Looks up the value of a global string flag, returns "" if no string flag exists
-func (c *Context) GlobalString(name string) string {
-	return lookupString(name, c.globalSet)
-}
-
-// Looks up the value of a global string slice flag, returns nil if no string slice flag exists
-func (c *Context) GlobalStringSlice(name string) []string {
-	return lookupStringSlice(name, c.globalSet)
-}
-
-// Looks up the value of a global int slice flag, returns nil if no int slice flag exists
-func (c *Context) GlobalIntSlice(name string) []int {
-	return lookupIntSlice(name, c.globalSet)
-}
-
-// Looks up the value of a global generic flag, returns nil if no generic flag exists
-func (c *Context) GlobalGeneric(name string) interface{} {
-	return lookupGeneric(name, c.globalSet)
-}
-
-// Determines if the flag was actually set exists
-func (c *Context) IsSet(name string) bool {
-	if c.setFlags == nil {
-		c.setFlags = make(map[string]bool)
-		c.flagSet.Visit(func(f *flag.Flag) {
-			c.setFlags[f.Name] = true
-		})
-	}
-	return c.setFlags[name] == true
-}
-
-type Args []string
-
-// Returns the command line arguments associated with the context.
-func (c *Context) Args() Args {
-	args := Args(c.flagSet.Args())
-	return args
-}
-
-// Returns the nth argument, or else a blank string
-func (a Args) Get(n int) string {
-	if len(a) > n {
-		return a[n]
-	}
-	return ""
-}
-
-// Returns the first argument, or else a blank string
-func (a Args) First() string {
-	return a.Get(0)
-}
-
-// Return the rest of the arguments (not the first one)
-// or else an empty string slice
-func (a Args) Tail() []string {
-	if len(a) >= 2 {
-		return []string(a)[1:]
-	}
-	return []string{}
-}
-
-// Checks if there are any arguments present
-func (a Args) Present() bool {
-	return len(a) != 0
-}
-
-// Swaps arguments at the given indexes
-func (a Args) Swap(from, to int) error {
-	if from >= len(a) || to >= len(a) {
-		return errors.New("index out of range")
-	}
-	a[from], a[to] = a[to], a[from]
-	return nil
-}
-
-func lookupInt(name string, set *flag.FlagSet) int {
-	f := set.Lookup(name)
-	if f != nil {
-		val, err := strconv.Atoi(f.Value.String())
-		if err != nil {
-			return 0
-		}
-		return val
-	}
-
-	return 0
-}
-
-func lookupFloat64(name string, set *flag.FlagSet) float64 {
-	f := set.Lookup(name)
-	if f != nil {
-		val, err := strconv.ParseFloat(f.Value.String(), 64)
-		if err != nil {
-			return 0
-		}
-		return val
-	}
-
-	return 0
-}
-
-func lookupString(name string, set *flag.FlagSet) string {
-	f := set.Lookup(name)
-	if f != nil {
-		return f.Value.String()
-	}
-
-	return ""
-}
-
-func lookupStringSlice(name string, set *flag.FlagSet) []string {
-	f := set.Lookup(name)
-	if f != nil {
-		return (f.Value.(*StringSlice)).Value()
-
-	}
-
-	return nil
-}
-
-func lookupIntSlice(name string, set *flag.FlagSet) []int {
-	f := set.Lookup(name)
-	if f != nil {
-		return (f.Value.(*IntSlice)).Value()
-
-	}
-
-	return nil
-}
-
-func lookupGeneric(name string, set *flag.FlagSet) interface{} {
-	f := set.Lookup(name)
-	if f != nil {
-		return f.Value
-	}
-	return nil
-}
-
-func lookupBool(name string, set *flag.FlagSet) bool {
-	f := set.Lookup(name)
-	if f != nil {
-		val, err := strconv.ParseBool(f.Value.String())
-		if err != nil {
-			return false
-		}
-		return val
-	}
-
-	return false
-}
-
-func lookupBoolT(name string, set *flag.FlagSet) bool {
-	f := set.Lookup(name)
-	if f != nil {
-		val, err := strconv.ParseBool(f.Value.String())
-		if err != nil {
-			return true
-		}
-		return val
-	}
-
-	return false
-}
-
-func copyFlag(name string, ff *flag.Flag, set *flag.FlagSet) {
-	switch ff.Value.(type) {
-	case *StringSlice:
-	default:
-		set.Set(name, ff.Value.String())
-	}
-}
-
-func normalizeFlags(flags []Flag, set *flag.FlagSet) error {
-	visited := make(map[string]bool)
-	set.Visit(func(f *flag.Flag) {
-		visited[f.Name] = true
-	})
-	for _, f := range flags {
-		parts := strings.Split(f.getName(), ",")
-		if len(parts) == 1 {
-			continue
-		}
-		var ff *flag.Flag
-		for _, name := range parts {
-			name = strings.Trim(name, " ")
-			if visited[name] {
-				if ff != nil {
-					return errors.New("Cannot use two forms of the same flag: " + name + " " + ff.Name)
-				}
-				ff = set.Lookup(name)
-			}
-		}
-		if ff == nil {
-			continue
-		}
-		for _, name := range parts {
-			name = strings.Trim(name, " ")
-			if !visited[name] {
-				copyFlag(name, ff, set)
-			}
-		}
-	}
-	return nil
-}

vendor/github.com/codegangsta/cli/flag.go

@@ -1,379 +0,0 @@
-package cli
-
-import (
-	"flag"
-	"fmt"
-	"os"
-	"strconv"
-	"strings"
-)
-
-// This flag enables bash-completion for all commands and subcommands
-var BashCompletionFlag = BoolFlag{
-	Name: "generate-bash-completion",
-}
-
-// This flag prints the version for the application
-var VersionFlag = BoolFlag{
-	Name:  "version, v",
-	Usage: "print the version",
-}
-
-// This flag prints the help for all commands and subcommands
-var HelpFlag = BoolFlag{
-	Name:  "help, h",
-	Usage: "show help",
-}
-
-// Flag is a common interface related to parsing flags in cli.
-// For more advanced flag parsing techniques, it is recomended that
-// this interface be implemented.
-type Flag interface {
-	fmt.Stringer
-	// Apply Flag settings to the given flag set
-	Apply(*flag.FlagSet)
-	getName() string
-}
-
-func flagSet(name string, flags []Flag) *flag.FlagSet {
-	set := flag.NewFlagSet(name, flag.ContinueOnError)
-
-	for _, f := range flags {
-		f.Apply(set)
-	}
-	return set
-}
-
-func eachName(longName string, fn func(string)) {
-	parts := strings.Split(longName, ",")
-	for _, name := range parts {
-		name = strings.Trim(name, " ")
-		fn(name)
-	}
-}
-
-// Generic is a generic parseable type identified by a specific flag
-type Generic interface {
-	Set(value string) error
-	String() string
-}
-
-// GenericFlag is the flag type for types implementing Generic
-type GenericFlag struct {
-	Name   string
-	Value  Generic
-	Usage  string
-	EnvVar string
-}
-
-func (f GenericFlag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s%s %v\t`%v` %s", prefixFor(f.Name), f.Name, f.Value, "-"+f.Name+" option -"+f.Name+" option", f.Usage))
-}
-
-func (f GenericFlag) Apply(set *flag.FlagSet) {
-	val := f.Value
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			val.Set(envVal)
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Var(f.Value, name, f.Usage)
-	})
-}
-
-func (f GenericFlag) getName() string {
-	return f.Name
-}
-
-type StringSlice []string
-
-func (f *StringSlice) Set(value string) error {
-	*f = append(*f, value)
-	return nil
-}
-
-func (f *StringSlice) String() string {
-	return fmt.Sprintf("%s", *f)
-}
-
-func (f *StringSlice) Value() []string {
-	return *f
-}
-
-type StringSliceFlag struct {
-	Name   string
-	Value  *StringSlice
-	Usage  string
-	EnvVar string
-}
-
-func (f StringSliceFlag) String() string {
-	firstName := strings.Trim(strings.Split(f.Name, ",")[0], " ")
-	pref := prefixFor(firstName)
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s '%v'\t%v", prefixedNames(f.Name), pref+firstName+" option "+pref+firstName+" option", f.Usage))
-}
-
-func (f StringSliceFlag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			newVal := &StringSlice{}
-			for _, s := range strings.Split(envVal, ",") {
-				newVal.Set(s)
-			}
-			f.Value = newVal
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Var(f.Value, name, f.Usage)
-	})
-}
-
-func (f StringSliceFlag) getName() string {
-	return f.Name
-}
-
-type IntSlice []int
-
-func (f *IntSlice) Set(value string) error {
-
-	tmp, err := strconv.Atoi(value)
-	if err != nil {
-		return err
-	} else {
-		*f = append(*f, tmp)
-	}
-	return nil
-}
-
-func (f *IntSlice) String() string {
-	return fmt.Sprintf("%d", *f)
-}
-
-func (f *IntSlice) Value() []int {
-	return *f
-}
-
-type IntSliceFlag struct {
-	Name   string
-	Value  *IntSlice
-	Usage  string
-	EnvVar string
-}
-
-func (f IntSliceFlag) String() string {
-	firstName := strings.Trim(strings.Split(f.Name, ",")[0], " ")
-	pref := prefixFor(firstName)
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s '%v'\t%v", prefixedNames(f.Name), pref+firstName+" option "+pref+firstName+" option", f.Usage))
-}
-
-func (f IntSliceFlag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			newVal := &IntSlice{}
-			for _, s := range strings.Split(envVal, ",") {
-				err := newVal.Set(s)
-				if err != nil {
-					fmt.Fprintf(os.Stderr, err.Error())
-				}
-			}
-			f.Value = newVal
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Var(f.Value, name, f.Usage)
-	})
-}
-
-func (f IntSliceFlag) getName() string {
-	return f.Name
-}
-
-type BoolFlag struct {
-	Name   string
-	Usage  string
-	EnvVar string
-}
-
-func (f BoolFlag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s\t%v", prefixedNames(f.Name), f.Usage))
-}
-
-func (f BoolFlag) Apply(set *flag.FlagSet) {
-	val := false
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			envValBool, err := strconv.ParseBool(envVal)
-			if err == nil {
-				val = envValBool
-			}
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Bool(name, val, f.Usage)
-	})
-}
-
-func (f BoolFlag) getName() string {
-	return f.Name
-}
-
-type BoolTFlag struct {
-	Name   string
-	Usage  string
-	EnvVar string
-}
-
-func (f BoolTFlag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s\t%v", prefixedNames(f.Name), f.Usage))
-}
-
-func (f BoolTFlag) Apply(set *flag.FlagSet) {
-	val := true
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			envValBool, err := strconv.ParseBool(envVal)
-			if err == nil {
-				val = envValBool
-			}
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Bool(name, val, f.Usage)
-	})
-}
-
-func (f BoolTFlag) getName() string {
-	return f.Name
-}
-
-type StringFlag struct {
-	Name   string
-	Value  string
-	Usage  string
-	EnvVar string
-}
-
-func (f StringFlag) String() string {
-	var fmtString string
-	fmtString = "%s %v\t%v"
-
-	if len(f.Value) > 0 {
-		fmtString = "%s '%v'\t%v"
-	} else {
-		fmtString = "%s %v\t%v"
-	}
-
-	return withEnvHint(f.EnvVar, fmt.Sprintf(fmtString, prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-func (f StringFlag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			f.Value = envVal
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.String(name, f.Value, f.Usage)
-	})
-}
-
-func (f StringFlag) getName() string {
-	return f.Name
-}
-
-type IntFlag struct {
-	Name   string
-	Value  int
-	Usage  string
-	EnvVar string
-}
-
-func (f IntFlag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s '%v'\t%v", prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-func (f IntFlag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			envValInt, err := strconv.ParseUint(envVal, 10, 64)
-			if err == nil {
-				f.Value = int(envValInt)
-			}
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Int(name, f.Value, f.Usage)
-	})
-}
-
-func (f IntFlag) getName() string {
-	return f.Name
-}
-
-type Float64Flag struct {
-	Name   string
-	Value  float64
-	Usage  string
-	EnvVar string
-}
-
-func (f Float64Flag) String() string {
-	return withEnvHint(f.EnvVar, fmt.Sprintf("%s '%v'\t%v", prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-func (f Float64Flag) Apply(set *flag.FlagSet) {
-	if f.EnvVar != "" {
-		if envVal := os.Getenv(f.EnvVar); envVal != "" {
-			envValFloat, err := strconv.ParseFloat(envVal, 10)
-			if err == nil {
-				f.Value = float64(envValFloat)
-			}
-		}
-	}
-
-	eachName(f.Name, func(name string) {
-		set.Float64(name, f.Value, f.Usage)
-	})
-}
-
-func (f Float64Flag) getName() string {
-	return f.Name
-}
-
-func prefixFor(name string) (prefix string) {
-	if len(name) == 1 {
-		prefix = "-"
-	} else {
-		prefix = "--"
-	}
-
-	return
-}
-
-func prefixedNames(fullName string) (prefixed string) {
-	parts := strings.Split(fullName, ",")
-	for i, name := range parts {
-		name = strings.Trim(name, " ")
-		prefixed += prefixFor(name) + name
-		if i < len(parts)-1 {
-			prefixed += ", "
-		}
-	}
-	return
-}
-
-func withEnvHint(envVar, str string) string {
-	envText := ""
-	if envVar != "" {
-		envText = fmt.Sprintf(" [$%s]", envVar)
-	}
-	return str + envText
-}

vendor/github.com/codegangsta/cli/help.go

@@ -1,213 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"os"
-	"text/tabwriter"
-	"text/template"
-)
-
-// The text template for the Default help topic.
-// cli.go uses text/template to render templates. You can
-// render custom help text by setting this variable.
-var AppHelpTemplate = `NAME:
-   {{.Name}} - {{.Usage}}
-
-USAGE:
-   {{.Name}} {{ if .Flags }}[global options] {{ end }}command{{ if .Flags }} [command options]{{ end }} [arguments...]
-
-VERSION:
-   {{.Version}}
-
-COMMANDS:
-   {{range .Commands}}{{.Name}}{{with .ShortName}}, {{.}}{{end}}{{ "\t" }}{{.Usage}}
-   {{end}}{{ if .Flags }}
-GLOBAL OPTIONS:
-   {{range .Flags}}{{.}}
-   {{end}}{{ end }}
-`
-
-// The text template for the command help topic.
-// cli.go uses text/template to render templates. You can
-// render custom help text by setting this variable.
-var CommandHelpTemplate = `NAME:
-   {{.Name}} - {{.Usage}}
-
-USAGE:
-   command {{.Name}}{{ if .Flags }} [command options]{{ end }} [arguments...]
-
-DESCRIPTION:
-   {{.Description}}{{ if .Flags }}
-
-OPTIONS:
-   {{range .Flags}}{{.}}
-   {{end}}{{ end }}
-`
-
-// The text template for the subcommand help topic.
-// cli.go uses text/template to render templates. You can
-// render custom help text by setting this variable.
-var SubcommandHelpTemplate = `NAME:
-   {{.Name}} - {{.Usage}}
-
-USAGE:
-   {{.Name}} command{{ if .Flags }} [command options]{{ end }} [arguments...]
-
-COMMANDS:
-   {{range .Commands}}{{.Name}}{{with .ShortName}}, {{.}}{{end}}{{ "\t" }}{{.Usage}}
-   {{end}}{{ if .Flags }}
-OPTIONS:
-   {{range .Flags}}{{.}}
-   {{end}}{{ end }}
-`
-
-var helpCommand = Command{
-	Name:      "help",
-	ShortName: "h",
-	Usage:     "Shows a list of commands or help for one command",
-	Action: func(c *Context) {
-		args := c.Args()
-		if args.Present() {
-			ShowCommandHelp(c, args.First())
-		} else {
-			ShowAppHelp(c)
-		}
-	},
-}
-
-var helpSubcommand = Command{
-	Name:      "help",
-	ShortName: "h",
-	Usage:     "Shows a list of commands or help for one command",
-	Action: func(c *Context) {
-		args := c.Args()
-		if args.Present() {
-			ShowCommandHelp(c, args.First())
-		} else {
-			ShowSubcommandHelp(c)
-		}
-	},
-}
-
-// Prints help for the App
-var HelpPrinter = printHelp
-
-func ShowAppHelp(c *Context) {
-	HelpPrinter(AppHelpTemplate, c.App)
-}
-
-// Prints the list of subcommands as the default app completion method
-func DefaultAppComplete(c *Context) {
-	for _, command := range c.App.Commands {
-		fmt.Println(command.Name)
-		if command.ShortName != "" {
-			fmt.Println(command.ShortName)
-		}
-	}
-}
-
-// Prints help for the given command
-func ShowCommandHelp(c *Context, command string) {
-	for _, c := range c.App.Commands {
-		if c.HasName(command) {
-			HelpPrinter(CommandHelpTemplate, c)
-			return
-		}
-	}
-
-	if c.App.CommandNotFound != nil {
-		c.App.CommandNotFound(c, command)
-	} else {
-		fmt.Printf("No help topic for '%v'\n", command)
-	}
-}
-
-// Prints help for the given subcommand
-func ShowSubcommandHelp(c *Context) {
-	HelpPrinter(SubcommandHelpTemplate, c.App)
-}
-
-// Prints the version number of the App
-func ShowVersion(c *Context) {
-	fmt.Printf("%v version %v\n", c.App.Name, c.App.Version)
-}
-
-// Prints the lists of commands within a given context
-func ShowCompletions(c *Context) {
-	a := c.App
-	if a != nil && a.BashComplete != nil {
-		a.BashComplete(c)
-	}
-}
-
-// Prints the custom completions for a given command
-func ShowCommandCompletions(ctx *Context, command string) {
-	c := ctx.App.Command(command)
-	if c != nil && c.BashComplete != nil {
-		c.BashComplete(ctx)
-	}
-}
-
-func printHelp(templ string, data interface{}) {
-	w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
-	t := template.Must(template.New("help").Parse(templ))
-	err := t.Execute(w, data)
-	if err != nil {
-		panic(err)
-	}
-	w.Flush()
-}
-
-func checkVersion(c *Context) bool {
-	if c.GlobalBool("version") {
-		ShowVersion(c)
-		return true
-	}
-
-	return false
-}
-
-func checkHelp(c *Context) bool {
-	if c.GlobalBool("h") || c.GlobalBool("help") {
-		ShowAppHelp(c)
-		return true
-	}
-
-	return false
-}
-
-func checkCommandHelp(c *Context, name string) bool {
-	if c.Bool("h") || c.Bool("help") {
-		ShowCommandHelp(c, name)
-		return true
-	}
-
-	return false
-}
-
-func checkSubcommandHelp(c *Context) bool {
-	if c.GlobalBool("h") || c.GlobalBool("help") {
-		ShowSubcommandHelp(c)
-		return true
-	}
-
-	return false
-}
-
-func checkCompletions(c *Context) bool {
-	if c.GlobalBool(BashCompletionFlag.Name) && c.App.EnableBashCompletion {
-		ShowCompletions(c)
-		return true
-	}
-
-	return false
-}
-
-func checkCommandCompletions(c *Context, name string) bool {
-	if c.Bool(BashCompletionFlag.Name) && c.App.EnableBashCompletion {
-		ShowCommandCompletions(c, name)
-		return true
-	}
-
-	return false
-}

vendor/github.com/containers/image/LICENSE

@@ -0,0 +1,189 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/github.com/containers/image/copy/copy.go

@@ -0,0 +1,353 @@
+package copy
+
+import (
+	"bytes"
+	"compress/gzip"
+	"crypto/sha256"
+	"crypto/subtle"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"hash"
+	"io"
+	"io/ioutil"
+	"reflect"
+	"strings"
+
+	pb "gopkg.in/cheggaaa/pb.v1"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/image"
+	"github.com/containers/image/signature"
+	"github.com/containers/image/transports"
+	"github.com/containers/image/types"
+)
+
+// supportedDigests lists the supported blob digest types.
+var supportedDigests = map[string]func() hash.Hash{
+	"sha256": sha256.New,
+}
+
+type digestingReader struct {
+	source           io.Reader
+	digest           hash.Hash
+	expectedDigest   []byte
+	validationFailed bool
+}
+
+// newDigestingReader returns an io.Reader implementation with contents of source, which will eventually return a non-EOF error
+// and set validationFailed to true if the source stream does not match expectedDigestString.
+func newDigestingReader(source io.Reader, expectedDigestString string) (*digestingReader, error) {
+	fields := strings.SplitN(expectedDigestString, ":", 2)
+	if len(fields) != 2 {
+		return nil, fmt.Errorf("Invalid digest specification %s", expectedDigestString)
+	}
+	fn, ok := supportedDigests[fields[0]]
+	if !ok {
+		return nil, fmt.Errorf("Invalid digest specification %s: unknown digest type %s", expectedDigestString, fields[0])
+	}
+	digest := fn()
+	expectedDigest, err := hex.DecodeString(fields[1])
+	if err != nil {
+		return nil, fmt.Errorf("Invalid digest value %s: %v", expectedDigestString, err)
+	}
+	if len(expectedDigest) != digest.Size() {
+		return nil, fmt.Errorf("Invalid digest specification %s: length %d does not match %d", expectedDigestString, len(expectedDigest), digest.Size())
+	}
+	return &digestingReader{
+		source:           source,
+		digest:           digest,
+		expectedDigest:   expectedDigest,
+		validationFailed: false,
+	}, nil
+}
+
+func (d *digestingReader) Read(p []byte) (int, error) {
+	n, err := d.source.Read(p)
+	if n > 0 {
+		if n2, err := d.digest.Write(p[:n]); n2 != n || err != nil {
+			// Coverage: This should not happen, the hash.Hash interface requires
+			// d.digest.Write to never return an error, and the io.Writer interface
+			// requires n2 == len(input) if no error is returned.
+			return 0, fmt.Errorf("Error updating digest during verification: %d vs. %d, %v", n2, n, err)
+		}
+	}
+	if err == io.EOF {
+		actualDigest := d.digest.Sum(nil)
+		if subtle.ConstantTimeCompare(actualDigest, d.expectedDigest) != 1 {
+			d.validationFailed = true
+			return 0, fmt.Errorf("Digest did not match, expected %s, got %s", hex.EncodeToString(d.expectedDigest), hex.EncodeToString(actualDigest))
+		}
+	}
+	return n, err
+}
+
+// Options allows supplying non-default configuration modifying the behavior of CopyImage.
+type Options struct {
+	RemoveSignatures bool   // Remove any pre-existing signatures. SignBy will still add a new signature.
+	SignBy           string // If non-empty, asks for a signature to be added during the copy, and specifies a key ID, as accepted by signature.NewGPGSigningMechanism().SignDockerManifest(),
+	ReportWriter     io.Writer
+}
+
+// Image copies image from srcRef to destRef, using policyContext to validate source image admissibility.
+func Image(ctx *types.SystemContext, policyContext *signature.PolicyContext, destRef, srcRef types.ImageReference, options *Options) error {
+	reportWriter := options.ReportWriter
+	if reportWriter == nil {
+		reportWriter = ioutil.Discard
+	}
+	writeReport := func(f string, a ...interface{}) {
+		fmt.Fprintf(reportWriter, f, a...)
+	}
+	dest, err := destRef.NewImageDestination(ctx)
+	if err != nil {
+		return fmt.Errorf("Error initializing destination %s: %v", transports.ImageName(destRef), err)
+	}
+	defer dest.Close()
+
+	rawSource, err := srcRef.NewImageSource(ctx, dest.SupportedManifestMIMETypes())
+	if err != nil {
+		return fmt.Errorf("Error initializing source %s: %v", transports.ImageName(srcRef), err)
+	}
+	src := image.FromSource(rawSource)
+	defer src.Close()
+
+	// Please keep this policy check BEFORE reading any other information about the image.
+	if allowed, err := policyContext.IsRunningImageAllowed(src); !allowed || err != nil { // Be paranoid and fail if either return value indicates so.
+		return fmt.Errorf("Source image rejected: %v", err)
+	}
+
+	writeReport("Getting image source manifest\n")
+	manifest, _, err := src.Manifest()
+	if err != nil {
+		return fmt.Errorf("Error reading manifest: %v", err)
+	}
+
+	var sigs [][]byte
+	if options != nil && options.RemoveSignatures {
+		sigs = [][]byte{}
+	} else {
+		writeReport("Getting image source signatures\n")
+		s, err := src.Signatures()
+		if err != nil {
+			return fmt.Errorf("Error reading signatures: %v", err)
+		}
+		sigs = s
+	}
+	if len(sigs) != 0 {
+		writeReport("Checking if image destination supports signatures\n")
+		if err := dest.SupportsSignatures(); err != nil {
+			return fmt.Errorf("Can not copy signatures: %v", err)
+		}
+	}
+	canModifyManifest := len(sigs) == 0
+
+	writeReport("Getting image source configuration\n")
+	srcConfigInfo, err := src.ConfigInfo()
+	if err != nil {
+		return fmt.Errorf("Error parsing manifest: %v", err)
+	}
+	if srcConfigInfo.Digest != "" {
+		writeReport("Uploading blob %s\n", srcConfigInfo.Digest)
+		destConfigInfo, err := copyBlob(dest, rawSource, srcConfigInfo, false, options.ReportWriter)
+		if err != nil {
+			return err
+		}
+		if destConfigInfo.Digest != srcConfigInfo.Digest {
+			return fmt.Errorf("Internal error: copying uncompressed config blob %s changed digest to %s", srcConfigInfo.Digest, destConfigInfo.Digest)
+		}
+	}
+
+	srcLayerInfos, err := src.LayerInfos()
+	if err != nil {
+		return fmt.Errorf("Error parsing manifest: %v", err)
+	}
+	destLayerInfos := []types.BlobInfo{}
+	copiedLayers := map[string]types.BlobInfo{}
+	for _, srcLayer := range srcLayerInfos {
+		destLayer, ok := copiedLayers[srcLayer.Digest]
+		if !ok {
+			writeReport("Uploading blob %s\n", srcLayer.Digest)
+			destLayer, err = copyBlob(dest, rawSource, srcLayer, canModifyManifest, options.ReportWriter)
+			if err != nil {
+				return err
+			}
+			copiedLayers[srcLayer.Digest] = destLayer
+		}
+		destLayerInfos = append(destLayerInfos, destLayer)
+	}
+
+	manifestUpdates := types.ManifestUpdateOptions{}
+	if layerDigestsDiffer(srcLayerInfos, destLayerInfos) {
+		manifestUpdates.LayerInfos = destLayerInfos
+	}
+
+	if !reflect.DeepEqual(manifestUpdates, types.ManifestUpdateOptions{}) {
+		if !canModifyManifest {
+			return fmt.Errorf("Internal error: copy needs an updated manifest but that was known to be forbidden")
+		}
+		manifest, err = src.UpdatedManifest(manifestUpdates)
+		if err != nil {
+			return fmt.Errorf("Error creating an updated manifest: %v", err)
+		}
+	}
+
+	if options != nil && options.SignBy != "" {
+		mech, err := signature.NewGPGSigningMechanism()
+		if err != nil {
+			return fmt.Errorf("Error initializing GPG: %v", err)
+		}
+		dockerReference := dest.Reference().DockerReference()
+		if dockerReference == nil {
+			return fmt.Errorf("Cannot determine canonical Docker reference for destination %s", transports.ImageName(dest.Reference()))
+		}
+
+		writeReport("Signing manifest\n")
+		newSig, err := signature.SignDockerManifest(manifest, dockerReference.String(), mech, options.SignBy)
+		if err != nil {
+			return fmt.Errorf("Error creating signature: %v", err)
+		}
+		sigs = append(sigs, newSig)
+	}
+
+	writeReport("Uploading manifest to image destination\n")
+	if err := dest.PutManifest(manifest); err != nil {
+		return fmt.Errorf("Error writing manifest: %v", err)
+	}
+
+	writeReport("Storing signatures\n")
+	if err := dest.PutSignatures(sigs); err != nil {
+		return fmt.Errorf("Error writing signatures: %v", err)
+	}
+
+	if err := dest.Commit(); err != nil {
+		return fmt.Errorf("Error committing the finished image: %v", err)
+	}
+
+	return nil
+}
+
+// layerDigestsDiffer return true iff the digests in a and b differ (ignoring sizes and possible other fields)
+func layerDigestsDiffer(a, b []types.BlobInfo) bool {
+	if len(a) != len(b) {
+		return true
+	}
+	for i := range a {
+		if a[i].Digest != b[i].Digest {
+			return true
+		}
+	}
+	return false
+}
+
+// copyBlob copies a blob with srcInfo (with known Digest and possibly known Size) in src to dest, perhaps compressing it if canCompress,
+// and returns a complete blobInfo of the copied blob.
+func copyBlob(dest types.ImageDestination, src types.ImageSource, srcInfo types.BlobInfo, canCompress bool, reportWriter io.Writer) (types.BlobInfo, error) {
+	srcStream, srcBlobSize, err := src.GetBlob(srcInfo.Digest) // We currently completely ignore srcInfo.Size throughout.
+	if err != nil {
+		return types.BlobInfo{}, fmt.Errorf("Error reading blob %s: %v", srcInfo.Digest, err)
+	}
+	defer srcStream.Close()
+
+	// Be paranoid; in case PutBlob somehow managed to ignore an error from digestingReader,
+	// use a separate validation failure indicator.
+	// Note that we don't use a stronger "validationSucceeded" indicator, because
+	// dest.PutBlob may detect that the layer already exists, in which case we don't
+	// read stream to the end, and validation does not happen.
+	digestingReader, err := newDigestingReader(srcStream, srcInfo.Digest)
+	if err != nil {
+		return types.BlobInfo{}, fmt.Errorf("Error preparing to verify blob %s: %v", srcInfo.Digest, err)
+	}
+	var destStream io.Reader = digestingReader
+	isCompressed, destStream, err := isStreamCompressed(destStream) // We could skip this in some cases, but let's keep the code path uniform
+	if err != nil {
+		return types.BlobInfo{}, fmt.Errorf("Error reading blob %s: %v", srcInfo.Digest, err)
+	}
+
+	bar := pb.New(int(srcInfo.Size)).SetUnits(pb.U_BYTES)
+	bar.Output = reportWriter
+	bar.SetMaxWidth(80)
+	bar.ShowTimeLeft = false
+	bar.ShowPercent = false
+	bar.Start()
+	destStream = bar.NewProxyReader(destStream)
+
+	defer fmt.Fprint(reportWriter, "\n")
+
+	var inputInfo types.BlobInfo
+	if !canCompress || isCompressed || !dest.ShouldCompressLayers() {
+		logrus.Debugf("Using original blob without modification")
+		inputInfo.Digest = srcInfo.Digest
+		inputInfo.Size = srcBlobSize
+	} else {
+		logrus.Debugf("Compressing blob on the fly")
+		pipeReader, pipeWriter := io.Pipe()
+		defer pipeReader.Close()
+
+		// If this fails while writing data, it will do pipeWriter.CloseWithError(); if it fails otherwise,
+		// e.g. because we have exited and due to pipeReader.Close() above further writing to the pipe has failed,
+		// we don’t care.
+		go compressGoroutine(pipeWriter, destStream) // Closes pipeWriter
+		destStream = pipeReader
+		inputInfo.Digest = ""
+		inputInfo.Size = -1
+	}
+
+	uploadedInfo, err := dest.PutBlob(destStream, inputInfo)
+	if err != nil {
+		return types.BlobInfo{}, fmt.Errorf("Error writing blob: %v", err)
+	}
+	if digestingReader.validationFailed { // Coverage: This should never happen.
+		return types.BlobInfo{}, fmt.Errorf("Internal error uploading blob %s, digest verification failed but was ignored", srcInfo.Digest)
+	}
+	if inputInfo.Digest != "" && uploadedInfo.Digest != inputInfo.Digest {
+		return types.BlobInfo{}, fmt.Errorf("Internal error uploading blob %s, blob with digest %s uploaded with digest %s", srcInfo.Digest, inputInfo.Digest, uploadedInfo.Digest)
+	}
+	return uploadedInfo, nil
+}
+
+// compressionPrefixes is an internal implementation detail of isStreamCompressed
+var compressionPrefixes = map[string][]byte{
+	"gzip":  {0x1F, 0x8B, 0x08},                   // gzip (RFC 1952)
+	"bzip2": {0x42, 0x5A, 0x68},                   // bzip2 (decompress.c:BZ2_decompress)
+	"xz":    {0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00}, // xz (/usr/share/doc/xz/xz-file-format.txt)
+}
+
+// isStreamCompressed returns true if input is recognized as a compressed format.
+// Because it consumes the start of input, other consumers must use the returned io.Reader instead to also read from the beginning.
+func isStreamCompressed(input io.Reader) (bool, io.Reader, error) {
+	buffer := [8]byte{}
+
+	n, err := io.ReadAtLeast(input, buffer[:], len(buffer))
+	if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
+		// This is a “real” error. We could just ignore it this time, process the data we have, and hope that the source will report the same error again.
+		// Instead, fail immediately with the original error cause instead of a possibly secondary/misleading error returned later.
+		return false, nil, err
+	}
+
+	isCompressed := false
+	for algo, prefix := range compressionPrefixes {
+		if bytes.HasPrefix(buffer[:n], prefix) {
+			logrus.Debugf("Detected compression format %s", algo)
+			isCompressed = true
+			break
+		}
+	}
+	if !isCompressed {
+		logrus.Debugf("No compression detected")
+	}
+
+	return isCompressed, io.MultiReader(bytes.NewReader(buffer[:n]), input), nil
+}
+
+// compressGoroutine reads all input from src and writes its compressed equivalent to dest.
+func compressGoroutine(dest *io.PipeWriter, src io.Reader) {
+	err := errors.New("Internal error: unexpected panic in compressGoroutine")
+	defer func() { // Note that this is not the same as {defer dest.CloseWithError(err)}; we need err to be evaluated lazily.
+		dest.CloseWithError(err) // CloseWithError(nil) is equivalent to Close()
+	}()
+
+	zipper := gzip.NewWriter(dest)
+	defer zipper.Close()
+
+	_, err = io.Copy(zipper, src) // Sets err to nil, i.e. causes dest.Close()
+}

vendor/github.com/containers/image/directory/directory_dest.go

@@ -0,0 +1,111 @@
+package directory
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/containers/image/types"
+)
+
+type dirImageDestination struct {
+	ref dirReference
+}
+
+// newImageDestination returns an ImageDestination for writing to an existing directory.
+func newImageDestination(ref dirReference) types.ImageDestination {
+	return &dirImageDestination{ref}
+}
+
+// Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
+// e.g. it should use the public hostname instead of the result of resolving CNAMEs or following redirects.
+func (d *dirImageDestination) Reference() types.ImageReference {
+	return d.ref
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any.
+func (d *dirImageDestination) Close() {
+}
+
+func (d *dirImageDestination) SupportedManifestMIMETypes() []string {
+	return nil
+}
+
+// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
+// Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
+func (d *dirImageDestination) SupportsSignatures() error {
+	return nil
+}
+
+// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
+func (d *dirImageDestination) ShouldCompressLayers() bool {
+	return false
+}
+
+// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
+// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
+// inputInfo.Size is the expected length of stream, if known.
+// WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
+// to any other readers for download using the supplied digest.
+// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
+func (d *dirImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
+	blobFile, err := ioutil.TempFile(d.ref.path, "dir-put-blob")
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	succeeded := false
+	defer func() {
+		blobFile.Close()
+		if !succeeded {
+			os.Remove(blobFile.Name())
+		}
+	}()
+
+	h := sha256.New()
+	tee := io.TeeReader(stream, h)
+
+	size, err := io.Copy(blobFile, tee)
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	computedDigest := hex.EncodeToString(h.Sum(nil))
+	if inputInfo.Size != -1 && size != inputInfo.Size {
+		return types.BlobInfo{}, fmt.Errorf("Size mismatch when copying %s, expected %d, got %d", computedDigest, inputInfo.Size, size)
+	}
+	if err := blobFile.Sync(); err != nil {
+		return types.BlobInfo{}, err
+	}
+	if err := blobFile.Chmod(0644); err != nil {
+		return types.BlobInfo{}, err
+	}
+	blobPath := d.ref.layerPath(computedDigest)
+	if err := os.Rename(blobFile.Name(), blobPath); err != nil {
+		return types.BlobInfo{}, err
+	}
+	succeeded = true
+	return types.BlobInfo{Digest: "sha256:" + computedDigest, Size: size}, nil
+}
+
+func (d *dirImageDestination) PutManifest(manifest []byte) error {
+	return ioutil.WriteFile(d.ref.manifestPath(), manifest, 0644)
+}
+
+func (d *dirImageDestination) PutSignatures(signatures [][]byte) error {
+	for i, sig := range signatures {
+		if err := ioutil.WriteFile(d.ref.signaturePath(i), sig, 0644); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted.
+// WARNING: This does not have any transactional semantics:
+// - Uploaded data MAY be visible to others before Commit() is called
+// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
+func (d *dirImageDestination) Commit() error {
+	return nil
+}

vendor/github.com/containers/image/directory/directory_src.go

@@ -0,0 +1,66 @@
+package directory
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/containers/image/types"
+)
+
+type dirImageSource struct {
+	ref dirReference
+}
+
+// newImageSource returns an ImageSource reading from an existing directory.
+// The caller must call .Close() on the returned ImageSource.
+func newImageSource(ref dirReference) types.ImageSource {
+	return &dirImageSource{ref}
+}
+
+// Reference returns the reference used to set up this source, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
+func (s *dirImageSource) Reference() types.ImageReference {
+	return s.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+func (s *dirImageSource) Close() {
+}
+
+// it's up to the caller to determine the MIME type of the returned manifest's bytes
+func (s *dirImageSource) GetManifest() ([]byte, string, error) {
+	m, err := ioutil.ReadFile(s.ref.manifestPath())
+	if err != nil {
+		return nil, "", err
+	}
+	return m, "", err
+}
+
+// GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
+func (s *dirImageSource) GetBlob(digest string) (io.ReadCloser, int64, error) {
+	r, err := os.Open(s.ref.layerPath(digest))
+	if err != nil {
+		return nil, 0, nil
+	}
+	fi, err := r.Stat()
+	if err != nil {
+		return nil, 0, nil
+	}
+	return r, fi.Size(), nil
+}
+
+func (s *dirImageSource) GetSignatures() ([][]byte, error) {
+	signatures := [][]byte{}
+	for i := 0; ; i++ {
+		signature, err := ioutil.ReadFile(s.ref.signaturePath(i))
+		if err != nil {
+			if os.IsNotExist(err) {
+				break
+			}
+			return nil, err
+		}
+		signatures = append(signatures, signature)
+	}
+	return signatures, nil
+}

vendor/github.com/containers/image/directory/directory_transport.go

@@ -0,0 +1,170 @@
+package directory
+
+import (
+	"errors"
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/containers/image/directory/explicitfilepath"
+	"github.com/containers/image/image"
+	"github.com/containers/image/types"
+	"github.com/docker/docker/reference"
+)
+
+// Transport is an ImageTransport for directory paths.
+var Transport = dirTransport{}
+
+type dirTransport struct{}
+
+func (t dirTransport) Name() string {
+	return "dir"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func (t dirTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return NewReference(reference)
+}
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+// (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
+// It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
+// scope passed to this function will not be "", that value is always allowed.
+func (t dirTransport) ValidatePolicyConfigurationScope(scope string) error {
+	if !strings.HasPrefix(scope, "/") {
+		return fmt.Errorf("Invalid scope %s: Must be an absolute path", scope)
+	}
+	// Refuse also "/", otherwise "/" and "" would have the same semantics,
+	// and "" could be unexpectedly shadowed by the "/" entry.
+	if scope == "/" {
+		return errors.New(`Invalid scope "/": Use the generic default scope ""`)
+	}
+	cleaned := filepath.Clean(scope)
+	if cleaned != scope {
+		return fmt.Errorf(`Invalid scope %s: Uses non-canonical format, perhaps try %s`, scope, cleaned)
+	}
+	return nil
+}
+
+// dirReference is an ImageReference for directory paths.
+type dirReference struct {
+	// Note that the interpretation of paths below depends on the underlying filesystem state, which may change under us at any time!
+	// Either of the paths may point to a different, or no, inode over time.  resolvedPath may contain symbolic links, and so on.
+
+	// Generally we follow the intent of the user, and use the "path" member for filesystem operations (e.g. the user can use a relative path to avoid
+	// being exposed to symlinks and renames in the parent directories to the working directory).
+	// (But in general, we make no attempt to be completely safe against concurrent hostile filesystem modifications.)
+	path         string // As specified by the user. May be relative, contain symlinks, etc.
+	resolvedPath string // Absolute path with no symlinks, at least at the time of its creation. Primarily used for policy namespaces.
+}
+
+// There is no directory.ParseReference because it is rather pointless.
+// Callers who need a transport-independent interface will go through
+// dirTransport.ParseReference; callers who intentionally deal with directories
+// can use directory.NewReference.
+
+// NewReference returns a directory reference for a specified path.
+//
+// We do not expose an API supplying the resolvedPath; we could, but recomputing it
+// is generally cheap enough that we prefer being confident about the properties of resolvedPath.
+func NewReference(path string) (types.ImageReference, error) {
+	resolved, err := explicitfilepath.ResolvePathToFullyExplicit(path)
+	if err != nil {
+		return nil, err
+	}
+	return dirReference{path: path, resolvedPath: resolved}, nil
+}
+
+func (ref dirReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+// NOTE: The returned string is not promised to be equal to the original input to ParseReference;
+// e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
+// WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix.
+func (ref dirReference) StringWithinTransport() string {
+	return ref.path
+}
+
+// DockerReference returns a Docker reference associated with this reference
+// (fully explicit, i.e. !reference.IsNameOnly, but reflecting user intent,
+// not e.g. after redirect or alias processing), or nil if unknown/not applicable.
+func (ref dirReference) DockerReference() reference.Named {
+	return nil
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+// This MUST reflect user intent, not e.g. after processing of third-party redirects or aliases;
+// The value SHOULD be fully explicit about its semantics, with no hidden defaults, AND canonical
+// (i.e. various references with exactly the same semantics should return the same configuration identity)
+// It is fine for the return value to be equal to StringWithinTransport(), and it is desirable but
+// not required/guaranteed that it will be a valid input to Transport().ParseReference().
+// Returns "" if configuration identities for these references are not supported.
+func (ref dirReference) PolicyConfigurationIdentity() string {
+	return ref.resolvedPath
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set.  The list will be processed
+// in order, terminating on first match, and an implicit "" is always checked at the end.
+// It is STRONGLY recommended for the first element, if any, to be a prefix of PolicyConfigurationIdentity(),
+// and each following element to be a prefix of the element preceding it.
+func (ref dirReference) PolicyConfigurationNamespaces() []string {
+	res := []string{}
+	path := ref.resolvedPath
+	for {
+		lastSlash := strings.LastIndex(path, "/")
+		if lastSlash == -1 || lastSlash == 0 {
+			break
+		}
+		path = path[:lastSlash]
+		res = append(res, path)
+	}
+	// Note that we do not include "/"; it is redundant with the default "" global default,
+	// and rejected by dirTransport.ValidatePolicyConfigurationScope above.
+	return res
+}
+
+// NewImage returns a types.Image for this reference.
+// The caller must call .Close() on the returned Image.
+func (ref dirReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+	src := newImageSource(ref)
+	return image.FromSource(src), nil
+}
+
+// NewImageSource returns a types.ImageSource for this reference,
+// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
+// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// The caller must call .Close() on the returned ImageSource.
+func (ref dirReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	return newImageSource(ref), nil
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref dirReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ref), nil
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref dirReference) DeleteImage(ctx *types.SystemContext) error {
+	return fmt.Errorf("Deleting images not implemented for dir: images")
+}
+
+// manifestPath returns a path for the manifest within a directory using our conventions.
+func (ref dirReference) manifestPath() string {
+	return filepath.Join(ref.path, "manifest.json")
+}
+
+// layerPath returns a path for a layer tarball within a directory using our conventions.
+func (ref dirReference) layerPath(digest string) string {
+	// FIXME: Should we keep the digest identification?
+	return filepath.Join(ref.path, strings.TrimPrefix(digest, "sha256:")+".tar")
+}
+
+// signaturePath returns a path for a signature within a directory using our conventions.
+func (ref dirReference) signaturePath(index int) string {
+	return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1))
+}

vendor/github.com/containers/image/directory/explicitfilepath/path.go

@@ -0,0 +1,55 @@
+package explicitfilepath
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+// ResolvePathToFullyExplicit returns the input path converted to an absolute, no-symlinks, cleaned up path.
+// To do so, all elements of the input path must exist; as a special case, the final component may be
+// a non-existent name (but not a symlink pointing to a non-existent name)
+// This is intended as a a helper for implementations of types.ImageReference.PolicyConfigurationIdentity etc.
+func ResolvePathToFullyExplicit(path string) (string, error) {
+	switch _, err := os.Lstat(path); {
+	case err == nil:
+		return resolveExistingPathToFullyExplicit(path)
+	case os.IsNotExist(err):
+		parent, file := filepath.Split(path)
+		resolvedParent, err := resolveExistingPathToFullyExplicit(parent)
+		if err != nil {
+			return "", err
+		}
+		if file == "." || file == ".." {
+			// Coverage: This can happen, but very rarely: if we have successfully resolved the parent, both "." and ".." in it should have been resolved as well.
+			// This can still happen if there is a filesystem race condition, causing the Lstat() above to fail but the later resolution to succeed.
+			// We do not care to promise anything if such filesystem race conditions can happen, but we definitely don't want to return "."/".." components
+			// in the resulting path, and especially not at the end.
+			return "", fmt.Errorf("Unexpectedly missing special filename component in %s", path)
+		}
+		resolvedPath := filepath.Join(resolvedParent, file)
+		// As a sanity check, ensure that there are no "." or ".." components.
+		cleanedResolvedPath := filepath.Clean(resolvedPath)
+		if cleanedResolvedPath != resolvedPath {
+			// Coverage: This should never happen.
+			return "", fmt.Errorf("Internal inconsistency: Path %s resolved to %s still cleaned up to %s", path, resolvedPath, cleanedResolvedPath)
+		}
+		return resolvedPath, nil
+	default: // err != nil, unrecognized
+		return "", err
+	}
+}
+
+// resolveExistingPathToFullyExplicit is the same as ResolvePathToFullyExplicit,
+// but without the special case for missing final component.
+func resolveExistingPathToFullyExplicit(path string) (string, error) {
+	resolved, err := filepath.Abs(path)
+	if err != nil {
+		return "", err // Coverage: This can fail only if os.Getwd() fails.
+	}
+	resolved, err = filepath.EvalSymlinks(resolved)
+	if err != nil {
+		return "", err
+	}
+	return filepath.Clean(resolved), nil
+}

vendor/github.com/containers/image/docker/docker_client.go

@@ -0,0 +1,370 @@
+package docker
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/types"
+	"github.com/docker/docker/pkg/homedir"
+)
+
+const (
+	dockerHostname     = "docker.io"
+	dockerRegistry     = "registry-1.docker.io"
+	dockerAuthRegistry = "https://index.docker.io/v1/"
+
+	dockerCfg         = ".docker"
+	dockerCfgFileName = "config.json"
+	dockerCfgObsolete = ".dockercfg"
+
+	baseURL       = "%s://%s/v2/"
+	tagsURL       = "%s/tags/list"
+	manifestURL   = "%s/manifests/%s"
+	blobsURL      = "%s/blobs/%s"
+	blobUploadURL = "%s/blobs/uploads/"
+)
+
+// dockerClient is configuration for dealing with a single Docker registry.
+type dockerClient struct {
+	ctx             *types.SystemContext
+	registry        string
+	username        string
+	password        string
+	wwwAuthenticate string // Cache of a value set by ping() if scheme is not empty
+	scheme          string // Cache of a value returned by a successful ping() if not empty
+	client          *http.Client
+	signatureBase   signatureStorageBase
+}
+
+// newDockerClient returns a new dockerClient instance for refHostname (a host a specified in the Docker image reference, not canonicalized to dockerRegistry)
+// “write” specifies whether the client will be used for "write" access (in particular passed to lookaside.go:toplevelFromSection)
+func newDockerClient(ctx *types.SystemContext, ref dockerReference, write bool) (*dockerClient, error) {
+	registry := ref.ref.Hostname()
+	if registry == dockerHostname {
+		registry = dockerRegistry
+	}
+	username, password, err := getAuth(ref.ref.Hostname())
+	if err != nil {
+		return nil, err
+	}
+	var tr *http.Transport
+	if ctx != nil && (ctx.DockerCertPath != "" || ctx.DockerInsecureSkipTLSVerify) {
+		tlsc := &tls.Config{}
+
+		if ctx.DockerCertPath != "" {
+			cert, err := tls.LoadX509KeyPair(filepath.Join(ctx.DockerCertPath, "cert.pem"), filepath.Join(ctx.DockerCertPath, "key.pem"))
+			if err != nil {
+				return nil, fmt.Errorf("Error loading x509 key pair: %s", err)
+			}
+			tlsc.Certificates = append(tlsc.Certificates, cert)
+		}
+		tlsc.InsecureSkipVerify = ctx.DockerInsecureSkipTLSVerify
+		tr = &http.Transport{
+			TLSClientConfig: tlsc,
+		}
+	}
+	client := &http.Client{}
+	if tr != nil {
+		client.Transport = tr
+	}
+
+	sigBase, err := configuredSignatureStorageBase(ctx, ref, write)
+	if err != nil {
+		return nil, err
+	}
+
+	return &dockerClient{
+		ctx:           ctx,
+		registry:      registry,
+		username:      username,
+		password:      password,
+		client:        client,
+		signatureBase: sigBase,
+	}, nil
+}
+
+// makeRequest creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
+// url is NOT an absolute URL, but a path relative to the /v2/ top-level API path.  The host name and schema is taken from the client or autodetected.
+func (c *dockerClient) makeRequest(method, url string, headers map[string][]string, stream io.Reader) (*http.Response, error) {
+	if c.scheme == "" {
+		pr, err := c.ping()
+		if err != nil {
+			return nil, err
+		}
+		c.wwwAuthenticate = pr.WWWAuthenticate
+		c.scheme = pr.scheme
+	}
+
+	url = fmt.Sprintf(baseURL, c.scheme, c.registry) + url
+	return c.makeRequestToResolvedURL(method, url, headers, stream, -1)
+}
+
+// makeRequestToResolvedURL creates and executes a http.Request with the specified parameters, adding authentication and TLS options for the Docker client.
+// streamLen, if not -1, specifies the length of the data expected on stream.
+// makeRequest should generally be preferred.
+func (c *dockerClient) makeRequestToResolvedURL(method, url string, headers map[string][]string, stream io.Reader, streamLen int64) (*http.Response, error) {
+	req, err := http.NewRequest(method, url, stream)
+	if err != nil {
+		return nil, err
+	}
+	if streamLen != -1 { // Do not blindly overwrite if streamLen == -1, http.NewRequest above can figure out the length of bytes.Reader and similar objects without us having to compute it.
+		req.ContentLength = streamLen
+	}
+	req.Header.Set("Docker-Distribution-API-Version", "registry/2.0")
+	for n, h := range headers {
+		for _, hh := range h {
+			req.Header.Add(n, hh)
+		}
+	}
+	if c.wwwAuthenticate != "" {
+		if err := c.setupRequestAuth(req); err != nil {
+			return nil, err
+		}
+	}
+	logrus.Debugf("%s %s", method, url)
+	res, err := c.client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
+func (c *dockerClient) setupRequestAuth(req *http.Request) error {
+	tokens := strings.SplitN(strings.TrimSpace(c.wwwAuthenticate), " ", 2)
+	if len(tokens) != 2 {
+		return fmt.Errorf("expected 2 tokens in WWW-Authenticate: %d, %s", len(tokens), c.wwwAuthenticate)
+	}
+	switch tokens[0] {
+	case "Basic":
+		req.SetBasicAuth(c.username, c.password)
+		return nil
+	case "Bearer":
+		// FIXME? This gets a new token for every API request;
+		// we may be easily able to reuse a previous token, e.g.
+		// for OpenShift the token only identifies the user and does not vary
+		// across operations.  Should we just try the request first, and
+		// only get a new token on failure?
+		// OTOH what to do with the single-use body stream in that case?
+
+		// Try performing the request, expecting it to fail.
+		testReq := *req
+		// Do not use the body stream, or we couldn't reuse it for the "real" call later.
+		testReq.Body = nil
+		testReq.ContentLength = 0
+		res, err := c.client.Do(&testReq)
+		if err != nil {
+			return err
+		}
+		chs := parseAuthHeader(res.Header)
+		if res.StatusCode != http.StatusUnauthorized || chs == nil || len(chs) == 0 {
+			// no need for bearer? wtf?
+			return nil
+		}
+		// Arbitrarily use the first challenge, there is no reason to expect more than one.
+		challenge := chs[0]
+		if challenge.Scheme != "bearer" { // Another artifact of trying to handle WWW-Authenticate before it actually happens.
+			return fmt.Errorf("Unimplemented: WWW-Authenticate Bearer replaced by %#v", challenge.Scheme)
+		}
+		realm, ok := challenge.Parameters["realm"]
+		if !ok {
+			return fmt.Errorf("missing realm in bearer auth challenge")
+		}
+		service, _ := challenge.Parameters["service"] // Will be "" if not present
+		scope, _ := challenge.Parameters["scope"]     // Will be "" if not present
+		token, err := c.getBearerToken(realm, service, scope)
+		if err != nil {
+			return err
+		}
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+		return nil
+	}
+	return fmt.Errorf("no handler for %s authentication", tokens[0])
+	// support docker bearer with authconfig's Auth string? see docker2aci
+}
+
+func (c *dockerClient) getBearerToken(realm, service, scope string) (string, error) {
+	authReq, err := http.NewRequest("GET", realm, nil)
+	if err != nil {
+		return "", err
+	}
+	getParams := authReq.URL.Query()
+	if service != "" {
+		getParams.Add("service", service)
+	}
+	if scope != "" {
+		getParams.Add("scope", scope)
+	}
+	authReq.URL.RawQuery = getParams.Encode()
+	if c.username != "" && c.password != "" {
+		authReq.SetBasicAuth(c.username, c.password)
+	}
+	// insecure for now to contact the external token service
+	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+	client := &http.Client{Transport: tr}
+	res, err := client.Do(authReq)
+	if err != nil {
+		return "", err
+	}
+	defer res.Body.Close()
+	switch res.StatusCode {
+	case http.StatusUnauthorized:
+		return "", fmt.Errorf("unable to retrieve auth token: 401 unauthorized")
+	case http.StatusOK:
+		break
+	default:
+		return "", fmt.Errorf("unexpected http code: %d, URL: %s", res.StatusCode, authReq.URL)
+	}
+	tokenBlob, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return "", err
+	}
+	tokenStruct := struct {
+		Token string `json:"token"`
+	}{}
+	if err := json.Unmarshal(tokenBlob, &tokenStruct); err != nil {
+		return "", err
+	}
+	// TODO(runcom): reuse tokens?
+	//hostAuthTokens, ok = rb.hostsV2AuthTokens[req.URL.Host]
+	//if !ok {
+	//hostAuthTokens = make(map[string]string)
+	//rb.hostsV2AuthTokens[req.URL.Host] = hostAuthTokens
+	//}
+	//hostAuthTokens[repo] = tokenStruct.Token
+	return tokenStruct.Token, nil
+}
+
+func getAuth(hostname string) (string, string, error) {
+	// TODO(runcom): get this from *cli.Context somehow
+	//if username != "" && password != "" {
+	//return username, password, nil
+	//}
+	if hostname == dockerHostname {
+		hostname = dockerAuthRegistry
+	}
+	dockerCfgPath := filepath.Join(getDefaultConfigDir(".docker"), dockerCfgFileName)
+	if _, err := os.Stat(dockerCfgPath); err == nil {
+		j, err := ioutil.ReadFile(dockerCfgPath)
+		if err != nil {
+			return "", "", err
+		}
+		var dockerAuth dockerConfigFile
+		if err := json.Unmarshal(j, &dockerAuth); err != nil {
+			return "", "", err
+		}
+		// try the normal case
+		if c, ok := dockerAuth.AuthConfigs[hostname]; ok {
+			return decodeDockerAuth(c.Auth)
+		}
+	} else if os.IsNotExist(err) {
+		oldDockerCfgPath := filepath.Join(getDefaultConfigDir(dockerCfgObsolete))
+		if _, err := os.Stat(oldDockerCfgPath); err != nil {
+			return "", "", nil //missing file is not an error
+		}
+		j, err := ioutil.ReadFile(oldDockerCfgPath)
+		if err != nil {
+			return "", "", err
+		}
+		var dockerAuthOld map[string]dockerAuthConfigObsolete
+		if err := json.Unmarshal(j, &dockerAuthOld); err != nil {
+			return "", "", err
+		}
+		if c, ok := dockerAuthOld[hostname]; ok {
+			return decodeDockerAuth(c.Auth)
+		}
+	} else {
+		// if file is there but we can't stat it for any reason other
+		// than it doesn't exist then stop
+		return "", "", fmt.Errorf("%s - %v", dockerCfgPath, err)
+	}
+	return "", "", nil
+}
+
+type apiErr struct {
+	Code    string
+	Message string
+	Detail  interface{}
+}
+
+type pingResponse struct {
+	WWWAuthenticate string
+	APIVersion      string
+	scheme          string
+	errors          []apiErr
+}
+
+func (c *dockerClient) ping() (*pingResponse, error) {
+	ping := func(scheme string) (*pingResponse, error) {
+		url := fmt.Sprintf(baseURL, scheme, c.registry)
+		resp, err := c.client.Get(url)
+		logrus.Debugf("Ping %s err %#v", url, err)
+		if err != nil {
+			return nil, err
+		}
+		defer resp.Body.Close()
+		logrus.Debugf("Ping %s status %d", scheme+"://"+c.registry+"/v2/", resp.StatusCode)
+		if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusUnauthorized {
+			return nil, fmt.Errorf("error pinging repository, response code %d", resp.StatusCode)
+		}
+		pr := &pingResponse{}
+		pr.WWWAuthenticate = resp.Header.Get("WWW-Authenticate")
+		pr.APIVersion = resp.Header.Get("Docker-Distribution-Api-Version")
+		pr.scheme = scheme
+		if resp.StatusCode == http.StatusUnauthorized {
+			type APIErrors struct {
+				Errors []apiErr
+			}
+			errs := &APIErrors{}
+			if err := json.NewDecoder(resp.Body).Decode(errs); err != nil {
+				return nil, err
+			}
+			pr.errors = errs.Errors
+		}
+		return pr, nil
+	}
+	pr, err := ping("https")
+	if err != nil && c.ctx.DockerInsecureSkipTLSVerify {
+		pr, err = ping("http")
+	}
+	return pr, err
+}
+
+func getDefaultConfigDir(confPath string) string {
+	return filepath.Join(homedir.Get(), confPath)
+}
+
+type dockerAuthConfigObsolete struct {
+	Auth string `json:"auth"`
+}
+
+type dockerAuthConfig struct {
+	Auth string `json:"auth,omitempty"`
+}
+
+type dockerConfigFile struct {
+	AuthConfigs map[string]dockerAuthConfig `json:"auths"`
+}
+
+func decodeDockerAuth(s string) (string, string, error) {
+	decoded, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return "", "", err
+	}
+	parts := strings.SplitN(string(decoded), ":", 2)
+	if len(parts) != 2 {
+		// if it's invalid just skip, as docker does
+		return "", "", nil
+	}
+	user := parts[0]
+	password := strings.Trim(parts[1], "\x00")
+	return user, password, nil
+}

vendor/github.com/containers/image/docker/docker_image.go

@@ -0,0 +1,55 @@
+package docker
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/containers/image/image"
+	"github.com/containers/image/types"
+)
+
+// Image is a Docker-specific implementation of types.Image with a few extra methods
+// which are specific to Docker.
+type Image struct {
+	types.Image
+	src *dockerImageSource
+}
+
+// newImage returns a new Image interface type after setting up
+// a client to the registry hosting the given image.
+// The caller must call .Close() on the returned Image.
+func newImage(ctx *types.SystemContext, ref dockerReference) (types.Image, error) {
+	s, err := newImageSource(ctx, ref, nil)
+	if err != nil {
+		return nil, err
+	}
+	return &Image{Image: image.FromSource(s), src: s}, nil
+}
+
+// SourceRefFullName returns a fully expanded name for the repository this image is in.
+func (i *Image) SourceRefFullName() string {
+	return i.src.ref.ref.FullName()
+}
+
+// GetRepositoryTags list all tags available in the repository. Note that this has no connection with the tag(s) used for this specific image, if any.
+func (i *Image) GetRepositoryTags() ([]string, error) {
+	url := fmt.Sprintf(tagsURL, i.src.ref.ref.RemoteName())
+	res, err := i.src.c.makeRequest("GET", url, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		// print url also
+		return nil, fmt.Errorf("Invalid status code returned when fetching tags list %d", res.StatusCode)
+	}
+	type tagsRes struct {
+		Tags []string
+	}
+	tags := &tagsRes{}
+	if err := json.NewDecoder(res.Body).Decode(tags); err != nil {
+		return nil, err
+	}
+	return tags.Tags, nil
+}

vendor/github.com/containers/image/docker/docker_image_dest.go

@@ -0,0 +1,297 @@
+package docker
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strconv"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+)
+
+type dockerImageDestination struct {
+	ref dockerReference
+	c   *dockerClient
+	// State
+	manifestDigest string // or "" if not yet known.
+}
+
+// newImageDestination creates a new ImageDestination for the specified image reference.
+func newImageDestination(ctx *types.SystemContext, ref dockerReference) (types.ImageDestination, error) {
+	c, err := newDockerClient(ctx, ref, true)
+	if err != nil {
+		return nil, err
+	}
+	return &dockerImageDestination{
+		ref: ref,
+		c:   c,
+	}, nil
+}
+
+// Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
+// e.g. it should use the public hostname instead of the result of resolving CNAMEs or following redirects.
+func (d *dockerImageDestination) Reference() types.ImageReference {
+	return d.ref
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any.
+func (d *dockerImageDestination) Close() {
+}
+
+func (d *dockerImageDestination) SupportedManifestMIMETypes() []string {
+	return []string{
+		// TODO(runcom): we'll add OCI as part of another PR here
+		manifest.DockerV2Schema2MediaType,
+		manifest.DockerV2Schema1SignedMediaType,
+		manifest.DockerV2Schema1MediaType,
+	}
+}
+
+// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
+// Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
+func (d *dockerImageDestination) SupportsSignatures() error {
+	return fmt.Errorf("Pushing signatures to a Docker Registry is not supported")
+}
+
+// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
+func (d *dockerImageDestination) ShouldCompressLayers() bool {
+	return true
+}
+
+// sizeCounter is an io.Writer which only counts the total size of its input.
+type sizeCounter struct{ size int64 }
+
+func (c *sizeCounter) Write(p []byte) (n int, err error) {
+	c.size += int64(len(p))
+	return len(p), nil
+}
+
+// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
+// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
+// inputInfo.Size is the expected length of stream, if known.
+// WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
+// to any other readers for download using the supplied digest.
+// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
+func (d *dockerImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
+	if inputInfo.Digest != "" {
+		checkURL := fmt.Sprintf(blobsURL, d.ref.ref.RemoteName(), inputInfo.Digest)
+
+		logrus.Debugf("Checking %s", checkURL)
+		res, err := d.c.makeRequest("HEAD", checkURL, nil, nil)
+		if err != nil {
+			return types.BlobInfo{}, err
+		}
+		defer res.Body.Close()
+		switch res.StatusCode {
+		case http.StatusOK:
+			logrus.Debugf("... already exists, not uploading")
+			blobLength, err := strconv.ParseInt(res.Header.Get("Content-Length"), 10, 64)
+			if err != nil {
+				return types.BlobInfo{}, err
+			}
+			return types.BlobInfo{Digest: inputInfo.Digest, Size: blobLength}, nil
+		case http.StatusUnauthorized:
+			logrus.Debugf("... not authorized")
+			return types.BlobInfo{}, fmt.Errorf("not authorized to read from destination repository %s", d.ref.ref.RemoteName())
+		case http.StatusNotFound:
+			// noop
+		default:
+			return types.BlobInfo{}, fmt.Errorf("failed to read from destination repository %s: %v", d.ref.ref.RemoteName(), http.StatusText(res.StatusCode))
+		}
+		logrus.Debugf("... failed, status %d", res.StatusCode)
+	}
+
+	// FIXME? Chunked upload, progress reporting, etc.
+	uploadURL := fmt.Sprintf(blobUploadURL, d.ref.ref.RemoteName())
+	logrus.Debugf("Uploading %s", uploadURL)
+	res, err := d.c.makeRequest("POST", uploadURL, nil, nil)
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusAccepted {
+		logrus.Debugf("Error initiating layer upload, response %#v", *res)
+		return types.BlobInfo{}, fmt.Errorf("Error initiating layer upload to %s, status %d", uploadURL, res.StatusCode)
+	}
+	uploadLocation, err := res.Location()
+	if err != nil {
+		return types.BlobInfo{}, fmt.Errorf("Error determining upload URL: %s", err.Error())
+	}
+
+	h := sha256.New()
+	sizeCounter := &sizeCounter{}
+	tee := io.TeeReader(stream, io.MultiWriter(h, sizeCounter))
+	res, err = d.c.makeRequestToResolvedURL("PATCH", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, tee, inputInfo.Size)
+	if err != nil {
+		logrus.Debugf("Error uploading layer chunked, response %#v", *res)
+		return types.BlobInfo{}, err
+	}
+	defer res.Body.Close()
+	hash := h.Sum(nil)
+	computedDigest := "sha256:" + hex.EncodeToString(hash[:])
+
+	uploadLocation, err = res.Location()
+	if err != nil {
+		return types.BlobInfo{}, fmt.Errorf("Error determining upload URL: %s", err.Error())
+	}
+
+	// FIXME: DELETE uploadLocation on failure
+
+	locationQuery := uploadLocation.Query()
+	// TODO: check inputInfo.Digest == computedDigest https://github.com/containers/image/pull/70#discussion_r77646717
+	locationQuery.Set("digest", computedDigest)
+	uploadLocation.RawQuery = locationQuery.Encode()
+	res, err = d.c.makeRequestToResolvedURL("PUT", uploadLocation.String(), map[string][]string{"Content-Type": {"application/octet-stream"}}, nil, -1)
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusCreated {
+		logrus.Debugf("Error uploading layer, response %#v", *res)
+		return types.BlobInfo{}, fmt.Errorf("Error uploading layer to %s, status %d", uploadLocation, res.StatusCode)
+	}
+
+	logrus.Debugf("Upload of layer %s complete", computedDigest)
+	return types.BlobInfo{Digest: computedDigest, Size: sizeCounter.size}, nil
+}
+
+func (d *dockerImageDestination) PutManifest(m []byte) error {
+	digest, err := manifest.Digest(m)
+	if err != nil {
+		return err
+	}
+	d.manifestDigest = digest
+
+	reference, err := d.ref.tagOrDigest()
+	if err != nil {
+		return err
+	}
+	url := fmt.Sprintf(manifestURL, d.ref.ref.RemoteName(), reference)
+
+	headers := map[string][]string{}
+	mimeType := manifest.GuessMIMEType(m)
+	if mimeType != "" {
+		headers["Content-Type"] = []string{mimeType}
+	}
+	res, err := d.c.makeRequest("PUT", url, headers, bytes.NewReader(m))
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusCreated {
+		body, err := ioutil.ReadAll(res.Body)
+		if err == nil {
+			logrus.Debugf("Error body %s", string(body))
+		}
+		logrus.Debugf("Error uploading manifest, status %d, %#v", res.StatusCode, res)
+		return fmt.Errorf("Error uploading manifest to %s, status %d", url, res.StatusCode)
+	}
+	return nil
+}
+
+func (d *dockerImageDestination) PutSignatures(signatures [][]byte) error {
+	// FIXME? This overwrites files one at a time, definitely not atomic.
+	// A failure when updating signatures with a reordered copy could lose some of them.
+
+	// Skip dealing with the manifest digest if not necessary.
+	if len(signatures) == 0 {
+		return nil
+	}
+	if d.c.signatureBase == nil {
+		return fmt.Errorf("Pushing signatures to a Docker Registry is not supported, and there is no applicable signature storage configured")
+	}
+
+	// FIXME: This assumption that signatures are stored after the manifest rather breaks the model.
+	if d.manifestDigest == "" {
+		return fmt.Errorf("Unknown manifest digest, can't add signatures")
+	}
+
+	for i, signature := range signatures {
+		url := signatureStorageURL(d.c.signatureBase, d.manifestDigest, i)
+		if url == nil {
+			return fmt.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
+		}
+		err := d.putOneSignature(url, signature)
+		if err != nil {
+			return err
+		}
+	}
+	// Remove any other signatures, if present.
+	// We stop at the first missing signature; if a previous deleting loop aborted
+	// prematurely, this may not clean up all of them, but one missing signature
+	// is enough for dockerImageSource to stop looking for other signatures, so that
+	// is sufficient.
+	for i := len(signatures); ; i++ {
+		url := signatureStorageURL(d.c.signatureBase, d.manifestDigest, i)
+		if url == nil {
+			return fmt.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
+		}
+		missing, err := d.c.deleteOneSignature(url)
+		if err != nil {
+			return err
+		}
+		if missing {
+			break
+		}
+	}
+
+	return nil
+}
+
+// putOneSignature stores one signature to url.
+func (d *dockerImageDestination) putOneSignature(url *url.URL, signature []byte) error {
+	switch url.Scheme {
+	case "file":
+		logrus.Debugf("Writing to %s", url.Path)
+		err := os.MkdirAll(filepath.Dir(url.Path), 0755)
+		if err != nil {
+			return err
+		}
+		err = ioutil.WriteFile(url.Path, signature, 0644)
+		if err != nil {
+			return err
+		}
+		return nil
+
+	case "http", "https":
+		return fmt.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location.", url.Scheme, url.String())
+	default:
+		return fmt.Errorf("Unsupported scheme when writing signature to %s", url.String())
+	}
+}
+
+// deleteOneSignature deletes a signature from url, if it exists.
+// If it successfully determines that the signature does not exist, returns (true, nil)
+func (c *dockerClient) deleteOneSignature(url *url.URL) (missing bool, err error) {
+	switch url.Scheme {
+	case "file":
+		logrus.Debugf("Deleting %s", url.Path)
+		err := os.Remove(url.Path)
+		if err != nil && os.IsNotExist(err) {
+			return true, nil
+		}
+		return false, err
+
+	case "http", "https":
+		return false, fmt.Errorf("Writing directly to a %s sigstore %s is not supported. Configure a sigstore-staging: location.", url.Scheme, url.String())
+	default:
+		return false, fmt.Errorf("Unsupported scheme when deleting signature from %s", url.String())
+	}
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted.
+// WARNING: This does not have any transactional semantics:
+// - Uploaded data MAY be visible to others before Commit() is called
+// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
+func (d *dockerImageDestination) Commit() error {
+	return nil
+}

vendor/github.com/containers/image/docker/docker_image_src.go

@@ -0,0 +1,288 @@
+package docker
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"mime"
+	"net/http"
+	"net/url"
+	"os"
+	"strconv"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+)
+
+type errFetchManifest struct {
+	statusCode int
+	body       []byte
+}
+
+func (e errFetchManifest) Error() string {
+	return fmt.Sprintf("error fetching manifest: status code: %d, body: %s", e.statusCode, string(e.body))
+}
+
+type dockerImageSource struct {
+	ref                        dockerReference
+	requestedManifestMIMETypes []string
+	c                          *dockerClient
+	// State
+	cachedManifest         []byte // nil if not loaded yet
+	cachedManifestMIMEType string // Only valid if cachedManifest != nil
+}
+
+// newImageSource creates a new ImageSource for the specified image reference,
+// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
+// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// The caller must call .Close() on the returned ImageSource.
+func newImageSource(ctx *types.SystemContext, ref dockerReference, requestedManifestMIMETypes []string) (*dockerImageSource, error) {
+	c, err := newDockerClient(ctx, ref, false)
+	if err != nil {
+		return nil, err
+	}
+	if requestedManifestMIMETypes == nil {
+		requestedManifestMIMETypes = manifest.DefaultRequestedManifestMIMETypes
+	}
+	return &dockerImageSource{
+		ref: ref,
+		requestedManifestMIMETypes: requestedManifestMIMETypes,
+		c: c,
+	}, nil
+}
+
+// Reference returns the reference used to set up this source, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
+func (s *dockerImageSource) Reference() types.ImageReference {
+	return s.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+func (s *dockerImageSource) Close() {
+}
+
+// simplifyContentType drops parameters from a HTTP media type (see https://tools.ietf.org/html/rfc7231#section-3.1.1.1)
+// Alternatively, an empty string is returned unchanged, and invalid values are "simplified" to an empty string.
+func simplifyContentType(contentType string) string {
+	if contentType == "" {
+		return contentType
+	}
+	mimeType, _, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		return ""
+	}
+	return mimeType
+}
+
+func (s *dockerImageSource) GetManifest() ([]byte, string, error) {
+	err := s.ensureManifestIsLoaded()
+	if err != nil {
+		return nil, "", err
+	}
+	return s.cachedManifest, s.cachedManifestMIMEType, nil
+}
+
+// ensureManifestIsLoaded sets s.cachedManifest and s.cachedManifestMIMEType
+//
+// ImageSource implementations are not required or expected to do any caching,
+// but because our signatures are “attached” to the manifest digest,
+// we need to ensure that the digest of the manifest returned by GetManifest
+// and used by GetSignatures are consistent, otherwise we would get spurious
+// signature verification failures when pulling while a tag is being updated.
+func (s *dockerImageSource) ensureManifestIsLoaded() error {
+	if s.cachedManifest != nil {
+		return nil
+	}
+
+	reference, err := s.ref.tagOrDigest()
+	if err != nil {
+		return err
+	}
+	url := fmt.Sprintf(manifestURL, s.ref.ref.RemoteName(), reference)
+	// TODO(runcom) set manifest version header! schema1 for now - then schema2 etc etc and v1
+	// TODO(runcom) NO, switch on the resulter manifest like Docker is doing
+	headers := make(map[string][]string)
+	headers["Accept"] = s.requestedManifestMIMETypes
+	res, err := s.c.makeRequest("GET", url, headers, nil)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	manblob, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return err
+	}
+	if res.StatusCode != http.StatusOK {
+		return errFetchManifest{res.StatusCode, manblob}
+	}
+	// We might validate manblob against the Docker-Content-Digest header here to protect against transport errors.
+	s.cachedManifest = manblob
+	s.cachedManifestMIMEType = simplifyContentType(res.Header.Get("Content-Type"))
+	return nil
+}
+
+// GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
+func (s *dockerImageSource) GetBlob(digest string) (io.ReadCloser, int64, error) {
+	url := fmt.Sprintf(blobsURL, s.ref.ref.RemoteName(), digest)
+	logrus.Debugf("Downloading %s", url)
+	res, err := s.c.makeRequest("GET", url, nil, nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	if res.StatusCode != http.StatusOK {
+		// print url also
+		return nil, 0, fmt.Errorf("Invalid status code returned when fetching blob %d", res.StatusCode)
+	}
+	size, err := strconv.ParseInt(res.Header.Get("Content-Length"), 10, 64)
+	if err != nil {
+		size = -1
+	}
+	return res.Body, size, nil
+}
+
+func (s *dockerImageSource) GetSignatures() ([][]byte, error) {
+	if s.c.signatureBase == nil { // Skip dealing with the manifest digest if not necessary.
+		return [][]byte{}, nil
+	}
+
+	if err := s.ensureManifestIsLoaded(); err != nil {
+		return nil, err
+	}
+	manifestDigest, err := manifest.Digest(s.cachedManifest)
+	if err != nil {
+		return nil, err
+	}
+
+	signatures := [][]byte{}
+	for i := 0; ; i++ {
+		url := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
+		if url == nil {
+			return nil, fmt.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
+		}
+		signature, missing, err := s.getOneSignature(url)
+		if err != nil {
+			return nil, err
+		}
+		if missing {
+			break
+		}
+		signatures = append(signatures, signature)
+	}
+	return signatures, nil
+}
+
+// getOneSignature downloads one signature from url.
+// If it successfully determines that the signature does not exist, returns with missing set to true and error set to nil.
+func (s *dockerImageSource) getOneSignature(url *url.URL) (signature []byte, missing bool, err error) {
+	switch url.Scheme {
+	case "file":
+		logrus.Debugf("Reading %s", url.Path)
+		sig, err := ioutil.ReadFile(url.Path)
+		if err != nil {
+			if os.IsNotExist(err) {
+				return nil, true, nil
+			}
+			return nil, false, err
+		}
+		return sig, false, nil
+
+	case "http", "https":
+		logrus.Debugf("GET %s", url)
+		res, err := s.c.client.Get(url.String())
+		if err != nil {
+			return nil, false, err
+		}
+		defer res.Body.Close()
+		if res.StatusCode == http.StatusNotFound {
+			return nil, true, nil
+		} else if res.StatusCode != http.StatusOK {
+			return nil, false, fmt.Errorf("Error reading signature from %s: status %d", url.String(), res.StatusCode)
+		}
+		sig, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return nil, false, err
+		}
+		return sig, false, nil
+
+	default:
+		return nil, false, fmt.Errorf("Unsupported scheme when reading signature from %s", url.String())
+	}
+}
+
+// deleteImage deletes the named image from the registry, if supported.
+func deleteImage(ctx *types.SystemContext, ref dockerReference) error {
+	c, err := newDockerClient(ctx, ref, true)
+	if err != nil {
+		return err
+	}
+
+	// When retrieving the digest from a registry >= 2.3 use the following header:
+	//   "Accept": "application/vnd.docker.distribution.manifest.v2+json"
+	headers := make(map[string][]string)
+	headers["Accept"] = []string{manifest.DockerV2Schema2MediaType}
+
+	reference, err := ref.tagOrDigest()
+	if err != nil {
+		return err
+	}
+	getURL := fmt.Sprintf(manifestURL, ref.ref.RemoteName(), reference)
+	get, err := c.makeRequest("GET", getURL, headers, nil)
+	if err != nil {
+		return err
+	}
+	defer get.Body.Close()
+	manifestBody, err := ioutil.ReadAll(get.Body)
+	if err != nil {
+		return err
+	}
+	switch get.StatusCode {
+	case http.StatusOK:
+	case http.StatusNotFound:
+		return fmt.Errorf("Unable to delete %v. Image may not exist or is not stored with a v2 Schema in a v2 registry.", ref.ref)
+	default:
+		return fmt.Errorf("Failed to delete %v: %s (%v)", ref.ref, manifestBody, get.Status)
+	}
+
+	digest := get.Header.Get("Docker-Content-Digest")
+	deleteURL := fmt.Sprintf(manifestURL, ref.ref.RemoteName(), digest)
+
+	// When retrieving the digest from a registry >= 2.3 use the following header:
+	//   "Accept": "application/vnd.docker.distribution.manifest.v2+json"
+	delete, err := c.makeRequest("DELETE", deleteURL, headers, nil)
+	if err != nil {
+		return err
+	}
+	defer delete.Body.Close()
+
+	body, err := ioutil.ReadAll(delete.Body)
+	if err != nil {
+		return err
+	}
+	if delete.StatusCode != http.StatusAccepted {
+		return fmt.Errorf("Failed to delete %v: %s (%v)", deleteURL, string(body), delete.Status)
+	}
+
+	if c.signatureBase != nil {
+		manifestDigest, err := manifest.Digest(manifestBody)
+		if err != nil {
+			return err
+		}
+
+		for i := 0; ; i++ {
+			url := signatureStorageURL(c.signatureBase, manifestDigest, i)
+			if url == nil {
+				return fmt.Errorf("Internal error: signatureStorageURL with non-nil base returned nil")
+			}
+			missing, err := c.deleteOneSignature(url)
+			if err != nil {
+				return err
+			}
+			if missing {
+				break
+			}
+		}
+	}
+
+	return nil
+}

vendor/github.com/containers/image/docker/docker_transport.go

@@ -0,0 +1,153 @@
+package docker
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/containers/image/docker/policyconfiguration"
+	"github.com/containers/image/types"
+	"github.com/docker/docker/reference"
+)
+
+// Transport is an ImageTransport for Docker registry-hosted images.
+var Transport = dockerTransport{}
+
+type dockerTransport struct{}
+
+func (t dockerTransport) Name() string {
+	return "docker"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func (t dockerTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return ParseReference(reference)
+}
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+// (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
+// It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
+// scope passed to this function will not be "", that value is always allowed.
+func (t dockerTransport) ValidatePolicyConfigurationScope(scope string) error {
+	// FIXME? We could be verifying the various character set and length restrictions
+	// from docker/distribution/reference.regexp.go, but other than that there
+	// are few semantically invalid strings.
+	return nil
+}
+
+// dockerReference is an ImageReference for Docker images.
+type dockerReference struct {
+	ref reference.Named // By construction we know that !reference.IsNameOnly(ref)
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an Docker ImageReference.
+func ParseReference(refString string) (types.ImageReference, error) {
+	if !strings.HasPrefix(refString, "//") {
+		return nil, fmt.Errorf("docker: image reference %s does not start with //", refString)
+	}
+	ref, err := reference.ParseNamed(strings.TrimPrefix(refString, "//"))
+	if err != nil {
+		return nil, err
+	}
+	ref = reference.WithDefaultTag(ref)
+	return NewReference(ref)
+}
+
+// NewReference returns a Docker reference for a named reference. The reference must satisfy !reference.IsNameOnly().
+func NewReference(ref reference.Named) (types.ImageReference, error) {
+	if reference.IsNameOnly(ref) {
+		return nil, fmt.Errorf("Docker reference %s has neither a tag nor a digest", ref.String())
+	}
+	// A github.com/distribution/reference value can have a tag and a digest at the same time!
+	// docker/reference does not handle that, so fail.
+	// (Even if it were supported, the semantics of policy namespaces are unclear - should we drop
+	// the tag or the digest first?)
+	_, isTagged := ref.(reference.NamedTagged)
+	_, isDigested := ref.(reference.Canonical)
+	if isTagged && isDigested {
+		return nil, fmt.Errorf("Docker references with both a tag and digest are currently not supported")
+	}
+	return dockerReference{
+		ref: ref,
+	}, nil
+}
+
+func (ref dockerReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+// NOTE: The returned string is not promised to be equal to the original input to ParseReference;
+// e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
+// WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix.
+func (ref dockerReference) StringWithinTransport() string {
+	return "//" + ref.ref.String()
+}
+
+// DockerReference returns a Docker reference associated with this reference
+// (fully explicit, i.e. !reference.IsNameOnly, but reflecting user intent,
+// not e.g. after redirect or alias processing), or nil if unknown/not applicable.
+func (ref dockerReference) DockerReference() reference.Named {
+	return ref.ref
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+// This MUST reflect user intent, not e.g. after processing of third-party redirects or aliases;
+// The value SHOULD be fully explicit about its semantics, with no hidden defaults, AND canonical
+// (i.e. various references with exactly the same semantics should return the same configuration identity)
+// It is fine for the return value to be equal to StringWithinTransport(), and it is desirable but
+// not required/guaranteed that it will be a valid input to Transport().ParseReference().
+// Returns "" if configuration identities for these references are not supported.
+func (ref dockerReference) PolicyConfigurationIdentity() string {
+	res, err := policyconfiguration.DockerReferenceIdentity(ref.ref)
+	if res == "" || err != nil { // Coverage: Should never happen, NewReference above should refuse values which could cause a failure.
+		panic(fmt.Sprintf("Internal inconsistency: policyconfiguration.DockerReferenceIdentity returned %#v, %v", res, err))
+	}
+	return res
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set.  The list will be processed
+// in order, terminating on first match, and an implicit "" is always checked at the end.
+// It is STRONGLY recommended for the first element, if any, to be a prefix of PolicyConfigurationIdentity(),
+// and each following element to be a prefix of the element preceding it.
+func (ref dockerReference) PolicyConfigurationNamespaces() []string {
+	return policyconfiguration.DockerReferenceNamespaces(ref.ref)
+}
+
+// NewImage returns a types.Image for this reference.
+// The caller must call .Close() on the returned Image.
+func (ref dockerReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+	return newImage(ctx, ref)
+}
+
+// NewImageSource returns a types.ImageSource for this reference,
+// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
+// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// The caller must call .Close() on the returned ImageSource.
+func (ref dockerReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	return newImageSource(ctx, ref, requestedManifestMIMETypes)
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref dockerReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ctx, ref)
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref dockerReference) DeleteImage(ctx *types.SystemContext) error {
+	return deleteImage(ctx, ref)
+}
+
+// tagOrDigest returns a tag or digest from the reference.
+func (ref dockerReference) tagOrDigest() (string, error) {
+	if ref, ok := ref.ref.(reference.Canonical); ok {
+		return ref.Digest().String(), nil
+	}
+	if ref, ok := ref.ref.(reference.NamedTagged); ok {
+		return ref.Tag(), nil
+	}
+	// This should not happen, NewReference above refuses reference.IsNameOnly values.
+	return "", fmt.Errorf("Internal inconsistency: Reference %s unexpectedly has neither a digest nor a tag", ref.ref.String())
+}

vendor/github.com/containers/image/docker/lookaside.go

@@ -0,0 +1,198 @@
+package docker
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/ghodss/yaml"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/types"
+)
+
+// systemRegistriesDirPath is the path to registries.d, used for locating lookaside Docker signature storage.
+// You can override this at build time with
+// -ldflags '-X github.com/containers/image/docker.systemRegistriesDirPath=$your_path'
+var systemRegistriesDirPath = builtinRegistriesDirPath
+
+// builtinRegistriesDirPath is the path to registries.d.
+// DO NOT change this, instead see systemRegistriesDirPath above.
+const builtinRegistriesDirPath = "/etc/containers/registries.d"
+
+// registryConfiguration is one of the files in registriesDirPath configuring lookaside locations, or the result of merging them all.
+// NOTE: Keep this in sync with docs/registries.d.md!
+type registryConfiguration struct {
+	DefaultDocker *registryNamespace `json:"default-docker"`
+	// The key is a namespace, using fully-expanded Docker reference format or parent namespaces (per dockerReference.PolicyConfiguration*),
+	Docker map[string]registryNamespace `json:"docker"`
+}
+
+// registryNamespace defines lookaside locations for a single namespace.
+type registryNamespace struct {
+	SigStore        string `json:"sigstore"`         // For reading, and if SigStoreStaging is not present, for writing.
+	SigStoreStaging string `json:"sigstore-staging"` // For writing only.
+}
+
+// signatureStorageBase is an "opaque" type representing a lookaside Docker signature storage.
+// Users outside of this file should use configuredSignatureStorageBase and signatureStorageURL below.
+type signatureStorageBase *url.URL // The only documented value is nil, meaning storage is not supported.
+
+// configuredSignatureStorageBase reads configuration to find an appropriate signature storage URL for ref, for write access if “write”.
+func configuredSignatureStorageBase(ctx *types.SystemContext, ref dockerReference, write bool) (signatureStorageBase, error) {
+	// FIXME? Loading and parsing the config could be cached across calls.
+	dirPath := registriesDirPath(ctx)
+	logrus.Debugf(`Using registries.d directory %s for sigstore configuration`, dirPath)
+	config, err := loadAndMergeConfig(dirPath)
+	if err != nil {
+		return nil, err
+	}
+
+	topLevel := config.signatureTopLevel(ref, write)
+	if topLevel == "" {
+		return nil, nil
+	}
+
+	url, err := url.Parse(topLevel)
+	if err != nil {
+		return nil, fmt.Errorf("Invalid signature storage URL %s: %v", topLevel, err)
+	}
+	// FIXME? Restrict to explicitly supported schemes?
+	repo := ref.ref.FullName()    // Note that this is without a tag or digest.
+	if path.Clean(repo) != repo { // Coverage: This should not be reachable because /./ and /../ components are not valid in docker references
+		return nil, fmt.Errorf("Unexpected path elements in Docker reference %s for signature storage", ref.ref.String())
+	}
+	url.Path = url.Path + "/" + repo
+	return url, nil
+}
+
+// registriesDirPath returns a path to registries.d
+func registriesDirPath(ctx *types.SystemContext) string {
+	if ctx != nil {
+		if ctx.RegistriesDirPath != "" {
+			return ctx.RegistriesDirPath
+		}
+		if ctx.RootForImplicitAbsolutePaths != "" {
+			return filepath.Join(ctx.RootForImplicitAbsolutePaths, systemRegistriesDirPath)
+		}
+	}
+	return systemRegistriesDirPath
+}
+
+// loadAndMergeConfig loads configuration files in dirPath
+func loadAndMergeConfig(dirPath string) (*registryConfiguration, error) {
+	mergedConfig := registryConfiguration{Docker: map[string]registryNamespace{}}
+	dockerDefaultMergedFrom := ""
+	nsMergedFrom := map[string]string{}
+
+	dir, err := os.Open(dirPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return &mergedConfig, nil
+		}
+		return nil, err
+	}
+	configNames, err := dir.Readdirnames(0)
+	if err != nil {
+		return nil, err
+	}
+	for _, configName := range configNames {
+		if !strings.HasSuffix(configName, ".yaml") {
+			continue
+		}
+		configPath := filepath.Join(dirPath, configName)
+		configBytes, err := ioutil.ReadFile(configPath)
+		if err != nil {
+			return nil, err
+		}
+
+		var config registryConfiguration
+		err = yaml.Unmarshal(configBytes, &config)
+		if err != nil {
+			return nil, fmt.Errorf("Error parsing %s: %v", configPath, err)
+		}
+
+		if config.DefaultDocker != nil {
+			if mergedConfig.DefaultDocker != nil {
+				return nil, fmt.Errorf(`Error parsing signature storage configuration: "default-docker" defined both in "%s" and "%s"`,
+					dockerDefaultMergedFrom, configPath)
+			}
+			mergedConfig.DefaultDocker = config.DefaultDocker
+			dockerDefaultMergedFrom = configPath
+		}
+
+		for nsName, nsConfig := range config.Docker { // includes config.Docker == nil
+			if _, ok := mergedConfig.Docker[nsName]; ok {
+				return nil, fmt.Errorf(`Error parsing signature storage configuration: "docker" namespace "%s" defined both in "%s" and "%s"`,
+					nsName, nsMergedFrom[nsName], configPath)
+			}
+			mergedConfig.Docker[nsName] = nsConfig
+			nsMergedFrom[nsName] = configPath
+		}
+	}
+
+	return &mergedConfig, nil
+}
+
+// config.signatureTopLevel returns an URL string configured in config for ref, for write access if “write”.
+// (the top level of the storage, namespaced by repo.FullName etc.), or "" if no signature storage should be used.
+func (config *registryConfiguration) signatureTopLevel(ref dockerReference, write bool) string {
+	if config.Docker != nil {
+		// Look for a full match.
+		identity := ref.PolicyConfigurationIdentity()
+		if ns, ok := config.Docker[identity]; ok {
+			logrus.Debugf(` Using "docker" namespace %s`, identity)
+			if url := ns.signatureTopLevel(write); url != "" {
+				return url
+			}
+		}
+
+		// Look for a match of the possible parent namespaces.
+		for _, name := range ref.PolicyConfigurationNamespaces() {
+			if ns, ok := config.Docker[name]; ok {
+				logrus.Debugf(` Using "docker" namespace %s`, name)
+				if url := ns.signatureTopLevel(write); url != "" {
+					return url
+				}
+			}
+		}
+	}
+	// Look for a default location
+	if config.DefaultDocker != nil {
+		logrus.Debugf(` Using "default-docker" configuration`)
+		if url := config.DefaultDocker.signatureTopLevel(write); url != "" {
+			return url
+		}
+	}
+	logrus.Debugf(" No signature storage configuration found for %s", ref.PolicyConfigurationIdentity())
+	return ""
+}
+
+// ns.signatureTopLevel returns an URL string configured in ns for ref, for write access if “write”.
+// or "" if nothing has been configured.
+func (ns registryNamespace) signatureTopLevel(write bool) string {
+	if write && ns.SigStoreStaging != "" {
+		logrus.Debugf(`  Using %s`, ns.SigStoreStaging)
+		return ns.SigStoreStaging
+	}
+	if ns.SigStore != "" {
+		logrus.Debugf(`  Using %s`, ns.SigStore)
+		return ns.SigStore
+	}
+	return ""
+}
+
+// signatureStorageURL returns an URL usable for acessing signature index in base with known manifestDigest, or nil if not applicable.
+// Returns nil iff base == nil.
+func signatureStorageURL(base signatureStorageBase, manifestDigest string, index int) *url.URL {
+	if base == nil {
+		return nil
+	}
+	url := *base
+	url.Path = fmt.Sprintf("%s@%s/signature-%d", url.Path, manifestDigest, index+1)
+	return &url
+}

vendor/github.com/containers/image/docker/policyconfiguration/naming.go

@@ -0,0 +1,57 @@
+package policyconfiguration
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/reference"
+)
+
+// DockerReferenceIdentity returns a string representation of the reference, suitable for policy lookup,
+// as a backend for ImageReference.PolicyConfigurationIdentity.
+// The reference must satisfy !reference.IsNameOnly().
+func DockerReferenceIdentity(ref reference.Named) (string, error) {
+	res := ref.FullName()
+	tagged, isTagged := ref.(reference.NamedTagged)
+	digested, isDigested := ref.(reference.Canonical)
+	switch {
+	case isTagged && isDigested: // This should not happen, docker/reference.ParseNamed drops the tag.
+		return "", fmt.Errorf("Unexpected Docker reference %s with both a name and a digest", ref.String())
+	case !isTagged && !isDigested: // This should not happen, the caller is expected to ensure !reference.IsNameOnly()
+		return "", fmt.Errorf("Internal inconsistency: Docker reference %s with neither a tag nor a digest", ref.String())
+	case isTagged:
+		res = res + ":" + tagged.Tag()
+	case isDigested:
+		res = res + "@" + digested.Digest().String()
+	default: // Coverage: The above was supposed to be exhaustive.
+		return "", errors.New("Internal inconsistency, unexpected default branch")
+	}
+	return res, nil
+}
+
+// DockerReferenceNamespaces returns a list of other policy configuration namespaces to search,
+// as a backend for ImageReference.PolicyConfigurationIdentity.
+// The reference must satisfy !reference.IsNameOnly().
+func DockerReferenceNamespaces(ref reference.Named) []string {
+	// Look for a match of the repository, and then of the possible parent
+	// namespaces. Note that this only happens on the expanded host names
+	// and repository names, i.e. "busybox" is looked up as "docker.io/library/busybox",
+	// then in its parent "docker.io/library"; in none of "busybox",
+	// un-namespaced "library" nor in "" supposedly implicitly representing "library/".
+	//
+	// ref.FullName() == ref.Hostname() + "/" + ref.RemoteName(), so the last
+	// iteration matches the host name (for any namespace).
+	res := []string{}
+	name := ref.FullName()
+	for {
+		res = append(res, name)
+
+		lastSlash := strings.LastIndex(name, "/")
+		if lastSlash == -1 {
+			break
+		}
+		name = name[:lastSlash]
+	}
+	return res
+}

vendor/github.com/containers/image/docker/wwwauthenticate.go

@@ -1,20 +1,25 @@
-package registry
+package docker
+
+// Based on github.com/docker/distribution/registry/client/auth/authchallenge.go, primarily stripping unnecessary dependencies.
 
 import (
 	"net/http"
 	"strings"
 )
 
-// Octet types from RFC 2616.
-type octetType byte
+// challenge carries information from a WWW-Authenticate response header.
+// See RFC 7235.
+type challenge struct {
+	// Scheme is the auth-scheme according to RFC 7235
+	Scheme string
 
-// AuthorizationChallenge carries information
-// from a WWW-Authenticate response header.
-type AuthorizationChallenge struct {
-	Scheme     string
+	// Parameters are the auth-params according to RFC 7235
 	Parameters map[string]string
 }
 
+// Octet types from RFC 7230.
+type octetType byte
+
 var octetTypes [256]octetType
 
 const (
@@ -54,17 +59,21 @@ func init() {
 	}
 }
 
-func parseAuthHeader(header http.Header) []*AuthorizationChallenge {
-	var challenges []*AuthorizationChallenge
+func parseAuthHeader(header http.Header) []challenge {
+	challenges := []challenge{}
 	for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {
 		v, p := parseValueAndParams(h)
 		if v != "" {
-			challenges = append(challenges, &AuthorizationChallenge{Scheme: v, Parameters: p})
+			challenges = append(challenges, challenge{Scheme: v, Parameters: p})
 		}
 	}
 	return challenges
 }
 
+// NOTE: This is not a fully compliant parser per RFC 7235:
+// Most notably it does not support more than one challenge within a single header
+// Some of the whitespace parsing also seems noncompliant.
+// But it is clearly better than what we used to have…
 func parseValueAndParams(header string) (value string, params map[string]string) {
 	params = make(map[string]string)
 	value, s := expectToken(header)
@@ -127,7 +136,7 @@ func expectTokenOrQuoted(s string) (value string, rest string) {
 			p := make([]byte, len(s)-1)
 			j := copy(p, s[:i])
 			escape := true
-			for i = i + i; i < len(s); i++ {
+			for i = i + 1; i < len(s); i++ {
 				b := s[i]
 				switch {
 				case escape:

vendor/github.com/containers/image/image/docker_schema1.go

@@ -0,0 +1,163 @@
+package image
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"regexp"
+
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+)
+
+var (
+	validHex = regexp.MustCompile(`^([a-f0-9]{64})$`)
+)
+
+type fsLayersSchema1 struct {
+	BlobSum string `json:"blobSum"`
+}
+
+type manifestSchema1 struct {
+	Name         string            `json:"name"`
+	Tag          string            `json:"tag"`
+	Architecture string            `json:"architecture"`
+	FSLayers     []fsLayersSchema1 `json:"fsLayers"`
+	History      []struct {
+		V1Compatibility string `json:"v1Compatibility"`
+	} `json:"history"`
+	SchemaVersion int `json:"schemaVersion"`
+}
+
+func manifestSchema1FromManifest(manifest []byte) (genericManifest, error) {
+	mschema1 := &manifestSchema1{}
+	if err := json.Unmarshal(manifest, mschema1); err != nil {
+		return nil, err
+	}
+	if err := fixManifestLayers(mschema1); err != nil {
+		return nil, err
+	}
+	// TODO(runcom): verify manifest schema 1, 2 etc
+	//if len(m.FSLayers) != len(m.History) {
+	//return nil, fmt.Errorf("length of history not equal to number of layers for %q", ref.String())
+	//}
+	//if len(m.FSLayers) == 0 {
+	//return nil, fmt.Errorf("no FSLayers in manifest for %q", ref.String())
+	//}
+	return mschema1, nil
+}
+
+func (m *manifestSchema1) ConfigInfo() types.BlobInfo {
+	return types.BlobInfo{}
+}
+
+func (m *manifestSchema1) LayerInfos() []types.BlobInfo {
+	layers := make([]types.BlobInfo, len(m.FSLayers))
+	for i, layer := range m.FSLayers { // NOTE: This includes empty layers (where m.History.V1Compatibility->ThrowAway)
+		layers[(len(m.FSLayers)-1)-i] = types.BlobInfo{Digest: layer.BlobSum, Size: -1}
+	}
+	return layers
+}
+
+func (m *manifestSchema1) Config() ([]byte, error) {
+	return []byte(m.History[0].V1Compatibility), nil
+}
+
+func (m *manifestSchema1) ImageInspectInfo() (*types.ImageInspectInfo, error) {
+	v1 := &v1Image{}
+	config, err := m.Config()
+	if err != nil {
+		return nil, err
+	}
+	if err := json.Unmarshal(config, v1); err != nil {
+		return nil, err
+	}
+	return &types.ImageInspectInfo{
+		Tag:           m.Tag,
+		DockerVersion: v1.DockerVersion,
+		Created:       v1.Created,
+		Labels:        v1.Config.Labels,
+		Architecture:  v1.Architecture,
+		Os:            v1.OS,
+	}, nil
+}
+
+func (m *manifestSchema1) UpdatedManifest(options types.ManifestUpdateOptions) ([]byte, error) {
+	copy := *m
+	if options.LayerInfos != nil {
+		// Our LayerInfos includes empty layers (where m.History.V1Compatibility->ThrowAway), so expect them to be included here as well.
+		if len(copy.FSLayers) != len(options.LayerInfos) {
+			return nil, fmt.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.FSLayers), len(options.LayerInfos))
+		}
+		for i, info := range options.LayerInfos {
+			// (docker push) sets up m.History.V1Compatibility->{Id,Parent} based on values of info.Digest,
+			// but (docker pull) ignores them in favor of computing DiffIDs from uncompressed data, except verifying the child->parent links and uniqueness.
+			// So, we don't bother recomputing the IDs in m.History.V1Compatibility.
+			copy.FSLayers[(len(options.LayerInfos)-1)-i].BlobSum = info.Digest
+		}
+	}
+	// docker/distribution requires a signature even if the incoming data uses the nominally unsigned DockerV2Schema1MediaType.
+	unsigned, err := json.Marshal(copy)
+	if err != nil {
+		return nil, err
+	}
+	return manifest.AddDummyV2S1Signature(unsigned)
+}
+
+// fixManifestLayers, after validating the supplied manifest
+// (to use correctly-formatted IDs, and to not have non-consecutive ID collisions in manifest.History),
+// modifies manifest to only have one entry for each layer ID in manifest.History (deleting the older duplicates,
+// both from manifest.History and manifest.FSLayers).
+// Note that even after this succeeds, manifest.FSLayers may contain duplicate entries
+// (for Dockerfile operations which change the configuration but not the filesystem).
+func fixManifestLayers(manifest *manifestSchema1) error {
+	type imageV1 struct {
+		ID     string
+		Parent string
+	}
+	// Per the specification, we can assume that len(manifest.FSLayers) == len(manifest.History)
+	imgs := make([]*imageV1, len(manifest.FSLayers))
+	for i := range manifest.FSLayers {
+		img := &imageV1{}
+
+		if err := json.Unmarshal([]byte(manifest.History[i].V1Compatibility), img); err != nil {
+			return err
+		}
+
+		imgs[i] = img
+		if err := validateV1ID(img.ID); err != nil {
+			return err
+		}
+	}
+	if imgs[len(imgs)-1].Parent != "" {
+		return errors.New("Invalid parent ID in the base layer of the image.")
+	}
+	// check general duplicates to error instead of a deadlock
+	idmap := make(map[string]struct{})
+	var lastID string
+	for _, img := range imgs {
+		// skip IDs that appear after each other, we handle those later
+		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
+			return fmt.Errorf("ID %+v appears multiple times in manifest", img.ID)
+		}
+		lastID = img.ID
+		idmap[lastID] = struct{}{}
+	}
+	// backwards loop so that we keep the remaining indexes after removing items
+	for i := len(imgs) - 2; i >= 0; i-- {
+		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
+			manifest.FSLayers = append(manifest.FSLayers[:i], manifest.FSLayers[i+1:]...)
+			manifest.History = append(manifest.History[:i], manifest.History[i+1:]...)
+		} else if imgs[i].Parent != imgs[i+1].ID {
+			return fmt.Errorf("Invalid parent ID. Expected %v, got %v.", imgs[i+1].ID, imgs[i].Parent)
+		}
+	}
+	return nil
+}
+
+func validateV1ID(id string) error {
+	if ok := validHex.MatchString(id); !ok {
+		return fmt.Errorf("image ID %q is invalid", id)
+	}
+	return nil
+}

vendor/github.com/containers/image/image/docker_schema2.go

@@ -0,0 +1,85 @@
+package image
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/containers/image/types"
+)
+
+type descriptor struct {
+	MediaType string `json:"mediaType"`
+	Size      int64  `json:"size"`
+	Digest    string `json:"digest"`
+}
+
+type manifestSchema2 struct {
+	src               types.ImageSource
+	SchemaVersion     int          `json:"schemaVersion"`
+	MediaType         string       `json:"mediaType"`
+	ConfigDescriptor  descriptor   `json:"config"`
+	LayersDescriptors []descriptor `json:"layers"`
+}
+
+func manifestSchema2FromManifest(src types.ImageSource, manifest []byte) (genericManifest, error) {
+	v2s2 := manifestSchema2{src: src}
+	if err := json.Unmarshal(manifest, &v2s2); err != nil {
+		return nil, err
+	}
+	return &v2s2, nil
+}
+
+func (m *manifestSchema2) ConfigInfo() types.BlobInfo {
+	return types.BlobInfo{Digest: m.ConfigDescriptor.Digest, Size: m.ConfigDescriptor.Size}
+}
+
+func (m *manifestSchema2) LayerInfos() []types.BlobInfo {
+	blobs := []types.BlobInfo{}
+	for _, layer := range m.LayersDescriptors {
+		blobs = append(blobs, types.BlobInfo{Digest: layer.Digest, Size: layer.Size})
+	}
+	return blobs
+}
+
+func (m *manifestSchema2) Config() ([]byte, error) {
+	rawConfig, _, err := m.src.GetBlob(m.ConfigDescriptor.Digest)
+	if err != nil {
+		return nil, err
+	}
+	config, err := ioutil.ReadAll(rawConfig)
+	rawConfig.Close()
+	return config, err
+}
+
+func (m *manifestSchema2) ImageInspectInfo() (*types.ImageInspectInfo, error) {
+	config, err := m.Config()
+	if err != nil {
+		return nil, err
+	}
+	v1 := &v1Image{}
+	if err := json.Unmarshal(config, v1); err != nil {
+		return nil, err
+	}
+	return &types.ImageInspectInfo{
+		DockerVersion: v1.DockerVersion,
+		Created:       v1.Created,
+		Labels:        v1.Config.Labels,
+		Architecture:  v1.Architecture,
+		Os:            v1.OS,
+	}, nil
+}
+
+func (m *manifestSchema2) UpdatedManifest(options types.ManifestUpdateOptions) ([]byte, error) {
+	copy := *m
+	if options.LayerInfos != nil {
+		if len(copy.LayersDescriptors) != len(options.LayerInfos) {
+			return nil, fmt.Errorf("Error preparing updated manifest: layer count changed from %d to %d", len(copy.LayersDescriptors), len(options.LayerInfos))
+		}
+		for i, info := range options.LayerInfos {
+			copy.LayersDescriptors[i].Digest = info.Digest
+			copy.LayersDescriptors[i].Size = info.Size
+		}
+	}
+	return json.Marshal(copy)
+}

vendor/github.com/containers/image/image/image.go

@@ -0,0 +1,186 @@
+// Package image consolidates knowledge about various container image formats
+// (as opposed to image storage mechanisms, which are handled by types.ImageSource)
+// and exposes all of them using an unified interface.
+package image
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+)
+
+// genericImage is a general set of utilities for working with container images,
+// whatever is their underlying location (i.e. dockerImageSource-independent).
+// Note the existence of skopeo/docker.Image: some instances of a `types.Image`
+// may not be a `genericImage` directly. However, most users of `types.Image`
+// do not care, and those who care about `skopeo/docker.Image` know they do.
+type genericImage struct {
+	src types.ImageSource
+	// private cache for Manifest(); nil if not yet known.
+	cachedManifest []byte
+	// private cache for the manifest media type w/o having to guess it
+	// this may be the empty string in case the MIME Type wasn't guessed correctly
+	// this field is valid only if cachedManifest is not nil
+	cachedManifestMIMEType string
+	// private cache for Signatures(); nil if not yet known.
+	cachedSignatures [][]byte
+}
+
+// FromSource returns a types.Image implementation for source.
+// The caller must call .Close() on the returned Image.
+//
+// FromSource “takes ownership” of the input ImageSource and will call src.Close()
+// when the image is closed.  (This does not prevent callers from using both the
+// Image and ImageSource objects simultaneously, but it means that they only need to
+// the Image.)
+func FromSource(src types.ImageSource) types.Image {
+	return &genericImage{src: src}
+}
+
+// Reference returns the reference used to set up this source, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
+func (i *genericImage) Reference() types.ImageReference {
+	return i.src.Reference()
+}
+
+// Close removes resources associated with an initialized Image, if any.
+func (i *genericImage) Close() {
+	i.src.Close()
+}
+
+// Manifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
+// NOTE: It is essential for signature verification that Manifest returns the manifest from which ConfigInfo and LayerInfos is computed.
+func (i *genericImage) Manifest() ([]byte, string, error) {
+	if i.cachedManifest == nil {
+		m, mt, err := i.src.GetManifest()
+		if err != nil {
+			return nil, "", err
+		}
+		i.cachedManifest = m
+		if mt == "" || mt == "text/plain" {
+			// Crane registries can return "text/plain".
+			// This makes no real sense, but it happens
+			// because requests for manifests are
+			// redirected to a content distribution
+			// network which is configured that way.
+			mt = manifest.GuessMIMEType(i.cachedManifest)
+		}
+		i.cachedManifestMIMEType = mt
+	}
+	return i.cachedManifest, i.cachedManifestMIMEType, nil
+}
+
+// Signatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
+func (i *genericImage) Signatures() ([][]byte, error) {
+	if i.cachedSignatures == nil {
+		sigs, err := i.src.GetSignatures()
+		if err != nil {
+			return nil, err
+		}
+		i.cachedSignatures = sigs
+	}
+	return i.cachedSignatures, nil
+}
+
+type config struct {
+	Labels map[string]string
+}
+
+type v1Image struct {
+	// Config is the configuration of the container received from the client
+	Config *config `json:"config,omitempty"`
+	// DockerVersion specifies version on which image is built
+	DockerVersion string `json:"docker_version,omitempty"`
+	// Created timestamp when image was created
+	Created time.Time `json:"created"`
+	// Architecture is the hardware that the image is build and runs on
+	Architecture string `json:"architecture,omitempty"`
+	// OS is the operating system used to build and run the image
+	OS string `json:"os,omitempty"`
+}
+
+// will support v1 one day...
+type genericManifest interface {
+	Config() ([]byte, error)
+	ConfigInfo() types.BlobInfo
+	LayerInfos() []types.BlobInfo
+	ImageInspectInfo() (*types.ImageInspectInfo, error) // The caller will need to fill in Layers
+	UpdatedManifest(types.ManifestUpdateOptions) ([]byte, error)
+}
+
+// getParsedManifest parses the manifest into a data structure, cleans it up, and returns it.
+// NOTE: The manifest may have been modified in the process; DO NOT reserialize and store the return value
+// if you want to preserve the original manifest; use the blob returned by Manifest() directly.
+// NOTE: It is essential for signature verification that the object is computed from the same manifest which is returned by Manifest().
+func (i *genericImage) getParsedManifest() (genericManifest, error) {
+	manblob, mt, err := i.Manifest()
+	if err != nil {
+		return nil, err
+	}
+	switch mt {
+	// "application/json" is a valid v2s1 value per https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-1.md .
+	// This works for now, when nothing else seems to return "application/json"; if that were not true, the mapping/detection might
+	// need to happen within the ImageSource.
+	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType, "application/json":
+		return manifestSchema1FromManifest(manblob)
+	case manifest.DockerV2Schema2MediaType:
+		return manifestSchema2FromManifest(i.src, manblob)
+	case "":
+		return nil, errors.New("could not guess manifest media type")
+	default:
+		return nil, fmt.Errorf("unsupported manifest media type %s", mt)
+	}
+}
+
+func (i *genericImage) Inspect() (*types.ImageInspectInfo, error) {
+	// TODO(runcom): unused version param for now, default to docker v2-1
+	m, err := i.getParsedManifest()
+	if err != nil {
+		return nil, err
+	}
+	info, err := m.ImageInspectInfo()
+	if err != nil {
+		return nil, err
+	}
+	layers := m.LayerInfos()
+	info.Layers = make([]string, len(layers))
+	for i, layer := range layers {
+		info.Layers[i] = layer.Digest
+	}
+	return info, nil
+}
+
+// ConfigInfo returns a complete BlobInfo for the separate config object, or a BlobInfo{Digest:""} if there isn't a separate object.
+// NOTE: It is essential for signature verification that ConfigInfo is computed from the same manifest which is returned by Manifest().
+func (i *genericImage) ConfigInfo() (types.BlobInfo, error) {
+	m, err := i.getParsedManifest()
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	return m.ConfigInfo(), nil
+}
+
+// LayerInfos returns a list of BlobInfos of layers referenced by this image, in order (the root layer first, and then successive layered layers).
+// The Digest field is guaranteed to be provided; Size may be -1.
+// NOTE: It is essential for signature verification that LayerInfos is computed from the same manifest which is returned by Manifest().
+// WARNING: The list may contain duplicates, and they are semantically relevant.
+func (i *genericImage) LayerInfos() ([]types.BlobInfo, error) {
+	m, err := i.getParsedManifest()
+	if err != nil {
+		return nil, err
+	}
+	return m.LayerInfos(), nil
+}
+
+// UpdatedManifest returns the image's manifest modified according to updateOptions.
+// This does not change the state of the Image object.
+func (i *genericImage) UpdatedManifest(options types.ManifestUpdateOptions) ([]byte, error) {
+	m, err := i.getParsedManifest()
+	if err != nil {
+		return nil, err
+	}
+	return m.UpdatedManifest(options)
+}

vendor/github.com/containers/image/manifest/manifest.go

@@ -0,0 +1,115 @@
+package manifest
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+
+	"github.com/docker/libtrust"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// FIXME: Should we just use docker/distribution and docker/docker implementations directly?
+
+// FIXME(runcom, mitr): should we havea mediatype pkg??
+const (
+	// DockerV2Schema1MediaType MIME type represents Docker manifest schema 1
+	DockerV2Schema1MediaType = "application/vnd.docker.distribution.manifest.v1+json"
+	// DockerV2Schema1MediaType MIME type represents Docker manifest schema 1 with a JWS signature
+	DockerV2Schema1SignedMediaType = "application/vnd.docker.distribution.manifest.v1+prettyjws"
+	// DockerV2Schema2MediaType MIME type represents Docker manifest schema 2
+	DockerV2Schema2MediaType = "application/vnd.docker.distribution.manifest.v2+json"
+	// DockerV2ListMediaType MIME type represents Docker manifest schema 2 list
+	DockerV2ListMediaType = "application/vnd.docker.distribution.manifest.list.v2+json"
+)
+
+// DefaultRequestedManifestMIMETypes is a list of MIME types a types.ImageSource
+// should request from the backend unless directed otherwise.
+var DefaultRequestedManifestMIMETypes = []string{
+	imgspecv1.MediaTypeImageManifest,
+	DockerV2Schema2MediaType,
+	DockerV2Schema1SignedMediaType,
+	DockerV2Schema1MediaType,
+}
+
+// GuessMIMEType guesses MIME type of a manifest and returns it _if it is recognized_, or "" if unknown or unrecognized.
+// FIXME? We should, in general, prefer out-of-band MIME type instead of blindly parsing the manifest,
+// but we may not have such metadata available (e.g. when the manifest is a local file).
+func GuessMIMEType(manifest []byte) string {
+	// A subset of manifest fields; the rest is silently ignored by json.Unmarshal.
+	// Also docker/distribution/manifest.Versioned.
+	meta := struct {
+		MediaType     string      `json:"mediaType"`
+		SchemaVersion int         `json:"schemaVersion"`
+		Signatures    interface{} `json:"signatures"`
+	}{}
+	if err := json.Unmarshal(manifest, &meta); err != nil {
+		return ""
+	}
+
+	switch meta.MediaType {
+	case DockerV2Schema2MediaType, DockerV2ListMediaType, imgspecv1.MediaTypeImageManifest, imgspecv1.MediaTypeImageManifestList: // A recognized type.
+		return meta.MediaType
+	}
+	// this is the only way the function can return DockerV2Schema1MediaType, and recognizing that is essential for stripping the JWS signatures = computing the correct manifest digest.
+	switch meta.SchemaVersion {
+	case 1:
+		if meta.Signatures != nil {
+			return DockerV2Schema1SignedMediaType
+		}
+		return DockerV2Schema1MediaType
+	case 2: // Really should not happen, meta.MediaType should have been set. But given the data, this is our best guess.
+		return DockerV2Schema2MediaType
+	}
+	return ""
+}
+
+// Digest returns the a digest of a docker manifest, with any necessary implied transformations like stripping v1s1 signatures.
+func Digest(manifest []byte) (string, error) {
+	if GuessMIMEType(manifest) == DockerV2Schema1SignedMediaType {
+		sig, err := libtrust.ParsePrettySignature(manifest, "signatures")
+		if err != nil {
+			return "", err
+		}
+		manifest, err = sig.Payload()
+		if err != nil {
+			// Coverage: This should never happen, libtrust's Payload() can fail only if joseBase64UrlDecode() fails, on a string
+			// that libtrust itself has josebase64UrlEncode()d
+			return "", err
+		}
+	}
+
+	hash := sha256.Sum256(manifest)
+	return "sha256:" + hex.EncodeToString(hash[:]), nil
+}
+
+// MatchesDigest returns true iff the manifest matches expectedDigest.
+// Error may be set if this returns false.
+// Note that this is not doing ConstantTimeCompare; by the time we get here, the cryptographic signature must already have been verified,
+// or we are not using a cryptographic channel and the attacker can modify the digest along with the manifest blob.
+func MatchesDigest(manifest []byte, expectedDigest string) (bool, error) {
+	// This should eventually support various digest types.
+	actualDigest, err := Digest(manifest)
+	if err != nil {
+		return false, err
+	}
+	return expectedDigest == actualDigest, nil
+}
+
+// AddDummyV2S1Signature adds an JWS signature with a temporary key (i.e. useless) to a v2s1 manifest.
+// This is useful to make the manifest acceptable to a Docker Registry (even though nothing needs or wants the JWS signature).
+func AddDummyV2S1Signature(manifest []byte) ([]byte, error) {
+	key, err := libtrust.GenerateECP256PrivateKey()
+	if err != nil {
+		return nil, err // Coverage: This can fail only if rand.Reader fails.
+	}
+
+	js, err := libtrust.NewJSONSignature(manifest)
+	if err != nil {
+		return nil, err
+	}
+	if err := js.Sign(key); err != nil { // Coverage: This can fail basically only if rand.Reader fails.
+		return nil, err
+	}
+	return js.PrettySignature("signatures")
+}

vendor/github.com/containers/image/oci/layout/oci_dest.go

@@ -0,0 +1,211 @@
+package layout
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+	imgspec "github.com/opencontainers/image-spec/specs-go"
+	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type ociImageDestination struct {
+	ref ociReference
+}
+
+// newImageDestination returns an ImageDestination for writing to an existing directory.
+func newImageDestination(ref ociReference) types.ImageDestination {
+	return &ociImageDestination{ref: ref}
+}
+
+// Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
+// e.g. it should use the public hostname instead of the result of resolving CNAMEs or following redirects.
+func (d *ociImageDestination) Reference() types.ImageReference {
+	return d.ref
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any.
+func (d *ociImageDestination) Close() {
+}
+
+func (d *ociImageDestination) SupportedManifestMIMETypes() []string {
+	return []string{
+		imgspecv1.MediaTypeImageManifest,
+		manifest.DockerV2Schema2MediaType,
+	}
+}
+
+// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
+// Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
+func (d *ociImageDestination) SupportsSignatures() error {
+	return fmt.Errorf("Pushing signatures for OCI images is not supported")
+}
+
+// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
+func (d *ociImageDestination) ShouldCompressLayers() bool {
+	return false
+}
+
+// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
+// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
+// inputInfo.Size is the expected length of stream, if known.
+// WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
+// to any other readers for download using the supplied digest.
+// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
+func (d *ociImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
+	if err := ensureDirectoryExists(d.ref.dir); err != nil {
+		return types.BlobInfo{}, err
+	}
+	blobFile, err := ioutil.TempFile(d.ref.dir, "oci-put-blob")
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	succeeded := false
+	defer func() {
+		blobFile.Close()
+		if !succeeded {
+			os.Remove(blobFile.Name())
+		}
+	}()
+
+	h := sha256.New()
+	tee := io.TeeReader(stream, h)
+
+	size, err := io.Copy(blobFile, tee)
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	computedDigest := "sha256:" + hex.EncodeToString(h.Sum(nil))
+	if inputInfo.Size != -1 && size != inputInfo.Size {
+		return types.BlobInfo{}, fmt.Errorf("Size mismatch when copying %s, expected %d, got %d", computedDigest, inputInfo.Size, size)
+	}
+	if err := blobFile.Sync(); err != nil {
+		return types.BlobInfo{}, err
+	}
+	if err := blobFile.Chmod(0644); err != nil {
+		return types.BlobInfo{}, err
+	}
+
+	blobPath, err := d.ref.blobPath(computedDigest)
+	if err != nil {
+		return types.BlobInfo{}, err
+	}
+	if err := ensureParentDirectoryExists(blobPath); err != nil {
+		return types.BlobInfo{}, err
+	}
+	if err := os.Rename(blobFile.Name(), blobPath); err != nil {
+		return types.BlobInfo{}, err
+	}
+	succeeded = true
+	return types.BlobInfo{Digest: computedDigest, Size: size}, nil
+}
+
+func createManifest(m []byte) ([]byte, string, error) {
+	om := imgspecv1.Manifest{}
+	mt := manifest.GuessMIMEType(m)
+	switch mt {
+	case manifest.DockerV2Schema1MediaType, manifest.DockerV2Schema1SignedMediaType:
+		// There a simple reason about not yet implementing this.
+		// OCI image-spec assure about backward compatibility with docker v2s2 but not v2s1
+		// generating a v2s2 is a migration docker does when upgrading to 1.10.3
+		// and I don't think we should bother about this now (I don't want to have migration code here in skopeo)
+		return nil, "", errors.New("can't create an OCI manifest from Docker V2 schema 1 manifest")
+	case manifest.DockerV2Schema2MediaType:
+		if err := json.Unmarshal(m, &om); err != nil {
+			return nil, "", err
+		}
+		om.MediaType = imgspecv1.MediaTypeImageManifest
+		for i := range om.Layers {
+			om.Layers[i].MediaType = imgspecv1.MediaTypeImageLayer
+		}
+		om.Config.MediaType = imgspecv1.MediaTypeImageConfig
+		b, err := json.Marshal(om)
+		if err != nil {
+			return nil, "", err
+		}
+		return b, om.MediaType, nil
+	case manifest.DockerV2ListMediaType:
+		return nil, "", errors.New("can't create an OCI manifest from Docker V2 schema 2 manifest list")
+	case imgspecv1.MediaTypeImageManifestList:
+		return nil, "", errors.New("can't create an OCI manifest from OCI manifest list")
+	case imgspecv1.MediaTypeImageManifest:
+		return m, mt, nil
+	}
+	return nil, "", fmt.Errorf("unrecognized manifest media type %q", mt)
+}
+
+func (d *ociImageDestination) PutManifest(m []byte) error {
+	// TODO(mitr, runcom): this breaks signatures entirely since at this point we're creating a new manifest
+	// and signatures don't apply anymore. Will fix.
+	ociMan, mt, err := createManifest(m)
+	if err != nil {
+		return err
+	}
+	digest, err := manifest.Digest(ociMan)
+	if err != nil {
+		return err
+	}
+	desc := imgspec.Descriptor{}
+	desc.Digest = digest
+	// TODO(runcom): beaware and add support for OCI manifest list
+	desc.MediaType = mt
+	desc.Size = int64(len(ociMan))
+	data, err := json.Marshal(desc)
+	if err != nil {
+		return err
+	}
+
+	blobPath, err := d.ref.blobPath(digest)
+	if err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile(blobPath, ociMan, 0644); err != nil {
+		return err
+	}
+	// TODO(runcom): ugly here?
+	if err := ioutil.WriteFile(d.ref.ociLayoutPath(), []byte(`{"imageLayoutVersion": "1.0.0"}`), 0644); err != nil {
+		return err
+	}
+	descriptorPath := d.ref.descriptorPath(d.ref.tag)
+	if err := ensureParentDirectoryExists(descriptorPath); err != nil {
+		return err
+	}
+	return ioutil.WriteFile(descriptorPath, data, 0644)
+}
+
+func ensureDirectoryExists(path string) error {
+	if _, err := os.Stat(path); err != nil && os.IsNotExist(err) {
+		if err := os.MkdirAll(path, 0755); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// ensureParentDirectoryExists ensures the parent of the supplied path exists.
+func ensureParentDirectoryExists(path string) error {
+	return ensureDirectoryExists(filepath.Dir(path))
+}
+
+func (d *ociImageDestination) PutSignatures(signatures [][]byte) error {
+	if len(signatures) != 0 {
+		return fmt.Errorf("Pushing signatures for OCI images is not supported")
+	}
+	return nil
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted.
+// WARNING: This does not have any transactional semantics:
+// - Uploaded data MAY be visible to others before Commit() is called
+// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
+func (d *ociImageDestination) Commit() error {
+	return nil
+}

vendor/github.com/containers/image/oci/layout/oci_transport.go

@@ -0,0 +1,209 @@
+package layout
+
+import (
+	"errors"
+	"fmt"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/containers/image/directory/explicitfilepath"
+	"github.com/containers/image/types"
+	"github.com/docker/docker/reference"
+)
+
+// Transport is an ImageTransport for OCI directories.
+var Transport = ociTransport{}
+
+type ociTransport struct{}
+
+func (t ociTransport) Name() string {
+	return "oci"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func (t ociTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return ParseReference(reference)
+}
+
+var refRegexp = regexp.MustCompile(`^([A-Za-z0-9._-]+)+$`)
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+// (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
+// It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
+// scope passed to this function will not be "", that value is always allowed.
+func (t ociTransport) ValidatePolicyConfigurationScope(scope string) error {
+	var dir string
+	sep := strings.LastIndex(scope, ":")
+	if sep == -1 {
+		dir = scope
+	} else {
+		dir = scope[:sep]
+		tag := scope[sep+1:]
+		if !refRegexp.MatchString(tag) {
+			return fmt.Errorf("Invalid tag %s", tag)
+		}
+	}
+
+	if strings.Contains(dir, ":") {
+		return fmt.Errorf("Invalid OCI reference %s: path contains a colon", scope)
+	}
+
+	if !strings.HasPrefix(dir, "/") {
+		return fmt.Errorf("Invalid scope %s: must be an absolute path", scope)
+	}
+	// Refuse also "/", otherwise "/" and "" would have the same semantics,
+	// and "" could be unexpectedly shadowed by the "/" entry.
+	// (Note: we do allow "/:sometag", a bit ridiculous but why refuse it?)
+	if scope == "/" {
+		return errors.New(`Invalid scope "/": Use the generic default scope ""`)
+	}
+	cleaned := filepath.Clean(dir)
+	if cleaned != dir {
+		return fmt.Errorf(`Invalid scope %s: Uses non-canonical path format, perhaps try with path %s`, scope, cleaned)
+	}
+	return nil
+}
+
+// ociReference is an ImageReference for OCI directory paths.
+type ociReference struct {
+	// Note that the interpretation of paths below depends on the underlying filesystem state, which may change under us at any time!
+	// Either of the paths may point to a different, or no, inode over time.  resolvedDir may contain symbolic links, and so on.
+
+	// Generally we follow the intent of the user, and use the "dir" member for filesystem operations (e.g. the user can use a relative path to avoid
+	// being exposed to symlinks and renames in the parent directories to the working directory).
+	// (But in general, we make no attempt to be completely safe against concurrent hostile filesystem modifications.)
+	dir         string // As specified by the user. May be relative, contain symlinks, etc.
+	resolvedDir string // Absolute path with no symlinks, at least at the time of its creation. Primarily used for policy namespaces.
+	tag         string
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an OCI ImageReference.
+func ParseReference(reference string) (types.ImageReference, error) {
+	var dir, tag string
+	sep := strings.LastIndex(reference, ":")
+	if sep == -1 {
+		dir = reference
+		tag = "latest"
+	} else {
+		dir = reference[:sep]
+		tag = reference[sep+1:]
+	}
+	return NewReference(dir, tag)
+}
+
+// NewReference returns an OCI reference for a directory and a tag.
+//
+// We do not expose an API supplying the resolvedDir; we could, but recomputing it
+// is generally cheap enough that we prefer being confident about the properties of resolvedDir.
+func NewReference(dir, tag string) (types.ImageReference, error) {
+	resolved, err := explicitfilepath.ResolvePathToFullyExplicit(dir)
+	if err != nil {
+		return nil, err
+	}
+	// This is necessary to prevent directory paths returned by PolicyConfigurationNamespaces
+	// from being ambiguous with values of PolicyConfigurationIdentity.
+	if strings.Contains(resolved, ":") {
+		return nil, fmt.Errorf("Invalid OCI reference %s:%s: path %s contains a colon", dir, tag, resolved)
+	}
+	if !refRegexp.MatchString(tag) {
+		return nil, fmt.Errorf("Invalid tag %s", tag)
+	}
+	return ociReference{dir: dir, resolvedDir: resolved, tag: tag}, nil
+}
+
+func (ref ociReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+// NOTE: The returned string is not promised to be equal to the original input to ParseReference;
+// e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
+// WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix.
+func (ref ociReference) StringWithinTransport() string {
+	return fmt.Sprintf("%s:%s", ref.dir, ref.tag)
+}
+
+// DockerReference returns a Docker reference associated with this reference
+// (fully explicit, i.e. !reference.IsNameOnly, but reflecting user intent,
+// not e.g. after redirect or alias processing), or nil if unknown/not applicable.
+func (ref ociReference) DockerReference() reference.Named {
+	return nil
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+// This MUST reflect user intent, not e.g. after processing of third-party redirects or aliases;
+// The value SHOULD be fully explicit about its semantics, with no hidden defaults, AND canonical
+// (i.e. various references with exactly the same semantics should return the same configuration identity)
+// It is fine for the return value to be equal to StringWithinTransport(), and it is desirable but
+// not required/guaranteed that it will be a valid input to Transport().ParseReference().
+// Returns "" if configuration identities for these references are not supported.
+func (ref ociReference) PolicyConfigurationIdentity() string {
+	return fmt.Sprintf("%s:%s", ref.resolvedDir, ref.tag)
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set.  The list will be processed
+// in order, terminating on first match, and an implicit "" is always checked at the end.
+// It is STRONGLY recommended for the first element, if any, to be a prefix of PolicyConfigurationIdentity(),
+// and each following element to be a prefix of the element preceding it.
+func (ref ociReference) PolicyConfigurationNamespaces() []string {
+	res := []string{}
+	path := ref.resolvedDir
+	for {
+		lastSlash := strings.LastIndex(path, "/")
+		// Note that we do not include "/"; it is redundant with the default "" global default,
+		// and rejected by ociTransport.ValidatePolicyConfigurationScope above.
+		if lastSlash == -1 || path == "/" {
+			break
+		}
+		res = append(res, path)
+		path = path[:lastSlash]
+	}
+	return res
+}
+
+// NewImage returns a types.Image for this reference.
+// The caller must call .Close() on the returned Image.
+func (ref ociReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+	return nil, errors.New("Full Image support not implemented for oci: image names")
+}
+
+// NewImageSource returns a types.ImageSource for this reference,
+// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
+// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// The caller must call .Close() on the returned ImageSource.
+func (ref ociReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	return nil, errors.New("Reading images not implemented for oci: image names")
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref ociReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ref), nil
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref ociReference) DeleteImage(ctx *types.SystemContext) error {
+	return fmt.Errorf("Deleting images not implemented for oci: images")
+}
+
+// ociLayoutPathPath returns a path for the oci-layout within a directory using OCI conventions.
+func (ref ociReference) ociLayoutPath() string {
+	return filepath.Join(ref.dir, "oci-layout")
+}
+
+// blobPath returns a path for a blob within a directory using OCI image-layout conventions.
+func (ref ociReference) blobPath(digest string) (string, error) {
+	pts := strings.SplitN(digest, ":", 2)
+	if len(pts) != 2 {
+		return "", fmt.Errorf("unexpected digest reference %s", digest)
+	}
+	return filepath.Join(ref.dir, "blobs", pts[0], pts[1]), nil
+}
+
+// descriptorPath returns a path for the manifest within a directory using OCI conventions.
+func (ref ociReference) descriptorPath(digest string) string {
+	return filepath.Join(ref.dir, "refs", digest)
+}

vendor/github.com/containers/image/openshift/openshift.go

@@ -0,0 +1,498 @@
+package openshift
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/containers/image/docker"
+	"github.com/containers/image/manifest"
+	"github.com/containers/image/types"
+	"github.com/containers/image/version"
+)
+
+// openshiftClient is configuration for dealing with a single image stream, for reading or writing.
+type openshiftClient struct {
+	ref     openshiftReference
+	baseURL *url.URL
+	// Values from Kubernetes configuration
+	httpClient  *http.Client
+	bearerToken string // "" if not used
+	username    string // "" if not used
+	password    string // if username != ""
+}
+
+// newOpenshiftClient creates a new openshiftClient for the specified reference.
+func newOpenshiftClient(ref openshiftReference) (*openshiftClient, error) {
+	// We have already done this parsing in ParseReference, but thrown away
+	// httpClient. So, parse again.
+	// (We could also rework/split restClientFor to "get base URL" to be done
+	// in ParseReference, and "get httpClient" to be done here.  But until/unless
+	// we support non-default clusters, this is good enough.)
+
+	// Overall, this is modelled on openshift/origin/pkg/cmd/util/clientcmd.New().ClientConfig() and openshift/origin/pkg/client.
+	cmdConfig := defaultClientConfig()
+	logrus.Debugf("cmdConfig: %#v", cmdConfig)
+	restConfig, err := cmdConfig.ClientConfig()
+	if err != nil {
+		return nil, err
+	}
+	// REMOVED: SetOpenShiftDefaults (values are not overridable in config files, so hard-coded these defaults.)
+	logrus.Debugf("restConfig: %#v", restConfig)
+	baseURL, httpClient, err := restClientFor(restConfig)
+	if err != nil {
+		return nil, err
+	}
+	logrus.Debugf("URL: %#v", *baseURL)
+
+	if httpClient == nil {
+		httpClient = http.DefaultClient
+	}
+
+	return &openshiftClient{
+		ref:         ref,
+		baseURL:     baseURL,
+		httpClient:  httpClient,
+		bearerToken: restConfig.BearerToken,
+		username:    restConfig.Username,
+		password:    restConfig.Password,
+	}, nil
+}
+
+// doRequest performs a correctly authenticated request to a specified path, and returns response body or an error object.
+func (c *openshiftClient) doRequest(method, path string, requestBody []byte) ([]byte, error) {
+	url := *c.baseURL
+	url.Path = path
+	var requestBodyReader io.Reader
+	if requestBody != nil {
+		logrus.Debugf("Will send body: %s", requestBody)
+		requestBodyReader = bytes.NewReader(requestBody)
+	}
+	req, err := http.NewRequest(method, url.String(), requestBodyReader)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(c.bearerToken) != 0 {
+		req.Header.Set("Authorization", "Bearer "+c.bearerToken)
+	} else if len(c.username) != 0 {
+		req.SetBasicAuth(c.username, c.password)
+	}
+	req.Header.Set("Accept", "application/json, */*")
+	req.Header.Set("User-Agent", fmt.Sprintf("skopeo/%s", version.Version))
+	if requestBody != nil {
+		req.Header.Set("Content-Type", "application/json")
+	}
+
+	logrus.Debugf("%s %s", method, url)
+	res, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+	logrus.Debugf("Got body: %s", body)
+	// FIXME: Just throwing this useful information away only to try to guess later...
+	logrus.Debugf("Got content-type: %s", res.Header.Get("Content-Type"))
+
+	var status status
+	statusValid := false
+	if err := json.Unmarshal(body, &status); err == nil && len(status.Status) > 0 {
+		statusValid = true
+	}
+
+	switch {
+	case res.StatusCode == http.StatusSwitchingProtocols: // FIXME?! No idea why this weird case exists in k8s.io/kubernetes/pkg/client/restclient.
+		if statusValid && status.Status != "Success" {
+			return nil, errors.New(status.Message)
+		}
+	case res.StatusCode >= http.StatusOK && res.StatusCode <= http.StatusPartialContent:
+		// OK.
+	default:
+		if statusValid {
+			return nil, errors.New(status.Message)
+		}
+		return nil, fmt.Errorf("HTTP error: status code: %d, body: %s", res.StatusCode, string(body))
+	}
+
+	return body, nil
+}
+
+// getImage loads the specified image object.
+func (c *openshiftClient) getImage(imageStreamImageName string) (*image, error) {
+	// FIXME: validate components per validation.IsValidPathSegmentName?
+	path := fmt.Sprintf("/oapi/v1/namespaces/%s/imagestreamimages/%s@%s", c.ref.namespace, c.ref.stream, imageStreamImageName)
+	body, err := c.doRequest("GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	// Note: This does absolutely no kind/version checking or conversions.
+	var isi imageStreamImage
+	if err := json.Unmarshal(body, &isi); err != nil {
+		return nil, err
+	}
+	return &isi.Image, nil
+}
+
+// convertDockerImageReference takes an image API DockerImageReference value and returns a reference we can actually use;
+// currently OpenShift stores the cluster-internal service IPs here, which are unusable from the outside.
+func (c *openshiftClient) convertDockerImageReference(ref string) (string, error) {
+	parts := strings.SplitN(ref, "/", 2)
+	if len(parts) != 2 {
+		return "", fmt.Errorf("Invalid format of docker reference %s: missing '/'", ref)
+	}
+	return c.ref.dockerReference.Hostname() + "/" + parts[1], nil
+}
+
+type openshiftImageSource struct {
+	client *openshiftClient
+	// Values specific to this image
+	ctx                        *types.SystemContext
+	requestedManifestMIMETypes []string
+	// State
+	docker               types.ImageSource // The Docker Registry endpoint, or nil if not resolved yet
+	imageStreamImageName string            // Resolved image identifier, or "" if not known yet
+}
+
+// newImageSource creates a new ImageSource for the specified reference,
+// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
+// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// The caller must call .Close() on the returned ImageSource.
+func newImageSource(ctx *types.SystemContext, ref openshiftReference, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	client, err := newOpenshiftClient(ref)
+	if err != nil {
+		return nil, err
+	}
+
+	return &openshiftImageSource{
+		client: client,
+		ctx:    ctx,
+		requestedManifestMIMETypes: requestedManifestMIMETypes,
+	}, nil
+}
+
+// Reference returns the reference used to set up this source, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims).  This can be used e.g. to determine which public keys are trusted for this image.
+func (s *openshiftImageSource) Reference() types.ImageReference {
+	return s.client.ref
+}
+
+// Close removes resources associated with an initialized ImageSource, if any.
+func (s *openshiftImageSource) Close() {
+	if s.docker != nil {
+		s.docker.Close()
+		s.docker = nil
+	}
+}
+
+func (s *openshiftImageSource) GetManifest() ([]byte, string, error) {
+	if err := s.ensureImageIsResolved(); err != nil {
+		return nil, "", err
+	}
+	return s.docker.GetManifest()
+}
+
+// GetBlob returns a stream for the specified blob, and the blob’s size (or -1 if unknown).
+func (s *openshiftImageSource) GetBlob(digest string) (io.ReadCloser, int64, error) {
+	if err := s.ensureImageIsResolved(); err != nil {
+		return nil, 0, err
+	}
+	return s.docker.GetBlob(digest)
+}
+
+func (s *openshiftImageSource) GetSignatures() ([][]byte, error) {
+	if err := s.ensureImageIsResolved(); err != nil {
+		return nil, err
+	}
+
+	image, err := s.client.getImage(s.imageStreamImageName)
+	if err != nil {
+		return nil, err
+	}
+	var sigs [][]byte
+	for _, sig := range image.Signatures {
+		if sig.Type == imageSignatureTypeAtomic {
+			sigs = append(sigs, sig.Content)
+		}
+	}
+	return sigs, nil
+}
+
+// ensureImageIsResolved sets up s.docker and s.imageStreamImageName
+func (s *openshiftImageSource) ensureImageIsResolved() error {
+	if s.docker != nil {
+		return nil
+	}
+
+	// FIXME: validate components per validation.IsValidPathSegmentName?
+	path := fmt.Sprintf("/oapi/v1/namespaces/%s/imagestreams/%s", s.client.ref.namespace, s.client.ref.stream)
+	body, err := s.client.doRequest("GET", path, nil)
+	if err != nil {
+		return err
+	}
+	// Note: This does absolutely no kind/version checking or conversions.
+	var is imageStream
+	if err := json.Unmarshal(body, &is); err != nil {
+		return err
+	}
+	var te *tagEvent
+	for _, tag := range is.Status.Tags {
+		if tag.Tag != s.client.ref.dockerReference.Tag() {
+			continue
+		}
+		if len(tag.Items) > 0 {
+			te = &tag.Items[0]
+			break
+		}
+	}
+	if te == nil {
+		return fmt.Errorf("No matching tag found")
+	}
+	logrus.Debugf("tag event %#v", te)
+	dockerRefString, err := s.client.convertDockerImageReference(te.DockerImageReference)
+	if err != nil {
+		return err
+	}
+	logrus.Debugf("Resolved reference %#v", dockerRefString)
+	dockerRef, err := docker.ParseReference("//" + dockerRefString)
+	if err != nil {
+		return err
+	}
+	d, err := dockerRef.NewImageSource(s.ctx, s.requestedManifestMIMETypes)
+	if err != nil {
+		return err
+	}
+	s.docker = d
+	s.imageStreamImageName = te.Image
+	return nil
+}
+
+type openshiftImageDestination struct {
+	client *openshiftClient
+	docker types.ImageDestination // The Docker Registry endpoint
+	// State
+	imageStreamImageName string // "" if not yet known
+}
+
+// newImageDestination creates a new ImageDestination for the specified reference.
+func newImageDestination(ctx *types.SystemContext, ref openshiftReference) (types.ImageDestination, error) {
+	client, err := newOpenshiftClient(ref)
+	if err != nil {
+		return nil, err
+	}
+
+	// FIXME: Should this always use a digest, not a tag? Uploading to Docker by tag requires the tag _inside_ the manifest to match,
+	// i.e. a single signed image cannot be available under multiple tags.  But with types.ImageDestination, we don't know
+	// the manifest digest at this point.
+	dockerRefString := fmt.Sprintf("//%s/%s/%s:%s", client.ref.dockerReference.Hostname(), client.ref.namespace, client.ref.stream, client.ref.dockerReference.Tag())
+	dockerRef, err := docker.ParseReference(dockerRefString)
+	if err != nil {
+		return nil, err
+	}
+	docker, err := dockerRef.NewImageDestination(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return &openshiftImageDestination{
+		client: client,
+		docker: docker,
+	}, nil
+}
+
+// Reference returns the reference used to set up this destination.  Note that this should directly correspond to user's intent,
+// e.g. it should use the public hostname instead of the result of resolving CNAMEs or following redirects.
+func (d *openshiftImageDestination) Reference() types.ImageReference {
+	return d.client.ref
+}
+
+// Close removes resources associated with an initialized ImageDestination, if any.
+func (d *openshiftImageDestination) Close() {
+	d.docker.Close()
+}
+
+func (d *openshiftImageDestination) SupportedManifestMIMETypes() []string {
+	return []string{
+		manifest.DockerV2Schema1SignedMediaType,
+		manifest.DockerV2Schema1MediaType,
+	}
+}
+
+// SupportsSignatures returns an error (to be displayed to the user) if the destination certainly can't store signatures.
+// Note: It is still possible for PutSignatures to fail if SupportsSignatures returns nil.
+func (d *openshiftImageDestination) SupportsSignatures() error {
+	return nil
+}
+
+// ShouldCompressLayers returns true iff it is desirable to compress layer blobs written to this destination.
+func (d *openshiftImageDestination) ShouldCompressLayers() bool {
+	return true
+}
+
+// PutBlob writes contents of stream and returns data representing the result (with all data filled in).
+// inputInfo.Digest can be optionally provided if known; it is not mandatory for the implementation to verify it.
+// inputInfo.Size is the expected length of stream, if known.
+// WARNING: The contents of stream are being verified on the fly.  Until stream.Read() returns io.EOF, the contents of the data SHOULD NOT be available
+// to any other readers for download using the supplied digest.
+// If stream.Read() at any time, ESPECIALLY at end of input, returns an error, PutBlob MUST 1) fail, and 2) delete any data stored so far.
+func (d *openshiftImageDestination) PutBlob(stream io.Reader, inputInfo types.BlobInfo) (types.BlobInfo, error) {
+	return d.docker.PutBlob(stream, inputInfo)
+}
+
+func (d *openshiftImageDestination) PutManifest(m []byte) error {
+	manifestDigest, err := manifest.Digest(m)
+	if err != nil {
+		return err
+	}
+	d.imageStreamImageName = manifestDigest
+
+	return d.docker.PutManifest(m)
+}
+
+func (d *openshiftImageDestination) PutSignatures(signatures [][]byte) error {
+	if d.imageStreamImageName == "" {
+		return fmt.Errorf("Internal error: Unknown manifest digest, can't add signatures")
+	}
+	// Because image signatures are a shared resource in Atomic Registry, the default upload
+	// always adds signatures.  Eventually we should also allow removing signatures.
+
+	if len(signatures) == 0 {
+		return nil // No need to even read the old state.
+	}
+
+	image, err := d.client.getImage(d.imageStreamImageName)
+	if err != nil {
+		return err
+	}
+	existingSigNames := map[string]struct{}{}
+	for _, sig := range image.Signatures {
+		existingSigNames[sig.objectMeta.Name] = struct{}{}
+	}
+
+sigExists:
+	for _, newSig := range signatures {
+		for _, existingSig := range image.Signatures {
+			if existingSig.Type == imageSignatureTypeAtomic && bytes.Equal(existingSig.Content, newSig) {
+				continue sigExists
+			}
+		}
+
+		// The API expect us to invent a new unique name. This is racy, but hopefully good enough.
+		var signatureName string
+		for {
+			randBytes := make([]byte, 16)
+			n, err := rand.Read(randBytes)
+			if err != nil || n != 16 {
+				return fmt.Errorf("Error generating random signature ID: %v, len %d", err, n)
+			}
+			signatureName = fmt.Sprintf("%s@%032x", d.imageStreamImageName, randBytes)
+			if _, ok := existingSigNames[signatureName]; !ok {
+				break
+			}
+		}
+		// Note: This does absolutely no kind/version checking or conversions.
+		sig := imageSignature{
+			typeMeta: typeMeta{
+				Kind:       "ImageSignature",
+				APIVersion: "v1",
+			},
+			objectMeta: objectMeta{Name: signatureName},
+			Type:       imageSignatureTypeAtomic,
+			Content:    newSig,
+		}
+		body, err := json.Marshal(sig)
+		_, err = d.client.doRequest("POST", "/oapi/v1/imagesignatures", body)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Commit marks the process of storing the image as successful and asks for the image to be persisted.
+// WARNING: This does not have any transactional semantics:
+// - Uploaded data MAY be visible to others before Commit() is called
+// - Uploaded data MAY be removed or MAY remain around if Close() is called without Commit() (i.e. rollback is allowed but not guaranteed)
+func (d *openshiftImageDestination) Commit() error {
+	return d.docker.Commit()
+}
+
+// These structs are subsets of github.com/openshift/origin/pkg/image/api/v1 and its dependencies.
+type imageStream struct {
+	Status imageStreamStatus `json:"status,omitempty"`
+}
+type imageStreamStatus struct {
+	DockerImageRepository string              `json:"dockerImageRepository"`
+	Tags                  []namedTagEventList `json:"tags,omitempty"`
+}
+type namedTagEventList struct {
+	Tag   string     `json:"tag"`
+	Items []tagEvent `json:"items"`
+}
+type tagEvent struct {
+	DockerImageReference string `json:"dockerImageReference"`
+	Image                string `json:"image"`
+}
+type imageStreamImage struct {
+	Image image `json:"image"`
+}
+type image struct {
+	objectMeta           `json:"metadata,omitempty"`
+	DockerImageReference string `json:"dockerImageReference,omitempty"`
+	//	DockerImageMetadata        runtime.RawExtension `json:"dockerImageMetadata,omitempty"`
+	DockerImageMetadataVersion string `json:"dockerImageMetadataVersion,omitempty"`
+	DockerImageManifest        string `json:"dockerImageManifest,omitempty"`
+	//	DockerImageLayers          []ImageLayer         `json:"dockerImageLayers"`
+	Signatures []imageSignature `json:"signatures,omitempty"`
+}
+
+const imageSignatureTypeAtomic string = "atomic"
+
+type imageSignature struct {
+	typeMeta   `json:",inline"`
+	objectMeta `json:"metadata,omitempty"`
+	Type       string `json:"type"`
+	Content    []byte `json:"content"`
+	// Conditions []SignatureCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+	// ImageIdentity string `json:"imageIdentity,omitempty"`
+	// SignedClaims map[string]string `json:"signedClaims,omitempty"`
+	// Created *unversioned.Time `json:"created,omitempty"`
+	// IssuedBy SignatureIssuer `json:"issuedBy,omitempty"`
+	// IssuedTo SignatureSubject `json:"issuedTo,omitempty"`
+}
+type typeMeta struct {
+	Kind       string `json:"kind,omitempty"`
+	APIVersion string `json:"apiVersion,omitempty"`
+}
+type objectMeta struct {
+	Name                       string            `json:"name,omitempty"`
+	GenerateName               string            `json:"generateName,omitempty"`
+	Namespace                  string            `json:"namespace,omitempty"`
+	SelfLink                   string            `json:"selfLink,omitempty"`
+	ResourceVersion            string            `json:"resourceVersion,omitempty"`
+	Generation                 int64             `json:"generation,omitempty"`
+	DeletionGracePeriodSeconds *int64            `json:"deletionGracePeriodSeconds,omitempty"`
+	Labels                     map[string]string `json:"labels,omitempty"`
+	Annotations                map[string]string `json:"annotations,omitempty"`
+}
+
+// A subset of k8s.io/kubernetes/pkg/api/unversioned/Status
+type status struct {
+	Status  string `json:"status,omitempty"`
+	Message string `json:"message,omitempty"`
+	// Reason StatusReason `json:"reason,omitempty"`
+	// Details *StatusDetails `json:"details,omitempty"`
+	Code int32 `json:"code,omitempty"`
+}

vendor/github.com/containers/image/openshift/openshift_transport.go

@@ -0,0 +1,148 @@
+package openshift
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/containers/image/docker/policyconfiguration"
+	genericImage "github.com/containers/image/image"
+	"github.com/containers/image/types"
+	"github.com/docker/docker/reference"
+)
+
+// Transport is an ImageTransport for OpenShift registry-hosted images.
+var Transport = openshiftTransport{}
+
+type openshiftTransport struct{}
+
+func (t openshiftTransport) Name() string {
+	return "atomic"
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an ImageReference.
+func (t openshiftTransport) ParseReference(reference string) (types.ImageReference, error) {
+	return ParseReference(reference)
+}
+
+// Note that imageNameRegexp is namespace/stream:tag, this
+// is HOSTNAME/namespace/stream:tag or parent prefixes.
+// Keep this in sync with imageNameRegexp!
+var scopeRegexp = regexp.MustCompile("^[^/]*(/[^:/]*(/[^:/]*(:[^:/]*)?)?)?$")
+
+// ValidatePolicyConfigurationScope checks that scope is a valid name for a signature.PolicyTransportScopes keys
+// (i.e. a valid PolicyConfigurationIdentity() or PolicyConfigurationNamespaces() return value).
+// It is acceptable to allow an invalid value which will never be matched, it can "only" cause user confusion.
+// scope passed to this function will not be "", that value is always allowed.
+func (t openshiftTransport) ValidatePolicyConfigurationScope(scope string) error {
+	if scopeRegexp.FindStringIndex(scope) == nil {
+		return fmt.Errorf("Invalid scope name %s", scope)
+	}
+	return nil
+}
+
+// openshiftReference is an ImageReference for OpenShift images.
+type openshiftReference struct {
+	dockerReference reference.NamedTagged
+	namespace       string // Computed from dockerReference in advance.
+	stream          string // Computed from dockerReference in advance.
+}
+
+// ParseReference converts a string, which should not start with the ImageTransport.Name prefix, into an OpenShift ImageReference.
+func ParseReference(ref string) (types.ImageReference, error) {
+	r, err := reference.ParseNamed(ref)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse image reference %q, %v", ref, err)
+	}
+	tagged, ok := r.(reference.NamedTagged)
+	if !ok {
+		return nil, fmt.Errorf("invalid image reference %s, %#v", ref, r)
+	}
+	return NewReference(tagged)
+}
+
+// NewReference returns an OpenShift reference for a reference.NamedTagged
+func NewReference(dockerRef reference.NamedTagged) (types.ImageReference, error) {
+	r := strings.SplitN(dockerRef.RemoteName(), "/", 3)
+	if len(r) != 2 {
+		return nil, fmt.Errorf("invalid image reference %s", dockerRef.String())
+	}
+	return openshiftReference{
+		namespace:       r[0],
+		stream:          r[1],
+		dockerReference: dockerRef,
+	}, nil
+}
+
+func (ref openshiftReference) Transport() types.ImageTransport {
+	return Transport
+}
+
+// StringWithinTransport returns a string representation of the reference, which MUST be such that
+// reference.Transport().ParseReference(reference.StringWithinTransport()) returns an equivalent reference.
+// NOTE: The returned string is not promised to be equal to the original input to ParseReference;
+// e.g. default attribute values omitted by the user may be filled in in the return value, or vice versa.
+// WARNING: Do not use the return value in the UI to describe an image, it does not contain the Transport().Name() prefix.
+func (ref openshiftReference) StringWithinTransport() string {
+	return ref.dockerReference.String()
+}
+
+// DockerReference returns a Docker reference associated with this reference
+// (fully explicit, i.e. !reference.IsNameOnly, but reflecting user intent,
+// not e.g. after redirect or alias processing), or nil if unknown/not applicable.
+func (ref openshiftReference) DockerReference() reference.Named {
+	return ref.dockerReference
+}
+
+// PolicyConfigurationIdentity returns a string representation of the reference, suitable for policy lookup.
+// This MUST reflect user intent, not e.g. after processing of third-party redirects or aliases;
+// The value SHOULD be fully explicit about its semantics, with no hidden defaults, AND canonical
+// (i.e. various references with exactly the same semantics should return the same configuration identity)
+// It is fine for the return value to be equal to StringWithinTransport(), and it is desirable but
+// not required/guaranteed that it will be a valid input to Transport().ParseReference().
+// Returns "" if configuration identities for these references are not supported.
+func (ref openshiftReference) PolicyConfigurationIdentity() string {
+	res, err := policyconfiguration.DockerReferenceIdentity(ref.dockerReference)
+	if res == "" || err != nil { // Coverage: Should never happen, NewReference constructs a valid tagged reference.
+		panic(fmt.Sprintf("Internal inconsistency: policyconfiguration.DockerReferenceIdentity returned %#v, %v", res, err))
+	}
+	return res
+}
+
+// PolicyConfigurationNamespaces returns a list of other policy configuration namespaces to search
+// for if explicit configuration for PolicyConfigurationIdentity() is not set.  The list will be processed
+// in order, terminating on first match, and an implicit "" is always checked at the end.
+// It is STRONGLY recommended for the first element, if any, to be a prefix of PolicyConfigurationIdentity(),
+// and each following element to be a prefix of the element preceding it.
+func (ref openshiftReference) PolicyConfigurationNamespaces() []string {
+	return policyconfiguration.DockerReferenceNamespaces(ref.dockerReference)
+}
+
+// NewImage returns a types.Image for this reference.
+// The caller must call .Close() on the returned Image.
+func (ref openshiftReference) NewImage(ctx *types.SystemContext) (types.Image, error) {
+	src, err := newImageSource(ctx, ref, nil)
+	if err != nil {
+		return nil, err
+	}
+	return genericImage.FromSource(src), nil
+}
+
+// NewImageSource returns a types.ImageSource for this reference,
+// asking the backend to use a manifest from requestedManifestMIMETypes if possible.
+// nil requestedManifestMIMETypes means manifest.DefaultRequestedManifestMIMETypes.
+// The caller must call .Close() on the returned ImageSource.
+func (ref openshiftReference) NewImageSource(ctx *types.SystemContext, requestedManifestMIMETypes []string) (types.ImageSource, error) {
+	return newImageSource(ctx, ref, requestedManifestMIMETypes)
+}
+
+// NewImageDestination returns a types.ImageDestination for this reference.
+// The caller must call .Close() on the returned ImageDestination.
+func (ref openshiftReference) NewImageDestination(ctx *types.SystemContext) (types.ImageDestination, error) {
+	return newImageDestination(ctx, ref)
+}
+
+// DeleteImage deletes the named image from the registry, if supported.
+func (ref openshiftReference) DeleteImage(ctx *types.SystemContext) error {
+	return fmt.Errorf("Deleting images not implemented for atomic: images")
+}